GRATIS EXAM...Dec 31, 2013 · Exam A QUESTION 1 You have a single Active Directory domain. All...

Microsoft.Certkey.70-640.v2013-12-31.by.Watson.575q

Number: 70-640Passing Score: 800Time Limit: 120 minFile Version: 12.5

http://www.gratisexam.com/

Exam Code: 70-640

Exam Name: Microsoft TS: Windows Server 2008 Active Directory, Configuring Exam

Exam A

QUESTION 1You have a single Active Directory domain. All domain controllers run Windows Server 2008 and are configuredas DNS servers.

The domain contains one Active Directory-integrated DNS zone.

You need to ensure that outdated DNS records are automatically removed from the DNS zone.

What should you do?

A. From the properties of the zone, modify the TTL of the SOA record.B. From the properties of the zone, enable scavenging.C. From the command prompt, run ipconfig /flushdns.D. From the properties of the zone, disable dynamic updates.

Correct Answer: BSection: (none)Explanation

Explanation/Reference:

QUESTION 2Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.The Audit account management policy setting and Audit directory services access setting are enabled for theentire domain.

You need to ensure that changes made to Active Directory objects can be logged. The logged changes mustinclude the old and new values of any attributes.

What should you do?

A. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.B. From the Default Domain Controllers policy, enable the Audit directory service access setting and enable

directory service changes.C. Enable the Audit account management policy in the Default Domain Controller Policy.D. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy.

Correct Answer: ASection: (none)Explanation


QUESTION 3Your company, Contoso Ltd has a main office and a branch office. The offices are connected by a WAN link.Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.

The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standardprimary zone.

You install a new domain controller named DC2 in the branch office. You install DNS on DC2.

You need to ensure that the DNS service can update records and resolve DNS queries in the event that aWANlink fails.

What should you do?

A. Create a new stub zone named ad.contoso.com on DC2.B. Create a new standard secondary zone named ad.contoso.com on DC2.C. Configure the DNS server on DC2 to forward requests to DC1.D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

Correct Answer: DSection: (none)Explanation


QUESTION 4Your company has a server that runs an instance of Active Directory Lightweight Directory Service (AD LDS).

You need to create new organizational units in the AD LDS application directory partition.

What should you do?

A. Use the dsmod OU <OrganizationalUnitDN> command to create the organizational "A Composite SolutionWith Just One Click" - Certification Guaranteed 3 Microsoft 70-640 : Practice Testunits.

B. Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDSapplication directory partition.

C. Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units.D. Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition.



QUESTION 5Your company has an Active Directory domain. The company has two domain controllers named DC1 andDC2. DC1 holds the Schema Master role.

DC1 fails. You log on to Active Directory by using the administrator account. You are not able to transfer theSchema Master operations role.

You need to ensure that DC2 holds the Schema Master role.

What should you do?

A. Configure DC2 as a bridgehead server.B. On DC2, seize the Schema Master role.C. Log off and log on again to Active Directory by using an account that is a member of the Schema

Administrators group. Start the Active Directory Schema snap-in.D. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in.



QUESTION 6Your company has an Active Directory forest that runs at the functional level of Windows Server 2008.

You implement Active Directory Rights Management Services (AD RMS).

You install Microsoft SQL Server 2005. When you attempt to open the AD RMS administration Web site, youreceive the following error message: "SQL Server does not

exist or access denied."

You need to open the AD RMS administration Web site.

Which two actions should you perform? (Each correct answer presents part of the solution.

Choose two.)

A. Restart IIS.B. Manually delete the Service Connection Point in AD DS and restart AD RMS.C. Install Message Queuing.D. Start the MSSQLSVC service.

Correct Answer: ADSection: (none)Explanation


QUESTION 7Your network consists of an Active Directory forest that contains one domain named contoso.com. All domaincontrollers run Windows Server 2008 R2 and are configured as DNS servers. You have two ActiveDirectoryintegrated zones: contoso.com and nwtraders.com.

You need to ensure a user is able to modify records in the contoso.com zone. You must prevent the user frommodifying the SOA record in the nwtraders.com zone.


What should you do?

A. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.B. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers

organizational unit (OU).C. From the DNS Manager console, modify the permissions of the contoso.com zone.D. From the DNS Manager console, modify the permissions of the nwtraders.com zone.

Correct Answer: CSection: (none)Explanation


QUESTION 8Your company has an Active Directory domain. All servers run Windows Server 2008 R2.

Your company uses an Enterprise Root certificate authority (CA).

You need to ensure that revoked certificate information is highly available.

What should you do?

A. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security andAcceleration Server array.

B. Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO).C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the

domain.



QUESTION 9You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 isconfigured as an enterprise root certification authority (CA).

You install the Online Responder role service on Server2.

You need to configure Server1 to support the Online Responder.

What should you do?

A. Import the enterprise root CA certificate.B. Configure the Certificate Revocation List Distribution Point extension.C. Configure the Authority Information Access (AIA) extension.D. Add the Server2 computer account to the CertPublishers group.


Explanation/Reference:Reference:

http://technet.microsoft.com/en-us/library/cc732526.aspx

Configure a CA to Support OCSP Responders

To function properly, an Online Responder must have a valid Online Certificate StatusProtocol (OCSP)

Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a non-Microsoft OCSP responder.

Configuring a certification authority (CA) to support OCSP responder services includes the following steps:

1. Configure certificate templates and issuance properties for OCSP Response Signing certificates.

2. Configure enrollment permissions for any computers that will be hosting Online Responders.

3. If this is a Windows Server 2003based CA, enable the OCSP extension in issued certificates.

4. Add the location of the Online Responder or OCSP responder to the authority information access extensionon the CA.

5. Enable the OCSP Response Signing certificate template for the CA.

QUESTION 10Your company has an Active Directory domain. A user attempts to log on to a computer that was turned off fortwelve weeks. The administrator receives an error message that authentication has failed.

You need to ensure that the user is able to log on to the computer.

What should you do?

A. Run the netsh command with the set and machine options.B. Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the

domain.C. Run the netdom TRUST /reset command.D. Run the Active Directory Users and Computers console to disable, and then enable the computer account.



QUESTION 11Your company has an Active Directory forest that contains a single domain. The domain member server has anActive Directory Federation Services (AD FS) role installed.

You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directorydomain.

What should you do?

A. Add and configure a new account partner.B. Add and configure a new resource partner.C. Add and configure a new account store.D. Add and configure a Claims-aware application.



QUESTION 12You network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller.

What tool should you use?

A. Active Directory Users and Computers snap-inB. ntdsutilC. Local Users and Groups snap-inD. dsmod



QUESTION 13Your company has a main office and a branch office. You deploy a read-only domain controller (RODC) thatruns Microsoft Windows Server 2008 to the branch office.

You need to ensure that users at the branch office are able to log on to the domain by using the RODC.

What should you do?

A. Add another RODC to the branch office.B. Configure a new bridgehead server in the main office.C. Decrease the replication interval for all connection objects by using the Active Directory Sites and Services

console.D. Configure the Password Replication Policy on the RODC.



QUESTION 14Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers runWindows Server 2008 and the DNS server role. All computers, including non-domain members, dynamicallyregister their DNS records.

You need to configure the intranet.adatum.com zone to allow only domain members to dynamically registerDNS records.

What should you do?

A. Set dynamic updates to Secure Only.B. Remove the Authenticated Users group.C. Enable zone transfers to Name Servers.

D. Deny the Everyone group the Create All Child Objects permission.



QUESTION 15Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2and are configured as DNS servers. A domain controller named DC1 has a standard primary zone forcontoso.com. A domain controller named DC2 has a standard secondary zone for contoso.com.

You need to ensure that the replication of the contoso.com zone is encrypted.

You must not lose any zone data.

What should you do?

A. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone.B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.C. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the

secondary zone.D. On both servers, modify the interface that the DNS server listens on.



QUESTION 16You are decommissioning domain controllers that hold all forest-wide operations master roles.

You need to transfer all forest-wide operations master roles to another domain controller.

Which two roles should you transfer? (Each correct answer presents part of the solution.Choose two.)

A. Domain naming masterB. Infrastructure masterC. RID masterD. PDC emulatorE. Schema master

Correct Answer: AESection: (none)Explanation


QUESTION 17Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directorydomain named intranet.fabrikam.com. Fabrikam's security policy

prohibits the transfer of internal DNS zone data outside the Fabrikam network.

You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain.

What should you do?

A. Create a new stub zone for the intranet.fabrikam.com domain.B. Configure conditional forwarding for the intranet.fabrikam.com domain.C. Create a standard secondary zone for the intranet.fabrikam.com domain.D. Create an Active DirectoryCintegrated zone for the intranet.fabrikam.com domain.



QUESTION 18An Active Directory database is installed on the C volume of a domain controller.

You need to move the Active Directory database to a new volume.

What should you do?

A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.B. Move the ntds.dit file to the new volume by using Windows Explorer.C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows

PowerShell.D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.



QUESTION 19Your company has file servers located in an organizational unit named Payroll. The file servers contain payrollfiles located in a folder named Payroll.

You create a GPO.

You need to track which employees access the Payroll files on the file servers.

What should you do?

A. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. Onthe file servers, configure Auditing for the Authenticated Users group in the Payroll folder.

B. Enable the Audit object access option. Link the GPO to the Payroll organizational unit.On the file servers, configure Auditing for the Everyone group in the Payroll folder.

C. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the fileservers, configure Auditing for the Everyone group in the Payroll folder.

D. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configureAuditing for the Authenticated Users group in the Payroll folder.



QUESTION 20Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates.

You need to implement key archival.

What should you do?

A. Configure the certificate for automatic enrollment for the computers that store encrypted files.B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.C. Apply the Hisecdc security template to the domain controllers.D. Archive the private key on the server.



QUESTION 21Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains anOU for Computers, an OU for Groups, and an OU for Users.

You perform nightly backups. An administrator deletes the Groups OU.

You need to restore the Groups OU without affecting users and computers in the Sales OU.

What should you do?

A. Perform an authoritative restore of the Sales OU.B. Perform a non-authoritative restore of the Sales OU.C. Perform an authoritative restore of the Groups OU.D. Perform a non-authoritative restore of the Groups OU.



QUESTION 22Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server2008 R2.

You need to create multiple password policies for users in your domain.

What should you do?

A. From the Group Policy Management snap-in, create multiple Group Policy objects.B. From the Schema snap-in, create multiple class schema objects.C. From the ADSI Edit snap-in, create multiple Password Setting objects.D. From the Security Configuration Wizard, create multiple security policies.



QUESTION 23You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server.

You need to record all inbound DNS queries to the server.

What should you configure in the DNS Manager console?

A. Enable debug logging.B. Enable automatic testing for simple queries.C. Configure event logging to log errors and warnings.D. Enable automatic testing for recursive queries.



QUESTION 24Your company has a main office and a branch office. The company has a single-domain Active Directory forest.The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. Thebranch office has a Windows Server 2008 R2 read- only domain controller (RODC) named DC3.

All domain controllers hold the DNS Server role and are configured as Active Directory- integrated zones. TheDNS zones only allow secure updates.

You need to enable dynamic DNS updates on DC3.

What should you do?

A. Run the Dnscmd.exe /ZoneResetType command on DC3.B. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.C. Create a custom application directory partition on DC1. Configure the partition to store Active

Directoryintegrated zones.D. Run the Ntdsutil.exe > DS Behavior commands on DC3.



QUESTION 25Your company has an Active Directory domain named ad.contoso.com. The domain has two domain controllersnamed DC1 and DC2. Both domain controllers have the DNS server role installed.

You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure DC1 toforward all unresolved name requests to DNS1.contoso.com.

You discover that the DNS forwarding option is unavailable on DC2.You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com server.

Which two actions should you perform? (Each correct answer presents part of the solution.

Choose two.)

A. Clear the DNS cache on DC2.B. Configure conditional forwarding on DC2.C. Configure the Listen On address on DC2.D. Delete the Root zone on DC2.

Correct Answer: BDSection: (none)Explanation


QUESTION 26Your company has an organizational unit named Production. The Production organizational unit has a childorganizational unit named R&D. You create a GPO named Software Deployment and link it to the Productionorganizational unit.

You create a shadow group for the R&D organizational unit. You need to deploy an application to users in theProduction organizational unit.

You also need to ensure that the application is not deployed to users in the R&D organizational unit.

What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choosetwo.)

A. Configure the Block Inheritance setting on the R&D organizational unit.B. Configure the Enforce setting on the software deployment GPO.C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D

security group.D. Configure the Block Inheritance setting on the Production organizational unit.

Correct Answer: ACSection: (none)Explanation


QUESTION 27

Your company has a branch office that is configured as a separate Active Directory site and has an ActiveDirectory domain controller. The Active Directory site requires a local Global Catalog server to support a new

application.

You need to configure the domain controller as a Global Catalog server.

Which tool should you use?

A. The Server Manager consoleB. The Active Directory Sites and Services consoleC. The Dcpromo.exe utilityD. The Computer Management consoleE. The Active Directory Domains and Trusts console



QUESTION 28Your company has a main office and three branch offices. The company has an Active Directory forest that hasa single domain. Each office has one domain controller. Each office is configured as an Active Directory site.

All sites are connected with the DEFAULTIPSITELINK object.

You need to decrease the replication latency between the domain controllers.

What should you do?

A. Decrease the replication schedule for the DEFAULTIPSITELINK object.B. Decrease the replication interval for the DEFAULTIPSITELINK object.C. Decrease the cost between the connection objects.D. Decrease the replication interval for all connection objects.



QUESTION 29

Your company has two Active Directory forests named contoso.com and fabrikam.com. Both forests run onlydomain controllers that run Windows Server 2008. The domain functional level of contoso.com is WindowsServer 2008. The domain functional level of fabrikam.com is Windows Server 2003 Native mode.

You configure an external trust between contoso.com and fabrikam.com.

You need to enable the Kerberos AES encryption option.

What should you do?

A. Raise the forest functional level of fabrikam.com to Windows Server 2008.B. Raise the domain functional level of fabrikam.com to Windows Server 2008.C. Raise the forest functional level of contoso.com to Windows Server 2008.

D. Create a new forest trust and enable forest-wide authentication.



QUESTION 30All consultants belong to a global group named TempWorkers. You place three file servers in a neworganizational unit named SecureServers. The three file servers contain confidential data located in sharedfolders.

You need to record any failed attempts made by the consultants to access the confidential data.

Which two actions should you perform? (Each correct answer presents part of the solution.Choose two.)

A. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to thiscomputer from the network user rights setting for the TempWorkers global group.

B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege useFailure audit policy setting.

C. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object accessFailure audit policy setting.

D. On each shared folder on the three file servers, add the three servers to the Auditing E. On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab.

Configure the Failed Full control setting in the Auditing Entry dialog box.

Correct Answer: CESection: (none)Explanation


Windows Server 2008 R2 Unleashed (SAMS, 2010) page 671

Auditing Resource Access

Object access can be audited, although it is not one of the recommended settings. Auditing object access canplace a significant load on the servers, so it should only be enabled when it is specifically needed. Auditingobject access is a two-step process: Step one is enabling "Audit object access" and step two is selecting theobjects to be audited. When enabling Audit object access, you need to decide if both failure and successevents will be logged. The two options are as follows:

Audit object access failure enables you to see if users are attempting to access objects to which they have norights. This shows unauthorized attempts.

Audit object access success enables you to see usage patterns. This shows misuse of privilege.

After object access auditing is enabled, you can easily monitor access to resources such as folders, files, andprinters.

Auditing Files and Folders

The network administrator can tailor the way Windows Server 2008 R2 audits files and folders through theproperty pages for those files or folders. Keep in mind that the more files and folders that are audited, the more

events that can be generated, which can increase administrative overhead and system resource requirements.

Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following:

1. In Windows Explorer, right-click the file or folder to audit and select Properties.

2. Select the Security tab and then click the Advanced button.

3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button.

4. Click the Add button to display the Select User or Group window.

5. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names buttonto verify the name.

"A Composite Solution With Just One Click" - Certification Guaranteed 18 Microsoft 70-640 : Practice Test

QUESTION 31You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 isconfigured as an Enterprise Root certification authority (CA).

You install the Online Responder role service on Server2.

You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root CA.

Which two tasks should you perform? (Each correct answer presents part of the solution.Choose two.)

A. Import the enterprise root CA certificate.B. Import the OCSP Response Signing certificate.C. Add the Server1 computer account to the CertPublishers group.D. Set the Startup Type of the Certificate Propagation service to Automatic.

Correct Answer: ABSection: (none)Explanation


QUESTION 32Your company has an Active Directory forest. The forest includes organizational units corresponding to thefollowing four locations:

LondonChicagoNew YorkMadrid

Each location has a child organizational unit named Sales. The Sales organizational unit contains all the usersand computers from the sales department.

The offices in London, Chicago, and New York are connected by T1 connections. The office in Madrid isconnected by a 256-Kbps ISDN connection.

You need to install an application on all the computers in the sales department.


A. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users.Link the GPO to each Sales organizational unit.

B. Disable the slow link detection setting in the Group Policy Object (GPO).C. Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy Object (GPO).D. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the computers. Link

the GPO to each Sales organizational unit.



QUESTION 33Your company has a domain controller server that runs the Windows Server 2008 R2 operating system. Theserver is a backup server. The server has a single 500-GB hard disk that has three partitions for the operatingsystem, applications, and data. You perform daily backups of the server.

The hard disk fails. You replace the hard disk with a new hard disk of the same capacity. You restart thecomputer on the installation media. You select the Repair your computer option.

You need to restore the operating system and all files.

What should you do?

A. Select the System Image Recovery option.B. Run the Imagex utility at the command prompt.C. Run the Wbadmin utility at the command prompt.D. Run the Rollback utility at the command prompt.



QUESTION 34"A Composite Solution With Just One Click" - Certification Guaranteed 20 Microsoft 70-640 : Practice TestYou need to remove the Active Directory Domain Services role from a domain controller named DC1.

What should you do?

A. Run the netdom remove DC1 command.B. Run the Dcpromo utility. Remove the Active Directory Domain Services role.C. Run the nltest /remove_server: DC1 command.D. Reset the Domain Controller computer account by using the Active Directory Users and Computers utility.



QUESTION 35Your company has an Active Directory forest. The company has branch offices in three locations. Each locationhas an organizational unit.

You need to ensure that the branch office administrators are able to create and apply GPOs only to theirrespective organizational units.


A. Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizationalunits to the branch office administrators.

B. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.C. Modify the Managed By tab in each organizational unit to add the branch office administrators to their

respective organizational units.D. Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the branch office

administrators.



QUESTION 36Your company has an Active Directory domain. A user attempts to log on to the domain

from a client computer and receives the following message: "This user account has expired. Ask youradministrator to reactivate the account."

You need to ensure that the user is able to log on to the domain.

What should you do?

A. Modify the properties of the user account to set the account to never expire.B. Modify the properties of the user account to extend the Logon Hours setting.C. Modify the default domain policy to decrease the account lockout duration.D. Modify the properties of the user account to set the password to never expire.



QUESTION 37You have an existing Active Directory site named Site1. You create a new Active Directory site and name itSite2.

You need to configure Active Directory replication between Site1 and Site2. You install a new domain controller.

You create the site link between Site1 and Site2.

What should you do next?

A. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2.Move the new domain controller object to Site2.

B. Use the Active Directory Sites and Services console to configure a new site link bridge object.C. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2.D. Use the Active Directory Sites and Services console to configure the new domain controller as a preferred

bridgehead server for Site1.



QUESTION 38

Your company has an Active Directory forest. Each branch office has an organizational unit and a childorganizational unit named Sales. The Sales organizational unit contains all users and computers of the salesdepartment.

You need to install an Office 2007 application only on the computers in the Sales organizational unit.

You create a GPO named SalesApp GPO.


A. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Salesorganizational unit in each location.

B. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to thedomain.

C. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Salesorganizational unit in each location.

D. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Salesorganizational unit in each location.



QUESTION 39Your network consists of an Active Directory forest that contains one domain. All domain controllers run.

Windows Server 2008 R2 and are configured as DNS servers. You have an Active Directory- integrated zone.

You have two Active Directory sites. Each site contains five domain controllers.

You add a new NS record to the zone.

You need to ensure that all domain controllers immediately receive the new NS record.

What should you do?

A. From the DNS Manager console, reload the zone.

B. From the DNS Manager console, increase the version number of the SOA record.C. From the command prompt, run repadmin /syncall.D. From the Services snap-in, restart the DNS Server service.



QUESTION 40Your company has a single Active Directory domain named intranet.contoso.com. All domain controllers runWindows Server 2008 R2. The domain functional level is Windows 2000 native and the forest functional level isWindows 2000.

You need to ensure the UPN suffix for contoso.com is available for user accounts.

What should you do first?

A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.C. Add the new UPN suffix to the forest.D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to

contoso.com.



QUESTION 41You have a Windows Server 2008 R2 Enterprise Root CA. Security policy prevents port 443 and port 80 frombeing opened on domain controllers and on the issuing CA.

You need to allow users to request certificates from a Web interface. You install the Active Directory CertificateServices (AD CS) server role.


A. Configure the Online Responder Role Service on a member server.B. Configure the Online Responder Role Service on a domain controller.C. Configure the Certificate Enrollment Web Service role service on a member server.D. Configure the Certificate Enrollment Web Service role service on a domain controller.



QUESTION 42You need to relocate the existing user and computer objects in your company to different organizational units.


A. Run the move-item command in the Microsoft Windows PowerShell utility.B. Run the Active Directory Users and Computers utility.C. Run the Dsmove utility.D. Run the Active Directory Migration Tool (ADMT).

Correct Answer: BCSection: (none)Explanation


QUESTION 43Your network consists of an Active Directory forest named contoso.com. All servers run Windows Server 2008R2. All domain controllers are configured as DNS servers. The contoso.com DNS zone is stored in theForestDnsZones Active Directory application partition.

You have a member server that contains a standard primary DNS zone for dev.contoso.com.

You need to ensure that all domain controllers can resolve names for dev.contoso.com.

What should you do?

A. Modify the properties of the SOA record in the contoso.com zone.B. Create a NS record in the contoso.com zone.C. Create a delegation in the contoso.com zone.D. Create a standard secondary zone on a Global Catalog server.



QUESTION 44Your company has a single Active Directory domain. All domain controllers run Windows Server 2003.

You install Windows Server 2008 R2 on a server.

You need to add the new server as a domain controller in your domain.


A. On a domain controller run adprep /rodcprep.B. On the new server, run dcpromo /adv.C. On the new server, run dcpromo /createdcaccount.D. On a domain controller, run adprep /forestprep.



QUESTION 45Your company has a main office and three branch offices. Each office is configured as a separate ActiveDirectory site that has its own domain controller.

You disable an account that has administrative rights.

You need to immediately replicate the disabled account information to all sites.


A. From the Active Directory Sites and Services console, configure all domain controllers as global catalogservers.

B. From the Active Directory Sites and Services console, select the existing connection objects and forcereplication.

C. Use Repadmin.exe to force replication between the site connection objects.D. Use Dsmod.exe to configure all domain controllers as global catalog servers.



QUESTION 46Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to capture all replication errors from all domain controllers to a central location.

What should you do?

A. Start the Active Directory Diagnostics data collector set.B. Start the System Performance data collector set.C. Install Network Monitor and create a new a new capture.D. Configure event log subscriptions.



QUESTION 47Your company has an Active Directory forest that contains client computers that run Windows VistaandMicrosoft Windows XP.

You need to ensure that users are able to install approved application updates on their computers.


A. Set up Automatic Updates through Control Panel on the client computers.B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically

search for updates on the Microsoft Update site.C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Windows

Server Update Services (WSUS) server for approved updates.D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates on

the Internet. Approve all required updates.

Correct Answer: CDSection: (none)Explanation


QUESTION 48Your company has an Active Directory domain that has an organizational unit named Sales. The Salesorganizational unit contains two global security groups named sales managers and sales executives.

You need to apply desktop restrictions to the sales executives group.

You must not apply these desktop restrictions to the sales managers group.

You create a GPO named DesktopLockdown and link it to the Sales organizational unit.


A. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.B. Configure the Deny Apply Group Policy permission for the sales executives on the DesktopLockdown GPO.C. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.D. Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO.



QUESTION 49Your company network has an Active Directory forest that has one parent domain and one child domain. Thechild domain has two domain controllers that run Windows Server 2008. All user accounts from the childdomain are migrated to the parent domain. The child domain is scheduled to be decommissioned.

You need to remove the child domain from the Active Directory forest.

What are two possible ways to achieve this goal? (Each correct answer presents acomplete solution. Choose two.)

A. Run the Computer Management console to stop the Domain Controller service on both domain controllersin the child domain.

B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationshipbetween the parent domain and the child domain.

C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory domainservices role.

D. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain.



QUESTION 50Your network consists of a single Active Directory domain. The domain contains 10 domain controllers. Thedomain controllers run Windows Server 2008 R2 and are configured as DNS servers.

You plan to create a new Active Directory-integrated zone.

You need to ensure that the new zone is only replicated to four of your domain controllers.


A. From the command prompt, run dnscmd and specify the /createdirectorypartition parameter.B. Create a new delegation in the ForestDnsZones application directory partition.C. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter.D. Create a new delegation in the DomainDnsZones application directory partition.



QUESTION 51You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNSServer for contoso.com.

You install the DNS Server role on a member server named Server1 and then you create a standard secondaryzone for contoso.com.

You configure DC1 as the master server for the zone.

You need to ensure that Server1 receives zone updates from DC1.

What should you do?

A. On DC1, modify the permissions of contoso.com zone.B. On Server1, add a conditional forwarder.C. On DC1, modify the zone transfer settings for the contoso.com zone.D. Add the Server1 computer account to the DNSUpdateProxy group.




Modify Zone Transfer Settings

You can use the following procedure to control whether a zone will be transferred to other servers and whichservers can receive the zone transfer.

To modify zone transfer settings using the Windows interface

1. Open DNS Manager.

2. Right-click a DNS zone, and then click Properties.

3. On the Zone Transfers tab, do one of the following:

To disable zone transfers, clear the Allow zone transfers check box.

To allow zone transfers, select the Allow zone transfers check box.

4. If you allowed zone transfers, do one of the following:

To allow zone transfers to any server, click To any server.

To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to serverslisted on the Name Servers tab.

To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IPaddress of one or more DNS servers.


QUESTION 52Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runsan Enterprise Root certification authority (CA).

You need to ensure that only administrators can sign code.


A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage TrustedPublishers.

B. Modify the security settings on the template to allow only administrators to request code signing certificates.C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow

only administrators to apply the policy.D. Publish the code signing template.



QUESTION 53Your company has an Active Directory forest.

You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server.

When you attempt to add the Active Directory Certificate Services (AD CS) role, you find that the Enterprise CAoption is not available.

You need to install the AD CS role as an Enterprise CA.


A. Add the DNS Server role.B. Add the Active Directory Lightweight Directory Service (AD LDS) role.C. Add the Web server (IIS) role and the AD CS role.D. Join the server to the domain.



QUESTION 54Your company has an Active Directory domain named contoso.com. The company network has two DNSservers named DNS1 and DNS2.

The DNS servers are configured as shown in the following table.

Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to InternetWeb sites.

You need to enable Internet name resolution for all client computers.

What should you do?

A. Update the list of root hints servers on DNS2.B. Create a copy of the .(root) zone on DNS1.C. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.D. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.



QUESTION 55Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003.

You upgrade all domain controllers to Windows Server 2008.You need to configure the Active Directory environment to support the application of multiple password policies.

What should you do?

A. Raise the functional level of the domain to Windows Server 2008.

B. On one domain controller, run dcpromo /adv.C. Create multiple Active Directory sites.D. On all domain controllers, run dcpromo /adv.



QUESTION 56Your company has two Active Directory forests named contoso.com and fabrikam.com.

The company network has three DNS servers named DNS1, DNS2, and DNS3. The DNS servers areconfigured as shown in the following table.

All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server. Allother computers use DNS1 as the preferred DNS server.

Users from the fabrikam.com domain are unable to connect to the servers that belong to the contoso.comdomain.

You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries.

What should you do?

A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.



QUESTION 57Your company, Contoso Ltd, has offices in North America and Europe. Contoso has an Active Directory forestthat has three domains.

You need to reduce the time required to authenticate users from the labs.eu.contoso.com domain when theyaccess resources in the eng.na.contoso.com domain.

What should you do?

A. Decrease the replication interval for all Connection objects.B. Decrease the replication interval for the DEFAULTIPSITELINK site link.C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com.

D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.



QUESTION 58Your company purchases a new application to deploy on 200 computers. The application requires that youmodify the registry on each target computer before you install the application.

The registry modifications are in a file that has an .adm extension.

You need to prepare the target computers for the application.

What should you do?

A. Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an organizational unitthat contains the target computers.

B. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer.Run the REDIRUsr CONTAINER-DN command on each target computer.

C. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each targetcomputer.

D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer.Run the REDIRCmp CONTAINER-DN command on each target computer.



QUESTION 59Your company has an Active Directory forest that contains eight linked Group Policy Objects (GPOs). One ofthese GPOs publishes applications to user objects. A user reports that the application is not available forinstallation.

You need to identify whether the GPO has been applied.

What should you do?

A. Run the Group Policy Results utility for the user.B. Run the GPRESULT /S <system name> /Z command at the command prompt.C. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.D. Run the Group Policy Results utility for the computer.



QUESTION 60

Your company has an Active Directory domain.

You plan to install the Active Directory Certificate Services (AD CS) server role on a member server that runsWindows Server 2008 R2.

You need to ensure that members of the Account Operators group are able to issue smartcard credentials.

They should not be able to revoke certificates.

Which three actions should you perform? (Each correct answer presents part of thesolution. Choose three.)

A. Create an Enrollment Agent certificate.B. Create a Smartcard logon certificate.C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.D. Install the AD CS role and configure it as an Enterprise Root CA.E. Install the AD CS role and configure it as a Standalone CA.F. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.

Correct Answer: BCDSection: (none)Explanation


QUESTION 61You create 200 new user accounts. The users are located in six different sites. New users report that theyreceive the following error message when they try to log on: "The username or password is incorrect." Youconfirm that the user accounts exist and are enabled. You also confirm that the user name and passwordinformation supplied are correct.

You need to identify the cause of the failure. You also need to ensure that the new users are able to log on.

Which utility should you run?

A. Active Directory Domains and TrustsB. RepadminC. RstoolsD. Rsdiag


Explanation/Reference:Explanation:

Repadmin allows us to check the replication status and also allows us to force a replication between domaincontrollers.Reference:


Repadmin /replsummary

Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the

results in a report.

Repadmin /showrepl

Displays the replication status when the specified domain controller last attempted to perform inboundreplication on Active Directory partitions.

Repadmin /syncall Synchronizes a specified domain controller with all replication partners.

QUESTION 62Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 R2 and areconfigured as DNS servers.

You have an Active Directory-integrated zone for contoso.com.

You have a Unix-based DNS server.

You need to configure your Windows Server 2008 R2 environment to allow zone transfers of the contoso.comzone to the Unix-based DNS server.

What should you do in the DNS Manager console?

A. Enable BIND secondariesB. Create a stub zoneC. Disable recursionD. Create a secondary zone



QUESTION 63Your company has an Active Directory domain.

You log on to the domain controller. The Active Directory Schema snap-in is not available

in the Microsoft Management Console (MMC).


You need to access the Active Directory Schema snap-in.

What should you do?

A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by usingServer Manager.

B. Log off and log on again by using an account that is a member of the Schema Administrators group.C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the schema

for writing.

D. Register Schmmgmt.dll.



QUESTION 64Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD CS)is configured as a standalone Certification Authority (CA) on the server.

You need to audit changes to the CA configuration settings and the CA security settings.


A. Configure auditing in the Certification Authority snap-in.B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%

\CertSrv directory.C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate

Services (AD CS) server.



QUESTION 65

Your company has a single-domain Active Directory forest. The functional level of the domain is WindowsServer 2008.

You perform the following activities:

Create a global distribution group.

Add users to the global distribution group.

Create a shared folder on a Windows Server 2008 member server.

Place the global distribution group in a domain local group that has access to the shared folder.

You need to ensure that the users have access to the shared folder.

What should you do?

A. Add the global distribution group to the Domain Administrators group.B. Change the group type of the global distribution group to a security group.C. Change the scope of the global distribution group to a Universal distribution group.D. Raise the forest functional level to Windows Server 2008.

Correct Answer: B

Section: (none)Explanation


QUESTION 66Your company hires 10 new employees.

You want the new employees to connect to the main office through a VPN connection.

You create new user accounts and grant the new employees they Allow Read and Allow Execute permissionsto shared resources in the main office. The new employees are unable to access shared resources in the mainoffice.

You need to ensure that users are able to establish a VPN connection to the main office.

What should you do?

A. Grant the new employees the Allow Access Dial-in permission.B. Grant the new employees the Allow Full control permission.C. Add the new employees to the Remote Desktop Users security group.D. Add the new employees to the Windows Authorization Access security group.



QUESTION 67Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amountof available CPU resources on a domain controller.

What should you do?

A. Review performance data in Resource Monitor.B. Review the Hardware Events log in the Event Viewer.C. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report.D. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.



QUESTION 68Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers.

You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers.

Which two tasks should you perform? (Each correct answer presents part of the solution.

Choose two.)

A. Run the adprep /domainprep command.B. Raise the forest functional level to Windows Server 2008.C. Raise the domain functional level to Windows Server 2008.D. Run the adprep /forestprep command.



QUESTION 69You need to identify all failed logon attempts on the domain controllers.

What should you do?

A. View the Netlogon.log file.B. View the Security tab on the domain controller computer object.C. Run Event Viewer.D. Run the Security and Configuration Wizard.



QUESTION 70Your company has a DNS server that has 10 Active Directory integrated zones.

You need to provide copies of the zone files of the DNS server to the security department.

What should you do?

A. Run the dnscmd /ZoneInfo command.B. Run the ipconfig /registerdns command.C. Run the dnscmd /ZoneExport command.D. Run the ntdsutil > Partition Management > List commands.



QUESTION 71Your company has an Active Directory forest. The company has three locations. Each location has anorganizational unit and a child organizational unit named Sales. The Sales organizational unit contains all usersand computers of the sales department.The company plans to deploy a Microsoft Office 2007 application on all computers within the three Salesorganizational units.

You need to ensure that the Office 2007 application is installed only on the computers in the Salesorganizational units.

What should you do?

A. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the applicationto the computer account. Link the SalesAPP GPO to the domain.

B. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the applicationto the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.

C. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the applicationto the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location.

D. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to publish the applicationto the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.



QUESTION 72Your company has a main office and 10 branch offices. Each branch office has an Active Directory site thatcontains one domain controller. Only domain controllers in the main office are configured as Global Catalogservers.

You need to deactivate the Universal Group Membership Caching (UGMC) option on the domain controllers inthe branch offices.

At which level should you deactivate UGMC?

A. ServerB. Connection objectC. DomainD. Site



QUESTION 73Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003.

You upgrade all domain controllers to Windows Server 2008 R2.

You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R).

What should you do?

A. From the command prompt, run dfsutil /addroot:sysvol.B. From the command prompt, run netdom /reset.C. From the command prompt, run dcpromo /unattend:unattendfile.xml.

D. Raise the functional level of the domain to Windows Server 2008 R2.



QUESTION 74Your company has a main office and a branch office that are configured as a single Active Directory forest. Thefunctional level of the Active Directory forest is Windows Server 2003. There are four Windows Server 2003domain controllers in the main office.

You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch office.


A. Raise the functional level of the forest to Windows Server 2008.B. Deploy a Windows Server 2008 domain controller at the main office.C. Raise the functional level of the domain to Windows Server 2008.D. Run the adprep/rodcprep command.



QUESTION 75

Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers andDNS servers. All client computers run Windows XP SP3.

You need to use your client computers to edit domainbased GPOs by using the ADMX files that are stored inthe ADMX central store.

What should you do?

A. Add your account to the Domain Admins group.B. Upgrade your client computers to Windows 7.C. Install .NET Framework 3.0 on your client computers.D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the

PolicyDefinitions folder.



QUESTION 76Your company has a domain controller that runs Windows Server 2008. The domain controller has the backupfeatures installed.

You need to perform a non-authoritative restore of the doman controller using an existing backup file.

What should you do?

A. Restart the domain controller in Directory Services Restore Mode and use wbadmin to restore criticalvolume

B. Restart the domain controller in Directory Services Restore Mode and use the backup snap-in to restorecritical volume

C. Restart the domain controller in Safe Mode and use wbadmin to restore critical volumeD. Restart the domain controller in Safe Mode and use the backup snap-in to restore critical volume



QUESTION 77

Your company has an Active Directory domain. All servers run Windows Server.

You deploy a Certification Authority (CA) server.

You create a new global security group named CertIssuers.

You need to ensure that members of the CertIssuers group can issue, approve, and revoke certificates.

What should you do?

A. Assign the Certificate Manager role to the CertIssuers groupB. Place CertIssuers group in the Certificate Publisher groupC. Run the certsrv -add CertIssuers command promt of the certificate serverD. Run the add -member-membertype memberset CertIssuers command by using Microsoft Windows

Powershell



QUESTION 78Your company has an Active Directory domain. The company has purchased 100 new computers. You want todeploy the computers as members of the domain.

You need to create the computer accounts in an OU.

What should you do?

A. Run the csvde -f computers.csv commandB. Run the ldifde -f computers.ldf commandC. Run the dsadd computer <computerdn> commandD. Run the dsmod computer <computerdn> command



QUESTION 79Your network consists of a single Active Directory domain. You have a domain controller

and a member server that run Windows Server 2008 R2. Both servers are configured as DNS servers. Clientcomputers run either Windows XP Service Pack 3 or Windows 7.

You have a standard primary zone on the domain controller. The member server hosts a secondary copy of thezone.

You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone.


A. On the member server, add a conditional forwarder.B. On the member server, install Active Directory Domain Services.C. Add all computer accounts to the DNS UpdateProxy group.D. Convert the standard primary zone to an Active Directory-integrated zone.



QUESTION 80Your company has two domain controllers that are configured as internal DNS servers. All zones on the DNSservers are Active Directory-integrated zones. The zones allow all dynamic updates.

You discover that the contoso.com zone has multiple entries for the host names of computers that do not exist.

You need to configure the contoso.com zone to automatically remove expired records.

What should you do?

A. Enable only secure updates on the contoso.com zone,B. Enable scavenging and configure the refresh interval on the contoso.com zone.C. From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone.D. From the Start of Authority tab, increase the default expiration interval on the contoso.com zone



QUESTION 81You have an Active Directory domain that runs Windows Server 2008 R2.

You need to implement a certification authority (CA) server that meets the following requirements:

Allows the certification authority to automatically issue certificates

Integrates with Active Directory Domain Services

What should you do?

A. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA.B. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA.C. Purchase a certificate from a third-party certification authority, Install and configure the Active Directory

Certificate Services server role as a Standalone Subordinate CA.D. Purchase a certificate from a third-party certification authority, Import the certificate into the computer store

of the schema master.



QUESTION 82You have a Windows Server 2008 R2 Enterprise Root certification authority (CA).

You need to grant members of the Account Operators group the ability to only manage Basic EFS certificates.

You grant the Account Operators group the Issue and Manage Certificates permission on the CA.

Which three tasks should you perform next? (Each correct answer presents part of the solution.

A. Enable the Restrict Enrollment Agents option on the CA.B. Enable the Restrict Certificate Managers option on the CA.C. Add the Basic EFS certificate template for the Account Operators group.D. Grant the Account Operators group the Manage CA permission on the CA.E. Remove all unnecessary certificate templates that are assigned to the Account Operators group.

Correct Answer: BCESection: (none)Explanation


QUESTION 83Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offlineroot CA and an online issuing CA. The Enterprise certification authority is running Windows Server 2008 R2.

You need to ensure users are able to enroll new certificates.

What should you do?

A. Renew the Certificate Revocation List (CRL) on the root CA. Copy the CRL to the CertEnroll folder on theissuing CA.

B. Renew the Certificate Revocation List (CRL) on the issuing CA, Copy the CRL to the SysternCertificates

folder in the users' profile.C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client

workstations,



QUESTION 84Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company usesan Enterprise Root certification authority (CA) and an Enterprise Intermediate CA.The Enterprise Intermediate CA certificate expires.

You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain.

What should you do?

A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.B. Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server.C. Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group

policy object.D. Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object.



QUESTION 85Your company has recently acquired a new subsidiary company in Quebec. The Active Directory administratorsof the subsidiary company must use the French-language version of the administrative templates.

You create a folder on the PDC emulator for the subsidiary domain in the path %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\FR.

You need to ensure that the French-language version of the templates is available.

What should you do?

A. Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm files from the Microsoft Web site. Copythe ADM files to the FR folder.

B. Copy the ADML files from the French local installation media for Windows Server 2008 R2 to the FR folderon the subsidiary PDC emulator.

C. Copy the Install.WIM file from the French local installation media for Windows Server 2008 R2 to the FRfolder on the subsidiary PDC emulator.

D. Copy the ADMX files from the French local installation media for Windows Server 2008 R2 to the FR folderon the subsidiary PDC emulator."A Composite Solution With Just One Click" - Certification Guaranteed 49 Microsoft 70-640 : Practice Test

Correct Answer: BSection: (none)

Explanation


QUESTION 86A user in a branch office of your company attempts to join a computer to the domain, but the attempt fails.

You need to enable the user to join a single computer to the domain. You must ensure that the user is deniedany additional rights beyond those required to complete the task.

What should you do?

A. Prestage the computer account in the Active Directory domain.B. Add the user to the Domain Administrators group for one day.C. Add the user to the Server Operators group in the Active Directory domain.D. Grant the user the right to log on locally by using a Group Policy Object (GPO).



QUESTION 87The default domain GPO in your company is configured by using the following account policy settings:

Minimum password length: 8 charactersMaximum password age: 30 daysEnforce password history: 12 passwords remembered Account lockout threshold: 3 invalid logon attemptsAccount lockout duration: 30 minutes

You install Microsoft SQL Server on a computer named Server1 that runs Windows Server 2008 R2. The SQLServer application uses a service account named SQLSrv. The SQLSrv account has domain user rights.

The SQL Server computer fails after running successfully for several weeks. The SQLSrv user account is notlocked out.

You need to resolve the server failure and prevent recurrence of the failure. Which two actions should youperform? (Each correct answer presents part of the solution. Choosetwo.)

A. Reset the password of the SQLSrv user account.B. Configure the local security policy on Server1 to grant the Logon as a service right on the SQLSrv user

account.C. Configure the properties of the SQLSrv account to Password never expires.D. Configure the properties of the SQLSrv account to User cannot change password.E. Configure the local security policy on Server1 to explicitly grant the SQLSrv user account the Allow logon

locally user right.



QUESTION 88Your company has two Active Directory forests named Forest1 and Forest2, The forest functional level and thedomain functional level of Forest1 are set to Windows Server 2008.

The forest functional level of Forest2 is set to Windows 2000, and the domain functional levels in Forest2 areset to Windows Server 2003.

You need to set up a transitive forest trust between Forest1 and Forest2,


A. Raise the forest functional level of Forest2 to Windows Server 2003 Interim mode.B. Raise the forest functional level of Forest2 to Windows Server 2003.C. Upgrade the domain controllers in Forest2 to Windows Server 2008.D. Upgrade the domain controllers in Forest2 to Windows Server 2003.




Creating Forest Trusts

You can link two disjoined Active Directory Domain Services (AD DS) forests together to form a one-way ortwo-way, transitive trust relationship.

The following are required to create forest trusts successfully:

You can create a forest trust between two Windows Server 2003 forests, between two Windows Server 2008forests, between two Windows Server 2008 R2 forests, between a

Windows Server 2003 forest and a Windows Server 2008 forest, between a Windows Server 2003 forest and aWindows Server 2008 R2 forest, or between a Windows Server 2008 forest and a Windows Server 2008 R2forest. Forest trusts cannot be extended implicitly to a third forest.

To create a forest trust, the minimum forest functional level for the forests that are involved in the trustrelationship is Windows Server 2003.

QUESTION 89Your company has an Active Directory forest that contains two domains, The forest has universal groups thatcontain members from each domain. A branch office has a domain controller named DC1, Users at the branchoffice report that the logon process takes too long.

You need to decrease the amount of time it takes for the branch office users to logon.

What should you do?

A. Configure DC1 as a Global Catalog server.B. Configure DC1 as a bridgehead server for the branch office site.C. Decrease the replication interval on the site link that connects the branch office to the corporate network.D. Increase the replication interval on the site link that connects the branch office to the corporate network.

Correct Answer: A



QUESTION 90Your company has an Active Directory domain. The main office has a DNS server named DNS1 that isconfigured with Active Directory-integrated DNS. The branch office has a DNS server named DNS2 thatcontains a secondary copy of the zone from DNS1. The two offices are connected with an unreliable WAN link.

You add a new server to the main office. Five minutes after adding the server, a user from the branch officereports that he is unable to connect to the new server.

You need to ensure that the user is able to connect to the new server.

What should you do?

A. Clear the cache on DNS2.B. Reload the zone on DNS1.C. Refresh the zone on DNS2.D. Export the zone from DNS1 and import the zone to DNS2.



QUESTION 91You need to validate whether Active Directory successfully replicated between two domain controllers.

What should you do?

A. Run the DSget command.B. Run the Dsquery command.C. Run the RepAdmin command.D. Run the Windows System Resource Manager.




You can use the repadmin /showrepl command to verify successful replication to a specific domain controller.

QUESTION 92You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup feature isinstalled on the domain controller.

You need to perform a non-authoritative restore of the domain controller by using anexisting backup file.

What should you do?

A. Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN command to performa critical volume restore.

B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-into perform a critical volume restore.

C. Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to perform a criticalvolume restore.

D. Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical volumerestore.



QUESTION 93Your company has an Active Directory forest. Not all domain controllers in the forest are configured as GlobalCatalog Servers. Your domain structure contains one root domain and one child domain.

You modify the folder permissions on a file server that is in the child domain. You discover that some AccessControl entries start with S-1-5-21 and that no account name is listed.

You need to list the account names.

What should you do?

A. Move the RID master role in the child domain to a domain controller that holds the Global Catalog.B. Modify the schema to enable replication of the friendlynames attribute to the Global Catalog.C. Move the RID master role in the child domain to a domain controller that does not hold the Global Catalog.D. Move the infrastructure master role in the child domain to a domain controller that does not hold the Global

Catalog.



QUESTION 94Your company security policy requires complex passwords.

You have a comma delimited file named import.csv that contains user account information.

You need to create user account in the domain by using the import.csv file. You also need to ensure that thenew user accounts are set to use default passwords and are disabled.

What should you do?

A. Modify the userAccountControl attribute to disabled. Run the csvde i k f import.csv command. Run theDSMOD utility to set default passwords for the user accounts.

B. Modify the userAccountControl attribute to accounts disabled. Run the csvde -f import.csv command. Runthe DSMOD utility to set default passwords for the user accounts.

C. Modify the userAccountControl attribute to disabled. Run the wscript import.csv command. Run the DSADDutility to set default passwords for the imported user accounts.

D. Modify the userAccountControl attribute to disabled. Run ldifde -i -f import.csv command. Run the DSADDutility to set passwords for the imported user accounts.



QUESTION 95You are installing an application on a computer that runs Windows Server 2008 R2.

During installation, the application will need to install new attributes and classes to the Active Directorydatabase.

You need to ensure that you can install the application.

What should you do?

A. Change the functional level of the forest to Windows Server 2008 R2.B. Log on by using an account that has Server Operator rights.C. Log on by using an account that has Schema Administrator rights and the appropriate rights to install the

application.D. Log on by using an account that has the Enterprise Administrator rights and the appropriate rights to install

the application."A Composite Solution With Just One Click" - Certification Guaranteed 55 Microsoft 70-640 : Practice Test




QUESTION 96Your company has an Active Directory forest. The company has servers that run Windows Server 2008 R2 andclient computers that run Windows 7. The domain uses a set of GPO administrative templates that have beenapproved to support regulatory compliance requirements.

Your partner company has an Active Directory forest that contains a single domain. The company has serversthat run Windows Server 2008 R2 and client computers that run Windows 7.

You need to configure your partner company's domain to use the approved set of administrative templates.

What should you do?

A. Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file.

In each site, import the GPO to the default domain policy.B. Copy the ADMX files from your company's PDC emulator to the PolicyDefinitions folder on the partner

company's PDC emulator.C. Copy the ADML files from your company's PDC emulator to the PolicyDefinitions folder on the partner

company's PDC emulator.D. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Web

site. Copy the ADM files to the PolicyDefinitions folder on thr partner company's emulator.



QUESTION 97You need to ensure that users who enter three successive invalid passwords within 5 minutes are locked outfor 5 minutes.

Which three actions should you perform? (Each correct answer presents part of the solution.

Choose three.)

A. Set the Minimum password age setting to one day.B. Set the Maximum password age setting to one day.C. Set the Account lockout duration setting to 5 minutes.D. Set the Reset account lockout counter after setting to 5 minutes.E. Set the Account lockout threshold setting to 3 invalid logon attempts.F. Set the Enforce password history setting to 3 passswords remembered.

Correct Answer: CDESection: (none)Explanation


QUESTION 98Your company has an Active Directory domain and an organizational unit. The organizational unit is namedWeb.

You configure and test new security settings for Internet Information Service (IIS) Servers on a server namedIISServerA.

You need to deploy the new security settings only on the IIS servers that are members of the Weborganizational unit.

What should you do?

A. Run secedit /configure /db iis.inf from the command prompt on IISServerA, then run secedit /configure /dbwebou.inf from the comand prompt.

B. Export the settings on IISServerA to create a security template. Import the security template into a GPO andlink the GPO to the Web organizational unit.

C. Export the settings on IISServerA to create a security template. Run secedit /configure /db webou.inf fromthe comand prompt.

D. Import the hisecws.inf file template into a GPO and link the GPO to the Web organizational unit.



QUESTION 99Your network consists of an Active Directory forest that contains two domains. All servers

run Windows Server 2008 R2. All domain controllers are configured as DNS Servers.

You have a standard primary zone for dev.contoso.com that is stored on a member server.

You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone.

What should you do?

A. On the member server, create a stub zone.B. On the member server, create a NS record for each domain controller.C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to

all DNS servers in the forest.D. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to

all DNS servers in the domain.



QUESTION 100Your company has an Active Directory domain. You install a new domain controller in the domain. Twenty usersreport that they are unable to log on to the domain.

You need to register the SRV records.

Which command should you run on the new domain controller?

A. Run the netsh interface reset command.B. Run the ipconfig /flushdns command.C. Run the dnscmd /EnlistDirectoryPartition command.D. Run the sc stop netlogon command followed by the sc start netlogon command.



MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)page 62

The SRV resource records for a domain controller are important in enabling clients to locate the domain

controller. The Netlogon service on domain controllers registers thisresource record whenever a domain controller is restarted. You can also re-register a domain controller's SRVresource records by restarting this service from the Services branch of Server Manager or by typing net startnetlogon. An exam

Question might ask you how to troubleshoot the nonregistration of SRV resource records.

Topic 2, Volume B

Exam B

QUESTION 1You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server role installed.

You need to minimize the amount of time it takes for client computers to download a certificate revocation list(CRL).

What should you do?

A. Install and configure an Online Responder.B. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client

workstations.C. Install and configure an additional domain controller.D. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations.



QUESTION 2You want users to log on to Active Directory by using a new Principal Name (UPN).

You need to modify the UPN suffix for all user accounts.


A. DsmodB. NetdomC. RedirusrD. Active Directory Domains and Trusts



QUESTION 3Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.Auditing is configured to log changes made to the Managed By attribute on group objects in an organizationalunit named OU1.

You need to log changes made to the Description attribute on all group objects in OU1 only.

What should you do?

A. Run auditpol.exe.B. Modify the auditing entry for OU1.C. Modify the auditing entry for the domain.D. Create a new Group Policy Object (GPO). Enable Audit account management policy setting. Link the GPO

to OU1.



QUESTION 4Your company uses shared folders. Users are granted access to the shared folders by using domain localgroups. One of the shared folders contains confidential data.

You need to ensure that unauthorized users are not able to access the shared folder that contains confidentialdata.

What should you do?

A. Enable the Do not trust this computer for delegation property on all the computers of unauthorized users byusing the Dsmod utility.

B. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full control permission on the shared folders that hold the confidential data for the Guest account.

C. Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users in tothe Deny DLG group. Configure the Allow Full control permission on the shared folder that hold theconfidential data for the Deny DLG group.

D. Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorizedusers in to the Deny DLG group. Configure the Deny Full control permission on the shared folder that holdthe confidential data for the Deny DLG group.



QUESTION 5Your company has an Active Directory domain. You install an Enterprise Root certification authority (CA) on amember server named Server1.

You need to ensure that only the Security Manager is authorized to revoke certificates that are supplied byServer1.

What should you do?

A. Remove the Request Certificates permission from the Domain Users group.B. Remove the Request Certificated permission from the Authenticated Users group.C. Assign the Allow - Manage CA permission to only the Security Manager user Account.D. Assign the Allow - Issue and Manage Certificates permission to only the Security Manger user account




Implement Role-Based Administration

You can use role-based administration to organize certification authority (CA) administrators into separate,predefined CA roles, each with its own set of tasks. Roles are assigned by using each user's security settings.

