Windows Server 2008 - Configuring Active Directory

Windows Server 2008 - Configuring Active Directory

Number: 70-640Passing Score: 800Time Limit: 120 minFile Version: 1.0

http://www.gratisexam.com/

Vendor: MicrosoftExam Code: 70-640 Exam Name: Windows Server 2008 Active Directory, Co nfiguring

Exam A

QUESTION 1Your company has an Active Directory forest .

You plan to install an Enterprise certification authori ty (CA) on a dedicated stand-alone server . When you attempt to add the Active Directory Certificate Ser vices (AD CS) role , you find that theEnterprise CA option is not available .

You need to install the AD CS role as an Enterprise CA .

What should you do first?

A. Add the DNS Server role.B. Add the Active Directory Lightweight Directory Service (AD LDS) role.C. Add the Web server (IIS) role and the AD CS role.D. Join the server to the domain.

Correct Answer: DSection: (none)Explanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspxActive Directory Certificate Services Step-by-Step Guide

http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/Enterprise CA option is greyed out / unavailable

Many times, administrators ask me what to do when installing Active Directory Certificate Services they cannotchoose to install Enterprise Certification Authority, because it’s unavailable as in following picture:

Well, you need to fulfill basic requirements:Server machine has to be a member server (domain joined). You can run an Enterprise CA on the Standard, Enterprise, or Data Center WindowsEdition. The difference is the number of ADCS features and components that can beenabled. To get full functionality, you need to run on Enterprise or Data CenterWindows Server 2008 /R2/ Editions. It includes functionality like Role separation,Certificate manager restrictions, Delegated enrollm ent agent restrictions,Certificate enrollment across forests, Online Respo nder, Network DeviceEnrollment . In order to install an Enterprise CA, you must be a member of either Enterprise Adminsor Domain Admins in the forest root domain (either directly or through a groupnesting).

If issue still persists, there is probably a problem with getting correct credentials of youraccount. There are many thing that can cause it (network blockage, domain settings, serverconfiguration, and other issues). In all cases I got, this troubleshooting helped perfectly:

First of all, carefully check all above requirements . Secondly, install all available patches and Service Packs with Windows Updatebefore trying to install Enterprise CA. Check network settings on the CA Server . If there is no DNS setting, CertificateAuthority Server cannot resolve and find domain. Sufficient privileges for writing the Enterprise CA configuration information in ADconfiguration partition are required. Determine if you are a member of the EnterpriseAdmins or Domain Admins in the forest root domain . Think about the account youare currently trying to install ADCS with. In fact, you may be sure, that your account is inEnterprise Admins group, but check this how CA Server “sees” your account membershipby typing whoami /groups . You also need to be a member of local Administrators group . If you are not, youwouldn’t be able to run Server Manager, but still needs to be checked. View C:\windows\certocm.log file . There you can find helpful details on problems withgroup membership. For example status ofENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS indicates thatneeded memberships are not correct. Don’t forget to check event viewer on CA Server side and look for red lines. Verify that network devices or software&hardware firewalls are not blocking accessfrom/to server and Domain Controllers. If so, Certificate Authority Server may not becommunicating correctly with the domain. To check that, simply run nltest /sc_verify:DomainName Check also whether Server CA is connected to a writable Domain Controller . Enterprise Admins groups is the most powerful group and has ADCS required full controlpermissions, but who knows – maybe someone changed default permissions? Run adsiedit.msc on Domain Controller, connect to defau lt context and first of all checkif CN=Public KeyService,CN=Services,CN=Configuration,DC=Your,DC=Dom ain,DC=Com containerdoes exist . If so, check permissions for all subcontainers under Public Key Service ifEnterprise Admins group has full control permission s. The main subcontainers toverify are Certificate Templates, OID, KRA containers.

If no above tips help, disjoin the server from domain and join again . Ultimately reinstalloperation system on CA Server.

QUESTION 2Your company has an Active Directory domain named contoso.com . The company network has two DNS servers named DNS1 and DNS2.

The DNS servers are configured as shown in the following table.

Domain users , who are configured to use DNS2 as the preferred DNS server, are unable to connect toInternet Web sites .

You need to enable Internet name resolution for all cli ent computers .

What should you do?

A. Update the list of root hints servers on DNS2.B. Create a copy of the .(root) zone on DNS1.C. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.D. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.

Correct Answer: CSection: (none)Explanation

Explanation/Reference:http://support.microsoft.com/kb/298148How To Remove the Root Zone (Dot Zone)

When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone forthe domain is created and a root zone, also known as a dot zone, is also created. This root zone may preventaccess to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones otherthan those that are listed with DNS, and you cannot configure forwarders or root hint servers. For thesereasons, you may have to remove the root zone.

QUESTION 3Your network consists of a single Active Directory domain . All domain controllers run Windows Server 2003 .

You upgrade all domain controllers to Windows Server 20 08.

You need to configure the Active Directory environment to support the application of multiplepassword policies .

What should you do?

A. Raise the functional level of the domain to Windows Server 2008.B. On one domain controller, run dcpromo /adv.C. Create multiple Active Directory sites.D. On all domain controllers, run dcpromo /adv.

Correct Answer: ASection: (none)Explanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspxAD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

This step-by-step guide provides instructions for configuring and applying fine-grained password and accountlockout policies for different sets of users in Windows Server® 2008 domains.

In Microsoft® Windows® 2000 and Windows Server 2003 Active Directory domains, you could apply only onepassword and account lockout policy, which is specified in the domain's Default Domain Policy, to all users inthe domain. As a result, if you wanted different password and account lockout settings for different sets ofusers, you had to either create a password filter or deploy multiple domains. Both options were costly fordifferent reasons.

