Microsoft 70-640 Exam Preparation · 10/5/2013 · C. Log off and log on again to Active Directory...

Microsoft 70-640 Exam Preparation

Number: 70-640Passing Score: 700Time Limit: 120 minFile Version: 25.6

http://www.gratisexam.com/

Microsoft 70-640 Exam Preparation

Exam Name: TS: Windows Server 2008 Active Directory, Configuring Exam

For Full Set of Questions please visit: http://www.certkey.com/70-640.html

Sections1. (none)2. Exam C3. Exam D

Certkey

QUESTION 1You have a single Active Directory domain. All domain controllers run Windows Server 2008 and are configuredas DNS servers. The domain contains one Active Directory-integrated DNS zone. You need to ensure thatoutdated DNS records are automatically removed from the DNS zone. What should you do?

A. From the properties of the zone, modify the TTL of the SOA record.B. From the properties of the zone, enable scavenging.C. From the command prompt, run ipconfig /flushdns.D. From the properties of the zone, disable dynamic updates.

Correct Answer: BSection: (none)Explanation

Explanation/Reference:Explanation/Reference:

QUESTION 2Your company, Contoso Ltd has a main office and a branch office. The offices are connected by a WAN link.Contoso has an Active Directory forest that contains a single domain named ad.contoso.com. The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 isconfigured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primaryzone. You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You needto ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails.What should you do?

A. Create a new stub zone named ad.contoso.com on DC2.B. Create a new standard secondary zone named ad.contoso.com on DC2.C. Configure the DNS server on DC2 to forward requests to DC1.D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

Correct Answer: DSection: (none)Explanation


QUESTION 3Your company has an Active Directory domain. The company has two domain controllers named DC1 andDC2. DC1 holds the Schema Master role. DC1 fails. You log on to Active Directory by using the administratoraccount. You are not able to transfer the Schema Master operations role. You need to ensure that DC2 holdsthe Schema Master role. What should you do?

A. Configure DC2 as a bridgehead server.B. On DC2, seize the Schema Master role.C. Log off and log on again to Active Directory by using an account that is a member of the Schema

Administrators group. Start the Active Directory Schema snap-in.D. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in.



QUESTION 4Your company has an Active Directory forest that runs at the functional level of Windows Server 2008. Youimplement Active Directory Rights Management Services (AD RMS). You install Microsoft SQL Server 2005.When you attempt to open the AD RMS administration Web site, you receive the following error message:"SQL Server does not exist or access denied." You need to open the AD RMS administration Web site. Whichtwo actions should you perform? (Each Answer presents part of the solution. Choose two.)

A. Restart IIS.B. Manually delete the Service Connection Point in AD DS and restart AD RMS.C. Install Message Queuing.D. Start the MSSQLSVC service.

Correct Answer: ADSection: (none)Explanation


QUESTION 5Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company usesan Enterprise Root certificate authority (CA). You need to ensure that revoked certificate information is highlyavailable. What should you do?

A. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security andAcceleration Server array.

B. Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO).C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the

domain.

Correct Answer: CSection: (none)Explanation


QUESTION 6You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 isconfigured as an enterprise root certification authority (CA). You install the Online Responder role service onServer2. You need to configure Server1 to support the Online Responder. What should you do?


A. Import the enterprise root CA certificate.B. Configure the Certificate Revocation List Distribution Point extension.

C. Configure the Authority Information Access (AIA) extension.D. Add the Server2 computer account to the CertPublishers group.



QUESTION 7Your company has an Active Directory domain. A user attempts to log on to a computer that was turned off fortwelve weeks. The administrator receives an error message that authentication has failed. You need to ensurethat the user is able to log on to the computer. What should you do?

A. Run the netsh command with the set and machine options.B. Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the

domain.C. Run the netdom TRUST /reset command.D. Run the Active Directory Users and Computers console to disable, and then enable the computer account.



QUESTION 8You network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller. What toolshould you use?

A. Active Directory Users and Computers snap-inB. ntdsutilC. Local Users and Groups snap-inD. dsmod



QUESTION 9Your company has a main office and a branch office. You deploy a read-only domain controller (RODC) thatruns Microsoft Windows Server 2008 to the branch office. You need to ensure that users at the branch officeare able to log on to the domain by using the RODC. What should you do?

A. Add another RODC to the branch office.B. Configure a new bridgehead server in the main office.C. Decrease the replication interval for all connection objects by using the Active Directory Sites and Services

console.D. Configure the Password Replication Policy on the RODC.



QUESTION 10Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers runWindows Server 2008 and the DNS server role. All computers, including non-domain members, dynamicallyregister their DNS records. You need to configure the intranet.adatum.com zone to allow only domain membersto dynamically register DNS records. What should you do?

A. Set dynamic updates to Secure Only.B. Remove the Authenticated Users group.C. Enable zone transfers to Name Servers.D. Deny the Everyone group the Create All Child Objects permission.

Correct Answer: ASection: (none)Explanation


QUESTION 11You are decommissioning domain controllers that hold all forest-wide operations master roles. You need totransfer all forest-wide operations master roles to another domain controller. Which two roles should youtransfer? (Each Answer presents part of the solution. Choose two.)

A. Domain naming masterB. Infrastructure masterC. RID masterD. PDC emulatorE. Schema master

Correct Answer: AESection: (none)Explanation


QUESTION 12Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directorydomain named intranet.fabrikam.com. Fabrikam's security policy prohibits the transfer of internal DNS zonedata outside the Fabrikam network. You need to ensure that the Contoso users are able to resolve names fromthe intranet.fabrikam.com domain. What should you do?

A. Create a new stub zone for the intranet.fabrikam.com domain.B. Configure conditional forwarding for the intranet.fabrikam.com domain.C. Create a standard secondary zone for the intranet.fabrikam.com domain.D. Create an Active DirectoryCintegrated zone for the intranet.fabrikam.com domain.

Correct Answer: BSection: (none)

Explanation


QUESTION 13An Active Directory database is installed on the C volume of a domain controller. You need to move the ActiveDirectory database to a new volume. What should you do?

A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.B. Move the ntds.dit file to the new volume by using Windows Explorer.C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows

PowerShell.D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.



QUESTION 14Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates. You need toimplement key archival. What should you do?

A. Configure the certificate for automatic enrollment for the computers that store encrypted files.B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.C. Apply the Hisecdc security template to the domain controllers.D. Archive the private key on the server.



QUESTION 15Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains anOU for Computers, an OU for Groups, and an OU for Users. You perform nightly backups. An administratordeletes the Groups OU. You need to restore the Groups OU without affecting users and computers in the SalesOU. What should you do?

A. Perform an authoritative restore of the Sales OU.B. Perform a non-authoritative restore of the Sales OU.C. Perform an authoritative restore of the Groups OU.D. Perform a non-authoritative restore of the Groups OU.



QUESTION 16Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server2008 R2. You need to create multiple password policies for users in your domain. What should you do?

A. From the Group Policy Management snap-in, create multiple Group Policy objects.B. From the Schema snap-in, create multiple class schema objects.C. From the ADSI Edit snap-in, create multiple Password Setting objects.D. From the Security Configuration Wizard, create multiple security policies.



QUESTION 17Your company has a main office and a branch office. The company has a single-domain Active Directory forest.The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. Thebranch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3. All domaincontrollers hold the DNS Server role and are configured as Active Directory-integrated zones. The DNS zonesonly allow secure updates. You need to enable dynamic DNS updates on DC3. What should you do?

A. Run the Dnscmd.exe /ZoneResetType command on DC3.B. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.C. Create a custom application directory partition on DC1. Configure the partition to store Active Directory-

integrated zones.D. Run the Ntdsutil.exe > DS Behavior commands on DC3.



QUESTION 18Your company has an organizational unit named Production. The Production organizational unit has a childorganizational unit named R&D. You create a GPO named Software Deployment and link it to the Productionorganizational unit. You create a shadow group for the R&D organizational unit. You need to deploy anapplication to users in the Production organizational unit. You also need to ensure that the application is notdeployed to users in the R&D organizational unit. What are two possible ways to achieve this goal? (EachAnswer presents a complete solution. Choose two.)

A. Configure the Block Inheritance setting on the R&D organizational unit.B. Configure the Enforce setting on the software deployment GPO.C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D

security group.D. Configure the Block Inheritance setting on the Production organizational unit.

Correct Answer: ACSection: (none)Explanation

Explanation/Reference:

QUESTION 19Your company has a branch office that is configured as a separate Active Directory site and has an ActiveDirectory domain controller. The Active Directory site requires a local Global Catalog server to support a newapplication. You need to configure the domain controller as a Global Catalog server. Which tool should youuse?

A. The Server Manager consoleB. The Active Directory Sites and Services consoleC. The Dcpromo.exe utilityD. The Computer Management consoleE. The Active Directory Domains and Trusts console



QUESTION 20Your company has a main office and three branch offices. The company has an Active Directory forest that hasa single domain. Each office has one domain controller. Each office is configured as an Active Directory site. Allsites are connected with the DEFAULTIPSITELINK object. You need to decrease the replication latencybetween the domain controllers. What should you do?

A. Decrease the replication schedule for the DEFAULTIPSITELINK object.B. Decrease the replication interval for the DEFAULTIPSITELINK object. C. Decrease the replication interval for all connection objects.D. Decrease the cost between the connection objects.



QUESTION 21All consultants belong to a global group named TempWorkers. You place three file servers in a neworganizational unit named SecureServers. The three file servers contain confidential data located in sharedfolders. You need to record any failed attempts made by the consultants to access the confidential data. Whichtwo actions should you perform? (Each Answer presents part of the solution. Choose two.)

A. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to thiscomputer from the network user rights setting for the TempWorkers global group.

B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege useFailure audit policy setting.

C. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object accessFailure audit policy setting.

D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure theFailed Full control setting in the Auditing Entry dialog box.

E. On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab.Configure the Failed Full control setting in the Auditing Entry dialog box.

Correct Answer: CE

Section: (none)Explanation


QUESTION 22You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 isconfigured as an Enterprise Root certification authority (CA). You install the Online Responder role service onServer2. You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root CA.Which two tasks should you perform? (Each Answer presents part of the solution. Choose two.)

A. Import the enterprise root CA certificate.B. Import the OCSP Response Signing certificate.C. Add the Server1 computer account to the CertPublishers group.D. Set the Startup Type of the Certificate Propagation service to Automatic.

Correct Answer: ABSection: (none)Explanation


QUESTION 23Your company has a domain controller server that runs the Windows Server 2008 R2 operating system. Theserver is a backup server. The server has a single 500-GB hard disk that has three partitions for the operatingsystem, applications, and data. You perform daily backups of the server. The hard disk fails. You replace thehard disk with a new hard disk of the same capacity. You restart the computer on the installation media. Youselect the Repair your computer option. You need to restore the operating system and all files.What should you do?

A. Select the System Image Recovery option.B. Run the Imagex utility at the command prompt.C. Run the Wbadmin utility at the command prompt.D. Run the Rollback utility at the command prompt.



QUESTION 24Your company has an Active Directory forest. The company has branch offices in three locations. Each locationhas an organizational unit. You need to ensure that the branch office administrators are able to create andapply GPOs only to their respective organizational units. Which two actions should you perform? (Each Answerpresents part of the solution. Choose two.)

A. Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizationalunits to the branch office administrators.

B. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.C. Modify the Managed By tab in each organizational unit to add the branch office administrators to their

respective organizational units.D. Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the branch office

administrators.

Correct Answer: ABSection: (none)Explanation


QUESTION 25Your company has an Active Directory domain. A user attempts to log on to the domain from a client computerand receives the following message: "This user account has expired. Ask your administrator to reactivate theaccount." You need to ensure that the user is able to log on to the domain. What should you do?

A. Modify the properties of the user account to set the account to never expire.B. Modify the properties of the user account to extend the Logon Hours setting.C. Modify the default domain policy to decrease the account lockout duration.D. Modify the properties of the user account to set the password to never expire.



QUESTION 26Your company has an Active Directory forest. Each branch office has an organizational unit and a childorganizational unit named Sales. The Sales organizational unit contains all users and computers of the salesdepartment. You need to install an Office 2007 application only on the computers in the Sales organizationalunit. You create a GPO named SalesApp GPO. What should you do next?

A. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Salesorganizational unit in each location.

B. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to thedomain.

C. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Salesorganizational unit in each location.

D. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Salesorganizational unit in each location.



QUESTION 27Your network consists of an Active Directory forest that contains one domain. All domain controllers runWindows Server 2008 R2 and are configured as DNS servers. You have an Active Directory- integrated zone.You have two Active Directory sites. Each site contains five domain controllers. You add a new NS record to thezone. You need to ensure that all domain controllers immediately receive the new NS record. What should youdo?

A. From the DNS Manager console, reload the zone.

B. From the DNS Manager console, increase the version number of the SOA record.C. From the command prompt, run repadmin /syncall.D. From the Services snap-in, restart the DNS Server service.



QUESTION 28You have a Windows Server 2008 R2 Enterprise Root CA . Security policy prevents port 443 and port 80 frombeing opened on domain controllers and on the issuing CA . You need to allow users to request certificatesfrom a Web interface. You install the Active Directory Certificate Services (AD CS) server role. What should youdo next?

A. Configure the Online Responder Role Service on a member server.B. Configure the Online Responder Role Service on a domain controller.C. Configure the Certificate Enrollment Web Service role service on a member server.D. Configure the Certificate Enrollment Web Service role service on a domain controller.



QUESTION 29You need to relocate the existing user and computer objects in your company to different organizational units.What are two possible ways to achieve this goal? (Each Answer presents a complete solution. Choose two.)

A. Run the move-item command in the Microsoft Windows PowerShell utility.B. Run the Active Directory Users and Computers utility.C. Run the Dsmove utility.D. Run the Active Directory Migration Tool (ADMT).

Correct Answer: BCSection: (none)Explanation


QUESTION 30Your company has a main office and three branch offices. Each office is configured as a separate ActiveDirectory site that has its own domain controller. You disable an account that has administrative rights. Youneed to immediately replicate the disabled account information to all sites. What are two possible ways toachieve this goal? (Each Answer presents a complete solution. Choose two.)

A. From the Active Directory Sites and Services console, configure all domain controllers as global catalogservers.

B. From the Active Directory Sites and Services console, select the existing connection objects and forcereplication.

C. Use Repadmin.exe to force replication between the site connection objects.

D. Use Dsmod.exe to configure all domain controllers as global catalog servers.



QUESTION 31Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.You need to capture all replication errors from all domain controllers to a central location. What should you do?

A. Start the Active Directory Diagnostics data collector set.B. Start the System Performance data collector set.C. Install Network Monitor and create a new a new capture.D. Configure event log subscriptions.



QUESTION 32Your company has an Active Directory forest that contains client computers that run Windows Vista andMicrosoft Windows XP. You need to ensure that users are able to install approved application updates on theircomputers. Which two actions should you perform? (Each Answer presents part of the solution. Choose two.)

A. Set up Automatic Updates through Control Panel on the client computers.B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically

search for updates on the Microsoft Update site.C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Windows

Server Update Services (WSUS) server for approved updates.D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates on

the Internet. Approve all required updates.

Correct Answer: CDSection: (none)Explanation


QUESTION 33Your company has an Active Directory domain that has an organizational unit named Sales. The Salesorganizational unit contains two global security groups named sales managers and sales executives. You needto apply desktop restrictions to the sales executives group. You must not apply these desktop restrictions to thesales managers group. You create a GPO named DesktopLockdown and link it to the Sales organizational unit.What should you do next?


A. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.B. Configure the Deny Apply Group Policy permission for the sales executives on the DesktopLockdown GPO.C. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.D. Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO.



QUESTION 34Your network consists of a single Active Directory domain. The domain contains 10 domain controllers. Thedomain controllers run Windows Server 2008 R2 and are configured as DNS servers. You plan to create a newActive Directory-integrated zone. You need to ensure that the new zone is only replicated to four of your domaincontrollers. What should you do first?

A. From the command prompt, run dnscmd and specify the /createdirectorypartition parameter.B. Create a new delegation in the ForestDnsZones application directory partition.C. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter.D. Create a new delegation in the DomainDnsZones application directory partition.



QUESTION 35You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNSServer for contoso.com. You install the DNS Server role on a member server named Server1 and then youcreate a standard secondary zone for contoso.com. You configure DC1 as the master server for the zone. Youneed to ensure that Server1 receives zone updates from DC1. What should you do?

A. On DC1, modify the permissions of contoso.com zone.B. On Server1, add a conditional forwarder.C. On DC1, modify the zone transfer settings for the contoso.com zone.D. Add the Server1 computer account to the DNSUpdateProxy group.



QUESTION 36Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runsan Enterprise Root certification authority (CA). You need to ensure that only administrators can sign code.Which two tasks should you perform? (Each Answer presents part of the solution. Choose two.)

A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage TrustedPublishers.

B. Modify the security settings on the template to allow only administrators to request code signing certificates.C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow

only administrators to apply the policy.D. Publish the code signing template.

Correct Answer: BDSection: (none)Explanation


QUESTION 37Your company has an Active Directory domain named contoso.com. The company network has two DNSservers named DNS1 and DNS2. The DNS servers are configured as shown in the following table.

Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to InternetWeb sites. You need to enable Internet name resolution for all client computers. What should you do?

A. Update the list of root hints servers on DNS2.B. Create a copy of the .(root) zone on DNS1.C. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2. D.

Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.



QUESTION 38Your company has an Active Directory forest that contains eight linked Group Policy Objects (GPOs). One ofthese GPOs publishes applications to user objects. A user reports that the application is not available forinstallation. You need to identify whether the GPO has been applied. What should you do?

A. Run the Group Policy Results utility for the user.B. Run the GPRESULT /S <system name> /Z command at the command prompt.C. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.D. Run the Group Policy Results utility for the computer.

Correct Answer: A



QUESTION 39Your company has an Active Directory domain. You log on to the domain controller. The Active DirectorySchema snap-in is not available in the Microsoft Management Console (MMC). You need to access the ActiveDirectory Schema snap-in. What should you do?

A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by usingServer Manager.

B. Log off and log on again by using an account that is a member of the Schema Administrators group.C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the schema

for writing.D. Register Schmmgmt.dll.



QUESTION 40Your company has a single-domain Active Directory forest. The functional level of the domain is WindowsServer 2008. You perform the following activities:

* Create a global distribution group.* Add users to the global distribution group.* Create a shared folder on a Windows Server 2008 member server.* Place the global distribution group in a domain local group that has access to the shared folder.

You need to ensure that the users have access to the shared folder. What should you do?

A. Add the global distribution group to the Domain Administrators group.B. Change the group type of the global distribution group to a security group.C. Change the scope of the global distribution group to a Universal distribution group.D. Raise the forest functional level to Windows Server 2008.



QUESTION 41Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amountof available CPU resources on a domain controller. What should you do?

A. Review performance data in Resource Monitor.B. Review the Hardware Events log in the Event Viewer.C. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report.

D. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.



QUESTION 42You need to identify all failed logon attempts on the domain controllers. What should you do?

A. View the Netlogon.log file.B. View the Security tab on the domain controller computer object.C. Run Event Viewer.D. Run the Security and Configuration Wizard.



QUESTION 43Your company has a DNS server that has 10 Active Directory integrated zones. You need to provide copies ofthe zone files of the DNS server to the security department. What should you do?

A. Run the dnscmd /ZoneInfo command.B. Run the ipconfig /registerdns command.C. Run the dnscmd /ZoneExport command.D. Run the ntdsutil > Partition Management > List commands.



QUESTION 44Your company has a main office and 10 branch offices. Each branch office has an Active Directory site thatcontains one domain controller. Only domain controllers in the main office are configured as Global Catalogservers. You need to deactivate the Universal Group Membership Caching (UGMC) option on the domaincontrollers in the branch offices. At which level should you deactivate UGMC?