You assign a role to a user by assigning that user the specific security settings that are associated with the role.A user that has one type of permission, such as Manage CA permission, can perform specific CA tasks that auser with another type of permission, such as Issue and Manage Certificates permission, cannot perform.

The following table describes the roles, users, and groups that can be used to implement role-basedadministration.

Roles and groups

Certificate manager

Security permission

Issue and Manage Certificates

Description

Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to asCA officer. These permissions are assigned by using the Certification Authority snap-in.

QUESTION 6You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.

What is the minimal forest functional level that you should use?

A. Windows Server 2008 R2B. Windows Server 2008C. Windows Server 2003D. Windows 2000




Prerequisites for Deploying an RODC

Complete the following prerequisites before you deploy a read-only domain controller (RODC):

Ensure that the forest functional level is Windows Server 2003 or higher, so that linked- valuereplication (LVR)is available.

QUESTION 7Your company has three Active Directory domains in a single forest. You install a new Active Directory enabledapplication. The application ads new user attributes to the Active Directory schema.

You discover that the Active Directory replication traffic to the Global Catalogs has increased.

You need to prevent the new attributes from being replicated to the Global Catalog. You must achieve this goal

without affecting application functionality.

What should you do?

A. Change the replication interval for the DEFAULTIPSITELINK object to 9990.B. Change the cost for the DEFAULTIPSITELINK object to 9990.C. Make the new attributes in the Active Directory as defunct.D. Modify the properties in the Active Directory schema for the new attributes.



QUESTION 8Your network contains an Active Directory forest named contoso.com. The forest contains two sites namedSeattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configuredas shown in the following table.

The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server in the forest.

You need to configure DC2 as a global catalog server.

Which object's properties should you modify?

To answer, select the appropriate object in the answer area.

A.B.C.D.

Correct Answer: Section: (none)Explanation


QUESTION 9Your network contains an Active Directory forest named contoso.com. The forest containstwo Active Directory sites named Seattle and Montreal. The Montreal site is a branch office that contains only asingle read-only domain controller (RODC).

You accidentally delete the site link between the two sites.

You recreate the site link while you are connected to a domain controller in Seattle.

You need to replicate the change to the RODC in Montreal.

Which node in Active Directory Sites and Services should you use?To answer, select the appropriate node inthe answer area.

A.B.C.D.




QUESTION 10Your network contains an Active Directory forest named contoso.com. The forest contains two sites namedSeattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configuredas shown in the following table.

You need to enable universal group membership caching in the Seattle site.

Which object's properties should you modify?

To answer, select the appropriate object in the answer area.

A.B.C.D.


Explanation/Reference:"A Composite Solution With Just One Click" - Certification Guaranteed 66 Microsoft 70-640 : Practice Test

QUESTION 11You are decommissioning one of the domain controllers in a child domain.

You need to transfer all domain operations master roles within the child domain to a newly installed domaincontroller in the same child domain.

Which three domain operations master roles should you transfer? (Each correct answer presents part of thesolution. Choose three.)

A. RID masterB. PDC emulatorC. Schema masterD. Infrastructure masterE. Domain naming master

Correct Answer: ABDSection: (none)Explanation


QUESTION 12There are 100 servers and 2000 computers present at your company's headquarters.

The DHCP service is installed on a two-node Microsoft failover cluster named CKMFO to ensure the highavailability of the service.

The nodes are named as CKMFON1 and CKMFON2.

The cluster on CKMFO has one physical shared disk of 400 GB capacity.

A 200GB single volume is configured on the shared disk.

Company has decided to host a Windows Internet Naming Service (WINS) on CKMFON1.

The DHCP and WINS services will be hosted on other nodes.

Using High Availability Wizard, you begin creating the WINS service group on cluster available on CKMFON1node.

The wizard shows an error "no disks are available" during configuration.

Which action should you perform to configure storage volumes on CKMFON1 to successfully add the WINSService group to CKMFON1?

A. Backup all data on the single volume on CKMFON1 and configure the disk with GUID partition table andcreate two volumes. Restore the backed up data on one of the volumes and use the other for WINS servicegroup

B. Add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volumeto fix the error in the wizard.

C. Add new physical shared disks to CKMFON1 and EMBFON2. Configure the volumes onthese disk anddirect CKMOFONI to use CKMFON2 volume for the WINS service group

D. Add and configure a new volume on the existing shared disk which has 400GB of space.Use this volume to fix the error in the wizard

E. None of the above



QUESTION 13Exhibit:

Company servers run Windows Server 2008. It has a single Active Directory domain. A server called S4 has fileservices role installed. You install some disk for additional storage. The disks are configured as shown in theexhibit.

To support data stripping with parity, you have to create a new drive volume.

What should you do to achieve this objective?

A. Build a new spanned volume by combining Disk0 and Disk1B. Create a new Raid-5 volume by adding another disk.C. Create a new virtual volume by combining Disk 1 and Disk 2D. Build a new striped volume by combining Disk0 and Disk 2



QUESTION 14Your company asks you to implement Windows Cardspace in the domain.

You want to use Windows Cardspace at your home.

Your home and office computers run Windows Vista Ultimate.

What should you do to create a backup copy of Windows Cardspace cards to be used at home?

A. Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB driveB. Backup \Windows\Globalization folder by using backup status and save the folder on your USB driveC. Back up the system state data by using backup status tool on your USB driveD. Employ Windows Cardspace application to backup the data on your USB drive.E. Reformat the C: DriveF. None of the above



QUESTION 15Company has servers on the main network that run Windows Server 2008. It also has two domain controllers.

Active Directory services are running on a domain controller named CKDC1.

You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server.

What should you do to perform offline critical updates on CKDC1 without rebooting the server?

A. Start the Active Directory Domain Services on CKDC1B. Disconnect from the network and start the Windows update featureC. Stop the Active Directory domain services and install the updates. Start the Active Directory domain

services after installing the updates.D. Stop Active Directory domain services and install updates. Disconnect from the network and then connect

again.E. None of the above



QUESTION 16One of the remote branch offices is running a Windows Server 2008 read only domain controller (RODC). Forsecurity reasons you don't want some critical credentials like (passwords, encryption keys) to be stored onRODC.

What should you do so that these credentials are not replicated to any RODC's in the forest? (Select 2)

A. Configure RODC filtered attribute set on the serverB. Configure RODC filtered set on the server that holds Schema Operations Master role.C. Delegate local administrative permissions for an RODC to any domain user without granting that user any

user rights for the domainD. Configure forest functional level server for Windows server 2008 to configure filtered attribute set.E. None of the above


Explanation/Reference:Explanation: Explanation/Reference:http://technet.microsoft.com/en-us/library/cc753223.aspx Adding attributes to the RODC filtered attribute setThe RODC filtered attribute set is a dynamic set of attributes that is not replicated to any RODCs in the forest.You can configure the RODC filtered attribute set on a schema master that runs Windows Server2008. When the attributes are prevented from replicating to RODCs, that data cannot be exposedunnecessarily if an RODC is stolen or compromised. A malicious user who compromises an RODC can attemptto configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set.If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008,the replication request is denied. However, if the RODC tries to replicate those attributes from a domaincontroller that is running Windows Server 2003, the replication request could succeed.Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan toconfigure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODCthat is compromised cannot be exploited in this manner because domain controllers that are running WindowsServer 2003 are not allowed in the forest.

QUESTION 17Company has a server with Active Directory Rights Management Services (AD RMS) server installed. Usershave computers with Windows Vista installed on them with an Active Directory domain installed at WindowsServer 2003 functional level.As an administrator at Company, you discover that the users are unable to benefit from AD RMS to protect theirdocuments.

You need to configure AD RMS to enable users to use it and protect their documents.

What should you do to achieve this functionality?

A. Configure an email account in Active Directory Domain Services (AD DS) for each user.B. Add and configure ADRMSADMIN account in local administrators group on the user computersC. Add and configure the ADRMSSRVC account in AD RMS server's local administrator groupD. Reinstall the Active Directory domain on user computersE. All of the above

Correct Answer: ASection: (none)

Explanation


QUESTION 18Company has an active directory forest on a single domain.

Company needs a distributed application that employs a custom application. The application is directorypartition software named PARDAT.

You need to implement this application for data replication.

Which two tools should you use to achieve this task? (Choose two answers. Each answer is a part of acomplete solution)

A. Dnscmd.B. Ntdsutil.C. IpconfigD. DnsutilE. All of the above



QUESTION 19

Company has an Active Directory forest with six domains. The company has 5 sites. The company requires anew distributed application that uses a custom application directory partition named ResData for datareplication.

The application is installed on one member server in five sites.

You need to configure the five member servers to receive the ResData application directory partition for datareplication.

What should you do?

A. Run the Dcpromo utility on the five member servers.B. Run the Regsvr32 command on the five member serversC. Run the Webadmin command on the five member serversD. Run the RacAgent utility on the five member servers



QUESTION 20As an administrator at Company, you have installed an Active Directory forest that has a single domain.

You have installed an Active Directory Federation services (AD FS) on the domain member server.

What should you do to configure AD FS to make sure that AD FS token contains information from the activedirectory domain?

A. Add a new account store and configure it.B. Add a new resource partner and configure itC. Add a new resource store and configure itD. Add a new administrator account on AD FS and configure itE. None of the above



QUESTION 21

Company runs Window Server 2008 on all of its servers. It has a single Active Directory domain and it usesEnterprise Certificate Authority. The security policy at ABC.com makes it necessary to examine revokedcertificate information.

You need to make sure that the revoked certificate information is available at all times.

What should you do to achieve that?

A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer certificates and linkthe GPO to the domain.

B. Configure and use a GPO to publish a list of trusted certificate authorities to the domainC. Configure and publish an OCSP (Online certificate status protocol) responder through ISAS (Internet

Security and Acceleration Server) array.D. Use network load balancing and publish an OCSP responder.E. None of the above



QUESTION 22As the Company administrator you had installed a read-only domain controller (RODC) server at remotelocation.

The remote location doesn't provide enough physical security for the server.

What should you do to allow administrative accounts to replicate authentication information to Read-OnlyDomain Controllers?

A. Remove any administrative accounts from RODC's groupB. Add administrative accounts to the domain Allowed RODC Password Replication groupC. Set the Deny on Receive as permission for administrative accounts on the RODC computer account

Security tab for the Group Policy Object (GPO)

D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled.Link the GPO to the remote location. Activate the Read Allow and the Apply group policy Allow permissionsfor the administrators on the Security tab for the GPO.

E. None of the above



QUESTION 23ABC.com boasts a two-node Network Load Balancing cluster which is called web.CK1.com. The purpose ofthis cluster is to provide load balancing and high availability of the intranet website only.

With monitoring the cluster, you discover that the users can view the Network Load Balancing cluster in theirNetwork Neighborhood and they can use it to connect to various services by using the name web.CK1.com.

You also discover that there is only one port rule configured for Network Load Balancing cluster. You have toconfigure web.CK1.com NLB cluster to accept HTTP traffic only.

Which two actions should you perform to achieve this objective? (Choose two answers.Each answer is part of the complete solution)

A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster consoleB. Run the wlbs disable command on the cluster nodesC. Assign a unique port rule for NLB cluster by using the NLB Cluster consoleD. Delete the default port rules through Network Load Balancing Cluster console



QUESTION 24ABC.com has a main office and a branch office. ABC.com's network consists of a single Active Directory forest.

Some of the servers in the network run Windows Server 2008 and the rest run Windows server 2003.

You are the administrator at ABC.com. You have installed Active Directory Domain Services (AD DS) on acomputer that runs Windows Server 2008. The branch office is located in a physically insecure place. It has noIT personnel onsite and there are no administrators over there. You need to setup a Read-Only DomainController (RODC) on the Server Core installation computer in the branch office.

What should you do to setup RODC on the computer in branch office?

A. Execute an attended installation of AD DSB. Execute an unattended installation of AD DSC. Execute RODC through AD DSD. Execute AD DS by using deploying the image of AD DSE. none of the above


Explanation



Install an RODC on a Server Core installation

To install an RODC on a Server Core installation of Windows Server 2008, you must perform an unattendedinstallation of AD DS.

QUESTION 25You had installed an Active Directory Federation Services (AD FS) role on a Windows server 2008 in yourorganization.

Now you need to test the connectivity of clients in the network to ensure that they can successfully reach thenew Federation server and Federation server is operational.

What should you do? (Select all that apply)

A. Go to Services tab, and check if Active Directory Federation Services is runningB. In the event viewer, Applications, Event ID column look for event ID 674.C. Open a browser window, and then type the Federation Service URL for the new federation server.D. None of the above




Verify

Verify that a specific event (ID 674) was generated on the federation server proxy computer. This event isgenerated when the federation server proxy is able to successfully communicate with the Federation Service.

To perform this procedure, you must be a member of the local Administrators group, or you must have beendelegated the appropriate authority.

1. Log on to a client computer with Internet access.

2. Open a browser window, and then type the Uniform Resource Locator (URL) for the Federation Serviceendpoint, along with the path to the clientlogon.aspx page that is stored on the federation server proxy.

3. Press ENTER.

Note -At this point your browser should display the error Server Error in '/adfs' Application. This step isnecessary to generate event message 674 to verify that the clientlogon.aspx page is being loaded properly by

Internet Information Services (IIS).

4. Log on to the federation server proxy.

5. Click Start, point to Administrative Tools, and then click Event Viewer.

6. In the details pane, double-click Application.

7. In the Event column, look for event ID 674.

QUESTION 26ABC.com has purchased laptop computers that will be used to connect to a wireless network.

You create a laptop organizational unit and create a Group Policy Object (GPO) and configure user profiles byutilizing the names of approved wireless networks.

You link the GPO to the laptop organizational unit. The new laptop users complain to you that they cannotconnect to a wireless network.

What should you do to enforce the group policy wireless settings to the laptop computers?

A. Execute gpupdate/target:computer command at the command prompt on laptop computersB. Execute Add a network command and leave the SSID (service set identifier) blank "C. Execute gpupdate/boot command at the command prompt on laptops computersD. Connect each laptop computer to a wired network and log off the laptop computer and then login again.E. None of the above



QUESTION 27The Company has a Windows 2008 domain controller server. This server is routinely backed up over thenetwork from a dedicated backup server that is running Windows 2003 OS.

You need to prepare the domain controller for disaster recovery apart from the routine backup procedures.

You are unable to launch the backup utility while attempting to back up the system state data for the datacontroller.

You need to backup system state data from the Windows Server 2008 domain controller server.

What should you do?

A. Add your user account to the local Backup Operators groupB. Install the Windows Server backup feature using the Server Manager feature.C. Install the Removable Storage Manager feature using the Server Manager featureD. Deactivating the backup job that is configured to backup Windows 2008 server domain controller on the

Windows 2003 server.E. None of the above



QUESTION 28You are an administrator at ABC.com. Company has a RODC (read-only domain controller) server at a remote

location. The remote location doesn't have proper physical security.

You need to activate nonadministrative accounts passwords on that RODC server.

Which of the following action should be considered to populate the RODC server with non-

administrative accounts passwords?

A. Delete all administrative accounts from the RODC's groupB. Configure the permission to Deny on Receive for administrative accounts on the security tab for Group

Policy Object (GPO)C. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied

groupD. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the

security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators.E. None of the above



QUESTION 29ABC.com has a network that is comprise of a single Active Directory Domain.

As an administrator at ABC.com, you install Active Directory Lightweight Directory Services (AD LDS) on aserver that runs Windows Server 2008. To enable Secure Sockets Layer (SSL) based connections to the ADLDS server, you install certificates from a trusted Certification Authority (CA) on the AD LDS server and clientcomputers.

Which tool should you use to test the certificate with AD LDS?

A. Ldp.exeB. Active Directory Domain servicesC. ntdsutil.exeD. Lds.exeE. wsamain.exeF. None of the above



QUESTION 30ABC.com boasts a main office and 20 branch offices. Configured as a separate site, each branch office has aRead-Only Domain Controller (RODC) server installed.

Users in remote offices complain that they are unable to log on to their accounts. What should you do to makesure that the cached credentials for user accounts are only stored in their local branch office RODC server?

A. Open the RODC computer account security tab and set Allow on the Receive as permission only for the

users that are unable to log on to their accountsB. Add a password replication policy to the main Domain RODC and add user accounts in the security groupC. Configure a unique security group for each branch office and add user accounts to the respective security

group. Add the security groups to the password replication allowed group on the main RODC serverD. Configure and add a separate password replication policy on each RODC computer account



QUESTION 31The corporate network of Company consists of a Windows Server 2008 single Active Directory domain. Thedomain has two servers named Company 1 and Company 2.

To ensure central monitoring of events you decided to collect all the events on one server, to collect eventsfrom Company, and transfer them to Company 1.

You configure the required event subscriptions.

You selected the Normal option for the Event delivery optimization setting by using the HTTP protocol.

However, you discovered that none of the subscriptions work.

Which of the following actions would you perform to configure the event collection and event forwarding on thetwo servers? (Select three. Each answer is a part of the complete solution).

A. Run window execute the winrm quickconfig command on Company 2.B. Run window execute the wecutil qc command on Company 2.C. Add the Company 1 account to the Administrators group on Company 2.D. Run window execute the winrm quickconfig command on Company 1.E. Add the Company 2 account to the Administrators group on Company 1.F. Run window execute the wecutil qc command on Company 1.

Correct Answer: ACFSection: (none)Explanation


Explanation:

We need to do three things:1 - run winrm quickconfig on the source computer (Company 2) 2 - run wecutil qc on the collector computer(Company 1) 3 - add the computer account of the collector computer to the local Administrators group on thesource computerHad the Event delivery optimization setting been set to Minimize Bandwidth or Minimize Latency, then we wouldneed to run winrm quickconfig on the collector computer too. Because it's set to Normal we can skip that step.If the HTTPS protocol had been used we also would have had to configure Windows Firewall exceptions forport 443. But it's not, and it's not even listed, so that's cool.Reference:


Configure Computers to Forward and Collect Events

Before you can create a subscription to collect events on a computer, you must configure both the collectingcomputer (collector) and each computer from which events will be collected (source).

To configure computers in a domain to forward and collect events

1. Log on to all collector and source computers. It is a best practice to use a domain account with administrativeprivileges.

2. On each source computer, type the following at an elevated command prompt: winrm quickconfig

Note

If you intend to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, then youmust also run the above command on the collector computer.

3. On the collector computer, type the following at an elevated command prompt: wecutil qc

4. Add the computer account of the collector computer to the local Administrators group on each of the sourcecomputers.

5. The computers are now configured to forward and collect events. Follow the steps in Create a New

Subscription to specify the events you want to have forwarded to the collector.


QUESTION 32Your company has a main office and 40 branch offices. Each branch office is configured as a separate ActiveDirectory site that has a dedicated read-only domain controller (RODC). An RODC server is stolen from one ofthe branch offices.

You need to identify the user accounts that were cached on the stolen RODC server.

Which utility should you use?

A. Dsmod.exeB. Ntdsutil.exeC. Active Directory Sites and ServicesD. Active Directory Users and Computers



QUESTION 33ABC.com has a software evaluation lab. There is a server in the evaluation lab named as CKT. CKT runsWindows Server 2008 and Microsoft Virtual Server 2005 R2. CKT has 200 virtual servers running on anisolated virtual segment to evaluate software. To connect to the internet, it uses physical network interface card.

ABC.com requires every server in the company to access Internet. ABC.com security policy dictates that the IPaddress space used by software evaluation lab must not be used by other networks. Similarly, it states the IPaddress space used by other networks should not be used by the evaluation lab network.

As an administrator you find you that the applications tested in the software evaluation lab need to access

normal network to connect to the vendors update servers on the internet.

You need to configure all virtual servers on the CKT server to access the internet. You also need to comply withcompany's security policy.

Which two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of thecomplete solution)

A. Trigger the Virtual DHCP server for the external virtual network and run ipconfig/renew command on eachvirtual server

B. On CKT's physical network interface, activate the Internet Connection Sharing (ICS)C. Use ABC.com intranet IP addresses on all virtual servers on CKT.D. Add and install a Microsoft Loopback Adapter network interface on CKT. Use a new network interface and

create a new virtual network.E. None of the above



QUESTION 34You are an administrator at ABC.com. Company has a network of 5 member servers acting as file servers. Ithas an Active Directory domain.

You have installed a software application on the servers. As soon as the application is installed, one of themember servers shuts down itself. To trace and rectify the problem, you create a Group Policy Object (GPO).

You need to change the domain security settings to trace the shutdowns and identify the cause of it.

What should you do to perform this task?

A. Link the GPO to the domain and enable System Events optionB. Link the GPO to the domain and enable Audit Object Access optionC. Link the GPO to the Domain Controllers and enable Audit Object Access optionD. Link the GPO to the Domain Controllers and enable Audit Process tracking optionE. Perform all of the above actions



QUESTION 35ABC.com has a network that consists of a single Active Directory domain. A technician has accidently deletedan Organizational unit (OU) on the domain controller. As an administrator of ABC.com, you are in process ofrestoring the OU.

You need to execute a non-authoritative restore before an authoritative restore of the OU.

Which backup should you use to perform non- authoritative restore of Active Directory

Domain Services (AD DS) without disturbing other data stored on domain controller?

A. Critical volume backupB. Backup of all the volumesC. Backup of the volume that hosts Operating systemD. Backup of AD DS foldersE. all of the above



QUESTION 36ABC.com has a network that consists of a single Active Directory domain.Windows Server 2008 is installed onall domain controllers in the network.

You are instructed to capture all replication errors from all domain controllers to a central location.

What should you do to achieve this task?

A. Initiate the Active Directory Diagnostics data collector setB. Set event log subscriptions and configure itC. Initiate the System Performance data collector setD. Create a new capture in the Network Monitor



QUESTION 37Company has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers. Clientcomputers running Windows XP and Windows Vista. All domain controllers are running Windows server 2008.

You need to deploy Active Directory Rights Management System (AD RMS) to secure all documents,spreadsheets and to provide user authentication.

What do you need to configure, in order to complete the deployment of AD RMS?

A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company _DC1B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all

systems. Install AD RMS on domain controller Company _DC1C. Upgrade all client computers to Windows Vista. Install AD RMS on Company _SRV5D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all

systems. Install AD RMS on domain controller Company _SRV5E. None of the above



QUESTION 38You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensurethat data and log files are backed up regularly. This will also ensure the continued availability of data toapplications and users in the event of a system failure.

Because you have limited media resources, you decided to backup only specific ADLDS instance instead oftaking backup of the entire volume.

What should you do to accomplish this task?

A. Use Windows Server backup utility and enable checkbox to take only backup of database and log files ofAD LDS

B. Use Dsdbutil.exe tool to create installation media that corresponds only to the ADLDS instanceC. Move AD LDS database and log files on a separate volume and use windows server backup utilityD. None of the above




Backing up AD LDS instance data with Dsdbutil.exe

With the Dsdbutil.exe tool, you can create installation media that corresponds only to the AD LDS instance thatyou want to back up, as opposed to backing up entire volumes that contain the AD LDS instance.

QUESTION 39You had installed Windows Server 2008 on a computer and configured it as a file server, named FileSrv1. TheFileSrv1 computer contains four hard disks, which are configured as basic disks.

For fault tolerance and performance you want to configure Redundant Array of Independent Disks (RAID) 0 +1on FileSrv1.

Which utility you will use to convert basic disks to dynamic disks on FileSrv1?

A. Diskpart.exeB. Chkdsk.exeC. Fsutil.exeD. Fdisk.exeE. None of the above




[Diskpart] Convert dynamic Converts a basic disk into a dynamic disk.

QUESTION 40ABC.com has a domain controller that runs Windows Server 2008. The ABC.com network boasts 40 WindowsVista client machines.

As an administrator at ABC.com, you want to deploy Active Directory Certificate service (AD CS) to authorizethe network users by issuing digital certificates.

What should you do to manage certificate settings on all machines in a domain from one main location?

A. Configure Enterprise CA certificate settingsB. Configure Enterprise trust certificate settingsC. Configure Advance CA certificate settingsD. Configure Group Policy certificate settingsE. All of the above




AD CS: Policy Settings

In the Windows Server® 2008 operating system, certificate-related Group Policy settings enable administratorsto manage certificate validation settings according to the security needs of the organization.

What are certificate settings in Group Policy?

Certificate settings in Group Policy enable administrators to manage the certificate settings on all thecomputers in the domain from a central location.

QUESTION 41A domain controller named DC12 runs critical services. Restructuring of the organizational unit hierarchy for thedomain has been completed and unnecessary objects have been deleted.

You need to perform an offline defragmentation of the Active Directory database on DC12. You also need toensure that the critical services remain online.

What should you do?

A. Start the domain controller in the Directory Services restore mode. Run the Defrag utility.B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility.C. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the

Defrag utility.D. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the

Ntdsutil utility.



QUESTION 42Your company has a server that runs Windows Server 2008 R2. The server runs an instance of Active

Directory Lightweight Directory Services (AD LDS).

You need to replicate the AD LDS instance on a test computer that is located on the network.

What should you do?

A. Run the repadmin /kcc <servername> command on the test computer.B. Create a naming context by running the Dsmgmt command on the test computer.C. Create a new directory partition by running the Dsmgmt command on the test computer.D. Create and install a replica by running the AD LDS Setup wizard on the test computer.




Create a Replica AD LDS Instance

To create an AD LDS instance and join it to an existing configuration set, use the Active Directory Lightweight

Directory Services Set Wizard to create a replica AD LDS instance.

To create a replica AD LDS instance

1. Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services SetupWizard.

2. On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next.

3. On the Setup Options page, click A replica of an existing instance, and then click Next.

4. Finish creating the new instance by following the wizard instructions.

QUESTION 43

Your network contains an Active Directory domain. The relevant servers in the domain are configured as shownin the following table.

You need to ensure that all device certificate requests use the MD5 hash algorithm.

What should you do?

A. On Server2, run the Certutil tool.B. On Server1, update the CEP Encryption certificate template.C. On Server1, update the Exchange Enrollment Agent (Offline Request) template.D. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\ HashAlgorithm

\HashAlgorithm registry key.



http://technet.microsoft.com/en-us/library/ff955642.aspx

Managing Network Device Enrollment Service

Configuring NDES

NDES stores its configuration in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography

\MSCEP.

To change NDES configuration, edit the NDES registry settings by using Regedit.exe or Reg.exe, then restartIIS. If necessary, create the key and value using the names and data types described in the following table.

Key name

HashAlgorithm \ HashAlgorithm

Value Data Type

String

Default value

"A Composite Solution With Just One Click" - Certification Guaranteed 89 Microsoft 70-640 : Practice TestSHA1

Description

Accepted values are SHA1 and MD5.

QUESTION 44Your network contains an Active Directory domain.

You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise rootcertification authority (CA).

You have a client computer named Computer1 that runs Windows 7.

You enable automatic certificate enrollment for all client computers that run Windows 7.

You need to verify that the Windows 7 client computers can automatically enroll for certificates.

Which command should you run on Computer1?

A. certreq.exe retrieveB. certreq.exe submitC. certutil.exe getkeyD. certutil.exe pulse



QUESTION 45Your network contains two Active Directory forests named contoso.com and adatum.com. The functional levelof both forests is Windows Server 2008 R2. Each forest contains one domain. Active Directory CertificateServices (AD CS) is configured in the contoso.com forest to allow users from both forests to automaticallyenroll user certificates.You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.comcertification authority (CA).

What should you configure in the adatum.com domain?

A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.C. From the Default Domain Policy, modify the Certificate Enrollment policy.D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.



QUESTION 46You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) roleservices installed:

Enterprise root certification authority (CA)Certificate Enrollment Web ServiceCertificate Enrollment Policy Web Service

You create a new certificate template.

External users report that the new template is unavailable when they request a new certificate.

You verify that all other templates are available to the external users.

You need to ensure that the external users can request certificates by using the new template.

What should you do on Server1?

A. Run iisreset.exe /restart.B. Run gpupdate.exe /force.C. Run certutil.exe dspublish.D. Restart the Active Directory Certificate Services service.



QUESTION 47Your network contains an enterprise root certification authority (CA).

You need to ensure that a certificate issued by the CA is valid.

What should you do?

A. Run syskey.exe and use the Update option.B. Run sigverif.exe and use the Advanced option.C. Run certutil.exe and specify the -verify parameter.D. Run certreq.exe and specify the -retrieve parameter.



QUESTION 48You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates.

Users are required to log on to the domain by using a smart card. Your company's corporate security policystates that when an employee resigns, his ability to log on to the network must be immediately revoked. Anemployee resigns.

You need to immediately prevent the employee from logging on to the domain.

What should you do?

A. Revoke the employee's smart card certificate.B. Disable the employee's Active Directory account.C. Publish a new delta certificate revocation list (CRL).D. Reset the password for the employee's Active Directory account.



QUESTION 49Your network contains an Active Directory domain named contoso.com.

You need to view which password setting object is applied to a user.

Which filter option in Attribute Editor should you enable? To answer, select the appropriate filter option in theanswer area.

A.B.C.D.



QUESTION 50

Your network contains two Active Directory forests named contoso.com and fabrikam.com. A two-way foresttrust exists between the forests. Selective authentication is enabled on

the trust. Fabrikam.com contains a server named Server1.

You assign Contoso\Domain Users the Manage documents permission and the Print permission to a sharedprinter on Server1.

You discover that users from contoso.com cannot access the shared printer on Server1.

You need to ensure that the contoso.com users can access the shared printer on Server1.

Which permission should you assign to Contoso\Domain Users.

To answer, select the appropriate permission in the answer area.


A.B.C.D.

Correct Answer: Section: (none)

Explanation


QUESTION 51You add an Online Responder to an Online Responder Array.

You need to ensure that the new Online Responder resolves synchronization conflicts for all members of theArray.

What should you do?

A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1.B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32.C. From the Online Responder Management Console, select the new Online Responder, and then select Set

as Array Controller.D. From the Online Responder Management Console, select the new Online Responder, and then

selectSynchronize Members with Array Controller.



Reference 1:http://technet.microsoft.com/en-us/library/cc770413.aspx Managing Array membersFor each Array, one member is defined as the Array controller; the role of the Array controller is to help resolvesynchronization conflicts and to apply updated revocation configuration information to all Array members.

Reference 2:http://technet.microsoft.com/en-us/library/cc771281.aspx To designate an Array controller1. Open the Online Responder snap-in.2. In the console tree, click Array Configuration Members.3. Select the Online Responder that you want to designate as the Array controller.4. In the Actions pane, click Set as Array Controller.

QUESTION 52Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterpriseroot certification authority (CA).

You have a Web site that uses x.509 certificates for authentication. The Web site is configured to use amanyto-one mapping.

You revoke a certificate issued to an external partner. You need to prevent the external partner from accessingthe Web site.

What should you do?

A. Run certutil.exe -crl.B. Run certutil.exe -delkey.C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.D. From Active Directory Users and Computers, modify the Contact object for the external partner.



QUESTION 53Your company has a main office and five branch offices that are connected by WAN links. The company has anActive Directory domain named contoso.com. Each branch office has a member server configured as a DNSserver. All branch office DNS servers host a secondary zone for contoso.com.

You need to configure the contoso.com zone to resolve client queries for at least four days in the event that aWAN link fails.

What should you do?

A. Configure the Expires after option for the contoso.com zone to 4 days.B. Configure the Retry interval option for the contoso.com zone to 4 days.C. Configure the Refresh interval option for the contoso.com zone to 4 days.D. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.



QUESTION 54Your company has an Active Directory domain named contoso.com. FS1 is a member server in contoso.com.

You add a second network interface card, NIC2, to FS1 and connect NIC2 to a subnet that contains computersin a DNS domain named fabrikam.com. Fabrikam.com has a DHCP server and a DNS server.

Users in fabrikam.com are unable to resolve FS1 by using DNS.You need to ensure that FS1 has an A record in the fabrikam.com DNS zone.


A. Configure the DHCP server in fabrikam.com with the scope option 044 WINS/NBNS Servers.B. Configure the DHCP server in fabrikam.com by setting the scope option 015 DNS Domain Name to the

domain name fabrikam.com.C. Configure NIC2 by configuring the Append these DNS suffixes (in order): option.D. Configure NIC2 by configuring the Use this connection's DNS suffix in DNS registration option.E. Configure the DHCP server in contoso.com by setting the scope option 015 DNS Domain Name to the

domain name fabrikam.com.



QUESTION 55Your company Datum Corporation, has a single Active Directory domain named intranet.adatum.com. Thedomain has two domain controllers that run Windows Server 2008 R2 operating system. The domaincontrollers also run DNS servers.

The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the Dynamicupdates setting configured to Secure only.

A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated only bydomain controllers or member servers.

You need to configure the intranet.adatum.com zone to meet the new security policy requirement.


A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zoneproperties.

B. Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNSzone properties.

C. Assign the server computer accounts the Allow on Write All Properties permission on "A CompositeSolution With Just One Click" - Certification Guaranteed 98 Microsoft 70-640 : Practice Testthe Security tab of the intranet.adatum.com DNS zone properties.

D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tabof the intranet.adatum.com DNS zone properties.



QUESTION 56Your company has two Active Directory forests as shown in the following table.

The forests are connected by using a two-way forest trust. Each trust direction is configured with forest-wideauthentication. The new security policy of the company prohibits users from the eng.fabrikam.com domain toaccess resources in the contoso.com domain.

You need to configure the forest trust to meet the new security policy requirement.

What should you do?

A. Delete the outgoing forest trust in the contoso.com domain.B. Delete the incoming forest trust in the contoso.com domain.C. Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wide

authentication to Selective authentication.D. Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude *.eng.

fabrikam.com from the Name Suffix Routing trust properties.



QUESTION 57Your company has an Active Directory Rights Management Services (AD RMS) server. Users have WindowsVista computers. An Active Directory domain is configured at the Windows Server 2003 functional level.

You need to configure AD RMS so that users are able to protect their documents.

What should you do?

A. Install the AD RMS client 2.0 on each client computer.B. Add the RMS service account to the local administrators group on the AD RMS server.C. Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user.D. Upgrade the Active Directory domain to the functional level of Windows Server 2008.



QUESTION 58Your company has an Active Directory domain. All consultants belong to a global group named TempWorkers.

The TempWorkers group is not nested in any other groups.

You move the computer objects of three file servers to a new organizational unit named SecureServers. Thesefile servers contain only confidential data in shared folders.

You need to prevent members of the TempWorkers group from accessing the confidential data on the fileservers.

You must achieve this goal without affecting access to other domain resources.

What should you do?

A. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to thiscomputer from the network user right to the TempWorkers global group.

B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the networkuser right to the TempWorkers global group.

C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkersglobal group.

D. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on locally userright to the TempWorkers global group.



QUESTION 59

Your network consists of a single Active Directory domain. User accounts for engineering department arelocated in an OU named Engineering.

You need to create a password policy for the engineering department that is different from your domainpassword policy.

What should you do?

A. Create a new GPO. Link the GPO to the Engineering OU.B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the

Engineering OU.C. Create a global security group and add all the user accounts for the engineering department to the group.

Create a new Password Policy Object (PSO) and apply it to the group.D. Create a domain local security group and add all the user accounts for the engineering department to the

group. From the Active Directory Users and Computer console, select the group and run the Delegation ofControl Wizard.



QUESTION 60Your network contains an Active Directory domain. The domain contains two domain controllers named DC1and DC2. DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the zone.DC2 hosts a standard secondary DNS zone for the domain.

You need to configure DNS to allow only secure dynamic updates.


A. On DC1 and DC2, configure a trust anchor.B. On DC1 and DC2, configure a connection security rule.C. On DC1, configure the zone transfer settings.D. On DC1, configure the zone to be stored in Active Directory.



QUESTION 61

Your network contains a domain controller that has two network connections named Internal and Private.

Internal has an IP address of 192.168.0.20. Private has an IP address of 10.10.10.5. You need to prevent thedomain controller from registering Host (A) records for the 10.10.10.5 IP address.

What should you do?

A. Modify the netlogon.dns file on the domain controller.B. Modify the Name Server settings of the DNS zone for the domain.C. Modify the properties of the Private network connection on the domain controller.D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.



QUESTION 62Your network contains an Active Directory forest named contoso.com. You plan to add a new domain namednwtraders.com to the forest. All DNS servers are domain controllers.

You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNSservers in the forest.

What should you do?

A. Add the computer accounts of all the domain controllers to the DnsAdmins group.B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group.C. Create a standard primary zone on a domain controller in the forest root domain.D. Create an Active Directory-integrated zone on a domain controller in the forest root domain.



QUESTION 63Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named DC1. DC1 hosts a standard primary zone for contoso.com.

You discover that non-domain member computers register records in the contoso.com

zone.

You need to prevent the non-domain member computers from registering records in the contoso.com zone.

All domain member computers must be allowed to register records in the contoso.com zone.


A. Configure a trust anchor.B. Run the Security Configuration Wizard (SCW).C. Change the contoso.com zone to an Active Directory-integrated zone.D. Modify the security settings of the %SystemRoot%\System32\Dns folder.




You create a GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. Thetarget host of the record is server2.contoso.com.

When you ping Server1, you discover that the name fails to resolve.

You successfully resolve server2.contoso.com.

You need to ensure that you can resolve names by using the GlobalNames zone.

What should you do?

A. From the command prompt, use the netsh tool.B. From the command prompt, use the dnscmd tool.C. From DNS Manager, modify the properties of the GlobalNames zone.D. From DNS Manager, modify the advanced settings of the DNS server.



Reference:


Enable GlobalNames zone support

The GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitlyenabled by using the following command on every authoritative DNS server in the forest:

dnscmd<ServerName> /config /enableglobalnamessupport 1

QUESTION 65Your company has a main office and a branch office.

The network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com isconfigured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain.

The main office contains a writable domain controller named DC1. The branch office contains a read- onlydomain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and areconfigured as DNS servers.

You uninstall the DNS server role from RODC1.

You need to prevent DNS records from replicating to RODC1.

What should you do?

A. Modify the replication scope for the contoso.com zone.B. Flush the DNS cache and enable cache locking on RODC1.C. Configure conditional forwarding for the contoso.com zone.D. Modify the zone transfer settings for the contoso.com zone.



QUESTION 66

Your network contains an Active Directory domain named contoso.com. The domain contains the serversshown in the following table.

The functional level of the forest is Windows Server 2003. The functional level of the domain is WindowsServer 2003.

DNS1 and DNS2 host the contoso.com zone.

All client computers run Windows 7 Enterprise.

You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC.


A. Change the functional level of the forest.B. Change the functional level of the domain.C. Upgrade DC1 to Windows Server 2008 R2.D. Upgrade DNS1 to Windows Server 2008 R2.



QUESTION 67Your network contains a domain controller that is configured as a DNS server. The server hosts an ActiveDirectory-integrated zone for the domain.

You need to reduce how long it takes until stale records are deleted from the zone.

What should you do?

A. From the configuration directory partition of the forest, modify the tombstone lifetime.B. From the configuration directory partition of the forest, modify the garbage collection interval.C. From the aging properties of the zone, modify the no-refresh interval and the refresh interval.D. From the start of authority (SOA) record of the zone, modify the refresh interval and the expire interval.



QUESTION 68You have an Active Directory domain named contoso.com. You have a domain controller named Server1 that isconfigured as a DNS server. Server1 hosts a standard primary zone for contoso.com. The DNS configuration ofServer1 is shown in the exhibit. (Click the Exhibit button.)

You discover that stale resource records are not automatically removed from the contoso.com zone.

You need to ensure that the stale resource records are automatically removed from the contoso.com zone.

What should you do?

A. Set the scavenging period of Server1 to 0 days.B. Modify the Server Aging/Scavenging properties.C. Configure the aging properties for the contoso.com zone.D. Convert the contoso.com zone to an Active Directory-integrated zone.




You remove several computers from the network.

You need to ensure that the host (A) records for the removed computers are automatically deleted from the

contoso.com DNS zone.

What should you do?

A. Configure dynamic updates.B. Configure aging and scavenging.C. Create a scheduled task that runs the Dnscmd /ClearCache command.D. Create a scheduled task that runs the Dnscmd /ZoneReload contoso.com command.



QUESTION 70You need to force a domain controller to register all service location (SRV) resource records in DNS.

Which command should you run?

A. ipconfig.exe /registerdnsB. net.exe stop dnscache & net.exe start dnscacheC. net.exe stop netlogon & net.exe start netlogonD. regsvr32.exe dnsrslvr.dll




The SRV resource records for a domain controller are important in enabling clients to locate the domaincontroller. The Netlogon service on domain controllers registers this resource record whenever a domaincontroller is restarted. You can also re-register a domain controller's SRV resource records by restarting thisservice from the Services branch of Server Manager or by typing net start netlogon. An exam question mightask you how to troubleshoot the nonregistration of SRV resource records.


You plan to deploy a child domain named sales.contoso.com.

The domain controllers in sales.contoso.com will be DNS servers for sales.contoso.com.

You need to ensure that users in contoso.com can connect to servers in sales.contoso.com by using fullyqualified domain names (FQDNs).

What should you do?

A. Create a DNS forwarder.B. Create a DNS delegation.C. Configure root hint servers.

D. Configure an alternate DNS server on all client computers.



QUESTION 72Your network contains a single Active Directory domain named contoso.com. The domain contains two domaincontrollers named DC1 and DC2 that run Windows Server 2008 R2.DC1 hosts a primary zone for Contoso.

com. DC2 hosts a secondary zone for contosto.com.

On DC1, you change the zone to an Active Directory-integrated zone and configure the zone to accept securedynamic updates only.

You need to ensure that DC2 can accept secure dynamic updates to the contoso.com zone.


A. dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.comB. dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimaryC. dnslint.exe /qlD. repadmin.exe /syncall /force



QUESTION 73Your network contains an Active Directory domain named contoso.com. You run nslookup.exe as shown in thefollowing Command Prompt window.

You need to ensure that you can use Nslookup to list all of the service location (SRV) resource records forcontoso.com.

What should you modify?

A. the root hints of the DNS serverB. the security settings of the zoneC. the Windows Firewall settings on the DNS serverD. the zone transfer settings of the zone




The contoso.com DNS zone is stored in Active Directory. All domain controllers run Windows Server 2008 R2.

You need to identify if all of the DNS records used for Active Directory replication are correctly registered.

What should you do?

A. From the command prompt, use netsh.exe.B. From the command prompt, use dnslint.exe.C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.D. From the Active Directory Module for Windows PowerShell, run the Get- ADDomainController cmdlet.



http://technet.microsoft.com/en-us/library/dd197560.aspx

Dnslint.exe

DNSLint is a Microsoft Windows tool that can be used to help diagnose common DNS name resolution issues.

It can be targeted to look for specific DNS record sets and ensure that they are consistent across multiple DNSservers. It can also be used to verify that DNS records used

specifically for Active Directory replication are correct.

QUESTION 75Your network contains an Active Directory forest. The forest contains one domain and three sites. Each sitecontains two domain controllers. All domain controllers are DNS servers.

You create a new Active Directory-integrated zone.

You need to ensure that the new zone is replicated to the domain controllers in only one of the sites.


A. Modify the NTDS Site Settings object for the site.B. Modify the replication settings of the default site link.C. Create an Active Directory connection object.D. Create an Active Directory application directory partition.

Correct Answer: DSection: (none)

Explanation


QUESTION 76Your network contains a single Active Directory forest. The forest contains two domains named contoso.comand sales.contoso.com. The domain controllers are configured as shown in the following table.

All domain controllers run Windows Server 2008 R2. All zones are configured as Active Directory- integratedzones.

You need to ensure that contoso.com records are available on DC3.


A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domainB. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forestC. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domainD. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest



QUESTION 77You have a DNS zone that is stored in a custom application directory partition.

You install a new domain controller.

You need to ensure that the custom application directory partition replicates to the new domain controller.

What should you use?

A. the Active Directory Administrative Center consoleB. the Active Directory Sites and Services consoleC. the DNS Manager consoleD. the Dnscmd tool




dnscmd /enlistdirectorypartition Adds the DNS server to the specified directory partition's replica set.

QUESTION 78

Your network contains an Active Directory domain named contoso.com. All domain controllers run WindowsServer 2008 R2. The functional level of the domain is Windows Server 2008 R2. The functional level of theforest is Windows Server 2008.

You have a member server named Server1 that runs Windows Server 2008.

You need to ensure that you can add Server1 to contoso.com as a domain controller.

What should you run before you promote Server1?

A. dcpromo.exe /CreateDCAccountB. dcpromo.exe /ReplicaOrNewDomain:replicaC. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008DomainD. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest



http://technet.microsoft.com/en-us/library/understanding-active-directory-functional- levels.aspx

After you set the domain functional level to a certain value in Windows Server 2008 R2, you cannot roll back orlower the domain functional level, with one exception: when you raise the domain functional level to WindowsServer 2008 R2 and if the forest functional level is Windows Server 2008 or lower, you have the option of rollingthe domain functional level back to Windows Server 2008. You can lower the domain functional level only fromWindows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server2008 R2, it cannot be rolled back, for example, to Windows Server 2003.

QUESTION 79Your network contains an Active Directory forest. The forest contains a single domain.

You want to access resources in a domain that is located in another forest.

You need to configure a trust between the domain in your forest and the domain in the other forest.

What should you create?

A. an incoming external trustB. an incoming realm trustC. an outgoing external trustD. an outgoing realm trust



QUESTION 80Your network contains two Active Directory forests. One forest contains two domains named contoso.com andna.contoso.com. The other forest contains a domain named nwtraders.com. A forest trust is configuredbetween the two forests.

You have a user named User1 in the na.contoso.com domain. User1 reports that he fails to log on to acomputer in the nwtraders.com domain by using the user name NA\User1.

Other users from na.contoso.com report that they can log on to the computers in the nwtraders.com domain.

You need to ensure that User1 can log on to the computer in the nwtraders.com domain.

What should you do?

A. Enable selective authentication over the forest trust.B. Create an external one-way trust from na.contoso.com to nwtraders.com.C. Instruct User1 to log on to the computer by using his user principal name (UPN).D. Instruct User1 to log on to the computer by using the user name nwtraders\User1.



QUESTION 81Your company has a main office and a branch office. The main office contains two domain controllers.

You create an Active Directory site named BranchOfficeSite. You deploy a domain controller in the branchoffice, and then add the domain controller to the BranchOfficeSite site.You discover that users in the branch office are randomly authenticated by either the domain controller in thebranch office or the domain controllers in the main office.

You need to ensure that the users in the branch office always attempt to authenticate to the domain controller inthe branch office first.

What should you do?

A. Create organizational units (OUs).B. Create Active Directory subnet objects.C. Modify the slow link detection threshold.D. Modify the Location attribute of the computer objects.



QUESTION 82Your company has a main office and 50 branch offices. Each office contains multiple subnets.

You need to automate the creation of Active Directory subnet objects.


A. the Dsadd toolB. the Netsh toolC. the New-ADObject cmdletD. the New-Object cmdlet



QUESTION 83Your network contains an Active Directory forest. The forest contains multiple sites.

You need to enable universal group membership caching for a site.

What should you do?

A. From Active Directory Sites and Services, modify the NTDS Settings.B. From Active Directory Sites and Services, modify the NTDS Site Settings.C. From Active Directory Users and Computers, modify the properties of all universal groups used in the site.D. From Active Directory Users and Computers, modify the computer objects for the domain controllers in the

site.



QUESTION 84You need to ensure that domain controllers only replicate between domain controllers in adjacent sites.

What should you configure from Active Directory Sites and Services?

A. From the IP properties, select Ignore all schedules.B. From the IP properties, select Disable site link bridging.C. From the NTDS Settings object, manually configure the Active Directory Domain Services connection

objects.D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology Generator for each

site.




You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates by

using a domain controller in the main office.

You need to ensure that IPv6-only computers authenticate to domain controllers in the same site.

What should you do?

A. Configure the NTDS Site Settings object.B. Create Active Directory subnet objects.C. Create Active Directory Domain Services connection objects.D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.



QUESTION 86Your network contains an Active Directory domain. The domain is configured as shown in the following table.

Users in Branch2 sometimes authenticate to a domain controller in Branch1.

You need to ensure that users inBranch2 only authenticate to the domain controllers in Main.

What should you do?

A. On DC3, set the AutoSiteCoverage value to 0.B. On DC3, set the AutoSiteCoverage value to 1.C. On DC1 and DC2, set the AutoSiteCoverage value to 0.D. On DC1 and DC2, set the AutoSiteCoverage value to 1.



QUESTION 87Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has twodomain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4.

DC3 fails.

You discover that replication no longer occurs between the sites.

You verify the connectivity between DC4 and the domain controllers in Site1.

On DC4, you run repadmin.exe /kcc.

Replication between the sites continues to fail.

You need to ensure that Active Directory data replicates between the sites.

What should you do?

A. From Active Directory Sites and Services, modify the properties of DC3.B. From Active Directory Sites and Services, modify the NTDS Site Settings of Site2.C. From Active Directory Users and Computers, modify the location settings of DC4.D. From Active Directory Users and Computers, modify the delegation settings of DC4.



MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)pages 193, 194

Bridgehead Servers

A bridgehead server is the domain controller designated by each site's KCC to take control of intersitereplication. The bridgehead server receives information replicated from other sites and replicates it to its site'sother domain controllers. It ensures that the greatest portion of replication occurs within sites rather thanbetween them.

In most cases, the KCC automatically decides which domain controller acts as the bridgehead server.

However, you can use Active Directory Sites and Services to specify which domain controller will be thepreferred bridgehead server by using the following steps:

1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgeheadserver.

2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties.

3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you wantto designate this server as a preferred bridgehead server and then click Add.


QUESTION 88Your network contains an Active Directory domain. The functional level of the domain is Windows Server 2003.

The domain contains five domain controllers that run Windows Server 2008 and five domain controllers that runWindows Server 2008 R2.

You need to ensure that SYSVOL is replicated by using Distributed File System Replication (DFSR).


A. Run dfsrdiag.exe PollAD.B. Run dfsrmig.exe /SetGlobalState 0.C. Upgrade all domain controllers to Windows Server 2008 R2.D. Raise the functional level of the domain to Windows Server 2008.



QUESTION 89Your network contains an Active Directory forest. The forest contains two domains named contoso.com andwoodgrovebank.com.

You have a custom attribute named Attibute1 in Active Directory. Attribute1 is associated to User objects.

You need to ensure that Attribute1 is replicated to the global catalog.

What should you do?

A. In Active Directory Sites and Services, configure the NTDS Settings.B. In Active Directory Sites and Services, configure the universal group membership caching.C. From the Active Directory Schema snap-in, modify the properties of the User class schema object.D. From the Active Directory Schema snap-in, modify the properties of the Attibute1 class schema attribute.



QUESTION 90Your network contains an Active Directory domain. The domain contains three domain controllers.

One of the domain controllers fails.

Seven days later, the help desk reports that it can no longer create user accounts. You need to ensure that thehelp desk can create new user accounts.

Which operations master role should you seize?

A. domain naming masterB. infrastructure masterC. primary domain controller (PDC) emulatorD. RID masterE. schema master



QUESTION 91Your network contains two standalone servers named Server1 and Server2 that have Active DirectoryLightweight Directory Services (AD LDS) installed.

Server1 has an AD LDS instance.

You need to ensure that you can replicate the instance from Server1 to Server2.

What should you do on both servers?

A. Obtain a server certificate.B. Import the MS-User.ldf file.C. Create a service user account for AD LDS.D. Register the service location (SRV) resource records.



QUESTION 92Your network contains a server named Server1 that runs Windows Server 2008 R2.

You create an Active Directory Lightweight Directory Services (AD LDS) instance on Server1.

You need to create an additional AD LDS application directory partition in the existing instance.


A. AdaminstallB. DsaddC. DsmodD. Ldp




Create an Application Directory Partition

You use Ldp.exe to add a new application directory partition to an existing instance of Active Directory

Lightweight Directory Services (AD LDS).

QUESTION 93Your network contains a server named Server1 that runs Windows Server 2008 R2.

On Server1, you create an Active Directory Lightweight Directory Services (AD LDS) instance named

Instance1.

You connect to Instance1 by using ADSI Edit.

You run the Create Object wizard and you discover that there is no User object class. You need to ensure thatyou can create user objects in Instance1.

What should you do?

A. Run the AD LDS Setup Wizard.B. Modify the schema of Instance1.C. Modify the properties of the Instance1 service.D. Install the Remote Server Administration Tools (RSAT).




To create users in AD LDS, you must first import the optional user classes that are provided with AD LDS intothe AD LDS schema. These user classes are provided in importable .ldf files, which you can find in the directory%windir%adam on the computer where AD LDS is installed.

The user, inetOrgPerson, and OrganizationalPerson object classes are not available until you import the ADLDS user class definitions into the schema.

QUESTION 94Your network contains an Active Directory domain. The domain contains a server named Server1.

Server1 runs Windows Server 2008 R2.

You need to mount an Active Directory Lightweight Directory Services (AD LDS) snapshot from Server1.

What should you do?

A. Run ldp.exe and use the Bind option.B. Run diskpart.exe and use the Attach option.C. Run dsdbutil.exe and use the snapshot option.D. Run imagex.exe and specify the /mount parameter.