In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies andapply different password restrictions and account lockout policies to different sets of users within a singledomain.

Requirements and special considerations for fine-grained password and account lockout policies Domain functional level: The domain functional level must be set to Windows Serv er 2008 or higher .etc...

QUESTION 4Your company has two Active Directory forests named contoso.com and fabrikam.com .The company network has three DNS servers named DNS1, DNS2, and DNS3.

The DNS servers are configured as shown in the following table:

All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server . All other computers use DNS1 as the preferred DNS server .

Users from the fabrikam.com domain are unable to connect to the servers that belong to the contoso.comdomain .

You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries .

What should you do?

A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc730756.aspxUnderstanding Forwarders

A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNSnames to DNS servers outside that network. You can also forward queries according to specific domain namesusing conditional forwarders.

You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the networkto forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you canmanage name resolution for names outside your network, such as names on the Internet, and improve theefficiency of name resolution for the computers in your network.

The following figure illustrates how external name queries are directed with forwarders.

...

Conditional forwardersA conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNSdomain name in the query. For example, you can configure a DNS server to forward all the queries that itreceives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IPaddresses of multiple DNS servers.

QUESTION 5Your company, Contoso Ltd , has offices in North America and Europe . Contoso has an Active Directory forest that has three domains .

You need to reduce the time required to authenticate us ers from the labs.eu.contoso.com domain whenthey access resources in the eng.na.contoso.com dom ain .

What should you do?

A. Decrease the replication interval for all Connection objects.B. Decrease the replication interval for the DEFAULTIPSITELINK site link.C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com.D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc754538.aspxUnderstanding When to Create a Shortcut Trust

When to create a shortcut trust

Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize theauthentication process.

Authentication requests must first travel a trust path between domain trees. In a complex forest this can taketime, which you can reduce with shortcut trusts. A trust path is the series of domain trust relationships thatauthentication requests must traverse between any two domains. Shortcut trusts effectively shorten the paththat authentication requests travel between domains that are located in two separate domain trees.

Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest. Usingthe following illustration as an example, you can form a shortcut trust between domain B and domain D,between domain A and domain 1, and so on.

Using one-way trusts

A one-way, shortcut trust that is established between two domains in separate domain trees can reduce thetime that is necessary to fulfill authentication requests—but in only one direction. For example, when a one-way,shortcut trust is established between domain A and domain B, authentication requests that are made in domainA to domain B can use the new one-way trust path. However, authentication requests that are made in domainB to domain A must still travel the longer trust path.

Using two-way trusts

A two-way, shortcut trust that is established between two domains in separate domain trees reduces the timethat is necessary to fulfill authentication requests that originate in either domain. For example, when a two-waytrust is established between domain A and domain B, authentication requests that are made from either domainto the other domain can use the new, two-way trust path.

QUESTION 6Your company purchases a new application to deploy on 200 computers . The application requires that you modify the registry on each target computer before you install theapplication . The registry modifications are in a file that has an .adm extension.

You need to prepare the target computers for the applic ation .

What should you do?

A. Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an organizational unitthat contains the target computers.

B. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRUsrCONTAINER-DN command on each target computer.

C. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each targetcomputer.

D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRCmpCONTAINER-DN command on each target computer.


Explanation/Reference:http://www.petri.co.il/adding_new_administrative_templates_to_gpo.htmAdding New Administrative Templates to a GPO

Adding .ADM files to the Administrative Templates in a GPO

In order to add additional .ADM files to the existing Administrative Templates section in GPO please follow thenext steps:1. Open the Group Policy Management Console (or GPMC) from the Administrative Tools folder in the Statmenu, or by typing gpmc.msc in the Run command.2. Right-click an existing GPO (or create an new GPO, then right-click on it) and select Edit....

QUESTION 7Your company has an Active Directory forest that contains eight linked Group Policy Obje cts (GPOs) . One of these GPOs publishes applications to user objects .

A user reports that the application is not available for installation .

You need to identify whether the GPO has been applied .

What should you do?

A. Run the Group Policy Results utility for the user.B. Run the GPRESULT /S <system name> /Z command at the command prompt.C. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.D. Run the Group Policy Results utility for the computer.


Explanation/Reference:Personal note:you run the utility for the user and not for the computer because the application publishes to user objects

http://technet.microsoft.com/en-us/library/bb456989.aspxHow to Use the Group Policy Results (GPResult.exe) Command Line Tool

Intended for administrators, the Group Policy Results (GPResult.exe) command line tool verifies all policysettings in effect for a specific user or computer. Administrators can run GPResult on any remote computerwithin their scope of management. By default, GPResult returns settings in effect on the computer on whichGPResult is run.

To run GPResult on your own computer:1. Click Start, Run, and enter cmd to open a command window.2. Type gpresult and redirect the output to a text file as shown in Figure 1 below:

Figure 1. Directing GPResult data to a text file

3. Enter notepad gp.txt to open the file. Results appear as shown in the figure below.

Figure 2. Verifying policies with GPResult

Administrators can also direct GPResult to other users and computers.

QUESTION 8Your company has an Active Directory domain .

You plan to install the Active Directory Certificate Services (AD CS) serve r role on a member server thatruns Windows Server 2008 R2 .

You need to ensure that members of the Account Operator s group are able to issue smartcardcredentials . They should not be able to revoke certificates .

Which three actions should you perform ? (Each correct answer presents part of the solution. Choose three .)