A. ServerB. Connection objectC. DomainD. Site




QUESTION 45Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003.You upgrade all domain controllers to Windows Server 2008 R2. You need to ensure that the Sysvol sharereplicates by using DFS Replication (DFS-R). What should you do?

A. From the command prompt, run dfsutil /addroot:sysvol.B. From the command prompt, run netdom /reset.C. From the command prompt, run dcpromo /unattend:unattendfile.xml.D. Raise the functional level of the domain to Windows Server 2008 R2.



QUESTION 46Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers andDNS servers. All client computers run Windows XP SP3. You need to use your client computers to editdomainbased GPOs by using the ADMX files that are stored in the ADMX central store. What should you do?

A. Add your account to the Domain Admins group.B. Upgrade your client computers to Windows 7.C. Install .NET Framework 3.0 on your client computers.D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the

PolicyDefinitions folder.



QUESTION 47Your company has an Active Directory domain. All servers run Windows Server. You deploy a CertificationAuthority (CA) server. You create a new global security group named CertIssuers. You need to ensure thatmembers of the CertIssuers group can issue, approve, and revoke certificates. What should you do?

A. Assign the Certificate Manager role to the CertIssuers group.B. Place CertIssuers group in the Certificate Publisher group.C. Run the certsrv -add CertIssuers command promt of the certificate server.D. Run the add -member-membertype memberset CertIssuers command by using Microsoft Windows

Powershell.



QUESTION 48

Your company has two domain controllers that are configured as internal DNS servers. All zones on the DNSservers are Active Directory-integrated zones. The zones allow all dynamic updates. You discover that thecontoso.com zone has multiple entries for the host names of computers that do not exist. You need toconfigure the contoso.com zone to automatically remove expired records. What should you do?

A. Enable only secure updates on the contoso.com zone.B. Enable scavenging and configure the refresh interval on the contoso.com zone.C. From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone.D. From the Start of Authority tab, increase the default expiration interval on the contoso.com zone.



QUESTION 49Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offlineroot CA and an online issuing CA. The Enterprise certification authority is running Windows Server 2008 R2.You need to ensure users are able to enroll new certificates. What should you do?

A. Renew the Certificate Revocation List (CRL) on the root CA. Copy the CRL to the CertEnroll folder on theissuing CA.

B. Renew the Certificate Revocation List (CRL) on the issuing CA, Copy the CRL to the SysternCertificatesfolder in the users' profile.

C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client

workstations.



QUESTION 50Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company usesan Enterprise Root certification authority (CA) and an Enterprise Intermediate CA. The Enterprise IntermediateCA certificate expires. You need to deploy a new Enterprise Intermediate CA certificate to all computers in thedomain. What should you do?

A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.B. Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server.C. Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group

policy object.D. Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object.



QUESTION 51A user in a branch office of your company attempts to join a computer to the domain, but the attempt fails. Youneed to enable the user to join a single computer to the domain. You must ensure that the user is denied anyadditional rights beyond those required to complete the task. What should you do?

A. Prestage the computer account in the Active Directory domain.B. Add the user to the Domain Administrators group for one day.C. Add the user to the Server Operators group in the Active Directory domain.D. Grant the user the right to log on locally by using a Group Policy Object (GPO).



QUESTION 52The default domain GPO in your company is configured by using the following account policy settings:

* Minimum password length: 8 characters* Maximum password age: 30 days* Enforce password history: 12 passwords remembered* Account lockout threshold: 3 invalid logon attempts* Account lockout duration: 30 minutes

You install Microsoft SQL Server on a computer named Server1 that runs Windows Server 2008 R2. The SQLServer application uses a service account named SQLSrv. The SQLSrv account has domain user rights. TheSQL Server computer fails after running successfully for several weeks. The SQLSrv user account is not lockedout. You need to resolve the server failure and prevent recurrence of the failure. Which two actions should youperform? (Each Answer presents part of the solution. Choose two.)

A. Reset the password of the SQLSrv user account.B. Configure the local security policy on Serverl to grant the Logon as a service right on the SQLSrv user

account.C. Configure the properties of the SQLSrv account to Password never expires.D. Configure the properties of the SQLSrv account to User cannot change password.E. Configure the local security policy on Serverl to explicitly grant the SQLSrv user account the Allow logon

locally user right.



QUESTION 53Your company has an Active Directory forest that contains two domains, The forest has universal groups thatcontain members from each domain. A branch office has a domain controller named DC1, Users at the branchoffice report that the logon process takes too long. You need to decrease the amount of time it takes for thebranch office users to logon. What should you do?

A. Configure DC1 as a Global Catalog server.B. Configure DC1 as a bridgehead server for the branch office site.C. Decrease the replication interval on the site link that connects the branch office to the corporate network.

D. Increase the replication interval on the site link that connects the branch office to the corporate network.



QUESTION 54Your company has an Active Directory domain. The main office has a DNS server named DNS1 that isconfigured with Active Directory-integrated DNS. The branch office has a DNS server named DNS2 thatcontains a secondary copy of the zone from DNS1. The two offices are connected with an unreliable WAN link.You add a new server to the main office. Five minutes after adding the server, a user from the branch officereports that he is unable to connect to the new server. You need to ensure that the user is able to connect tothe new server. What should you do?

A. Clear the cache on DNS2. B. Export the zone from DNS1 and import the zone to DNS2.C. Reload the zone on DNS1.D. Refresh the zone on DNS2.



QUESTION 55You need to validate whether Active Directory successfully replicated between two domain controllers. Whatshould you do?

A. Run the DSget command.B. Run the Dsquery command.C. Run the RepAdmin command.D. Run the Windows System Resource Manager.



QUESTION 56Your company has an Active Directory forest. Not all domain controllers in the forest are configured as GlobalCatalog Servers. Your domain structure contains one root domain and one child domain. You modify the folderpermissions on a file server that is in the child domain. You discover that some Access Control entries start withS-1-5-21 and that no account name is listed. You need to list the account names. What should you do?

A. Move the RID master role in the child domain to a domain controller that holds the Global Catalog.B. Modify the schema to enable replication of the friendlynames attribute to the Global Catalog.C. Move the RID master role in the child domain to a domain controller that does not hold the Global Catalog.D. Move the infrastructure master role in the child domain to a domain controller that does not hold the Global

Catalog.



QUESTION 57Your company security policy requires complex passwords. You have a comma delimited file named import.csvthat contains user account information. You need to create user account in the domain by using the import.csvfile. You also need to ensure that the new user accounts are set to use default passwords and are disabled.What shoulld you do?

A. Modify the userAccountControl attribute to disabled. Run the csvde i k f import.csv command. Run theDSMOD utility to set default passwords for the user accounts.

B. Modify the userAccountControl attribute to accounts disabled. Run the csvde -f import.csv command. Runthe DSMOD utility to set default passwords for the user accounts.

C. Modify the userAccountControl attribute to disabled. Run the wscript import.csv command. Run the DSADDutility to set default passwords for the imported user accounts.

D. Modify the userAccountControl attribute to disabled. Run ldifde -i -f import.csv command. Run the DSADDutility to set passwords for the imported user accounts.



QUESTION 58Your company has an Active Directory forest. The company has servers that run Windows Server 2008 R2 andclient computers that run Windows 7. The domain uses a set of GPO administrative templates that have beenapproved to support regulatory compliance requirements. Your partner company has an Active Directory forestthat contains a single domain. The company has servers that run Windows Server 2008 R2 and clientcomputers that run Windows 7. You need to configure your partner company's domain to use the approved setof administrative templates. What should you do?

A. Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In each site, importthe GPO to the default domain policy.

B. Copy the ADMX files from your company's PDC emulator to the PolicyDefinitions folder on the partnercompany's PDC emulator.

C. Copy the ADML files from your company's PDC emulator to the PolicyDefinitions folder on the partnercompany's PDC emulator.

D. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Website. Copy the ADM files to the PolicyDefinitions folder on thr partner company's emulator.



QUESTION 59Your network consists of an Active Directory forest that contains two domains. All servers run Windows Server2008 R2. All domain controllers are configured as DNS Servers. You have a standard primary zone for

dev.contoso.com that is stored on a member server. You need to ensure that all domain controllers can resolvenames from the dev.contoso.com zone. What should you do?

A. On the member server, create a stub zone.B. On the member server, create a NS record for each domain controller.C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to

all DNS servers in the forest.D. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to

all DNS servers in the domain.



QUESTION 60You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server role installed.You need to minimize the amount of time it takes for client computers to download a certificate revocation list(CRL). What should you do?

A. Install and configure an Online Responder.B. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client

workstations.C. Install and configure an additional domain controller.D. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations.



Exam B

QUESTION 1Your company has three Active Directory domains in a single forest. You install a new Active Directory enabledapplication. The application ads new user attributes to the Active Directory schema. You discover that theActive Directory replication traffic to the Global Catalogs has increased. You need to prevent the new attributesfrom being replicated to the Global Catalog. You must achieve this goal without affecting applicationfunctionality. What should you do?

A. Change the replication interval for the DEFAULTIPSITELINK object to 9990.B. Change the cost for the DEFAULTIPSITELINK object to 9990.C. Make the new attributes in the Active Directory as defunct.D. Modify the properties in the Active Directory schema for the new attributes.



QUESTION 2You are decommissioning one of the domain controllers in a child domain. You need to transfer all domainoperations master roles within the child domain to a newly installed domain controller in the same child domain.Which three domain operations master roles should you transfer? (Each Answer presents part of the solution.Choose three.)

A. RID masterB. PDC emulatorC. Schema masterD. Infrastructure masterE. Domain naming master

Correct Answer: ABDSection: (none)Explanation


QUESTION 3Company servers run Windows Server 2008. It has a single Active Directory domain. A server called S4 has fileservices role installed. You install some disk for additional storage. The disks are configured as shown in theexhibit.

To support data stripping with parity, you have to create a new drive volume. What should you do to achievethis objective?

A. Build a new spanned volume by combining Disk0 and Disk1.B. Create a new Raid-5 volume by adding another disk.C. Create a new virtual volume by combining Disk 1 and Disk 2.D. Build a new striped volume by combining Disk0 and Disk 2.



QUESTION 4Your company asks you to implement Windows Cardspace in the domain. You want to use WindowsCardspace at your home. Your home and office computers run Windows Vista Ultimate. What should you do tocreate a backup copy of Windows Cardspace cards to be used at home?

A. Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB drive. B. Employ Windows Cardspace application to backup the data on your USB drive.C. Reformat the C: Drive.D. Back up the system state data by using backup status tool on your USB drive.E. Backup \Windows\Globalization folder by using backup status and save the folder on your USB drive. F. None of the above



QUESTION 5One of the remote branch offices is running a Windows Server 2008 read only domain controller (RODC). Forsecurity reasons you don't want some critical credentials like (passwords, encryption keys) to be stored on

RODC. What should you do so that these credentials are not replicated to any RODC's in the forest? (ChooseTwo)

A. Configure RODC filtered attribute set on the server.B. Configure RODC filtered set on the server that holds Schema Operations Master role.C. Delegate local administrative permissions for an RODC to any domain user without granting that user any

user rights for the domain.D. Configure forest functional level server for Windows server 2008 to configure filtered attribute set.E. None of the above.

Correct Answer: BDSection: (none)Explanation


QUESTION 6Company has a server with Active Directory Rights Management Services (AD RMS) server installed. Usershave computers with Windows Vista installed on them with an Active Directory domain installed at WindowsServer 2003 functional level. As an administrator at Company, you discover that the users are unable to benefitfrom AD RMS to protect their documents. You need to configure AD RMS to enable users to use it and protecttheir documents. What should you do to achieve this functionality?

A. Configure an email account in Active Directory Domain Services (AD DS) for each user.B. Add and configure ADRMSADMIN account in local administrators group on the user computers.C. Add and configure the ADRMSSRVC account in AD RMS server's local administrator group.D. Reinstall the Active Directory domain on user computers.E. All of the above.



QUESTION 7Company has an Active Directory forest with six domains. The company has 5 sites. The company requires anew distributed application that uses a custom application directory partition named ResData for datareplication. The application is installed on one member server in five sites. You need to configure the fivemember servers to receive the ResData application directory partition for data replication. What should you do?

A. Run the Dcpromo utility on the five member servers.B. Run the Regsvr32 command on the five member servers.C. Run the Webadmin command on the five member servers.D. Run the RacAgent utility on the five member servers.



QUESTION 8

As an administrator at Company, you have installed an Active Directory forest that has a single domain. Youhave installed an Active Directory Federation services (AD FS) on the domain member server. What should youdo to configure AD FS to make sure that AD FS token contains information from the active directory domain?

A. Add a new account store and configure it.B. Add a new resource partner and configure it.C. Add a new resource store and configure it.D. Add a new administrator account on AD FS and configure it.E. None of the above.



QUESTION 9As the Company administrator you had installed a read-only domain controller (RODC) server at remotelocation. The remote location doesn't provide enough physical security for the server. What should you do toallow administrative accounts to replicate authentication information to Read-Only Domain Controllers?

A. Remove any administrative accounts from RODC's group.B. Add administrative accounts to the domain Allowed RODC Password Replication group.C. Set the Deny on Receive as permission for administrative accounts on the RODC computer account

Security tab for the Group Policy Object (GPO).D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link the GPO to

the remote location. Activate the Read Allow and the Apply group policy Allow permissions for theadministrators on the Security tab for the GPO.

E. None of the above.



QUESTION 10ABC.com boasts a two-node Network Load Balancing cluster which is called web.CK1.com. The purpose ofthis cluster is to provide load balancing and high availability of the intranet website only. With monitoring thecluster, you discover that the users can view the Network Load Balancing cluster in their Network Neighborhoodand they can use it to connect to various services by using the name web. CK1.com. You also discover thatthere is only one port rule configured for Network Load Balancing cluster. You have to configure web.CK1.comNLB cluster to accept HTTP traffic only. Which two actions should you perform to achieve this objective?(Choose two answers. Each answer is part of the complete solution)

A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster consoleB. Run the wlbs disable command on the cluster nodesC. Assign a unique port rule for NLB cluster by using the NLB Cluster consoleD. Delete the default port rules through Network Load Balancing Cluster console



QUESTION 11ABC.com has a main office and a branch office. ABC.com's network consists of a single Active Directory forest.Some of the servers in the network run Windows Server 2008 and the rest run Windows server 2003. You arethe administrator at ABC.com. You have installed Active Directory Domain Services (AD DS) on a computerthat runs Windows Server 2008. The branch office is located in a physically insecure place. It has no ITpersonnel onsite and there are no administrators over there. You need to setup a Read-Only Domain Controller(RODC) on the Server Core installation computer in the branch office. What should you do to setup RODC onthe computer in branch office?

A. Execute an attended installation of AD DSB. Execute an unattended installation of AD DSC. Execute RODC through AD DSD. Execute AD DS by using deploying the image of AD DSE. none of the above



QUESTION 12ABC.com has purchased laptop computers that will be used to connect to a wireless network. You create alaptop organizational unit and create a Group Policy Object (GPO) and configure user profiles by utilizing thenames of approved wireless networks. You link the GPO to the laptop organizational unit. The new laptop userscomplain to you that they cannot connect to a wireless network. What should you do to enforce the group policywireless settings to the laptop computers?

A. Execute gpupdate/target:computer command at the command prompt on laptop computers.B. Execute Add a network command and leave the SSID (service set identifier) blank.C. Execute gpupdate/boot command at the command prompt on laptops computers.D. Connect each laptop computer to a wired network and log off the laptop computer and then login again.E. None of the above.



QUESTION 13The Company has a Windows 2008 domain controller server. This server is routinely backed up over thenetwork from a dedicated backup server that is running Windows 2003 OS. You need to prepare the domaincontroller for disaster recovery apart from the routine backup procedures. You are unable to launch the backuputility while attempting to back up the system state data for the data controller. You need to backup systemstate data from the Windows Server 2008 domain controller server. What should you do?

A. Add your user account to the local Backup Operators group.B. Install the Windows Server backup feature using the Server Manager feature.C. Install the Removable Storage Manager feature using the Server Manager feature.D. Deactivating the backup job that is configured to backup Windows 2008 server domain controller on the

Windows 2003 server.E. None of the above.



QUESTION 14You are an administrator at ABC.com. Company has a RODC (read-only domain controller) server at a remotelocation. The remote location doesn't have proper physical security. You need to activate nonadministrativeaccounts passwords on that RODC server. Which of the following action should be considered to populate theRODC server with non-administrative accounts passwords?

A. Delete all administrative accounts from the RODC's group.B. Configure the permission to Deny on Receive for administrative accounts on the security tab for Group

Policy Object (GPO).C. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied

group.D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the

security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators.E. None of the above.



QUESTION 15ABC.com has a network that is comprise of a single Active Directory Domain. As an administrator at ABC. com,you install Active Directory Lightweight Directory Services (AD LDS) on a server that runs Windows Server2008. To enable Secure Sockets Layer (SSL) based connections to the AD LDS server, you install certificatesfrom a trusted Certification Authority (CA) on the AD LDS server and client computers. Which tool should youuse to test the certificate with AD LDS?

A. Ldp.exeB. Active Directory Domain servicesC. ntdsutil.exeD. Lds.exeE. wsamain.exeF. None of the above



QUESTION 16ABC.com boasts a main office and 20 branch offices. Configured as a separate site, each branch office has aRead-Only Domain Controller (RODC) server installed. Users in remote offices complain that they are unable to

log on to their accounts. What should you do to make sure that the cached credentials for user accounts areonly stored in their local branch office RODC server?

A. Open the RODC computer account security tab and set Allow on the Receive as permission only for theusers that are unable to log on to their accounts.

B. Add a password replication policy to the main Domain RODC and add user accounts in the security group.C. Configure a unique security group for each branch office and add user accounts to the respective security

group. Add the security groups to the password replication allowed group on the main RODC server.D. Configure and add a separate password replication policy on each RODC computer account.



QUESTION 17Your company has a main office and 40 branch offices. Each branch office is configured as a separate ActiveDirectory site that has a dedicated read-only domain controller (RODC). An RODC server is stolen from one ofthe branch offices. You need to identify the user accounts that were cached on the stolen RODC server. Whichutility should you use?

A. Dsmod.exeB. Ntdsutil.exeC. Active Directory Sites and ServicesD. Active Directory Users and Computers



QUESTION 18ABC.com has a software evaluation lab. There is a server in the evaluation lab named as CKT. CKT runsWindows Server 2008 and Microsoft Virtual Server 2005 R2. CKT has 200 virtual servers running on anisolated virtual segment to evaluate software. To connect to the internet, it uses physical network interface card.ABC.com requires every server in the company to access Internet. ABC.com security policy dictates that the IPaddress space used by software evaluation lab must not be used by other networks. Similarly, it states the IPaddress space used by other networks should not be used by the evaluation lab network. As an administratoryou find you that the applications tested in the software evaluation lab need to access normal network toconnect to the vendors update servers on the internet. You need to configure all virtual servers on the CKTserver to access the internet. You also need to comply with company's security policy. Which two actionsshould you perform to achieve this task? (Choose two answers. Each answer is a part of the complete solution)

A. Trigger the Virtual DHCP server for the external virtual network and run ipconfig/renew command on eachvirtual server.

B. On CKT's physical network interface, activate the Internet Connection Sharing (ICS).C. Use ABC.com intranet IP addresses on all virtual servers on CKT.D. Add and install a Microsoft Loopback Adapter network interface on CKT. Use a new network interface and

create a new virtual network.E. None of the above.

Correct Answer: AD



QUESTION 19You are an administrator at ABC.com. Company has a network of 5 member servers acting as file servers. Ithas an Active Directory domain. You have installed a software application on the servers. As soon as theapplication is installed, one of the member servers shuts down itself. To trace and rectify the problem, youcreate a Group Policy Object (GPO). You need to change the domain security settings to trace the shutdownsand identify the cause of it. What should you do to perform this task?