QUESTION 95Your network contains a single Active Directory domain. Active Directory Rights Management Services (ADRMS) is deployed on the network.

A user named User1 is a member of only the AD RMS Enterprise Administrators group.

You need to ensure that User1 can change the service connection point (SCP) for the AD RMS installation.

The solution must minimize the administrative rights of User1.

To which group should you add User1?

A. AD RMS Auditors

B. AD RMS Service GroupC. Domain AdminsD. Schema Admins



QUESTION 96Your network contains two Active Directory forests named contoso.com and adatum.com. Active DirectoryRights Management Services (AD RMS) is deployed in contoso.com. An AD RMS trusted user domain (TUD)exists between contoso.com and adatum.com.

From the AD RMS logs, you discover that some clients that have IP addresses in the adatum.com forest areauthenticating as users from contoso.com.

You need to prevent users from impersonating contoso.com users.What should you do?

A. Configure trusted e-mail domains.B. Enable lockbox exclusion in AD RMS.C. Create a forest trust between adatum.com and contoso.com.D. Add a certificate from a third-party trusted certification authority (CA).



QUESTION 97Your network contains an Active Directory domain named contoso.com. The network contains client computersthat run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) isdeployed on the network.

You create a new AD RMS template that is distributed by using the AD RMS pipeline. The template is updatedevery month.

You need to ensure that all the computers can use the most up-to-date version of the AD RMS template.

You want to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. Upgrade all of the Windows Vista computers to Windows 7.B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users

by using a Software Installation extension of Group Policy.D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all

computers by using a Software Installation extension of Group Policy.


Explanation


QUESTION 98Active Directory Rights Management Services (AD RMS) is deployed on your network. Users whohaveWindows Mobile 6 devices report that they cannot access documents thatare protected by AD RMS.

You need to ensure that all users can access AD RMS protected content by using Windows Mobile 6 devices.

What should you do?

A. Modify the security of the ServerCertification.asmx file.B. Modify the security of the MobileDeviceCertification.asmx file.C. Enable anonymous authentication for the _wmcs virtual directory.D. Enable anonymous authentication for the certification virtual directory.



QUESTION 99Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS)server role is installed on Server1.

An administrator changes the password of the user account that is used by AD RMS.

You need to update AD RMS to use the new password.

Which console should you use?

A. Active Directory Rights Management ServicesB. Active Directory Users and ComputersC. Component ServicesD. Services



QUESTION 100Your network contains an Active Directory Rights Management Services (AD RMS) cluster.

You have several custom policy templates. The custom policy templates are updatedfrequently.

Some users report that it takes as many as 30 days to receive the updated policy templates.

You need to ensure that users receive the updated custom policy templates within seven days.

What should you do?

A. Modify the registry on the AD RMS servers.B. Modify the registry on the users' computers.C. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task.D. Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task.




Configuring the AD RMS client

The automated scheduled task will not query the AD RMS template distribution pipeline each time that thisscheduled task runs. Instead, it checks updateFrequency DWORD value registry entry. This registry entryspecifies the time interval (in days) after which the client should update its rights policy templates. By default theregistry key is not present on the client computer. In this scenario, the client checks for new, deleted, ormodified rights policy templates every 30 days. To configure an interval other than 30 days, create a registryentry at the following location:HKEY_CURRENT_USER\Software\Policies\Microsoft\MSDRM

\TemplateManagement. In this registry key, you can also configure the updateIfLastUpdatedBeforeTime, whichforces the client computer to update its rights policy templates.

Topic 3, Volume C

Exam C

QUESTION 1

Your company has a main office and a branch office. The branch office contains a read- only domain controllernamed RODC1.

You need to ensure that a user named Admin1 can install updates on RODC1. The solution must preventAdmin1 from logging on to other domain controllers.

What should you do?

A. Run ntdsutil.exe and use the Roles option.B. Run dsmgmt.exe and use the Local Roles option.C. From Active Directory Sites and Services, modify the NTDS Site Settings.D. From Active Directory Users and Computers, add the user to the Server Operators group.




Administrator Role Separation Configuration

This section provides procedures for creating a local administrator role for an RODC and for adding a user tothat role.

To configure Administrator Role Separation for an RODC

1. Click Start, click Run, type cmd, and then press ENTER.

2. At the command prompt, type dsmgmt.exe, and then press ENTER.

3. At the DSMGMT prompt, type local roles, and then press ENTER.

QUESTION 2You install a read-only domain controller (RODC) named RODC1.

You need to ensure that a user named User1 can administer RODC1. The solution must minimize the numberof permissions assigned to User1.

"A Composite Solution With Just One Click" - Certification Guaranteed 127 Microsoft 70-640 : Practice TestWhich tool should you use?

A. Active Directory Administrative CenterB. Active Directory Users and ComputersC. DsaddD. Dsmgmt



Reference 1:http://technet.microsoft.com/en-us/library/cc755310.aspx

Delegating local administration of an RODCAdministrator Role Separation (ARS) is an RODC feature that you can use to delegate the ability to administeran RODC to a user or a security group. When you delegate the ability to log on to an RODC to a user or asecurity group, the user or group is not added the Domain Admins group and therefore does not have additionalrights to perform directory service operations.

Steps and best practices for setting up ARSYou can specify a delegated RODC administrator during an RODC installation or after it.

To specify the delegated RODC administrator after installation, you can use either of the following options:

Modify the Managed By tab of the RODC account properties in the Active Directory Users and Computerssnap-in, as shown in the following figure. You can click Change to change which security principal is thedelegated RODC administrator. You can choose only one security principal. Specify a security group ratherthan an individual user so you can control RODC administration permissions most efficiently. This methodchanges the managedBy attribute of the computer object that corresponds to the RODC to the SID of thesecurity principal that you specify. This is the recommended way to specify the delegated RODC administratoraccount because the information is stored in AD DS, where it can be centrally managed by domainadministrators.



Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view,add, or remove members from the Administrators group and other built-in groups on the RODC. [See also thesecond reference for more information on how to use dsmgmt.]

Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended becausethe information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to delegate anadministrator for the RODC, the account that you specify does not appear on the Managed By tab of the RODCaccount properties. As a result, using the Active Directory Users and Computers snap-in or a similar tool will notreveal that the RODC has a delegated administrator.

In addition, if you demote an RODC, any security principal that you specified by using ntdsutil local rolesremains stored in the registry of the server. This can be a security concern if you demote an RODC in onedomain and then promote it to be an RODC again in a different domain. In that case, the original securityprincipal would have administrative rights on the new RODC in the different domain.



Administrator Role Separation ConfigurationThis section provides procedures for creating a local administrator role for an RODC and for adding a user to

that role.

To configure Administrator Role Separation for an RODC Click Start, click Run, type cmd, and then pressENTER. At the command prompt, type dsmgmt.exe, and then press ENTER. At the DSMGMT prompt, typelocal roles, and then press ENTER. For a list of valid parameters, type ?, and then press ENTER. By default, nolocal administrator role is defined on the RODC after AD DS installation. To add the local administrator role, usethe Add parameter.Type add <DOMAIN>\<user><administrative role>For example, type add CONTOSO\testuser administrators

QUESTION 3Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1contains four domain controllers. Site2 contains a read-only domain controller (RODC).

You add a user named User1 to the Allowed RODC Password Replication Group.

The WAN link between Site1 and Site2 fails. User1 restarts his computer and reports that he is unable to log onto the domain. The WAN link is restored and User1 reports that he is able to log on to the domain. You need toprevent the problem from reoccurring if the WAN link fails.

What should you do?

A. Create a Password Settings object (PSO) and link the PSO to User1's user account.B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.



QUESTION 4Your company has a main office and a branch office. The network contains an Active Directory domain. Themain office contains a writable domain controller named DC1. The branch office contains a read- only domaincontroller (RODC) named DC2.

You discover that the password of an administrator named Admin1 is cached on DC2.

You need to prevent Admin1's password from being cached on DC2.

What should you do?

A. Modify the NTDS Site Settings.B. Modify the properties of the domain.C. Create a Password Setting object (PSO).D. Modify the properties of DC2's computer account.



QUESTION 5Your network contains an Active Directory domain named contoso.com. The network has a branch office sitethat contains a read-only domain controller (RODC) named RODC1.RODC1 runs Windows Server 2008 R2.

A user named User1 logs on to a computer in the branch office site.

You discover that the password of User1 is not stored on RODC1. You need to ensure that User1's password isstored on RODC1.

What should you modify?

A. the Member Of properties of RODC1B. the Member Of properties of User1C. the Security properties of RODC1D. the Security properties of User1



QUESTION 6Your company has a main office and a branch office. The branch office has an Active Directory site thatcontains a read-only domain controller (RODC).

A user from the branch office reports that his account is locked out.

From a writable domain controller in the main office, you discover that the user's account is not locked out. Youneed to ensure that the user can log on to the domain.

What should you do?

A. Modify the Password Replication Policy.B. Reset the password of the user account.C. Run the Knowledge Consistency Checker (KCC) on the RODC.D. Restore network communication between the branch office and the main office.



QUESTION 7Your network contains a single Active Directory domain. The domain contains five read- only domain controllers(RODCs) and five writable domain controllers. All servers run Windows Server 2008.

You plan to install a new RODC that runs Windows Server 2008 R2.

You need to ensure that you can add the new RODC to the domain.

You want to achieve this goal by using the minimum amount of administrative effort.


A. At the command prompt, run adprep.exe /rodcprep.B. At the command prompt, run adprep.exe /forestprep.C. At the command prompt, run adprep.exe /domainprep.D. From Active Directory Domains and Trusts, raise the functional level of the domain.E. From Active Directory Users and Computers, pre-stage the RODC computer account.



QUESTION 8You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a servernamedServer1.

You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS.

Which inbound TCP port should you allow on Server1?

A. 88B. 135C. 443D. 445



QUESTION 9You deploy a new Active Directory Federation Services (AD FS) federation server.

You request new certificates for the AD FS federation server.

You need to ensure that the AD FS federation server can use the new certificates.

To which certificate store should you import the certificates?

A. ComputerB. IIS Admin Service service accountC. Local AdministratorD. World Wide Web Publishing Service service account



QUESTION 10Your network contains an Active Directory domain named contoso.com. The domain contains a server namedServer1. Server1 has the Active Directory Federation Services (AD FS) role installed.

You have an application named App1 that is configured to use Server1 for AD FS authentication.

You deploy a new server named Server2. Server2 is configured as an AD FS 2.0 server.

You need to ensure that App1 can use Server2 for authentication.


A. Add an attribute store.B. Create a relying party trust.C. Create a claims provider trust.D. Create a relaying provider trust.



QUESTION 11Your network contains an Active Directory domain named contoso.com. The domain contains a server namedServer1. The Active Directory Federation Services (AD FS) role is installed on Server1. Contoso.com is definedas an account store.

A partner company has a Web-based application that uses AD FS authentication. The partner company plansto provide users from contoso.com access to the Web application.

You need to configure AD FS on contoso.com to allow contoso.com users to be authenticated by the partnercompany.

What should you create on Server1?

A. a new applicationB. a resource partnerC. an account partnerD. an organization claim



Since the account store has already been configured, what needs to be done is to use the account store to mapan AD DS global security group to an organization claim (called group claim extraction). So that's what we needto create for authentication: an organization claim.

Creating a resource/account partner is part of setting up the Federation Trust.

Reference 1:http://technet.microsoft.com/en-us/library/dd378957.aspx

Configuring the Federation Servers[All the steps for setting up an AD FS environment are listed in an extensive step-by-step guide, too long to posthere.]


Add an AD DS Account StoreIf user and computer accounts that require access to a resource that is protected by Active Directory FederationServices (AD FS) are stored in Active Directory Domain Services (AD DS), you must add AD DS as an accountstore on a federation server in the Federation Service that authenticates the accounts.


Map an Organization Group Claim to an AD DS Group (Group Claim Extraction) When you use Active DirectoryDomain Services (AD DS) as the Active Directory Federation Services (AD FS) account store for an accountFederation Service, you map an organization group claim to a security group in AD DS. This mapping is calleda group claim extraction.


QUESTION 12Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1has the Active Directory Federation Services (AD FS) Federation Service role service installed.

You plan to deploy AD FS 2.0 on Server2. You need to export the token-signing certificate from Server1, andthen import the certificate to Server2.

Which format should you use to export the certificate?

A. Base-64 encoded X.509 (.cer)B. Cryptographic Message Syntax Standard PKCS #7 (.p7b)C. DER encoded binary X.509 (.cer)D. Personal Information Exchange PKCS #12 (.pfx)



Reference 1:http://technet.microsoft.com/en-us/library/ff678038.aspx

Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0 If the AD FS 1.x FederationService has a token-signing certificate that was issued by a trusted certification authority (CA) and you want toreuse it, you will have to export it from AD FS 1.x.

[The site provides also a link for instructions on how to export the token-signing certificate. That link point to thesite mentioned in reference 2.]


Export the private key portion of a token-signing certificate

To export the private key of a token-signing certificate Click Start, point to Administrative Tools, and then clickActive Directory Federation Services.Right-click Federation Service, and then click Properties.

"A Composite Solution With Just One Click" - Certification Guaranteed 137 Microsoft 70-640 : Practice TestOn the General tab, click View.In the Certificate dialog box, click the Details tab.On the Details tab, click Copy to File.On the Welcome to the Certificate Export Wizard page, click Next. On the Export Private Key page, select Yes,export the private key, and then click Next.On the Export File Format page, select Personal Information Exchange = PKCS #12 (.PFX), and then clickNext.(...)

QUESTION 13Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1has Active Directory Federation Services (AD FS) 2.0 installed. Server1 is a member of an AD FS farm. TheAD FS farm is configured to use a configuration database that is stored on a separate Microsoft SQL Server.

You install AD FS 2.0 on Server2.

You need to add Server2 to the existing AD FS farm.

What should you do?

A. On Server1, run fsconfig.exe.B. On Server1, run fsconfigwizard.exe.C. On Server2, run fsconfig.exe.D. On Server2, run fsconfigwizard.exe.



http://technet.microsoft.com/en-us/library/adfs2-help-how-to-configure-a-new-federation- server.aspx

Configure a New Federation Server

To configure a new federation server using the command line

1. Open a Command Prompt window.

2. Change the directory to the path where AD FS 2.0 was installed.3. To configure this computer as a federation server, type the applicable syntax using either of the followingcommand parameters, and then press ENTER: fsconfig.exe {StandAlone|CreateFarm|

CreateSQLFarm|JoinFarm|JoinSQLFarm} [deployment specific parameters]

Parameter

JoinSQLFarm Joins this computer to an existing federation server farm that is using SQL Server.

QUESTION 14Your network contains an Active Directory forest.

You set the Windows PowerShell execution policy to allow unsigned scripts on a domain controller in the

network.

You create a Windows PowerShell script named new-users.ps1 that contains the following lines:

new-aduser user1new-aduser user2new-aduser user3new-aduser user4new-aduser user5

On the domain controller, you double-click the script and the script runs. You discover that the script fails tocreate the user accounts.

You need to ensure that the script creates the user accounts.

Which cmdlet should you add to the script?

A. Import-ModuleB. Register-ObjectEventC. Set-ADDomainD. Set-ADUser



QUESTION 15Your network contains an Active Directory forest. The forest schema contains a custom attribute for userobjects.

You need to modify the custom attribute value of 500 user accounts.


A. CsvdeB. DsmodC. DsrmD. Ldifde



We cannot use Dsmod here, because it supports only a subset of commonly used object class attributes.Csvde can only import and export data.Dsrm is used to delete objects from the directory.Reference:


Ldifde

Creates, modifies, and deletes directory objects.


You need to give the human resources department a file that contains the last logon time and the customattribute values for each user in the forest.


A. the Dsquery toolB. the Export-CSV cmdletC. the Get-ADUser cmdletD. the Net.exe user command



References:https://devcentral.f5.com/weblogs/Joe/archive/2009/01/09/powershell-abcs---o-is-for- output.aspxhttp://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/8d8649d9- f591-4b44-b838-e0f5f3a591d7http://kpytko.wordpress.com/2012/07/30/lastlogon-vs-lastlogontimestamp/

Export-CsvReference:

http://technet.microsoft.com/en-us/library/ee176825.aspx

Saving Data as a Comma-Separated Values File

The Export-Csv cmdlet makes it easy to export data as a comma-separated values (CSV) file; all you need todo is call Export-Csv followed by the path to the CSV file. For example, this command uses Get-Process tograb information about all the processes running on the computer, then uses Export-Csv to write that data to afile named C:\Scripts\Test.txt:

Get-Process | Export-Csv c:\scripts\test.txt.

Net User

Reference:


Adds or modifies user accounts, or displays user account information.

DSQUERY

Reference 1:


Parameters

{<StartNode> | forestroot | domainroot}

Specifies the node in the console tree where the search starts. You can specify the forest

"A Composite Solution With Just One Click" - Certification Guaranteed 141 Microsoft 70-640 : Practice Testroot (forestroot), domain root (domainroot), or distinguished name of a node as the start node <StartNode>. Ifyou specify

forestroot, AD DS searches by using the global catalog.

-attr {<AttributeList> | *}

Specifies that the semicolon separated LDAP display names included in <AttributeList> for each entry in theresult set. If you specify the value of this parameter as a wildcard character (*), this parameter displays allattributes that are present on the object in the result set. In addition, if you specify a *, this parameter uses thedefault output format (a list), regardless of whether you specify the -l parameter. The default <AttributeList> is adistinguished name.

Reference 2:

http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/dda5fcd6-1a10-4d47- 9379-02ca38aaa65b

Gives an example of how to find a user with certain attributes using Dsquery. Note that it uses domainroot asthe startnode, instead of forestroot what we need.

Reference 3:

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/c6fc3826-78e1- 48fd-ab6f-690378e0f787/

List all last login times for all users, regardless of whether they are disabled.

dsquery * -filter "(&(objectCategory=user)(objectClass=user))" -limit 0 -attr givenName sn sAMAccountName

lastLogon>>c:\last_logon_for_all.txt

QUESTION 17You have a Windows PowerShell script that contains the following code: import-csv Accounts.csv | Foreach{New-ADUser -Name $_.Name -Enabled $true - AccountPassword $_. password}

When you run the script, you receive an error message indicating that the format of the password is incorrect.The script fails.

You need to run a script that successfully creates the user accounts by using the password contained inaccounts.csv.

Which script should you run?

A. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true AccountPassword(ConvertTo-SecureString "Password" -AsPlainText -force)}

B. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true AccountPassword(ConvertTo-SecureString $_.Password -AsPlainText -force)}

C. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword(Read-Host -AsSecureString "Password")}

D. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true AccountPassword(Read-Host -AsSecureString $_.Password)}


Explanation


QUESTION 18Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2.

Your company's corporate security policy states that the password for each user account must be changed atleast every 45 days.

You have a user account named Service1. Service1 is used by a network application named Application1.

Every 45 days, Application1 fails.

After resetting the password for Service1, Application1 runs properly. You need to resolve the issue that causesApplication1 to fail. The solution must adhere to the corporate security policy.

What should you do?

A. Run the cmdlet.B. Run the Set-ADServiceAccount cmdlet.C. Create a new password policy.D. Create a new Password Settings object (PSO).




You add an additional user principal name (UPN) suffix to the forest.

You need to modify the UPN suffix of all users. You want to achieve this goal by using the minimum amount ofadministrative effort.


A. the Active Directory Domains and Trusts consoleB. the Active Directory Users and Computers consoleC. the Csvde toolD. the Ldifde tool



QUESTION 20Your network contains a single Active Directory domain. All client computers run Windows Vista Service Pack 2(SP2).

You need to prevent all users from running an application named App1.exe.

Which Group Policy settings should you configure?

A. Application CompatibilityB. AppLockerC. Software InstallationD. Software Restriction Policies



QUESTION 21Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Clientcomputers run either Windows XP Service Pack 3 (SP3) or Windows Vista.

You need to ensure that all client computers can apply Group Policy preferences.

What should you do?

A. Upgrade all Windows XP client computers to Windows 7.B. Create a central store that contains the Group Policy ADMX files.C. Install the Group Policy client-side extensions (CSEs) on all client computers.D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).



QUESTION 22Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Clientcomputers run either Windows 7 or Windows Vista Service Pack 2 (SP2).

You need to audit user access to the administrative shares on the client computers.

What should you do?

A. Deploy a logon script that runs Icacls.exe.B. Deploy a logon script that runs Auditpol.exe.C. From the Default Domain Policy, modify the Advanced Audit Policy Configuration.D. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration.



http://support.microsoft.com/kb/921469

Administrators can use the procedure that is described in this article to deploy a custom audit policy that appliesdetailed security auditing settings to Windows Vista-based and Windows Server 2008-based computers in aWindows Server 2003 domain or in a Windows 2000 domain.Use the Auditpol.exe command-line tool to configure the custom audit policy settings that you want.


You need to create a central store for the Group Policy Administrative templates.

What should you do?

A. Run dfsrmig.exe /createglobalobjects.B. Run adprep.exe /domainprep /gpprep.C. Copy the %SystemRoot%\PolicyDefinitions folder to the \\contoso.com\SYSVOL\contoso.com\Policies

folder.D. Copy the %SystemRoot%\System32\GroupPolicy folder to the \\contoso.com\SYSVOL\contoso.com

\Policies folder.



QUESTION 24You configure and deploy a Group Policy object (GPO) that contains AppLocker settings.

You need to identify whether a specific application file is allowed to run on a computer.

Which Windows PowerShell cmdlet should you use?

A. Get-AppLockerFileInformationB. Get-GPOReportC. Get-GPPermissionsD. Test-AppLockerPolicy




Test-AppLockerPolicy

Tests whether the input files are allowed to run for a given user based on the specified AppLocker policy.

QUESTION 25You create a Password Settings object (PSO).

You need to apply the PSO to a domain user named User1.

What should you do?

A. Modify the properties of the PSO.B. Modify the account options of the User1 account.C. Modify the security settings of the User1 account.D. Modify the password policy of the Default Domain Policy Group Policy object (GPO).




To apply PSOs to users or global security groups using the Windows interface

1. Open Active Directory Users and Computers

2. On the View menu, ensure that Advanced Features is checked.

3. In the console tree, click Password Settings Container.

4. In the details pane, right-click the PSO, and then click Properties.

5. Click the Attribute Editor tab.

6. Select the msDS-PsoAppliesTo attribute, and then click Edit.

7. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user orthe global security group that you want to apply this PSO to, click Add, and then click OK.


QUESTION 26You need to create a Password Settings object (PSO).


A. Active Directory Users and ComputersB. ADSI EditC. Group Policy Management ConsoleD. Ntdsutil




You can create Password Settings objects (PSOs): using the Active Directory module for Windows PowerShellusing ADSI Edit using ldifde

QUESTION 27Your network contains an Active Directory domain. All servers run Windows Server 2008 R2.

You need to audit the deletion of registry keys on each server.

What should you do?

A. From Audit Policy, modify the Object Access settings and the Process Tracking settings.B. From Audit Policy, modify the System Events settings and the Privilege Use settings.C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking settings.D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object

Access Auditing settings.




Advanced Security Audit Policy Step-by-Step Guide

A global object access audit policy can be used to enforce object access audit policy for a computer, file share,or registry.

QUESTION 28Your network contains a single Active Directory domain. The functional level of the forest is Windows Server2008 R2.

You need to enable the Active Directory Recycle Bin.


A. the Dsmod toolB. the Enable-ADOptionalFeature cmdletC. the Ntdsutil toolD. the Set-ADDomainMode cmdlet



Similar question to question L/Q5.Reference:


Enabling Active Directory Recycle Bin

After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active

Directory Recycle Bin by using the following methods:

Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)

Ldp.exe

QUESTION 29Your network contains a single Active Directory domain.

You need to create an Active Directory Domain Services snapshot.

What should you do?

A. Use the Ldp tool.B. Use the NTDSUtil tool.C. Use the Wbadmin tool.D. From Windows Server Backup, perform a full backup.




To create an AD DS or AD LDS snapshot

1. Log on to a domain controller as a member of the Enterprise Admins groups or the Domain Admins group.

2. Click Start, right-click Command Prompt, and then click Run as administrator.

3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and thenclick Continue.

4. At the elevated command prompt, type the following command, and then press ENTER:ntdsutil

5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot

6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds

7. At the snapshot prompt, type the following command, and then press ENTER: create

QUESTION 30

Your network contains a single Active Directory domain.

A domain controller named DC2 fails.

You need to remove DC2 from Active Directory.


A. At the command prompt, run dcdiag.exe /fix.B. At the command prompt, run netdom.exe remove dc2.C. From Active Directory Sites and Services, delete DC2.

D. From Active Directory Users and Computers, delete DC2.




Clean Up Server Metadata

Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS).

You perform metadata cleanup on a domain controller in the domain of the domain controller that you forciblyremoved. Metadata cleanup removes data from AD DS that identifies a domain controller to the replicationsystem.

Clean up server metadata by using GUI tools

Clean up server metadata by using Active Directory Users and Computers

1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and thenclick Active Directory Users and Computers.

2. Expand the domain of the domain controller that was forcibly removed, and then click Domain Controllers.

3. In the details pane, right-click the computer object of the domain controller whose metadata you want toclean up, and then click Delete.

Clean up server metadata by using Active Directory Sites and Services

1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then clickActive Directory Sites and Services

2. Expand the site of the domain controller that was forcibly removed, expand Servers,

"A Composite Solution With Just One Click" - Certification Guaranteed 151 Microsoft 70-640 : Practice Testexpand the name of the domain controller, right-click the NTDS Settings object, and then click Delete.

QUESTION 31Your network contains a single Active Directory domain. The functional level of the forest is Windows Server2008. The functional level of the domain is Windows Server 2008 R2. All DNS servers run Windows Server2008. All domain controllers run Windows Server 2008 R2.

You need to ensure that you can enable the Active Directory Recycle Bin.

What should you do?

A. Change the functional level of the forest.B. Change the functional level of the domain.C. Modify the Active Directory schema.D. Modify the Universal Group Membership Caching settings.




Active Directory Recycle Bin Step-by-Step Guide

By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, you must firstraise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2, which inturn requires all forest domain controllers or all servers that host instances of AD LDS configuration sets to berunning Windows Server 2008 R2.

QUESTION 32Your network contains an Active Directory domain. The domain contains several domain controllers.All domain controllers run Windows Server 2008 R2.

You need to restore the Default Domain Controllers Policy Group Policy object (GPO) to the Windows Server2008 R2 default settings.

What should you do?

A. Run dcgpofix.exe /target:dc.B. Run dcgpofix.exe /target:domain.C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.



http://technet.microsoft.com/en-us/library/hh875588.aspx

Dcgpofix Recreates the default Group Policy Objects (GPOs) for a domain.

Syntax

DCGPOFix [/ignoreschema] [/target: {Domain | DC | Both}] [/?]

/ignoreschema Ignores the version of the Active Directory® schema when you run this command. Otherwise,the command only works on the same schema version as the Windows version in which the command wasshipped.

/target {Domain | DC | Both} Specifies which GPO to restore. You can restore the Default Domain Policy GPO,the Default Domain Controllers GPO, or both.

Examples

Restore the Default Domain Controllers Policy GPO to its original state. You will lose any changes that youhave made to this GPO. dcgpofix /ignoreschema /target:DC

QUESTION 33Your network contains an Active Directory domain. The domain contains two ActiveDirectory sites named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2contains two domain controller named DC3 and DC4. The functional level of the domain is Windows Server2008 R2. The functional level of the forest is Windows Server 2003. Active Directory replication between Site1

and Site2 occurs from 20:00 to01:00 every day.

At 07:00, an administrator deletes a user account while he is logged on to DC1.

You need to restore the deleted user account. You want to achieve this goal by using the minimum amount ofadministrative effort.

What should you do?

A. On DC1, run the Restore-ADObject cmdlet.B. On DC3, run the Restore-ADObject cmdlet.C. On DC1, stop Active Directory Domain Services, restore the System State, and then start Active Directory

Domain Services.D. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active

Directory Domain Services.


Explanation/Reference:Explanation:We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and youcan only use Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the questiontext it says "The functional level of the forest is Windows Server 2003."See http://technet.microsoft.com/nl-nl/library/dd379481.aspx Performing an authoritative restore on DC3updates the Update Sequence Number (USN) on that DC, which causes it to replicate the restored useraccount to other DC's.Reference 1:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 692 An authoritative restorerestores data that was lost and updates the Update Sequence Number (USN) for the data to make itauthoritative and ensure that it is replicated to all other servers.Reference 2:http://technet.microsoft.com/en-us/library/cc755296.aspx Authoritative restore of AD DS has the followingrequirements:You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restorecommand and restart the service after the command is complete.


QUESTION 34Your network contains an Active Directory domain. The domain contains two domain controllers named DC1and DC2.

You perform a full backup of the domain controllers every night by using Windows Server Backup.

You update a script in the SYSVOL folder.

You discover that the new script fails to run properly. You need to restore the previous version of the script inthe SYSVOL folder. The solution must minimize the amount of time required to restore the script.


A. Run the Restore-ADObject cmdlet.B. Restore the system state to its original location.C. Restore the system state to an alternate location.D. Attach the VHD file created by Windows Server Backup.




You need to restore a deleted computer account from the Active Directory Recycle Bin.

What should you do?

A. From the command prompt, run recover.exe.B. From the command prompt, run ntdsutil.exe.C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.



QUESTION 36You need to back up all of the group policies in a domain. The solution must minimize the size of the backup.


A. the Add-WBSystemState cmdletB. the Group Policy Management consoleC. the Wbadmin toolD. the Windows Server Backup feature




To back up a Group Policy object

1. In the Group Policy Management Console (GPMC) console tree, open Group Policy Objects in the forest anddomain containing the Group Policy object (GPO) to back up.

2. To back up a single GPO, right-click the GPO, and then click Back Up. To back up all GPOs in the domain,right-click Group Policy objects and click Back Up All.

QUESTION 37You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2.

You need to ensure that you can recover the private key of a certificate issued to a Web server.

What should you do?

A. From the CA, run the Get-PfxCertificate cmdlet.B. From the Web server, run the Get-PfxCertificate cmdlet.C. From the CA, run the certutil.exe tool and specify the -exportpfx parameter.D. From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.




The network contains a single Active Directory domain. The main office contains a domain controller namedDC1.

You need to install a domain controller in the branch office by using an offline copy of the Active Directorydatabase.


A. From the Ntdsutil tool, create an IFM media set.B. From the command prompt, run djoin.exe /loadfile.C. From Windows Server Backup, perform a system state backup.D. From Windows PowerShell, run the get-ADDomainController cmdlet.



QUESTION 39Your network contains an Active Directory domain. All domain controllers run Windows Server 2008. Thefunctional level of the domain is Windows Server 2003. All client computers run Windows 7.

You install Windows Server 2008 R2 on a server named Server1.

You need to perform an offline domain join of Server1.


A. From Server1, run djoin.exe.B. From Server1, run netdom.exe.C. From a Windows 7 computer, run djoin.exe.D. Upgrade one domain controller to Windows Server 2008 R2.E. Raise the functional level of the domain to Windows Server 2008.



MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218

Offline Domain Join

Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment.

When the computer is connected to the domain network and started for the first time, it will already be amember of the domain. This also helps to ensure that Group Policy settings are applied at the first startup.

Four major steps are required to join a computer to the domain by using offline domain join:

1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an accountthat has permissions to join computers to the domain.

2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates ActiveDirectory with the information that Active Directory needs to join the computer to the domain, and exports theinformation called a blob to a text file.

3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windowsdirectory.

4. When you start or restart the computer, it will be a member of the domain.

QUESTION 40You have an Active Directory snapshot.

You need to view the contents of the organizational units (OUs) in the snapshot.

Which tools should you run?

A. explorer.exe, netdom.exe, and dsa.msc"A Composite Solution With Just One Click" - Certification Guaranteed 158 Microsoft 70-640 : Practice Test

B. ntdsutil.exe, dsamain.exe, and dsa.mscC. wbadmin.msc, dsamain.exe, and netdom.exeD. wbadmin.msc, ntdsutil.exe, and explorer.exe



QUESTION 41Your network contains a domain controller that runs Windows Server 2008 R2. You run the following commandon the domain controller:

dsamain.exe dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit ldapport 389 -allowNonAdminAccess

The command fails.

You need to ensure that the command completes successfully.

How should you modify the command?

A. Include the path to Dsamain.B. Change the value of the -dbpath parameter.C. Change the value of the -ldapport parameter.D. Remove the allowNonAdminAccess



MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 690

Use the AD DS database mounting tool to load the snapshot as an LDAP server.

dsamain -dbpath c:\$SNAP_datetime_VOLUMEC$\windows\ntds\ntds.dit -ldapport

portnumber

Be sure to use ALL CAPS for the -dbpath value and use any number beyond 40,000 for the -ldapport value toensure that you do not conflict with AD DS.

Also note that you can use the minus () sign or the slash (/) for the options in the command.


QUESTION 42Your network contains an Active Directory domain. The domain contains five domain controllers. A domaincontroller named DC1 has the DHCP role and the file server role installed.

You need to move the Active Directory database on DC1 to an alternate location.

The solution must minimize impact on the network during the database move.


A. Restart DC1 in Safe Mode.B. Restart DC1 in Directory Services Restore Mode.C. Start DC1 from Windows PE.D. Stop the Active Directory Domain Services service on DC1.




The network contains an Active Directory forest. The forest contains three domains. The branch office containsone domain controller named DC5. DC5 is configured as a global catalog server, a DHCP server, and a file

server.

You remove the global catalog from DC5.

You need to reduce the size of the Active Directory database on DC5. The solution must minimize the impacton all users in the branch office.


A. Start DC5 in Safe Mode.B. Start DC5 in Directory Services Restore Mode.C. On DC5, start the Protected Storage service.D. On DC5, stop the Active Directory Domain Services service.



QUESTION 44Your network contains a domain controller that runs Windows Server 2008 R2.

You need to change the location of the Active Directory log files.


A. DsamainB. DsmgmtC. DsmoveD. Ntdsutil



QUESTION 45Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2.

You deploy a new server that runs Windows Server 2008 R2. The server is not connected to the internalnetwork.

You need to ensure that the new server is already joined to the domain when it first connects to the internalnetwork.

What should you do?

A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, runsysprep.exe and specify the /generalize parameter.

B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, runsysprep.exe and specify the /oobe parameter.

C. From a domain-joined computer, run djoin.exe and specify the /provision parameter.From the new server, run djoin.exe and specify the /requestodj parameter.

D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter.From the new server, run djoin.exe and specify the /provision parameter.



Reference 1:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218 Offline Domain JoinOffline domain join is also useful when a computer is deployed in a lab or other disconnected environment.When the computer is connected to the domain network and started for the first time, it will already be amember of the domain. This also helps to ensure that Group Policy settings are applied at the first startup. Fourmajor steps are required to join a computer to the domain by using offline domain join:1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an accountthat has permissions to join computers to the domain.2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates ActiveDirectory with the information that Active Directory needs to join the computer to the domain, and exports theinformation called a blob to a text file.3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windowsdirectory.4. When you start or restart the computer, it will be a member of the domain.Reference 2:http://technet.microsoft.com/nl-nl/library/offline-domain-join-djoin-step-by-step.aspx Steps for performing anoffline domain joinThe offline domain join process includes the following steps:1. Run the djoin.exe /provision command to create computer account metadata for the destination computer(the computer that you want to join to the domain). As part of this command, you must specify the name of thedomain that you want the computer to join.2. Run the djoin.exe /requestODJ command to insert the computer account metadata into the Windowsdirectory of the destination computer.3. When you start the destination computer, either as a virtual machine or after a complete operating systeminstallation, the computer will be joined to the domain that you specify.


QUESTION 46Your network contains an Active Directory domain. The domain contains four domain controllers.

You modify the Active Directory schema.

You need to verify that all the domain controllers received the schema modification.


A. dcdiag.exe /aB. netdom.exe query fsmoC. repadmin.exe /showrepl *D. sc.exe query ntds



QUESTION 47You remotely monitor several domain controllers.

You run winrm.exe quickconfig on each domain controller.

You need to create a WMI script query to retrieve information from the bios of each domain controller.

Which format should you use to write the query?

A. XrMLB. XMLC. WQLD. HTML



QUESTION 48

Your network contains an Active Directory domain named contoso.com. The domain contains five domaincontrollers.

You add a logoff script to an existing Group Policy object (GPO).

You need to verify that each domain controller successfully replicates the updated group policy.

Which two objects should you verify on each domain controller? (Each correct answer presents part of thesolution. Choose two.)

A. \\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.iniB. \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.polC. the uSNChanged value for the

CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com containerD. the versionNumber value for the

CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container



QUESTION 49Your network contains an Active Directory domain that contains five domain controllers.

You have a management computer that runs Windows 7.

From the Windows 7 computer, you need to view all account logon failures that occur in the domain.

The information must be consolidated on one list.

Which command should you run on each domain controller?

A. Wecutil.exe qcB. Wevtutil.exe gliC. Winrm.exe quickconfigD. Winrshost.exe



QUESTION 50You create a new Active Directory domain. The functional level of the domain is Windows Server 2008 R2. Thedomain contains five domain controllers.

You need to monitor the replication of the group policy template files.


A. DfsrdiagB. FsutilC. NtdsutilD. Ntfrsutl



With domain functional level 2008 you have available dfs-r sysvol replication. So with DFL2008 you can use theDFSRDIAG tool. It is not available with domain functional level 2003.With domain functional level 2003 you can only use Ntfrsutl.

QUESTION 51You create a new Active Directory domain. The functional level of the domain is Windows Server 2003. Thedomain contains five domain controllers that run Windows Server 2008 R2.

You need to monitor the replication of the group policy template files.


A. DfsrdiagB. FsutilC. NtdsutilD. Ntfrsutl



Explanation:

With domain functional level 2008 you have available dfs-r sysvol replication. So with DFL2008 you can use theDFSRDIAG tool. It is not available with domain functional level 2003.With domain functional level 2003 you can only use Ntfrsutl.

QUESTION 52You have a domain controller named Server1 that runs Windows Server 2008 R2.

You need to determine the size of the Active Directory database on Server1.

What should you do?

A. Run the Active Directory Sizer tool.B. Run the Active Directory Diagnostics data collector set.C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.



QUESTION 53You need to receive an e-mail message whenever a domain user account is locked out.


A. Active Directory Administrative CenterB. Event ViewerC. Resource MonitorD. Security Configuration Wizard



MS Press - Self-Paced Training Kit (Exam 70-642) (2nd Edition, 2011) page 525

Automatically Responding to Events

One of the most useful ways to use Task Scheduler is to launch a task in response to a specific event type thatappears in Event Viewer. You can respond to events in three ways:Start A Program - Launches an application. Often, administrators write a script that carries out a series of tasksthat they would otherwise need to manually perform, and automatically run that script when an event appears.

Send An E-mail - Sends an email by using the Simple Mail Transport Protocol (SMTP) server you specify.

Often, administrators configure urgent events to be sent to a mobile device.

Display A Message - Displays a dialog box showing a message. This is typically useful only when a user needsto be notified of something happening on the computer.

To trigger a task when an event occurs, follow one of these three procedures:

Find an example of the event in Event Viewer. Then, right-click the event and click Attach Task To This Event.A wizard will guide you through the process.

QUESTION 54Your network contains an Active Directory domain named contoso.com. You have a management computernamed Computer1 that runs Windows 7.

You need to forward the logon events of all the domain controllers in contoso.com to Computer1.

All new domain controllers must be dynamically added to the subscription.

What should you do?

A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO) linkedto the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO) linkedto the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

C. From Computer1, configure source-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllersorganizational unit (OU).

D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication certificateon Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).



http://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx

Setting up a Source Initiated Subscription

Source-initiated subscriptions allow you to define a subscription on an event collector computer without definingthe event source computers, and then multiple remote event source computers can be set up (using a grouppolicy setting) to forward events to the event collector computer. This differs from a collector initiatedsubscription because in the collector initiated subscription model, the event collector must define all the eventsources in the event subscription.

QUESTION 55Your network contains an Active Directory domain that has two sites.

You need to identify whether logon scripts are replicated to all domain controllers.

Which folder should you verify?

A. GroupPolicyB. NTDSC. SoftwareDistributionD. SYSVOL




SYSVOL is a collection of folders that contain a copy of the domain's public files, including system policies,logon scripts, and important elements of Group Policy objects (GPOs).

QUESTION 56You install a standalone root certification authority (CA) on a server named Server1.

You need to ensure that every computer in the forest has a copy of the root CA certificate installed in the localcomputer's Trusted Root Certification Authorities store.

Which command should you run on Server1?

A. certreq.exe and specify the -accept parameterB. certreq.exe and specify the -retrieve parameterC. certutil.exe and specify the -dspublish parameterD. certutil.exe and specify the -importcert parameter




Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exeto dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.

Syntax

Certutil <-parameter> [-parameter]

Parameter

-dsPublish

Publish a certificate or certificate revocation list (CRL) to Active Directory

QUESTION 57Your network contains an Active Directory forest. The forest contains two domains. You have a standalone rootcertification authority (CA).

On a server in the child domain, you run the Add Roles Wizard and discover that the option to select anenterprise CA is disabled.

You need to install an enterprise subordinate CA on the server.

What should you use to log on to the new server?

A. an account that is a member of the Certificate Publishers group in the child domainB. an account that is a member of the Certificate Publishers group in the forest root domain

C. an account that is a member of the Schema Admins group in the forest root domainD. an account that is a member of the Enterprise Admins group in the forest root domain



http://social.technet.microsoft.com/Forums/uk/winserversecurity/thread/887f4cec-12f6- 4c15-a506-568ddb21d46b

In order to install Enterprise CA you MUST have Enterprise Admins permissions, because Configurationnaming context is replicated between domain controllers in the forest (not only current domain) and are writablefor Enterprise Admins (domain admins permissions are insufficient).

QUESTION 58You have an enterprise subordinate certification authority (CA).

You have a group named Group1.

You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must notbe allowed to revoke certificates.

What should you do?

A. Add Group1 to the local Administrators group.B. Add Group1 to the Certificate Publishers group.C. Assign the Manage CA permission to Group1.D. Assign the Issue and Manage Certificates permission to Group1.





Manage CA is a security permission belonging to the CA Administrator role. The CA Administrator can enable,publish, or configure certificate revocation list (CRL) schedules.

Revoking certificates is an activity of the Certificate Manager role.

QUESTION 59You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recoveryagent certificates are issued. The CA is configured to use two recovery agents.

You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.

What should you do?

A. Add a data recovery agent to the Default Domain Policy.B. Modify the value in the Number of recovery agents to use box.

C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.



MS Press - Self-Paced Training Kit (Exams 70-648 & 70-649) (Microsoft Press, 2009) page You enable keyarchival on the Recovery Agents tab of the CA Properties in the CA console by selecting the Archive The Keyoption and specifying a key recovery agent. In the number of recovery agents to use, select the number of keyrecovery agent (KRA) certificates you have added to the CA. This ensures that each KRA can be used torecover a private key. If you specify a smaller number than the number of KRA certificates installed, the CA willrandomly select that number of KRA certificates from the available total and encrypt the private key, usingthose certificates. This complicates recovery because youthen have to figure out which recovery agent certificate was used to encrypt the private key before beginningrecovery.

QUESTION 60You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardwaresecurity module. You need to back up Active Directory Certificate Services on the CA.


A. certutil.exe backupB. certutil.exe backupdbC. certutil.exe backupkeyD. certutil.exe store



Because a hardware security module (HSM) is used that stores the private keys, the command certutil. exe -backup would fail, since we cannot extract the private keys from the module. The HSM should have aproprietary procedure for that.The given commands are:certutil -backupBackup set includes certificate database, CA certificate an the CA key pair certutil -backupdbBackup set only includes certificate databasecertutil -backupkeyBackup set only includes CA certificate and the CA key pair certutil store Provides a dump of the certificatestore onscreen. Since we cannot extract the keys from the HSM we have to use backupdb.Reference 1:Microsoft Windows Server(TM) 2003 PKI and Certificate Security (Microsoft Press, 2004) page 215For the commands listed above.Reference 2:http://technet.microsoft.com/en-us/library/cc732443.aspx Certutil.exe is a command-line program that isinstalled as part of Certificate Services. You

can use Certutil.exe to dump and display certification authority (CA) configuration information, configureCertificate Services, back up and restore CA components, and verify certificates, key pairs, and certificatechains.

SyntaxCertutil <-parameter> [-parameter]Parameter-backupdbBackup the Active Directory Certificate Services database Reference 3:http://poweradmin.se/blog/2010/01/11/backup-and-restore-for-active-directory-certificateservices/

QUESTION 61You have Active Directory Certificate Services (AD CS) deployed.

You create a custom certificate template.

You need to ensure that all of the users in the domain automatically enroll for a certificate based on the customcertificate template.


A. In a Group Policy object (GPO), configure the autoenrollment settings.B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.




To automatically enroll client computers for certificates in a domain environment, you must:

Configure an autoenrollment policy for the domain.(...)

In Configuration Model, select Enabled to enable autoenrollment.

Configure certificate templates for autoenrollment.

(...)

In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, andthen click OK and Close to finish

Configure an enterprise CA.


You have a custom Version 3 certificate template.

Users can enroll for certificates based on the custom certificate template by using the Certificates console. Thecertificate template is unavailable for Web enrollment.

You need to ensure that the certificate template is available on the Web enrollment pages.

What should you do?

A. Run certutil.exe pulse.B. Run certutil.exe installcert.C. Change the certificate template to a Version 2 certificate template.D. On the certificate template, assign the Autoenroll permission to the users.


Explanation/Reference:Explanation:Explanation

Identical to F/Q33.Reference 1:http://technet.microsoft.com/en-us/library/cc732517.aspx Certificate Web enrollment cannot be used withversion 3 certificate templates.

Reference 2:http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3- templates.aspxThe reason for this blog post is that one of our customers called after noticing some unexpected behavior whenthey were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template basedcertificate. The problem was that no matter what they did the Version 3 Templates would not appear ascertificates which could be requested via the web page. On the other hand, version 1 and 2 templates didappear in the page and requests could be done successfully using those templates.

QUESTION 63You have an enterprise subordinate certification authority (CA). You have a custom certificate template that hasa key length of 1,024 bits. The template is enabled for autoenrollment.

You increase the template key length to 2,048 bits. You need to ensure that all current certificate holdersautomatically enroll for a certificate that uses the new template.


A. Active Directory Administrative CenterB. Certification AuthorityC. Certificate TemplatesD. Group Policy Management




Re-Enroll All Certificate Holders

This procedure is used when a critical change is made to the certificate template and you want all subjects thathold a certificate that is based on this template to re-enroll as quickly as possible. The next time the subjectverifies the version of the certificate against the version of the template on the certification authority (CA), thesubject will re-enroll.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this

procedure. For more information, see Implement Role-BasedAdministration.

To re-enroll all certificate holders

1. Open the Certificate Templates snap-in.

2. Right-click the template that you want to use, and then click Reenroll All Certificate Holders.

QUESTION 64Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard.

The functional level of the domain is Windows Server 2003. You have a certification authority (CA).

The relevant servers in the domain are configured as shown below:

You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate EnrollmentWeb Service on the network.

What should you do?

A. Upgrade Server1 to Windows Server 2008 R2.B. Upgrade Server2 to Windows Server 2008 R2.C. Raise the functional level of the domain to Windows Server 2008.D. Install the Windows Server 2008 R2 Active Directory Schema updates.




Installation requirements

Before installing the certificate enrollment Web services, ensure that your environment meets theserequirements:

A host computer as a domain member running Windows Server 2008 R2.

An Active Directory forest with a Windows Server 2008 R2 schema.

An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or

Windows Server 2003.

QUESTION 65You have a domain controller that runs the DHCP service.

You need to perform an offline defragmentation of the Active Directory database on the domain controller.

You must achieve this goal without affecting the availability of the DHCP service.

What should you do?

A. Restart the domain controller in Directory Services Restore Mode. Run the Disk Defragmenter utility.B. Restart the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility.C. Stop the Active Directory Domain Services service. Run the Ntdsutil utility.D. Stop the Active Directory Domain Services service. Run the Disk Defragmenter utility.



We don't need to restart the server to defragment the AD database. We do need to stop AD DS in order todefragment the database.Reference:


To perform offline defragmentation of the directory database

1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and thenclick Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, andthen click Continue.

2. At the command prompt, type the following command, and then press ENTER: net stop ntds

3. Type Y to agree to stop additional services, and then press ENTER.

4. At the command prompt, type ntdsutil, and then press ENTER.

QUESTION 66Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way foresttrust exists between contoso.com and nwtraders.com. The forest trust is configured to use selectiveauthentication.

Contoso.com contains a server named Server1. Server1 contains a shared folder named Marketing.

Nwtraders.com contains a global group named G_Marketing. The Change share permission and the ModifyNTFS permission for the Marketing folder are assigned to the G_Marketing group. Members of G_Marketingreport that they cannot access the Marketing folder.

You need to ensure that the G_Marketing members can access the folder from the network.

What should you do?

A. From Windows Explorer, modify the NTFS permissions of the folder.B. From Windows Explorer, modify the share permissions of the folder.C. From Active Directory Users and Computers, modify the computer object for Server1.D. From Active Directory Users and Computers, modify the group object for G_Marketing.



MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 643-644

After you have selected Selective Authentication for the trust, no trusted users will be able to access resourcesin the trusting domain, even if those users have been given permissions. The users must also be assigned theAllowed To Authenticate permission on the computer object in the domain.

To assign this permission:

1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is selectedon the View menu.

2. Open the properties of the computer to which trusted users should be allowed to authenticate--that is, thecomputer that trusted users will log on to or that contains resources to which trusted users have been givenpermissions.

3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box forthe Allowed To Authenticate permission.


You need to add a new user principal name (UPN) suffix to the forest.


A. Active Directory Administrative CenterB. Active Directory Domains and TrustsC. Active Directory Sites and ServicesD. Active Directory Users and Computers



http://www.kassapoglou.com/windows-server-2008-lesson-23-video-creating-a-user/

Demonstration adding a UPN Suffix

To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the start menu.Right click Active Directory Domains and Trusts at the top and open the properties. From here you can add andremove additional domain UPN suffixes for the forest.

QUESTION 68Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2connect to each other by using a slow WAN link.

You discover that the cached password for a user named User1 is compromised on the RODC.

On a domain controller in Site1, you change the password for User1.

You need to replicate the new password for User1 to the RODC immediately. The solution must not replicate

other objects to the RODC.


A. Active Directory Sites and ServicesB. Active Directory Users and ComputersC. RepadminD. Replmon




Repadmin /rodcpwdrepl

Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domaincontroller to one or more read-only domain controllers (RODCs).

Example:

The following example triggers replication of the passwords for the user account named JaneOh from thesource domain controller named source-dc01 to all RODCs that have the name prefix dest-rodc:

repadmin /rodcpwdrepl dest-rodc* source-dc01 cn=JaneOh,ou=execs,dc=contoso,dc=com



The properties of the contoso.com DNS zone are configured as shown in the exhibit. (Click the Exhibit button.)

You need to update all service location (SRV) records for a domain controller in the domain.

What should you do?


A. Restart the Netlogon service.B. Restart the DNS Client service.C. Run sc.exe and specify the triggerinfo parameter.D. Run ipconfig.exe and specify the /registerdns parameter.




The SRV resource records for a domain controller are important in enabling clients to locate the domaincontroller. The Netlogon service on domain controllers registers this resource record whenever a domaincontroller is restarted. You can also re-register a domain controller's SRV resource records by restarting thisservice from the Services branch of Server Manager or by typing net start netlogon. An exam question might

ask you how to troubleshoot the nonregistration of SRV resource records.


A user named User1 takes a leave of absence for one year.

You need to restrict access to the User1 user account while User1 is away.

What should you do?

A. From the Default Domain Policy, modify the account lockout settings.B. From the Default Domain Controller Policy, modify the account lockout settings.C. From the properties of the user account, modify the Account options.D. From the properties of the user account, modify the Session settings.



Account lockout settings deal with logon security, like how many times a wrong password can be enteredbefore an account gets locked out, or after how many minutes a locked out user can try again.

To really restrict access to the User1 account it has to be disabled, by modifying the account options.Reference:

http://blogs.technet.com/b/msonline/archive/2009/08/17/disabling-and-deleting-useraccounts.aspx

Disabling a user account prevents user access to e-mail and Microsoft SharePoint Online data, but retains theuser's data. Disabling a user account also keeps the user license associated with that account. This is the bestoption to utilize when a person leaves an organization temporarily.

QUESTION 71Your network contains an Active Directory domain. The domain contains 1,000 user accounts.

You have a list that contains the mobile phone number of each user. You need to add the mobile number ofeach user to Active Directory.

What should you do?

A. Create a file that contains the mobile phone numbers, and then run ldifde.exe.B. Create a file that contains the mobile phone numbers, and then run csvde.exe.C. From Adsiedit, select the CN=Users container, and then modify the properties of the container.D. From Active Directory Users and Computers, select all of the users, and then modify the properties of the

users.



CSVDE can only import and export data from AD DS. http://technet.microsoft.com/en-us/library/cc732101.aspxReference:


LdifdeCreates, modifies, and deletes directory objects.