A. Create an Enrollment Agent certificate.B. Create a Smartcard logon certificate.C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.D. Install the AD CS role and configure it as an Enterprise Root CA.E. Install the AD CS role and configure it as a Standalone CA.F. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.

Correct Answer: BCDSection: (none)Explanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc753800%28v=ws.10%29.aspxAD CS: Restricted Enrollment Agent

The restricted enrollment agent is a new functionality in the Windows Server® 2008 Enterprise operatingsystem that allows limiting the permissions that users designated as enrollment agents have for enrolling smart

card certificates on behalf of other users.

What does the restricted enrollment agent do?

Enrollment agents are one or more authorized individuals within an organization. The enrollment agent needs tobe issued an enrollment agent certificate, which enables the agent to enroll for smart card certificates on behalfof users. Enrollment agents are typically members of the corporate security, Information Technology (IT)security, or help desk teams because these individuals have already been trusted with safeguarding valuableresources. In some organizations, such as banks that have many branches, help desk and security workersmight not be conveniently located to perform this task. In this case, designating a branch manager or othertrusted employee to act as an enrollment agent is required to enable smart card credentials to be issued frommultiple locations.

On a Windows Server 2008 Enterprise-based certification authority (CA), the restricted enrollment agentfeatures allow an enrollment agent to be used for one or many certificate templates. For each certificatetemplate, you can choose which users or security groups the enrollment agent can enroll on behalf of. Youcannot constrain an enrollment agent based on a certain Active Directory® organizational unit (OU) orcontainer; you must use security groups instead. The restricted enrollment agent is not available on a WindowsServer® 2008 Standard-based CA.

http://technet.microsoft.com/en-us/library/cc776874%28v=ws.10%29.aspxEnterprise certification authorities

The Enterprise Administrator can install Certificate Services to create an enterprise certification authority (CA). Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME(Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server using Secure SocketsLayer (SSL) or Transport Layer Security (TLS) and logging on to a Windows Server 2003 family domainusing a smart card .

An enterprise CA has the following features: An enterprise CA requires the Active Directory directory service. When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the TrustedRoot Certification Authorities certificate store for all users and computers in the domain. You must be aDomain Administrator or be an administrator with write access to Active Directory to install an enterpriseroot CA. Certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards. The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to ActiveDirectory. In order to publish certificates to Active Directory, the server that the CA is installed on must be amember of the Certificate Publishers group. This is automatic for the domain the server is in, but the servermust be delegated the proper security permissions to publish certificates in other domains. For moreinformation about the exit module, see Policy and exit modules.

An enterprise CA uses certificate types, which are based on a certificate template. The following functionality ispossible when you use certificate templates:

Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate templatehas a security permission set in Active Directory that determines whether the certificate requester isauthorized to receive the type of certificate they have requested. The certificate subject name can be generated automatically from the information in Active Directory orsupplied explicitly by the requestor. The policy module adds a predefined list of certificate extensions to the issued certificate. The extensionsare defined by the certificate template. This reduces the amount of information a certificate requester has toprovide about the certificate and its intended use.

http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspxStand-alone certification authorities

You can install Certificate Services to create a stand-alone certification authority (CA). Stand-alone CAs canissue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose

Internet Mail Extensions) and authentication to a secure Web server using Secure Sockets Layer (SSL) orTransport Layer Security (TLS).

A stand-alone CA has the following characteristics: Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directoryservice. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA hierarchyor when extranets and the Internet are involved. Additionally, if you want to use a custom policy module for aCA, you would first install a stand-alone CA and then replace the stand-alone policy module with yourcustom policy module. When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly supply allidentifying information about themselves and the type of certificate that is wanted in the certificate request.(This does not need to be done when submitting a request to an enterprise CA, since the enterprise user'sinformation is already in Active Directory and the certificate type is described by a certificate template). Theauthentication information for requests is obtained from the local computer's Security Accounts Managerdatabase. By default, all certificate requests sent to the stand-alone CA are set to Pending until the administrator ofthe stand-alone CA verifies the identity of the requester and approves the request. This is done for securityreasons, because the certificate requester's credentials are not verified by the stand-alone CA. Certificate templates are not used. No certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards,but other types of certificates can be issued and stored on a smart card. The administrator has to explicitly distribute the stand-alone CA's certificate to the domain user's trustedroot store or users must perform that task themselves.

When a stand-alone CA uses Active Directory, it has these additional features: If a member of the Domain Administrators group or an administrator with write access to Active Directory,installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authoritiescertificate store for all users and computers in the domain. For this reason, if you install a stand-alone rootCA in an Active Directory domain, you should not change the default action of the CA upon receivingcertificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA thatautomatically issues certificates without verifying the identity of the certificate requester. If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain ofa tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CAwill publish its CA certificate and the certificate revocation list (CRL) to Active Directory.

QUESTION 9You create 200 new user accounts . The users are located in six different sites . New users report that they receive the following error message when they try to log on : "The username orpassword is incorrect ."

You confirm that the user accounts exist and are enable d. You also confirm that the user name and password inform ation supplied are correct .

You need to identify the cause of the failure . You also need to ensure that the new users are able to log o n.


Which utility should you run?

A. Active Directory Domains and TrustsB. Repadmin

C. RstoolsD. Rsdiag

Correct Answer: BSection: (none)Explanation

Explanation/Reference:Repadmin allows us to check the replication status and also allows us to force a replication between domaincontrollers.

Reference:http://technet.microsoft.com/en-us/library/cc770963.aspx

Repadmin /replsummaryIdentifies domain controllers that are failing inbound replication or outbound replication, and summarizes theresults in a report.