A. Link the GPO to the domain and enable System Events optionB. Link the GPO to the domain and enable Audit Object Access optionC. Link the GPO to the Domain Controllers and enable Audit Object Access optionD. Link the GPO to the Domain Controllers and enable Audit Process tracking optionE. Perform all of the above actions



QUESTION 20ABC.com has a network that consists of a single Active Directory domain. A technician has accidently deletedan Organizational unit (OU) on the domain controller. As an administrator of ABC.com, you are in process ofrestoring the OU. You need to execute a non-authoritative restore before an authoritative restore of the OU.Which backup should you use to perform non- authoritative restore of Active Directory Domain Services(ADDS) without disturbing other data stored on domain controller?

A. Critical volume backupB. Backup of all the volumesC. Backup of the volume that hosts Operating systemD. Backup of AD DS foldersE. all of the above



QUESTION 21Company has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers. Clientcomputers running Windows XP and Windows Vista. All domain controllers are running Windows server 2008.

You need to deploy Active Directory Rights Management System (AD RMS) to secure all documents,spreadsheets and to provide user authentication. What do you need to configure, in order to complete thedeployment of AD RMS?

A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company _DC1B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all

systems. Install AD RMS on domain controller Company _DC1C. Upgrade all client computers to Windows Vista. Install AD RMS on Company _SRV5D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all

systems. Install AD RMS on domain controller Company _SRV5E. None of the above



QUESTION 22You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensurethat data and log files are backed up regularly. This will also ensure the continued availability of data toapplications and users in the event of a system failure. Because you have limited media resources, you decidedto backup only specific ADLDS instance instead of taking backup of the entire volume. What should you do toaccomplish this task?

A. Use Windows Server backup utility and enable checkbox to take only backup of database and log files ofAD LDS

B. Use Dsdbutil.exe tool to create installation media that corresponds only to the ADLDS instanceC. Move AD LDS database and log files on a separate volume and use windows server backup utilityD. None of the above



QUESTION 23ABC.com has a domain controller that runs Windows Server 2008. The ABC.com network boasts 40 WindowsVista client machines. As an administrator at ABC.com, you want to deploy Active Directory Certificate service(AD CS) to authorize the network users by issuing digital certificates. What should you do to manage certificatesettings on all machines in a domain from one main location?

A. Configure Enterprise CA certificate settingsB. Configure Enterprise trust certificate settingsC. Configure Advance CA certificate settingsD. Configure Group Policy certificate settingsE. All of the above




QUESTION 24Your company has a server that runs Windows Server 2008 R2. The server runs an instance of ActiveDirectory Lightweight Directory Services (AD LDS). You need to replicate the AD LDS instance on a testcomputer that is located on the network. What should you do?

A. Run the repadmin /kcc <servername> command on the test computer.B. Create a naming context by running the Dsmgmt command on the test computer.C. Create a new directory partition by running the Dsmgmt command on the test computer.D. Create and install a replica by running the AD LDS Setup wizard on the test computer.



QUESTION 25Your network contains an Active Directory domain. The relevant servers in the domain are configured as shownin the following table.

You need to ensure that all device certificate requests use the MD5 hash algorithm. What should you do?

A. On Server2, run the Certutil tool.B. On Server1, update the CEP Encryption certificate template.C. On Server1, update the Exchange Enrollment Agent (Offline Request) template.D. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\ HashAlgorithm

\HashAlgorithm registry key.



QUESTION 26Your network contains two Active Directory forests named contoso.com and adatum.com. The functional levelof both forests is Windows Server 2008 R2. Each forest contains one domain. Active Directory CertificateServices (AD CS) is configured in the contoso.com forest to allow users from both forests to automaticallyenroll user certificates. You need to ensure that all users in the adatum.com forest have a user certificate fromthe contoso.com certification authority (CA). What should you configure in the adatum.com domain?

A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.C. From the Default Domain Policy, modify the Certificate Enrollment policy.D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.



QUESTION 27You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) roleservices installed:

* Enterprise root certification authority (CA)* Certificate Enrollment Web Service* Certificate Enrollment Policy Web Service

You create a new certificate template. External users report that the new template is unavailable when theyrequest a new certificate. You verify that all other templates are available to the external users. You need toensure that the external users can request certificates by using the new template. What should you do onServer1?

A. Run iisreset.exe /restart. B. Restart the Active Directory Certificate Services service.C. Run gpupdate.exe /force. D. Run certutil.exe dspublish.



QUESTION 28You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates.Users are required to log on to the domain by using a smart card. Your company's corporate security policystates that when an employee resigns, his ability to log on to the network must be immediately revoked. Anemployee resigns. You need to immediately prevent the employee from logging on to the domain. What shouldyou do?

A. Revoke the employee's smart card certificate.B. Disable the employee's Active Directory account.C. Publish a new delta certificate revocation list (CRL).D. Reset the password for the employee's Active Directory account.



QUESTION 29You add an Online Responder to an Online Responder Array. You need to ensure that the new OnlineResponder resolves synchronization conflicts for all members of the Array. What should you do?

A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1.

B. From the Online Responder Management Console, select the new Online Responder, and then select Setas Array Controller.

C. From the Online Responder Management Console, select the new Online Responder, and then selectSynchronize Members with Array Controller.

D. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32



QUESTION 30Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterpriseroot certification authority (CA). You have a Web site that uses x.509 certificates for authentication. The Website is configured to use a many-to-one mapping. You revoke a certificate issued to an external partner. Youneed to prevent the external partner from accessing the Web site. What should you do?

A. Run certutil.exe -crl.B. Run certutil.exe -delkey.C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group. .D. From Active Directory Users and Computers, modify the Contact object for the external partner



QUESTION 31Your company has a main office and five branch offices that are connected by WAN links. The company has anActive Directory domain named contoso.com. Each branch office has a member server configured as a DNSserver. All branch office DNS servers host a secondary zone for contoso.com. You need to configure thecontoso.com zone to resolve client queries for at least four days in the event that a WAN link fails. What shouldyou do?

A. Configure the Expires after option for the contoso.com zone to 4 days.B. Configure the Retry interval option for the contoso.com zone to 4 days.C. Configure the Refresh interval option for the contoso.com zone to 4 days.D. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.



QUESTION 32Your company Datum Corporation, has a single Active Directory domain named intranet.adatum.com. Thedomain has two domain controllers that run Windows Server 2008 R2 operating system. The domaincontrollers also run DNS servers. The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the Dynamic updates setting configured to Secure only. A new corporate security policyrequires that the intranet.adatum.com DNS zone must be updated only by domain controllers or member

servers. You need to configure the intranet.adatum.com zone to meet the new security policy requirement.Which two actions should you perform? (Each Answer presents part of the solution. Choose two.)

A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zoneproperties.

B. Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNSzone properties.

C. Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of theintranet.adatum.com DNS zone properties.

D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tabof the intranet.adatum.com DNS zone properties.



QUESTION 33Your company has two Active Directory forests as shown in the following table.

The forests are connected by using a two-way forest trust. Each trust direction is configured with forest- wideauthentication. The new security policy of the company prohibits users from the eng.fabrikam.com domain toaccess resources in the contoso.com domain. You need to configure the forest trust to meet the new securitypolicy requirement. What should you do?

A. Delete the outgoing forest trust in the contoso.com domain.B. Delete the incoming forest trust in the contoso.com domain.C. Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wide

authentication to Selective authentication.D. Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude *.eng.

fabrikam.com from the Name Suffix Routing trust properties.



QUESTION 34Your company has an Active Directory domain. All consultants belong to a global group named TempWorkers.The TempWorkers group is not nested in any other groups. You move the computer objects of three fileservers to a new organizational unit named SecureServers. These file servers contain only confidential data inshared folders. You need to prevent members of the TempWorkers group from accessing the confidential dataon the file servers. You must achieve this goal without affecting access to other domain resources. Whatshould you do?

A. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to this

computer from the network user right to the TempWorkers global group.B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the network

user right to the TempWorkers global group.C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkers

global group.D. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on locally user

right to the TempWorkers global group.



QUESTION 35Your network consists of a single Active Directory domain. User accounts for engineering department arelocated in an OU named Engineering. You need to create a password policy for the engineering departmentthat is different from your domain password policy. What should you do?

A. Create a new GPO. Link the GPO to the Engineering OU.B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the

Engineering OU.C. Create a global security group and add all the user accounts for the engineering department to the group.

Create a new Password Policy Object (PSO) and apply it to the group.D. Create a domain local security group and add all the user accounts for the engineering department to the

group. From the Active Directory Users and Computer console, select the group and run the Delegation ofControl Wizard.



QUESTION 36Your network contains a domain controller that has two network connections named Internal and Private.Internal has an IP address of 192.168.0.20. Private has an IP address of 10.10.10.5. You need to prevent thedomain controller from registering Host (A) records for the 10.10.10.5 IP address. What should you do?

A. Modify the netlogon.dns file on the domain controller.B. Modify the Name Server settings of the DNS zone for the domain.C. Modify the properties of the Private network connection on the domain controller.D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.



QUESTION 37Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named DC1. DC1 hosts a standard primary zone for contoso.com. You discover that non-domain

member computers register records in the contoso.com zone. You need to prevent the non-domain membercomputers from registering records in the contoso.com zone. All domain member computers must be allowedto register records in the contoso.com zone. What should you do first?

A. Configure a trust anchor.B. Run the Security Configuration Wizard (SCW).C. Change the contoso.com zone to an Active Directory-integrated zone.D. Modify the security settings of the %SystemRoot%\System32\Dns folder.



QUESTION 38Your network contains an Active Directory domain named contoso.com. You create a GlobalNames zone. Youadd an alias (CNAME) resource record named Server1 to the zone. The target host of the record is server2.contoso.com. When you ping Server1, you discover that the name fails to resolve. You successfully resolveserver2.contoso.com. You need to ensure that you can resolve names by using the GlobalNames zone. Whatshould you do?

A. From the command prompt, use the netsh tool.B. From the command prompt, use the dnscmd tool.C. From DNS Manager, modify the properties of the GlobalNames zone.D. From DNS Manager, modify the advanced settings of the DNS server.



QUESTION 39Your network contains an Active Directory domain named contoso.com. The domain contains the serversshown in the following table.

The functional level of the forest is Windows Server 2003. The functional level of the domain is WindowsServer 2003. DNS1 and DNS2 host the contoso.com zone. All client computers run Windows 7 Enterprise. Youneed to ensure that all of the names in the contoso.com zone are secured by using DNSSEC. What should youdo first?

A. Change the functional level of the forest.B. Change the functional level of the domain.C. Upgrade DC1 to Windows Server 2008 R2. .D. Upgrade DNS1 to Windows Server 2008 R2



QUESTION 40Your network contains a domain controller that is configured as a DNS server. The server hosts an ActiveDirectory-integrated zone for the domain. You need to reduce how long it takes until stale records are deletedfrom the zone. What should you do?

A. From the configuration directory partition of the forest, modify the tombstone lifetime.B. From the configuration directory partition of the forest, modify the garbage collection interval.C. From the aging properties of the zone, modify the no-refresh interval and the refresh interval.D. From the start of authority (SOA) record of the zone, modify the refresh interval and the expire interval.



QUESTION 41Your network contains a single Active Directory domain named contoso.com. The domain contains two domaincontrollers named DC1 and DC2 that run Windows Server 2008 R2. DC1 hosts a primary zone forcontoso.com. DC2 hosts a secondary zone for contosto.com. On DC1, you change the zone to an ActiveDirectory-integrated zone and configure the zone to accept secure dynamic updates only. You need to ensurethat DC2 can accept secure dynamic updates to the contoso.com zone. Which command should you run?

A. dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.comB. dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimaryC. dnslint.exe /qlD. repadmin.exe /syncall /force



QUESTION 42Your network contains an Active Directory domain named contoso.com. You run nslookup.exe as shown in thefollowing Command Prompt window.

You need to ensure that you can use Nslookup to list all of the service location (SRV) resource records forcontoso.com. What should you modify?

A. the root hints of the DNS serverB. the security settings of the zoneC. the Windows Firewall settings on the DNS serverD. the zone transfer settings of the zone



QUESTION 43Your network contains an Active Directory domain named contoso.com. The contoso.com DNS zone is storedin Active Directory. All domain controllers run Windows Server 2008 R2. You need to identify if all of the DNSrecords used for Active Directory replication are correctly registered. What should you do?

A. From the command prompt, use netsh.exe.B. From the command prompt, use dnslint.exe.C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.D. From the Active Directory Module for Windows PowerShell, run the Get-ADDomainController cmdlet.



QUESTION 44Your network contains a single Active Directory forest. The forest contains two domains named contoso. comand sales.contoso.com. The domain controllers are configured as shown in the following table.

All domain controllers run Windows Server 2008 R2. All zones are configured as Active Directory- integratedzones. You need to ensure that contoso.com records are available on DC3. Which command should you run?

A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domainB. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forestC. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain D. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest



QUESTION 45You have a DNS zone that is stored in a custom application directory partition. You install a new domaincontroller. You need to ensure that the custom application directory partition replicates to the new domaincontroller. What should you use?

A. the Active Directory Administrative Center consoleB. the Active Directory Sites and Services consoleC. the DNS Manager consoleD. the Dnscmd tool



QUESTION 46Your network contains two Active Directory forests. One forest contains two domains named contoso.com andna.contoso.com. The other forest contains a domain named nwtraders.com. A forest trust is configuredbetween the two forests. You have a user named User1 in the na.contoso.com domain. User1 reports that hefails to log on to a computer in the nwtraders.com domain by using the user name NA \User1. Other users fromna.contoso.com report that they can log on to the computers in the nwtraders. com domain. You need toensure that User1 can log on to the computer in the nwtraders.com domain. What should you do?

A. Enable selective authentication over the forest trust.B. Create an external one-way trust from na.contoso.com to nwtraders.com.C. Instruct User1 to log on to the computer by using his user principal name (UPN).D. Instruct User1 to log on to the computer by using the user name nwtraders\User1.



QUESTION 47Your company has a main office and a branch office. The main office contains two domain controllers. Youcreate an Active Directory site named BranchOfficeSite. You deploy a domain controller in the branch office,and then add the domain controller to the BranchOfficeSite site. You discover that users in the branch office arerandomly authenticated by either the domain controller in the branch office or the domain controllers in the mainoffice. You need to ensure that the users in the branch office always attempt to authenticate to the domaincontroller in the branch office first. What should you do?

A. Create organizational units (OUs).B. Create Active Directory subnet objects.C. Modify the slow link detection threshold.D. Modify the Location attribute of the computer objects.



QUESTION 48Your company has a main office and 50 branch offices. Each office contains multiple subnets. You need toautomate the creation of Active Directory subnet objects. What should you use?

A. the Dsadd toolB. the Netsh toolC. the New-ADObject cmdletD. the New-Object cmdlet



QUESTION 49You need to ensure that domain controllers only replicate between domain controllers in adjacent sites. Whatshould you configure from Active Directory Sites and Services?

A. From the IP properties, select Ignore all schedules.B. From the IP properties, select Disable site link bridging.C. From the NTDS Settings object, manually configure the Active Directory Domain Services connection

objects.D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology Generator for each

site.



QUESTION 50Your network contains an Active Directory domain. The domain is configured as shown in the following table.

Users in Branch2 sometimes authenticate to a domain controller in Branch1. You need to ensure that users inBranch2 only authenticate to the domain controllers in Main. What should you do?

A. On DC3, set the AutoSiteCoverage value to 0.B. On DC3, set the AutoSiteCoverage value to 1.C. On DC1 and DC2, set the AutoSiteCoverage value to 0.D. On DC1 and DC2, set the AutoSiteCoverage value to 1.



QUESTION 51Your network contains an Active Directory domain. The functional level of the domain is Windows Server 2003.The domain contains five domain controllers that run Windows Server 2008 and five domain controllers that runWindows Server 2008 R2. You need to ensure that SYSVOL is replicated by using Distributed File SystemReplication (DFSR). What should you do first?

A. Run dfsrdiag.exe PollAD.B. Run dfsrmig.exe /SetGlobalState 0.C. Upgrade all domain controllers to Windows Server 2008 R2.D. Raise the functional level of the domain to Windows Server 2008.



QUESTION 52Your network contains an Active Directory forest. The forest contains two domains named contoso.com andwoodgrovebank.com. You have a custom attribute named Attibute1 in Active Directory. Attribute1 is associatedto User objects. You need to ensure that Attribute1 is replicated to the global catalog. What should you do?

A. In Active Directory Sites and Services, configure the NTDS Settings.B. In Active Directory Sites and Services, configure the universal group membership caching.C. From the Active Directory Schema snap-in, modify the properties of the User class schema object.D. From the Active Directory Schema snap-in, modify the properties of the Attibute1 class schema attribute.



QUESTION 53Your network contains an Active Directory domain. The domain contains three domain controllers. One of thedomain controllers fails. Seven days later, the help desk reports that it can no longer create user accounts. Youneed to ensure that the help desk can create new user accounts. Which operations master role should youseize?

A. domain naming masterB. infrastructure masterC. primary domain controller (PDC) emulatorD. RID masterE. schema master

Correct Answer: DSection: (none)

Explanation


QUESTION 54Your network contains a server named Server1 that runs Windows Server 2008 R2. On Server1, you create anActive Directory Lightweight Directory Services (AD LDS) instance named Instance1. You connect to Instance1by using ADSI Edit. You run the Create Object wizard and you discover that there is no User object class. Youneed to ensure that you can create user objects in Instance1. What should you do?

A. Run the AD LDS Setup Wizard.B. Modify the schema of Instance1.C. Modify the properties of the Instance1 service.D. Install the Remote Server Administration Tools (RSAT).



QUESTION 55Your network contains an Active Directory domain. The domain contains a server named Server1. Server1 runsWindows Server 2008 R2. You need to mount an Active Directory Lightweight Directory Services (AD LDS)snapshot from Server1. What should you do?

A. Run ldp.exe and use the Bind option.B. Run diskpart.exe and use the Attach option.C. Run dsdbutil.exe and use the snapshot option.D. Run imagex.exe and specify the /mount parameter.



QUESTION 56Your network contains a single Active Directory domain. Active Directory Rights Management Services(ADRMS) is deployed on the network. A user named User1 is a member of only the AD RMS EnterpriseAdministrators group. You need to ensure that User1 can change the service connection point (SCP) for the ADRMS installation. The solution must minimize the administrative rights of User1. To which group should you addUser1?

A. AD RMS AuditorsB. AD RMS Service GroupC. Domain AdminsD. Schema Admins



QUESTION 57Your network contains an Active Directory domain named contoso.com. The network contains client computersthat run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) isdeployed on the network. You create a new AD RMS template that is distributed by using the AD RMS pipeline.The template is updated every month. You need to ensure that all the computers can use the most up-to-dateversion of the AD RMS template. You want to achieve this goal by using the minimum amount of administrativeeffort. What should you do?

A. Upgrade all of the Windows Vista computers to Windows 7.B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users

by using a Software Installation extension of Group Policy.D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all

computers by using a Software Installation extension of Group Policy.



QUESTION 58Active Directory Rights Management Services (AD RMS) is deployed on your network. Users who haveWindows Mobile 6 devices report that they cannot access documents that are protected by AD RMS. You needto ensure that all users can access AD RMS protected content by using Windows Mobile 6 devices. Whatshould you do?

A. Modify the security of the ServerCertification.asmx file.B. Modify the security of the MobileDeviceCertification.asmx file.C. Enable anonymous authentication for the _wmcs virtual directory.D. Enable anonymous authentication for the certification virtual directory.



QUESTION 59Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS)server role is installed on Server1. An administrator changes the password of the user account that is used byAD RMS. You need to update AD RMS to use the new password. Which console should you use?