QUESTION 72Your network contains an Active Directory domain named contoso.com. All domain controllers and memberservers run Windows Server 2008. All client computers run Windows 7.

From a client computer, you create an audit policy by using the Advanced Audit Policy Configuration settings inthe Default Domain Policy Group Policy object (GPO).

You discover that the audit policy is not applied to the member servers. The audit policy is applied to the clientcomputers.

You need to ensure that the audit policy is applied to all member servers and all client computers.

What should you do?

A. Add a WMI filter to the Default Domain Policy GPO.B. Modify the security settings of the Default Domain Policy GPO.C. Configure a startup script that runs auditpol.exe on the member servers.D. Configure a startup script that runs auditpol.exe on the domain controllers.



Advanced audit policy settings cannot be applied using group policy to Windows Server 2008 servers. Tocircumvent that we have to use a logon script to apply the audit policy to the Windows Server 2008 memberservers.Reference1:http://technet.microsoft.com/en-us/library/ff182311.aspx Advanced Security Auditing FAQThe advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. Theadvanced settings can only be used on computers running Windows 7, Windows Vista, Windows Server 2008R2, or Windows Server 2008.Note

In Windows Vista and Windows Server 2008, advanced audit event settings were not integrated withGroup Policy and could only be deployed by using logon scripts generated with the Auditpol.exe command-linetool. In Windows Server 2008 R2 and Windows 7, all auditing capabilities are integrated with Group Policy. Thisallows administrators to configure, deploy, and manage these settings in the Group Policy ManagementConsole (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).

QUESTION 73Your network contains an Active Directory domain. The domain contains a group named Group1.

The minimum password length for the domain is set to six characters.

You need to ensure that the passwords for all users in Group1 are at least 10 characters long. All other usersmust be able to use passwords that are six characters long.


A. Run the New-ADFineGrainedPasswordPolicy cmdlet.

B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.C. From the Default Domain Policy, modify the password policy.D. From the Default Domain Controller Policy, modify the password policy.



First we need to create a new Active Directory fine grained password policy, using New-ADFineGrainedPasswordPolicy.Then we can apply the new policy to Group1, using Add- ADFineGrainedPasswordPolicySubject.Reference:


New-ADFineGrainedPasswordPolicyCreates a new Active Directory fine grained password policy.

QUESTION 74Your company uses an application that stores data in an Active Directory Lightweight Directory Services (ADLDS) instance named Instance1.

You attempt to create a snapshot of Instance1 as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that you can take a snapshot of Instance1.

What should you do?

A. At the command prompt, run net start VSS.B. At the command prompt, run net start Instance1.C. Set the Startup Type for the Instance1 service to Disabled.D. Set the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.



Hard to find references on this, but the solution can be found by eliminating the rest. Instance1 is running,otherwise you'd get a different message at the snaphot: create step.("AD service


must be running in order to perform this operation", on my virtual server.) Disabling Instance1 makes no sensebecause you need it, nor is setting the Startup Type for the VolumeShadow Copy Service (VSS) to Manual.

QUESTION 75Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains amember server that is configured to collect all of the events that occur on the domain controllers.

You need to ensure that administrators are notified when a specific event occurs on any of the domaincontrollers. You want to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. From Event Viewer on the member server, create a subscription.B. From Event Viewer on each domain controller, create a subscription.C. From Event Viewer on the member server, run the Create Basic Task Wizard.D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.



Since the member server is collecting all domain controller events we just need to run the Create Basic TaskWizard on the member server, which enables us to send an e-mail when a specific event is logged. Runningthe wizard on every domain controller would work, but is much more work and we need to use the minimumamount of administrative effort.Reference:


To Run a Task in Response to a Given Event

1. Start Event Viewer.

2. In the console tree, navigate to the log that contains the event you want to associate witha task.

3. Right-click the event and select Attach Task to This Event.

4. Perform each step presented by the Create Basic Task Wizard.

In the Action step in the wizard you can decide to send an e-mail.

QUESTION 76Your network contains an Active Directory domain controller named DC1. DC1 runs Windows Server 2008 R2.

You need to defragment the Active Directory database on DC1. The solution must minimize downtime on DC1.


A. At the command prompt, run net stop ntds.B. At the command prompt, run net stop netlogon.C. Restart DC1 in Safe Mode.D. Restart DC1 in Directory Services Restore Mode (DSRM).



We don't need to restart the server to defragment the AD database. We only need to stop AD DS in order todefragment the database, using ntdsutil.Reference:


To perform offline defragmentation of the directory database

1. Open a Command Prompt as an administrator.

2. At the command prompt, type the following command, and then press ENTER: net stop ntds

3. Type Y to agree to stop additional services, and then press ENTER.

4. At the command prompt, type ntdsutil, and then press ENTER.

QUESTION 77Your network contains a single Active Directory domain named contoso.com.

An administrator accidentally deletes the _msdsc.contoso.com zone. You recreate the _msdsc.contoso.comzone.

You need to ensure that the _msdsc.contoso.com zone contains all of the required DNS records.

What should you do on each domain controller?

A. Restart the Netlogon service.B. Restart the DNS Server service.C. Run dcdiag.exe /fix.D. Run ipconfig.exe /registerdns.



Reference 1:

http://support.microsoft.com/kb/817470To register the required records to the single root domain controller, restart the Net Logon service on all thedomain controllers. The replication works correctly if the replication window is not less than the default DNSTime to Live (TTL) entry. To restart the Net Logon service, follow these steps:1. Click Start, click Run, type cmd in the Open box, and then press ENTER.2. At the command prompt, type the following command, and then press ENTER: net stop netlogon3. Type net start netlogon, and then press ENTER.Reference 2:http://serverfault.com/questions/383915/how-do-i-manually-create-the-msdcs-dns-zone-for- a-domain-that-wascreated-pre-sBe sure to restart the Netlogon services on all DC's when the zone has been replicated to them. This forces theDC's to register their SRV records in the _msdcs zone.

QUESTION 78Your network contains an Active Directory-integrated zone. All DNS servers that host the zone are domaincontrollers.

You add multiple DNS records to the zone.

You need to ensure that the records are replicated to all DNS servers.


A. DnslintB. LdpC. NslookupD. Repadmin


Explanation/Reference:Explanation:To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool.Reference:


Forcing Replication Sometimes it becomes necessary to forcefully replicate objects and entire partitionsbetween domain controllers that may or may not have replication agreements.

Force a replication event with all partners The repadmin /syncall command synchronizes a specified domaincontroller with all replication partners.

Syntax

repadmin /syncall <DC> [<NamingContext>] [<Flags>]

Parameters

<DC>Specifies the host name of the domain controller to synchronize with all replication partners.

<NamingContext>Specifies the distinguished name of the directory partition.

"A Composite Solution With Just One Click" - Certification Guaranteed 190 Microsoft 70-640 : Practice Test<Flags> Performs specific actions during the replication.

QUESTION 79

Your network contains an Active Directory forest. The forest contains two domains named contoso.com andeu.contoso.com. All domain controllers are DNS servers.

The domain controllers in contoso.com host the zone for contoso.com. The domain controllers ineu.contoso.com host the zone for eu.contoso.com. The DNS zone for contoso.com is configured as shown inthe exhibit. (Click the Exhibit button.)

You need to ensure that all domain controllers in the forest host a writable copy of _msdsc.contoso.com.


A. Create a zone delegation record in the contoso.com zone.B. Create a zone delegation record in the eu.contoso.com zone.C. Create an Active Directory-integrated zone for _msdsc.contoso.com.D. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com.




Note that the question speaks of _msdSC, instead of _msdCS. Not sure if it means something, probably a typo.

QUESTION 80You need to compact an Active Directory database on a domain controller that runs Windows Server 2008 R2.

What should you do?

A. Run defrag.exe /a /c.B. Run defrag.exe /c /u.

C. From Ntdsutil, use the Files option.D. From Ntdsutil, use the Metadata cleanup option.



Reference 1:http://technet.microsoft.com/en-us/library/cc794920.aspx Compact the Directory Database File (OfflineDefragmentation) You can use this procedure to compact the Active Directory database offline. Offlinedefragmentation returns free disk space in the Active Directory database to the file system. As part of the offlinedefragmentation procedure, check directory database integrity. Performing offline defragmentation creates anew, compacted version of the database file in a different location.Reference 2:Mastering Windows Server 2008 R2 (Sybex, 2010) page 805 Performing Offline Defragmentation of Ntds.ditThese steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment andcompact the database to a remote shared folder, map a drive letter to that shared folder before you begin thesesteps, and use that drive letter in the path where appropriate.1. Open an elevated command prompt. Click Start, and then right-click Command Prompt.

Click Run as Administrator.2. Type ntdsutil, and then press Enter.3. Type Activate instance NTDS, and press Enter.4. At the resulting ntdsutil prompt, type Files (case sensitive), and then press Enter.5. At the file maintenance prompt, type compact to followed by the path to the destination folder for thedefragmentation, and then press Enter.

QUESTION 81Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers.

The servers are configured as shown in the following table.

You need to ensure that users can manually enroll and renew their certificates by using the CertificateEnrollment Web Service.


A. Configure the policy module settings.B. Configure the issuance requirements for the certificate templates.C. Configure the Certificate Services Client - Certificate Enrollment Policy Group Policy setting.D. Configure the delegation settings for the Certificate Enrollment Web Service application pool account.



Explanation: Reference 1:http://technet.microsoft.com/en-us/library/dd759245.aspx

The Certificate Enrollment Web Service can process enrollment requests for new certificates and for certificaterenewal. In both cases, the client computer submits the request to the Web service and the Web servicesubmits the request to the certification authority (CA) on behalf of the client computer. For this reason, the Webservice account must be trusted for delegation in order to present the client identity to the CA.

Reference 2:http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web- services-in-active-directory-certificate-services.aspx

Delegation is required for the Certificate Enrollment Web Service account when all of the following are true:the CA is not on the same computer as the Certificate Enrollment Web Service Certificate Enrollment WebService needs to be able to process initial enrollment requests, as opposed to only processing certificaterenewal requests the authentication type is set to Windows Integrated Authentication or Client certificateauthentication

QUESTION 82Your network contains an Active Directory domain named contoso.com. Contoso.com contains a memberserver that runs Windows Server 2008 Standard.

You need to install an enterprise subordinate certification authority (CA) that supports private key archival.

You must achieve this goal by using the minimum amount of administrative effort.


A. Initialize the Trusted Platform Module (TPM).B. Upgrade the member server to Windows Server 2008 R2 Standard.C. Install the Certificate Enrollment Policy Web Service role service on the member server.D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services -

Certification Authority server role template check box."A Composite Solution With Just One Click" - Certification Guaranteed 194 Microsoft 70-640 : Practice Test




You have a custom Version 3 certificate template.

Users can enroll for certificates based on the custom certificate template by using the Certificates console. Thecertificate template is unavailable for Web enrollment.

You need to ensure that the certificate template is available on the Web enrollment pages.

What should you do?

A. Run certutil.exe Cpulse.B. Run certutil.exe Cinstallcert.C. Change the certificate template to a Version 2 certificate template.D. On the certificate template, assign the Autoenroll permission to the users.



Identical to F/Q12.Reference 1:http://technet.microsoft.com/en-us/library/cc732517.aspx Certificate Web enrollment cannot be used withversion 3 certificate templates.Reference 2:http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3- templates.aspxThe reason for this blog post is that one of our customers called after noticing some unexpected behavior whenthey were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template basedcertificate. The problem was that no matter what they did the Version 3 Templates would not appear ascertificates which could be requested via the web page. On the other hand, version 1 and 2 templates didappear in the page and requests could be done successfully using those templates.

QUESTION 84Your network contains an Active Directory domain. The domain contains a member server named Server1 thatruns Windows Server 2008 R2.

You need to configure Server1 as a global catalog server.

What should you do?

A. Modify the Active Directory schema.B. From Ntdsutil, use the Roles option.C. Run the Active Directory Domain Services Installation Wizard on Server1.D. Move the Server1 computer object to the Domain Controllers organizational unit (OU).



Now it's just a member server, so you'll have to run dcpromo to start the Active Directory Domain ServicesInstallation Wizard in order to promote the server to a domain controller. Only a domain controller can be aglobal catalog server.Reference:


The global catalog is a distributed data repository that contains a searchable, partial representation of everyobject in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog isstored on domain controllers that have been designated as global catalog servers and is distributed throughmultimaster replication.

QUESTION 85Your network contains three Active Directory forests named Forest1, Forest2, and Forest3. Each forestcontains three domains. A two-way forest trust exists between Forest1 and Forest2. A two-way forest trustexists between Forest2 and

Forest3.You need to configure the forests to meet the following requirements:

Users in Forest3 must be able to access resources in Forest1

Users in Forest1 must be able to access resources in Forest3.

The number of trusts must be minimized.

What should you do?

A. In Forest2, modify the name suffix routing settings.B. In Forest1 and Forest3, configure selective authentication.C. In Forest1 and Forest3, modify the name suffix routing settings.D. Create a two-way forest trust between Forest1 and Forest3.E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3.



QUESTION 86Your network contains an Active Directory domain. All domain controller run Windows Server 2003.

You replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise thefunctional level of the domain to Windows Server 2008 R2.

You need to minimize the amount of SYSVOL replication traffic on the network.

What should you do?

A. Raise the functional level of the forest to Windows Server 2008 R2.B. Modify the path of the SYSVOL folder on all of the domain controllers.C. On a global catalog server, run repadmin.exe and specify the KCC parameter.D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run

dfsrmig.exe.


Explanation/Reference:Explanation:Now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functionallevel has been upgraded to Windows Server 2008 R2 we can use DFS Replication for replicating SYSVOL,instead of File Replication Service (FRS) of previous

Windows Server versions.The migration takes place on a domain controller holding the PDC Emulator role.Reference 1:

http://technet.microsoft.com/en-us/library/cc794837.aspx Using DFS Replication for replicating SYSVOL inWindows Server 2008 DFS Replication technology significantly improves replication of SYSVOL. In Windows2000 Server, Windows Server 2003, and Windows Server 2003 R2, FRS is used to replicate the contents of theSYSVOL share.

When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files largerthan 64 KB, only the updated portion of the file is replicated.Reference 2:

http://technet.microsoft.com/en-us/library/dd639809.aspx Migrating to the Prepared StateThe following sections provide an overview of the procedures that you perform when you migrate SYSVOLreplication from File Replication Service (FRS) to Distributed File System (DFS Replication).This migration phase includes the tasks in the following list. Running the dfsrmig /SetGlobalState 1 commandon the PDC emulator to start the migration to the Prepared state.

QUESTION 87Your network contains an Active Directory forest. The forest contains two domain controllers. The domaincontrollers are configured as shown in the following table.

All client computers run Windows 7.You need to ensure that all client computers in the domain keep the same time as an external time server.

What should you do?

A. From DC1, run the time command.B. From DC2, run the time command.C. From DC1, run the w32tm.exe command.D. From DC2, run the w32tm.exe command.




Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root DomainThe domain controller in the forest root domain that holds the primary domain controller (PDC) emulatoroperations master (also known as flexible single master operations or FSMO) role is the default time source forthe domain hierarchy of time sources in the forest.Reference 2:http://technet.microsoft.com/en-us/library/cc773263.aspx Windows Time Service Tools and SettingsMost domain member computers have a time client type of NT5DS, which means that they synchronize timefrom the domain hierarchy. The only typical exception to this is the domain controller that functions as theprimary domain controller (PDC) emulator operations master of the forest root domain, which is usuallyconfigured to synchronize time with an external time source.

W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems withthe time service. W32tm.exe is the preferred command line tool for configuring, monitoring, or troubleshootingthe Windows Time service.

QUESTION 88

"A Composite Solution With Just One Click" - Certification Guaranteed 199 Microsoft 70-640 : Practice TestYour network contains an Active Directory domain named contoso.com. Contoso.com contains two domaincontrollers. The domain controllers are configured as shown in the following table.

All client computers have IP addresses in the 10.1.2.1 to 10.1.2.240 range.

You need to minimize the number of client authentication requests sent to DC2.

What should you do?

A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and assign thesubnet to Site1. Move DC1 to Site1.

B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and assign thesubnet to Site1. Move DC1 to Site1.

C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and assign thesubnet to Site1. Move DC2 to Site1.

D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and assign thesubnet to Site1. Move DC2 to Site1.



Creating a new site and assigning a subnet of 10.1.1.2 with subnet mask of 255.255.255.255, it means onlyONE ip (the DC2 ip) will be included on the site1 subnet coverage. Therefore all the request will be processedfrom the DC1 in the default-first-site and dc2 will authenticate only itself.

QUESTION 89Active Directory Rights Management Services (AD RMS) is deployed on your network.

You need to configure AD RMS to use Kerberos authentication.


A. Register a service principal name (SPN) for AD RMS.B. Register a service connection point (SCP) for AD RMS.C. Configure the identity setting of the _DRMSAppPool1 application pool.D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase.




If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, youmust take additional steps to configure the server running AD RMS after installing the AD RMS server role andprovisioning the server. Specifically, you must perform these procedures:

Set the Internet Information Services (IIS) useAppPoolCredentials variable to True

Set the Service Principal Names (SPN) value for the AD RMS service account

QUESTION 90Your network contains an Active Directory forest. The forest contains an Active Directory site for a remoteoffice. The remote site contains a read-only domain controller (RODC).

You need to configure the RODC to store only the passwords of users in the remote site.

What should you do?

A. Create a Password Settings object (PSO).B. Modify the Partial-Attribute-Set attribute of the forest.C. Add the user accounts of the remote site users to the Allowed RODC Password Replication Group.D. Add the user accounts of users who are not in the remote site to the Denied RODC Password Replication

Group.




Password Replication Policy Allowed and Denied lists

Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODCoperations. These are the Allowed RODC Password Replication Group and Denied RODC Password

Replication Group.

These groups help implement a default Allowed List and Denied List for the RODC Password ReplicationPolicy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup andmsDSNeverRevealGroup

Active Directory attributes mentioned earlier.

QUESTION 91Your company has four offices. The network contains a single Active Directory domain. Each office has adomain controller. Each office has an organizational unit (OU) that contains the user accounts for the users inthat office. In each office, support technicians perform basic troubleshooting for the users in their respectiveoffice.

You need to ensure that the support technicians can reset the passwords for the user accounts in theirrespective office only. The solution must prevent the technicians from creating user accounts.

What should you do?

A. For each OU, run the Delegation of Control Wizard.B. For the domain, run the Delegation of Control Wizard.C. For each office, create an Active Directory group, and then modify the security settings for each group.

D. For each office, create an Active Directory group, and then modify the controlAccessRights attribute foreach group.




Reference 1:http://technet.microsoft.com/en-us/library/cc732524.aspx To delegate control of an organizational unit1. To open Active Directory Users and Computers, click Start, click Control Panel, double- click AdministrativeTools, and then double-click Active Directory Users and Computers.2. To open Active Directory Users and Computers in Windows Server® 2012, click Start, type dsa.msc.3. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.4. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in thewizard.Reference 2:http://technet.microsoft.com/en-us/library/dd145442.aspx Delegate the following common tasksThe following are common tasks that you can select to delegate control of them:Reset user passwords and force password change at next logon

QUESTION 92Your network contains a single Active Directory domain. Client computers run either Windows XP Service Pack3 (SP3) or Windows 7. All of the computer accounts for the client computers are located in an organizationalunit (OU) named OU1.

You link a new Group Policy object (GPO) named GPO10 to OU1.

You need to ensure that GPO10 is applied only to client computers that run Windows 7.

What should you do?

A. Create a new OU in OU1. Move the Windows XP computer accounts to the new OU.B. Enable block inheritance on OU1.C. Create a WMI filter and assign the filter to GPO10.D. Modify the permissions of OU1.



http://technet.microsoft.com/en-us/library/cc947846.aspxTo make sure that each GPO associated with a group can only be applied to computers running the correctversion of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to theGPO. Although you can create a separate membership group for each GPO, you would then have to managethe memberships of the different groups. Instead, use only a single membership group, and let WMI filtersautomatically ensure the correct GPO is applied to each computer.


You need to audit changes to a service account. The solution must ensure that the audit logs contain the beforeand after values of all the changes.

Which security policy setting should you configure?

A. Audit Sensitive Privilege UseB. Audit User Account ManagementC. Audit Directory Service ChangesD. Audit Other Account Management Events




Audit Directory Service ChangesThis security policy setting determines whether the operating system generates audit events when changes aremade to objects in Active Directory Domain Services (AD DS).Reference 2:http://technet.microsoft.com/en-us/library/cc731607.aspx AD DS Auditing Step-by-Step GuideThis guide includes a description of the new Active Directory® Domain Services (AD DS) auditing feature inWindows Server® 2008. With the new auditing feature, you can log events that show old and new values; forexample, you can show that Joe's favorite drink changed from single latte to triple-shot latte.


QUESTION 94Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active DirectoryRights Management Services (AD RMS) is deployed in each forest.

You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in thecontoso.com forest.

What should you do?

A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.B. Create an external trust from nwtraders.com to contoso.com.C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.D. Create an external trust from contoso.com to nwtraders.com.




Using AD RMS trust

It is not necessary to create trust or federation relationships between the Active Directory forests oforganizations to be able to share rights-protected information between separate organizations. AD RMS

provides two types of trust relationships that provide this kind of rights-protected information exchange. Atrusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates oruse licenses from users whose rights account certificates (RACs) were issued by a different AD RMS rootcluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster totrust.

QUESTION 95Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is configured asan Active Directory Federation Services (AD FS) 2.0 standalone server.

You plan to add a new token-signing certificate to Server1.

You import the certificate to the server as shown in the exhibit. (Click the Exhibit button.)

When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable.

You need to ensure that you can use the new certificate for AD FS.

What should you do?

A. From the properties of the certificate, modify the Certificate Policy OIDs setting.B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.C. From the properties of the certificate, modify the Certificate purposes setting.D. Import the certificate to the local computer personal certificate store.




When you deploy the first federation server in a new AD FS 2.0 installation, you must obtain a token-signing

certificate and install it in the local computer personal certificate store on that federation server.


QUESTION 96You need to purge the list of user accounts that were authenticated on a read-only domain controller (RODC).

What should you do?

A. Run the repadmin.exe command and specify the /prp parameter.B. From Active Directory Sites and Services, modify the properties of the RODC computer object.C. From Active Directory Users and Computers, modify the properties of the RODC computer object.D. Run the dsrm.exe command and specify the -u parameter.



http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-passwordreplication-policy.aspx

Clearing the authenticated accounts list

In addition to reviewing the list of authenticated users, you may decide to periodically clean up the list ofaccounts that are authenticated to the RODC. Cleaning up this list may help you more easily determine the newaccounts that have authenticated through the RODC.

Membership in the Domain Admins group of the domain in which the RODC is a member, or equivalent, is theminimum required to complete this procedure.

To clear all entries from the list, run the command repadmin /prp delete <hostname> auth2 /all.

Substitute the actual host name of the RODC that you want to clear. For example, if you want to clear the list ofauthenticated accounts for RODC2, type repadmin /prp delete rodc2 auth2 /all, and then press ENTER.

QUESTION 97Your company has a main office and four branch offices. An Active Directory site exists for each office. Eachsite contains one domain controller. Each branch office site has a site linkto the main office site.

You discover that the domain controllers in the branch offices sometimes replicate directly to each other.

You need to ensure that the domain controllers in the branch offices only replicate to the domain controller inthe main office.

What should you do?

A. Modify the firewall settings for the main office site.B. Disable the Knowledge Consistency Checker (KCC) for each branch office site.C. Disable site link bridging.D. Modify the security settings for the main office site.




Configuring site link bridges

By default, all site links are bridged, or transitive. This allows any two sites that are not connected by an explicitsite link to communicate directly, through a chain of intermediary site links and sites. One advantage to bridgingall site links is that your network is easier to maintain because you do not need to create a site link to describeevery possible path between pairs of sites.

Generally, you can leave automatic site link bridging enabled. However, you might want to disable automaticsite link bridging and create site link bridges manually just for specific site links, in the following cases:

You have a network routing or security policy in place that prevents every domain controller from being able todirectly communicate with every other domain controller.

QUESTION 98Your network contains an Active Directory forest. The forest contains one domain. The domain contains twodomain controllers named DC1 and DC2 that run Windows Server 2008 R2.

DC1 was installed before DC2.

DC1 fails.

You need to ensure that you can add 1,000 new user accounts to the domain.

What should you do?

A. Modify the permissions of the DC2 computer account.B. Seize the schema master FSMO role.C. Configure DC2 as a global catalog server.D. Seize the RID master FSMO role.



MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 536-537

RID master failure

A failed RID master eventually prevents domain controllers from creating new SIDs and, therefore, preventsyou from creating new accounts for users, groups, or computers. However, domain controllers receive a sizablepool of RIDs from the RID master, so unless you are generating numerous new accounts, you can often go forsome time without the RID master online while it is being repaired. Seizing this role to another domain controlleris a significant action. After the RID master role has been seized, the domain controller that had beenperforming the role cannot be brought back online.


You need to identify whether the Active Directory Recycle Bin is enabled.

What should you do?

A. From Ldp, search for the Reanimate-Tombstones object.B. From Ldp, search for the LostAndFound container.

"A Composite Solution With Just One Click" - Certification Guaranteed 209 Microsoft 70-640 : Practice TestC. From Windows PowerShell, run the Get-ADObject cmdlet.D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet.



http://www.frickelsoft.net/blog/?p=224

How can I check whether the AD Recycle-Bin is enabled in my R2 forest?

[He shows how to use the PowerShell cmdlet Get- ADOptionalFeature to determine if the AD Recycle Bin isenabled.]


You create and mount an Active Directory snapshot.

You run dsamain.exe as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that you can browse the contents of the Active Directory snapshot.

What should you?

A. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe.

B. Change the value of the dbpath parameter, and then rerun dsamain.exe.C. Change the value of the ldapport parameter, and then rerun dsamain.exe.D. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe.



The path in the exhibit points to the running Active Directory database, not to the snapshot.Reference:


For the dbpath parameter, you must specify a mounted snapshot or a backup that you want to view along withthe complete path to the Ntds.dit file, for example:

/dbpath E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit

Topic 4, Volume D

Exam D


You need to back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group Policy linksfor the domain.

What should you do?

A. From Group Policy Management Console (GPMC), back up the GPOs.B. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.C. From Windows Server Backup, perform a system state backup.D. From Windows PowerShell, run the Backup-GPO cmdlet.



http://www.microsoft.com/en-us/download/details.aspx?id=22478 Planning and Deploying Group Policy (.doc)

Links to OUs, however, are not part of the backup data and will not be restored during a restore operation.http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/c361339f-7266- 4991-8309-c957a123a455/Permissions are backed up but links are not. The links are actually properties of the OU and would be backedup as part of the system state. The backup function in GPMC only backs up the properties of selected GPOs(the settings inside the GPOs as well as Security Filters and all other things that belong directly to the GPO). Itnever backs up OU / Site links -these are not properties of the GPO itself, but of the respective OUs and Sites...http://sdmsoftware.com/general-stuff/the-clash-of-the-gpo-links/ Group Policy links are stored within the gpLinkattribute on an AD container (in the case of GP, the container is a site, domain or OU object). http://technet.microsoft.com/de-de/library/cc756808%28v=ws.10%29.aspx http://technet.microsoft.com/en-us/library/cc784474%28v=ws.10%29.aspx Information saved in a backupBacking up a GPO saves all information that is stored inside the GPO to the file system.This includes the following information:GPO globally unique identifier (GUID) and domain.GPO settings.Discretionary access control list (DACL) on the GPO. WMI filter link, if there is one, but not the filter itself.Links to IP Security Policies, if any.XML report of the GPO settings, which can be viewed as HTML from within GPMC.Date and time stamp of when the backup was taken.User-supplied description of the backup.Information not saved in a backup

Backing up a GPO only saves data that is stored inside the GPO. Data that is stored outside the GPO is notavailable when the backup is restored to the original GPO or imported into a new one. This data that becomesunavailable includes the following information:Links to a site, domain, or organizational unit.WMI filter.IP Security policy.

Reference:

http://social.technet.microsoft.com/Forums/en/winserverGP/thread/d7c621fc-e0e9-47dd- a4df-9082b33132a6

For back up all of the Group Policy objets (GPOs Policy permissions, and Group Policy links for the domain) theanswer is C.

For details:

"A Composite Solution With Just One Click" - Certification Guaranteed 212 Microsoft 70-640 : Practice TestSystem State data

http://technet.microsoft.com/en-us/library/cc785306(WS.10).aspx


You need to reset the Directory Services Restore Mode (DSRM) password on the domain controller.


A. NtdsutilB. DsamainC. Active Directory Users and ComputersD. Local Users and Groups



http://blogs.technet.com/b/meamcs/archive/2012/05/29/reset-the-dsrm-administrator- password.aspx

To Reset the DSRM Administrator Password

1. Click, Start, click Run, type ntdsutil, and then click OK.

2. At the Ntdsutil command prompt, type set dsrm password.

QUESTION 3Your network contains an Active Directory forest. All client computers run Windows 7.

The network contains a high-volume enterprise certification authority (CA).

You need to minimize the amount of network bandwidth required to validate a certificate.

What should you do?

A. Configure an LDAP publishing point for the certificate revocation list (CRL).B. Configure an Online Certification Status Protocol (OCSP) responder.C. Modify the settings of the delta certificate revocation list (CRL).D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).




Online responder

This service is designed to respond to specific certificate validation requests through the Online Certificate

Status Protocol (OCSP). Using an online responder (OR), the system relying on PKI does not need to obtain afull CRL and can submit a validation request for a specific certificate. The online responder decodes thevalidation request and determines whether the certificate is valid. When it determines the status of therequested certificate, it sends back an encrypted response containing the information to the requester. Usingonline responders is much faster and more efficient than using CRLs. AD CS includes online responders as anew feature in Windows Server 2008 R2.

QUESTION 4Your network contains an Active Directory domain. You have five organizational units (OUs) named Finance,HR, Marketing, Sales, and Dev. You link a Group Policy object named GPO1 to the domain as shown in theexhibit. (Click the Exhibit button.

You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs. The solutionmust prevent GPO1 from being applied to users in the Dev OU.

What should you do?

A. Enforce GPO1.B. Modify the security settings of the Dev OU.C. Link GPO1 to the Finance OU.D. Modify the security settings of the Finance OU.



The OUs that are indicated by a blue exclamation mark in the console tree have blocked inheritance. Thismeans that GPO1 will not be applied to those OUs. For the Dev OU that's ok, but not for the Finance OU. Sowe have to link GPO1 to the Finance OU.Reference:


Block Inheritance

You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policyobjects (GPOs) that are linked to higher sites, domains, or organizational units from being automaticallyinherited by the child-level.

If a domain or OU is set to block inheritance, it will appear with a blue exclamation mark in the console tree.


QUESTION 5Your network contains an Active Directory domain. The domain contains an organizational unit (OU) namedOU1. OU1 contains all managed service accounts in the domain.

You need to prevent the managed service accounts from being deleted accidentally from OU1.

Which cmdlet should you use?

A. Set-ADUserB. Set-ADOrganizationalUnitC. Set-ADServiceAccountD. Set-ADObject



You can use Set-ADOrganizationalUnit and the -ProtectedFromAccidentalDeletion $true parameter to preventOU1 from being deleted accidentally, but you would still be able to delete the accounts inside it. Use Set-ADObject to protect the accounts.Reference:


Set-ADObject Modifies an Active Directory object.

Parameter

-ProtectedFromAccidentalDeletion <Boolean>Specifies whether to prevent the object from being deleted. Whenthis property is set to true, you cannot delete the corresponding object without changing the value of theproperty. Possible values for this parameter include:

$false or 0

$true or 1

The following example shows how to set this parameter to true.

-ProtectedFromAccidentalDeletion $true


QUESTION 6Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writabledomain controller named DC1 and a read-only domain controller (RODC) named DC2. All domain controllersrun Windows Server 2008 R2.

You need to install a new writable domain controller named DC3 in a remote site. The solution must minimizethe amount of replication traffic that occurs during the installation of Active Directory Domain Services (AD DS)on DC3.


A. Run dcpromo.exe /createdcaccount on DC3.B. Run ntdsutil.exe on DC2.C. Run dcpromo.exe /adv on DC3.D. Run ntdsutil.exe on DC1.



We can run dcpromo.exe /adv on DC3 to install a new writable domain controller using the Install From Media(IFM) option. That way there is less replication traffic. But before we can do that we have to create theinstallation media first. I suspect that's what they mean when they say "What should you do first?" So first wecreate the installation media, then we use the installation media to install DC3.Technet gives us instructions on how to create the installation media. It says:"You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you arecreating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directorydata over the network. This helps you install additional domain controllers in remote sites more efficiently." "Youmust use writeable domain controller installation media to install a writeable domain controller. You can createwriteable domain controller installation media only on a writeable domain controller."Since DC2 in answer B is a read-only domain controller, that leaves us with answer D ("Run ntdsutil.exe onDC1").


[Used for the information above]

[Some extra info on using IFM to install the DC:] Reference 2:http://http://technet.microsoft.com/en-us/library/cc732887.aspx dcpromo /advPerforms an install from media (IFM) operation.Reference 3:http://http://technet.microsoft.com/en-us/library/cc816722.aspx Installing an Additional Domain Controller byUsing IFM When you install Active Directory Domain Services (AD DS) by using the install from media (IFM)method, you can reduce the replication traffic that is initiated during the installation of an additional domaincontroller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary toinstall the additional domain controller.

QUESTION 7Your network contains an Active Directory forest. The forest contains 10 domains. All domain controllers are

configured as global catalog servers.

You remove the global catalog role from a domain controller named DC5.

You need to reclaim the hard disk space used by the global catalog on DC5.

What should you do?

A. From Active Directory Sites and Services, run the Knowledge Consistency Checker (KCC).B. From Active Directory Sites and Services, modify the general properties of DC5.C. From Ntdsutil, use the Semantic database analysis option.D. From Ntdsutil, use the Files option.



Reference 1:http://http://technet.microsoft.com/en-us/library/cc816618.aspx

Database defragmentationIn cases in which the data decreases significantly, such as when the global catalog is removed from a domaincontroller, free disk space is not automatically returned to the file system. Although this condition does notaffect database operation, it does result in large amounts of free disk space in the database. To decrease thesize of the database file by returning free disk space from the database file to the file system, you can performan offline defragmentation of the database. Whereas online defragmentation occurs automatically while AD DSis running, offline defragmentation requires taking the domain controller offline and using the Ntdsutil.execommand-line tool to perform the procedure.Reference 2:http://technet.microsoft.com/en-us/library/cc794920.aspx To perform offline defragmentation of the directorydatabase1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and thenclick Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, andthen click Continue.2. At the command prompt, type the following command, and then press ENTER: net stop ntds3. Type Y to agree to stop additional services, and then press ENTER.4. At the command prompt, type ntdsutil, and then press ENTER.5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.6. At the ntdsutil prompt, type files, and then press ENTER.

QUESTION 8A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone aredomain controllers.


You need to ensure that the new records are available on all DNS servers as soon as possible.


A. LdpB. RepadminC. NtdsutilD. NslookupE. Active Directory Sites And Services console

F. Active Directory Domains And Trusts consoleG. DnslintH. Dnscmd



To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool.Reference:


Forcing Replication

Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domaincontrollers that may or may not have replication agreements.

Force a replication event with all partners

The repadmin /syncall command synchronizes a specified domain controller with all replication partners.

Syntax


Parameters

<DC>

Specifies the host name of the domain controller to synchronize with all replication partners.

<NamingContext>

Specifies the distinguished name of the directory partition.

<Flags>

Performs specific actions during the replication.

QUESTION 9"A Composite Solution With Just One Click" - Certification Guaranteed 220 Microsoft 70-640 : Practice TestYou have a DNS zone that is stored in a custom application partition.

You need to add a domain controller to the replication scope of the custom application partition.


A. DNScmdB. DNS ManagerC. Server ManagerD. Dsmod


Explanation



After you create a Domain Name System (DNS) application directory partition to store a zone, you must enlistthe DNS server that hosts the zone in the application directory partition.

To enlist a DNS server in a DNS application directory partition

1. Open a command prompt.

2. Type the following command, and then press ENTER: dnscmd <ServerName> /

EnlistDirectoryPartition <FQDN>

QUESTION 10Your network contains a server named Server1 that runs Windows Server 2008 R2 Standard. Server1 has theActive Directory Certificate Services (AD CS) role installed.

You configure a certificate template named Template1 for autoenrollment. You discover that certificates are notbeing issued to any client computers. The event logs on the client computers do not contain any autoenrollmenterrors.

You need to ensure that all of the client computers automatically receive certificates based on Template1.

"A Composite Solution With Just One Click" - Certification Guaranteed 221 Microsoft 70-640 : Practice TestWhat should you do?

A. Modify the Default Domain Policy Group Policy object (GPO).B. Modify the Default Domain Controllers Policy Group Policy object (GPO).C. Upgrade Server1 to Windows Server 2008 R2 Enterprise.D. Restart Certificate Services on Server1.




Configure Certificate Autoenrollment

Many certificates can be distributed without the client even being aware that enrollment is taking place. Thesecan include most types of certificates issued to computers and services, as well as many certificates issued tousers.

To automatically enroll clients for certificates in a domain environment, you must:

Configure a certificate template with Autoenroll permissions.

Configure an autoenrollment policy for the domain.

To configure autoenrollment Group Policy for a domain

1. On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to

Administrative Tools, and then click Group Policy Management.

2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default

Domain Policy Group Policy object (GPO) that you want to edit.

QUESTION 11Your network contains a server that has the Active Directory Lightweight Directory Services (AD LDS) roleinstalled.

You need to perform an automated installation of an AD LDS instance.

"A Composite Solution With Just One Click" - Certification Guaranteed 222 Microsoft 70-640 : Practice TestWhich tool should you use?

A. Dism.exeB. Servermanagercmd.exeC. Adaminstall.exeD. Ocsetup.exe




To perform an unattended install of an AD LDS instance

1. Create a new text file by using any text editor.

2. Specify the installation parameters.

3. At a command prompt (or in a batch or script file), change to the drive and directory that contains the ADLDS setup files.

4. At the command prompt, type the following command, and then press ENTER:%systemroot%\ADAM

\adaminstall.exe /answer:drive:\<pathname>\<filename>.txt"

QUESTION 12Your network contains an Active Directory domain named contoso.com. A partner company has an ActiveDirectory domain named nwtraders.com. The networks for contoso.com and nwtraders.com connect to eachother by using a WAN link.

You need to ensure that users in contoso.com can access resources in nwtraders.com and resources on theInternet.


A. Modify the Trusted Root Certification Authorities store.B. Modify the Intermediate Certification Authorities store.C. Create conditional forwarders.

D. Add a root hint to the DNS server."A Composite Solution With Just One Click" - Certification Guaranteed 223 Microsoft 70-640 : Practice Test



MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)pages 114-115

Conditional Forwarders

You can configure a DNS server as a conditional forwarder. This is a DNS server that handles name resolutionfor specified domains only. In other words, the local DNS server will forward all the queries that it receives fornames ending with a specific domain name to the conditional forwarder. This is especially useful in situationswhere users in your company need access to resources in another company with a separate AD DS forest andDNS zones, such as a partner company. In such a case, specify a conditional forwarder that directs suchqueries to the DNS server in the partner company while other queries are forwarded to the Internet. Doing soreduces the need for adding secondary zones for partner companies on your DNS servers.

QUESTION 13Your network contains an Active Directory forest. The forest contains multiple domains.

You need to ensure that users in the human resources department can search for employees by using theemployeeNumber attribute.

What should you do?

A. From Active Directory Sites and Services, modify the properties of each global catalog server.B. From the Active Directory Schema snap-in, modify the properties of the user object class.C. From Active Directory Sites and Services, modify the NTDS Settings objectof each global catalog server.D. From the Active Directory Schema snap-in, modify the properties of the employeeNumber attribute.



http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx

"A Composite Solution With Just One Click" - Certification Guaranteed 224 Microsoft 70-640 : Practice TestGlobal Catalog Replication of Additions to the Partial Attribute Set

Each global catalog server in an AD DS forest hosts a copy of every existing object in that forest. For theobjects of its own domain, a global catalog server has information related to all attributes that are associatedwith those objects. For the objects in domains other than its own, a global catalog server has only informationthat is related to the set of attributes that are marked in the AD DS schema to be included in the partial attributeset (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to beused for searches. These attributes are replicated to every global catalog server in an AD DS forest." "Theattributes that are replicated to the global catalog by default include a base set that have been defined byMicrosoft as the attributes that are most likely to be used in searches. Administrators can use the MicrosoftManagement Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet theneeds of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to

the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets thevalue of the isMemberOfPartialAttributeSet attribute to TRUE.

QUESTION 14Your network contains a single Active Directory domain. The domain contains an enterprise certificationauthority (CA).

You need to ensure that the encryption keys for e-mail certificates can be recovered from the CA database.

You modify the e-mail certificate template to support key archival.


A. Issue the key recovery agent certificate template.B. Run certutil.exe -recoverkey.C. Run certreq.exe-policy.D. Modify the location of the Authority Information Access (AIA) distribution point.




"A Composite Solution With Just One Click" - Certification Guaranteed 225 Microsoft 70-640 : Practice TestIdentify a Key Recovery Agent

A key recovery agent is a person who is authorized to recover a certificate on behalf of an end user. Becausethe role of key recovery agents can involve sensitive data, only highly trusted individuals should be assigned tothis role.

To identify a key recovery agent, you must configure the Key Recovery Agent certificate template to allow theperson assigned to this role to enroll for a key recovery agent certificate.

QUESTION 15Your network contains an Active Directory-integrated DNS zone named contoso.com.

You discover that the zone includes DNS records for computers that were removed from the network.

You need to ensure that the DNS records are deleted automatically from the zone.

What should you do?

A. From DNS Manager, set the aging properties.B. Create a scheduled task that runs dnslint.exe /v /d contoso.com.C. From DNS Manager, modify the refresh interval of the start of authority (SOA) record.D. Create a scheduled task that runs ipconfig.exe /flushdns.




Set Aging and Scavenging Properties for the DNS Server

The DNS Server service supports aging and scavenging features. These features are provided as amechanism for performing cleanup and removal of stale resource records, which can accumulate in zone dataover time. You can use this procedure to set the default aging and scavenging properties for the zones on aserver.

To set aging and scavenging properties for the DNS server using the Windows interface


"A Composite Solution With Just One Click" - Certification Guaranteed 226 Microsoft 70-640 : Practice Test2. In the console tree, right-click the applicable DNS server, and then click Set Aging/Scavenging for all zones.

3. Select the Scavenge stale resource records check box.

4. Modify other aging and scavenging properties as needed.


You run the following command on the domain controller:

dsamain.exe C dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit C ldapport 389 -

allowNonAdminAccess

The command fails. You need to ensure that the command completes successfully.

How should you modify the command?

A. Change the value of the -dbpath parameter.B. Include the path to Dsamain.C. Change the value of the -ldapport parameter.D. Remove the CallowNonAdminAccess parameter.




Use the AD DS database mounting tool to load the snapshot as an LDAP server.

dsamain -dbpath c:\$SNAP_datetime_VOLUMEC$\windows\ntds\ntds.dit -ldapport

portnumber

Be sure to use ALL CAPS for the -dbpath value and use any number beyond 40,000 for the -ldapport value toensure that you do not conflict with AD DS.

Also note that you can use the minus () sign or the slash (/) for the options in the


command.

QUESTION 17Your network contains an Active Directory domain. The domain contains 10 domain controllers that runWindows Server 2008 R2.

You need to monitor the following information on the domain controllers during the next five days:

Memory usageProcessor usageThe number of LDAP queries

What should you do?

A. Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template.B. Use the System Performance Data Collector Set (DCS).C. Create a User Defined Data Collector Set (DCS) that uses the System Performance template.D. Use the Active Directory Diagnostics Data Collector Set (DCS).



The System Performance Data Collector Set/System Performance template does not monitor Active Directorydata (we need the number of LDAP queries). That leaves out answersB ("Use the System Performance Data Collector Set (DCS)") and C ("Create a User Defined Data Collector Set(DCS) that uses the System Performance template").Because the Active Directory Diagnostics Data Collector Set (DCS) runs only for 5 minutes and we need tomonitor for 5 days we have to use a User Defined Data Collector Set (DCS) that uses the Active DirectoryDiagnostics template. For a User Defined Data Collector Set we can set the monitoring duration in seconds,minutes, hours, days or weeks.So we have to create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnosticstemplate.

"A Composite Solution With Just One Click" - Certification Guaranteed 228 Microsoft 70-640 : Practice TestReference:

http://blogs.technet.com/b/askds/archive/2010/06/08/son-of-spa-ad-data-collector-sets-in- win2008-andbeyond.aspx

AD Data Collector Sets in Win2008 and beyond

The Active Directory Diagnostics data collector set runs for a default of 5 minutes. This duration period cannotbe modified for the built-in collector. However, the collection can be stopped manually by clicking the Stopbutton or from the command line. If reducing or increasing the time that a data collector set runs is required,and manually stopping the collection is not desirable, then see How to Create a User Defined Data CollectionSet.


Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC)namedRODC1.

You need to view the most recent user accounts authenticated by RODC1.


A. From Active Directory Sites and Services, right-click the Connection object for DC1, and then click ReplicateNow.

B. From Active Directory Sites and Services, right-click the Connection object for DC2, and then click ReplicateNow.

C. From Active Directory Users and Computers, right-click contoso.com, click Change DomainController, andthen connect to DC1.

D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, andthen connect to RODC1.



http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-passwordreplication-policy.aspx#BKMK_Auth2

"A Composite Solution With Just One Click" - Certification Guaranteed 229 Microsoft 70-640 : Practice TestTo view authenticated accounts using Active Directory Users and Computers

1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start.

In Start Search, type dsa.msc, and then press ENTER.

2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correctdomain. To connect to the appropriate domain or domain controller, in the details pane, right-click the ActiveDirectory Users and Computers object, and then click Change Domain or Change Domain Controller,respectively.

3. Click Domain Controllers.

4. In the details pane, right-click the RODC computer account, and then click Properties.

5. Click the Password Replication Policy tab.

6. Click Advanced.

7. In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller, asshown in the following illustration.

QUESTION 19Your network contains an Active Directory domain. The domain contains 3,000 client computers. All of the clientcomputers run Windows 7. Users log on to their client computers by using standard user accounts.

You plan to deploy a new application named App1.

The vendor of App1 provides a Setup.exe file to install App1. Setup.exe requires administrative rights to run.

You need to deploy App1 to all client computers. The solution must meet the following requirements:

App1 must automatically detect and replace corrupt application files. App1 must be available from the Startmenu on each client computer.



A. Create a logon script that calls Setup.exe for App1.B. Create a .zap file.C. Create a startup script that calls Setup.exe for App1.D. Repackage App1 as a Windows Installer package.




Windows Installer features Diagnoses and repairs corrupted applications--An application can query WindowsInstaller to determine whether an installed application has missing or corrupted files. If any are detected,Windows Installer repairs the application by recopying only those files found to be missing or corrupted.

QUESTION 20Your network contains an Active Directory domain named contoso.com. Contoso.com contains two sitesnamed Site1 and Site2. Site1 contains a domain controller named DC1.

In Site1, you install a new domain controller named DC2. You ship DC2 to Site2.

You discover that certain users in Site2 authenticate to DC1.

You need to ensure that the users in Site2 always attempt to authenticate to DC2 first.

What should you do?

A. From Active Directory Users and Computers, modify the Location settings of the DC2 computer object.B. From Active Directory Sites and Services, modify the Location attribute for Site2.C. From Active Directory Sites and Services, move the DC2 server object.D. From Active Directory Users and Computers, move the DC2 computer object.



DC2 may be shipped to Site2, but it's not yet associated properly with Site2 in Active Directory.


Reference1:http://technet.microsoft.com/en-us/library/cc816674.aspx To move a server object to a new site1. Open Active Directory Sites and Services.2. In the console tree, expand Sites and the site in which the server object resides.3. Expand Servers to display the domain controllers that are currently configured for that site.4. Right-click the server object that you want to move, and then click Move.5. In Site Name, click the destination site, and then click OK.6. Expand the site object to which you moved the server, and then expand the Servers container.7. Verify that an object for the server that you moved exists.8. Expand the server object, and verify that an NTDS Settings object exists.

Reference2:http://technet.microsoft.com/en-us/library/cc754697.aspx Using sitesSites help facilitate several activities, including:(...)Authentication. Site information helps make authentication faster and more efficient. When a client logs on to adomain, it first requests a domain controller in its local site for authentication. By establishing sites, you canensure that clients use domain controllers that are nearest to them for authentication, which reducesauthentication latency and traffic on wide area network (WAN) connections.


Contoso.com contains a server named Server2.

You open the System properties on Server2 as shown in the exhibit. (Click the Exhibit button.)


When you attempt to configure Server2 as an enterprise subordinate certification authority (CA), you discoverthat the enterprise subordinate CA option is unavailable.

You need to configure Server2 as an enterprise subordinate CA.


A. Upgrade Server2 to Windows Server 2008 R2 Enterprise.B. Log in as an administrator and run Server Manager.

C. Import the root CA certificate.D. Join Server2 to the domain.



http://social.technet.microsoft.com/Forums/nl-BE/winserversecurity/thread/1a1172c6-abdb- 4c5a-8a7cea254de5dada

QUESTION 22"A Composite Solution With Just One Click" - Certification Guaranteed 233 Microsoft 70-640 : Practice TestYour network contains an Active Directory domain. The domain contains an enterprise certification authority(CA).

You need to ensure that only members of a group named Admin1 can create certificate templates.

Which tool should you use to assign permissions to Admin1?

A. the Certification Authority consoleB. Active Directory Users and ComputersC. the Certificates snap-inD. Active Directory Sites and Services



We need to use Active Directory Sites and Services to assign permissions to create certificate templates toglobal or universal groups. The first reference lists what needs to be done, the second reference explains howto do it.

Reference 1:http://technet.microsoft.com/en-us/library/cc725621.aspx Delegating Template ManagementYou can delegate the ability to manage individual certificate templates or to create any certificate templates bydefining appropriate permissions to global groups or universal groups that a user belongs to.There are three levels of delegation for certificate template administration:Modify existing templatesCreate new templates (by duplicating existing templates) Full delegation (including modifying all existingtemplates and creating new ones) Create New Templates

To delegate the ability to create certificate templates to users who are not members of the Domain Adminsgroup in the forest root domain, or members of the Enterprise Admins group, it is necessary to define theappropriate permissions in the Configuration naming context of AD DS.To delegate the ability to duplicate and create new certificate templates, you must make the followingpermission assignments to a global or universal group of which the user is a member:Grant Create All Child Objects permission on the following container: CN=Certificate Templates,CN=PublicKey Services,CN=Services,CN=Configuration,DC=ForestRoot. Grant Full Control permission to everycertificate template in the following container:

"A Composite Solution With Just One Click" - Certification Guaranteed 234 Microsoft 70-640 : Practice TestCN=Certificate

Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot. The permissionsassigned to the Certificate Templates container are not inherited by the individual certificate templates.Grant Create All Child Objects permission on the following container: CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot container.Reference 2:Windows Server 2008 - PKI and Certificate Security (Microsoft Press, 2008) page 298 Delegate Permissionsfor Creation of New Templates You can delegate the permission to create new templates by assigningpermissions to a custom universal group for the CN=Certificate Templates,CN=Public KeyServices,CN=Services,CN=Configuration,ForestRootDomain container.

1. Log on as a member of the Enterprise Admins group or the forest root domain Domain Admins group.2. Open the Active Directory Sites And Services console.3. From the View menu, ensure that the Show Services Node setting is enabled.4. In the console tree, expand Services, expand Public Key Services, and then click Certificate Templates.5. In the console tree, right-click Certificate Templates, and then click Delegate Control.6. In the Delegation Of Control wizard, click Next.7. On the Users Or Groups page, click Add.8. In the Select Users, Computers, Or Groups dialog box, type a user or group name, and then click OK.9. On the Users Or Groups page, click Next.10.On the Tasks To Delegate page, click Create A Custom Task To Delegate, and then click Next.11.On the Active Directory Object Type page, click This Folder, Existing Objects In This Folder, and CreationOfNew Objects In This Folder, and then click Next. 12.On the Permissions page, in the Permissions list, enableFull Control, and then click Next.13.On the Completing The Delegation Of Control wizard page, click Finish.

QUESTION 23Your network contains an Active Directory domain. All DNS servers are domain controllers. You view theproperties of the DNS zone as shown in the exhibit. (Click the Exhibit button.)


You need to ensure that only domain members can register DNS records in the zone.


A. Modify the zone type.B. Create a trust anchor.C. Modify the Advanced properties of the DNS server.D. Modify the Dynamic updates setting.



To ensure that only domain members are allowed to register DNS records we have to:1. modify the zone type to Active Directory-Integrated.2. set the Dynamic updates option to Secure only, which is only available to Active


Directory-Integrated zones.Reference 1:MCTS Windows Server ® 2008 Active Directory Configuration Study Guide (Sybex, 2008) page 53Secure only--This means that only machines with accounts in Active Directory can register with DNS.Before DNS registers any account in its database, it checks Active Directory to make sure that account is anauthorized domain computer.