Repadmin /showreplDisplays the replication status when the specified domain controller last attempted to perform inboundreplication on Active Directory partitions.

Repadmin /syncallSynchronizes a specified domain controller with all replication partners.

QUESTION 10Your network contains an Active Directory forest . All domain controllers run Windows Server 2008 R2 and are configured as DNS servers .

You have an Active Directory-integrated zone for contoso.com .

You have a Unix-based DNS server .

You need to configure your Windows Server 2008 R2 envir onment to allow zone transfers of thecontoso.com zone to the Unix-based DNS server .

What should you do in the DNS Manager console?

A. Enable BIND secondariesB. Create a stub zoneC. Disable recursionD. Create a secondary zone


Explanation/Reference:http://skibbz.com/understanding-of-advance-properties-settings-in-window-server-2003-and-2008-dns-server-bind-secondaries/Understanding Of Advance Properties Settings In Window Server 2003 And 2008 DNS Server (BINDSecondaries)

BIND Secondaries controls the zone transfer between different vendor DNS server . It help verifies thetype of format used zone transfer, whether it is fast or slow transfer (zone transfer). The full mean of BIND isBerkeley Internet Name domain (BIND) . BIND is a based on UNIX operating system .Two window servers do not required BIND. BIND is only required when transfer dns zone betwee n twodifferent dns server vendors (UNIX and Microsoft Wi ndow) . If you are using only Window server for dns

and zone transfer you will have to disable this option in the window dns server. However if you want the serverto perform a slow zone transfer and uncompressed data transfer then you will have to enable BIND in the dnsserver.To reiterate, BIND only provide slow dns zone transfer and data compression mechanism for DNS server. BIND is understood to have been introduced in window server to support UNIX.System admin will normally disable this option if they want the data in their dns zone transfer to betweenprimary and secondary dns server to be transfer faster in order to improve dns queries efficiency within theirnetwork environmentBind is used in a DNS window server, when the needs to configured zone transfer between window server andUNIX server or operative system.Bind is enabled when a window server is configured as a primary dns server and a UNIX computer isconfigured as a secondary dns server for zone transfer.BIND Secondaries need to be configured to mitigate, the problem of interoperability between the two serveroperating system since they are from different vendors.Note that old version of the BIND was noted to be very slow and uses an uncompressed zone transfer format.However, BIND in window server 2008 and later has improved this problem. This is because it was noted thatBIND in window server 2008 and later uses faster, compressed format during zone transfer between primaryand secondary DNS server configured in for different server operating system (UNIX and Window server).


You log on to the domain controller . The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC) .

You need to access the Active Directory Schema snap-in .

What should you do?

A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by usingServer Manager.

B. Log off and log on again by using an account that is a member of the Schema Administrators group.C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the schema

for writing.D. Register Schmmgmt.dll.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc732110.aspxInstall the Active Directory Schema Snap-In

You can use this procedure to first register the dynamic-link library (DLL) that is required for the Active DirectorySchema snap-in. You can then add the snap-in to Microsoft Management Console (MMC).

To install the Active Directory Schema snap-in1. To open an elevated command prompt, click Start , type command prompt and then right-click CommandPrompt when it appears in the Start menu. Next, click Run as administrator and then click OK . To open an elevated command prompt in Windows Server 2012, click Start , type cmd , right click cmd andthen click Run as administrator .2. Type the following command, and then press ENTER: regsvr32 schmmgmt.dll3. Click Start , click Run , type mmc and then click OK .4. On the File menu, click Add/Remove Snap-in .5. Under Available snap-ins , click Active Directory Schema , click Add and then click OK .6. To save this console, on the File menu, click Save .

7. In the Save As dialog box, do one of the following: * To place the snap-in in the Administrative Tools folder, in File name , type a name for the snap-in, andthen click Save . * To save the snap-in to a location other than the Administrative Tools folder, in Save in , navigate to alocation for the snap-in. In File name , type a name for the snap-in, and then click Save .

QUESTION 12Your company has a server that runs Windows Server 2008 R2 . Active Directory Certificate Services (AD CS) is co nfigured as a standalone Certification Authority (C A)on the server .

You need to audit changes to the CA configuration setti ngs and the CA security settings .

Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two .)

A. Configure auditing in the Certification Authority snap-in.B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%

\CertSrv directory.C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate

Services (AD CS) server.

Correct Answer: ADSection: (none)Explanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772451.aspxConfigure CA Event Auditing

You can audit a variety of events relating to the management and activities of a certification authority (CA): Back up and restore the CA database. Change the CA configuration. Change CA security settings. Issue and manage certificate requests. Revoke certificates and publish certificate revocation lists (CRLs). Store and retrieve archived keys. Start and stop Active Directory Certificate Services (AD CS).

To configure CA event auditing1. Open the Certification Authority snap-in.2. In the console tree, click the name of the CA.3. On the Action menu, click Properties.4. On the Auditing tab, click the events that you want to audit, and then click OK.5. On the Action menu, point to All Tasks, and then click Stop Service.6. On the Action menu, point to All Tasks, and then click Start Service.

Additional considerations To audit events, the computer must also be configured for auditing of object access. Audit policy optionscan be viewed and managed in local or domain Group Policy under Computer Configuration\WindowsSettings\Security Settings\Local Policies.

QUESTION 13Your company has a single-domain Active Directory forest . The functional level of the domain is Windows Server 20 08.

You perform the following activities :

Create a global distribution group .Add users to the global distribution group.Create a shared folder on a Windows Server 2008 member server.Place the global distribution group in a domain local group that has access to the shared folder.

You need to ensure that the users have access to the sh ared folder .

What should you do?