A. Active Directory Rights Management ServicesB. Active Directory Users and ComputersC. Component ServicesD. Services



QUESTION 60Your company has a main office and a branch office. The branch office contains a read-only domain controllernamed RODC1. You need to ensure that a user named Admin1 can install updates on RODC1. The solutionmust prevent Admin1 from logging on to other domain controllers. What should you do?

A. Run ntdsutil.exe and use the Roles option.B. Run dsmgmt.exe and use the Local Roles option.C. From Active Directory Sites and Services, modify the NTDS Site Settings.D. From Active Directory Users and Computers, add the user to the Server Operators group.



QUESTION 61Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1contains four domain controllers. Site2 contains a read-only domain controller (RODC). You add a user namedUser1 to the Allowed RODC Password Replication Group. The WAN link between Site1 and Site2 fails. User1restarts his computer and reports that he is unable to log on to the domain. The WAN link is restored and User1reports that he is able to log on to the domain. You need to prevent the problem from reoccurring if the WANlink fails. What should you do?

A. Create a Password Settings object (PSO) and link the PSO to User1's user account.B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.



QUESTION 62Your network contains an Active Directory domain named contoso.com. The network has a branch office sitethat contains a read-only domain controller (RODC) named RODC1. RODC1 runs Windows Server 2008 R2. Auser named User1 logs on to a computer in the branch office site. You discover that the password of User1 isnot stored on RODC1. You need to ensure that User1's password is stored on RODC1. What should youmodify?

A. the Member Of properties of RODC1B. the Member Of properties of User1C. the Security properties of RODC1D. the Security properties of User1



QUESTION 63Your company has a main office and a branch office. The branch office has an Active Directory site thatcontains a read-only domain controller (RODC). A user from the branch office reports that his account is lockedout. From a writable domain controller in the main office, you discover that the user's account is not locked out.You need to ensure that the user can log on to the domain. What should you do?

A. Modify the Password Replication Policy.B. Reset the password of the user account.C. Run the Knowledge Consistency Checker (KCC) on the RODC.D. Restore network communication between the branch office and the main office.



QUESTION 64You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server namedServer1. You need to configure the Windows Firewall on Server1 to allow external users to authenticate byusing AD FS. Which inbound TCP port should you allow on Server1?

A. 88B. 135C. 443D. 445



Exam C

QUESTION 1Your network contains an Active Directory forest. You set the W indows PowerShell execution policy to allowunsigned scripts on a domain controller in the network. You create a W indows PowerShell script named new-users.ps1 that contains the following lines:

new-aduser user1new-aduser user2new-aduser user3new-aduser user4new-aduser user5

On the domain controller, you double-click the script and the script runs. You discover that the script fails tocreate the user accounts. You need to ensure that the script creates the user accounts. Which cmdlet shouldyou add to the script?

A. Import-ModuleB. Register-ObjectEventC. Set-ADDomainD. Set-ADUser



QUESTION 2Your network contains an Active Directory forest. The forest schema contains a custom attribute for userobjects. You need to give the human resources department a file that contains the last logon time and thecustom attribute values for each user in the forest. What should you use?

A. the Dsquery toolB. the Export-CSV cmdletC. the Get-ADUser cmdletD. the Net.exe user command



QUESTION 3Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2.Your company's corporate security policy states that the password for each user account must be changed atleast every 45 days. You have a user account named Service1. Service1 is used by a network applicationnamed Application1. Every 45 days, Application1 fails. After resetting the password for Service1, Application1runs properly. You need to resolve the issue that causes Application1 to fail. The solution must adhere to thecorporate security policy. What should you do?

A. Run the cmdlet.B. Run the Set-ADServiceAccount cmdlet.C. Create a new password policy.

D. Create a new Password Settings object (PSO).



QUESTION 4Your network contains an Active Directory forest. You add an additional user principal name (UPN) suffix to theforest. You need to modify the UPN suffix of all users. You want to achieve this goal by using the minimumamount of administrative effort. What should you use?

A. the Active Directory Domains and Trusts consoleB. the Active Directory Users and Computers consoleC. the Csvde toolD. the Ldifde tool



QUESTION 5Your network contains a single Active Directory domain. All client computers run Windows Vista Service Pack 2(SP2). You need to prevent all users from running an application named App1.exe. Which Group Policy settingsshould you configure?

A. Application CompatibilityB. AppLockerC. Software InstallationD. Software Restriction Policies



QUESTION 6Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Clientcomputers run either Windows XP Service Pack 3 (SP3) or Windows Vista. You need to ensure that all clientcomputers can apply Group Policy preferences. W hat should you do?

A. Upgrade all Windows XP client computers to W indows 7.B. Create a central store that contains the Group Policy ADMX files.C. Install the Group Policy client-side extensions (CSEs) on all client computers.D. Upgrade all Windows Vista client computers to W indows Vista Service Pack 2 (SP2).



QUESTION 7Your network contains an Active Directory domain named contoso.com. You need to create a central store forthe Group Policy Administrative templates. W hat should you do?

A. Run dfsrmig.exe /createglobalobjects.B. Run adprep.exe /domainprep /gpprep.C. Copy the %SystemRoot%\PolicyDefinitions folder to the \\ contoso.com\SYSVOL\contoso.com\Policies

folder.D. Copy the %SystemRoot%\System32\GroupPolicy folder to the \\contoso.com\SYSVOL\contoso.com

\Policies folder.



QUESTION 8You configure and deploy a Group Policy object (GPO) that contains AppLocker settings. You need to identifywhether a specific application file is allowed to run on a computer. Which Windows PowerShell cmdlet shouldyou use?

A. Get-AppLockerFileInformationB. Get-GPOReportC. Get-GPPermissionsD. Test-AppLockerPolicy



QUESTION 9You need to create a Password Settings object (PSO). Which tool should you use?

A. Active Directory Users and ComputersB. ADSI EditC. Group Policy Management ConsoleD. Ntdsutil



QUESTION 10Your network contains an Active Directory domain. All servers run W indows Server 2008 R2. You need to audit

the deletion of registry keys on each server. What should you do?

A. From Audit Policy, modify the Object Access settings and the Process Tracking settings.B. From Audit Policy, modify the System Events settings and the Privilege Use settings.C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking settings.D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object

Access Auditing settings.



QUESTION 11Your network contains a single Active Directory domain. The functional level of the forest is W indows Server2008 R2. You need to enable the Active Directory Recycle Bin. What should you use?

A. the Dsmod toolB. the Enable-ADOptionalFeature cmdletC. the Ntdsutil toolD. the Set-ADDomainMode cmdlet



QUESTION 12Your network contains a single Active Directory domain. A domain controller named DC2 fails. You need toremove DC2 from Active Directory. Which two actions should you perform? (Each Answer presents part of thesolution. Choose two.)

A. At the command prompt, run dcdiag.exe /fix.B. At the command prompt, run netdom.exe remove dc2.C. From Active Directory Sites and Services, delete DC2.D. From Active Directory Users and Computers, delete DC2.



QUESTION 13Your network contains a single Active Directory domain. The functional level of the forest is Windows Server2008. The functional level of the domain is Windows Server 2008 R2. All DNS servers run Windows Server2008. All domain controllers run Windows Server 2008 R2. You need to ensure that you can enable the ActiveDirectory Recycle Bin. What should you do?

A. Change the functional level of the forest.B. Change the functional level of the domain.

C. Modify the Active Directory schema.D. Modify the Universal Group Membership Caching settings.



QUESTION 14Your network contains an Active Directory domain. The domain contains several domain controllers. All domaincontrollers run Windows Server 2008 R2. You need to restore the Default Domain Controllers Policy GroupPolicy object (GPO) to the W indows Server 2008 R2 default settings. What should you do?

A. Run dcgpofix.exe /target:dc.B. Run dcgpofix.exe /target:domain.C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.



QUESTION 15Your network contains an Active Directory domain. The domain contains two domain controllers named DC1and DC2. You perform a full backup of the domain controllers every night by using W indows Server Backup.You update a script in the SYSVOL folder. You discover that the new script fails to run properly. You need torestore the previous version of the script in the SYSVOL folder. The solution must minimize the amount of timerequired to restore the script. W hat should you do first?

A. Run the Restore-ADObject cmdlet.B. Restore the system state to its original location. .C. Attach the VHD file created by Windows Server Backup.D. Restore the system state to an alternate location



QUESTION 16Your network contains an Active Directory domain. You need to restore a deleted computer account from theActive Directory Recycle Bin. What should you do?

A. From the command prompt, run recover.exe.B. From the command prompt, run ntdsutil.exe.C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.

Correct Answer: D



QUESTION 17You need to back up all of the group policies in a domain. The solution must minimize the size of the backup.What should you use?

A. the Add-WBSystemState cmdletB. the Group Policy Management consoleC. the W badmin toolD. the W indows Server Backup feature



QUESTION 18Your company has a main office and a branch office. The network contains a single Active Directory domain.The main office contains a domain controller named DC1. You need to install a domain controller in the branchoffice by using an offline copy of the Active Directory database. What should you do first?

A. From the Ntdsutil tool, create an IFM media set.B. From the command prompt, run djoin.exe /loadfile.C. From Windows Server Backup, perform a system state backup.D. From Windows PowerShell, run the get-ADDomainController cmdlet.



QUESTION 19Your network contains an Active Directory domain. All domain controllers run Windows Server 2008. Thefunctional level of the domain is W indows Server 2003. All client computers run W indows 7. You installWindows Server 2008 R2 on a server named Server1. You need to perform an offline domain join of Server1.W hich two actions should you perform? (Each Answer presents part of the solution. Choose two.)

A. From Server1, run djoin.exe.B. From Server1, run netdom.exe.C. From a W indows 7 computer, run djoin.exe.D. Upgrade one domain controller to Windows Server 2008 R2.E. Raise the functional level of the domain to Windows Server 2008.




QUESTION 20You have an Active Directory snapshot. You need to view the contents of the organizational units (OUs) in thesnapshot. Which tools should you run?

A. explorer.exe, netdom.exe, and dsa.mscB. ntdsutil.exe, dsamain.exe, and dsa.mscC. wbadmin.msc, dsamain.exe, and netdom.exeD. wbadmin.msc, ntdsutil.exe, and explorer.exe



QUESTION 21Your network contains a domain controller that runs W indows Server 2008 R2. You run the following commandon the domain controller:

dsamain.exe dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit ldapport 389 -allowNonAdminAccess

The command fails. You need to ensure that the command completes successfully. How should you modify thecommand?

A. Include the path to Dsamain.B. Change the value of the -dbpath parameter.C. Change the value of the -ldapport parameter.D. Remove the allowNonAdminAccess



QUESTION 22Your network contains an Active Directory domain. The domain contains five domain controllers. A domaincontroller named DC1 has the DHCP role and the file server role installed. You need to move the ActiveDirectory database on DC1 to an alternate location. The solution must minimize impact on the network duringthe database move. What should you do first?

A. Restart DC1 in Safe Mode.B. Restart DC1 in Directory Services Restore Mode.C. Start DC1 from Windows PE.D. Stop the Active Directory Domain Services service on DC1.




QUESTION 23Your company has a main office and a branch office. The network contains an Active Directory forest. Theforest contains three domains. The branch office contains one domain controller named DC5. DC5 isconfigured as a global catalog server, a DHCP server, and a file server. You remove the global catalog fromDC5. You need to reduce the size of the Active Directory database on DC5. The solution must minimize theimpact on all users in the branch office. What should you do first?

A. Start DC5 in Safe Mode.B. Start DC5 in Directory Services Restore Mode.C. On DC5, start the Protected Storage service.D. On DC5, stop the Active Directory Domain Services service.



QUESTION 24Your network contains a single Active Directory domain. All servers run W indows Server 2008 R2. You deploya new server that runs Windows Server 2008 R2. The server is not connected to the internal network. You needto ensure that the new server is already joined to the domain when it first connects to the internal network.What should you do?

A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, runsysprep.exe and specify the /generalize parameter.

B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, runsysprep.exe and specify the /oobe parameter.

C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the new server,run djoin.exe and specify the /requestodj parameter.

D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the new server,run djoin.exe and specify the /provision parameter.



QUESTION 25Your network contains an Active Directory domain. The domain contains four domain controllers. You modifythe Active Directory schema. You need to verify that all the domain controllers received the schemamodification. Which command should you run?

A. dcdiag.exe /aB. netdom.exe query fsmo C. repadmin.exe /showrepl * D. sc.exe query ntds



QUESTION 26You remotely monitor several domain controllers. You run winrm.exe quickconfig on each domain controller.You need to create a W MI script query to retrieve information from the bios of each domain controller. Whichformat should you use to write the query?

A. XrMLB. XMLC. WQLD. HTML



QUESTION 27Your network contains an Active Directory domain named contoso.com. The domain contains five domaincontrollers. You add a logoff script to an existing Group Policy object (GPO). You need to verify that eachdomain controller successfully replicates the updated group policy. W hich two objects should you verify oneach domain controller? (Each Answer presents part of the solution. Choose two.)

A. \\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.iniB. \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.polC. the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com containerD. the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container



QUESTION 28You create a new Active Directory domain. The functional level of the domain is Windows Server 2008 R2. Thedomain contains five domain controllers. You need to monitor the replication of the group policy template files.Which tool should you use?

A. DfsrdiagB. FsutilC. NtdsutilD. Ntfrsutl



QUESTION 29You create a new Active Directory domain. The functional level of the domain is Windows Server 2003. Thedomain contains five domain controllers that run Windows Server 2008 R2. You need to monitor the replicationof the group policy template files. W hich tool should you use?

A. DfsrdiagB. FsutilC. NtdsutilD. Ntfrsutl



QUESTION 30You have a domain controller named Server1 that runs Windows Server 2008 R2. You need to determine thesize of the Active Directory database on Server1. What should you do?

A. Run the Active Directory Sizer tool.B. Run the Active Directory Diagnostics data collector set.C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.



QUESTION 31Your network contains an Active Directory domain named contoso.com. You have a management computernamed Computer1 that runs Windows 7. You need to forward the logon events of all the domain controllers incontoso.com to Computer1. All new domain controllers must be dynamically added to the subscription. Whatshould you do?

A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO) linkedto the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO) linkedto the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

C. From Computer1, configure source-initiated event subscriptions. Install a server authentication certificate onComputer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).

D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication certificateon Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).



QUESTION 32

Your network contains an Active Directory domain that has two sites. You need to identify whether logon scriptsare replicated to all domain controllers. W hich folder should you verify?

A. GroupPolicyB. NTDSC. SoftwareDistributionD. SYSVOL



QUESTION 33Your network contains an Active Directory forest. The forest contains two domains. You have a standalone rootcertification authority (CA). On a server in the child domain, you run the Add Roles W izard and discover thatthe option to select an enterprise CA is disabled. You need to install an enterprise subordinate CA on theserver. What should you use to log on to the new server?

A. an account that is a member of the Certificate Publishers group in the child domainB. an account that is a member of the Certificate Publishers group in the forest root domainC. an account that is a member of the Schema Admins group in the forest root domainD. an account that is a member of the Enterprise Admins group in the forest root domain



QUESTION 34You have an enterprise subordinate certification authority (CA). You have a group named Group1. You need toallow members of Group1 to publish new certificate revocation lists. Members of Group1 must not be allowed torevoke certificates. What should you do?

A. Add Group1 to the local Administrators group. B. Assign the Issue and Manage Certificates permission to Group1.C. Add Group1 to the Certificate Publishers group. D. Assign the Manage CA permission to Group1.



QUESTION 35You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recoveryagent certificates are issued. The CA is configured to use two recovery agents. You need to ensure that all ofthe recovery agent certificates can be used to recover all new private keys. W hat should you do?

A. Add a data recovery agent to the Default Domain Policy.

B. Modify the value in the Number of recovery agents to use box.C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.



QUESTION 36You have Active Directory Certificate Services (AD CS) deployed. You create a custom certificate template.You need to ensure that all of the users in the domain automatically enroll for a certificate based on the customcertificate template. Which two actions should you perform? (Each Answer presents part of the solution.Choose two.)

A. In a Group Policy object (GPO), configure the autoenrollment settings.B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.



QUESTION 37You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificatetemplate. Users can enroll for certificates based on the custom certificate template by using the Certificatesconsole. The certificate template is unavailable for Web enrollment. You need to ensure that the certificatetemplate is available on the Web enrollment pages. W hat should you do?

A. Run certutil.exe pulse.B. Run certutil.exe installcert.C. Change the certificate template to a Version 2 certificate template.D. On the certificate template, assign the Autoenroll permission to the users.



QUESTION 38Your network contains an Active Directory forest. All domain controllers run W indows Server 2008 Standard.The functional level of the domain is Windows Server 2003. You have a certification authority (CA). Therelevant servers in the domain are configured as shown below:

You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate EnrollmentWeb Service on the network. What should you do?

A. Upgrade Server1 to Windows Server 2008 R2.B. Upgrade Server2 to Windows Server 2008 R2.C. Raise the functional level of the domain to Windows Server 2008.D. Install the W indows Server 2008 R2 Active Directory Schema updates.



QUESTION 39You have a domain controller that runs the DHCP service. You need to perform an offline defragmentation ofthe Active Directory database on the domain controller. You must achieve this goal without affecting theavailability of the DHCP service. W hat should you do?

A. Restart the domain controller in Directory Services Restore Mode. Run the Disk Defragmenter utility.B. Restart the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility.C. Stop the Active Directory Domain Services service. Run the Ntdsutil utility.D. Stop the Active Directory Domain Services service. Run the Disk Defragmenter utility.



QUESTION 40Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way foresttrust exists between contoso.com and nwtraders.com. The forest trust is configured to use selectiveauthentication. Contoso.com contains a server named Server1. Server1 contains a shared folder namedMarketing. Nwtraders.com contains a global group named G_Marketing. The Change share permission and theModify NTFS permission for the Marketing folder are assigned to the G_Marketing group. Members ofG_Marketing report that they cannot access the Marketing folder. You need to ensure that the G_Marketingmembers can access the folder from the network. What should you do?

A. From Windows Explorer, modify the NTFS permissions of the folder.B. From Windows Explorer, modify the share permissions of the folder.C. From Active Directory Users and Computers, modify the computer object for Server1. D. From Active Directory Users and Computers, modify the group object for G_Marketing.



QUESTION 41Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2connect to each other by using a slow W AN link. You discover that the cached password for a user namedUser1 is compromised on the RODC. On a domain controller in Site1, you change the password for User1. Youneed to replicate the new password for User1 to the RODC immediately. The solution must not replicate otherobjects to the RODC. W hich tool should you use?

A. Active Directory Sites and ServicesB. Active Directory Users and ComputersC. RepadminD. Replmon



QUESTION 42Your network contains an Active Directory domain named contoso.com. The properties of the contoso.comDNS zone are configured as shown in the exhibit.

You need to update all service location (SRV) records for a domain controller in the domain. W hat should youdo?

A. Restart the Netlogon service.B. Restart the DNS Client service.C. Run sc.exe and specify the triggerinfo parameter.D. Run ipconfig.exe and specify the /registerdns parameter.



QUESTION 43Your network contains an Active Directory domain. The domain contains 1,000 user accounts. You have a listthat contains the mobile phone number of each user. You need to add the mobile number of each user toActive Directory. What should you do?

A. Create a file that contains the mobile phone numbers, and then run ldifde.exe.B. Create a file that contains the mobile phone numbers, and then run csvde.exe.C. From Adsiedit, select the CN=Users container, and then modify the properties of the container.

D. From Active Directory Users and Computers, select all of the users, and then modify the properties of theusers.



QUESTION 44Your network contains an Active Directory domain named contoso.com. All domain controllers and memberservers run W indows Server 2008. All client computers run Windows 7. From a client computer, you create anaudit policy by using the Advanced Audit Policy Configuration settings in the Default Domain Policy GroupPolicy object (GPO). You discover that the audit policy is not applied to the member servers. The audit policy isapplied to the client computers. You need to ensure that the audit policy is applied to all member servers and allclient computers. What should you do?