Reference 2:http://technet.microsoft.com/en-us/library/ee649287.aspx Secure dynamic update is supported only for ActiveDirectory-integrated zones. If the zone type is configured differently, you must change the zone type anddirectory-integrate the zone before securing it for DNS dynamic updates.

QUESTION 24Your company has a single Active Directory forest with a single domain. Consultants in different departments ofthe company require access to different network resources. The consultants belong to a global group namedTempWorkers. Three file servers are placed in a new organizational unit named SecureServers. The fileservers contain confidential data in shared folders.

You need to prevent the consultants from accessing the confidential data.

What should you do?

A. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign theDeny access to this computer from the network user right to the TempWorkers global group.

B. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny access to this computerfrom the network user right to the TempWorkers global group.

C. On the three file servers, create a share on the root of each hard disk. Configure the Deny Full controlpermission for the TempWorkers global group on the share.

D. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny log on locally user rightto the TempWorkers global group.

E. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign theDeny log on locally user right to the TempWorkers global group."A Composite Solution With Just One Click" - Certification Guaranteed 237 Microsoft 70-640 : Practice Test



QUESTION 25Your network contains two Active Directory forests named contoso.com and nwtraders.com. The functionallevel of both forests is Windows Server 2003. Contoso.com contains one domain. Nwtraders.com contains twodomains.

You need to ensure that users in contoso.com can access the resources in all domains. The solution mustrequire the minimum number of trusts.

Which type of trust should you create?

A. externalB. forestC. realmD. shortcut




When to create a forest trust

You can create a forest trust between forest root domains if the forest functional level is Windows Server 2003or higher. Creating a forest trust between two root domains with a forest functional level of Windows Server2003 or higher provides a one-way or two-way, transitive trust relationship between every domain in eachforest. Forest trusts are useful for application service providers, organizations undergoing mergers oracquisitions, collaborative business extranets, and organizations seeking a solution for administrativeautonomy.

QUESTION 26You install an Active Directory domain in a test environment.

You need to reset the passwords of all the user accounts in the domain from a domain

"A Composite Solution With Just One Click" - Certification Guaranteed 238 Microsoft 70-640 : Practice Testcontroller.

Which two Windows PowerShell commands should you run? (Each correct answer presents part of thesolution, choose two.)

A. $ newPassword = *B. Import-Module ActiveDirectoryC. Import-Module WebAdministrationD. Get- AdUser -filter * | Set- ADAccountPossword - NewPassword $ newPassword - ResetE. Set- ADAccountPossword - NewPassword - ResetF. $ newPassword = (Read-Host - Prompt "New Password" - AsSecureString )G. Import-Module ServerManager

Correct Answer: DFSection: (none)Explanation


First we create a variable, $newPassword, and prompt the user for the password to assign it to the variable.Next we use Get-ADUser -filter * to collect all user accounts and pipe it through to SetADAccountPassword toassign the $newPassword variable to every account's new password.Note that Set- ADAccountPossword must be a typo.Reference 1:http://technet.microsoft.com/en-us/library/ee176935.aspx

Prompting a User to Enter InformationThe Read-Host cmdlet enables you to interactively prompt a user for information. For example, this commandprompts the user to enter his or her name, then stores that name in the variable $Name (to answer the prompt,type a name and then press ENTER):$Name = Read-Host "Please enter your name"Reference 2:http://technet.microsoft.com/en-us/library/ee617241.aspx Get-ADUser Gets one or more Active Directory users.Reference 3:

http://technet.microsoft.com/en-us/library/ee617261.aspx Set-ADAccountPassword Modifies the password ofan Active Directory account.ParametersNewPasswordSpecifies a new password value.Reset


Specifies to reset the password on an account. When you use this parameter, you must set the NewPasswordparameter. You do not need to specify the OldPassword parameter.

QUESTION 27Your network contains two forests named adatum.com and litwareinc.com. The functional level of all thedomains is Windows Server 2003. The functional level of both forests is Windows 2000.

You need to create a forest trust between adatum.com and litwareinc.com.


A. Create an external trust.B. Raise the functional level of both forests.C. Configure SID filtering.D. Raise the functional level of all the domains.




When to create a forest trust

You can create a forest trust between forest root domains if the forest functional level is Windows Server 2003or higher.

QUESTION 28Your network contains an Active Directory forest named adatum.com.

All client computers used by the marketing department are in an organizational unit (OU) named MarketingComputers. All user accounts for the marketing department are in an OU named Marketing Users.

"A Composite Solution With Just One Click" - Certification Guaranteed 240 Microsoft 70-640 : Practice TestYou purchase a new application.

You need to ensure that every user in the domain who logs on to a marketing department computer can use theapplication. The application must only be available from the marketing department computers.

What should you do?

A. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to ashared folder on the network. Assign the application.

B. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation packageto a shared folder on the network. Assign the application.

C. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation packageto a local drive on each marketing department computer. Publish the application.

D. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to afolder on each marketing department computer. Publish the application.


Explanation


The software must only be available on the marketing department computers, so we must link the GPO to theMarketing Computers OU. Next we need to assign the application to the Marketing Computers OU.Reference:


Assigning Software to Computers

When you assign software to computers, it is available to all authenticated users of the computer, regardless oftheir group membership or privileges. The software package is installed when the computer is next restartedafter the package has been assigned. For example, suppose that you have a design application that should beavailable on all computers in the Engineering OU but not to computers elsewhere on your network. You wouldassign this application to computers in a Group Policy object (GPO) linked to the Engineering OU.



You need to create an Active Directory Rights Management Services (AD RMS) licensing- only cluster.

What should you install before you create the AD RMS root cluster?

A. The Failover Cluster featureB. The Active Directory Certificate Services (AD CS) roleC. Microsoft Exchange Server 2010D. Microsoft SharePoint Server 2010E. Microsoft SQL Server 2008

Correct Answer: ESection: (none)Explanation



Before you install AD RMS

Before you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 forthe first time, there are several requirements that must be met:

(...)

In addition to pre-installation requirements for AD RMS, we strongly recommend the following:

Install the database server that is used to host the AD RMS databases on a separate computer.

(...)

QUESTION 30

Your network contains an Active Directory domain named contoso.com. The contoso.com domain contains adomain controller named DC1.

You create an Active Directory-integrated GlobalNames zone. You add an alias (CNAME) resource recordnamed Server1 to the zone. The target host of the record is server2.contoso.com.

"A Composite Solution With Just One Click" - Certification Guaranteed 242 Microsoft 70-640 : Practice TestWhen you ping Server1, you discover that the name fails to resolve. You are able to successfully pingserver2.contoso.com.

You need to ensure that you can resolve names by using the GlobalNames zone.


A. Dnscmd DCl.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /domainB. Dnscmd DCl.contoso.com /config /Enableglobalnamessupport forestC. Dnscmd DCl.contoso.com /config /Enableglobalnamessupport 1D. Dnscmd DCl.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /forest



Support for Globalnames must be enabled, otherwise the DNS Server service does not resolve single-labelnames in the GlobalNames zone.Reference:


dnscmd /config Changes values in the registry for the DNS server and individual zones. Accepts server-levelsettings and zone-level settings.

Parameter

/enableglobalnamessupport {0|1}

Enables or disables support for the GlobalNames zone. The GlobalNames zone supports resolution ofsinglelabel

DNS names across a forest.Disables support for the GlobalNames zone. When you set the value of this command to 0, the DNS Serverservice does not resolve single-label names in the GlobalNames zone. Enables support for the GlobalNameszone. When you set the value of this command to 1, the DNS Server service resolves single-label names in theGlobalNames zone.



The network has a branch office site that contains a read-only domain controller (RODC) named RODC1.

RODC1 runs Windows Server 2008 R2.

A user logs on to a computer in the branch office site.

You discover that the user's password is not stored on RODC1.

You need to ensure that the user's password is stored on RODC1 when he logs on to a branch office sitecomputer.

What should you do?

A. Modify the RODC s password replication policy by removing the entry for the Allowed RODC PasswordReplication Group.

B. Modify the RODC's password replication policy by adding RODC1's computer account to the list of allowedusers, groups, and computers.

C. Add the user's user account to the built-in Allowed RODC Password Replication Group on RODC1.D. Add RODC1's computer account to the built-in Allowed RODC Password Replication Group on RODC1.



MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 416-417

Password Replication Policy

Password Replication Policy (PRP) determines which users' credentials can be cached on a specific RODC. IfPRP allows an RODC to cache a user's credentials, authentication and service ticket activities of that user canbe processed by the RODC. If a user's credentials cannot be cached on an RODC, authentication and serviceticket activities are referred by the RODC to a writable domain controller.

An RODC's PRP is determined by two multivalued attributes of the RODC's computer account. These attributesare commonly known as the Allowed List and the Denied List. If a user's account is on the Allowed List, theuser's credentials are cached. You can include

"A Composite Solution With Just One Click" - Certification Guaranteed 244 Microsoft 70-640 : Practice Testgroups on the Allowed List, in which case all users who belong to the group can have their credentials cachedon the RODC. If the user is on both the Allowed List and the Denied List, the user's credentials will not becached--the Denied List takes precedence.

Configuring Domain-Wide Password Replication Policy

To facilitate the management of PRP, Windows Server 2008 R2 creates two domain local security groups in theUsers container of Active Directory. The first group, Allowed RODC Password Replication Group, is added tothe Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a newRODC will not cache any user's credentials. If you have users whose credentials you want to be cached by alldomain RODCs, add those users to the Allowed RODC Password Replication Group.

QUESTION 32You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a servernamedServer1.

You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS.

Which protocol should you allow on Server1?

A. KerberosB. SSLC. SMB

D. RPC




AD FS relies on secure HTTP communications by using SSL authentication certificates to verify the identity ofboth the server and the client during communications. Because of this, all communications occur through port443 over HTTPS.


QUESTION 33Your network contains an Active Directory domain named contoso.com. Contoso.com contains a memberserver that runs Windows Server 2008 R2 Standard.

You need to create an enterprise subordinate certification authority (CA) that can issue certificates based onversion 3 certificate templates.



A. Run the certutil.exe - addenrollmentserver command.B. Install the Active Directory Certificate Services (AD CS) role on the member server.C. Upgrade the member server to Windows Server 2008 R2 Enterprise.D. Run the certutil.exe - installdefaulttemplates command.



QUESTION 34Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS)server role is installed on Server1.

An administrator changes the password of the user account that is used by AD RMS. You need to update ADRMS to use the new password.


A. Active Directory Rights Management ServicesB. Active Directory Users and ComputersC. Local Users and GroupsD. Services



http://social.technet.microsoft.com/wiki/contents/articles/13034.ad-rms-how-to-change-the- rms-serviceaccount-password.aspx

"A Composite Solution With Just One Click" - Certification Guaranteed 246 Microsoft 70-640 : Practice TestAD RMS How To: Change the RMS Service Account Password

The Active Directory Rights Management Services management console provides a wizard to change orupdate the AD RMS service account. The most common use for this process is to update the service accountpassword when it has been changed.

It is important to use this process to update or change the AD RMS service account. This ensures thenecessary components are updated properly.

QUESTION 35Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link.

Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.

The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standardprimary zone.

You install a new domain controller named DC2 in the branch office. You install DNS on DC2.

You need to ensure that the DNS service can update records and resolve DNS queries in the event that aWANlink fails.

What should you do?

A. Create a new secondary zone named ad.contoso.com on DC2.B. Create a new stub zone named ad.contoso.com on DC2.C. Configure the DNS server on DC2 to forward requests to DC1.D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.



Three answers don't make sense, leaving us with the one that works. Create a new secondary zone namedad.contoso.com on DC2.


This would create a read-only zone, so it couldn't be updated Create a new stub zone named ad.contoso.comon DC2. This stub zone would contain source information about authoritative name servers for its zone only,being DC1, but that one would be unavailable in the WAN link fails. Configure the DNS server on DC2 toforward requests to DC1. This doesn't help if the WAN link fails and DC1 is unavailable.

QUESTION 36Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted File

System (EFS) certificates.

You need to archive the private key for all new EFS certificates.

Which snap-in should you use?

A. Active Directory Users and ComputersB. Authorization ManagerC. Group Policy ManagementD. Enterprise PKIE. Security TemplatesF. TPM ManagementG. CertificatesH. Certification AuthorityI. Certificate Templates

Correct Answer: ISection: (none)Explanation



Configure a Certificate Template for Key Archival

The key archival process takes place when a certificate is issued. Therefore, a certificate template must bemodified to archive keys before any certificates are issued based on this template.

"A Composite Solution With Just One Click" - Certification Guaranteed 248 Microsoft 70-640 : Practice TestKey archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate templatein order to protect users from data loss, but it can also be useful when applied to other types of certificates.

To configure a certificate template for key archival and recovery


2. In the details pane, right-click the certificate template that you want to change, and then click DuplicateTemplate.

3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certificationauthorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008, Windows7, or Windows Vista.

4. In Template, type a new template display name, and then modify any other optional properties as needed.

5. On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to, andthen click OK.

6. Under Group or user names, select the user or group names that you just added. Under Permissions, selectthe Read and Enroll check boxes, and if you want to automatically issue the certificate, also select theAutoenroll check box.

7. On the Request Handling tab, select the Archive subject's encryption private key check box.

Original explanation:

http://technet.microsoft.com/en-us/library/cc730721


http://technet.microsoft.com/en-us/library/cc730721


You need to ensure that all of the members of a group named Group1 can view the event log entries forCertificate Services.

"A Composite Solution With Just One Click" - Certification Guaranteed 249 Microsoft 70-640 : Practice TestWhich snap-in should you use?

A. Certificate TemplatesB. Certification AuthorityC. Authorization ManagerD. Active Directory Users and ComputersE. TPM ManagementF. Security TemplatesG. Group Policy ManagementH. Enterprise PKII. Certificates

Correct Answer: GSection: (none)Explanation

Explanation/Reference:Explanation:We can make the Group1 group a member of the Event Log Readers Group, giving them read access to allevent logs, thus including the Certificate Services events. We can do that by using Group Policy Management.

Reference 1:It's a bit hard to find some good, clear reference for this. There's nothing wrong with doing it yourself, so here'swhat I did in VMWare, using a domain controller and a member server.Click along if you want!

In VMWare I have setup a domain controller, DC01 and a member server MEM01, both belonging to thecontoso.com domain. I have placed MEM01 in an OU named Events. I have created a global security group,named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM01.

Start the Group Policy Management console on DC01. Right-click the Events OU and choose "Create a GPO inthis domain, and Link it here..."I named the GPO "EventLog_TESTGROUP"Right-click the "EventLog_TESTGROUP" GPO and choose "Edit..." Go to Computer Configuration \ Policies\Windows Settings \ Security Settings and select "Restricted Groups"Right-click "Restricted Groups" and choose "Add Group..." Now there are two ways to do this. We can selectTESTGROUP and make it a member of the Event Log Readers group, or we can select the Event Log Readersgroup and add TESTGROUP as a member. Let's do the second one. Click the Browse button and go find theEvent Log Readers group. Click OK. Click the Browse button next to "Members of this group", search for theTESTGROUP group and add it.

It should look like this now:



Click OK.On MEM01 open a command prompt and run gpupdate /force. Check the Event Log Readers group propertiesand see that the TESTGROUP group is now a member.

Reference 2:

"A Composite Solution With Just One Click" - Certification Guaranteed 252 Microsoft 70-640 : Practice Testhttp://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators- permission-to-read-event-logs-windows-2003-and-windows-2008.aspx

Giving Non Administrators permission to read Event Logs Windows 2003 and Windows So if you want to giveNon-Administrator users access remotely to Event logs if the Servers or Domain Controllers they are accessingare Windows 2003 follow the steps below.

(...)

Windows 2008 is much easier as long as you are giving the users and groups in question read access to allevent logs. If that is the case just add them to the Built in Event Log Readers group.


You need to ensure that users can enroll for certificates that use the IPSEC (Offline request) certificatetemplate


A. Enterprise PKIB. TPM ManagementC. CertificatesD. Active Directory Users and ComputersE. Authorization ManagerF. Certification AuthorityG. Group Policy ManagementH. Security TemplatesI. Certificate Templates

Correct Answer: ISection: (none)Explanation


http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/962be5d1-d824- 4dd8-a501-3c3a9d600083

"A Composite Solution With Just One Click" - Certification Guaranteed 253 Microsoft 70-640 : Practice TestThe user should have proper permission on Certificate Templates. Please follow the steps below fortroubleshooting:

1. Open MMC, add Certificate Templates snap-in.

2. Double-click IPSec (Offline Request), switch to Security tab, give the user Read and Enroll rights.

3. Close and restart IE on clients computer to test.


You have a custom certificate template named Template 1. Template1 is published to the CA.

You need to ensure that all of the members of a group named Group1 can enroll for certificates that useTemplate1.


A. Security TemplatesB. Enterprise PKIC. Certification AuthorityD. Certificate TemplatesE. CertificatesF. TPM ManagementG. Authorization Manager

H. Group Policy ManagementI. Active Directory Users and Computers




Configuring Certificate Templates

"A Composite Solution With Just One Click" - Certification Guaranteed 254 Microsoft 70-640 : Practice TestAD CS provides the Certificate Templates snap-in (Certtmpl.msc), which provides the following capabilities:

(...)

Configuring access control lists (ACLs) on certificate templates


You need to approve a pending certificate request.


A. Active Directory Users and ComputersB. Authorization ManagerC. Certification AuthorityD. Group Policy ManagementE. Certificate TemplatesF. TPM ManagementG. CertificatesH. Enterprise PKII. Security Templates



http://technet.microsoft.com/de-de/library/ff849263.aspx

To issue a pending certificate request:

1. Log on to your root CA by using an account that is a certificate manager.

2. Start the Certification Authority snap-in.

3. In the console tree, expand your root CA, and click Pending Certificates.

4. In the details pane, right-click the pending CA certificate, and click Issue.


QUESTION 41Your network contains an Active Directory domain. The domain contains a domain controller named DC1 thatruns windows Server 2008 R2 Service Pack 1 (SP1).

You need to implement a central store for domain policy templates.

What should you do?

To answer, select the source content that should be copied to the destination folder in the answer area.

A.B.C.D.



QUESTION 42Your network contains an Active Directory forest named contoso.com.

You plan to migrate all user accounts to a new forest named litwareinc.com.

The functional level of the contoso.com forest is Windows Server 2003. Contoso.com contains four servers.


The functional level of the litwareinc.com forest is Windows Server 2008. Litwareinc.com contains four servers.


You need to identify on which server in the litwareinc.com forest you must install Active Directory Migration Toolversion 3.2 (ADMT v3.2).

Which server should you identify?

A. Litw_Srv4B. Litw_Srv1C. Litw_Srv2D. Litw_Srv3




"A Composite Solution With Just One Click" - Certification Guaranteed 257 Microsoft 70-640 : Practice TestPrerequisites for installing ADMT v3.2

Although you can use ADMT v3.2 to migrate accounts and resources from Active Directory environments thathave a domain functional level of Windows Server 2003 or later, you can install ADMT v3.2 only on a serverrunning Windows Server 2008 R2.

In addition to running Windows Server 2008 R2, the server computer that you use to install ADMT v3.2 must

not be installed under the Server Core installation option or be running as a read-only domain controller(RODC).


The password policy for the domain is configured as shown in the Current Policy exhibit, (Click the Exhibitbutton.)

You change the password policy for the domain as shown in the New Policy exhibit. (Click the Exhibit button.)

You need to provide users with examples of a valid password.

Which password examples should you provide to the users? (Each correct answer presents a completesolution. Choose three.)

A. 123456!@#$%^B. !@#$1234ABCDC. passwordl234D. 1-2-3-4-5-a-b-c-e

E. %%PASS1234%%F. 111111aaaaaaa

Correct Answer: BDESection: (none)Explanation



Passwords must meet complexity requirements

This security setting determines whether passwords must meet complexity requirements. Complexityrequirements are enforced when passwords are changed or created.

If this policy is enabled, passwords must meet the following minimum requirements when they are changed orcreated:

1. Passwords must not contain the user's entire samAccountName (Account Name) value or entiredisplayName (Full Name) value.

2. Passwords must contain characters from three of the following five categories:

Uppercase characters of European languages (A through Z, with diacritic marks, Greek

"A Composite Solution With Just One Click" - Certification Guaranteed 259 Microsoft 70-640 : Practice Testand Cyrillic characters)

Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrilliccharacters)

Base 10 digits (0 through 9)

Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/ Any Unicode character that is categorized as analphabetic character but is not uppercase or lowercase.

This includes Unicode characters from Asian languages.


The Active Directory sites are configured as shown in the Sites exhibit. (Click the Exhibit button.)

You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes between thesites.

What should you do?

A. Configure DC1 as a preferred bridgehead server for IP transport.B. Configure DC4 as a preferred bridgehead server for IP transport.C. From the DC4 server object, create a Connection object for DC1.

"A Composite Solution With Just One Click" - Certification Guaranteed 260 Microsoft 70-640 : Practice TestD. From the DC1 server object, create a Connection object for DC4.




Bridgehead Servers



However, you can use Active Directory Sites and Services to specify which domain controller will be thepreferred bridgehead server by using the following steps:



3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you wantto designate this server as a preferred bridgehead server and then click add.

QUESTION 45Your network contains an Active Directory forest named contoso.com. The functional level of the forest isWindows Server 2008 R2. The forest contains a single domain.

You need to ensure that objects can be restored from the Active Directory Recycle Bin.


A. NtdsutilB. Set-ADDomainC. DsamainD. Enable-ADOptionalFeature



Similar question to question E/Q28Reference:



After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable ActiveDirectory Recycle Bin by using the following methods:


Ldp.exe

QUESTION 46Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click theExhibit button.)

Users in the Finance organizational unit (OU) frequently log on to client computers in the Human ResourcesOU.

You need to meet the following requirements:

All of the user settings in the Group Policy objects (GPOs) linked to both the Finance OU and the HumanResources OU must be applied to finance users when they log on to client computers in the Engineering OU.Only the policy settings in the GPOs linked to the Finance OU must be applied to finance users when they logon to client computers in the Finance OU. Policy settings in the GPOs linked to the Finance OU must not beapplied to users in the Human Resources OU.

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Finance OU.J. Link the GPO to the Human Resources OU.



Very similar question to K/Q11.We have to use loopback processing in merge mode if we want all User Configuration settings from the GPO'sthat are linked to the Sales OU and the Engineering OU to be applied.Reference 1:http://technet.microsoft.com/en-us/library/cc782810.aspx

Loopback processing with merge or replaceSetting loopback causes the User Configuration settings in GPOs that apply to the computer to be applied toevery user logging on to that computer, instead of (in replace mode) or in addition to (in merge mode) the UserConfiguration settings of the user. This


allows you to ensure that a consistent set of policies is applied to any user logging on to a particular computer,regardless of their location in Active Directory. Loopback can be set to Not Configured, Enabled, or Disabled. Inthe Enabled state, loopback can be set to Merge or Replace. In either case the user only receives user-relatedpolicy settings.Loopback with Replace--In the case of Loopback with Replace, the GPO list for the user is replaced in itsentirety by the GPO list that is already obtained for the computer at computer startup (during step 2 in GroupPolicy processing and precedence). The User Configuration settings from this list are applied to the user.

Loopback with Merge--In the case of Loopback with Merge, the Group Policy object list is a concatenation. Thedefault list of GPOs for the user object is obtained, as normal, but then the list of GPOs for the computer(obtained during computer startup) is appended to this list. Because the computer's GPOs are processed afterthe user's GPOs, they have precedence if any of the settings conflict.

Reference 2:http://kudratsapaev.blogspot.in/2009/07/loopback-processing-of-group-policy.html

For a clear and easy explanation of Loopback Processing. Recommended! Reference 3:Windows Server 2008 R2 Unleashed (SAMS, 2010) page 1028

Loopback ProcessingWhen a user is processing domain policies, the policies that apply to that user are based on the location of theuser object in the Active Directory hierarchy. The same goes for domain policy application for computers. Thereare situations, however, when administrators or organizations want to ensure that all users get the same policywhen logging on to a particular computer or server. For example, on a computer that is used for training or on aRemote Desktop Session Host, also known as a Terminal Server, when the user desktop environment must bethe same for each user, this can be controlled by enabling loopback processing in Replace mode on a policythat is applied to the computer objects.

To explain a bit further, if a domain policy has the loopback settings enabled and set to Replace mode, anysettings defined within that policy in the User Configuration node are applied to all users who log on to thecomputer this particular policy is applied to. When loopback processing is enabled and configured in Mergemode on a policy applied to a computer object and a user logs on, all of the user policies are applied and thenall of the user settings within the policy applied to the computer object are also applied to the user.


This ensures that in either Replace or Merge mode, loopback processing applies the settings contained in thecomputer-linked policies last.

QUESTION 47Your network contains an Active Directory forest named contoso.com. The forest contains four computers. Thecomputers are configured as shown in the following table.

An administrator creates a script that contains the following commands:

You need to identity which computers can successfully run all of the commands in the script.

Which two computers should you identify? (Each correct answer presents part of the solution. Choose two.)

A. Computer1B. Server1C. Computer2D. Server2




Original answer was B, D ("Server1", "Server2"). According to Technet the "Auditpol /resourceSACL" commandapplies only to Windows 7 and WindowsServer 2008 R2 (and I suppose Windows 8 and Windows Server 2012), so the answer should be Computer2and Server2Reference:


Auditpol resourceSACL

Applies only to Windows 7 and Windows Server 2008 R2.

QUESTION 48Your network contains an Active Directory domain. The domain is configured as shown in the exhibit, (Click theExhibit button.)

You need to ensure that when users log on to client computers, they are added automatically to the localAdministrators group. The users must be removed from the group when they log off of the client computers.

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the Group Policy object (GPO) to the Finance organizational unit (OU).J. Link the Group Policy object (GPO) to the Human Resources organizational unit (OU).

Correct Answer: HSection: (none)Explanation


http://daniel.streefkerkonline.com/managing-local-admins-using-gpp/

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local- administrator-groups/

QUESTION 49Your company plans to open a new branch office.

The new office will have a low-speed connection to the Internet.You plan to deploy a read-only domain controller (RODC) in the branch office.

You need to create an offline copy of the Active Directory database that can be used to install the Active

Directory on the new RODC.

Which commands should you run from Ntdsutil?

To answer, move the appropriate actions from the list of actions to the answer area and arrange them in thecorrect order.

A.B.C.D.




You need to use Group Policies to deploy the applications shown in the following table.

What should you do?

To answer, drag the appropriate deployment method to the correct application in the answer area.

A.B.C.D.



QUESTION 51

Your network contains an Active Directory domain named adatum.com.

You need to ensure that IP addresses can be resolved to fully qualified domain names

Under which node in the DNS snap-in should you add a zone?

A. Reverse Lookup ZonesB. adatum.comC. Forward Lookup ZonesD. Conditional ForwardersE. _msdcs.adatum.com



Mastering Microsoft Windows Server 2008 R2 (Sybex, 2010) page 193

A forward lookup means the client provides a fully qualified domain name and the DNS server returns an IPaddress. A reverse lookup does the opposite: the client provides an IP address, and then the DNS serverreturns an FQDN.

QUESTION 52Your network contains an Active Directory domain named adatum.com. The domain contains a domaincontroller named DC1. DC1 has an IP address of 192.168.200.100.

You need to identify the zone that contains the Pointer (PTR) record for DC1.

Which zone should you identify?

A. adatum.comB. _msdcs.adatum.comC. 100.168.192.in-addr.arpaD. 200.168.192.in-addr.arpa



Reference 1:MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)page 57

Reverse lookup: This occurs when a client computer knows the IP address of another computer and requiresits hostname, which can be found in the DNS server's PTR (pointer) resource record.Reference 2:MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)page 45/730You are configuring a reverse lookup zone for your network, which uses the Class C network address range of192.168.5.0/24. Which of the following addresses should you use for the reverse lookup zone?a. 5.168.192.in-addr.arpa

b. 0.5.168.192.in-addr.arpac. 192.168.5.in-addr.arpad. 192.168.5.0.in-addr.arpa

The reverse lookup zone contains octets of the network portion of the IP address in reverse sequence and usesa special domain name ending in in-addr.arpa. Thus the correct address is 5.168.192.in-addr.arpa. You do notuse the host portion of the IP address, so 0.5.168.192.in-addr.arpa is incorrect. The octets must be specified inreverse sequence, so the other two choices are both incorrect.

QUESTION 53Your network contains an Active Directory forest named adatum.com. The DNS infrastructure fails.

You rebuild the DNS infrastructure.

You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.

Which service should you restart on the domain controllers?

A. NetlogonB. DNS ServerC. Network Location AwarenessD. Network Store Interface ServiceE. Online Responder Service




The SRV resource records for a domain controller are important in enabling clients to locate the domaincontroller. The Netlogon service on domain controllers registers this resource record whenever a domaincontroller is restarted. You can also re-register a domain controller's SRV resource records by restarting thisservice from the Services branch of Server Manager or by typing net start netlogon. An exam question mightask you how to troubleshoot the nonregistration of SRV resource records.

QUESTION 54Your network contains an Active Directory domain named adatum.com.

The password policy of the domain requires that the passwords for all user accounts be changed every 50days.

You need to create several user accounts that will be used by services. The passwords for these accountsmust be changed automatically every 50 days.

Which tool should you use to create the accounts?

A. Active Directory Administrative CenterB. Active Directory Users and ComputersC. Active Directory Module for Windows PowerShellD. ADSI EditE. Active Directory Domains and Trusts



Use the New-ADServiceAccount cmdlet in PowerShell to create the new accounts as managed serviceaccounts. Managed service accounts offer Automatic password management, making password managementeasier.Reference 1:


What are the benefits of new service accounts?In addition to the enhanced security that is provided by having individual accounts for critical services, there arefour important administrative benefits associated with managed service accounts:(...)Unlike with regular domain accounts in which administrators must reset passwords manually, the networkpasswords for these accounts will be reset automatically.(...)Reference 2:http://technet.microsoft.com/en-us/library/dd391964.aspx Use the Active Directory module for WindowsPowerShell to create a managed service account.Reference 3:http://technet.microsoft.com/en-us/library/dd548356.aspx To create a new managed service account1. On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc, and then click OKto open the Active Directory Users and Computers snap-in. Confirm that the Managed Service Accountcontainer exists.2. Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShell icon.3. Run the following command: New-ADServiceAccount [-SAMAccountName <String>] [- Path <String>].Reference 4:http://technet.microsoft.com/en-us/library/hh852236.aspx Use the -ManagedPasswordIntervalInDays parameterwith New-ADServiceAccount to specify the number of days for the password change interval. -ManagedPasswordIntervalInDays<Int32>Specifies the number of days for the password change interval. If setto 0 then the default is used. This can only be set on object creation. After that the setting is read only. Thisvalue returns the msDSManagedPasswordInterval of the group managed service account object.The following example shows how to specify a 90 day password changes interval:-ManagedPasswordIntervalInDays 90

QUESTION 55

Your network contains an Active Directory domain. The domain contains several domain controllers.

You need to modify the Password Replication Policy on a read-only domain controller (RODC).


A. Group Policy ManagementB. Active Directory Domains and TrustsC. Active Directory Users and ComputersD. Computer ManagementE. Security Configuration Wizard



http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-passwordreplication-policy.aspx

Administering the Password Replication Policy

This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP)and password caching for read-only domain controllers (RODCs).

To configure the PRP using Active Directory Users and Computers

1. Open Active Directory Users and Computers as a member of the Domain Admins group.

2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correctdomain.

3. Click Domain Controllers, and in the details pane, right-click the RODC computer account, and then clickProperties.

4. Click the Password Replication Policy tab.

5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed list and theDeny list on the RODC. To add other groups that should be included in either the Allowed list or the Deny list,click Add.

To add other accounts that will have credentials cached on the RODC, click Allow passwords for the account toreplicate to this RODC.

To add other accounts that are not allowed to have credentials cached on the RODC, click Deny passwords forthe account from replicating to this RODC.


QUESTION 56Your network contains an Active Directory forest. The forest contains domain controllers that run WindowsServer 2008 R2. The functional level of the forest is Windows Server 2003. The functional level of the domain isWindows Server 2008.

From a domain controller, you need to perform an authoritative restore of an organizational unit (OU).


A. Raise the functional level of the forestB. Modify the tombstone lifetime of the forest.C. Restore the system state.D. Raise the functional level of the domain.



The Recycle Bin feature cannot be applied here, see the reference below.Reference:

Windows Server 2008 R2 Unleashed (SAMS, 2010) pages 1292 and 1297

Active Directory Recycle Bin Recovery

Let's begin this section with a very clear statement: If you need to recover a deleted Active Directory object andthe Active Directory Recycle Bin was not enabled before the object was deleted, skip this section and proceedto the "Active Directory Authoritative Restore" section.

Active Directory Authoritative Restore

When Active Directory has been modified and needs to be restored to a previous state, and this rollback needsto be replicated to all domain controllers in the domain and possibly the forest, an authoritative restore of ActiveDirectory is required. An authoritative restore of Active Directory can include the entire Active Directorydatabase, a single object, or a container, such as an organizational unit including all objects previously storedwithin the container. To perform an authoritative restore of Active Directory, perform the System State restoreof a domain controller.


QUESTION 57Your network contains an Active Directory forest. The forest contains two domains named contoso.com andwoodgrovebank.com.

You have a custom attribute named Attribute 1 in Active Directory. Attribute 1 is associated to User objects.

You need to ensure that Attribute1 is included in the global catalog.

What should you do?

A. From the Active Directory Schema snap-in, modify the properties of the Attribute 1 attributeSchema object.B. In Active Directory Users and Computers, configure the permissions on the Attribute 1 attribute for User

objects.C. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the

forest.




Global Catalog Partial Attribute Set

The attributes that are replicated to the global catalog by default include a base set that have been defined by

Microsoft as the attributes that are most likely to be used in searches. Administrators can use the MicrosoftManagement Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet theneeds of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute tothe global catalog check box to designate an attributeSchema object as a member of the PAS, which sets thevalue of the isMemberOfPartialAttributeSet attribute to TRUE.

Global Catalog Replication of Additions to the Partial Attribute Set Each global catalog server in an AD DSforest hosts a copy of every existing object in that forest. For the objects of its own domain, a global catalogserver has information related to all attributes that are associated with those objects. For the objects in domainsother than its own, aglobal catalog server has only information that is related to the set of attributes that are marked in the AD DS

schema to be included in the partial attribute set (PAS). As described earlier, the PAS is defined by Microsoft asthose attributes that are most likely to be used for searches. These attributes are replicated to every globalcatalog server in an AD DS forest.

If you want to add an attribute to the PAS, you can mark the attribute by using the Active Directory Schemasnap-in to edit the isMemberOfPartialAttributeSet value on the respective attributeSchema object. You mark theattribute by placing a checkmark next to isMemberOfPartialAttributeSet. If the

isMemberOfPartialAttributeSet value is checked (set to TRUE), the attribute is replicated to the global catalog.

If the value is not checked (set to FALSE), the attribute is not replicated to the global catalog.

QUESTION 58Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the ActiveDirectory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD LDS instances namedInstance1 and Instance2.

You need to remove Instance2 from Server1 without affecting Instance1.


A. NTDSUtilB. DsdbutilC. Programs and Features in the Control PanelD. Server Manager




Administering AD LDS Instances

Each AD LDS instance runs as an independent--and separately administered--service on a computer.Reference 2:technet.microsoft.com/en-us/library/cc794886.aspx

To remove an AD LDS instance1. To open Programs and Features, click Start, click Settings, click Control Panel, and then double-clickPrograms and Features.2. Locate and click the AD LDS instance that you want to remove.3. Click Uninstall.NoteIt is not necessary to restart the computer after you remove an AD LDS instance.

QUESTION 59Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to compact the Active Directory database.

What should you do?

A. Run the Get-ADForest cmdlet.

B. Configure subscriptions from Event Viewer.C. Run the eventcreate.exe command.D. Configure the Active Directory Diagnostics Data Collector Set (OCS).E. Create a Data Collector Set (DCS).F. Run the repadmin.exe command.G. Run the ntdsutil.exe command.H. Run the dsquery.exe command.I. Run the dsamain.exe command.J. Create custom views from Event Viewer.



Reference 1:http://technet.microsoft.com/en-us/library/cc794920.aspx Compact the Directory Database File (OfflineDefragmentation) You can use this procedure to compact the Active Directory database offline. Offlinedefragmentation returns free disk space in the Active Directory database to the file system. As part of the offlinedefragmentation procedure, check directory database integrity. Performing offline defragmentation creates anew, compacted version of the database file in a different location.

Reference 2:Mastering Windows Server 2008 R2 (Sybex, 2010) page 805 Performing Offline Defragmentation of Ntds.ditThese steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment andcompact the database to a remote shared folder, map a drive letter to that shared folder before you begin thesesteps, and use that drive letter in the path where appropriate.1. Open an elevated command prompt. Click Start, and then right-click Command Prompt.Click Run as Administrator.2. Type ntdsutil, and then press Enter.3. Type Activate instance NTDS, and press Enter.4. At the resulting ntdsutil prompt, type Files (case sensitive), and then press Enter.5. At the file maintenance prompt, type compact to followed by the path to the destination folder for thedefragmentation, and then press Enter.


You need to collect all of the Directory Services events from all of the domain controllers and store the events ina single central computer.

What should you do?

A. Run the ntdsutil.exe command.B. Run the repodmin.exe command.C. Run the Get-ADForest cmdlet.D. Run the dsamain.exe command.E. Create custom views from Event Viewer.F. Run the dsquery.exe command.G. Configure the Active Directory Diagnostics Data Collector Set (DCS),H. Configure subscriptions from Event Viewer.I. Run the eventcreate.exe command.J. Create a Data Collector Set (DCS).




Event Subscriptions

Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issuemight require you to examine a set of events stored in multiple logs on multiple computers.

Windows Vista includes the ability to collect copies of events from multiple remote computers and store themlocally. To specify which events to collect, you create an event subscription. Among other details, thesubscription specifies exactly which events will be collected and in which log they will be stored locally. Once asubscription is active and events are being collected, you can view and manipulate these forwarded events asyou would any other locally stored events.

Using the event collecting feature requires that you configure both the forwarding and the collecting computers.

The functionality depends on the Windows Remote Management (WinRM) service and the Windows EventCollector (Wecsvc) service. Both of these services must be running on computers participating in theforwarding and collecting process. To learn about the steps required to configure event collecting andforwarding computers, see Configure Computers to Forward and Collect Events (http://technet.microsoft.com/en-us/library/cc748890.aspx).

QUESTION 61Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.You need to receive a notification when more than 100 Active Directory objects are deleted per second.

What should you do?

A. Create custom views from Event Viewer.B. Run the Get-ADForest cmdlet.C. Run the ntdsutil.exe command.D. Configure the Active Directory Diagnostics Data Collector Set (DCS).E. Create a Data Collector Set (DCS).F. Run the dsamain.exe command.G. Run the dsquery.exe command.H. Run the repadmin.exe command.I. Configure subscriptions from Event Viewer.J. Run the eventcreate.exe command.



http://technet.microsoft.com/en-us/magazine/ff458614.aspx

Configure Windows Server 2008 to Notify you when Certain Events Occur

You can configure alerts to notify you when certain events occur or when certain performance thresholds arereached. You can send these alerts as network messages and as events that are logged in the applicationevent log. You can also configure alerts to start applications and performance logs.

To configure an alert, follow these steps:

1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the leftpane, point to New, and then choose Data Collector Set.

2. (...)

3. In the Performance Counters panel, select the first counter, and then use the Alert When Value Is text box toset the occasion when an alert for this counter is triggered. Alerts can be triggered when the counter is above orbelow a specific value. Select Above or Below, and then set the trigger value. The unit of measurement iswhatever makes sense for the currently selected counter or counters. For example, to generate an alert ifprocessor time is over 95 percent, select Over, and then type 95. Repeat this process to configure othercounters you've selected.



You need to create a snapshot of Active Directory.

What should you do?

A. Run the dsquery.exe command.B. Run the dsamain.exe command.C. Create custom views from Event Viewer.D. Configure subscriptions from Event Viewer.E. Create a Data Collector Set (DCS).F. Configure the Active Directory Diagnostics Data Collector Set (DCS).G. Run the repadmin.exe command.H. Run the ntdsutil.exe command.I. Run the Get-ADForest cmdlet.J. Run the eventcreate.exe command.




To create an AD DS or AD LDS snapshot

1. Log on to a domain controller as a member of the Enterprise Admins groups or the Domain Admins group.


3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and thenclick Continue.

4. At the elevated command prompt, type the following command, and then press ENTER:

ntdsutil

5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot

6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds

7. At the snapshot prompt, type the following command, and then press ENTER: create



You mount an Active Directory snapshot.

You need to ensure that you can query the snapshot by using LDAP.

What should you do?

A. Run the dsamain.exe command.B. Create custom views from Event Viewer.C. Run the ntdsutil.exe command.D. Configure subscriptions from Event Viewer.E. Run the Get-ADForest cmdlet.F. Create a Data Collector Set (DCS).G. Run the eventcreate.exe command.H. Configure the Active Directory Diagnostics Data Collector Set (DCS).I. Run the repadmin.exe command.J. Run the dsquery.exe command.




The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for yourorganization by providing a means to compare data as it exists in snapshots that are taken at different times sothat you can better decide which data to restore after data loss. This eliminates the need to restore multiplebackups to compare the Active Directory data that they contain.

Requirements for using the Active Directory database mounting tool

You do not need any additional software to use the Active Directory database mounting tool. All the tools thatare required to use this feature are built into Windows Server 2008 and are available if you have the AD DS orthe AD LDS server role installed. These tools include the following:

Dsamain.exe, which you can use to expose the snapshot data as an LDAP server

"A Composite Solution With Just One Click" - Certification Guaranteed 283 Microsoft 70-640 : Practice TestExisting LDAP tools, such as Ldp.exe and Active Directory Users and Computers

QUESTION 64Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008

R2.

The network contains an enterprise certification authority (CA).

You need to ensure that all of the members of a group named Managers can view the event log entries forCertificate Services.


A. Active Directory Administrative CenterB. Authorization ManagerC. Certificate TemplatesD. CertificatesE. Certification AuthorityF. Enterprise PKIG. Group Policy ManagementH. Security Configuration WizardI. Share and Storage Management


Explanation/Reference:Explanation: We can make the Group1 group a member of the Event Log Readers Group, giving them readaccess to all event logs, thus including the Certificate Services events. We can do that by using Group PolicyManagement.

Reference 1:It's a bit hard to find some good, clear reference for this. There's nothing wrong with doing it yourself, so here'swhat I did in VMWare, using a domain controller and a member server.Click along if you want!

In VMWare I have setup a domain controller, DC01 and a member server MEM01, both belonging to thecontoso.com domain. I have placed MEM01 in an OU named Events. I have created a global security group,named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM01.


Start the Group Policy Management console on DC01. Right-click the Events OU and choose "Create a GPO inthis domain, and Link it here..."I named the GPO "EventLog_TESTGROUP"Right-click the "EventLog_TESTGROUP" GPO and choose "Edit..." Go to Computer Configuration \ Policies\Windows Settings \ Security Settings and select "Restricted Groups"Right-click "Restricted Groups" and choose "Add Group..." Now there are two ways to do this. We can selectTESTGROUP and make it a member of the Event Log Readers group, or we can select the Event Log Readersgroup and add TESTGROUP as a member. Let's do the second one. Click the Browse button and go find theEvent Log Readers group. Click OK. Click the Browse button next to "Members of this group", search for theTESTGROUP group and add it.Click OK.10. On MEM01 open a command prompt and run gpupdate /force. Check the Event Log Readers groupproperties and see that the TESTGROUP group is now a member.

Reference 2:http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators- permission-to-read-event-logs-windows-2003-and-windows-2008.aspx

Giving Non Administrators permission to read Event Logs Windows 2003 and Windows So if you want to give

Non-Administrator users access remotely to Event logs if the Servers or Domain Controllers they are accessingare Windows 2003 follow the steps below.

(...)

Windows 2008 is much easier as long as you are giving the users and groups in question read access to allevent logs. If that is the case just add them to the Built in Event Log Readers group.

QUESTION 65Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008R2 Enterprise. All client computers run Windows 7 Professional.

The network contains an enterprise certification authority (CA).You need to approve a pending certificate request.


A. Active Directory Administrative CenterB. Authorization ManagerC. Certificate TemplatesD. CertificatesE. Certification AuthorityF. Enterprise PKIG. Group Policy ManagementH. Security Configuration WizardI. Share and Storage Management



Reference 1:http://technet.microsoft.com/de-de/library/ff849263.aspx To issue a pending certificate request:1. Log on to your root CA by using an account that is a certificate manager.2. Start the Certification Authority snap-in.3. In the console tree, expand your root CA, and click Pending Certificates.4. In the details pane, right-click the pending CA certificate, and click Issue.


You have an organizational unit (OU) named Sales and an OU named Engineering.

You have a Group Policy object (GPO) linked to the domain.

You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts inthe Sales OU. You must achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.

D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Sales OU.J. Link the GPO to the Engineering OU.




Block Inheritance You can block inheritance for a domain or organizational unit. Blocking inheritance preventsGroup Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from beingautomatically inherited by the child-level.

QUESTION 67A corporate network includes a single Active Directory Domain Services (AD DS) domain. The domain contains10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNSservers.

You plan to create an Active Directory-integrated zone.

You need to ensure that the new zone is replicated to only four of the domain controllers.


A. Use the ntdsutil tool to modify the DS behavior for the domain.B. Use the ntdsutil tool to add a naming context.C. Create a new delegation in the ForestDnsZones application directory partition.D. Use the dnscmd tool with the /zoneadd parameter.




Store Data in an AD DS Application PartitionYou can store Domain Name System (DNS) zones in the domain or application directory partitions of ActiveDirectory Domain Services (AD DS). An application directory partition is a data structure in AD DS thatdistinguishes data for different replication purposes. When you store a DNS zone in an application directorypartition, you can control the zone replication scope by controlling the replication scope of the applicationdirectory partition.



Partition managementManages directory partitions for Active Directory Domain Services (AD DS) or Active Directory LightweightDirectory Services (AD LDS).This is a subcommand of Ntdsutil and Dsmgmt.ExamplesTo create an application directory partition named AppPartition in the contoso.com domain, complete thefollowing steps:1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories,rightclickCommand Prompt, and then click Run as administrator.

2. Type: ntdsutil3. Type: Ac in ntds4. Type: partition management5. Type: connections6. Type: Connect to server DC_Name7. Type: quit8. Type: listThe following partitions will be listed:0 CN=Configuration,DC=Contoso,DC=com1 DC=Contoso,DC=com2 CN=Schema,CN=Configuration,DC=Contoso,DC=com3 DC=DomainDnsZones,DC=Contoso,DC=com4 DC=ForestDnsZones,DC=Contoso,DC=com9. At the partition management prompt, type: create nc dc=AppPartition,dc=contoso,dc=comConDc1.contoso.com10. Run the list command again to refresh the list of partitions.

QUESTION 68Your network contains an Active Directory forest named fabrikam.com. The forest contains the followingdomains:

Fabrikam.comEu.fabrikam.comNa.fabrikam.comEu.contoso.comNa.contoso.com

You need to configure the forest to ensure that the administrators of any of the domains can specify a userprincipal name (UPN) suffix of contoso.com when they create user accounts from Active Directory Users andComputers.


A. Active Directory Sites and ServicesB. Set-ADDomainC. Set-ADForestD. Active Directory Administrative Center



Explanation:

We would use the following command to achieve this:Set-ADForest -UPNSuffixes @{Add="contoso.com"}Reference 1:


Creating a UPN Suffix for a ForestThis topic explains how to use the Active Directory module for Windows PowerShell to create a new userprincipal name (UPN) suffix for the users in a forest. Creating an additional UPN suffix helps simplify the namesthat are used to log on to another domain in the forest.

ExampleThe following example demonstrates how to create a new UPN suffix for the users in the Fabrikam.com forest:Set-ADForest -UPNSuffixes @{Add="headquarters.fabrikam.com"} Reference 2http://technet.microsoft.com/en-us/library/ee617221.aspx Set-ADForest Modifies an Active Directory forest.ParameterUPNSuffixesModifies the list of user principal name (UPN) suffixes of the forest. This parameter sets the multi-valuedmsDS-UPNSuffixes property of the cross-reference container. This parameter uses the following syntax to addremove, replace, or clear UPN suffix values.


Syntax:To add values:-UPNSuffixes @{Add=value1,value2,...}

QUESTION 69A corporate network includes a single Active Directory Domain Services (AD DS) domain and two AD DS sites.

The AD DS sites are named Toronto and Montreal. Each site has multiple domain controllers.

You need to determine which domain controller holds the Inter-Site Topology Generator role for the Torontosite.

What should you do?

A. Use the Active Directory Sites and Services console to view the NTDS Site Settings for the Toronto site.B. Use the Ntdsutil tool with the roles parameter.C. Use the Ntdsutil tool with the LDAP policies parameter.D. Use the Active Directory Sites and Services console to view the properties of each domain controller in the

Toronto site.




Determine the ISTG Role Owner for a Site

The Intersite Topology Generator (ISTG) is the domain controller in each site that is responsible for generatingthe intersite topology. If you want to regenerate the intersite topology, you must determine the identity of theISTG role owner in a site. You can use this procedure to view the NTDS Site Settings object properties and

determine the ISTG role owner for the site.

To determine the ISTG role owner for a site

"A Composite Solution With Just One Click" - Certification Guaranteed 291 Microsoft 70-640 : Practice Test1. Open Active Directory Sites and Services.

2. In the console tree, click the site object whose ISTG role owner you want to determine.

3. In the details pane, right-click the NTDS Site Settings object, and then click Properties. The current roleowner appears in the Server box under Inter-Site Topology Generator.

QUESTION 70Your network contains an Active Directory domain. The domain contains five sites. One of the sites contains aread-only domain controller (RODC) named RODC1.

You need to identify which user accounts can have their password cached on RODC1.


A. RepadminB. DcdiagC. Get-ADDomainControllerPasswordReplicationPolicyUsageD. Adtest



Original answer was C ("Get-ADDomainControllerPasswordReplicationPolicyUsage"). On why it's not correct, Iquote the original explanation:"The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that areauthenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC.The list of accounts that are stored on a RODC is known as the revealed list."So, this revealed list has a list of accounts whose passwords are cached on RODC's. But we don't need theaccounts that are cached on RODC1, but the ones that can be cached on RODC1. Those are in the allowedlist, and we can get it using repadmin.

Reference:


Repadmin /prpLists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).

Syntax

repadmin /prp view <RODC> {<List_Name>|<User>}

Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for aspecified user.

Parameters

<RODC>

Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domainname. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in onedomain.

<List_Name>

Specifies all the security principals that are in the list that you want to view. The valid list names are as follows:

auth2: The list of security principals that the RODC has authenticated.

reveal: The list of security principals for which the RODC has cached passwords.

allow: The list of security principals in the msDS-RevealOnDemandGroup attribute. The RODC can cache

passwords for this list of security principals only.

deny: The list of security principals in the msDS-NeverRevealGroup attribute. The RODC cannot cache

passwords for any security principals in this list.

Original explanation for answer C:

The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that areauthenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC.The list of accounts that are stored on a RODC is known as the revealed list.



QUESTION 71A network contains an Active Directory forest. The forest contains three domains and two sites.

You remove the global catalog from a domain controller named DC2. DC2 is located in Site1.

You need to reduce the size of the Active Directory database on DC2. The solution must minimize the impacton all users in Site1.


A. On DC2, start the Protected Storage service.B. On DC2, stop the Active Directory Domain Services service.C. Start DC2 in Safe Mode.D. Start DC2 in Directory Services Restore Mode.




Returning Unused Disk Space from the Active Directory Database to the File System

During ordinary operation, the free disk space in the Active Directory database file becomes fragmented. Eachtime garbage collection runs (every 12 hours, by default), free disk space is automatically defragmented onlineto optimize its use within the database file. The unused disk space is maintained for the database; it is not

returned to the file system.

Only offline defragmentation can return unused disk space from the directory database to the file system.

When database contents have decreased considerably through a bulk deletion (for example, when you removethe global catalog from a domain controller), or if the size of the database backup is significantly increased as aresult of the amount of free disk space, use offline defragmentation to reduce the size of the Ntds.dit file.

On domain controllers that are running Windows Server 2008, offline defragmentation does not requirerestarting the domain controller in Directory Services Restore Mode (DSRM), as is required on domaincontrollers that are running versions of Windows Server 2000 and Windows Server 2003. You can use a newfeature in Windows Server 2008, restartable Active Directory Domain Services (AD DS), to stop the AD DSservice. When the service is

"A Composite Solution With Just One Click" - Certification Guaranteed 294 Microsoft 70-640 : Practice Teststopped, services that depend on AD DS shut down automatically. However, any other services that are runningon the domain controller, such as Dynamic Host Configuration Protocol (DHCP), continue to run and respond toclients.

QUESTION 72Your network contains an Active Directory domain named adatum.com. The functional level of the domain isWindows Server 2008. All domain controllers run Windows Server 2008 R2. All client computers run Windows7 Enterprise.