A. Add the global distribution group to the Domain Administrators group.B. Change the group type of the global distribution group to a security group.C. Change the scope of the global distribution group to a Universal distribution group.D. Raise the forest functional level to Windows Server 2008.


Explanation/Reference:http://kb.iu.edu/data/ajlt.htmlIn Microsoft Active Directory, what are security and distribution groups?

In Microsoft Active Directory, when you create a new group, you must select a group type. The two group types,security and distribution, are described below:

Security : Security groups allow you to manage user and computer access to shared resources. You canalso control who receives group policy settings. This simplifies administration by allowing you to setpermissions once on multiple computers, then to change the membership of the group as your needschange. The change in group membership automatically takes effect everywhere. You can also use thesegroups as email distribution lists. Distribution : Distribution groups are intended to be used solely as email distribution lists. These lists arefor use with email applications such as Microsoft Exchange or Outlook. You can add and remove contactsfrom the list so that they will or will not receive email sent to the distribution group. You can't use distributiongroups to assign permissions on any objects, and you can't use them to filter group policy settings.

http://technet.microsoft.com/en-us/library/cc781446%28v=ws.10%29.aspxGroup types

QUESTION 14Your company hires 10 new employees .

You want the new employees to connect to the main office through a VPN connection .

You create new user accounts and grant the new employees the Allow Read and Allow Executepermissions to shared resources in the main office . The new employees are unable to access shared resources in the main office .

You need to ensure that users are able to establish a V PN connection to the main office .

What should you do?

A. Grant the new employees the Allow Access Dial-in permission.B. Grant the new employees the Allow Full control permission.C. Add the new employees to the Remote Desktop Users security group.D. Add the new employees to the Windows Authorization Access security group.

Correct Answer: A

Section: (none)Explanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc738142%28v=ws.10%29.aspxDial-in properties of a user account

The dial-in properties for a user account are: Remote Access Permission (Dial-in or VPN)

You can use this property to set remote access permission to be explicitly allowed, denied, ordetermined through remote access policies. In all cases, remote access policies are used to authorizethe connection attempt. If access is explicitly allowed, remote access policy conditions, user accountproperties, or profile properties can still deny the connection attempt.

...

QUESTION 15Your network consists of a single Active Directory domain . All domain controllers run Windows Server 2008 R2 .

You need to identify the Lightweight Directory Access P rotocol (LDAP) clients that are using the largestamount of available CPU resources on a domain contr oller .

What should you do?

A. Review performance data in Resource Monitor.B. Review the Hardware Events log in the Event Viewer.C. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report.D. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.


Explanation/Reference:http://servergeeks.wordpress.com/2012/12/31/active-directory-diagnostics/Active Directory Diagnostics

Prior to Windows Server 2008, troubleshooting Active Directory performance issues often required theinstallation of SPA. SPA is helpful because the Active Directory data set collects performance data and itgenerates XML based diagnostic reports that make analyzing AD performance issues easier by identifying theIP addresses of the highest volume callers and the type of network traffic that is placing the most loads on theCPU.

Download SPA tool: http://www.microsoft.com/en-us/download/details.aspx?id=15506

Now the same functionality has been built into Windows Server 2008 and Windows Server 2008 R2 and youdon’t have to install SPA anymore.

This performance feature is located in the Server Manager snap-in under the Diagnostics node and when theActive Directory Domain Services Role is installed the Active Directory Diagnostics data collector set isautomatically created under System as shown here.

When you will check the properties of the collector you will notice that the data is stored under %systemdrive%\perflogs , only now it is under the \ADDS folder and when a data collection is run it creates a new subfoldercalled YYYYMMDD-#### where YYYY = Year, MM = Month and DD=Day and #### starts with 0001 . ActiveDirectory Diagnostics data collector set runs for a default of 5 minutes . This duration period cannot bemodified for the built-in collector. However, the collection can be stopped manually by clicking the Stop buttonor from the command line.

To start the data collector set, you just have to right click on Active Directory Diagnostics data collector setand select Start . Data will be stored at %systemdrive%\perflogs location.

Once you’ve gathered your data, you will have these interesting and useful reports under Report section, to aidin your troubleshooting and server performance trending.

Further information:http://technet.microsoft.com/en-us/library/dd736504%28v=ws.10%29.aspxMonitoring Your Branch Office Environment

http://blogs.technet.com/b/askds/archive/2010/06/08/son-of-spa-ad-data-collector-sets-in-win2008-and-beyond.aspxSon of SPA: AD Data Collector Sets in Win2008 and beyond

QUESTION 16Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers .

You need to prepare the Active Directory domain to inst all Windows Server 2008 R2 domain controllers .


A. Run the adprep /domainprep command.B. Raise the forest functional level to Windows Server 2008.C. Raise the domain functional level to Windows Server 2008.D. Run the adprep /forestprep command.


Explanation/Reference:http://www.petri.co.il/prepare-for-server-2008-r2-domain-controller.htmPrepare your Domain for the Windows Server 2008 R2 Domain Controller

Before installing the first Windows Server 2008 R2 domain controller (DC) into an existing Windows 2000,Windows Server 2003 or Windows Server 2008 domain, you must prepare the AD forest and domain. You do

so by running a tool called ADPREP.

ADPREP extends the Active Directory schema and updates permissions as necessary to prepare a forest anddomain for a domain controller that runs the Windows Server 2008 R2 operating system.

Note: You may remember that ADPREP was used on previous operating systems such as Windows Server2003, Windows Server 2003 R2 and Windows Server 2008. This article focuses on Windows Server 2008 R2.