A. Add a W MI filter to the Default Domain Policy GPO.B. Modify the security settings of the Default Domain Policy GPO.C. Configure a startup script that runs auditpol.exe on the member servers.D. Configure a startup script that runs auditpol.exe on the domain controllers.



QUESTION 45Your network contains an Active Directory domain. The domain contains a group named Group1. The minimumpassword length for the domain is set to six characters. You need to ensure that the passwords for all users inGroup1 are at least 10 characters long. All other users must be able to use passwords that are six characterslong. What should you do first?

A. Run the New-ADFineGrainedPasswordPolicy cmdlet.B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.C. From the Default Domain Policy, modify the password policy.D. From the Default Domain Controller Policy, modify the password policy.



QUESTION 46Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains amember server that is configured to collect all of the events that occur on the domain controllers. You need toensure that administrators are notified when a specific event occurs on any of the domain controllers. You wantto achieve this goal by using the minimum amount of administrative effort. What should you do?

A. From Event Viewer on the member server, create a subscription.B. From Event Viewer on each domain controller, create a subscription.

C. From Event Viewer on the member server, run the Create Basic Task Wizard.D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.



QUESTION 47Your network contains an Active Directory domain controller named DC1. DC1 runs Windows Server 2008 R2.You need to defragment the Active Directory database on DC1. The solution must minimize downtime on DC1.W hat should you do first?

A. At the command prompt, run net stop ntds.B. At the command prompt, run net stop netlogon.C. Restart DC1 in Safe Mode.D. Restart DC1 in Directory Services Restore Mode (DSRM).



QUESTION 48Your network contains an Active Directory-integrated zone. All DNS servers that host the zone are domaincontrollers. You add multiple DNS records to the zone. You need to ensure that the records are replicated to allDNS servers. W hich tool should you use?

A. DnslintB. LdpC. NslookupD. Repadmin



QUESTION 49Your network contains an Active Directory forest. The forest contains two domains named contoso.com andeu.contoso.com. All domain controllers are DNS servers. The domain controllers in contoso.com host the zonefor contoso.com. The domain controllers in eu. contoso.com host the zone for eu.contoso.com. The DNS zonefor contoso.com is configured as shown in the exhibit.

You need to ensure that all domain controllers in the forest host a writable copy of _msdsc.contoso.com. Whichtwo actions should you perform? (Each Answer presents part of the solution. Choose two.)

A. Create a zone delegation record in the contoso.com zone.B. Create a zone delegation record in the eu.contoso.com zone.C. Create an Active Directory-integrated zone for _msdsc.contoso.com.D. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com.



QUESTION 50Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers.The servers are configured as shown in the following table.

You need to ensure that users can manually enroll and renew their certificates by using the CertificateEnrollment Web Service. Which two actions should you perform? (Each Answer presents part of the solution.Choose two.)

A. Configure the policy module settings.B. Configure the issuance requirements for the certificate templates.

C. Configure the Certificate Services Client - Certificate Enrollment Policy Group Policy setting.D. Configure the delegation settings for the Certificate Enrollment Web Service application pool account.



QUESTION 51Your network contains an Active Directory domain named contoso.com. Contoso.com contains a memberserver that runs Windows Server 2008 Standard. You need to install an enterprise subordinate certificationauthority (CA) that supports private key archival. You must achieve this goal by using the minimum amount ofadministrative effort. What should you do first?

A. Initialize the Trusted Platform Module (TPM).B. Upgrade the member server to W indows Server 2008 R2 Standard.C. Install the Certificate Enrollment Policy Web Service role service on the member server.D. Run the Security Configuration W izard (SCW) and select the Active Directory Certificate Services -

Certification Authority server role template check box.



QUESTION 52You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificatetemplate. Users can enroll for certificates based on the custom certificate template by using the Certificatesconsole. The certificate template is unavailable for Web enrollment. You need to ensure that the certificatetemplate is available on the Web enrollment pages. W hat should you do?

A. Run certutil.exe Cpulse.B. Run certutil.exe Cinstallcert.C. Change the certificate template to a Version 2 certificate template.D. On the certificate template, assign the Autoenroll permission to the users.

Correct Answer: Section: (none)Explanation


QUESTION 53Your network contains an Active Directory domain. The domain contains a member server named Server1 thatruns Windows Server 2008 R2. You need to configure Server1 as a global catalog server. What should you do?

A. Modify the Active Directory schema.B. From Ntdsutil, use the Roles option.C. Run the Active Directory Domain Services Installation W izard on Server1.D. Move the Server1 computer object to the Domain Controllers organizational unit (OU).



QUESTION 54Your network contains three Active Directory forests named Forest1, Forest2, and Forest3. Each forestcontains three domains. A two-way forest trust exists between Forest1 and Forest2. A two-way forest trustexists between Forest2 and Forest3. You need to configure the forests to meet the following requirements:

* Users in Forest3 must be able to access resources in Forest1.* Users in Forest1 must be able to access resources in Forest3.* The number of trusts must be minimized.

What should you do?

A. In Forest2, modify the name suffix routing settings.B. In Forest1 and Forest3, configure selective authentication.C. In Forest1 and Forest3, modify the name suffix routing settings.D. Create a two-way forest trust between Forest1 and Forest3.E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3.



QUESTION 55Your network contains an Active Directory domain. All domain controller run Windows Server 2003. Youreplace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise thefunctional level of the domain to W indows Server 2008 R2. You need to minimize the amount of SYSVOLreplication traffic on the network. What should you do?

A. Raise the functional level of the forest to Windows Server 2008 R2.B. Modify the path of the SYSVOL folder on all of the domain controllers.C. On a global catalog server, run repadmin.exe and specify the KCC parameter.D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run

dfsrmig.exe.

Correct Answer: Section: (none)Explanation


QUESTION 56Your network contains an Active Directory forest. The forest contains two domain controllers. The domaincontrollers are configured as shown in the following table.

All client computers run W indows 7. You need to ensure that all client computers in the domain keep the sametime as an external time server. What should you do?

A. From DC1, run the time command.B. From DC2, run the time command.C. From DC1, run the w32tm.exe command.D. From DC2, run the w32tm.exe command.



QUESTION 57Active Directory Rights Management Services (AD RMS) is deployed on your network. You need to configureAD RMS to use Kerberos authentication. W hich two actions should you perform? (Each Answer presents partof the solution. Choose two.)

A. Register a service principal name (SPN) for AD RMS.B. Register a service connection point (SCP) for AD RMS.C. Configure the identity setting of the _DRMSAppPool1 application pool.D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS).



QUESTION 58Your network contains an Active Directory forest. The forest contains an Active Directory site for a remoteoffice. The remote site contains a read-only domain controller (RODC). You need to configure the RODC tostore only the passwords of users in the remote site. What should you do?

A. Create a Password Settings object (PSO).B. Modify the Partial-Attribute-Set attribute of the forest.C. Add the user accounts of the remote site users to the Allowed RODC Password Replication Group.D. Add the user accounts of users who are not in the remote site to the Denied RODC Password Replication

Group.



QUESTION 59Your company has four offices. The network contains a single Active Directory domain. Each office has adomain controller. Each office has an organizational unit (OU) that contains the user accounts for the users inthat office. In each office, support technicians perform basic troubleshooting for the users in their respectiveoffice. You need to ensure that the support technicians can reset the passwords for the user accounts in theirrespective office only. The solution must prevent the technicians from creating user accounts. W hat should youdo?

A. For each OU, run the Delegation of Control W izard.B. For the domain, run the Delegation of Control Wizard.C. For each office, create an Active Directory group, and then modify the security settings for each group.D. For each office, create an Active Directory group, and then modify the controlAccessRights attribute for

each group.



QUESTION 60Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active DirectoryRights Management Services (AD RMS) is deployed in each forest. You need to ensure that users from thenwtraders.com forest can access AD RMS protected content in the contoso.com forest. What should you do?

A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.B. Create an external trust from nwtraders.com to contoso.com.C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.D. Create an external trust from contoso.com to nwtraders.com.



QUESTION 61Your network contains a server named Server1 that runs W indows Server 2008 R2. Server1 is configured asan Active Directory Federation Services (AD FS) 2.0 standalone server. You plan to add a new token- signingcertificate to Server1. You import the certificate to the server as shown in the exhibit.

When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable.You need to ensure that you can use the new certificate for AD FS. What should you do?

A. From the properties of the certificate, modify the Certificate Policy OIDs setting.B. Import the certificate to the AD FS 2.0 W indows Service personal certificate store.C. From the properties of the certificate, modify the Certificate purposes setting.D. Import the certificate to the local computer personal certificate store.



QUESTION 62Your company has a main office and four branch offices. An Active Directory site exists for each office. Eachsite contains one domain controller. Each branch office site has a site link to the main office site. You discoverthat the domain controllers in the branch offices sometimes replicate directly to each other. You need to ensurethat the domain controllers in the branch offices only replicate to the domain controller in the main office. Whatshould you do?

A. Modify the firewall settings for the main office site.B. Disable the Knowledge Consistency Checker (KCC) for each branch office site.C. Disable site link bridging.D. Modify the security settings for the main office site.



QUESTION 63Your network contains an Active Directory forest. The forest contains one domain. The domain contains two

domain controllers named DC1 and DC2 that run W indows Server 2008 R2. DC1 was installed before DC2.DC1 fails. You need to ensure that you can add 1,000 new user accounts to the domain. What should you do?

A. Modify the permissions of the DC2 computer account.B. Seize the schema master FSMO role.C. Configure DC2 as a global catalog server.D. Seize the RID master FSMO role.



QUESTION 64Your network contains an Active Directory domain. You create and mount an Active Directory snapshot. Yourun dsamain.exe as shown in the exhibit.

You need to ensure that you can browse the contents of the Active Directory snapshot. W hat should you?

A. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe.B. Change the value of the dbpath parameter, and then rerun dsamain.exe.C. Change the value of the ldapport parameter, and then rerun dsamain.exe.D. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe.



QUESTION 65Your network contains an Active Directory domain. You need to back up all of the Group Policy objects (GPOs),

Group Policy permissions, and Group Policy links for the domain. What should you do?

A. From Group Policy Management Console (GPMC), back up the GPOs.B. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.C. From Windows Server Backup, perform a system state backup.D. From Windows PowerShell, run the Backup-GPO cmdlet.



QUESTION 66Your network contains a domain controller that runs W indows Server 2008 R2. You need to reset the DirectoryServices Restore Mode (DSRM) password on the domain controller. Which tool should you use?

A. NtdsutilB. DsamainC. Active Directory Users and ComputersD. Local Users and Groups



QUESTION 67Your network contains an Active Directory domain. You have five organizational units (OUs) named Finance,HR, Marketing, Sales, and Dev. You link a Group Policy object named GPO1 to the domain as shown in theexhibit.

You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs. The solutionmust prevent GPO1 from being applied to users in the Dev OU. What should you do?

A. Enforce GPO1.B. Modify the security settings of the Dev OU.C. Link GPO1 to the Finance OU.D. Modify the security settings of the Finance OU.



QUESTION 68Your network contains an Active Directory domain. The domain contains an organizational unit (OU) namedOU1. OU1 contains all managed service accounts in the domain. You need to prevent the managed serviceaccounts from being deleted accidentally from OU1. W hich cmdlet should you use?

A. Set-ADUserB. Set-ADOrganizationalUnitC. Set-ADServiceAccountD. Set-ADObject



QUESTION 69

Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writabledomain controller named DC1 and a read-only domain controller (RODC) named DC2. All domain controllersrun W indows Server 2008 R2. You need to install a new writable domain controller named DC3 in a remotesite. The solution must minimize the amount of replication traffic that occurs during the installation of ActiveDirectory Domain Services (AD DS) on DC3. What should you do first?

A. Run dcpromo.exe /createdcaccount on DC3.B. Run ntdsutil.exe on DC2.C. Run dcpromo.exe /adv on DC3.D. Run ntdsutil.exe on DC1.



QUESTION 70Your network contains an Active Directory forest. The forest contains 10 domains. All domain controllers areconfigured as global catalog servers. You remove the global catalog role from a domain controller named DC5.You need to reclaim the hard disk space used by the global catalog on DC5. What should you do?

A. From Active Directory Sites and Services, run the Knowledge Consistency Checker (KCC).B. From Active Directory Sites and Services, modify the general properties of DC5.C. From Ntdsutil, use the Semantic database analysis option.D. From Ntdsutil, use the Files option.



QUESTION 71A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone aredomain controllers. You add multiple DNS records to the zone. You need to ensure that the new records areavailable on all DNS servers as soon as possible. Which tool should you use?

A. LdpB. RepadminC. NtdsutilD. NslookupE. Active Directory Sites And Services consoleF. DnscmdG. Active Directory Domains And Trusts console H. Dnslint



QUESTION 72Your network contains a server named Server1 that runs W indows Server 2008 R2 Standard. Server1 has theActive Directory Certificate Services (AD CS) role installed. You configure a certificate template namedTemplate1 for autoenrollment. You discover that certificates are not being issued to any client computers. Theevent logs on the client computers do not contain any autoenrollment errors. You need to ensure that all of theclient computers automatically receive certificates based on Template1. What should you do?

A. Modify the Default Domain Policy Group Policy object (GPO).B. Modify the Default Domain Controllers Policy Group Policy object (GPO).C. Upgrade Server1 to Windows Server 2008 R2 Enterprise.D. Restart Certificate Services on Server1.



QUESTION 73Your network contains a server that has the Active Directory Lightweight Directory Services (AD LDS) roleinstalled. You need to perform an automated installation of an AD LDS instance. Which tool should you use?

A. Dism.exeB. Servermanagercmd.exeC. Adaminstall.exeD. Ocsetup.exe



QUESTION 74Your network contains an Active Directory domain named contoso.com. A partner company has an ActiveDirectory domain named nwtraders.com. The networks for contoso.com and nwtraders.com connect to eachother by using a W AN link. You need to ensure that users in contoso.com can access resources innwtraders.com and resources on the Internet. W hat should you do first?

A. Modify the Trusted Root Certification Authorities store.B. Modify the Intermediate Certification Authorities store.C. Create conditional forwarders.D. Add a root hint to the DNS server.



Exam D

QUESTION 1Your network contains an Active Directory-integrated DNS zone named contoso.com. You discover that thezone includes DNS records for computers that were removed from the network. You need to ensure that theDNS records are deleted automatically from the zone. What should you do?

A. From DNS Manager, set the aging properties.B. Create a scheduled task that runs dnslint.exe /v /d contoso.com.C. From DNS Manager, modify the refresh interval of the start of authority (SOA) record.D. Create a scheduled task that runs ipconfig.exe /flushdns.



QUESTION 2Your network contains a domain controller that runs Windows Server 2008 R2. You run the following commandon the domain controller:

dsamain.exe C dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit C ldapport 389 -allowNonAdminAccess

The command fails. You need to ensure that the command completes successfully. How should you modify thecommand?

A. Change the value of the -dbpath parameter.B. Include the path to Dsamain.C. Change the value of the -ldapport parameter.D. Remove the CallowNonAdminAccess parameter.



QUESTION 3Your network contains an Active Directory domain named contoso.com. Contoso.com contains a domaincontroller named DC1 and a read-only domain controller (RODC) named RODC1. You need to view the mostrecent user accounts authenticated by RODC1. What should you do first?

A. From Active Directory Sites and Services, right-click the Connection object for DC1, and then click ReplicateNow.

B. From Active Directory Sites and Services, right-click the Connection object for DC2, and then click ReplicateNow.

C. From Active Directory Users and Computers, right-click contoso.com, click Change DomainController, andthen connect to DC1.

D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, andthen connect to RODC1.

Correct Answer: C



QUESTION 4Your network contains an Active Directory domain. The domain contains 3,000 client computers. All of the clientcomputers run Windows 7. Users log on to their client computers by using standard user accounts. You plan todeploy a new application named App1. The vendor of App1 provides a Setup.exe file to install App1. Setup.exerequires administrative rights to run. You need to deploy App1 to all client computers. The solution must meetthe following requirements:

* App1 must automatically detect and replace corrupt application files.* App1 must be available from the Start menu on each client computer.

What should you do first?

A. Create a logon script that calls Setup.exe for App1.B. Create a .zap file.C. Create a startup script that calls Setup.exe for App1.D. Repackage App1 as a Windows Installer package.



QUESTION 5Your network contains an Active Directory domain named contoso.com. Contoso.com contains a server namedServer2. You open the System properties on Server2 as shown in the exhibit.

When you attempt to configure Server2 as an enterprise subordinate certification authority (CA), you discoverthat the enterprise subordinate CA option is unavailable. You need to configure Server2 as an enterprisesubordinate CA. What should you do first?

A. Upgrade Server2 to Windows Server 2008 R2 Enterprise.B. Log in as an administrator and run Server Manager.C. Import the root CA certificate.D. Join Server2 to the domain.



QUESTION 6Your network contains an Active Directory domain. The domain contains an enterprise certification authority(CA). You need to ensure that only members of a group named Admin1 can create certificate templates. Whichtool should you use to assign permissions to Admin1?

A. the Certification Authority consoleB. Active Directory Users and ComputersC. the Certificates snap-inD. Active Directory Sites and Services



QUESTION 7Your network contains an Active Directory domain. All DNS servers are domain controllers. You view theproperties of the DNS zone as shown in the exhibit.

You need to ensure that only domain members can register DNS records in the zone. What should you do first?

A. Modify the zone type.B. Create a trust anchor.C. Modify the Advanced properties of the DNS server.D. Modify the Dynamic updates setting.



QUESTION 8Your company has a single Active Directory forest with a single domain. Consultants in different departments of

the company require access to different network resources. The consultants belong to a global group namedTempWorkers. Three file servers are placed in a new organizational unit named SecureServers. The fileservers contain confidential data in shared folders. You need to prevent the consultants from accessing theconfidential data. What should you do?

A. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign theDeny access to this computer from the network user right to the TempWorkers global group.

B. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny access to this computerfrom the network user right to the TempWorkers global group.

C. On the three file servers, create a share on the root of each hard disk. Configure the Deny Full controlpermission for the TempWorkers global group on the share.

D. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny log on locally user rightto the TempWorkers global group.

E. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign theDeny log on locally user right to the TempWorkers global group.



QUESTION 9You install an Active Directory domain in a test environment. You need to reset the passwords of all the useraccounts in the domain from a domain controller. Which two Windows PowerShell commands should you run?(Each Answer presents part of the solution, choose two.)

A. $ newPassword = *B. Import-Module ActiveDirectoryC. Import-Module WebAdministrationD. Get- AdUser -filter * | Set- ADAccountPossword - NewPassword $ newPassword - ResetE. Set- ADAccountPossword - NewPassword - ResetF. $ newPassword = (Read-Host - Prompt "New Password" - AsSecureString )G. Import-Module ServerManager

Correct Answer: DFSection: (none)Explanation


QUESTION 10Your network contains two forests named adatum.com and litwareinc.com. The functional level of all thedomains is Windows Server 2003. The functional level of both forests is Windows 2000. You need to create aforest trust between adatum.com and litwareinc.com. What should you do first?

A. Create an external trust.B. Raise the functional level of both forests.C. Configure SID filtering.D. Raise the functional level of all the domains.

Correct Answer: BSection: (none)

Explanation


QUESTION 11Your network contains an Active Directory forest named adatum.com. All client computers used by themarketing department are in an organizational unit (OU) named Marketing Computers. All user accounts for themarketing department are in an OU named Marketing Users. You purchase a new application. You need toensure that every user in the domain who logs on to a marketing department computer can use the application.The application must only be available from the marketing department computers. What should you do?

A. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to ashared folder on the network. Assign the application.

B. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation packageto a shared folder on the network. Assign the application.

C. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation packageto a local drive on each marketing department computer. Publish the application.

D. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to afolder on each marketing department computer. Publish the application.



QUESTION 12Your network contains an Active Directory forest named adatum.com. You need to create an Active DirectoryRights Management Services (AD RMS) licensing-only cluster. What should you install before you create theAD RMS root cluster?

A. The Failover Cluster featureB. The Active Directory Certificate Services (AD CS) roleC. Microsoft Exchange Server 2010D. Microsoft SharePoint Server 2010E. Microsoft SQL Server 2008

Correct Answer: ESection: (none)Explanation


QUESTION 13Your network contains an Active Directory domain named contoso.com. The network has a branch office sitethat contains a read-only domain controller (RODC) named RODC1. RODC1 runs Windows Server 2008 R2. Auser logs on to a computer in the branch office site. You discover that the user's password is not stored onRODC1. You need to ensure that the user's password is stored on RODC1 when he logs on to a branch officesite computer. What should you do?

A. Modify the RODC s password replication policy by removing the entry for the Allowed RODC PasswordReplication Group.

B. Modify the RODC's password replication policy by adding RODC1's computer account to the list of allowedusers, groups, and computers.

C. Add the user's user account to the built-in Allowed RODC Password Replication Group on RODC1.D. Add RODC1's computer account to the built-in Allowed RODC Password Replication Group on RODC1.



QUESTION 14You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server namedServer1. You need to configure the Windows Firewall on Server1 to allow external users to authenticate byusing AD FS. Which protocol should you allow on Server1?

A. KerberosB. SSLC. SMBD. RPC



QUESTION 15Your network contains an Active Directory domain named contoso.com. Contoso.com contains a memberserver that runs Windows Server 2008 R2 Standard. You need to create an enterprise subordinate certificationauthority (CA) that can issue certificates based on version 3 certificate templates. You must achieve this goalby using the minimum amount of administrative effort. What should you do first?

A. Run the certutil.exe - addenrollmentserver command.B. Install the Active Directory Certificate Services (AD CS) role on the member server.C. Upgrade the member server to Windows Server 2008 R2 Enterprise.D. Run the certutil.exe - installdefaulttemplates command.



QUESTION 16Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link.Contoso has an Active Directory forest that contains a single domain named ad.contoso.com. The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 isconfigured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primaryzone. You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You needto ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails.What should you do?

A. Create a new secondary zone named ad.contoso.com on DC2.B. Create a new stub zone named ad.contoso.com on DC2.

C. Configure the DNS server on DC2 to forward requests to DC1.D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.



QUESTION 17Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted FileSystem (EFS) certificates. You need to archive the private key for all new EFS certificates. Which snap-inshould you use?

A. Active Directory Users and ComputersB. Authorization ManagerC. Group Policy ManagementD. Enterprise PKIE. Security TemplatesF. TPM ManagementG. CertificatesH. Certification AuthorityI. Certificate Templates

Correct Answer: ISection: (none)Explanation


QUESTION 18Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.You need to ensure that all of the members of a group named Group1 can view the event log entries forCertificate Services. Which snap-in should you use?

A. Certificate TemplatesB. Certification AuthorityC. Authorization ManagerD. Active Directory Users and ComputersE. TPM ManagementF. Security TemplatesG. Group Policy ManagementH. Enterprise PKII. Certificates



QUESTION 19Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.You have a custom certificate template named Template 1. Template1 is published to the CA. You need toensure that all of the members of a group named Group1 can enroll for certificates that use Template1. Whichsnap-in should you use?

A. Security TemplatesB. Enterprise PKIC. Certification AuthorityD. Certificate TemplatesE. CertificatesF. TPM ManagementG. Authorization ManagerH. Group Policy ManagementI. Active Directory Users and Computers



QUESTION 20Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.You need to approve a pending certificate request. Which snap-in should you use?

A. Active Directory Users and ComputersB. Authorization ManagerC. Certification AuthorityD. Group Policy ManagementE. Certificate TemplatesF. TPM ManagementG. CertificatesH. Enterprise PKII. Security Templates



QUESTION 21Your network contains an Active Directory domain named adatum.com. You need to ensure that IP addressescan be resolved to fully qualified domain names (FQDNs). Under which node in the DNS snap- in should youadd a zone?

A. Reverse Lookup ZonesB. adatum.comC. Forward Lookup ZonesD. Conditional Forwarders

E. _msdcs.adatum.com



QUESTION 22Your network contains an Active Directory forest named adatum.com. The DNS infrastructure fails. You rebuildthe DNS infrastructure. You need to force the registration of the Active Directory Service Locator (SRV) recordsin DNS. Which service should you restart on the domain controllers?

A. NetlogonB. DNS ServerC. Network Location AwarenessD. Network Store Interface ServiceE. Online Responder Service



QUESTION 23Your network contains an Active Directory domain named adatum.com. The password policy of the domainrequires that the passwords for all user accounts be changed every 50 days. You need to create several useraccounts that will be used by services. The passwords for these accounts must be changed automatically every50 days. Which tool should you use to create the accounts?

A. Active Directory Administrative CenterB. Active Directory Users and ComputersC. Active Directory Module for Windows PowerShellD. ADSI EditE. Active Directory Domains and Trusts



QUESTION 24Your network contains an Active Directory domain. The domain contains several domain controllers. You needto modify the Password Replication Policy on a read-only domain controller (RODC). Which tool should youuse?

A. Group Policy ManagementB. Active Directory Domains and TrustsC. Active Directory Users and ComputersD. Computer Management

E. Security Configuration Wizard



QUESTION 25Your network contains an Active Directory forest. The forest contains two domains named contoso.com andwoodgrovebank.com. You have a custom attribute named Attribute 1 in Active Directory. Attribute 1 isassociated to User objects. You need to ensure that Attribute1 is included in the global catalog. What shouldyou do?

A. From the Active Directory Schema snap-in, modify the properties of the Attribute 1 attributeSchema object.B. In Active Directory Users and Computers, configure the permissions on the Attribute 1 attribute for User

objects.C. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the

forest.



QUESTION 26Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the ActiveDirectory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD LDS instances namedInstance1 and Instance2. You need to remove Instance2 from Server1 without affecting Instance1. Which toolshould you use?

A. NTDSUtilB. DsdbutilC. Programs and Features in the Control PanelD. Server Manager



QUESTION 27Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Youneed to compact the Active Directory database. What should you do?

A. Run the Get-ADForest cmdlet.B. Configure subscriptions from Event Viewer.C. Run the eventcreate.exe command.D. Configure the Active Directory Diagnostics Data Collector Set (OCS).E. Create a Data Collector Set (DCS).

F. Run the repadmin.exe command.G. Run the ntdsutil.exe command.H. Run the dsquery.exe command. I.

Run the dsamain.exe command.I. Create custom views from Event Viewer.

Correct Answer: GSection: (none)Explanation


QUESTION 28Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Youneed to collect all of the Directory Services events from all of the domain controllers and store the events in asingle central computer. What should you do?

A. Run the ntdsutil.exe command.B. Run the repodmin.exe command.C. Run the Get-ADForest cmdlet.D. Run the dsamain.exe command.E. Create custom views from Event Viewer.F. Run the dsquery.exe command.G. Configure the Active Directory Diagnostics Data Collector Set (DCS).H. Configure subscriptions from Event Viewer.I. Run the eventcreate.exe command.J. Create a Data Collector Set (DCS).

Correct Answer: HSection: (none)Explanation


QUESTION 29Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Youneed to receive a notification when more than 100 Active Directory objects are deleted per second. Whatshould you do?

A. Create custom views from Event Viewer.B. Run the Get-ADForest cmdlet.C. Run the ntdsutil.exe command.D. Configure the Active Directory Diagnostics Data Collector Set (DCS).E. Create a Data Collector Set (DCS).F. Run the dsamain.exe command.G. Run the dsquery.exe command.H. Run the repadmin.exe command.I. Configure subscriptions from Event Viewer.J. Run the eventcreate.exe command.

Correct Answer: E



QUESTION 30Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Youmount an Active Directory snapshot. You need to ensure that you can query the snapshot by using LDAP. Whatshould you do?

A. Run the dsamain.exe command.B. Create custom views from Event Viewer.C. Run the ntdsutil.exe command.D. Configure subscriptions from Event Viewer.E. Run the Get-ADForest cmdlet.F. Create a Data Collector Set (DCS).G. Run the eventcreate.exe command.H. Configure the Active Directory Diagnostics Data Collector Set (DCS).I. Run the repadmin.exe command.J. Run the dsquery.exe command.



QUESTION 31Your network contains an Active Directory forest named adatum.com. The forest contains four child domainsnamed europe.adatum.com, northamerica.adatum.com, asia.adatum.com, and africa.adatum. com. You needto create four new groups in the forest root domain. The groups must be configured as shown in the followingtable.

What should you do?

To answer, drag the appropriate group type to the correct group name in the answer area.

Select and Place:

A.B.C.D. Correct Answer:

Correct Answer: Section: Exam CExplanation


QUESTION 32Your network contains an Active Directory domain named adatum.com. You need to use Group Policies todeploy the line-of-business applications shown in the following table.

What should you do?

To answer, drag the appropriate deployment method to the correct application in the answer area.

Select and Place:




QUESTION 33Your network contains an Active Directory forest. The DNS infrastructure fails. You rebuild the DNSinfrastructure. You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.Which service should you restart on the domain controllers?

To answer, select the appropriate service in the answer area.

Point and Shoot:




QUESTION 34Your network contains an Active Directory forest named contoso.com. The password policy of the forestrequires that the passwords for all of the user accounts be changed every 30 days. You need to create useraccounts that will be used by services. The passwords for these accounts must be changed automatically every30 days. Which tool should you use to create these accounts?

To answer, select the appropriate tool in the answer area.

Point and Shoot:




QUESTION 35Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named Server1. Server1 has an IP address of 192.168.200.100. You need to view the Pointer (PTR)record for Server1. Which zone should you open in the DNS snap-in to view the record?

To answer, select the appropriate zone in the answer area.

Point and Shoot:

A.B.C.

D. Correct Answer:



QUESTION 36Your network contains an Active Directory domain. You need to create a new site link between two sites namedSite1 and Site3. The site link must support the replication of domain objects. Under which node in ActiveDirectory Sites and Services should you create the site link?

To answer, select the appropriate node in the answer area.

Point and Shoot:


Correct Answer: Section: Exam C

Explanation


QUESTION 37Your company has a main office and a branch office. All servers are located in the main office. The networkcontains an Active Directory forest named adatum.com. The forest contains a domain controller namedMainDC that runs Windows Server 2008 R2 Enterprise and a member server named FileServer that runsWindows Server 2008 R2 Standard. You have a kiosk computer named Public_Computer that runs Windows 7.Public_Computer is not connected to the network. You need to join Public_Computer to the adatum.comdomain. What should you do?

To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area andarrange them in the correct order.

Build List and Reorder:




QUESTION 38Your network contains two forests named contoso.com and fabrikam.com. The functional level of all thedomains is Windows Server 2003. The functional level of both forests is Windows 2000. You need to create atrust between contoso.com and fabrikam.com. The solution must ensure that users from contoso. com can onlyaccess the servers in fabrikam.com that have the Allowed to Authenticate permission set.What should you do?






QUESTION 39Your network contains an Active Directory forest named contoso.com. The forest contains a domain controllernamed DC1 that runs Windows Server 2008 R2 Enterprise and a member server named Server1 that runsWindows Server 2008 R2 Standard. You have a computer named Computer1 that runs Windows7. Computer1 is not connected to the network. You need to join Computer1 to the contoso.com domain.

What should you do?






QUESTION 40You need to modify the Password Replication Policy on a read-only domain controller (RODC). Which toolshould you use?

To answer, select the appropriate tool in the answer area.

Point and Shoot:




QUESTION 41Your network contains an Active Directory domain named contoso.com. You need to ensure that IP addressescan be resolved to fully qualified domain names (FQDNs). Under which node in the DNS snap- in should youadd a zone?To answer, select the appropriate node in the answer area.

Point and Shoot:


Correct Answer: DSection: Exam CExplanation


QUESTION 42A server named DC1 has the Active Directory Domain Services (AD DS) role and the Active DirectoryLightweight Directory Services (AD LDS) role installed. An AD LDS instance named LDS1 stores its data on theC: drive. You need to relocate the LDS1 instance to the D: drive. Which three actions should you perform insequence?

To answer, move the three appropriate actions from the list of actions to the answer area and arrange them inthe correct order.





QUESTION 43You need to perform an offline defragmentation of an Active Directory database. Which four actions should youperform in sequence?

To answer, move the appropriate four actions from the list of actions to the answer area and arrange them inthe correct order.





QUESTION 44Your company has an Active Directory forest that contains multiple domain controllers. The domain controllersrun Windows Server 2008. You need to perform an an authoritative restore of a deleted orgainzational unit andits child objects. Which four actions should you perform in sequence?

To answer, move the appropriate four actions from the list of actions to the answer area, and arrange them inthe correct order.





QUESTION 45ABC.com has an Active Directory forest on a single domain. The domain operates Windows Server 2008. Anew administrator accidentally deletes the entire organizational unit in the Active Directory database that hosts6000 objects. You have backed up the system state data using third-party backup software. To restore backup,you start the domain controller in the Directory Services Restore Mode (DSRM). You need to perform anauthoritative restore of the organizational unit and restore the domain controller to its original state. Which threeactions should you perform?





QUESTION 46A network contains an Active Directory Domain Services (AD DS) domain. Active Directory is configured asshown in the following table.

The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is WindowsServer 2003. Active Directory replication between the Seattle site and the Chicago site occurs from 8:00 P.M. to1:00 A.M. every day. At 7:00 A.M. an administrator deletes a user account while he is logged on to DC001. Youneed to restore the deleted user account. You must achieve this goal by using the minimum administrativeeffort. What should you do?

A. On DC006, stop AD DS, perform an authoritative restore, and then start AD DS.B. On DC001, run the Restore-ADObject cmdlet.C. On DC006, run the Restore-ADObject cmdlet.D. On DC001, stop AD DS, restore the system state, and then start AD DS.



QUESTION 47Your network contains an Active Directory domain. The domain is configured as shown in the exhibit.

You have a Group Policy Object (GPO) linked to the domain. You need to ensure that the settings in the GPOare not processed by user accounts or computer accounts in the Finance organizational unit (OU). You mustachieve this goal by using the minimum amount of administrative effort. What should you do?

A. Modify the Group Policy permissions.B. Configure WMI filtering.C. Enable block inheritance.D. Enable loopback processing in replace mode.E. Configure the link order.F. Configure Group Policy Preferences.G. Link the GPO to the Human Resources OU.H. Configure Restricted Groups.I. Enable loopback processing in merge mode.J. Link the GPO to the Finance OU.



QUESTION 48Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU)named Sales and an OU named Engineering. You have two Group Policy Objects (GPOs) named GPO1 andGPO2. GPO1 and GPO2 are linked to the Sales OU and contain multiple settings. You discover that GPO2 hasa setting that conflicts with a setting in GPO1. When the policies are applied, the setting in GPO2 takes effect.You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure thatall non-conflicting settings in both GPOs are applied. What should you do?

A. Configure Restricted Groups.B. Configure the link order.C. Link the GPO to the Sales OU.D. Link the GPO to the Engineer OU.E. Enable loopback processing in merge mode.F. Modify the Group Policy permissions.G. Configure WMI filtering.H. Configure Group Policy Permissions.I. Enable loopback processing in replace mode.J. Enable block inheritance.



QUESTION 49All vendors belong to a global group named vendors. You place three file servers in a new organizational unit(OU) named ConfidentialFileServers. The three file servers contain confidential data located in shared folders.You need to record any failed attempts made by the vendors to access the confidential data. Which two actionsshould you perform? (Each Answer presents part of the solution. Choose two.)

A. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU.Configure the Audit object access failure audit policy setting.

B. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU.Configure the Audit privilege use Failure audit policy setting.

C. On each shared folder on the three file servers, add the Vendors global group to the Auditing tab.Configure Failed Full control setting in the AuditingEntry dialog box.

D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure FailedFull control setting in the AuditingEntry dialog box.

E. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU.Configure the Deny access to this computer from the network user rights setting for the Vendors globalgroup.



QUESTION 50A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular useraccounts reside in an organisational unit (OU) named Employees. All administrator accounts reside in an OUnamed Admins. You need to ensure that any time an administrator modifies an employee's name in AD DS, the

change is audited. What should you do first?

A. Create a Group Policy Object with the Audit directory service access setting enabled and link it to theEmployees OU.

B. Modify the searchFlags property for the Name attribute in the Schema.C. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the

Admins OU.D. Use the Auditpol.exe command-line tool to enable the directory service changes auditing subcategory.



QUESTION 51Your network contains an Active Directory forest named contoso.com. You need to provide a user namedUser1 with the ability to create and manage subnet objects. The solution must minimize the number ofpermissions assigned to User1. What should you do?

A. From Active Directory Users and Computers, run the Delegation of Control wizard.B. From Active Directory Administrative Centre, add User1 to the Schema Admins group.C. From Active Directory Sites and Services, run the Delegation of Control wizard.D. From Active Directory Administrative Centre, add User1 to the Network Configuration Operators group.



QUESTION 52Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has twodomain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4. DC3 fails.You discover that replication no longer occurs between the sites. You verify the connectivity between DC4 andthe domain controllers in Site1. On DC4, you run repadmin.exe /kcc. Replication between the sites continues tofail. You need to ensure that Active Directory data replicates between the sites. What should you do?

A. From Active Directory Sites and Services, configure the NTDS Site Settings of Site2.B. From Active Directory Sites and Services, configure DC3 so it is not a preferred bridgehead server.C. From Active Directory Users and Computers, configure the NTDS settings of DC4.D. From Active Directory Users and Computers, configure the location settings of DC4.



QUESTION 53Your network contains an Active Directory domain named contoso.com. All domain controllers were upgradedfrom Windows Server 2003 to Windows Server 2008 R2 Service Pack 1 (SP1). The functional level of thedomain is Windows Server 2003. You need to configure SYSVOL to use DFS Replication. Which tools should

you use? (Each Answer presents part of the solution. Choose two.)

A. DfsrmigB. FrsdiagC. NtdsutilD. Set-ADForestE. RepadminF. Set-ADDomainModeG. DFS Management

Correct Answer: AFSection: (none)Explanation


QUESTION 54Your network contains an Active Directory forest. The forest contains one domain named contoso.com. Youattempt to run adprep /domainprep and the operation fails. You discover that the first domain controllerdeployed to the forest failed. You need to run adprep /domainprep successfully. What should you do?

A. Move the domain naming master role.B. Install a read-only domain controller (RODC).C. Move the PDC emulator role.D. Move the RID master role.E. Move the infrastructure master role.F. Deploy an additional global catalog server.G. Move the bridgehead server.H. Move the schema master role.I. Restart the Active Directory Domain Services (AD DS) service.J. Move the global catalog server.



QUESTION 55Your network contains an Active Directory forest. The forest contains one domain named contoso.com. Youdiscover the following event in the Event log of client computers: "The time provider NtpClient was unable tofind a domain controller to use as a time source. NtpClient will try again in %1 minutes." You need to ensurethat the client computers can synchronize their clocks properly. What should you do?

A. Move the domain naming master role.B. Restart Active Directory Domain Services (AD DS) service.C. Move the PDC emulator role.D. Move the infrastructure master role.E. Move the global catalog server.F. Move the RID master role.G. Move the bridgehead server. H.

Move the schema master role.H. Deploy an additional global catalog server.I. Install a read-only domain controller (RODC).



QUESTION 56Your network contains an Active Directory forest named contoso.com. The functional level of the forest isWindows Server 2008 R2. The DNS zone for contoso.com is Active Directory-integrated. You deploy a read-only domain controller (RODC) named RODC1. You install the DNS Server role on RODC1. You discover thatRODC1 does not have any application directory partitions. You need to ensure that RODC1 has a directorypartition of contoso.com. What should you do?