You need to receive a notification when more than 50 Active Directory objects are deleted per second.

What should you do?

A. Run the Get-ADDomain cmdlet.B. Run the dsget.exe command.C. Run the ntdsutil.exe command.D. Run the ocsetup.exe command.E. Run the dsamain.exe command.F. Run the eventcreate.exe command.G. Create a Data Collector Set (DCS).H. Create custom views from Event Viewer.I. Configure subscriptions from Event Viewer.J. Import the Active Directory module for Windows PowerShell.



http://technet.microsoft.com/en-us/magazine/ff458614.aspx

Configure Windows Server 2008 to Notify you when Certain Events Occur

You can configure alerts to notify you when certain events occur or when certain performance thresholds arereached. You can send these alerts as network messages and as events that are logged in the applicationevent log. You can also configure alerts to start applications and performance logs.

To configure an alert, follow these steps:


1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the leftpane, point to New, and then choose Data Collector Set.

2. (...)

3. In the Performance Counters panel, select the first counter, and then use the Alert When Value Is text box toset the occasion when an alert for this counter is triggered. Alerts can be triggered when the counter is above orbelow a specific value. Select Above or Below, and then set the trigger value. The unit of measurement iswhatever makes sense for the currently selected counter or counters. For example, to generate an alert ifprocessor time is over 95 percent, select Over, and then type 95. Repeat this process to configure othercounters you've selected.


You have a custom certificate template that has a key length of 1,024 bits. The template is enabled forautoenrollment.

You increase the template key length to 2,048 bits.

You need to ensure that all current certificate holders automatically enroll for a certificate that uses the newtemplate.


A. Group Policy Management MMC Snap-InB. Certificates MMC Snap-In on the Certificate AuthorityC. Certificate Templates MMC Snap-InD. Certification Authority MMC Snap-In




Re-Enroll All Certificate Holders

This procedure is used when a critical change is made to the certificate template and youwant all subjects that hold a certificate that is based on this template to re-enroll as quickly as possible. Thenext time the subject verifies the version of the certificate against the version of the template on the certificationauthority (CA), the subject will re-enroll.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete thisprocedure. For more information, see Implement Role-Based Administration.

To re-enroll all certificate holders


2. Right-click the template that you want to use, and then click Reenroll All Certificate Holders.

QUESTION 74Your network contains an Active Directory forest. The forest contains one domain named contoso.com.

You attempt to create a new child domain and you receive the following error message:

"An LDAP read of operational attributes failed."

You need to ensure that you can add a new child domain to the forest.

What should you do?

A. Move the PDC emulator role.B. Move the RID master role.C. Move the infrastructure master role.D. Move the schema master role.E. Move the domain naming master role.F. Move the global catalog server.G. Move the bridgehead server.H. Install a read-only domain controller (RODC).I. Deploy an additional global catalog server.J. Restart the Active Directory Domain Services (AD DS) service.



This message appears when the domain naming master is unavailable. It needs to be moved to anotherdomain controller to resolve this.Reference:

http://technet.microsoft.com/en-us/library/bb727058.aspx

Troubleshooting Active Directory Installation Wizard Problems

Symptom or Error

An LDAP read of operational attributes failed.

Root Cause

The domain naming master for the forest is offline or cannot be contacted.

Solution Make the current domain naming master accessible. If necessary, see "Seizing Operations MasterRoles" in this guide.

QUESTION 75Your network contains an Active Directory domain named adatum.com. The functional level of the domain isWindows Server 2003. All domain controllers run Windows Server 2008 R2.

You mount an Active Directory snapshot.

You need to ensure that you can connect to the snapshot by using LDAP.

What should you do?

A. Run the Get-ADDomain cmdlet.B. Run the dsget.exe command.C. Run the ntdsutil.exe command.

D. Run the ocsetup.exe command.E. Run the dsamain.exe command.F. Run the eventcreate.exe command,G. Create a Data Collector Set (DCS).H. Create custom views from Event Viewer.I. Configure subscriptions from Event Viewer.J. Import the Active Directory module for Windows PowerShell.




The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for yourorganization by providing a means to compare data as it exists in snapshots that are taken at different times sothat you can better decide which data to restore after data loss. This eliminates the need to restore multiplebackups to compare the Active Directory data that they contain.

Requirements for using the Active Directory database mounting tool

You do not need any additional software to use the Active Directory database mounting tool. All the tools thatare required to use this feature are built into Windows Server 2008 and are available if you have the AD DS orthe AD LDS server role installed. These tools include the following: (...)

Dsamain.exe, which you can use to expose the snapshot data as an LDAP server

Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers



You need to ensure that when users log on to client computers, they are added automatically to the localAdministrators group. The users must be removed from the group when they log off of the client computers.

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the Group Policy object (GPO) to the Sales OU.J. Link the Group Policy object (GPO) to the Engineering OU.

Correct Answer: HSection: (none)

Explanation


http://daniel.streefkerkonline.com/managing-local-admins-using-gpp/

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local- administrator-groups/

QUESTION 77Your network contains an Active Directory forest named contoso.com. The forest contains two member serversnamed Server1 and Server2. Server1 and Server2 have the DNS Server server role installed.

Server1 hosts a standard primary zone for contoso.com. Server2 is configured as a secondary name server forcontoso.com.

You experience issues with the copy of the zone on Server2,

You verify that both copies of the zone have the same serial number.

You need to transfer a complete copy of the zone from Server1 to Server2.


A. From DNS Manager, right-click contoso.com and click Transfer from Master.B. From Services, right-click DNS Server and click Refresh.C. From Services, right-click DNS Server and click Restart.D. From DNS Manager, right-click contoso.com and click Reload.E. From DNS Manager, right-click contoso.com and click Transfer a new copy of zone from "A Composite

Solution With Just One Click" - Certification Guaranteed 300 Microsoft 70-640 : Practice TestMaster.



MS Press - Self-Paced Training Kit (Exam 70-642) (2nd Edition, 2011) page 212

Manually Updating a Secondary Zone

By right-clicking a secondary zone in the DNS Manager console tree, you can use the shortcut menu to performthe following secondary zone update operations:

Reload - This operation reloads the secondary zone from the local storage.

Transfer From Master - The server hosting the local secondary zone determines whether the serial number inthe secondary zone's SOA resource record has expired and then pulls a zone transfer from the master server.Transfer New Copy Of Zone From Master - This operation performs a zone transfer from the secondary zone'smaster server regardless of the serial number in the secondary zone's SOA resource record.

QUESTION 78Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllernamed DC3 and DC4, The functional level of the domain is Windows Server 2008 R2. The functional level ofthe forest is Windows Server 2003.

Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day.

At 07:00, an administrator deletes a user account while he is logged on to DC1.

"A Composite Solution With Just One Click" - Certification Guaranteed 266 Microsoft 70- 640 Exam

You need to restore the deleted user account. You want to achieve this goal by using the minimum amount ofadministrative effort.

What should you do?

A. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and "then start Active Directory Domain Services.

B. On DC3, run the Restore-ADObject cmdlet.C. On DC1, run the Restore-ADObject cmdlet.D. On DC1, stop Active Directory Domain Services, restore the SystemState, and then start Active Directory

Domain Services.



We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and youcan only use Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the questiontext it says "The functional level of the forest is Windows Server 2003."

See http://technet.microsoft.com/nl-nl/library/dd379481.aspx Performing an authoritative restore on DC3updates the Update Sequence Number (USN) on that DC, which causes it to replicate the restored useraccount to other DC's.Reference 1:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 692 "An authoritative restorerestores data that was lost and updates the Update Sequence Number (USN) for the data to make itauthoritative and ensure that it is replicated to all other servers."Reference 2:http://technet.microsoft.com/en-us/library/cc755296.aspx Authoritative restore of AD DS has the followingrequirements:(...)You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restorecommand and restart the service after the command is complete.

QUESTION 79You create a standard primary zone for contoso.com.

You need to specify a user named Admin1 as the person responsible for managing the zone.

What should you do? (Each correct answer presents a complete solution. Choose two.)


A. Open the %Systemroot\System32\DNS\Contoso.com.dns file by using Notepad and change all instances of"hostmaster.contoso.com" to "admin1.contoso.com".

B. From DNS Manager, open the properties of the Start of Authority (SOA) record ofcontoso.com, Specifyadmin1.contoso.com as the responsible person.

C. Open the %Systemroot\System32\DNS\Contoso.com.dns file by using Notepad and change all instances of

"[email protected]" to "[email protected]".D. From DNS Manager, open the properties of the Start of Authority (SOA) record ofcontoso.com.Specify

[email protected] as the responsible person.




To modify the start of authority (SOA) resource record for a zone using the Windows interface1. Open DNS Manager.2. In the console tree, right-click the applicable zone, and then click Properties.3. Click the Start of Authority (SOA) tab.4. As needed, modify properties for the start of authority (SOA) resource record.5. Click OK to save the modified properties.

Reference 2:http://technet.microsoft.com/en-us/library/dd197495.aspx The SOA resource record contains the followinginformation:SOA resource record fieldsResponsible person The e-mail address of the person responsible for administering the zone. A period (.) isused instead of an at sign (@) in this e-mail name.(...)

QUESTION 80Your network contains an Active Directory forest named contoso.com. The functional level of the forest isWindows Server 2008 R2.

The DNS zone for contoso.com is Active Directory-integrated.

You deploy a read-only domain controller (RODC) named RODC1. You install the DNS Server server role onRODC1.

You discover that RODC1 does not have any DNS application directory partitions.

You need to ensure that RODC1 has a copy of the DNS application directory partition of contoso.com.

What should you do? (Each correct answer presents a complete solution. Choose two.)

A. From DNS Manager, right-click RODC1 and click Create Default Application Directory Partitions.B. Run ntdsutil.exe. From the Partition Management context, run the create nc command.C. Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.D. Run ntdsutil.exe. From the Partition Management context, run the add nc replica command.E. Run dnscmd.exe and specify the /enlistdirectorypartition parameter.

Correct Answer: DESection: (none)Explanation



RODC Post-Installation Configuration

If you install DNS server after the AD DS installation, you must also enlist the RODC in the DNS applicationdirectory partitions. The RODC is not enlisted automatically in the DNS application directory partitions by designbecause it is a privileged operation. If the RODC were allowed to enlist itself, it would have permissions to addor remove other DNS servers that are enlisted in the application directory partitions.


1. Open an elevated command prompt.

2. At the command prompt, type the following command, and then press ENTER:

dnscmd<ServerName> /EnlistDirectoryPartition <FQDN>

For example, to enlist RODC01 in the domain-wide DNS application directory partition in a domain namedchild.contoso.com, type the following command:

dnscmd RODC01 /EnlistDirectoryPartition DomainDNSZones.child.contoso.com

You might encounter the following error when you run this command:

"A Composite Solution With Just One Click" - Certification Guaranteed 304 Microsoft 70-640 : Practice TestCommand failed: ERROR_DS_COULDNT_CONTACT_FSMO 8367 0x20AF

If this error appears, use NTDSUTIL to add the RODC for the partition to be replicated:

1. ntdsutil

2. partition management

3. connections

4. Connect to a writeable domain controller (not an RODC): connect to server<WriteableDC>.Child.contoso.com

5. quit

6. To enlist this server in the replication scope for this zone, run the following command:add NC Replica DC=DomainDNSZones,DC=Child,DC=Contoso,DC=Com <rodc Server>.Child.

contoso.com


Please Check but I think this should be A and C and not A and D.

I have changed it to A and C.

Reason: Once the application directory partition is created, contoso.com should replicate to it.

Dnscmd /enlistdirectorypartition --- Adds the DNS server to the specified directory partition's replica set.

Dnscmd /createbuiltindirectorypartitions Creates a DNS application directory partition. When DNS is installed,an application directory partition for the service is created at the forest and domain levels. Use this command tocreate DNS application directory partitions that were deleted or never created. With no parameter, thiscommand creates a built-in DNS directory partition for the domain.

To create the default DNS application directory partitions

Using the Windows interface

Open DNS.

In the console tree, right-click the applicable DNS server.

Where?

"A Composite Solution With Just One Click" - Certification Guaranteed 305 Microsoft 70-640 : Practice TestDNS/applicable DNS server

Click Create Default Application Directory Partitions.

Follow the instructions to create the DNS application directory partitions.





A. NtdsutilB. DnscmdC. RepadminD. Nslookup





Forcing Replication

Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domaincontrollers that may or may not have replication agreements.



Syntax


Parameters

<DC>

Specifies the host name of the domain controller to synchronize with all replication partners.

<NamingContext>


<Flags>


QUESTION 82Your network contains three servers named ADFS1, ADFS2, and ADFS3 that run Windows Server 2008 R2.ADFS1 has the Active Directory Federation Services (AD FS) Federation Service role service installed.

You plan to deploy AD FS 2.0 on ADFS2 and ADFS3. You need to export the token-signing certificate fromADFS1, and then import the certificate to ADFS2 and ADFS3.

A. Personal Information Exchange PKCS #12 (.pfx)B. DER encoded binary X.509 (.cer)C. Cryptographic Message Syntax Standard PKCS #7 (.p7b)D. Base-64 encoded X.S09 (.cer)



Reference 1:http://technet.microsoft.com/en-us/library/ff678038.aspx

Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0 If the AD FS 1.x FederationService has a token-signing certificate that was issued by atrusted certification authority (CA) and you want to reuse it, you will have to export it from AD FS 1.x.

[The site provides also a link for instructions on how to export the token-signing certificate. That link point to thesite mentioned in reference 2.]


Export the private key portion of a token-signing certificate

To export the private key of a token-signing certificate Click Start, point to Administrative Tools, and then clickActive Directory Federation Services.Right-click Federation Service, and then click Properties.On the General tab, click View.In the Certificate dialog box, click the Details tab.On the Details tab, click Copy to File.On the Welcome to the Certificate Export Wizard page, click Next. On the Export Private Key page, select Yes,export the private key, and then click Next.On the Export File Format page, select Personal Information Exchange = PKCS #12 (.PFX), and then clickNext.(...)

QUESTION 83You create a user account template for the marketing department.

When you copy the user account template, you discover that the Web page attribute is not copied.

You need to preserve the Web page attribute when you copy the user account template.

What should you do?

A. From Active Directory Administrative Center, modify the value of the wWWHomePage attribute for the useraccount template.

B. From the Active Directory Schema snap-in, modify the properties of the user class.C. From Active Directory Users and Computers, modify the value of the wWWHomePage attribute for the user

account template.D. From ADSI Edit, modify the properties of the wWWHomePage attribute.




You can modify which default attributes are carried over to a newly copied user or specify additional attributesthat will be copied to the new user. To do this, open the Active Directory Schema snap-in, view the desiredattribute properties, and select (or clear) the Attribute is copied when duplicating user check box. You canmodify or add only the attributes that are instances of the user class.

QUESTION 84Your network contains an Active Directory domain named contoso.com. The functional level of the forest isWindows Server 2008 R2.

The Default Domain Controller Policy Group Policy object (GPO) contains audit policy settings.

On a domain controller named DC1, an administrator configures the Advanced Audit Policy Configurationsettings by using a local GPO.

You need to identify what will be audited on DC1.


A. Get-ADObjectB. SeceditC. Security Configuration and AnalysisD. Auditpol



Reference 1:http://technet.microsoft.com/en-us/library/cc772576.aspx Auditpol getRetrieves the system policy, per-user policy, auditing options, and audit security descriptor object.Reference 2:Windows Server 2008 R2 Unleashed (SAMS, 2010) page 670 You can use the AUDITPOL command to get

and set the audit categories and subcategories. To retrieve a list of all the settings for the audit categories andsubcategories, use the following command:auditpol /get /category:*

QUESTION 85A network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.

You need to view the custom attribute value of 500 user accounts in a Microsoft Excel table.


A. DsmodB. CsvdeC. LdifdeD. Dsrm



We can achieve this by using csvde:CSVDE -f onlyusers.csv -r "objectCategory=person" -l "CN,<CustomAttributeName>" The exported CSV filecan be viewed in Excel.

Reference:


"A Composite Solution With Just One Click" - Certification Guaranteed 310 Microsoft 70-640 : Practice TestCsvde

Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in thecomma-separated value (CSV) format. You can also support batch operations based on the CSV file formatstandard.

Syntax

Csvde [-i] [-f <FileName>] [-r <LDAPFilter>] [-l <LDAPAttributeList>] (...)

Parameters

-i

Specifies import mode. If not specified, the default mode is export.

-f <FileName>

Identifies the import or export file name.

-r <LDAPFilter>

Creates an LDAP search filter for data export.

-l <LDAPAttributeList>Sets the list of attributes to return in the results of an export query. LDAP can returnattributes in any order, and csvde does not attempt to impose any order on the columns. If you omit thisparameter, AD DS returns all attributes.

QUESTION 86Your network contains an Active Directory forest named contoso.com. The forest contains two domains namedcontoso.com and child.contoso.com. All domain controllers run Windows Server 2008. All forest-wideoperations master roles are in child.contoso.com.

An administrator successfully runs adprep.exe /forestprep from the Windows Server 2008 R2 Service Pack 1(SP1) installation media.

You plan to run adprep.exe /domainprep in each domain.

You need to ensure that you have the required user rights to run the command successfully in each domain.Of which groups should you be a member? (Each correct answer presents part of the solution.

Choose two.)

A. Administrators in child.contoso.comB. Enterprise Admins in contoso.comC. Domain Admins in child.contoso.comD. Domain Admins in contoso.comE. Administrators in contoso.comF. Schema Admins in contoso.com



http://technet.microsoft.com/de-de/library/cc731728.aspx

Adprep /domainprep

Prepares a domain for the introduction of a domain controller that runs Windows Server 2008. You run thiscommand after the forestprep command finishes and after the changes replicate to all the domain controllers inthe forest.

Run this command in each domain where you plan to add a domain controller that runs Windows Server 2008.

You must run this command on the domain controller that holds the infrastructure operations master role for thedomain. You must be a member of the Domain Admins group to run this command.

QUESTION 87Your network contains an Active Directory forest named contoso.com. The forest contains a single domain and10 domain controllers. All of the domain controllers run Windows Server 2008 R2 Service Pack 1 (SP1).

The forest contains an application directory partition named dc=app1, dc=contoso,dc=com. A domain controllernamed DC1 has a copy of the application directory partition.You need to configure a domain controller named DC2 to receive a copy of dc=app1, dc=contoso,dc=corn.


A. Active Directory Sites and ServicesB. DsmodC. DcpromoD. Dsmgmt




Dcpromo

Installs and removes Active Directory Domain Services (AD DS).

Parameter

ApplicationPartitionsToReplicate:""

Specifies the application directory partitions that dcpromo will replicate. Use the following format:

"partition1" "partition2" "partitionN"

Use * to replicate all application directory partitions.


Please Check Answer

I don't think this is Dsmod. It is most likely Dcpromo.

Dsmod -- Modifies an existing object of a specific type in the directory.

QUESTION 88A corporate environment includes a Windows Server 2008 R2 Active Directory DomainServices (AD DS) domain.

You need to enable Universal Group Membership Caching on several domain controllers in the domain.


A. DsmodB. DscmdC. NtdsutilD. Active Directory Sites and Services console




Enable Universal Group Membership Caching in a Site

In a branch site that has no global catalog server and in a forest that has multiple domains, you can use thisprocedure to enable Universal Group Membership Caching on a domain controller in the site so that a globalcatalog server does not have to be contacted across a wide area network (WAN) link for every initial user

logon.

To enable Universal Group Membership Caching in a site

1. Open Active Directory Sites and Services.

2. In the console tree, expand Sites, and then click the site in which you want to enable Universal GroupMembership Caching.

3. In the details pane, right-click the NTDS Site Settings object, and then click Properties.

4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.

5. In the Refresh cache from list, click the site that you want the domain controller to contact when the

Universal Group membership cache must be updated, and then click OK.


QUESTION 89Your network contains an Active Directory forest. The forest contains three domains. All domain controllershave the DNS Server server role installed.

The forest contains three sites named Site1, Site2, and Site3. Each site contains the users, client computers,and domain controllers of each domain. Site1 contains the first domain controller deployed to the forest. Thesites connect to each other by using unreliable WAN links.

The users in Site2 and Site3 report that is takes a long time to log on to their client computer when they usetheir user principal name (UPN). The users in Site1 do not experience the same issue.

You need to reduce the amount of time it takes for the Site2 users and the Site3 users to log on to their clientcomputer by using their UPN.

What should you do?

A. Configure a global catalog server in Site2 and a global catalog server in Site3.B. Reduce the replication interval of the site links.C. Move a primary domain controller (PDC) emulator to Site2 and to Site3.D. Add additional domain controllers to Site2 and to Site3.E. Reduce the cost of the site links.F. Enable universal group membership caching in Site2 and in Site3.




Common Global Catalog Scenarios

The following events require a global catalog server:

(...) User logon. In a forest that has more than one domain, two conditions require the global catalog duringuser authentication:

1. When a user principal name (UPN) is used at logon and the forest has more than one domain, a globalcatalog server is required to resolve the name.

2. (...)


QUESTION 90You have a client computer named Computer1 that runs Windows 7.

On Computer1, you configure a source-initiated subscription.

You configure the subscription to retrieve all events from the Windows logs of a domain controller named DC1.

The subscription is configured to use the HTTP protocol.

You discover that events from the Security log of DC1 are not collected on Computer1.Events from the

Application log of DC1 and the System log of DC1 are collected on Computer1.

You need to ensure that events from the Security log of DC1 are collected on Computer1.

What should you do?

A. Add the computer account of Computer1 to the Event Log Readers group on the domain controller.B. Add the Network Service security principal to the Event Log Readers group on the domain.C. Configure the subscription to use custom Event Delivery Optimization settings.D. Configure the subscription to use the HTTPS protocol.



Reference 1:http://blogs.technet.com/b/askds/archive/2011/08/29/the-security-log-haystack-event- forwarding-and-you.aspxPreparing Windows Server 2008 and Windows Server 2008 R2 You have to prepare your Windows Server2008/2008 R2 machines for collection of security events. To do this, simply add the Network Service account tothe Built-in Event Log Readers group.Reference 2:http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/8434ffb3-1621- 4bc5-8311-66d88b215886/How to collect security logs using event forwarding? For Windows Vista, Windows Server 2008 and laterversion of clients, please follow the


steps below to configure it.1. Click start->run, type CompMgmt.msc to open Computer Management Console.2. Under Local Users and Groups, click Groups->Event Log Readers to open Event Log Readers Properties.3. Click Add, then click Location button, select your computer and click OK.4. Click Object Types button, check the checkbox of Build-in security principals and click OK.5. Add "Network Service"build-in account to Event Log Readers group.6. Reboot the client computer.After these steps have been taken, you will see the security event logs in the Forwarded Events on your eventcollector.

QUESTION 91Your network contains an Active Directory forest named contoso.com. The forest contains six domains.

You need to ensure that the administrators of any of the domains can specify a user principal name (UPN)suffix oflitwareinc.com when they create user accounts by using Active Directory Users and Computers.


A. Active Directory Administrative CenterB. Set-ADDomainC. Active Directory Sites and ServicesD. Set-ADForest


Explanation/Reference:Explanation:We would use the following command to achieve this:Set-ADForest -UPNSuffixes @{Add="contoso.com"}

Reference 1:http://technet.microsoft.com/en-us/library/dd391925.aspx Creating a UPN Suffix for a ForestThis topic explains how to use the Active Directory module for Windows PowerShell to

create a new user principal name (UPN) suffix for the users in a forest. Creating an additional UPN suffix helpssimplify the names that are used to log on to another domain in the forest.

ExampleThe following example demonstrates how to create a new UPN suffix for the users in the Fabrikam.com forest:Set-ADForest -UPNSuffixes @{Add="headquarters.fabrikam.com"} Reference 2http://technet.microsoft.com/en-us/library/ee617221.aspx Set-ADForest Modifies an Active Directory forest.ParameterUPNSuffixes Modifies the list of user principal name (UPN) suffixes of the forest. This parameter sets the multi-valued msDS-UPNSuffixes property of the cross-reference container. This parameter uses the following syntaxto add remove, replace, or clear UPN suffix values.

Syntax:To add values:-UPNSuffixes @{Add=value1,value2,...}

QUESTION 92Your network contains an Active Directory domain named litwareinc.com. The domain contains two sitesnamed Sitel and Site2. Site2 contains a read-only domain controller (RODC).

You need to identify which user accounts attempted to authenticate to the RODC.


A. Active Directory Users and ComputersB. NtdsutilC. Get-ADAccountResultantPasswordReplicationPolicyD. Adtest


Explanation


Original answer was C ("Get-ADAccountResultantPasswordReplicationPolicy").Ntdsutil cannot be used for this.http://technet.microsoft.com/en-us/library/cc753343.aspx Get-ADAccountResultantPasswordReplicationPolicyis used to get the members of the allowed list or denied list of a read-only domain controller's passwordreplication policy.Get-ADDomainControllerPasswordReplicationPolicyUsage could be used, but is not listed. http://technet.microsoft.com/en-us/library/ee617207.aspx

Adtest is used for perfomance testing.Reference 1:http://technet.microsoft.com/en-us/library/cc755310.aspx

Review whose accounts have been authenticated to an RODC Periodically, you should review whose accountshave been authenticated to an RODC. (...) You can use Active Directory Users and Computers or repadmin /prp to review whose accounts have been authenticated to an RODC.Reference 2:http://technet.microsoft.com/en-us/library/83a6daba-cdde-4606-97a3- ebb9d7fa6bf(v=ws.10)#BKMK_Auth2Gives a step by step explanation on using Active Directory Users and Computers.

Old explanation:Get-ADDomainControllerPasswordReplicationPolicyUsage o get accounts that are authenticated by the RODC,use the AuthenticatedAccounts parameter. To get the accounts that have passwords stored on the RODC, usethe RevealedAccounts parameter. http://technet.microsoft.com/en-us/library/ee617194.aspx


You need to generate a file that contains the last logon time and the custom attribute values for each user in theforest.What should you use?

A. the Get-ADUser cmdletB. the Export-CSV cmdletC. the Net User commandD. the Dsquery User tool



Export-CSV cannot perform queries. It is used to save queries that have been piped through.Net User is too limited for our question.Get-ADUserReferences:https://devcentral.f5.com/weblogs/Joe/archive/2009/01/09/powershell-abcs---o-is-for- output.aspxhttp://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/8d8649d9- f591-4b44-b838-e0f5f3a591d7http://kpytko.wordpress.com/2012/07/30/lastlogon-vs-lastlogontimestamp/

Export-CsvReference:


Saving Data as a Comma-Separated Values File

The Export-Csv cmdlet makes it easy to export data as a comma-separated values (CSV) file; all you need todo is call Export-Csv followed by the path to the CSV file. For example, this command uses Get-Process tograb information about all the processes running on the computer, then uses Export-Csv to write that data to afile named C:\Scripts\Test.txt: Get- Process | Export-Csv c:\scripts\test.txt.

Net User

Reference:


Adds or modifies user accounts, or displays user account information.

DSQUERY

"A Composite Solution With Just One Click" - Certification Guaranteed 320 Microsoft 70-640 : Practice TestReference 1:


Parameters

{<StartNode> | forestroot | domainroot}

Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot),domain root (domainroot), or distinguished name of a node as the start node <StartNode>. If you specifyforestroot, AD DS searches by using the global catalog.

-attr {<AttributeList> | *} Specifies that the semicolon separated LDAP display names included in <AttributeList>for each entry in the result set. If you specify the value of this parameter as a wildcard character (*), thisparameter displays all attributes that are present on the object in the result set. In addition, if you specify a *,this parameter uses the default output format (a list), regardless of whether you specify the -l parameter. Thedefault <AttributeList> is a distinguished name.

Reference 2:

http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/dda5fcd6-1a10-4d47- 9379-02ca38aaa65b

Give an example of how to find a user with certain attributes using Dsquery. Note that it uses domainroot as thestartnode, instead of forestroot what we need.

Reference 3:

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/c6fc3826-78e1- 48fd-ab6f-690378e0f787/

List all last login times for all users, regardless of whether they are disabled.

dsquery * -filter "(&(objectCategory=user)(objectClass=user))" -limit 0 -attr givenName sn sAMAccountName

lastLogon>>c:\last_logon_for_all.txt

QUESTION 94

You have an Active Directory domain named contoso.com.

You need to view the account lockout threshold and duration for the domain.


A. Net UserB. Active Directory Users and ComputersC. Group Policy Management Console (GPMC)D. Computer Management



QUESTION 95A domain controller named DC4 runs Windows Server 2008 R2. DC4 is configured as a DNS server forfabrikam.com.

You install the DNS Server server role on a member server named DNS1 and then you create a standardsecondary zone for fabrikam.com. You configure DC4 as the master server for the zone.

You need to ensure that DNS1 receives zone updates from DC4.

What should you do?

A. Add the DNS1 computer account to the DNSUpdateProxy group.B. On DC4, modify the permissions offabrikam.com zone.C. On DNS1, add a conditional forwarder.D. On DC4, modify the zone transfer settings for the fabrikam.com zone.








"A Composite Solution With Just One Click" - Certification Guaranteed 322 Microsoft 70-640 : Practice Test2. Right-click a DNS zone, and then click Properties.








QUESTION 96A company has an Active Directory forest. You plan to install an offline Enterprise root certification authority(CA) on a server named CA1. CA1 is a member of the PerimeterNetwork workgroup and is attached to ahardware security module for private key storage.

You attempt to add the Active Directory Certificate Services (AD CS) server role to CA1.The Enterprise CA option is not available.

You need to install the AD CS server role as an Enterprise CA on CA1.


A. Add the DNS Server server role to CA1.B. Add the Web Server (IIS) server role and the AD CS server role to CA1.C. Add the Active Directory Lightweight Directory Services (AD LDS) server role to CA1.D. Join CA1 to the domain.



Reference 1:http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/ Many times,administrators ask me what to do when installing Active Directory Certificate Services they cannot choose toinstall Enterprise Certification Authority, because it's unavailable.Well, you need to fulfill basic requirements:1. Server machine has to be a member server (domain joined).2. (...)

Reference 2:http://social.technet.microsoft.com/Forums/en/w7itproSP/thread/34f95b81-b196-4211- 9a99-a06108521268

QUESTION 97Your company has an Active Directory forest. Each regional office has an organizational unit (OU) namedMarketing. The Marketing OU contains all users and computers in the region's Marketing department.

You need to install a Microsoft Office 2007 application only on the computers in the Marketing OUs.

You create a GPO named MarketingApps.


A. Configure the GPO to assign the application to the computer account. Link the GPO to the domain.B. Configure the GPO to assign the application to the user account. Link the GPO to each Marketing OU.C. Configure the GPO to assign the application to the computer account. Link the GPO to each Marketing OU.D. Configure the GPO to publish the application to the user account. Link the GPO to each Marketing OU.



We need to assign the software to the computers, and link the GPO to each Marketing OU. We do not link it tothe domain, then every computer would have the software.

Reference:

http://support.microsoft.com/kb/816102

You can use Group Policy to distribute computer programs by using the following methods:

Assigning Software You can assign a program distribution to users or computers. If you assign the program toa user, it is installed when the user logs on to the computer. When the user first runs the program, theinstallation is completed. If you assign the program to a computer, it is installed when the computer starts, and itis available to all users who log on to the computer. When a user first runs the program, the installation iscompleted.

Publishing Software

You can publish a program distribution to users. When the user logs on to the computer, the published programis displayed in the Add or Remove Programs dialog box, and it can be installed from there.


The Active Directory sites are configured as shown in the Sites exhibit. (Click the Exhibit button.)

You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes between thesites.

What should you do?

A. Configure DC1 as a preferred bridgehead server for IP transport.B. Configure DC4 as a preferred bridgehead server for IP transport.C. From the DC4 server object, create a Connection object for DC1.D. From the DC1 server object, create a Connection object for DC4.




Bridgehead Servers



"A Composite Solution With Just One Click" - Certification Guaranteed 326 Microsoft 70-640 : Practice TestHowever, you can use Active Directory Sites and Services to specify which domain controller will be thepreferred bridgehead server by using the following steps:





Please Check Answer

Connections. The KCC creates connections that enable domain controllers to replicate with each other. Aconnection defines a one-way, inbound route from one domain controller, the source, to another domaincontroller, the destination. The KCC reuses existing connections where it can, deletes unused connections, andcreates new connections if none exist that meet the current need. Bridgehead Servers. To communicate acrosssite links, the KCC automatically designates a single server, called the bridgehead server, in each site toperform site-to-site replication. Subsequent replication occurs by replication within a site. When site links areestablished, authorized administrators can designate the bridgehead servers that they want to receivereplication between sites. By designating a specific server to receive replication between sites, rather thanusing any available server, authorized administrators can specify the most beneficial conditions for theconnection between sites. Bridgehead servers ensure that most replication occurs within sites rather thanbetween sites.

http://technet.microsoft.com/library/dd277429.aspx

QUESTION 99Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named DC1. DC1 has the DNS Server server role installed and hosts an Active Directory-integratedzone for contoso.com. The no-refresh interval and the refresh interval are both set to three days. The AdvancedDNS settings of DC1 are shown in the Advanced DNS Settings exhibit. (Click the Exhibit button.)

You open the properties of a static record named Server1 as shown in the Server1 Record exhibit.

(Click the Exhibit button.)


You discover that the scavenging process ran today, but the record for Server1 was not deleted.

You run dnscmd.exe and specify the age all records parameter.

You need to identify when the record for Server1 will be deleted from the zone.

In how many days will the record be deleted?

A. 13B. 10C. 23D. 7




The blank Record time stamp field indicates a static record. That's the reason it wasn't deleted. The timestamphas been set using dnscmd /ageallrecords. The Time to live setting means that the server will hold a cachedrecord for 10 days, so it has nothing to do with this question. The record will become stale in six days (no-refresh interval + refresh interval, that's 3 + 3 days), so now that the timestamp has been set it will be deleted

when the next scavenging operation occurs, in seven days.

Reference 1:http://technet.microsoft.com/en-us/library/cc772069.aspx dnscmd /ageallrecords Sets the current time on alltime stamps in a zone or node. Record scavenging does not occur unless the records are time stamped. Nameserver (NS) resource records, start of authority (SOA) resource records, and Windows Internet Name Service(WINS) resource records are not included in the scavenging process, and they are not time stamped evenwhen the ageallrecords command runs.

Reference 2:http://www.windowsitpro.com/article/dns/scavenging-stale-dns-records

When a record is older than the sum of the no-refresh interval and the refresh interval, the scavenging featureconsiders the record stale and deletes it. So, when you set No-refresh interval to 3 days and Refresh interval to5 days, scavenging will delete records that are more than 8 days old.


Each organizational unit (OU) contains over 500 user accounts.

The Finance OU and the Human Resources OU contain several user accounts that are members of a universalgroup named Group1.


You need to prevent the GPO from being applied to the members of Group1 only.

What should you do?





"GPOs are linked to OUs, not groups. Block inhertance blocks all inherited GPOs from being applied to the OU.The security filter will only help you specify groups. So you have two choices. You could remove authenticatedusers in the secuirty filter and add groups containing everyone except group1 members(messy solution) or youcould leave authenticated users there, and specify group1 with deny apply gpo permission for the gpo(sincedeny will alwys win over allow)."

The reference below explains a situation where the GPO only needs to be applied to one group, it's the otherway around so to speak.

Reference:

MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 285, 286

Using Security Filtering to Modify GPO Scope

By now, you've learned that you can link a GPO to a site, domain, or OU. However, you might need to applyGPOs only to certain groups of users or computers rather than to all users or computers within the scope of theGPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specificsecurity groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group Policypermissions to the GPO.

Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Readand Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to acomputer (for example, by its link to the computer's OU), but the computer does not have Read and ApplyGroup Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriatepermissions for security groups, you can filter a GPO so that its settings apply only to the computers and usersyou specify.

Filtering a GPO to Apply to Specific Groups

To apply a GPO to a specific security group, perform the following steps:

4. Select the GPO in the Group Policy Objects container in the console tree.

5. In the Security Filtering section, select the Authenticated Users group and click Remove.

6. Click OK to confirm the change.

7. Click Add.

8. Select the group to which you want the policy to apply and click OK.


Topic 5, Volume E

Exam E


The forest contains four child domains named europe.adatum.com, northamerica.adatum.com,asia.adatum.com, and africa.adatum.com.

You need to create four new groups in the forest root domain. The groups must be configured as shown in thefollowing table.

What should you do?

To answer, drag the appropriate group type to the correct group name in the answer area.

A.B.C.D.



QUESTION 2CORRECT TEXT - (Topic 5)

Your network contains an Active Directory domain named adatum.com.

You need to use Group Policies to deploy the line-of-business applications shown in the following table.

What should you do?

To answer, drag the appropriate deployment method to the correct application in the answer area.

A.B.C.D.


Explanation/Reference:Answer: <map><m x1="10" x2="141" y1="31" y2="56" ss="0" a="0" /><m x1="12" x2="145" y1="64" y2="88"ss="0" a="0" /><m x1="13" x2="144" y1="96" y2="123" ss="0" a="0" /><m x1="228" x2="357" y1="55" y2="81"ss="1" a="0" /><m x1="372" x2="507" y1="55" y2="84" ss="1" a="0" /><m x1="517" x2="646" y1="58" y2="82"ss="1" a="0" /><c start="0" stop="0" /><c start="2" stop="1" /><c start="1" stop="2" /></map>

Answer:



The DNS infrastructure fails.

You rebuild the DNS infrastructure.

You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.

Which service should you restart on the domain controllers?

To answer, select the appropriate service in the answer area.

A.B.C.D.





The password policy of the forest requires that the passwords for all of the user accounts be changed every 30days.

You need to create user accounts that will be used by services. The passwords for these accounts must bechanged automatically every 30 days.

Which tool should you use to create these accounts?

To answer, select the appropriate tool in the answer area.

A.B.C.D.




QUESTION 5Your network contains an Active Directory forest named contoso.com. All client computers run Windows 7Enterprise.

You need automatically to create a local group named PowerManagers on each client computer that contains abattery. The solution must minimize the amount of administrative effort.

Which node in Group Policy Management Editor should you use?

To answer, select the appropriate node in the answer area.

A.B.C.D.




QUESTION 6Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named Server1. Server1 has an IP address of 192.168.200.100.

You need to view the Pointer (PTR) record for Server1.

Which zone should you open in the DNS snap-in to view the record?

To answer, select the appropriate zone in the answer area.

A.B.C.D.




You need to create a new site link between two sites named Site1 and Site3. The site link must support thereplication of domain objects.

Under which node in Active Directory Sites and Services should you create the site link?


A.B.C.D.




QUESTION 8Your company has a main office and a branch office. All servers are located in the main office. The networkcontains an Active Directory forest named adatum.com. The forest contains a domain controller namedMainDC that runs Windows Server 2008 R2 Enterprise and a member server named FileServer that runsWindows Server 2008 R2 Standard.

You have a kiosk computer named Public_Computer that runs Windows 7. Public_Computer is not connectedto the network.

You need to join Public_Computer to the adatum.com domain.

What should you do?

To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area andarrange them in the correct order.

A.B.C.D.



QUESTION 9Your network contains two forests named contoso.com and fabrikam.com. The functional level of all thedomains is Windows Server 2003. The functional level of both forests is Windows 2000.

You need to create a trust between contoso.com and fabrikam.com. The solution must ensure that users fromcontoso.com can only access the servers in fabrikam.com that have the Allowed to Authenticate permissionset.

What should you do?


A.B.C.D.



QUESTION 10

Your network contains an Active Directory forest named contoso.com. You need to create an Active DirectoryRights Management Services (AD RMS) licensing-only cluster.

What should you do?


A.B.C.D.



QUESTION 11Your network contains an Active Directory forest named contoso.com. The forest contains a domain controllernamed DC1 that runs Windows Server 2008 R2 Enterprise and a member server named Server1 that runsWindows Server 2008 R2 Standard. You have a computer named Computer1 that runs Windows 7. Computer1is not connected to the network.

You need to join Computer1 to the contoso.com domain.

What should you do?



A.B.C.D.



QUESTION 12You need to modify the Password Replication Policy on a read-only domain controller (RODC).


To answer, select the appropriate tool in the answer area.

A.B.C.D.




You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).

Under which node in the DNS snap-in should you add a zone?


A.B.C.D.



QUESTION 14Your company has two domain controllers named DC1 and DC2. DC1 hosts all domain and forest operationsmaster roles. DC1 fails.

You need to rebuild DC1 by reinstalling the operating system. You also need to rollback all operations masterroles to their original state.

You perform a metadata cleanup and remove all references of DC1.

Which three actions should you perform next?

(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in thecorrect order.)


A.B.C.D.



QUESTION 15A server named DC1 has the Active Directory Domain Services (AD DS) role and the Active Directory

Lightweight Directory Services (AD LDS) role installed. An AD LDS instance named LDS1 stores its data on theC: drive.

You need to relocate the LDS1 instance to the D: drive.

Which three actions should you perform in sequence?

(To answer, move the three appropriate actions from the list of actions to the answer area and arrange them inthe correct order.)

A.B.C.D.



QUESTION 16You need to perform an offline defragmentation of an Active Directory database.

Which four actions should you perform in sequence?

(To answer, move the appropriate four actions from the list of actions to the answer area and arrange them inthe correct order.)

A.B.C.D.



QUESTION 17Your company has an Active Directory forest that contains multiple domain controllers. The domain controllersrun Windows Server 2008.

You need to perform an authoritative restore of a deleted organizational unit and its child objects.

Which four actions should you perform in sequence?

(To answer, move the appropriate four actions from the list of actions to the answer area, and arrange them inthe correct order.)

A.B.C.D.




QUESTION 18ABC.com has an Active Directory forest on a single domain. The domain operates Windows Server 2008. Anew administrator accidentally deletes the entire organizational unit in the Active Directory database that hosts6000 objects.

You have backed up the system state data using third-party backup software. To restore backup, you start thedomain controller in the Directory Services Restore Mode (DSRM).

You need to perform an authoritative restore of the organizational unit and restore the domain controller to itsoriginal state.

Which three actions should you perform?

A.B.C.D.




QUESTION 19Your network contains an Active Directory domain named contoso.com. The domain contains a server namedServer1 and a domain controller named DC1.

On Server1, you configure a collector-initiated subscription for the Application log of DC1. The subscription isconfigured to collect all events.

After several days, you discover that Server1 failed to collect any events from DC1, although there are morethan 100 new events in the Application log of DC1.

You need to ensure that Server1 collects events from DC1.

What should you do?

A. On Server1, run wecutil quick-config.B. On Server1, run winrm quickconfig.C. On DC1, run wecutil quick-config.D. On DC1, run winrm quickconfig.



Since the subscription has been created, wecutil quick-config has already run on Server1. Only thing left is toconfigure DC1 to forward the events, using winrm quickconfig.Reference1:Mastering Windows Server 2008 R2 (Sybex, 2010) page 773 Windows event Collector ServiceThe first time you select the Subscriptions node of Event Viewer or the Subscription tab of any log, a dialog boxwill appear stating that the Windows Event Collector Service must be running and configured. It then askswhether you want to start and configure the service. If you click Yes, it starts the service and changes thestartup type from Manual to Automatic (Delayed Start), causing it to start each time Windows starts.

Reference 2:http://technet.microsoft.com/en-us/library/cc748890.aspx To configure computers in a domain to forward andcollect events1. Log on to all collector and source computers. It is a best practice to use a domain account with administrativeprivileges.2. On each source computer, type the following at an elevated command prompt: winrm quickconfig

QUESTION 20A network contains an Active Directory Domain Services (AD DS) domain. Active Directory is configured asshown in the following table.

The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is WindowsServer 2003.

Active Directory replication between the Seattle site and the Chicago site occurs from 8:00

A. M. to 1:00 A.M. every day.At 7:00 A.M. an administrator deletes a user account while he is logged on to DC001.You need to restore the deleted user account. You must achieve this goal by using the minimumadministrative effort.What should you do?

B. On DC006, stop AD DS, perform an authoritative restore, and then start AD DS.C. On DC001, run the Restore-ADObject cmdlet.D. On DC006, run the Restore-ADObject cmdlet.E. On DC001, stop AD DS, restore the system state, and then start AD DS.


Explanation


We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and youcan only use Recycle Bin when the forest functional level is set to

Windows Server 2008 R2. In the question text it says "The functional level of the forest is Windows Server2003."See http://technet.microsoft.com/nl-nl/library/dd379481.aspx

Performing an authoritative restore on DC006 updates the Update Sequence Number (USN) on that DC, whichcauses it to replicate the restored user account to other DC's.Reference 1:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 692 "An authoritative restorerestores data that was lost and updates the Update Sequence Number (USN) for the data to make itauthoritative and ensure that it is replicated to all other servers."Reference 2:

http://technet.microsoft.com/en-us/library/cc755296.aspx Authoritative restore of AD DS has the followingrequirements:(...)You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restorecommand and restart the service after the command is complete.

QUESTION 21Your network contains an Active Directory domain. The domain is configured as shown in the exhibit.

You have a Group Policy Object (GPO) linked to the domain.

You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts inthe Finance organizational unit (OU). You must achieve this goal by using the minimum amount ofadministrative effort.

What should you do?

A. Modify the Group Policy permissions.B. Configure WMI filtering.C. Enable block inheritance.D. Enable loopback processing in replace mode.E. Configure the link order.F. Configure Group Policy Preferences.G. Link the GPO to the Human Resources OU.H. Configure Restricted Groups.I. Enable loopback processing in merge mode.J. Link the GPO to the Finance OU.




Block Inheritance

You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policyobjects (GPOs) that are linked to higher sites, domains, or organizational units from being automaticallyinherited by the child-level.



You have two Group Policy Objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the

Sales OU and contain multiple settings. You discover that GPO2 has a setting that conflicts with a setting inGPO1. When the policies are applied, the setting in GPO2 takes effect.

You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure thatall non-conflicting settings in both GPOs are applied.

What should you do?

A. Configure Restricted Groups.B. Configure the link order.C. Link the GPO to the Sales OU.D. Link the GPO to the Engineer OU.E. Enable loopback processing in merge mode.F. Modify the Group Policy permissions.G. Configure WMI filtering.H. Configure Group Policy Permissions.I. Enable loopback processing in replace mode.J. Enable block inheritance.




Precedence of Multiple Linked GPOs

An OU, domain, or site can have more than one GPO linked to it. In the event of multiple GPOs, the GPOs' linkorder determines their precedence. In Figure 6-10, two GPOs are linked to the People OU.

Figure 6-10 GPO link order

The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that areenabled or disabled in the Power User Configuration GPO have precedence over these same settings in theStandard User Configuration GPO.

To change the precedence of a GPO link:

1. Select the OU, site, or domain in the GPMC console tree.

2. Click the Linked Group Policy Objects tab in the details pane.

3. Select the GPO.

4. Use the Up, Down, Move To Top, and Move To Bottom arrow icons to change the link order of the selectedGPO.


QUESTION 23All vendors belong to a global group named vendors.

You place three file servers in a new organizational unit (OU) named ConfidentialFileServers. The three fileservers contain confidential data located in shared folders.

You need to record any failed attempts made by the vendors to access the confidential data.


A. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU. Configurethe Audit object access failure audit policy setting.

B. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU. Configurethe Audit privilege use Failure audit policy setting.

C. On each shared folder on the three file servers, add the Vendors global group to the Auditing tab.Configure Failed Full control setting in the AuditingEntry dialog box.

D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure FailedFull control setting in the AuditingEntry dialog box.

E. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU. Configurethe Deny access to this computer from the network user rights setting for the Vendors global group.



Windows Server 2008 R2 Unleashed (SAMS, 2010) page 671

Auditing Resource Access Object access can be audited, although it is not one of the recommended settings.Auditing object access can place a significant load on the servers, so it should only be enabled when it isspecifically needed. Auditing object access is a two- step process: Step one is enabling "Audit object access"and step two is selecting the objects to be audited. When enabling Audit object access, you need to decide ifboth failure and success events will be logged. The two options are as follows:

Audit object access failure enables you to see if users are attempting to access objects to

which they have no rights. This shows unauthorized attempts.

Audit object access success enables you to see usage patterns. This shows misuse of privilege.

After object access auditing is enabled, you can easily monitor access to resources such as folders, files, andprinters.

Auditing Files and Folders

The network administrator can tailor the way Windows Server 2008 R2 audits files and folders through theproperty pages for those files or folders. Keep in mind that the more files and folders that are audited, the moreevents that can be generated, which can increase administrative overhead and system resource requirements.

Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following:

1. In Windows Explorer, right-click the file or folder to audit and select Properties.

2. Select the Security tab and then click the Advanced button.

3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button.

4. Click the Add button to display the Select User or Group window.

5. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names buttonto verify the name.

QUESTION 24A corporate network includes a single Active Directory Domain Services (AD DS) domain.

The HR department has a dedicated organizational unit (OU) named HR. The HR OU has two sub-OUs: HRUsers and HR Computers. User accounts for the HR department reside in the HR Users OU. Computeraccounts for the HR department reside in the HR Computers OU. All HR department employees belong to asecurity group named HR Employees. All HR department computers belong to a security group named HRPCs.

Company policy requires that passwords are a minimum of 6 characters.

You need to ensure that, the next time HR department employees change their passwords,

"A Composite Solution With Just One Click" - Certification Guaranteed 360 Microsoft 70-640 : Practice Testthe passwords are required to have at least 8 characters. The password length requirement should not changefor employees of any other department.

What should you do?

A. Modify the password policy in the GPO that is applied to the domain.

B. Create a new GPO, with the necessary password policy, and link it to the HR Users OU.C. Create a new GPO, with the necessary password policy, and link it to the HR Computers OU.D. Modify the password policy in the GPO that is applied to the domain controllers OU.


Explanation/Reference::


What do fine-grained password policies do?

You can use fine-grained password policies to specify multiple password policies within a single domain. Youcan use fine-grained password policies to apply different restrictions for password and account lockout policiesto different sets of users in a domain.

For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts ofother users. In other cases, you might want to apply a special password policy for accounts whose passwordsare synchronized with other data sources.

Are there any special considerations?

Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead ofuser objects) and global security groups. By default, only members of the Domain Admins group can set fine-grained password policies. However, you can also delegate the ability to set these policies to other users. Thedomain functional level must be Windows Server 2008.

Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply fine-grainedpassword policy to users of an OU, you can use a shadow group

QUESTION 25

A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular useraccounts reside in an organisational unit (OU) named Employees. All administrator accounts reside in an OUnamed Admins.

You need to ensure that any time an administrator modifies an employee's name in AD DS, the change isaudited.


A. Create a Group Policy Object with the Audit directory service access setting enabled and link it to theEmployees OU.

B. Modify the searchFlags property for the Name attribute in the Schema.C. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the

Admins OU.D. Use the Auditpol.exe command-line tool to enable the directory service changes auditing subcategory.



Before we can use the Directory Service Changes audit policy subcategory, we have to enable it first. We cando that by using auditpol.exe.Reference:


Auditing changes to objects in AD DS

In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access,that controlled whether auditing for directory service events was enabled or disabled. In Windows Server 2008,this policy is divided into four subcategories:

Directory Service Access

Directory Service Changes

Directory Service Replication

Detailed Directory Service Replication

The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory DirectoryService Changes. This guide provides instructions for implementing this audit policy subcategory.

The types of changes that you can audit include a user (or any security principal) creating,

"A Composite Solution With Just One Click" - Certification Guaranteed 362 Microsoft 70-640 : Practice Testmodifying, moving, or undeleting an object. The new audit policy subcategory adds the following capabilities toauditing in AD DS:

When a successful modify operation is performed on an attribute, AD DS logs the previous and current valuesof the attribute. If the attribute has more than one value, only the values that change as a result of the modifyoperation are logged.

(...)

Steps to set up auditing

This section includes procedures for each of the primary steps for enabling change auditing:

Step 1: Enable audit policy.

Step 2: Set up auditing in object SACLs by using Active Directory Users and Computers.


This step includes procedures to enable change auditing with either the Windows interface or a command line:

(...)

By using the Auditpol command-line tool, you can enable individual subcategories.

To enable the change auditing policy using a command line


2. Type the following command, and then press ENTER:

auditpol /set /subcategory:"directory service changes" /success:enable

QUESTION 26

Your network contains an Active Directory forest named contoso.com.

You need to provide a user named User1 with the ability to create and manage subnet objects.

The solution must minimize the number of permissions assigned to User1.

What should you do?

A. From Active Directory Users and Computers, run the Delegation of Control wizard.B. From Active Directory Administrative Centre, add User1 to the Schema Admins group.C. From Active Directory Sites and Services, run the Delegation of Control wizard.D. From Active Directory Administrative Centre, add User1 to the Network Configuration Operators group.



Adding the user to the Schema Admins group, or to the Network Configuration Operators group would giveUser1 too much rights. Since we have to delegate an administrative task concerning subnets, we have to runthe Delegation of Control wizard from Active Directory Sites and Services.Reference below is for Windows Server 2003 R2, but is still valid for 2008 R2.Reference:


Delegate control of a site

To delegate control of a site

1. Open Active Directory Sites and Services.

2. Right-click the container whose control you want to delegate, and then click Delegate Control to start theDelegation of Control Wizard.