What does ADPREP do? ADPREP has parameters that perform a variety of operations that help prepare anexisting Active Directory environment for a domain controller that runs Windows Server 2008 R2. Not allversions of ADPREP perform the same operations, but generally the different types of operations that ADPREPcan perform include the following:

Updating the Active Directory schema Updating security descriptors Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL sharedfolder Creating new objects, as needed Creating new containers, as needed

To prepare the forest and domain for the installation of the first Windows Server 2008 R2 domain controllerplease perform these tasks:

Lamer note : The following tasks are required ONLY before adding the first Windows Server 2008 R2 domaincontroller . If you plan on simply joining a Windows Server 2008 R2 Server to the domain and configuring as aregular member server, none of the following tasks are required.

Another lamer note : Please make sure you read the system requirements for Windows Server 2008 R2. Forexample, you cannot join a Windows Server 2008 R2 server to a Windows NT 4.0 domain, not can it participateas a domain controller in a mixed domain. If any domain controllers in the forest are running Windows 2000Server, they must be running Service Pack 4 (SP4).

First, you should review and understand the schema updates and other changes that ADPREP makes as partof the schema management process in Active Directory Domain Services (AD DS). You should test theADPREP schema updates in a lab environment to ensure that they will not conflict with any applications that runin your environment.

You must make a system state backup for your domain controllers, including the schema master and at leastone other domain controller from each domain in the forest (you do have backups, don't you?).

Also, make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep . You must be a member of the Schema Admins group, the Enterprise Admins group, andthe Domain Admins group of the domain that hosts the schema master, which is, by default, the forest rootdomain.

Next, insert the Windows Server 2008 R2 DVD media into your DVD drive. Note that if you do not have themedia handy, you may use the evaluation version that is available to download from Microsoft's website.

If you only have the ISO file and do not want to or cannot actually burn it to a physical DVD media, you canmount it by using a virtual ISO mounting tool such as MagicIso (can Convert BIN to ISO, Create, Edit, Burn,Extract ISO file, ISO/BIN converter/extractor/editor).

Browse to the X:\support\adprep folder, where X: is the drive letter of your DVD drive. Find a file calledadprep.exe or adprep32.exe.

Note: Unlike in Windows Server 2008 where you had to use either the 32-bit or 64-bit installation media to getthe right version of ADPREP, Windows Server 2008 R2 ADPREP is available in a 32-bit version and a 64-bitversion. The 64-bit version runs by default. If you need to run ADPREP on a 32-bit computer, run the 32-bitversion (adprep32.exe).

To perform this procedure, you must use an account that has membership in all of the following groups:

Enterprise Admins Schema Admins Domain Admins for the domain that contains the schema master

Open a Command Prompt window by typing CMD and pressing ENTER in the Run menu.

Drag the adprep.exe file from the Windows Explorer window to the Command Prompt window. Naturally, if youwant, you can always manually type the path of the file in the Command Prompt window if that makes you feelbetter...

Note : You must run adprep.exe from an elevated command prompt. To open an elevated command prompt,click Start, right-click Command Prompt, and then click Run as administrator.

Note : If your existing DCs are Windows Server 2008, dragging and dropping into a Command Prompt windowwill not work, as that feature was intentionally disabled in windows Server 2008 and Windows Vista.

In the Command Prompt window, type the following command:

adprep /forestprep

You will be prompted to type the letter "c" and then press ENTER. After doing so, process will begin.

ADPREP will take several minutes to complete. During that time, several LDF files will be imported into the ADSchema, and messages will be displayed in the Command Prompt window. File sch47.ldf seems to be thelargest one.

When completed, you will receive a success message.

Note : As mentioned above, ADPREP should only be run on an existing DC. When trying to run it from a non-DC, you will get this error:

Adprep cannot run on this platform because it is not an Active Directory Domain Controller. [Status/Consequence] Adprep stopped without making any changes. [User Action] Run Adprep on a Active Directory Domain Controller.

Allow the operation to complete, and then allow the changes to replicate throughout the forest beforeyou prepare any domains for a domain controller tha t runs Windows Server 2008 R2.

In the Command Prompt window, type the following command:

adprep /domainprep

Process will take less than a second.

ADPREP must only be run in a Windows 2000 Native Mode or higher. If you attempt to run in Mixed Mode youwill get this error:

Adprep detected that the domain is not in native mode [Status/Consequence] Adprep has stopped without making changes. [User Action] Configure the domain to run in native mode and re-run domainprep


If you're running a Windows 2008 Active Directory domain, that's it, no additional tasks are needed.

If you're running a Windows 2000 Active Directory domain, you must also the following command:

adprep /domainprep /gpprep

Allow the operation to complete, and then allow the changes to replicate throughout the forest before youprepare any domains for a domain controller that runs Windows Server 2008 R2.

If you're running a Windows 2003 Active Directory domain, that's it, no additional tasks are needed. However, ifyou're planing to run Read Only Domain controllers (RODCs), you must also

type the following command:

adprep /rodcprep

If you already ran this command for Windows Server 2008, you do not need to run it again for Windows Server2008 R2.

Process will complete in less than a second.


To verify that adprep /forestprep completed successfully please perform these steps:

1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default ondomain controllers that run Windows Server 2008 or Windows Server 2008 R2. On Windows Server 2003 youmust install the Resource Kit Tools.

2. Click Start, click Run, type ADSIEdit.msc, and then click OK.

3. Click Action, and then click Connect to.

4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, andthen click OK.

5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain whereforest_root_domain is the distinguished name of your forest root domain.

6. Double-click CN=ForestUpdates.

7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.

8. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, andthen click OK.