A. From DNS Manager, create secondary zones.B. Run Dnscmd.exe, and specify the /enlistdirectorypartition parameter.C. From DNS Manager, right-click RODC1 and click Update Server Data Files.D. Run Dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.



QUESTION 57Your network contains an Active Directory forest named contoso.com. You need to identify whether a fine-grained password policy is applied to a specific group. Which tool should you use?

A. Credential ManagerB. Group Policy Management EditorC. Active Directory Users and ComputersD. Active Directory Sites and Services



QUESTION 58Your network contains an Active Directory domain named contoso.com. You need to create one passwordpolicy for administrators and another password policy for all other users. Which tool should you use?

A. Group Policy Management EditorB. Group Policy Management Console (GPMC)C. Authorization ManagerD. Ldifde



QUESTION 59Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forestcontains one domain. A two-way forest trust exists between the forests. You plan to add users fromfabrikam.com to groups in contoso.com. You need to identify which group you must use to assign users infabrikam.com access to the shared folders in contoso.com. To which group should you add the users?

A. Group 1: Security Group - Domain Local.B. Group 2: Distribution Group - Domain Local.C. Group 3: Security Group - Global.D. Group 4: Distribution Group - Global.E. Group 5: Security Group - Universal.F. Group 6: Distribution Group - Univeral.



QUESTION 60Your network contains an Active Directory domain. The domain contains 5,000 user accounts. You need todisable all of the user accounts that have a description of Temp. You must achieve this goal by using theminimum amount of administrative effort. Which tools should you use? (Each Answer presents part of thesolution. Choose two.)

A. Find B. Net accountsC. DsqueryD. Dsget E. Dsmod F. Dsadd

Correct Answer: CESection: (none)Explanation


QUESTION 61Your network contains an Active Directory domain. The domain contains two file servers. The file servers areconfigured as shown in the following table.

You create a Group Policy object (GPO) named GPO1 and you link GPO1 to OU1. You configure the advancedaudit policy. You discover that the settings are not applied to Server1. The settings are applied to Server2. Youneed to ensure that access to the file shares on Server1 is audited. What should you do?

A. From Active Directory Users and Computers, modify the permissions of the computer account for Server1.B. From GPO1, configure the Security Options.C. From Active Directory Users and Computers, add Server1 to the Event Log Readers group.D. On Server1, run seceditexe and specify the /configure parameter.E. On Server1, run auditpol.exe and specify the /set parameter.



QUESTION 62Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU)named Sales and an OU named Engineering. Each OU contains over 200 user accounts. The Sales OU andthe Engineering OU contain several user accounts that are members of a universal group named Group1. Youhave a Group Policy object (GPO) linked to the domain. You need to prevent the GPO from being applied to themembers of Group1 only. What should you do?

A. Modify the Group Policy permissions.B. Configure Restricted Groups.C. Configure WMI filtering.D. Configure the link order.E. Enable loopback processing in merge mode.F. Link the GPO to the Sales OU.G. Configure Group Policy Preferences.H. Link the GPO to the Engineering OU.I. Enable block inheritance.J. Enable loopback processing in replace mode.



QUESTION 63You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNSserver for contoso.com. You install the DNS server role on a member server named server1 and then youcreate a standard secondary zone for contoso.com. You configure DC1 as the master server for the zone. Youneed to ensure that Server1 receives zone updates from DC1. What should you do?

A. On DC1, modify the permissions of contoso.com zone.B. On Server1, add a conditional forwarder.C. Add the Server1 computer account to the DNsUpdateProxy group.D. On DC1, modify the zone transfer settings for the contoso.com zone.



QUESTION 64A corporate network includes an Active Directory-integrated zone. AIl DNS servers that host the zone aredomain controllers. You add multiple DNS records to the zone. You need to ensure that the new records areavailable on all DNS servers as soon as possible. Which tool should you use?

A. Active Directory Sites And Services consoleB. NtdsutilC. DnslintD. Nslookup



QUESTION 65Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domaincontrollers named DC1 and DC2. DC1 and DC2 are configured as DNS servers and host the Active Directory-integrated zone for contoso.com. From DNS Manager on DC1, you enable scavenging for the contoso.comzone. You discover stale DNS records in the zone. You need to ensure that the stale DNS records are deletedfrom contoso.com. What should you do?

A. From DNS Manager, enable scavenging on DC1.B. From DNS Manager, reload the zone.C. Run dnscmd.exe and specify the ageallrecords parameter.D. Run dnscmd.exe and specify the startscavenging parameter.



QUESTION 66Your network contains an Active Directory forest. The forest contains one domain named contoso.com. Youdiscover the following event in the Event log of domain controllers: ‘The request for a new account- identifierpool failed. The operation will be retried until the request succeeds. The error is " %1 "". You need to ensurethat the domain controllers can acquire new account-identifier pools successfully. What should you do?

A. Move the domain naming master role.B. Move the global catalog server.

C. Restart the Active Directory Domain Services (AD DS) service.D. Deploy an additional global catalog server.E. Move the infrastructure master role.F. Move the PDC emulator role.G. Install a read-only domain controller (RODC).H. Move the RID master role.I. Move the bridgehead server.J. Move the schema master role.



QUESTION 67Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008R2 Enterprise. All client computers run Windows 7 Professional. The network contains an enterprisecertification authority (CA). You enable key archival on the CA. The CA is configured to use custom certificatetemplates for Encrypted File System (EFS) certificates. All users plan to encrypt files by using EFS. You needto ensure that the private keys for all new EFS certificates are archived. Which snap-in should you use?

A. Share and Storage ManagementB. Security Configuration wizardC. Enterprise PKID. Active Directory Administrative CenterE. Certification AuthorityF. Group Policy ManagementG. Certificate TemplatesH. Authorization ManagerI. Certificates



QUESTION 68Your network contains an Active Directory forest named adatum.com. All domain controllers currently runWindows Server 2003 Service Pack 2 (SP2). The functional level of the forest and the domain is WindowsServer 2003. You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.What should you do first?

A. Deploy a writable domain controller that runs Windows Server 2008 R2.B. Raise the functional level of the forest to Windows Server 2008.C. Run adprep.exe.D. Raise the functional level of the domain to Windows Server 2003.



QUESTION 69Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active DirectoryRights Management Services (AD RMS) is deployed in each forest. You need to ensure that users from thenwtraders.com forest can access AD RMS protected content in the contoso.com forest. What should you do?

A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.B. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.C. Create an external trust from nwtraders.com to contoso.com.D. Create an external trust from contoso.com to nwtraders.corn.



QUESTION 70Your company plans to open a new branch office. The new office will have a Iow-speed connection to theInternet. You plan to deploy a read-only domain controller (RODC) in the branch office. You need to create anoffline copy of the Active Directory database that can be used to install Active Directory on the new RODC.Which commands should you run from Ntdsutil?

To answer, move the appropriate actions from the list of actions to the answer area and arrange them in thecorrect order.





QUESTION 71Your network contains an Active Directory forest. All users have a value set for the Department attribute. FromActive Directory Users and computers, you search a domain for all users who have a Department attributevalue of Marketing. The search returns 50 users. From Active Directory Users and Computers, you search theentire directory for all users who have a Department attribute value of Marketing. The search does not returnany users. You need to ensure that a search of the entire directory for users in the marketing departmentreturns all of the users who have the Marketing Department attribute. What should you do?

A. Install the Windows Search Service role service on a global catalog server.B. From the Active Directory Schema snap-in, modify the properties of the Department attribute.C. Install the Indexing Service role service on a global catalog server.D. From the Active Directory Schema snap-in, modify the properties of the user class.



QUESTION 72A corporate environment includes two Active Directory Domain Services (AD DS) forests, as shown in thefollowing table.

You need to ensure that users in the contoso.com domain can access resources in the eng.fabrikam.comdomain. What should you do?

A. Enable selective authentication.B. Enable forest-wide authentication.C. Create an external trust between contoso.com and eng.fabrikam.com.D. Enable domain-wide authentication.



QUESTION 73Your network contains an Active Directory domain. You need to activate the Active Directory Recycle Bin in thedomain. Which tool should you use?

A. DsamainB. Set-ADDomainC. Add-WindowsFeatureD. Ldp



QUESTION 74Your network contains an Active Directory domain named contoso.com. You need to create a script that runsthe Best Practices Analyzer (BPA) each week for all of the server roles that BPA supports on each domaincontroller. You must achieve this goal by using the minimum amount of administrative effort. Which toolsshould you use? (Each Answer presents part of the solution. Choose three.)

A. Get-Troubleshooting Pack / Invoke-Troubleshooting Pack.B. Import-Module Best Practices.C. Get-BPA Model / Invoke-BPA Model.D. Import-Module Troubleshooting Pack.E. Get- BPA Result.

Correct Answer: BCESection: (none)Explanation


QUESTION 75Your network contains an Active Directory domain named contoso.com. The Administrator deletes an OUnamed OU1 accidentally. You need to restore OU1. Which cmdlet should you use?

A. Set-ADObject cmdlet.B. Set-ADOrganizationalUnit cmdlet.C. Set-ADUser cmdlet.D. Set-ADGroup cmdlet.



QUESTION 76Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU)named Sales and an OU named Engineering. You have two Group Policy objects (GPOs) named GP01 andGPO2. GP01 and GP02 are linked to the Sales OU and contain multiple settings. You discover that GPO2 hasa setting that conflicts with a setting in GP01. When the policies are applied, the setting in GPO2 takes effect.You need to ensure that the settings in GP01 supersede the settings in GP02. The solution must ensure that allnon-conflicting settings in both GPOs are applied.

A. Configure Restricted Groups.

B. Configure the link order.C. Link the GPO to the Sales OU.D. Link the GPO to the Engineering OU.E. Enable loopback processing in merge mode.F. Modify the Group Policy permissions.G. Configure WMI Filtering.H. Configure Group Policy Preferences.I. Enable loopback processing in replace mode.J. Enable block inheritance.



QUESTION 77Your network contains an Active Directory forest. The forest contains one domain named contoso.com. Youdiscover the following event in the Event log of domain controllers: "The request for a new account- identifierpool failed. The operation will be retried until the request succeeds. The error is " %1 "". You need to ensurethat the domain controllers can acquire new account-identifier pools successfully. What should you do?

A. Move the PDC emulator role. B. Move the domain naming master role.C. Move the infrastructure master role.D. Move the RID master role.E. Restart the Active Directory Domain Services (AD DS) service.F. Deploy an additional global catalog server.G. Move the bridgehead server.H. Install a read-only domain controller (RODC).I. Move the schema master role. J. Move the global catalog server

Correct Answer: FSection: (none)Explanation


Exam E

QUESTION 1Your network contains an Active Directory forest named contoso.com. You need to identify whether a fine-grained password policy is applied to a specific group. Which tool should you use?

A. Active Directory Sites and ServicesB. Authorization ManagerC. Local Security PolicyD. ADSI Edit




A. RepadminB. Active Directory Domains and Trusts consoleC. LdpD. Ntdsutil



QUESTION 3Your network contains an Active Directory forest named contoso.com. The forest contains two domains namedcontoso.com and child.contoso.com. The forest contains two sites named Seattle and Denver. Both sitescontain users, client computers, and domain controllers from both domains. The Seattle site contains the firstdomain controller deployed to the forest. The Seattle site also contains the primary domain controller (PDC)emulator for both domains. All of the domain controllers are configured as DNS servers. All DNS zones arereplicated to all of the domain controllers in the forest. The users in the Denver site report that is takes a longtime to log on to their client computer when they use their user principal name (UPN). The users in the Seattlesite do not experience the same issue. You need to reduce the amount of time it takes for the Denver users tolog on to their client computer by using their UPN. What should you do?

A. Reduce the cost of the site link between the Denver site and the Seattle site.B. Enable the global catalog on a domain controller in the Denver site.C. Enable universal group membership caching in the Denver site.D. Move a PDC emulator to the Denver site.E. Reduce the replication interval of the site link between the Denver site and the Seattle site.F. Add an additional domain controller to the Denver site.



QUESTION 4Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU)named Sales and an OU named Engineering. Users in the Sates OU frequently log on to client computers inthe Engineering OU. You need to meet the following requirements:

* All of the user settings in the Group Policy objects (GPOs) linked to both the Sales OU and the EngineeringOU must be applied to sales users when they log on to client computers in the Engineering OU.* Only the policy settings in the GPOs linked to the Sales OU must be applied to sales users when they log onto client computers in the Sales OU.* Policy settings in the GPOs linked to the Sales OU must not be applied to users in the Engineering OU.

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Sales OU.J. Link the GPO to the Engineering OU.



QUESTION 5You have an Active Directory domain named contoso.com. You need to view the account lockout threshold andduration for the domain. Which tool should you use?

A. Computer ManagementB. Net ConfigC. Active Directory Users and ComputersD. Gpresult



QUESTION 6Your network contains an Active Directory forest. The forest contains two domains named contoso.com andeast.contoso.com. The contoso.com domain contains a domain controller named DC1. The east. contoso.comdomain contains a domain controller named DC2. DC1 and DC2 have the DNS Server server role installed.You need to create a DNS zone that is available on DC1 and DC2. The solution must ensure that zone

transfers are encrypted. What should you do?

A. Create a primary zone on DC1 and store the zone in a zone file. On DC1 and DC2, configure inbound rulesand outbound rules by using Windows Firewall with Advanced Security. Create a secondary zone on DC2and select DC1 as the master.

B. Create a primary zone on DC1 and store the zone in a DC=ForestDNSZones, DC=Contoso, DC=comnaming context.

C. Create a primary zone on DC2 and store the zone in a DC= DC=East, DC=Contoso/DC=com namingcontext. Create a secondary zone on DC1 and select DC2 as the master.

D. Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for the zone. Create asecondary zone on DC2 and select DC1 as the master.



QUESTION 7Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008R2 Enterprise. All client computers run Windows 7 Professional. The network contains an enterprisecertification authority (CA). You need to approve a pending certificate request. Which snap-in should you use?

A. Active Directory Administrative CenterB. Authorization ManagerC. Certificate TemplatesD. CertificatesE. Certification AuthorityF. Enterprise PKIG. Group Policy ManagementH. Security Configuration WizardI. Share and Storage Management



QUESTION 8Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU)named Sales and an OU named Engineering. You have a Group Policy object (GPO) linked to the domain. Youneed to ensure that the settings in the GPO are not processed by user accounts or computer accounts in theSales OU. You must achieve this goal by using the minimum amount of administrative effort. What should youdo?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.

G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Sales OU.J. Link the GPO to the Engineering OU.



QUESTION 9A corporate network includes a single Active Directory Domain Services (AD DS) domain. The domain contains10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNSservers. You plan to create an Active Directory-integrated zone. You need to ensure that the new zone isreplicated to only four of the domain controllers. What should you do first?

A. Use the ntdsutil tool to modify the DS behavior for the domain.B. Use the ntdsutil tool to add a naming context.C. Create a new delegation in the ForestDnsZones application directory partition.D. Use the dnscmd tool with the /zoneadd parameter.



QUESTION 10Your network contains an Active Directory forest named fabrikam.com. The forest contains the followingdomains:

* Fabrikam.com* Eu.fabrikam.com* Na.fabrikam.com* Eu.contoso.com* Na.contoso.com

You need to configure the forest to ensure that the administrators of any of the domains can specify a userprincipal name (UPN) suffix of contoso.com when they create user accounts from Active Directory Users andComputers. Which tool should you use?

A. Active Directory Sites and ServicesB. Set-ADDomainC. Set-ADForestD. Active Directory Administrative Center



QUESTION 11Your network contains an Active Directory domain. The domain contains five sites. One of the sites contains aread-only domain controller (RODC) named RODC1. You need to identify which user accounts can have theirpassword cached on RODC1. Which tool should you use?

A. RepadminB. DcdiagC. Get-ADDomainControllerPasswordReplicationPolicyUsageD. Adtest



QUESTION 12A network contains an Active Directory forest. The forest contains three domains and two sites. You remove theglobal catalog from a domain controller named DC2. DC2 is located in Site1. You need to reduce the size of theActive Directory database on DC2. The solution must minimize the impact on all users in Site1. What shouldyou do first?

A. On DC2, start the Protected Storage service.B. On DC2, stop the Active Directory Domain Services service.C. Start DC2 in Safe Mode.D. Start DC2 in Directory Services Restore Mode.



QUESTION 13Your network contains an Active Directory domain named adatum.com. The functional level of the domain isWindows Server 2008. All domain controllers run Windows Server 2008 R2. All client computers run Windows7 Enterprise. You need to receive a notification when more than 50 Active Directory objects are deleted persecond. What should you do?

A. Run the Get-ADDomain cmdlet.B. Run the dsget.exe command.C. Run the ntdsutil.exe command.D. Run the ocsetup.exe command.E. Run the dsamain.exe command.F. Run the eventcreate.exe command.G. Create a Data Collector Set (DCS).H. Create custom views from Event Viewer.I. Configure subscriptions from Event Viewer.J. Import the Active Directory module for Windows PowerShell.



QUESTION 14You have an enterprise subordinate certification authority (CA). You have a custom certificate template that hasa key length of 1,024 bits. The template is enabled for autoenrollment. You increase the template key length to2,048 bits. You need to ensure that all current certificate holders automatically enroll for a certificate that usesthe new template. Which console should you use?

A. Group Policy Management MMC Snap-InB. Certificates MMC Snap-In on the Certificate AuthorityC. Certificate Templates MMC Snap-InD. Certification Authority MMC Snap-In



QUESTION 15Your network contains an Active Directory domain named adatum.com. The functional level of the domain isWindows Server 2003. All domain controllers run Windows Server 2008 R2. You mount an Active Directorysnapshot. You need to ensure that you can connect to the snapshot by using LDAP. What should you do?

A. Run the Get-ADDomain cmdlet.B. Run the dsget.exe command.C. Run the ntdsutil.exe command.D. Run the ocsetup.exe command.E. Run the dsamain.exe command.F. Run the eventcreate.exe command.G. Create a Data Collector Set (DCS).H. Create custom views from Event Viewer.I. Configure subscriptions from Event Viewer.J. Import the Active Directory module for Windows PowerShell.



QUESTION 16Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU)named Sales and an OU named Engineering. You need to ensure that when users log on to client computers,they are added automatically to the local Administrators group. The users must be removed from the groupwhen they log off of the client computers. What should you do?


A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the Group Policy object (GPO) to the Sales OU.J. Link the Group Policy object (GPO) to the Engineering OU.



QUESTION 17Your network contains an Active Directory forest named contoso.com. The forest contains two member serversnamed Server1 and Server2. Server1 and Server2 have the DNS Server server role installed. Server1 hosts astandard primary zone for contoso.com. Server2 is configured as a secondary name server for contoso.com.You experience issues with the copy of the zone on Server2. You verify that both copies of the zone have thesame serial number. You need to transfer a complete copy of the zone from Server1 to Server2. What shouldyou do on Server2?

A. From DNS Manager, right-click contoso.com and click Transfer from Master.B. From Services, right-click DNS Server and click Refresh.C. From Services, right-click DNS Server and click Restart.D. From DNS Manager, right-click contoso.com and click Reload.E. From DNS Manager, right-click contoso.com and click Transfer a new copy of zone from Master.



QUESTION 18Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllernamed DC3 and DC4. The functional level of the domain is Windows Server 2008 R2. The functional level ofthe forest is Windows Server 2003. Active Directory replication between Site1 and Site2 occurs from 20:00 to01:00 every day. At 07:00, an administrator deletes a user account while he is logged on to DC1. You need torestore the deleted user account. You want to achieve this goal by using the minimum amount of administrative

effort. What should you do?

A. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start ActiveDirectory Domain Services.