3. Follow the instructions in the Delegation of Control Wizard.

Notes

(...)

In Active Directory Sites and Services, you can delegate control for the subnets, intersite transports, sites, andserver containers.

QUESTION 27

A corporate network contains a Windows Server 2008 R2 Active Directory forest.

You need to add a User Principle Name (UPN) suffix to the forest.

What tool should you use?

A. Dsmgmt.B. Active Directory Domains and Trusts console.C. Active Directory Users and Computers console.D. Active Directory Sites and Services console.



http://www.kassapoglou.com/windows-server-2008-lesson-23-video-creating-a-user/

Demonstration adding a UPN Suffix

To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the start menu.

Right click Active Directory Domains and Trusts at the top and open the properties. From here you can add andremove additional domain UPN suffixes for the forest.

QUESTION 28Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has twodomain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4.

DC3 fails.

You discover that replication no longer occurs between the sites.

You verify the connectivity between DC4 and the domain controllers in Site1.

On DC4, you run repadmin.exe /kcc.

Replication between the sites continues to fail.

"A Composite Solution With Just One Click" - Certification Guaranteed 365 Microsoft 70-640 : Practice TestYou need to ensure that Active Directory data replicates between the sites.

What should you do?

A. From Active Directory Sites and Services, configure the NTDS Site Settings of Site2.B. From Active Directory Sites and Services, configure DC3 so it is not a preferred bridgehead server.C. From Active Directory Users and Computers, configure the NTDS settings of DC4.D. From Active Directory Users and Computers, configure the location settings of DC4.




Bridgehead Servers A bridgehead server is the domain controller designated by each site's KCC to take controlof intersite replication. The bridgehead server receives information replicated from other sites and replicates itto its site's other domain controllers. It ensures that the greatest portion of replication occurs within sites ratherthan between them.


However, you can use Active Directory Sites and Services to specify which domain controller will be the

preferred bridgehead server by using the following steps:




QUESTION 29Your network contains an Active Directory domain named contoso.com.All domain controllers were upgraded from Windows Server 2003 to Windows Server 2008 R2 Service Pack 1(SP1). The functional level of the domain is Windows Server 2003.

You need to configure SYSVOL to use DFS Replication.

Which tools should you use? (Each correct answer presents part of the solution. Choose two.)

A. DfsrmigB. FrsdiagC. NtdsutilD. Set-ADForestE. RepadminF. Set-ADDomainModeG. DFS Management

Correct Answer: AFSection: (none)Explanation


First we need to upgrade the domain functional level, using Set-ADDomainMode. Then, now that the domaincontrollers have been upgraded to Windows Server 2008 R2 and the domain functional level has beenupgraded (to Windows Server 2008 (R2)), we can migrate to DFS Replication for replicating SYSVOL, insteadof File Replication Service (FRS) of previous Windows Server versions. We can use Dfsrmig for that migration.

Reference 1:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 543 In versions of WindowsServer prior to Windows Server 2008, the FRS was used to replicate the contents of SYSVOL between domaincontrollers. FRS has limitations in both capacity and performance that cause it to break occasionally.Unfortunately, troubleshooting and configuring FRS is quite difficult. In Windows Server 2008 and WindowsServer 2008 R2 domains, you have the option to use DFS-R to replicate the contents of SYSVOL.

Reference 2:http://technet.microsoft.com/en-us/library/ee617230.aspx Set-ADDomainModeThe Set-ADDomainMode cmdlet sets the domain mode for a domain. You specify the domain mode by settingthe DomainMode parameter. The domain mode can be set to the following values that are listed in order offunctionality from lowest to highest.


Windows2000DomainWindows2003InterimDomainWindows2003DomainWindows2008Domain

Windows2008R2Domain

Reference 3:http://technet.microsoft.com/en-us/library/dd639809.aspx Migrating to the Prepared StateThe following sections provide an overview of the procedures that you perform when you migrate SYSVOLreplication from File Replication Service (FRS) to Distributed File System (DFS Replication).This migration phase includes the tasks in the following list.(...)Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Preparedstate.

QUESTION 30You manage an Active Directory forest named contoso.com.

The forest contains an empty root domain named contoso.com and a child domain named child.contoso.com.

All domain controllers run Windows Server 2008. The functional level of the forest is Windows Server 2008.

You need to raise the functional level of the forest to Windows Server 2008 R2. You must achieve this goal byusing the minimum amount of administrative effort.

What should you do?



A.B.C.D.





You attempt to run adprep /domainprep and the operation fails.

You discover that the first domain controller deployed to the forest failed.

You need to run adprep /domainprep successfully.

What should you do?

A. Move the domain naming master role.

B. Install a read-only domain controller (RODC).C. Move the PDC emulator role.D. Move the RID master role.E. Move the infrastructure master role.F. Deploy an additional global catalog server.G. Move the bridgehead server.H. Move the schema master role.I. Restart the Active Directory Domain Services (AD DS) service.J. Move the global catalog server.


Explanation/Reference:Explanation:Adprep /domainprep must be run on the server holding the Infrastructure Master role. The role was originallyinstalled on the first domain controller in the forest. Now it's down and another domain controller must get theInfrastructure Master role.Reference 1:

http://technet.microsoft.com/en-us/library/cc754889.aspx Planning Operations Master Role PlacementOperations master role holders are assigned automatically when the first domain controller in a given domain iscreated. The two forest-level roles (schema master and domain naming master) are assigned to the firstdomain controller created in a forest. In addition, the three domain-level roles (RID master, infrastructuremaster, and PDC emulator) are assigned to the first domain controller created in a domain.



Adprep /domainprep Must be run on the infrastructure operations master for the domain.


You discover the following event in the Event log of client computers: "The time provider NtpClient was unableto find a domain controller to use as a time source. NtpClient will try again in %1 minutes."

You need to ensure that the client computers can synchronize their clocks properly.

What should you do?

A. Move the domain naming master role.B. Restart Active Directory Domain Services (AD DS) service.C. Move the PDC emulator role.D. Move the infrastructure master role.E. Move the global catalog server.F. Move the RID master role.G. Move the bridgehead server.H. Move the schema master role.I. Deploy an additional global catalog server.J. Install a read-only domain controller (RODC).


Explanation/Reference:Explanation:It could be that the server holding the PDC Emulator role has failed. Whatever the cause, we need to move thePDC Emulator role to another domain controller to restore time synchronization in the domain.Reference 1:http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operat ing+System&ProdVer=5.2&EvtID=14&EvtSrc=w32time&LCID=1033

Event IDMessage


The time provider NtpClient was unable to find a domain controller to use as a time source.NtpClient will try again in %1 minutes.

ExplanationWindows Time Service is configured to use the domain hierarchy to locate its time source. It could not locate adomain controller that is a suitable time source. The time service will continue to search for an acceptabledomain controller. If the time service cannot locate a time source after the maximum number of attempts, theWin32Time 49 message will be logged.

Reference 2:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 531 PDC Emulator RoleThe PDC Emulator role performs multiple, crucial functions for a domain:(...)Provides a master time source for the domain - Active Directory, Kerberos, File Replication Service(FRS), and Distributed File System Replication (DFS-R) each rely on timestamps, so synchronizing the timeacross all systems in a domain is crucial. The PDC emulator in the forest root domain is the time master for theentire forest, by default. The PDC emulator in each domain synchronizes its time with the forest root PDCemulator. Other domain controllers in the domain synchronize their clocks against that domain's PDC emulator.All other domain members synchronize their time with their preferred domain controller. This hierarchicalstructure of time synchronization, all implemented through the Win32Time service, ensures consistency of time.Coordinated Universal Time (UTC) is synchronized, and the time displayed to users is adjusted based on thetime zone setting of the computer.

QUESTION 33Your network contains an Active Directory forest named contoso.com. The functional level of the forest isWindows Server 2008 R2. The DNS zone for contoso.com is Active Directory-integrated.

You deploy a read-only domain controller (RODC) named RODC1.

You install the DNS Server server role on RODC1.

You discover that RODC1 does not have any application directory partitions.

You need to ensure that RODC1 has a directory partition of contoso.com.

What should you do?

A. From DNS Manager, create secondary zones.B. Run Dnscmd.exe, and specify the /enlistdirectorypartition parameter.C. From DNS Manager, right-click RODC1 and click Update Server Data Files.D. Run Dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.




RODC Post-Installation Configuration

If you install DNS server after the AD DS installation, you must also enlist the RODC in the DNS applicationdirectory partitions. The RODC is not enlisted automatically in the DNS application directory partitions by designbecause it is a privileged operation. If the RODC were allowed to enlist itself, it would have permissions to addor remove other DNS servers that are enlisted in the application directory partitions.


1. Open an elevated command prompt.

2. At the command prompt, type the following command, and then press ENTER:

dnscmd<ServerName> /EnlistDirectoryPartition <FQDN>

For example, to enlist RODC01 in the domain-wide DNS application directory partition in a domain namedchild.contoso.com, type the following command:

dnscmd RODC01 /EnlistDirectoryPartition DomainDNSZones.child.contoso.com


"A Composite Solution With Just One Click" - Certification Guaranteed 373 Microsoft 70-640 : Practice TestYou need to identify whether a fine-grained password policy is applied to a specific group.


A. Credential ManagerB. Group Policy Management EditorC. Active Directory Users and ComputersD. Active Directory Sites and Services



Use Active Directory Users and Computers to determine the value of the msDS- PSOApplied attribute of thespecific group:1. Open the Properties windows for the group in Active Directory Users and Computers2. Click the Attribute Editor tab, and then click Filter3. Ensure that the Show attributes/Optional check box is selected.4. Ensure that the Show read-only attributes/Backlinks check box is selected.5. Locate the value of msDS-PSOApplied in the Attributes list.Reference:


Defining the scope of fine-grained password policies

A PSO can be linked to a user (or inetOrgPerson) or a group object that is in the same domain as the PSO: (...)

A new attribute named msDS-PSOApplied has been added to the user and group objects in Windows Server2008. The msDS-PSOApplied attribute contains a back-link to the PSO. Because the msDSPSOAppliedattribute has a back-link, a user or group can have multiple PSOs applied to it.

As stated previously, in Windows Server 2008, a user or group can have multiple PSOs applied to it since themsDS-PSOApplied attribute of the user and group objects has a back-link to the PSO.

QUESTION 35

Your network contains an Active Directory domain named contoso.com.

You need to create one password policy for administrators and another password policy for all other users.


A. Group Policy Management EditorB. Group Policy Management Console (GPMC)C. Authorization ManagerD. Ldifde



http://technet.microsoft.com/en-US/library/cc754461.aspx

Creating a PSO using ldifde

You can use the ldifde command as a scriptable alternative for creating PSOs.

To create a PSO using ldifde

1. Define the settings of a new PSO by saving the following sample code as a file, for example, pso.ldf: dn:CN=PSO1, CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com changetype: addobjectClass:msDS-PasswordSettings

msDS-MaximumPasswordAge:-1728000000000

msDS-MinimumPasswordAge:-864000000000

msDS-MinimumPasswordLength:8

msDS-PasswordHistoryLength:24

msDS-PasswordComplexityEnabled:TRUE

msDS-PasswordReversibleEncryptionEnabled:FALSE

msDS-LockoutObservationWindow:-18000000000

msDS-LockoutDuration:-18000000000

msDS-LockoutThreshold:0

msDS-PasswordSettingsPrecedence:20

"A Composite Solution With Just One Click" - Certification Guaranteed 375 Microsoft 70-640 : Practice TestmsDS-PSOAppliesTo:CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com

2. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.


ldifde i f pso.ldf

QUESTION 36Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forestcontains one domain. A two-way forest trust exists between the forests.

You plan to add users from fabrikam.com to groups in contoso.com.

You need to identify which group you must use to assign users in fabrikam.com access to the shared folders incontoso.com.

To which group should you add the users?

A. Group 1: Security Group - Domain Local.B. Group 2: Distribution Group - Domain Local.C. Group 3: Security Group - Global.D. Group 4: Distribution Group - Global.E. Group 5: Security Group - Universal.F. Group 6: Distribution Group - Universal.




Best practices for using security groups across forests

By carefully using domain local, global, and universal groups, administrators can more effectively controlaccess to resources located in other forests. Consider the following best practices:

To represent the sets of users who need access to the same types of resources, create

"A Composite Solution With Just One Click" - Certification Guaranteed 376 Microsoft 70-640 : Practice Testrole-based global groups in every domain and forest that contains these users. For example, users in the SalesDepartment in ForestA require access to an order-entry application that is a resource in ForestB. AccountDepartment users in ForestA require access to the same application, but these users are in a different domain.In ForestA, create the global group SalesOrder and add users in the Sales Department to the group.

Create the global group AccountsOrder and add users in the Accounting Department to that group.

To group the users from one forest who require similar access to the same resources in a different forest,

create universal groups that correspond to the global group roles. For example, in ForestA, create a universalgroup called SalesAccountsOrders and add the global groups SalesOrder and AccountsOrder to the group.

To assign permissions to resources that are to be accessed by users from a different forest, create resource-based domain local groups in every domain and use these groups to assign permissions on the resources inthat domain. For example, in ForestB, create a domain local group called

OrderEntryApp. Add this group to the access control list (ACL) that allows access to the order entry application,and assign appropriate permissions.

To implement access to a resource across a forest, add universal groups from trusted forests to the domainlocal groups in the trusting forests. For example, add the SalesAccountsOrders universal group from ForestA tothe OrderEntryApp domain local group in ForestB.

QUESTION 37Your network contains an Active Directory domain. The domain contains 5,000 user accounts.

You need to disable all of the user accounts that have a description of Temp.


Which tools should you use? (Each correct answer presents part of the solution. Choose two.)

A. FindB. DsgetC. DsmodD. DsaddE. Net accountsF. Dsquery

Correct Answer: CFSection: (none)Explanation


Here we can use Dsquery to find the accounts that have "Temp" as their description and pipe it through toDsmod to disable them. Should look like this:dsquery user domainroot -desc "Temp" | dsmod user -disabled yes

Reference 1:http://technet.microsoft.com/en-us/library/cc725702.aspx Dsquery user Finds users in the directory who matchthe search criteria that you specify.If the predefined search criteria in this command are insufficient, use themore general version of the query command, dsquery *.

Syntaxdsmod userParametersdomainrootSpecifies the node in the console tree where the search starts. You can specify the forest root (forestroot),domain root (domainroot), or distinguished name of a node as the start node (<StartNode>). If you specifyforestroot, dsquery searches by using the global catalog. The default value is domainroot.-desc <Description>

Specifies the descriptions of the user objects you want to modify.RemarksThe results from a dsquery search can be piped as input to one of the other directory service command-line

tools, such as Dsget, Dsmod, Dsmove, or Dsrm.

Reference 2:http://technet.microsoft.com/en-us/library/cc732954.aspx Dsmod user Modifies attributes of one or moreexisting users in the directory.Syntaxdsmod userParameter-disabled {yes | no} Specifies whether AD DS disables user accounts for logon.


The available values are yes and no. Yes indicates that AD DS disables user accounts for logon and noindicates that AD DS does not disable user accounts for logon.

QUESTION 38Your network contains an Active Directory domain. The domain contains two file servers. The file servers areconfigured as shown in the following table.

You create a Group Policy object (GPO) named GPO1 and you link GPO1 to OU1.

You configure the advanced audit policy.

You discover that the settings are not applied to Server1. The settings are applied to Server2.

You need to ensure that access to the file shares on Server1 is audited.

What should you do?

A. From Active Directory Users and Computers, modify the permissions of the computer account for Server1.B. From GPO1, configure the Security Options.C. From Active Directory Users and Computers, add Server1 to the Event Log Readers group.D. On Server1, run seceditexe and specify the /configure parameter.E. On Server1, run auditpol.exe and specify the /set parameter.




What are the differences in auditing functionality between versions of Windows?

"A Composite Solution With Just One Click" - Certification Guaranteed 379 Microsoft 70-640 : Practice TestBasic audit policy settings are available in all versions of Windows since Windows 2000 and can be appliedlocally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista andWindows Server 2008, but the settings can only be applied by using logon scripts. In Windows 7 and WindowsServer 2008 R2, advanced audit policy settings can be configured and applied by using local and domain GroupPolicy settings.

Reference:


Auditpol set

Sets the per-user audit policy, system audit policy, or auditing options.


You have an organizational unit (OU) named Sales and an OU named Engineering. Each OU contains over 200user accounts.

The Sales OU and the Engineering OU contain several user accounts that are members of a universal groupnamed Group1.


You need to prevent the GPO from being applied to the members of Group1 only.

What should you do?

A. Modify the Group Policy permissions.B. Configure Restricted Groups.C. Configure WMI filtering.D. Configure the link order.E. Enable loopback processing in merge mode.F. Link the GPO to the Sales OU.G. Configure Group Policy Preferences.H. Link the GPO to the Engineering OU.I. Enable block inheritance.J. Enable loopback processing in replace mode.


Explanation/Reference:Explanation:"GPOs are linked to OUs, not groups. Block inheritance blocks all inherited GPOs from being applied to theOU. The security filter will only help you specify groups. So you have two choices. You could removeauthenticated users in the security filter and add groups containing everyone except group1 members(messysolution) or you could leave authenticated users there, and specify group1 with deny apply gpo permission forthe gpo(since deny will always win over allow)."The reference below explains a situation where the GPO only needs to be applied to one group, it's the otherway around so to speak.

Reference:

MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 285, 286

Using Security Filtering to Modify GPO Scope

By now, you've learned that you can link a GPO to a site, domain, or OU. However, you might need to applyGPOs only to certain groups of users or computers rather than to all users or computers within the scope of theGPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specific

security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group Policypermissions to the GPO.

Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Readand Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to acomputer (for example, by its link to the computer's OU), but the computer does not have Read and ApplyGroup Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriatepermissions for security groups, you can filter a GPO so that its settings apply only to the computers and usersyou specify.

Filtering a GPO to Apply to Specific Groups

To apply a GPO to a specific security group, perform the following steps:

4. Select the GPO in the Group Policy Objects container in the console tree.

5. In the Security Filtering section, select the Authenticated Users group and click Remove.

"A Composite Solution With Just One Click" - Certification Guaranteed 381 Microsoft 70-640 : Practice Test6. Click OK to confirm the change.

7. Click Add.

8. Select the group to which you want the policy to apply and click OK.


You have two Group Policy objects (GPOS) named GPO1 and GPO2. GPO1 and GPO2 are linked to the

Finance organizational unit (OU) and contain multiple settings.

You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied, thesetting in GPO2 takes effect.

You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure thatall non-conflicting settings in both GPOs are applied.

What should you do?

A. Configure the link order.B. Configure Restricted Groups.C. Enable block inheritance.D. Link the GPO to the Finance OU.E. Enable Ioopback processing in merge mode.F. Enable Ioopback processing in replace mode.G. Link the GPO to the Human Resources OU.H. Configure Group Policy Preferences.I. Configure WMI filtering.J. Modify the Group Policy permissions.




Precedence of Multiple Linked GPOs

"A Composite Solution With Just One Click" - Certification Guaranteed 382 Microsoft 70-640 : Practice TestAn OU, domain, or site can have more than one GPO linked to it. In the event of multiple GPOs, the GPOs' linkorder determines their precedence. In Figure 6-10, two GPOs are linked to the People OU.

Figure 6-10 GPO link order





3. Select the GPO.


QUESTION 41You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNSserver for contoso.com.

You install the DNS server server role on a member server named server1 and then you create a standardsecondary zone for contoso.com. You configure DC1 as the master server for the zone.

You need to ensure that Server1 receives zone updates from DC1.

What should you do?

A. On DC1, modify the permissions of contoso.com zone.B. On Server1, add a conditional forwarder.C. Add the Server1 computer account to the DNsUpdateProxy group.D. On DC1, modify the zone transfer settings for the contoso.com zone.



Reference:






2. Right-click a DNS zone, and then click Properties.








QUESTION 42A corporate network includes an Active Directory-integrated zone. AIl DNS servers that host the zone aredomain controllers.





A. Active Directory Sites And Services consoleB. NtdsutilC. DnslintD. Nslookup




Forcing Replication

When you need updates to be replicated sooner than the intersite replication schedule allows, or whenreplication between sites is impossible because of configuration errors, you can force replication to and fromdomain controllers.

Forcing replication of all directory updates over a connection

If you want to replicate certain updates, such as a significant addition of new passwords or user accounts, toanother domain controller in the domain, you can use the Replicate now option in the Active Directory Sites andServices snap-in to force replication of all directory partitions over a connection object that represents inboundreplication from a specific domain controller. A connection object for a server object that represents a domaincontroller identifies the replication partner from which the domain controller receives replication. If the changes

are made on one domain controller, you can select the connection from that domain controller and forcereplication to its replication partner.

You can also use the Repadmin.exe command-line tool to replication changes from a server to one or moreother servers or to all servers.

ssniyer -- In the case where (Exam J, Q24) Repadmin is not an answer option, I will go with AD Sites and

Services because it allows to force AD replication across connection objects.

Both DNSLint and nslookup are diagnostic tools. DNSLint is useful to make sure RRs are associated with theright services and nslookup for domain namespace resolution issues.There is no diagnostic need in this question.

Dnscmd is useful to administer/maintain a DNS server or zone using a command line tool. It is also the righttool to create Application Directory Partition. However, I don't see literature to suggest it as a good replicationtool for AD integrated zones.


QUESTION 43Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domaincontrollers named DC1 and DC2. DC1 and DC2 are configured as DNS servers and host the ActiveDirectoryintegrated zone for contoso.com.

From DNS Manager on DC1, you enable scavenging for the contoso.com zone.

You discover stale DNS records in the zone.

You need to ensure that the stale DNS records are deleted from contoso.com.

What should you do?

A. From DNS Manager, enable scavenging on DC1.B. From DNS Manager, reload the zone.C. Run dnscmd.exe and specify the ageallrecords parameter.D. Run dnscmd.exe and specify the startscavenging parameter.




You discover the following event in the Event log of domain controllers: "The request for a new accountidentifierpool failed. The operation will be retried until the request succeeds.The error is " %1 ""

You need to ensure that the domain controllers can acquire new account-identifier pools successfully.

What should you do?

A. Move the domain naming master role.B. Move the global catalog server.

C. Restart the Active Directory Domain Services (AD DS) service.D. Deploy an additional global catalog server.E. Move the infrastructure master role.F. Move the PDC emulator role.G. Install a read-only domain controller (RODC).H. Move the RID master role.I. Move the bridgehead server.J. Move the schema master role.


Explanation/Reference:Explanation:This error can occur when the server holding the RID master role is not available to provide a new RID pool.Moving the RID master role to another domain controller will resolve this.Reference:


Event ID 16651 -- RID Pool Request

Users, computers, and groups stored in Active Directory are collectively known as security principals. Eachsecurity principal is assigned a unique alphanumeric string called a SID. The SID includes a domain prefixidentifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the securityprincipal within the domain. The RID is a monotonically increasing number at the end of the SID. Each domaincontroller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RIDmaster role (also known as flexible single master operations or FSMO) in each Active Directory domain. TheRID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible forissuing a unique RID pool to each domain controller in its domain. By default, RID pools are obtained inincrements of 500. (...) Newly promoted domain controllers must acquire a RID pool before they can advertisetheir availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additionalRID allocations in order to continue creating security principals when their current RID pool becomes depleted.

Event Details

Message

The request for a new account-identifier pool failed. The operation will be retried until the request succeeds.

The error is " %1 "

Resolve

Check connectivity to the RID master, and check its replication status

"A Composite Solution With Just One Click" - Certification Guaranteed 387 Microsoft 70-640 : Practice TestA relative ID (RID) pool was not allocated to the local domain controller. Ensure that the local domain controllercan communicate with the domain controller that is identified as the RID operations master.

Ensure that the RID master is online and replicating to other domain controllers.



You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted FileSystem (EFS) certificates.

All users plan to encrypt files by using EFS.

You need to ensure that the private keys for all new EFS certificates are archived.


A. Share and Storage ManagementB. Security Configuration wizardC. Enterprise PKID. Active Directory Administrative CenterE. Certification AuthorityF. Group Policy ManagementG. Certificate TemplatesH. Authorization ManagerI. Certificates




Configure a Certificate Template for Key Archival

"A Composite Solution With Just One Click" - Certification Guaranteed 388 Microsoft 70-640 : Practice TestThe key archival process takes place when a certificate is issued. Therefore, a certificate template must bemodified to archive keys before any certificates are issued based on this template.

Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate templatein order to protect users from data loss, but it can also be useful when applied to other types of certificates.

To configure a certificate template for key archival and recovery


2. In the details pane, right-click the certificate template that you want to change, and then click DuplicateTemplate.

3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certificationauthorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008, Windows7, or Windows Vista.

4. In Template, type a new template display name, and then modify any other optional properties as needed.

5. On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to, andthen click OK.

6. Under Group or user names, select the user or group names that you just added. Under Permissions, selectthe Read and Enroll check boxes, and if you want to automatically issue the certificate, also select theAutoenroll check box.

7. On the Request Handling tab, select the Archive subject's encryption private key check box.



You have a custom certificate template named Sales_Temp. Sales_Temp is published to the CA.

You need to ensure that all of the members of a group named Sales can enroll for certificates that useSales_Temp.


A. Enterprise PKIB. Certification AuthorityC. Share and storage ManagementD. Certificate TemplatesE. Security Configuration WizardF. Authorization ManagerG. Group Policy ManagementH. CertificatesI. Active Directory Administrative Center




Deploying Certificate Templates

After creating a new certificate template, the next step is to deploy the certificate template so that a certificationauthority (CA) can issue certificates based on it. Deployment includes publishing the certificate template to oneor more CAs, defining which security principals have Enroll permissions for the certificate template, anddeciding whether to configure autoenrollment for the certificate template.

To define permissions to allow a specific security principal to enroll for certificates based on a certificatetemplate

1. Open the Certificate Templates snap-in (Certtmpl.msc).

2. In the details pane, right-click the certificate template you want to change, and then click Properties.

3. On the Security tab, ensure that Authenticated users is assigned Read permissions. This ensures that allauthenticated users on the network can see the certificate templates.

4. On the Security tab, click Add. Add a global group or universal group that contains all security principalsrequiring Enroll permissions for the certificate template, and then click OK.

5. On the Security tab, select the newly added security group, and then assign Allow for the Read and Enrollpermissions.


6. Click OK.

Permission Design

Use the following recommendations for permissions assignments:

Assign permissions only to global groups or to universal groups. It is not recommended to assign permissionsto domain local groups. Domain local groups are only recognized in the domain where they exist, and assigningpermissions to them can result in inconsistent application of permissions. You should not assign permissionsdirectly to an individual user or computer account. (...)

QUESTION 47Your network contains an Active Directory forest named adatum.com. All domain controllers currently runWindows Server 2003 Service Pack 2 (SP2). The functional level of the forest and the domain is WindowsServer 2003.

You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.


A. Deploy a writable domain controller that runs Windows Server 2008 R2.B. Raise the functional level of the forest to Windows Server 2008.C. Run adprep.exe.D. Raise the functional level of the domain to Windows Server 2003.



An RODC requires a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.So, whether you install the writable domain controller first or the Windows Server 2008 R2 server (your futureRODC), you have to run adprep.exe first to prepare the domain/forest for either domain controller.Reference:


Prerequisites for Deploying an RODC

Complete the following prerequisites before you deploy a read-only domain controller (RODC):

Ensure that the forest functional level is Windows Server 2003 or higher, so that linked- value replication

(LVR) is available. This provides a higher level of replication consistency. The domain functional level must beWindows Server 2003 or higher, so that Kerberos constrained delegation is available. If the forest functionallevel is Windows Server 2003, the domain functional level of all domains in the forest is Windows Server 2003or higher.

Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that runWindows Server 2008 or Windows Server 2008 R2. The adprep commands extend the Active Directoryschema and update security descriptors so that you can add the new domain controllers.

Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 inthe same domain as the RODC and ensure that the writable domain controller is also a DNS server that hasregistered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate domainupdates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.

QUESTION 48Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active DirectoryRights Management Services (AD RMS) is deployed in each forest.

You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in thecontoso.com forest.

What should you do?

A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.B. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.C. Create an external trust from nwtraders.com to contoso.com.D. Create an external trust from contoso.com to nwtraders.corn.



Reference:


Using AD RMS trust

It is not necessary to create trust or federation relationships between the Active Directory forests oforganizations to be able to share rights-protected information between separate organizations. AD RMSprovides two types of trust relationships that provide this kind of rights-protected information exchange. Atrusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates oruse licenses from users whose rights account certificates (RACs) were issued by a different AD RMS rootcluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster totrust.

http://technet.microsoft.com/en-us/library/dd772648(v=ws.10).aspx

QUESTION 49Your company plans to open a new branch office. The new office will have a Iow-speed connection to theInternet.

You plan to deploy a read-only domain controller (RODC) in the branch office.

You need to create an offline copy of the Active Directory database that can be used to install Active Directoryon the new RODC.

Which commands should you run from Ntdsutil?


A.B.C.D.




All users have a value set for the Department attribute.

From Active Directory Users and computers, you search a domain for all users who have a Departmentattribute value of Marketing.

The search returns 50 users.

From Active Directory Users and Computers, you search the entire directory for all users who have aDepartment attribute value of Marketing.

The search does not return any users.

You need to ensure that a search of the entire directory for users in the marketing department returns all of theusers who have the Marketing Department attribute.

What should you do?

A. Install the Windows Search Service role service on a global catalog server.B. From the Active Directory Schema snap-in, modify the properties of the Department attribute.C. Install the Indexing Service role service on a global catalog server.D. From the Active Directory Schema snap-in, modify the properties of the user class.




Global Catalog Partial Attribute Set

The attributes that are replicated to the global catalog by default include a base set that have been defined byMicrosoft as the attributes that are most likely to be used in searches. Administrators can use the MicrosoftManagement Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet theneeds of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute tothe global catalog check box to designate an attributeSchema object as a member of the PAS, which sets thevalue of the isMemberOfPartialAttributeSet attribute to TRUE.

QUESTION 51A corporate network includes a single Active Directory Domain Services (AD DS) domain. The AD DSinfrastructure is shown in the following graphic.

When the Montreal site domain controller is offline, authentication requests for Montreal branch office users aresent to the Toronto site domain controller.

You need to ensure that when the Montreal Site domain controller is offline, authentication requests for

Montreal branch office users are sent to the Quebec City site domain controller.

What should you do?

A. Create a site link bndge between the Montreal site and the Quebec City site.B. Enable the global catalog role on the Montreal site domain controller.C. Modify the Default Domain Policy Group Policy Object.D. Delete the Toronto-Montreal Site Link




Enable Clients to Locate a Domain Controller in the Next Closest Site You can modify the Default DomainPolicy to enable Windows Vista and Windows Server 2008 clients in the domain to locate domain controllers inthe next closest site if no domain controller in their own site or the closest site is available.


To enable clients to locate a domain controller in the next closest site1. Click Start, click Administrative Tools, and then click Group Policy Management.2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and thenclick Continue.3. Double-click Forest:forest_name, double-click Domains, and then double-click domain_name.4. Right-click Default Domain Policy, and then click Edit.5. In Group Policy Management Editor, in the console tree, go to Computer Configuration/Policies/Administrative Templates/System/Netlogon/DC Locator DNS Records.6. In the details pane, double-click Try Next Closest Site, click Enabled, and then click OK.Reference 2:http://technet.microsoft.com/en-us/library/cc733142.aspx

Enabling Clients to Locate the Next Closest Domain Controller If you have a domain controller that runsWindows Server 2008 or Windows Server 2008 R2, you can make it possible for client computers that runWindows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 to locate domain controllersmore efficiently by enabling the Try Next Closest Site Group Policy setting. This setting improves the DomainController Locator (DC Locator) by helping to streamline network traffic, especially in large enterprises that havemany branch offices and sites. By default, the Try Next Closest Site setting is not enabled. When the setting isnot enabled, DC Locator uses the following algorithm to locate a domain controller:Try to find a domain controller in the same site. If no domain controller is available in the same site, try to findany domain controller in the domain.If you enable the Try Next Closest Site setting, DC Locator uses the following algorithm to locate a domaincontroller:Try to find a domain controller in the same site. If no domain controller is available in the same site, try to find adomain controller in the next closest site. A site is closer if it has a lower site-link cost than another site with ahigher site-link cost.If no domain controller is available in the next closest site, try to find any domain controller in the domain.

QUESTION 52"A Composite Solution With Just One Click" - Certification Guaranteed 397 Microsoft 70-640 : Practice TestA corporate environment includes two Active Directory Domain Services (AD DS) forests, as shown in thefollowing table.

You need to ensure that users in the contoso.com domain can access resources in the eng.fabrikam.comdomain.

What should you do?

A. Enable selective authentication.B. Enable forest-wide authentication.C. Create an external trust between contoso.com and eng.fabrikam.com.D. Enable domain-wide authentication.




Creating External Trusts

You can create an external trust to form a one-way or two-way, nontransitive trust with domains that are outsideyour forest. External trusts are sometimes necessary when users need access to resources that are located ina Windows NT 4.0 domain or in a domain that is in a separate Active Directory Domain Services (AD DS) forestthat is not joined by a forest trust.


You need to activate the Active Directory Recycle Bin in the domain.


A. DsamainB. Set-ADDomainC. Add-WindowsFeatureD. Ldp





After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable ActiveDirectory Recycle Bin by using the following methods:


Ldp.exe


You need to create a script that runs the Best Practices Analyzer (BPA) each week for all of the server rolesthat BPA supports on each domain controller.


Which tools should you use? (Each correct answer presents part of the solution. Choose three.)

A. Get-Troubleshooting Pack / Invoke-Troubleshooting Pack.B. Import-Module Best Practices.C. Get-BPA Model / Invoke-BPA Model.D. Import-Module Troubleshooting Pack.

E. Get- BPA Result.

Correct Answer: BCESection: (none)Explanation


Explanation:

Reference 1:http://technet.microsoft.com/en-us/library/dd759206.aspx To scan all roles by using Windows PowerShellcmdlets1. Open a Windows PowerShell session with elevated user rights.2. Import the Server Manager module into your Windows PowerShell session. To import the Server Managermodule, type the following, and then press ENTER.Import-Module ServerManager3. Import the BPA module. Type the following, and then press Enter.Import-Module BestPractices4. Pipe all roles for which BPA scans can be performed into the Invoke-BPAModel cmdlet to start scans.Get-BPAModel | Invoke-BPAModelReference 2:http://technet.microsoft.com/en-us/library/ee617286.aspx Get-BpaResult The Get-BPAResult cmdlet allows youto retrieve and view the results of the most recent Best Practices Analyzer (BPA) scan for a specific model.

QUESTION 55A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular useraccounts reside in an organizational unit (OU) named Employees. All administrator accounts reside in an OUnamed Admins.



A. Enable the Audit directory service access setting in the Default Domain Controllers Policy GroupPolicyObject.

B. Create a Group Policy Object with the Audit directory service access setting enabled and link it to theEmployees OU.

C. Enable the Audit directory service access setting in the Default Domain Policy Group Policy Object.D. Modify the searchFlags property for the User class in the schema.



Explanation/Reference:Explanation:To audit changes made to objects in AD DS we have to use Directory Service Changes auditing, whichindicates the old and new values of the changed properties of the objects that were changed. DirectoryServiceChanges auditing is a subcategory of Audit directory service access, and is not enabled by default.

To use it we have to enable it first, and we can do that specifically for Directory Service Changes by usingauditpol.exe, or we can use Group Policy Management to enable Audit directory service access, which enablesall subcategories, including Directory Service Changes. You do this by modifying the Default DomainControllers Policy.

Reference:








By using Group Policy Management, you can turn on the global audit policy, Audit directory service access,which enables all the subcategories for AD DS auditing.

To enable the global audit policy using the Windows interface

1. Click Start, point to Administrative Tools, and then Group Policy Management.

2. In the console tree, double-click the name of the forest, double-click Domains, double- click the name of yourdomain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.

3. Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click SecuritySettings, double-click Local Policies, and then click Audit Policy.

"A Composite Solution With Just One Click" - Certification Guaranteed 401 Microsoft 70-640 : Practice Test4. In the details pane, right-click Audit directory service access, and then click Properties.

5. Select the Define these policy settings check box.

6. Under Audit these attempts, select the Success, check box, and then click OK.


The Administrator deletes an OU named OU1 accidentally.

You need to restore OU1. Which cmdlet should you use?

A. Set-ADObject cmdlet.B. Set-ADOrganizationalUnit cmdlet.C. Set-ADUser cmdlet.D. Set-ADGroup cmdlet.




Restoring a deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets

You can also restore a deleted Active Directory object by using the Get-ADObject and Restore-ADObject ActiveDirectory module for Windows PowerShell cmdlets. The recommended approach is to use the Get-ADObjectcmdlet to retrieve the deleted object and then pass that object through the pipeline to the Restore-ADObjectcmdlet.

QUESTION 57Your network contains an Active Directory domain. The domain is configured as shown in the exhibit.

You have a Group Policy Object (GPO) linked to the domain.

You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts inthe Finance organizational unit (OU). You must achieve this goal by using the minimum amount ofadministrative effort.

What should you do?

A. Modify the Group Policy Permission.B. Configure WMI filtering.C. Enable block inheritance.D. Enable loopback processing in replace mode.E. Configure the link order.F. Configure Group Policy Preferences.G. Link the GPO to the Human Resources OU.H. Configure Restricted Groups.I. Enable loopback processing in merge mode.J. Link the GPO to the Finance OU.

Correct Answer: C




Block Inheritance

You can block inheritance for a domain or organizational unit. Blocking inheritance

"A Composite Solution With Just One Click" - Certification Guaranteed 403 Microsoft 70-640 : Practice Testprevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units frombeing automatically inherited by the child-level.



You have two Group Policy objects (GPOs) named GP01 and GPO2. GP01 and GP02 are linked to the SalesOU and contain multiple settings.

You discover that GPO2 has a setting that conflicts with a setting in GP01. When the policies are applied, thesetting in GPO2 takes effect.

You need to ensure that the settings in GP01 supersede the settings in GP02. The solution must ensure that allnon-conflicting settings in both GPOs are applied.

A. Configure Restricted Groups.B. Configure the link order.C. Link the GPO to the Sales OU.D. Link the GPO to the Engineering OU.E. Enable loopback processing in merge mode.F. Modify the Group Policy permissions.G. Configure WMI Filtering.H. Configure Group Policy Preferences.I. Enable loopback processing in replace mode.J. Enable block inheritance.




Precedence of Multiple Linked GPOs An OU, domain, or site can have more than one GPO linked to it. In theevent of multiple GPOs, the GPOs' link order determines their precedence. In Figure 6-10, two GPOs are linkedto the People OU.

"A Composite Solution With Just One Click" - Certification Guaranteed 404 Microsoft 70-640 : Practice TestFigure 6-10 GPO link order





3. Select the GPO.



All users have a value set for the Department attribute.

From Active Directory Users and Computers, you search a domain for all users who have a Departmentattribute value of Marketing. The search returns 50 users.

From Active Directory Users and Computers, you search the entire directory for all users who have aDepartment attribute value of Marketing.

The search does not return any users.

You need to ensure that a search of the entire directory for users in the marketing department returns all of theusers who have the Marketing Department attribute.

What should you do?

A. Install the Windows Search Service role service on a global catalog server.B. From the Active Directory Schema snap-in modify the properties of the Department attribute.C. Install the Indexing Service role service on a global catalog server.D. From the Active Directory Schema snap-in modify the properties of the user class.




Global Catalog Partial Attribute Set The attributes that are replicated to the global catalog by default include abase set that have been defined by Microsoft as the attributes that are most likely to be used in searches.Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specifyadditional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you canselect the Replicate this attribute to the global catalog check box to designate an attributeSchema object as amember of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE.


You discover the following event in the Event log of domain controllers: "The request for a new accountidentifierpool failed. The operation will be retried until the request succeeds.

The error is " %1 ""

You need to ensure that the domain controllers can acquire new account-identifier pools successfully.

What should you do?

A. Move the PDC emulator role.B. Move the schema master role.C. Move the global catalog server.D. Move the domain naming master role.E. Move the infrastructure master role.F. Move the RID master role.G. Restart the Active Directory Domain Services (AD DS) service.H. Deploy an additional global catalog server.I. Move the bridgehead server.J. Install a read-only domain controller (RODC).

Correct Answer: FSection: (none)Explanation


This error can occur when the server holding the RID master role is not available to provide a new RID pool.Moving the RID master role to another domain controller will resolve this.Reference:


Event ID 16651 -- RID Pool Request

Users, computers, and groups stored in Active Directory are collectively known as security principals. Eachsecurity principal is assigned a unique alphanumeric string called a SID. The SID includes a domain prefixidentifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the securityprincipal within the domain. The RID is a monotonically increasing number at the end of the SID. Each domaincontroller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RIDmaster role (also known as flexible single master operations or FSMO) in each Active Directory domain. TheRID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible forissuing a unique RID pool to each domain controller in its domain. By default, RID pools are obtained inincrements of 500. (...) Newly promoted domain controllers must acquire a RID pool before they can advertisetheir availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additionalRID allocations in order to continue creating security principals when their current RID pool becomes depleted.

Event Details

Message

The request for a new account-identifier pool failed. The operation will be retried until the request succeeds.

The error is " %1 "

Resolve

Check connectivity to the RID master, and check its replication status

A relative ID (RID) pool was not allocated to the local domain controller. Ensure that the local domain controller

can communicate with the domain controller that is identified as the RID operations master.

Ensure that the RID master is online and replicating to other domain controllers.





A. NtdsutilB. Active Directory Users and ComputersC. ADSI EditD. Group Policy Management Console (GPMC)




Creating a PSO using ADSI Edit

Active Directory Service Interfaces Editor (ADSI Edit) provides a view of every object and attribute in an ActiveDirectory Domain Services (AD DS) forest. You can use ADSI Edit to query, view, and edit AD DS objects andattributes.

To create a PSO using ADSI Edit

1. Click Start, click Run, type adsiedit.msc, and then click OK.

2. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.

3. In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO,and then click OK.

4. Double-click the domain.

5. Double-click DC=<domain_name>.

6. Double-click CN=System.

7. Click CN=Password Settings Container. All the PSO objects that have been created in the selected domainappear.

"A Composite Solution With Just One Click" - Certification Guaranteed 408 Microsoft 70-640 : Practice Test8. Right-click CN=Password Settings Container, click New, and then click Object.

9. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.

10. In Value, type the name of the new PSO, and then click Next.

11. Continue with the wizard, and enter appropriate values for all mustHave attributes.


You need to identify whether a fine-grained password policy is applied to a specific group.


A. Active Directory Sites and ServicesB. Authorization ManagerC. Local Security PolicyD. ADSI Edit



Use ADSI Edit to determine the value of the msDS-PSOApplied attribute of the specific group:1. Open the Properties windows for the group in ADSI Edit2. On the Attribute Editor tab click Filter3. Ensure that the Show attributes/Optional check box is selected.4. Ensure that the Show read-only attributes/Backlinks check box is selected.5. Locate the value of msDS-PSOApplied in the Attributes list.Reference:


Defining the scope of fine-grained password policies

A PSO can be linked to a user (or inetOrgPerson) or a group object that is in the same

domain as the PSO: (...)

A new attribute named msDS-PSOApplied has been added to the user and group objects in Windows Server2008. The msDS-PSOApplied attribute contains a back-link to the PSO. Because the msDSPSOAppliedattribute has a back-link, a user or group can have multiple PSOs applied to it.

As stated previously, in Windows Server 2008, a user or group can have multiple PSOs applied to it since themsDS-PSOApplied attribute of the user and group objects has a back-link to the PSO.





A. RepadminB. Active Directory Domains and Trusts consoleC. LdpD. Ntdsutil





Forcing Replication

Sometimes it becomes necessary to forcefully replicate objects and entire partitions

"A Composite Solution With Just One Click" - Certification Guaranteed 410 Microsoft 70-640 : Practice Testbetween domain controllers that may or may not have replication agreements.



Syntax


Parameters <DC> Specifies the host name of the domain controller to synchronize with all replication partners.

<NamingContext>


<Flags>


QUESTION 64Your network contains an Active Directory forest named contoso.com. The forest contains two domains namedcontoso.com and child.contoso.com. The forest contains two sites named Seattle and Denver. Both sitescontain users, client computers, and domain controllers from both domains.

The Seattle site contains the first domain controller deployed to the forest. The Seattle site also contains theprimary domain controller (PDC) emulator for both domains. All of the domain controllers are configured asDNS servers. All DNS zones are replicated to all of the domain controllers in the forest.

The users in the Denver site report that is takes a long time to log on to their client computer when they usetheir user principal name (UPN). The users in the Seattle site do not experience the same issue.

You need to reduce the amount of time it takes for the Denver users to log on to their client computer by usingtheir UPN.

What should you do?

A. Reduce the cost of the site link between the Denver site and the Seattle site.B. Enable the global catalog on a domain controller in the Denver site.C. Enable universal group membership caching in the Denver site.D. Move a PDC emulator to the Denver site.E. Reduce the replication interval of the site link between the Denver site and the Seattle site.

F. Add an additional domain controller to the Denver site.




Common Global Catalog Scenarios

The following events require a global catalog server:

(...) User logon. In a forest that has more than one domain, two conditions require the global catalog duringuser authentication:

1. When a user principal name (UPN) is used at logon and the forest has more than one domain, a globalcatalog server is required to resolve the name.

2. (...)

QUESTION 65Your network contains two Active Directory forests named contoso.com and fabrikam.com.Each forest contains a single domain.

A two-way forest trust exists between the forests. Selective authentication is enabled on the trust.

Contoso.com contains a group named Group 1.

Fabrikam.com contains a server named Server1.

You need to ensure that users in Group1 can access resources on Server1.What should you modify?

A. the permissions of the Group1 groupB. the UPN suffixes of the contoso.com forestC. the UPN suffixes of the fabrikam.com forestD. the permissions of the Server1 computer account



Group1 must get the 'Allowed To Authenticate' permission on Server1, so I'd go for A, as given.Answer D may sound tempting, but it speaks of permissions of the Server1 computer account.Reference:

MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 643, 644

After you have selected Selective Authentication for the trust, no trusted users will be able to access resourcesin the trusting domain, even if those users have been given permissions. The users must also be assigned theAllowed To Authenticate permission on the computer object in the domain.

1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is selectedon the View menu.

2. Open the properties of the computer to which trusted users should be allowed to authenticate--that is, thecomputer that trusted users will log on to or that contains resources to which trusted users have been givenpermissions.

3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box forthe Allowed To Authenticate permission.



Users in the Sates OU frequently log on to client computers in the Engineering OU.

You need to meet the following requirements:

All of the user settings in the Group Policy objects (GPOs) linked to both the Sales OU and the Engineering OUmust be applied to sales users when they log on to client computers in the Engineering OU.Only the policy settings in the GPOs linked to the Sales OU must be applied to sales users when they log on toclient computers in the Sales OU. Policy settings in the GPOs linked to the Sales OU must not be applied tousers in the Engineering OU.

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Sales OU.J. Link the GPO to the Engineering OU.



We have to use loopback processing in merge mode if we want all User Configuration settings from the GPO'sthat are linked to the Sales OU and the Engineering OU to be applied.Reference 1:http://technet.microsoft.com/en-us/library/cc782810.aspx

Loopback processing with merge or replaceSetting loopback causes the User Configuration settings in GPOs that apply to the computer to be applied toevery user logging on to that computer, instead of (in replace mode) or in addition to (in merge mode) the UserConfiguration settings of the user. This allows you to ensure that a consistent set of policies is applied to anyuser logging on to a particular computer, regardless of their location in Active Directory. Loopback can be set toNot Configured, Enabled, or Disabled. In the Enabled state, loopback can be set to Merge or Replace. In eithercase the user only receives user-related policy settings.

Loopback with Replace--In the case of Loopback with Replace, the GPO list for the user is replaced in itsentirety by the GPO list that is already obtained for the computer at


computer startup (during step 2 in Group Policy processing and precedence). The User Configuration settingsfrom this list are applied to the user. Loopback with Merge--In the case of Loopback with Merge, the GroupPolicy object list is a concatenation. The default list of GPOs for the user object is obtained, as normal, but thenthe list of GPOs for the computer (obtained during computer startup) is appended to this list. Because thecomputer's GPOs are processed after the user's GPOs, they have precedence if any of the settings conflict.

Reference 2:http://kudratsapaev.blogspot.in/2009/07/loopback-processing-of-group-policy.html

For a clear and easy explanation of Loopback Processing. Recommended! Reference 3:Windows Server 2008 R2 Unleashed (SAMS, 2010) page 1028 Loopback ProcessingWhen a user is processing domain policies, the policies that apply to that user are based on the location of theuser object in the Active Directory hierarchy. The same goes for domain policy application for computers.There are situations, however, when administrators or organizations want to ensure that all users get the samepolicy when logging on to a particular computer or server. For example, on a computer that is used for trainingor on a Remote Desktop Session Host, also known as a Terminal Server, when the user desktop environmentmust be the same for each user, this can be controlled by enabling loopback processing in Replace mode on apolicy that is applied to the computer objects.To explain a bit further, if a domain policy has the loopback settings enabled and set to Replace mode, anysettings defined within that policy in the User Configuration node are applied to all users who log on to thecomputer this particular policy is applied to. When loopback processing is enabled and configured in Mergemode on a policy applied to a computer object and a user logs on, all of the user policies are applied and thenall of the user settings within the policy applied to the computer object are also applied to the user. This ensuresthat in either Replace or Merge mode, loopback processing applies the settings contained in the computer-linked policies last.

QUESTION 67You have an Active Directory domain named contoso.com.

"A Composite Solution With Just One Click" - Certification Guaranteed 415 Microsoft 70-640 : Practice TestYou need to view the account lockout threshold and duration for the domain.


A. Computer ManagementB. Net ConfigC. Active Directory Users and ComputersD. Gpresult



You can see the required settings when you:1. Open Active Directory Users and Computers2. Go to View in the menubar and make sure "Advanced Features"is checked.3. Right click on the domain and choose Properties4. On the Attribute Editor tab click on Filter5. Ensure that the Show attributes/Optional check box is selected.6. In the Attributes list locate lockoutThreshold and lockoutDuration. Played with the settings in the Group PolicyManagement Editor and the settings were reflected in the steps above every time.

QUESTION 68Your network contains an Active Directory forest. The forest contains two domains named contoso.com andeast.contoso.com. The contoso.com domain contains a domain controller named DC1. The east.contoso.comdomain contains a domain controller named DC2. DC1 and DC2 have the DNS Server server role installed.

You need to create a DNS zone that is available on DC1 and DC2. The solution must ensure that zonetransfers are encrypted.

What should you do?

A. Create a primary zone on DC1 and store the zone in a zone file. On DC1 and DC2, configure inbound rulesand outbound rules by using Windows Firewall with Advanced Security. Create a secondary zone on DC2and select DC1 as the master.

B. Create a primary zone on DC1 and store the zone in a DC=ForestDNSZones, DC=Contoso, DC=comnaming context.

C. Create a primary zone on DC2 and store the zone in a DC= DC=East, DC=Contoso/DC=com namingcontext. Create a secondary zone on DC1 and select DC2 as the master.

D. Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for the zone. Create asecondary zone on DC2 and select DC1 as the master.




Securing DNS Zone Replication

Using Active Directory Replication

Replicating zones as part of Active Directory replication provides the following security benefits:

Active Directory replication traffic is encrypted; therefore zone replication traffic is encrypted automatically.

(...)

Reference:

http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created byDNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNSresolver is able to check if the information is identical (correct and complete) to the information on theauthoritative DNS server. DNSSEC does not provide confidentiality of data; in particular, all DNSSECresponses are authenticated but not encrypted.

Reference:

http://www.nlnetlabs.nl/publications/dnssec_howto/

Voorbeeld opbouw DNSSEC records.

Reference:

http://www.efficientip.com/dnssec

It is important to note that DNSSEC does not supply a solution for data confidentiality but

"A Composite Solution With Just One Click" - Certification Guaranteed 417 Microsoft 70-640 : Practice Testonly a validation of DNS data authenticity and integrity. All information exchanged is not encrypted; it is only thesignature which is encrypted.

Reference:


Zone transfers Zone transfers of a DNSSEC-signed zone function in the same way they do for an unsignedzone. All of the resource records, including DNSSEC resource records, are transferred from the primary serverto the secondary servers with no additional setup requirements.


You have two Group Policy objects (GPOs) named GPO1 and GPO2. GPO1 and GP02 are linked to theFinance organizational unit (OU) and contain multiple settings.

You discover that GP02 has a setting that conflicts with a setting in GPO1. When the

"A Composite Solution With Just One Click" - Certification Guaranteed 418 Microsoft 70-640 : Practice Testpolicies are applied, the setting in GP02 takes effect.

You need to ensure that the settings in GPO1 supersede the settings in GP02. The solution must ensure thatall non-conflicting settings in both GPOs are applied.

What should you do?




QUESTION 70A corporate network includes an Active Directory Domain Services (AD DS) forest that contains two domains.All servers run Windows Server 2008 R2. All domain controllers are configured as DNS servers.

A standard primary zone for dev.contoso.com is stored on a member server.


What should you do?