9. Click ADSI Edit, click Action, and then click Connect to.

10. Click Select a Well known naming context, select Schema in the list of available naming contexts, and thenclick OK.

11. Double-click Schema.

12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties.

13. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value isset to 47, and then click OK.

QUESTION 17You need to identify all failed logon attempts on the d omain controllers .

What should you do?

A. View the Netlogon.log file.B. View the Security tab on the domain controller computer object.C. Run Event Viewer.D. Run the Security and Configuration Wizard.


Explanation/Reference:http://support.microsoft.com/kb/174074Security Event Descriptions

This article contains descriptions of various security-related and auditing- related events, and tips forinterpreting them.These events will all appear in the Security event log and will be logged with a source of "Security."

Event ID: 529 Type: Failure AuditDescription: Logon Failure: Reason: Unknown user name or bad password User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 530 Type: Failure AuditDescription: Logon Failure: Reason: Account logon time restriction violation User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 531 Type: Failure AuditDescription: Logon Failure: Reason: Account currently disabled User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 532 Type: Failure AuditDescription: Logon Failure: Reason: The specified user account has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 533 Type: Failure AuditDescription: Logon Failure: Reason: User not allowed to logon at this computer User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 534 Type: Failure Audit

Description: Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 535 Type: Failure AuditDescription: Logon Failure: Reason: The specified account's password has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 536 Type: Failure AuditDescription: Logon Failure: Reason: The NetLogon component is not active User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 537 Type: Failure AuditDescription: Logon Failure: Reason: An unexpected error occurred during logon User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

QUESTION 18Your company has a DNS server that has 10 Active Directory integrated zones .

You need to provide copies of the zone files of the DNS server to the security department .

What should you do?

A. Run the dnscmd /ZoneInfo command.B. Run the ipconfig /registerdns command.C. Run the dnscmd /ZoneExport command.D. Run the ntdsutil > Partition Management > List commands.


Explanation/Reference:http://servergeeks.wordpress.com/2012/12/31/dns-zone-export/DNS Zone Export

In Non-AD Integrated DNS Zones

DNS zone file information is stored by default in the %systemroot%\windows\system32\dns folder. When theDNS Server service starts it loads zones from these files. This behavior is limited to any primary and secondaryzones that are not AD integrated. The files will be named as <ZoneFQDN>.dns .

In AD Integrated DNS Zones

AD-integrated zones are stored in the directory they do not have corresponding zone files i.e. they are notstored as .dns files. This makes sense because the zones are stored in, and loaded from, the directory.

Now it is important task for us to take a backup of these AD integrated zones before making any changes toDNS infrastructure. Dnscmd.exe can be used to export the zone to a file. The syntax of the command is:

DnsCmd <ServerName> /ZoneExport <ZoneName> <ZoneExportFile><ZoneName> — FQDN of zone to export/Cache to export cache

As an example, let’s say we have an AD integrated zone named habib.local, our DC is server1. The commandto export the file would be:

Dnscmd server1 /ZoneExport habib.local habib.local.bak

You can refer to a complete article on DNSCMD in Microsoft TechNet website

http://technet.microsoft.com/en-us/library/cc772069(v=ws.10).aspx

QUESTION 19Your company has recently acquired a new subsidiary company in Quebec. The Active Directory administrators of the subsidiary company must use the French-language versionof the administrative templates .

You create a folder on the PDC emulator for the subsidi ary domain in the path %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\FR .

You need to ensure that the French-language version of the templates is available .

What should you do?

A. Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm files from the Microsoft Web site. Copythe ADM files to the FR folder.

B. Copy the ADML files from the French local installation media for Windows Server 2008 R2 to the FR folder

on the subsidiary PDC emulator.C. Copy the Install.WIM file from the French local installation media for Windows Server 2008 R2 to the FR

folder on the subsidiary PDC emulator.D. Copy the ADMX files from the French local installation media for Windows Server 2008 R2 to the FR folder

on the subsidiary PDC emulator.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772507%28v=ws.10%29.aspx.admx and .adml File Structure

In order to support the multilingual display of policy settings, the ADMX file structure must be broken into twotypes of files:

A language-neutral file, .admx, describing the structure of the categories and Administrative templatepolicy settings displayed in the Group Policy Management Console (GPMC) or Local Group Policy Editor. A set of language-dependent files, .adml, providing the localized portions displayed in the GPMC or LocalGroup Policy Editor. Each .adml file represents a single language you wish to support.

Language-neutral file (.admx) structure..

Language resource file (.adml) structure

The language resource files, .adml, provide the language specific information needed by the language neutralfile. The language neutral file will then reference specific sections of the language resource file in order for theGPMC or Local Group Policy Editor to display a policy setting in the correct language...

QUESTION 20A user in a branch office of your company attempts to join a computer to the domain , but the attemptfails .

You need to enable the user to join a single computer t o the domain .

You must ensure that the user is denied any additional rights beyond those required to complete thetask .

What should you do?

A. Prestage the computer account in the Active Directory domain.B. Add the user to the Domain Administrators group for one day.C. Add the user to the Server Operators group in the Active Directory domain.D. Grant the user the right to log on locally by using a Group Policy Object (GPO).


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc770832%28v=ws.10%29.aspx#BKMK_1Prestaging Client ComputersBenefits of Prestaging Client Computers

Prestaging clients provides three main benefits:An additional layer of security. You can configure Windows Deployment Services to answer only prestaged

clients, therefore ensuring that clients that are not prestaged will not be able to boot from the network.Additional flexibility. Prestaging clients increases flexibility by enabling you to control the following. Forinstructions on performing these tasks, see the “Prestage Computers” section of How to Manage ClientComputers.