B. On DC3, run the Restore-ADObject cmdlet.C. On DC1, run the Restore-ADObject cmdlet.D. On DC1, stop Active Directory Domain Services, restore the SystemState, and then start Active Directory

Domain Services.



QUESTION 19Your network contains an Active Directory forest named contoso.com. The functional level of the forest isWindows Server 2008 R2. The DNS zone for contoso.com is Active Directory-integrated. You deploy a read-only domain controller (RODC) named RODC1. You install the DNS Server role on RODC1. You discover thatRODC1 does not have any DNS application directory partitions. You need to ensure that RODC1 has a copy ofthe DNS application directory partition of contoso.com. What should you do? (Each Answer presents acomplete solution. Choose two.)

A. From DNS Manager, right-click RODC1 and click Create Default Application Directory Partitions.B. Run ntdsutil.exe. From the Partition Management context, run the create nc command.C. Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.D. Run ntdsutil.exe. From the Partition Management context, run the add nc replica command.E. Run dnscmd.exe and specify the /enlistdirectorypartition parameter.

Correct Answer: DESection: (none)Explanation



A. NtdsutilB. DnscmdC. RepadminD. Nslookup



QUESTION 21Your network contains three servers named ADFS1, ADFS2, and ADFS3 that run Windows Server 2008 R2.

ADFS1 has the Active Directory Federation Services (AD FS) Federation Service role service installed. Youplan to deploy AD FS 2.0 on ADFS2 and ADFS3. You need to export the token-signing certificate from ADFS1,and then import the certificate to ADFS2 and ADFS3.

A. Personal Information Exchange PKCS #12 (.pfx)B. DER encoded binary X.509 (.cer)C. Cryptographic Message Syntax Standard PKCS #7 (.p7b)D. Base-64 encoded X.S09 (.cer)



QUESTION 22Your network contains an Active Directory domain named contoso.com. The functional level of the forest isWindows Server 2008 R2. The Default Domain Controller Policy Group Policy object (GPO) contains auditpolicy settings. On a domain controller named DC1, an administrator configures the Advanced Audit PolicyConfiguration settings by using a local GPO. You need to identify what will be audited on DC1. Which toolshould you use?

A. Get-ADObjectB. SeceditC. Security Configuration and AnalysisD. Auditpol



QUESTION 23A network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.You need to view the custom attribute value of 500 user accounts in a Microsoft Excel table. Which tool shouldyou use?

A. DsmodB. CsvdeC. LdifdeD. Dsrm



QUESTION 24Your network contains an Active Directory forest named contoso.com. The forest contains two domains namedcontoso.com and child.contoso.com. All domain controllers run Windows Server 2008. All forest- wideoperations master roles are in child.contoso.com. An administrator successfully runs adprep.exe / forestprep

from the Windows Server 2008 R2 Service Pack 1 (SP1) installation media. You plan to run adprep.exe /domainprep in each domain. You need to ensure that you have the required user rights to run the commandsuccessfully in each domain. Of which groups should you be a member? (Each Answer presents part of thesolution. Choose two.)

A. Administrators in child.contoso.comB. Enterprise Admins in contoso.comC. Domain Admins in child.contoso.comD. Domain Admins in contoso.comE. Administrators in contoso.comF. Schema Admins in contoso.com



QUESTION 25Your network contains an Active Directory forest named contoso.com. The forest contains a single domain and10 domain controllers. All of the domain controllers run Windows Server 2008 R2 Service Pack 1 (SP1). Theforest contains an application directory partition named dc=app1, dc=contoso,dc=com. A domain controllernamed DC1 has a copy of the application directory partition. You need to configure a domain controller namedDC2 to receive a copy of dc=app1, dc=contoso,dc=corn. Which tool should you use?

A. Active Directory Sites and ServicesB. DsmodC. DcpromoD. Dsmgmt



QUESTION 26A corporate environment includes a Windows Server 2008 R2 Active Directory Domain Services (AD DS)domain. You need to enable Universal Group Membership Caching on several domain controllers in thedomain. Which tool should you use?

A. DsmodB. DscmdC. NtdsutilD. Active Directory Sites and Services console



QUESTION 27

Your network contains an Active Directory forest. The forest contains three domains. All domain controllershave the DNS Server server role installed. The forest contains three sites named Site1, Site2, and Site3. Eachsite contains the users, client computers, and domain controllers of each domain. Site1 contains the firstdomain controller deployed to the forest. The sites connect to each other by using unreliable WAN links. Theusers in Site2 and Site3 report that is takes a long time to log on to their client computer when they use theiruser principal name (UPN). The users in Site1 do not experience the same issue. You need to reduce theamount of time it takes for the Site2 users and the Site3 users to log on to their client computer by using theirUPN. What should you do?

A. Configure a global catalog server in Site2 and a global catalog server in Site3.B. Reduce the replication interval of the site links.C. Move a primary domain controller (PDC) emulator to Site2 and to Site3.D. Add additional domain controllers to Site2 and to Site3.E. Reduce the cost of the site links.F. Enable universal group membership caching in Site2 and in Site3.



QUESTION 28You have a client computer named Computer1 that runs Windows 7. On Computer1, you configure a source-initiated subscription. You configure the subscription to retrieve all events from the Windows logs of a domaincontroller named DC1. The subscription is configured to use the HTTP protocol. You discover that events fromthe Security log of DC1 are not collected on Computer1. Events from the Application log of DC1 and theSystem log of DC1 are collected on Computer1. You need to ensure that events from the Security log of DC1are collected on Computer1. What should you do?

A. Add the computer account of Computer1 to the Event Log Readers group on the domain controller.B. Add the Network Service security principal to the Event Log Readers group on the domain.C. Configure the subscription to use custom Event Delivery Optimization settings.D. Configure the subscription to use the HTTPS protocol.



QUESTION 29Your network contains an Active Directory forest named contoso.com. The forest contains six domains. Youneed to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffixoflitwareinc.com when they create user accounts by using Active Directory Users and Computers. Which toolshould you use?

A. Active Directory Administrative CenterB. Set-ADDomainC. Active Directory Sites and ServicesD. Set-ADForest


Explanation


QUESTION 30Your network contains an Active Directory domain named litwareinc.com. The domain contains two sitesnamed Sitel and Site2. Site2 contains a read-only domain controller (RODC). You need to identify which useraccounts attempted to authenticate to the RODC. Which tool should you use?

A. Active Directory Users and ComputersB. NtdsutilC. Get-ADAccountResultantPasswordReplicationPolicyD. Adtest



QUESTION 31Your network contains an Active Directory forest. The forest schema contains a custom attribute for userobjects. You need to generate a file that contains the last logon time and the custom attribute values for eachuser in the forest. What should you use?

A. the Get-ADUser cmdletB. the Export-CSV cmdletC. the Net User commandD. the Dsquery User tool

Correct Answer: ASection: Exam DExplanation


QUESTION 32You have an Active Directory domain named contoso.com. You need to view the account lockout threshold andduration for the domain. Which tool should you use?

A. Net UserB. Active Directory Users and ComputersC. Group Policy Management Console (GPMC)D. Computer Management



QUESTION 33

A domain controller named DC4 runs Windows Server 2008 R2. DC4 is configured as a DNS server forfabrikam.com. You install the DNS Server server role on a member server named DNS1 and then you create astandard secondary zone for fabrikam.com. You configure DC4 as the master server for the zone. You need toensure that DNS1 receives zone updates from DC4. What should you do?

A. Add the DNS1 computer account to the DNSUpdateProxy group.B. On DC4, modify the permissions offabrikam.com zone.C. On DNS1, add a conditional forwarder.D. On DC4, modify the zone transfer settings for the fabrikam.com zone.



QUESTION 34Your company has an Active Directory forest. Each regional office has an organizational unit (OU) namedMarketing. The Marketing OU contains all users and computers in the region's Marketing department. Youneed to install a Microsoft Office 2007 application only on the computers in the Marketing OUs. You create aGPO named MarketingApps. What should you do next?

A. Configure the GPO to assign the application to the computer account. Link the GPO to the domain.B. Configure the GPO to assign the application to the user account. Link the GPO to each Marketing OU.C. Configure the GPO to assign the application to the computer account. Link the GPO to each Marketing OU.D. Configure the GPO to publish the application to the user account. Link the GPO to each Marketing OU.



QUESTION 35Your network contains an Active Directory domain named contoso.com. The Active Directory sites areconfigured as shown in the Sites exhibit.

You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes between thesites. What should you do?

A. Configure DC1 as a preferred bridgehead server for IP transport.B. Configure DC4 as a preferred bridgehead server for IP transport.C. From the DC4 server object, create a Connection object for DC1.D. From the DC1 server object, create a Connection object for DC4.



QUESTION 36Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named DC1. DC1 has the DNS Server server role installed and hosts an Active Directory- integratedzone for contoso.com. The no-refresh interval and the refresh interval are both set to three days.

The Advanced DNS settings of DC1 are shown in the Advanced DNS Settings exhibit.

You open the properties of a static record named Server1 as shown in the Server1 Record exhibit.

You discover that the scavenging process ran today, but the record for Server1 was not deleted. You rundnscmd.exe and specify the ageallrecords parameter. You need to identify when the record for Server1 will bedeleted from the zone. In how many days will the record be deleted?

A. 13B. 10C. 23D. 7




Each organizational unit (OU) contains over 500 user accounts. The Finance OU and the Human ResourcesOU contain several user accounts that are members of a universal group named Group1. You have a GroupPolicy object (GPO) linked to the domain. You need to prevent the GPO from being applied to the members ofGroup1 only. What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Finance OU.J. Link the GPO to the Human Resources OU.



QUESTION 38Your network contains an Active Directory domain. The domain contains a domain controller named DC1 thatruns windows Server 2008 R2 Service Pack 1 (SP1). You need to implement a central store for domain policytemplates. What should you do?

To answer, select the source content that should be copied to the destination folder in the answer area.

Hot Area:


Correct Answer: Section: Exam DExplanation


QUESTION 39Your network contains an Active Directory domain. The password policy for the domain is configured as shownin the Current Policy exhibit.

You change the password policy for the domain as shown in the New Policy exhibit.

You need to provide users with examples of a valid password. Which password examples should you provide tothe users? (Each Answer presents a complete solution. Choose three.)

A. 123456!@#$%^B. !@#$1234ABCDC. passwordl234D. 1-2-3-4-5-a-b-c-eE. %%PASS1234%%F. 111111aaaaaaa

Correct Answer: BDESection: (none)Explanation


QUESTION 40Your network contains an Active Directory domain named contoso.com. The Active Directory sites areconfigured as shown in the Sites exhibit.

You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes between thesites. What should you do?

A. Configure DC1 as a preferred bridgehead server for IP transport.B. Configure DC4 as a preferred bridgehead server for IP transport.C. From the DC4 server object, create a Connection object for DC1.D. From the DC1 server object, create a Connection object for DC4.



QUESTION 41Your network contains an Active Directory forest named contoso.com. The functional level of the forest isWindows Server 2008 R2. The forest contains a single domain. You need to ensure that objects can berestored from the Active Directory Recycle Bin. Which tool should you use?

A. NtdsutilB. Set-ADDomainC. DsamainD. Enable-ADOptionalFeature




Users in the Finance organizational unit (OU) frequently log on to client computers in the Human ResourcesOU. You need to meet the following requirements:

* All of the user settings in the Group Policy objects (GPOs) linked to both the Finance OU and the HumanResources OU must be applied to finance users when they log on to client computers in the Engineering OU.* Only the policy settings in the GPOs linked to the Finance OU must be applied to finance users when they logon to client computers in the Finance OU.* Policy settings in the GPOs linked to the Finance OU must not be applied to users in the Human ResourcesOU.

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Finance OU.J. Link the GPO to the Human Resources OU.




You need to ensure that when users log on to client computers, they are added automatically to the localAdministrators group. The users must be removed from the group when they log off of the client computers.What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the Group Policy object (GPO) to the Finance organizational unit (OU).J. Link the Group Policy object (GPO) to the Human Resources organizational unit (OU).



QUESTION 44Your company plans to open a new branch office. The new office will have a low-speed connection to theInternet. You plan to deploy a read-only domain controller (RODC) in the branch office. You need to create anoffline copy of the Active Directory database that can be used to install the Active Directory on the new RODC.Which commands should you run from Ntdsutil?

To answer, move the appropriate actions from the list of actions to the answer area and arrange them in thecorrect order.

Select and Place:




QUESTION 45Your network contains an Active Directory forest named contoso.com. You need to use Group Policies todeploy the applications shown in the following table. What should you do?

To answer, drag the appropriate deployment method to the correct application in the answer area.

Select and Place:




QUESTION 46Your network contains an Active Directory domain named contoso.com. You need to view which passwordsetting object is applied to a user. Which filter option in Attribute Editor should you enable? To answer, selectthe appropriate filter option in the answer area.

Hot Area:




QUESTION 47Your network contains an Active Directory forest named contoso.com. The forest contains two sites namedSeattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configuredas shown in the following table.

The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server in the forest.You need to configure DC2 as a global catalog server. Which object's properties should you modify?

To answer, select the appropriate object in the answer area.

Hot Area:




QUESTION 48Your network contains an Active Directory forest named contoso.com. The forest contains two Active Directorysites named Seattle and Montreal. The Montreal site is a branch office that contains only a single read-onlydomain controller (RODC). You accidentally delete the site link between the two sites. You recreate the site linkwhile you are connected to a domain controller in Seattle. You need to replicate the change to the RODC inMontreal. Which node in Active Directory Sites and Services should you use?

To answer, select the appropriate node in the answer area.

Hot Area:




QUESTION 49Your network contains an Active Directory forest named contoso.com. The forest contains two sites namedSeattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configured

as shown in the following table.

You need to enable universal group membership caching in the Seattle site. Which object's properties shouldyou modify?

To answer, select the appropriate object in the answer area.

Hot Area:




QUESTION 50You are the administrator for a large organization with multiple remote sites. Your supervisor would like to haveremote sites log in locally to their own site, but he is nervous about security. What type of server can youimplement to ease their concerns?

A. Domain controllerB. Global CatalogC. Read-only domain controllerD. Universal Group Membership Caching Server



QUESTION 51You are the network administrator for the ABC Company. Your network consists of two DNS servers namedDNS1 and DNS2. The users who are configured to use DNS2 complain because they are unable to connect toInternet websites. The following table shows the configuration of both servers.

The users connected to DNS2 need to be able to access the Internet. What needs to be done?

A. Build a new Active Directory Integrated zone on DNS2.B. Delete the .(root) zone from DNS2 and configure Conditional forwarding on DNS2.C. Delete the current cache.dns file.D. Update your cache.dns file and root hints.



QUESTION 52You are the network administrator for a large company that has one main site and one branch office. Yourcompany has a single Active Directory forest, ABC.com. You have a single domain controller(Server A) in themain site that has the DNS role installed. Server A is configured as a primary DNS zone. You have decided toplace a domain controller(Server B) in the remote site and implement the DNS role on that server. You want toconfigure DNS so that if the WAN link fails, users in both sites can still update records and resolve any DNSqueries. How should you configure the DNS servers?

A. Configure Server B as a secondary DNS server. Set replication to occur every 5 minutes.B. Configure Server B as s stub zone.C. Configure Server B as an Active Directory Integrated zone and convert Server A to an Active Directory

Integrated zone.D. Configure Server A as an Active Directory Integrated zone and configure Server B as a secondary zone.



QUESTION 53You are the network administrator for an organization that has two location, New York and London. Eachlocation has multiple domains but all domains fall under the same tree, Stellacon.com. Users in the NY.us.stellacon.com domain need to access resources in the London.uk.stellacon.com domain. You need to reducethe amount of time it takes for authentication when users from NY.us.stellacon.com access resources inLondon.uk.stellacon.com. What can you do?

A. Set up a one-way shortcut trust from London.uk.stellacon.com to NY.us.stellacon.com.B. Set up a one-way shortcut trust from NY.us.stellacon.com to London.uk.stellacon.com.C. Enable Universal Group Membership Caching in NY.us.stellacon.com.

D. Enable Universal Group Membership Caching in London.uk.stellacon.com.



QUESTION 54You are hired as a consultant by ABC Corporation to implement a Windows Server 2008 R2 computer ontotheir Windows Server 2003 domain. All of the client machines are Windows 7. You install Windows Server2008 R2 onto a new computer and join that computer to the Windows 2003 domain. You want to upgrade theWindows Server 2008 R2 to a domain controller. What should you do first?

A. On the new server, run adprep /domainprep.B. On the new server, run adprep /forestprep.C. On a Windows Server 2003 domain controller, run adprep /domainprep.D. On a Windows Server 2003 domain controller, run adprep /forestprep.



QUESTION 55You work for an organization with a single domain forest. Your company has one main location and two branchlocations. All locations are configured as Active Directory sites and all sites are connected with theDEFAULTIPSITELINK object. Your connections are running slower than the company policy allows. You wantto decrease the replication latency between all domain controllers in the various sites. What should you do?

A. Decrease the Replication interval for the DEFAULTIPSITELINK object.B. Decrease the Replication interval for the site.C. Decrease the Replication schedule for the site.D. Decrease the Replication schedule for all domain controllers.



QUESTION 56You are the network administrator for the ABC Company. The ABC Company has all Windows Server 2008 R2Active Directory domains and uses an Enterprise Root certificate server. You need to verify that revokedcertificate data is highly available.

A. Implement a Group Policy Object(GPO) that has the Certificate Verification Enabled option.B. Using Network Load Balancing, implement an Online Certificate Status Protocol(OCSP) responder.C. Implement a Group Policy object(GPO) that enables the Online Certificate Status Protocol(OCSP)

responder.D. Using Network Load Balancing, implement the Certificate Verification Enabled option.



QUESTION 57You are the network administrator for your organization. Your company uses a Windows Server 2008 R2Enterprise Root CA. The company has issued a new policy that prevents port 443 and port 80 from beingopened on domain controllers and on issuing CAs. Your users need to request certificates from a webinterface. You have already installed the AD CS role. What do you need to do next?

A. Configure the Certificate Authority Web Enrollment Service on a member server.B. Configure the Certificate Authority Web Enrollment Service on a domain server.C. Configure AD FS on member server to allow secure web-based access.D. Configure AD FS on domain controller to allow secure web-based access.



QUESTION 58You are the administrator of an organization with a single Active Directory domain. One of your seniorexecutives tries to log onto a machine and receives the error "This user account has expired. Ask youradministrator to reactivate your account." You need to make sure this doesn`t happen again to this user. Whatdo you do?

A. Configure the domain policy to disable account lockouts.B. Configure the password policy to extend the maximum password age to 0.C. Modify the user`s properties to set the Account Never Expires setting.D. Modify the user`s properties to extend the maximum password age to 0.



QUESTION 59You work for an organization with a single Windows Server 2008 R2 Active Directory domain. The domain hasOUs for Sales, Marketing, Admin, R&D, and Finance. You need only the users in the Finance OU to getWindows Office 2010 installed automatically onto their computers. You create a GPO named OfficeApp. Whatis the next step in getting all the Finance users Office 2010?

A. Edit the GPO and assign the Office application to the users account. Link the GPO to the Finance OU.B. Edit the GPO and assign the Office application to the users account. Link the GPO to the domain.C. Edit the GPO and assign the Office application to the computer account. Link the GPO to the domain.D. Edit the GPO and assign the Office application to the computer account. Link the GPO to the Finance OU.


Explanation


QUESTION 60You are the network administrator for an organization that has all Windows Server 2008 R2 domain controllers.You need to capture all replication errors that occur between all domain controllers. What should you do?

A. Use System Performance data collector sets.B. Use ntdsutil.C. Configure event log subscriptions.D. Use the ADSI Edit tool.




Date post:	22-Sep-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

Microsoft 70-640 Exam Preparation · 10/5/2013 · C. Log off and log on again to Active Directory...

Documents