A. On one domain controller, create a secondary zone.B. On the member server, create a secondary zone.C. On each domain controller, create a secondary zone.D. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to

all DNS servers in the domain.



QUESTION 71A corporate network includes a single Active Directory Domain Services (AD D5) domain. The domain contains10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNSservers.




A. Create a new delegation in the ForestDnsZones application directory partition.B. Create a new delegation in the DomainDnsZones application directory partition.C. Use the dnscmd tool with the /zoneadd parameter.D. Use the ntdsutil tool to add a naming context.



QUESTION 72Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named DC1. DC1 has the DNS Server server role installed and hosts an Active Directory-integratedzone for contoso.com. The no-refresh interval is set to three days and the refresh interval is set to 10 days.

The Advanced DNS settings of DC1 are shown in the Advanced DNS Settings exhibit.(Click the Exhibit button.)

You open the properties of a static record named Server1 as shown in the Server1 Record exhibit. (Click theExhibit button.)


You discover that the scavenging process ran today, but the record for Server1 was not deleted.

You run dnscmd.exe and specify the ageallrecords parameter.

You need to identify when the record for Server1 will be deleted from the zone.

In how many days will the record be deleted?

A. 7B. 10C. 17D. 20



QUESTION 73Your network contains two Active Directory forests named contoso.com and fabrikam.com.

Each forest contains one domain. A two-way forest trust exists between the forests.

You plan to add users from fabrikam.com to groups in contoso.com.

You need to identify which group you must use to assign users in fabrikam.com access to the shared folders incontoso.com.

To which group should you add the users?

To answer, select the appropriate group in the answer area.

A.B.C.D.






A. Active Directory Sites and ServicesB. Active Directory Users and ComputersC. Security Configuration Wizard (SCW)D. Local Security Policy




You need to ensure that the administrators of any of the domains can specify a user principal name (UPN)suffix of litwareinc.com when they create user accounts by using Active Directory Users and Computers.Which tool should you use?

A. New-ADObjectB. Active Directory Sites and ServicesC. Active Directory Domains and TrustsD. Set-ADAccountControl



QUESTION 76Your network contains two Active Directory forests named contoso.com and fabrikam.com. The contoso.comforest contains a server named Server1l that has the Certification Authority role service installed.

You need to ensure that Windows 7 client computers in the fabrikam.com forest can enroll for certificates fromServer1. The solution must minimize the number of role services installed on Server1.

Which additional role service or role services should you install?

To answer, select the appropriate role service or role services in the answer area.


A.B.

C.D.





You have a Group Policy object (GPO) linked to the domain. The GPO is used to deploy a number of softwarepackages.

You need to ensure that the GPO is applied only to client computers that have sufficient free disk space.

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.

C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Sales OU.J. Link the GPO to the Engineering OU.



QUESTION 78A corporate network includes a single Active Directory Domain Services (AD D5) domain. The AD DSinfrastructure is shown in the following graphic.

When the Montreal Site domain controller is offline, authentication requests for Montreal branch office usersare sent to the Toronto Site domain controller.

You need to ensure that when the Montreal Site domain controller is offline, authentication requests forMontreal branch office users are sent to the Quebec City Site domain controller.

What should you do?

A. Create a site link bridge between the Montreal Site and the Quebec City Site.B. Create a registry entry on each client computer in the Montreal branch office,C. Enable the global catalog role on the Montreal Site domain controllerD. Delete the Toronto-Montreal Site Link.




QUESTION 79Your company has two Active Directory sites named New York and Los Angeles.

When you disable IPv4 on a computer in the Los Angeles site, the computer authenticates by using a domaincontroller in the New York site.

You need to ensure that IPv6-only computers in the Los Angeles site authenticate to domain controllers in thesame site.

What should you do?

A. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router in the Los Angeles site.B. Create Active Directory Domain Services connection objects between the two sites.C. Create Active Directory subnet objects for the Los Angeles site.D. Configure the NTDS Site Settings object for the Los Angeles site.



QUESTION 80A corporate network contains a Windows Server 2008 R2 Active Directory forest.

You need to add a user principal name (UPN) suffix to the forest.


A. Active Directory module for Windows PowerShellB. Active Directory Administrative Center consoleC. Active Directory Sites and Services consoleD. Active Directory Users and Computers console



QUESTION 81Your network contains an Active Directory domain named litwareinc.com. The domain contains two sitesnamed Site1 and Site2. Site2 contains a read-only domain controller (RODC).



A. RepadminB. Get-ADAccountResultantPasswordReplicationPolicyC. Active Directory Sites and ServicesD. Get-ADFineGrainedPasswordPolicy



QUESTION 82Your network contains an Active Directory domain. The domain contains two domain controllers named DC1and DC2.

You perform a full backup of the domain controllers every night by using Windows Server Backup.

You update a script in the 5YSVOL folder. The new script fails to run properly.

You need to restore the previous version of the script in the SYSVOL folder. The solution must minimize theamount of time required to restore the script.


A. Run the Restore-ADObject cmdlet.B. Attach the VHD file created by Windows Server Backup.C. Run the NTDSUtil.exe command-line tool.D. Restore the system state to its original location.



QUESTION 83Your network contains two DNS servers named Server1 and Server2.

Server1 hosts a primary zone named contoso.com. Server2 hosts a secondary copy of the contoso.com zone.

You need to configure how often Server2 will check for updates for the contoso.com zone.

Which tab should you use?

To answer, select the appropriate tab in the answer area.


A.B.C.D.


Explanation


QUESTION 84Your network contains an Active Directory domain named contoso.com. The domain has one Active Directorysite.

The domain contains an organizational unit (OU) named 0U1. OU1 contains user accounts for 100 users andtheir managers.

You apply a Group Policy object (GPO) named GPO1 to OU1. GPO1 restricts several desktop settings.

The managers request that the desktop settings not be applied to them.

You need to prevent the desktop settings in GPO1 from being applied to the managers. All other users in OU1must have GPO1 applied to them.

What should you do?

A. Link GPO1 to the site and remove the link for GPO1 from 0U1.B. Move the managers to a child OU of OU1 and block inheritance on the child OU.C. Configure the permissions on OU1.D. Disable the computer configurations of GPO1.






A. Group Policy Management EditorB. Authorization ManagerC. Local Security PolicyD. ADSI Edit




All users have laptops that run Windows 7. The laptops are joined to the domain. Windows Firewall is enabledon all the laptops.

You need to ensure that when the users connect to unidentified networks, Windows

Firewall uses the Public Profile.

Which node in Group Policy Management Editor should you use?


A.B.C.D.




QUESTION 87Your network contains an Active Directory domain. The domain contains 20 domain controllers.

You need to identify which domain controllers are global catalog servers.


A. NetshB. DsqueryC. NltestD. Get-ADRootDSE




All client computers used by the sales department are in an organizational unit (OU) named Sales Computers.All user accounts for the sales department are in an OU named Sales Users.

You purchase a new application.

You need to ensure that every user in the domain who logs on to a sales department computer can use theapplication. The application must only be available from the sales department computers.

What should you do?


A.B.C.D.



QUESTION 89Your network contains an Active Directory forest named fabrikam.com. The forest contains the followingdomains:

Fabrikam.comEu.fabrikam.comNa.fabrikam.comEu.contoso.comNa.contoso.com

You need to configure the forest to ensure that the administrators of any of the domains

can specify a user principal name (UPN) suffix of contoso.com when they create user accounts from ActiveDirectory users and Computers.


A. Active Directory Users and ComputersB. Set-ADAccountControlC. Set-ADForestD. New-ADObject






A. Active Directory Users and ComputersB. Security Configuration Wizard (SCW)C. Group Policy Management EditorD. Active Directory Sites and Services




You attempt to run adprep /forestprep and the operation fails.

You discover that the first domain controller deployed to the forest failed.

You need to run adprep /forestprep successfully.

What should you do?

A. Move the PDC emulator role.B. Move the RID master role.C. Move the infrastructure master role.D. Move the schema master role.E. Move the global catalog server.F. Move the bridgehead server.G. Install a read-only domain controller (RODC).H. Deploy an additional global catalog server.I. Restart the Active Directory Domain Services (AD DS) service.



QUESTION 92Your network contains an Active Directory forest named contoso.com. The functional level of the forest isWindows Server 2008 R2. The forest contains a single domain.

You need to ensure that objects can be restored from the Active Directory Recycle Bin.


A. NtdsutilB. DsamainC. LdpD. Add-PSSnapin



QUESTION 93Your network contains an Active Directory forest named contoso.com. The functional level of the forest isWindows Server 2008 R2. You have four Active Directory sites. Each site has multiple Active Directory subnets.

You need to identify all of the authentication requests that originate from client computers that are notassociated to an Active Directory subnet.What should you use?

A. The System logB. The %Systemroot%\Debug\Netsetup.log log fileC. The Authentication User Interface operational logD. The %Systemroot%\Security\Logs\Winlogon.log log file




You create a new application directory partition.

You need to ensure that the new application directory partition replicates to only three of the domain controllers.


A. DsdbutilB. Active Directory Administrative CenterC. DsmodD. Dsmgmt



QUESTION 95Your network contains an Active Directory domain named fabrikam.com. The domain has one Active Directory

site.

The domain contains an organizational unit (OU) named SalesOU. SalesOU contains all of the user accountsfor the sales department. Some of the sales users are temporary employees.

You apply a Group Policy object (GPO) named SalesGPO to SalesOU.

You need to prevent SalesGPO from being applied to the temporary sales employees. All other salesemployees must have SalesGPO applied to them.

What should you do?

A. Configure the permissions on the user accounts of the temporary sales employees.B. Configure the permissions of SalesGPO.C. Link SalesGPO to the site and remove the link for SalesGPO from SalesOU.D. Disable the computer configurations of SalesGPO.



QUESTION 96A corporate network includes a single Active Directory Domain Services (AD D5) domain. The domain contains10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNSservers.




A. Use the dnscmd tool with the /enlistdirectorypartition parameter.B. Create a new delegation in the ForestDnsZones application directory partition.C. Use the dnscmd tool with the /createdirectorypartition parameter.D. Use the dnscmd tool with the /createbuiltindirectorypartitions parameter.



QUESTION 97Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named DC1. DC1 has the DNS Server server role installed and hosts the zone for contoso.com.

All host (A) records are registered in DNS by using dynamic updates.

You deploy a new server named dns.contoso.com.

You install the DNS Server server role on dns.contoso.com.

The Name Servers list is shown in the Name Server exhibit. (Click the Exhibit button.)

The Zone Transfers settings are shown in the Zone Transfers exhibit. (Click the Exhibit button.)


On dns.contoso.com, you create a secondary zone for contoso.com and you specify DC1 as the master server.

You discover that the zone fails to transfer to dns.contoso.com.

You open DNS Manager as shown in the DNS Manager exhibit. (Click the Exhibit button.)


You need to ensure that dns.contoso.com can transfer the contoso.com zone.

What should you do?

A. Modify the name servers list for the contoso.com zone.B. Change the A record for dns.contoso.com to use 10.0.0.2.C. Add an A record for contoso.com that has a value of 10.0.0.2.D. Allow zone transfers to the 10.0.0.2 IP address.E. Add a name server (NS) record for contoso.com that has a value of 10.0.0.2.



QUESTION 98Your network contains an Active Directory forest named contoso.com. The forest contains a single domain and10 domain controllers. All of the domain controllers run Windows Server 2008 R2 Service Pack 1 (SP1).

The forest contains an application directory partition named dc=app1/dc=contoso,dc=com. A domain controllernamed DC1 has a copy of the application directory partition.

You need to configure a domain controller named DC2 to receive a copy of dc=app1,dc=contoso,dc=com.


A. DsdbutilB. smgmtC. Dsamain

D. Dsmod



QUESTION 99A corporate network includes a single Active Directory Domain Services (AD D5) domain and two AD DS sites.The AD DS sites are named Toronto and Montreal. Each site has multiple domain controllers.

You need to determine which domain controller holds the Inter-Site Topology Generator role for the Torontosite.

What should you do?

A. Use the Ntdsutil tool with the roles parameter.B. Use the Ntdsutil tool with the local roles parameter.C. Use the LDP tool to view the NTDS Site Settings for the Toronto site.D. Use the LDP tool to view the properties of each domain controller in the Toronto site




You need to ensure that the administrators of any of the domains can specify a user principal name (UPN)suffix of litwareinc.com when they create user accounts by using Active Directory Users and Computers.


A. Set-ADAccountControlB. Active Directory Domains and TrustsC. Set-ADDomainD. Active Directory Users and Computers


Explanation/Reference:Topic 6, Volume F

Exam F

QUESTION 1Your network contains an Active Directory forest named contoso.com. The functional level of the forest isWindows Server 2008 R2. You have four Active Directory sites. Each site has multiple Active Directory subnets.

You need to identify all of the authentication requests that originate from client computers that are notassociated to an Active Directory subnet.


A. The %Systemroot%\System32\Network_llu.log log fileB. The %Systemroot%\Debug\Netsetup.log log fileC. The Authentication User Interface operational logD. The %Systemroot%\Debug\Netlogon.log log file






A. Get-ADFineGrainedPasswordPolicyB. DcdiagC. Get-ADDomamControllerPasswordReplicationPolicyD. Get-ADAccountResultantPasswordReplicationPolicy





The GPO is used to deploy a number of software packages.

You need to ensure that the GPO is applied only to client computers that have sufficient free disk space.

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. WMI FilterG. Enable block inheritance.H. Configure the link order.I. Enable loopback processing in merge mode.J. Enable loopback processing in replace mode.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd184083.asp

QUESTION 4You have an Active Directory domain named contoso.com.

You need to view the account lockout threshold and duration for the domain.


A. Get-ItemPropertyB. Active Directory Domains and TrustsC. Net UserD. Gpresult


Explanation/Reference:http://social.technet.microsoft.com/Forums/windowsserver/en-US/e796ed64-e137-4ce4-91ee-f4f6e574f7c1/account-lockout-policy

QUESTION 5Your network contains an Active Directory domain named litwareinc.com. The domain contains two sitesnamed Site1 and Site2. Site2 contains a read-only domain controller (RODC).




A. RepadminB. DcdiagC. Get-ADAccountResultantPasswordReplicationPolicyD. Active Directory Sites and Services


Explanation/Reference:http://technet.microsoft.com/en-au/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspx

QUESTION 6Your network contains an Active Directory forest named contoso.com. The functional level of the forest isWindows Server 2008 R2.

The DNS zone for contoso.com is Active Directory-integrated.

You deploy a read-only domain controller (RODC) named RODC1.

You install the DNS Server server role on RODC1.

You discover that RODC1 does not have any DNS application directory partitions.

You need to ensure that RODC1 has a copy of the DNS application directory partition of contoso.com.

What should you do?

A. From DNS Manager, right-click RODC1 and click Create Default Application Directory Partitions.B. From DNS Manager, create primary zones.C. Run ntdsutil.exe. From the Partition Management context, run the create nc command.D. Run dnscmd.exe and specify the /enlistdirectorypartition parameter.


Explanation/Reference:http://technet.microsoft.com/pl-pl/library/cc742490%28v=ws.10%29.aspxhttp://technet.microsoft.com/en-us/library/cc753801.aspx


You have a comma separated value (CSV) file named Users.txt. Users.txt contains the information for 500users and all of the attributes required to create user accounts.

You plan to automate the creation of user accounts by using the Users.txt file.

You need to identify which two cmdlets you must run. The solution must pipe the output from the first cmdlet tothe second cmdlet.

What should you run from Windows PowerShell?

To answer, configure the appropriate PowerShell command in the answer area.

A.B.C.D.





You have two Group Policy objects (GPOs) named GPO1 and GP02. GPO1 and GP02 are linked to the SalesOU and contain multiple settings.

You discover that GP02 has a setting that conflicts with a setting in GPO1. When the policies are applied, thesetting in GP02 takes effect.

You need to ensure that the settings in GPO1 supersede the settings in GP02. The solution must ensure thatall non-conflicting settings in both GPOs are applied.

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Sales OU.J. Link the GPO to the Engineering OU.



QUESTION 9You have a standard primary zone named contoso.com.

You need to configure how often the zone will be transferred to servers that host a secondary copy of the zone.

Which tab should you use?

To answer, select the appropriate tab in the answer area.

A.B.C.D.






A. NtdsutilB. DcdiagC. RepadminD. Get-ADAccountResultantPasswordReplicationPolicy



QUESTION 11Your network contains four domain controllers. The domain controllers are configured as shown in the followingtable.

All of the domain controllers are configured to host an Active Directory-integrated zone for their respectivedomain.

A GlobalNames zone is deployed in the fabrikam.com forest.

You add a canonical (CNAME) record named Server1 to the GlobalNames zone.

You discover that users in the contoso.com forest cannot resolve the name Server1. The users infabrikam.com can resolve the name Server1.

You need to ensure that the contoso.com users can resolve names in the GlobalNames zone.

What should you do? (Each correct answer presents part of the solution. Choose two.)

A. Run dnscmd.exe and specify the globalnamesqueryorder parameter on CONT-DC1 and CONT-DC2.B. Add service location (SRV) records named _globalnames to the _msdcs.contoso.com zone.C. Run dnscmd.exe and specify the enableglobalnamessupport parameter on CONT-DC1 and CONT-DC2.D. Run dnscmd.exe and specify the globalnamesqueryorder parameter on FABR-DC1 and FABR-DC2.E. Run dnscmd.exe and specify the enableglobalnamessupport parameter on FABR-DC1 and FABR-DC2.F. Add service location (SRV) records named _globalnames to the _msdcs.fabrikam.com zone.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc794961(v=ws.10).aspx

You can use this task to create a GlobalNames zone to maintain a set of single-label Domain Name System(DNS) names that can be resolved by Windows Server 2008 DNS servers on behalf of DNS clients throughoutmultiple Active Directory Domain Services (AD DS) forests. See Providing Single-Label DNS Name Resolutionfor information about deploying a GlobalNames zone.Deploying a GlobalNames zone in multiples forest requires you to perform the following steps:Create a zone named GlobalNames that is replicated to all domain controllers in one forest.

Add an alias (CNAME) record to the zone for each host for which you want to provide single-label nameresolution. For example, if you want DNS clients to be able to access a server whose fully qualified domainname is cweb.itgroup.contoso.com, you would add a CNAME record that maps the name cweb tocweb.igroup.contoso.com.

Add a service locator (SRV) resource record to the zone corresponding to the forest-wide _msdcs zone of theother forests.





A. RepadminB. LdpC. DnscmdD. Ntdsutil



QUESTION 13Your network contains an Active Directory domain. The domain contains two file servers. The file servers areconfigured as shown in the following table.

TestYou create a Group Policy object (GPO) named GPO1 and you link GPO1 to OU1.

You configure the advanced audit policy as shown in the exhibit. (Click the Exhibit button.)

You discover that the settings are not applied to Server1. The settings are applied to Server2.

You need to ensure that access to the file shares on Server1 is audited.

What should you do?

A. On Server1, run secedit.exe and specify the /configure parameter.B. On Server1, run auditpol.exe and specify the /set parameter.C. From GPO1, configure the Security Options.D. From Active Directory Users and Computers, modify the permissions of the computer account for Server1.E. From Active Directory Users and Computers, add Server1 to the Event Log Readers group.



QUESTION 14A corporate network includes a single Active Directory Domain Services (AD DS} domain.

The HR department has a dedicated organization unit (OU) named HR. The HR OU has two sub-OUs: HRUsers and HR Computers. User accounts for the HR department reside in the HR Users OU. Computeraccounts for the HR department reside in the HR Computers OU. All HR department employees belong to asecurity group named HR Employees. All HR department computers belong to a security group named HRPCs.

Company policy requires that passwords are a minimum of six characters.

You need to ensure that, the next time HR department employees change their passwords, the passwords arerequired to have at least eight characters. The password length requirement should not change for employeesof any other department.

What should you do?

A. Modify the local security policy on each computer in the HR PCs group.B. Create a fine-grained password policy and apply it to the HR Employees group.C. Create a new GPO, with the necessary password policy, and link it to the HR Computers OU.D. Create a fine-grained password policy and apply it to the HR Computers OU.



QUESTION 15Your network contains an Active Directory domain. The domain contains a domain controller named DC1 thatruns Windows Server 208 R2 Service Pack 1 (SP1).

You need to implement a central store for domain policy templates.

What should you do?

To answer, select the source content that should be copied to the destination folder in the answer area.

A.B.C.D.



QUESTION 16Your network contains an Active Directory domain named contoso.com. The domain contains a file servernamed Server1. Server1 has a shared folder named Profiles.

You plan to create a new user template named User_Template.

You need to ensure that when you copy User_Temptate, the new user account has a unique profile foldercreated in the Profiles share.

Which value should you specify for the profile path?

A. %Userprofile%\Server1\profilesB. \\Server1\profiles\%username%C. \\Server1\%userprofile%\D. \\Server1\profiles\username



QUESTION 17A corporate network includes a single Active Directory Domain Services (AD D5) domain.

The HR department has a dedicated organization unit (OU) named HR. The HR OU has two sub-OUs: HRUsers and HR Computers. User accounts for the HR department reside in the HR Users OU. Computeraccounts for the HR department reside in the HR

Computers OU. All HR department employees belong to a security group named HR Employees. All HRdepartment computers belong to a security group named HR PCs.

Company policy requires that passwords are a minimum of six characters.

You need to ensure that, the next time HR department employees change their passwords, the passwords arerequired to have at least eight characters. The password length requirement should not change for employeesof any other department.

What should you do?

A. Create a fine-grained password policy and apply it to the HR Computers OU.B. Modify the password policy in the GPO that is applied to the domain controllers OU.C. Create a fine-grained password policy and apply it to the HR Employees group.D. Modify the password policy in the GPO that is applied to the domain.

Correct Answer: CSection: (none)

Explanation


QUESTION 18A user attempts to join a computer to the domain, but the attempt fails.

You need to ensure that the user can join fifty computer to the domain. You must ensure that the user is deniedany additional rights beyond those required to complete the task.

What should you do?

A. Prestage each computer account in the Active Directory domain.B. Deploy a Group Policy Object (GPO) that modifies the user rights settings.C. Add the user to the Domain Administrators group for one day.D. Deploy a Group Policy object (GPO) that modifies the Restricted Groups settings.



QUESTION 19A corporate network includes a single Active Directory Domain Services (AD D5) domain.

All regular user accounts reside in an organizational unit (OU) named Employees. All administrator accountsreside in an OU named Admins.



A. Use the Auditpol.exe command-line tool to enable the directory services access auditing subcategory.B. Enable the Audit directory service access setting in the Default Domain Controllers Policy Group Policy

Object.C. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the

Employees OU.D. Enable the Audit directory service access setting in the Default Domain Policy Group Policy Object.



Before we can use the Directory Service Changes audit policy subcategory, we have to enable it first. We cando that by using auditpol.exe.Reference:


Auditing changes to objects in AD DS






The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory DirectoryService Changes. This guide provides instructions for implementing this audit policy subcategory.

The types of changes that you can audit include a user (or any security principal) creating, modifying, moving,or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS:

When a successful modify operation is performed on an attribute, AD DS logs the previous and current valuesof the attribute. If the attribute has more than one value, only the values that change as a result of the modifyoperation are logged.

(...)

Steps to set up auditing

This section includes procedures for each of the primary steps for enabling change auditing:


Step 2: Set up auditing in object SACLs by using Active Directory Users and Computers.



(...)

By using the Auditpol command-line tool, you can enable individual subcategories.

To enable the change auditing policy using a command line



auditpol /set /subcategory:"directory service changes" /success:enable


You create a new application directory partition.

You need to ensure that the new application directory partition replicates to only three of the domain controllers.


A. Active Directory Administrative CenterB. DsamainC. DsmodD. Ntdsutil



QUESTION 21Your network contains an Active Directory domain named contoso.com. All domain controllers run a ServerCore installation of Windows Server 2008 R2.

You need to identify which domain controller holds the PDC emulator role.

Which tool should you run?

A. Get-AdOptionalFeatureB. netdom.exeC. Search-AdAccountD. dsrm.exe


Explanation/Reference:Explanation: The FSMO role holders can be easily found by use of the Netdom command. On any domaincontroller, click Start, click Run, type CMD in the Open box, and then click OK.In the Command Prompt window, type netdom query /domain:<domain> fsmo (where <domain> is the name ofYOUR domain).Note:The five FSMO roles [in Windows 2003] are:Schema master - Forest-wide and one per forest.Domain naming master - Forest-wide and one per forest. RID master - Domain-specific and one for eachdomain. PDC - PDC Emulator is domain-specific and one for each domain.

Infrastructure master - Domain-specific and one for each domain.

QUESTION 22Your network contains an Active Directory forest. The forest contains two domains. The forest contains fourdomain controllers. The domain controllers are configured as shown in the following table.

All user accounts are located in the child.contoso.com domain. Users in the child.contoso.com domain aremembers of several security groups in the contoso.com domain.

Your company decides to change the naming standard of user accounts.

You rename all of the user accounts to comply with the new standard.

You discover that the old user names are listed in the members' list of the security groups in the contoso.comdomain.

You need to ensure that the members' list of the security groups in the contoso.com domain displays the newuser names.

What should you do?

A. Transfer the PDC emulator role from DC2 to DC3.B. Configure DC5 as a global catalog server.C. Configure DC1 as a global catalog server.D. Transfer the infrastructure master role from DC3 to DC2.



QUESTION 23You are decommissioning a child domain. The child domain contains five operations master roles.

You need to transfer the forest operations master roles to a newly installed domain controller in a different childdomain.

Which two domain operations master roles should you transfer? (Each correct answer presents part of thesolution. Choose two.)

A. RID masterB. PDC emulatorC. Schema masterD. Domain naming masterE. Infrastructure master


Explanation/Reference:Explanation: Forestwide Operations Master RolesThe schema master and domain naming master are forestwide roles, meaning that there is only one schemamaster and one domain naming master in the entire forest.

Note:* Operations Master RolesThe five operations master roles are assigned automatically when the first domain controller in a given domainis created. Two forest-level roles are assigned to the first domain controller created in a forest and threedomain-level roles are assigned to the first domain controller created in a domain.* The five FSMO roles [in Windows 2003] are:Schema master - Forest-wide and one per forest.Domain naming master - Forest-wide and one per forest. RID master - Domain-specific and one for eachdomain. PDC - PDC Emulator is domain-specific and one for each domain. Infrastructure master - Domain-specific and one for each domain.


The domain contains a certification authority (CA).

The network contains several Layer 3 switches.

You need to ensure that the switches can request certificates from the CA.

Which role service should you deploy?

A. Network Device Enrollment ServiceB. Windows Token-based AgentC. Network Policy ServerD. Client Certificate Mapping Authentication




The forest contains an enterprise certification authority (CA). The enterprise CA is inaccessible from theinternet.

You have a server named Server1 that runs Windows Server 2008 R2. Server1 is accessible from the Internet.Server1 can communicate with the enterprise CA.

You need to ensure that laptops that are joined to the domain can renew their certificates automatically from theInternet.

Which two role services should you install on Server1? (To answer, select the two appropriate role services inthe answer area.)

A.B.C.D.



QUESTION 26Your network contains an Active Directory domain named contoso.com. The domain contains two memberservers named Server1 and Server2.

You configure Server1 as a standalone root certification authority (CA).

You identify the following requirements for the public key infrastructure (PKI):

The root CA must be offline once the PKI is deployed. Users must be able to enroll for certificatesautomatically.

You need to configure Server2 to meet the PKI requirements.

What should you configure on Server2?

A. A standalone subordinate CAB. A standalone root CA

C. An enterprise subordinate CAD. An enterprise root CA




The aging and scavenging settings of the contoso.com zone are configured as shown in the exhibit. (Click theExhibit button.)

To answer, complete each statement according to the information presented in the exhibit.

A. 30B. Rmain unchangedC.D.



QUESTION 28Your network contains an Active Directory domain named contoso.com. The domain contains three domaincontrollers named DC1, DC2 and DC3.

You need to create a zone named adatum.com that replicates between DC1 and DC2 only. The zone data foradatum.com must be writable on both DC1 and DC2.

Which three actions should you perform in sequence? (To answer, move the appropriate three actions from thelist of actions to the answer area and arrange them in the correct order.)

A.B.C.D.



QUESTION 29Your network contains an Active Directory domain named contoso.com. All domain controllers run WindowsServer 2008 R2. The domain contains a domain controller named DC1. DC1 hosts an Active Directory-integrated zone for contoso.com.

You enable record scavenging for contoso.com by using the default settings. You configure scavenging to runevery seven days.

After 30 days, you discover that some DNS records of computers that were removed from the network are stillpresent in the contoso.com zone.

You need to ensure that the scavenging process can remove the stale records.What command should yourun? (To answer, select the appropriate options in the answer area.)

A.B.C.

D.



QUESTION 30Your network contains an Active Directory domain named contoso.com. All servers are located in the sameActive Directory site. The domain contains two domain controllers named DC1 and DC2. Both domaincontrollers host an Active Directory-integrated zone for contoso.com.

The Start of Authority (SOA) record of the contoso.com zone is shown in the exhibit. (Click the Exhibit button.)

You have a member server named Server1. Server1 hosts a secondary zone of contoso.com.

On DC1, you add a new record to the contoso.com zone.

In the table below, identify the maximum amount of time required to replicate the record to each server. Makeonly one selection in each column.


A.B.C.D.



QUESTION 31Your network consists of an Active Directory forest that contains one domain named contoso.com. All domaincontrollers run Windows Server 2008 R2 and are configured as DNS servers. You have two Active Directory-integrated zones: contoso.com and nwtraders.com.

You need to ensure a user is able to modify records in the nwtraders.com zone. The solution must prevent theuser from modifying the SOA record in the contoso.com zone.

What should you do?

A. From the DNS Manager console, modify the permissions of the nwtraders.com zone.B. From the DNS Manager console, modify the permissions of the contoso.com zone.C. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.D. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers

organizational unit (OU).



QUESTION 32Your network contains 50 domain controllers that runs Windows Server 2008 R2.

You need to create a script that resets the Directory Services Restore Mode (DSRM) password on all of thedomain controllers. The solution must NOT maintain passwords in the script.

Which two tools should you use? (Each correct answer presents part of the solution.Choose two.)

A. Active Directory Users and ComputersB. NtdsutilC. DsamainD. Local Users and Groups


Explanation/Reference:Explanation: B: You can also NTDSUTIL command tool to reset DSRM password.

In an elevated CMD prompt where you have logged on as a Domain Admin, run:NTDSUTIL SET DSRM PASSWORD SYNC FROM DOMAIN ACCOUNT <your user here> Q Q

D (not A): There comes a day in nearly every administrator's life where they will need to boot a domaincontroller into DS Restore Mode. Whether it's to perform an authoritative restore or fix database issues, you willneed the local administrator password.


You modify the Active Directory schema.

You need to verify that all the domain controllers received the schema modification.


A. netdom.exe query fsmoB. repadmin.exe /showrepl *C. dcdiag.exe /e /test:TopologyD. dcdiag.exe /a



QUESTION 34Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named DC1.

You install Active Directory Lightweight Directory Services (AD LDS) on a member server named Server2. OnServer2, you create a directory partition named fabrikam.com.

You need to configure the MS-AdamSyncConfig.xml file to synchronize data from contoso.com tofabrikam.com.

What should you do? (To answer, select the appropriate options in the answer area.)


A.B.C.D.

Correct Answer:




The domain has a branch site that contains a read-only domain controller (RODC) named R0DC1.

A user named User1 is a member of the Allowed RODC Password Replication Group. User1 frequently logs onto a computer in the branchsite.

You remove User1 from the Allowed RODC Password Replication Group.

You need to ensure that the password of User1 is no longer cached on RODC1.

What should you do?

A. Add User1 to the Denied RODC Password Replication Group, and then force Active Directory replication.B. Run repadmin /rodcpwdrepl rodc2.contoso.com dc.contoso.com cn = User1,cn-users,dc = contoso,dc-com.C. Run repadmin /prp delete rodcl.contoso.com allow cn = User1, cn = users, dc = contoso,dc = com.D. Reset the password of User1, and then force Active Directory replication.



QUESTION 36Your network contains an Active Directory forest. The forest contains a single domain named contoso.com. Thedomain contains domain controllers that run either Windows Server 2003 or Windows Server 2008 R2.

The functional level of the domain and the forest is Windows Server 2003.

You need to add a read-only domain controller (RODC) to the forest.


A. Upgrade the domain controllers that run Windows Server 2003.B. Raise the domain functional level.C. Run the adprep command.D. Raise the forest functional level.



QUESTION 37Your company has two offices. The offices are located in Miami and London.

The network contains an Active Directory forest named contoso.com. The forest contains two child domainsnamed miami.contoso.com and london.contoso.com. Each domain contains 50 domain controllers that runWindows Server 2008 R2. Each office is configured as an Active Directory site.

The office in London recently hired several thousand new employees.

You need to move 10 domain controllers from miami.contoso.com to london.contoso.com.

What should you do?

A. Run the dsadd.exe commandB. Run the nltest.exe command.C. Run the Set-AdDomain cmdlet.D. Run the dsmove.exe command.E. Run the dcpromo.exe command.F. Run the Move-AdDirectoryServer cmdlet.G. Use the Active Directory Schema snap-in.H. Use the Active Directory Users and Computers console.



QUESTION 38Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. Thedomain contains 50 domain controllers that run Windows Server 2008 R2.

The domain contains a group named Computer_Location.

You plan to create 1,000 computer accounts in the domain in several organizational units (OUs).

You need to ensure that the members of the Computer_Location group can modify the description of eachcomputer account as soon as the account is created.

The solution must use permissions that are applied explicitly to the new computer accounts.

What should you do?



Explanation/Reference:http://technet.microsoft.com/en-us/library/cc757520(v=ws.10).aspx

To assign, change, or remove permissions on Active Directory objects or attributes

Open Active Directory Users and Computers.

On the View menu, select Advanced Features.

Right-click the object for which you want to assign, change, or remove permissions, and then click Properties.

On the Security tab, click Advanced to view all of the permission entries that exist for the object.

Do one or more of the following:

To assign new permissions on an object or attribute, click Add. Type the name of the group, computer, or userthat you want to add, and then click OK. In the Permission Entry for ObjectName dialog box, on the Object andProperties tabs, select or clear the Allow or Deny check boxes, as appropriate.

To change existing permissions on an object or attribute, click a permission entry, and then click Edit. On theObject and Properties tabs, select or clear the Allow or Deny check boxes, as appropriate.

To remove existing permissions from an object or attribute, click a permission entry, and then click Remove.

ImportantBefore adding access control permissions on Active Directory objects or properties, see Related Topics.


The network contains an Active Directory forest named contoso.com. The forest contains two child domainsnamed miami.contoso.com and london.contoso.com. The domain contains 50 domain controllers that runWindows Server 2008 R2. Each office is configured as an Active Directory site.

The forest contains a custom attribute named SecurityAccessCode.

You recently configured a domain controller named DC22 as a global catalog server.

You need to verify that SecurityAccessCode is configured to replicate to DC22.

What should you do?




QUESTION 40Your network contains an Active Directory domain named contoso.com. The domain

contains a domain controller named DC1. DC1 hosts an Active Directory-integrated zone for contoso.com.

The research department maintains its own DNS servers and hosts a zone named research.contoso.com on aUNIXbased server named Server1.

The perimeter network contains a DNS server named Server2. Server2 is a standalone server that runsWindows Server 2008 R2.

You need to configure the DNS settings of Server2 to meet the following requirements:

Server2 must maintain a copy of all the records in research.contoso.com. DC1 must query Server2 to resolvethe names of Internet hosts.


A. Create a secondary zone.B. Create a conditional forwarder.C. Create a stub zone.D. Create a primary zone.E. Create a Forwarder.

Correct Answer: AESection: (none)Explanation

Explanation/Reference:Explanation: A: When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondarysource for information about this zone. The zone at this server must be obtained from another remote DNSserver computer that also hosts the zone. This DNS server must have network access to the remote DNSserver that supplies this server with updated information about the zone. Because a secondary zone is merely acopy of a primary zone that is hosted on another server, it cannot be stored in AD DS.

E: * A forwarder is a Domain Name System (DNS) server on a network that is used to forward DNS queries forexternal DNS names to DNS servers outside that network.Incorrect:Not B: You can configure your server to forward queries according to specific domain names using conditionalforwarders.


The Zone Transfers settings of contoso.com are configured as shown in the Zone Transfers exhibit. (Click theExhibit button.)

The Name Servers settings of contoso.com are configured as shown in the Name Servers exhibit. (Click the

Exhibit button.)


To answer, complete each statement according to the information presented in the exhibits.

A.

B.C.D.



QUESTION 42Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named DC1 that runs Windows Server 2008 R2.

You need to increase the amount of Active Directory diagnostic information logged to the Event Viewer on DC1.

What should you do?

A. Modify the properties of the objects in the Active Directory Diagnostics Data Collector Set (DCS).B. Modify the properties of the System Log and the Application Log.C. Modify the flags attribute of DC1.D. Modify the settings in the

HKey_Local_Machine\SYSTEM\CurrentControlSet\services\NTDS\Diagnostics registry key.




The domain contains an enterprise certification authority (CA).

You plan to delegate certificate enrollment for Smartcard Logon certificates to a user named User1.

User1 is the member of a group named CONTOSO\DelegatedAdmins.

You need to recommend a solution to provide User1 with the ability to enroll for Smartcard Logon certificates onbehalf of other domain users.

What should you include in the recommendation?

A. Duplicate the Smartcard Logon certificate template. Modify the Extensions settings and the RequestHandling settings of the new template.

B. Modify the Issuance Requirements settings and the Security settings of the Smartcard Logon certificatetemplate.

C. Modify the Extensions settings and the Request Handling settings of the Smartcard Logon certificatetemplate.

D. Duplicate the Smartcard Logon certificate template. Modify the Issuance Requirements settings and theSecurity settings of the new template.



QUESTION 44A corporate network includes a single Active Directory Domain Services (AD D5) domain. All regular useraccounts reside in an organizational unit (OU) named Employees. All administrator accounts reside in an OUnamed Admins.



A. Enable the Audit directory service access setting in the Default Domain Policy Group Policy Object.B. Use the Auditpol.exe command-line tool to enable the directory services changes auditing subcategory.C. Modify the searchFlags property for the User class in the schema.D. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the

Admins OU.




You need to ensure that when computers are joined manually to the domain by using the System Properties,the computer account of the computers is created automatically in an organizational unit (OU) namedNewComputers.


A. dsmgmt.exeB. redircmp.exeC. csvde.exeD. computerdefaults.exe


Explanation


QUESTION 46A corporate network includes an Active Directory Domain Services (AD DS) forest that contains two domains.All servers run Windows Server 2008 R2. All domain controllers are configured as DNS servers.

A standard primary zone for dev.contoso.com is stored on a member server.


What should you do?

A. On one domain controller, create a stub zone. Configure the stub zone to replicate to all DNS servers in theforest.

B. On one domain controller, create a stub zone. Configure the stub zone to replicate to all DNS servers in thedomain.

C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate toall DNS servers in the domain.

D. On the member server, create a secondary zone.



QUESTION 47Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named DC1.

You have a member server named Server1.

Both DC1 and Server1 have the DNS Server server role installed.

On DC1, you create an Active Directory-integrated zone named adatum.com.

You need to ensure that Server1 receives a copy of the zone.


A. Create a secondary zone on Server1.B. Modify the zone type of adatum.com.C. Modify the Zone Transfers settings of adatum.com,D. Add Server1 to the DNSUpdateProxy group.E. Create a primary zone on Server1.



QUESTION 48Your company has one main office and four branch offices.

The main office contains a standard primary DNS zone named adatum.com. Each branch office contains acopy of the adatum.com zone.

When records are added to the adatum.com zone, you discover that it takes up to one hour before the changesreplicate to each zone in the branch offices.

You need to minimize the amount of time it takes for the records to be updated in the branch offices.

What should you do?

A. On the DNS server in the main office, configure the Notify settings.B. On the DNS servers in the branch offices, configure the Notify settings.C. On the DNS servers in the branch offices, configure the Zone Aging/Scavenging Properties.D. On the DNS server in the main office, configure the Zone Aging/Scavenging Properties.




The domain contains a domain controller named DC1. DC1 has the DNS namespaces configured as shown inthe following table.

In the table below, identify which queries will have an authoritative or non-authoritative response from DC1.Make only one selection in each row.


A.B.C.D.




You have a server named Server1 that is configured as an enterprise root certification authority (CA).

You need to ensure that private keys can be archived on Server1.

Which three actions should you perform in sequence? (To answer, move the appropriate three actions from thelist of actions to the answer area and arrange them in the correct order.)

A.B.C.D.




The network contains a public key infrastructure (PKI).

You deploy a new certificate revocation list (CRL) distribution point (CDP) to a server named Server1.

You discover that users cannot download delta CRLs from Server1.

You verify that the users can download the complete CRL successfully.

You need to ensure that the users can download delta CRLs from Server1.


A. Appcmd set config "Default Web Site" /section:system.webServer/Security/requestFiltering -allowDoubleEscaping:True

B. Appcmd set config "Certificates" /section:system.webServer/Security/requestFiltering -allowDoubleEscaping: False

C. Certutil -setreg CA\CRLDeltaPeriod "Days"D. Certutil -setreg CA\CRLOverlapPeriod "Days"




A portion of the Group Policy object (GPO) settings for a computer in the contoso.com domain is configured asshown in the following exhibit. (Click the Exhibit button.)


A.B.

C.D.




You create two global groups named Group1 and Group2. The group membership of each group is shown inthe following table.

You create the Password Settings objects (PSOs) shown in the following table.

In the table below, identify which PSOs will apply to User1 and User2. Make only one selection in each column.

A.B.C.D.






A. Group Policy Management EditorB. Authorization ManagerC. DsaddD. Ldifde




Creating a PSO using ldifde

You can use the ldifde command as a scriptable alternative for creating PSOs.

To create a PSO using ldifde

1. Define the settings of a new PSO by saving the following sample code as a file, for example, pso.ldf: dn:CN=PSO1, CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com changetype: addobjectClass:

msDS-PasswordSettings

msDS-MaximumPasswordAge:-1728000000000

msDS-MinimumPasswordAge:-864000000000

msDS-MinimumPasswordLength:8

msDS-PasswordHistoryLength:24

msDS-PasswordComplexityEnabled:TRUE

msDS-PasswordReversibleEncryptionEnabled:FALSE

msDS-LockoutObservationWindow:-18000000000

msDS-LockoutDuration:-18000000000

msDS-LockoutThreshold:0

msDS-PasswordSettingsPrecedence:20

msDS-PSOAppliesTo:CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com

2. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.


ldifde i f pso.ldf

QUESTION 55

Your network contains an Active Directory domain named contoso.com.

Members of the sales department are issued laptops that have wireless network cards.

You need to ensure that when users connect to an unidentified network from their laptop, the network isconfigured as a Public network.

Which node in Group Policy Management Editor should you use?To answer, select the appropriate node in theanswer area.


A.B.C.D.



QUESTION 56"A Composite Solution With Just One Click" - Certification Guaranteed 494 Microsoft 70-640 : Practice TestYour network contains an Active Directory domain named contoso.com.

The domain contains an organizational unit (OU) named SalesUsers.

The OU contains 50 user accounts. You need to identify the effective Password Settings object (PSO) of eachuser in the SalesUsers OU.

Which command should you run? (To answer, select the appropriate options in the answer area.)

A.B.C.D.


Explanation





A. Get-AdForestB. Netdom.exeC. Get-AdOptionalFeatureD. Query.exe



QUESTION 58Your network contains an Active Directory forest named contoso.com. The forest contains one domain. Thedomain contains three domain controllers. The domain controllers are configured as shown in the followingtable.

DC2 fails and cannot be recovered.

Several weeks later, administrators report that they can no longer create new users and groups in the domain.

You need to ensure that the administrators can create new users and groups.

What should you add?

A. the RID master role to DC3

B. the schema master role to DC1C. the infrastructure master role to DC1D. the domain naming master role to DC3



QUESTION 59Your network contains an Active Directory domain. The domain contains eight domain controllers.

You need to verify that all the domain controllers can connect to the time server.


A. netdom.exe query fsmoB. dcdiag.exe /e /test:TopologyC. repadmin.exe /showrepl *D. dcdiag.exe /a



QUESTION 60Your company has a main office and 40 branch offices. Each branch office is configured as a separate ActiveDirectory site that has a dedicated read-only domain controller (RODC).

You need to identify the user accounts that can be cached on the RODC server.

Which utility should you use?

A. Dsmod.exeB. Repadmin.exeC. Active Directory Domain and TrustsD. Active Directory Sites and Services




The properties of the contoso.com DNS zone are configured as shown in the exhibit. (Click the Exhibit button.)

You need to update the Host (A) record for a domain controller in the domain.

What should you do?

A. Restart the Netlogon service.B. Restart the DNS Client service.C. Run sc.exe and specify the triggerinfo parameter.D. Run ipconfig.exe and specify the /registerdns parameter.




The network contains an Active Directory forest named contoso.com. The forest contains two child domainsnamed miami.contoso.com and london.contoso.com. The domain contains 50 domain controllers that runWindows Server 2008 R2. Each office is configured as an Active Directory site.

You plan to deploy several read-only domain controllers (RODCs) to the Miami site.

You need to pre-create the computer accounts of the RODCs.

What should you do?




QUESTION 63Your network contains an Active Directory forest named contoso.com. The forest contains 10 domains. Eachdomain contains 50 domain controllers that run Windows Server 2008 R2. The domain functional level isWindows Server 2008.

You need to raise the domain functional level of all the domains to Windows Server 2008 R2.

What should you do?

A. Run the dsadd.exe commandB. Run the nltest.exe command.

"A Composite Solution With Just One Click" - Certification Guaranteed 499 Microsoft 70-640 : Practice TestC. Run the Set-AdDomain cmdlet.D. Run the dsmove.exe command.E. Run the dcpromo.exe command.F. Run the Move-AdDirectoryServer cmdlet.G. Use the Active Directory Schema snap-in.H. Use the Active Directory Users and Computers console.



QUESTION 64Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. Thedomain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 isconfigured as the infrastructure master for contoso.com.

You need to move the infrastructure master role from DC1 to DC2.

What should you do?

A. Run the dsadd.exe commandB. Run the nltest.exe commandC. Run the Set-AdDomain cmdlet.D. Run the dsmove.exe command.E. Run the dcpromo.exe command.F. Run the Move-AdDirectoryServer cmdlet.G. Use the Active Directory Schema snap-in.H. Use the Active Directory Users and Computers console.



QUESTION 65Your network contains an Active Directory forest named contoso.com. The forest contains two domains. Alldomain controllers are configured as global catalog servers.

The forest root domain contains five domain controllers. The domain controllers are configured as shown in thefollowing table.

You plan to create a custom attribute in Active Directory that will replicate to all of the global catalog servers.

You need to identify which domain controller must be online to perform the planned action.

Which domain controller should you identify?

A. DC1B. DC2C. DC3D. DC4E. DC5



QUESTION 66Your network contains an Active Directory domain. The domain is configured as shown in the following table.

Users in Branch2 sometimes authenticate to a domain controller in Main.

You need to ensure that users in Branch2 only authenticate to the domain controllers in

Branch1.

What should you do?

A. On DC1 and DC2, set the AutoSiteCoverage value to 1.B. On DC1 and DC2, set the AutoSiteCoverage value to 0.C. On DC3, set the AutoSiteCoverage value to 0.D. On DC3, set the AutoSiteCoverage value to 1.



QUESTION 67Your network contains an Active Directory domain that has the password policy shown in the following exhibit.(Click the Exhibit button.)



A.B.C.D.



QUESTION 68A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular useraccounts reside in an organizational unit (OU) named Employees. All administrator accounts reside in an OUnamed Admins.



A. Use the Auditpol.exe command-line tool to enable the directory services subcategory.B. Use the Auditpol.exe command-line tool to enable the directory services changes auditing subcategory.C. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the

Admins OU.D. Modify the searchFlags property for the Name attribute in the schema.



QUESTION 69You have Active Directory Certificate Services (AD CS) deployed.

You have a Version 1 certificate template.

You need to ensure that all of the computers in the domain automatically enroll for a certificate based on thecertificate template.

What should you do?

A. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.D. In a Group Policy object (GPO), configure the autoenrollment settings.






A. Get AdDomainB. Query.exeC. Netsh.exeD. Search-AdAccount

Correct Answer: A


Explanation/Reference:Explanation: Get-ADDomainGets an Active Directory domain.

Example output (see last line):Get-ADDomainAllowedDNSSuffixes : {}ChildDomains : {}ComputersContainer : CN=Computers,DC=Fabrikam,DC=com DeletedObjectsContainer : CN=DeletedObjects,DC=Fabrikam,DC=com DistinguishedName : DC=Fabrikam,DC=comDNSRoot : Fabrikam.comDomainControllersContainer : OU=Domain Controllers,DC=Fabrikam,DC=com DomainMode :Windows2003DomainDomainSID : S-1-5-21-41432690-3719764436-1984117282 ForeignSecurityPrincipalsContainer :CN=ForeignSecurityPrincipals,DC=Fabrikam,DC=comForest : Fabrikam.comInfrastructureMaster : Fabrikam-DC1.Fabrikam.com LastLogonReplicationInterval :LinkedGroupPolicyObjects : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Fabrikam,DC=com} LostAndFoundContainer :CN=LostAndFound,DC=Fabrikam,DC=com ManagedBy :Name : FabrikamNetBIOSName : FABRIKAMObjectClass : domainDNSObjectGUID : b63b4f44-58b9-49cf-8911-b36e8575d5eb ParentDomain :PDCEmulator : Fabrikam-DC1.Fabrikam.comEtc...

QUESTION 71Your network contains an Active Directory domain named litwareinc.com. The domain contains two sitesnamed Sitel and Site2. Site2 contains a read-only domain controller (RODC).



A. Get-ADAccountResultantPasswordReplicationPolicyB. Get-ADFineGrainedPasswordPolicyC. DcdiagD. Repadmin



QUESTION 72Your network contains an Active Directory domain. The domain contains a group named Group1. The minimumpassword length for the domain is set to six characters.

You need to ensure that the passwords for all users in Group1 are at least 10 characters long. All other usersmust be able to use passwords that are six characters long.

You create an Active Directory Fine Grained Password Policy.


A. From the Default Domain Policy, modify the password policy.B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.C. Run the Set-ADDomain cmdlet.D. From the Default Domain Controller Policy, modify the password policy.



QUESTION 73Your network contains an Active Directory forest named contoso.com. The forest contains

"A Composite Solution With Just One Click" - Certification Guaranteed 506 Microsoft 70-640 : Practice Testthree domains named contoso.com, childl.contoso.com, and child2.contoso.com. The childl.contoso.comdomain contains five domain controllers. The domain controllers are configured as shown in the following table.

You plan to decommission the child1.contoso.com domain.

You need to identify which two FSMO roles can be moved from childl.contoso.com to child2.contoso.com.

Which two FSMO roles should you identify? (Each correct answer presents part of the solution. Choose two.)

A. Domain naming masterB. Schema masterC. Infrastructure masterD. PDC emulatorE. RID master


Explanation/Reference:Explanation:Forestwide Operations Master RolesThe schema master and domain naming master are forestwide roles, meaning that there is only one schemamaster and one domain naming master in the entire forest.

Note:* Operations Master RolesThe five operations master roles are assigned automatically when the first domain controller in a given domainis created. Two forest-level roles are assigned to the first domain controller created in a forest and three

domain-level roles are assigned to the first domain controller created in a domain.* The five FSMO roles [in Windows 2003] are:Schema master - Forest-wide and one per forest.


Domain naming master - Forest-wide and one per forest. RID master - Domain-specific and one for eachdomain. PDC - PDC Emulator is domain-specific and one for each domain. Infrastructure master - Domain-specific and one for each domain.

QUESTION 74Your network contains an Active Directory domain named contoso.com. The domain contains a file servernamed Server1 that runs Windows Server 2008 R2. Server1 has a file share named Share1.

You plan to configure the audit policy settings of Server1 by using a Group Policy object (GPO).

You need to ensure that entries are generated in the Event Log when the users in a group named Group1successfully access or fail to access the files in Share1. The event entries must show the specific operationeach user attempted. The solution must minimize the number of audit entries in the Event Log.

Which Object Access audit policy should you configure?

A. Audit File ShareB. Audit Detailed File ShareC. Audit File SystemD. Audit Other Object Access Events



QUESTION 75You deploy a certification authority (CA) named CA1. CA1 will be used to issue a large number of temporarycertificates to provide users with access to public wireless access points (WAPs).

You create a certificate template named Template1. You enable the Do not store certificates and requests inthe CA database option.You need to configure CA1 to ensure that certificate requests and issued certificates for Template1 are notstored in the CA database.


A. certutil -setreg DBFlags +DBFLAGS_MAXCACHESIZEX100B. certutil -setreg DBFlags +DBFLAGS_CREATEIFNEEDEDC. certutil -setreg DBFlags -DBFLAGS_LOGBUFFERSHUGED. certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS




Date post:	22-Sep-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

GRATIS EXAM...Dec 31, 2013 · Exam A QUESTION 1 You have a single Active Directory domain. All...

Documents