* The computer account name and location within AD DS.* Which server the client should network boot from.* Which network boot program the client should receive.* Other advanced options — for example, what boot image a client will receive or what WindowsDeployment Services client unattend file the client should use.

The ability for multiple Windows Deployment Services servers to service the same network segment. Youcan do this by restricting the server to answer only a particular set of clients. Note that the prestaged clientmust be in the same forest as the Windows Deployment Services server (trusted forests do not work).

Further information:http://www.windows-noob.com/forums/index.php?/topic/506-how-can-i-prestage-a-computer-for-wds/how can I PRESTAGE a computer for WDS?

QUESTION 21The default domain GPO in your company is configured by using the following account policy settings:

- Minimum password length: 8 characters- Maximum password age: 30 days- Enforce password history: 12 passwords remembered- Account lockout threshold: 3 invalid logon attempts- Account lockout duration: 30 minutes

You install Microsoft SQL Server on a computer named Server1 that runs Windows Server 2008 R2 . The SQL Server application uses a service account named SQLSrv . The SQLSrv account has domain user rights .

The SQL Server computer fails after running successfull y for several weeks . The SQLSrv user account is not locked out .

You need to resolve the server failure and prevent recu rrence of the failure .

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two .)

A. Reset the password of the SQLSrv user account.B. Configure the local security policy on Server1 to grant the Logon as a service right on the SQLSrv user

account.C. Configure the properties of the SQLSrv account to Password never expires.D. Configure the properties of the SQLSrv account to User cannot change password.E. Configure the local security policy on Server1 to explicitly grant the SQLSrv user account the Allow logon

locally user right.

Correct Answer: ACSection: (none)Explanation

Explanation/Reference:Personal comment:Maximum password age: 30 daysThe most probable cause for the malfunction is that the password has expired. You need to reset the password and set it to never expire.

QUESTION 22Your company has two Active Directory forests named Forest1 and Forest2 .

The forest functional level and the domain functional level of Forest1 are set to Windows Server 2008 .The forest functional level of Forest2 is set to Windows 2000 , and the domain functional levels in Forest2are set to Windows Server 2003 .

You need to set up a transitive forest trust between Fo rest1 and Forest2 ,


A. Raise the forest functional level of Forest2 to Windows Server 2003 Interim mode.B. Raise the forest functional level of Forest2 to Windows Server 2003.C. Upgrade the domain controllers in Forest2 to Windows Server 2008.D. Upgrade the domain controllers in Forest2 to Windows Server 2003.


Explanation/Reference:


Creating Forest Trusts

You can link two disjoined Active Directory Domain Services (AD DS) forests together to form a one-way ortwo-way, transitive trust relationship.

The following are required to create forest trusts successfully:

You can create a forest trust between two Windows Server 2003 forests, between two Windows Server2008 forests, between two Windows Server 2008 R2 forests, between a Windows Server 2003 forest anda Windows Server 2008 forest , between a Windows Server 2003 forest and a Windows Server 2008 R2forest, or between a Windows Server 2008 forest and a Windows Server 2008 R2 forest. Forest trustscannot be extended implicitly to a third forest.To create a forest trust, the minimum forest functional level for the forests that are involved in thetrust relationship is Windows Server 2003 .(...)

QUESTION 23Your company has an Active Directory forest that contains two domains .The forest has universal groups that contain members from each domain . A branch office has a domain controller named DC1. Users at the branch office report that the logon pr ocess takes too long .

You need to decrease the amount of time it takes for th e branch office users to logon .

What should you do?

A. Configure DC1 as a Global Catalog server.B. Configure DC1 as a bridgehead server for the branch office site.C. Decrease the replication interval on the site link that connects the branch office to the corporate network.D. Increase the replication interval on the site link that connects the branch office to the corporate network.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc728188.aspxWhat Is the Global Catalog?

The global catalog is a distributed data repository that contains a searchable, partial representation of everyobject in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog isstored on domain controllers that have been designated as global catalog servers and is distributed throughmultimaster replication. Searches that are directed to the global catalog ar e faster because they do notinvolve referrals to different domain controllers.

In addition to configuration and schema directory partition replicas, every domain controller in a forest stores afull, writable replica of a single domain directory partition. Therefore, a domain controller can locate only theobjects in its domain. Locating an object in a different domain would require the user or application to providethe domain of the requested object.

The global catalog provides the ability to locate objects from any domain without having to know the domainname. A global catalog server is a domain controller that, in addition to its full, writable domain directorypartition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. Theadditional domain directory partitions are partial because only a limited set of attributes is included for eachobject. By including only the attributes that are most used for searching, every object in every domain in even

the largest forest can be represented in the database of a single global catalog server.

QUESTION 24Your company has an Active Directory domain . The main office has a DNS server named DNS1 that is configured with Active Directory-integrated DNS . The branch office has a DNS server named DNS2 that contains a secondary copy of the zone from DNS1 . The two offices are connected with an unreliable WAN link .

You add a new server to the main office . Five minutes after adding the server , a user from the branch office reports that he is un able to connectto the new server .

You need to ensure that the user is able to connect to the new server .

What should you do?

A. Clear the cache on DNS2.B. Reload the zone on DNS1.C. Refresh the zone on DNS2.D. Export the zone from DNS1 and import the zone to DNS2.


Explanation/Reference:!***old answer: Refresh the zone on DNS2.

http://technet.microsoft.com/en-us/library/cc794900%28v=ws.10%29.aspxAdjust the Refresh Interval for a Zone

You can use this procedure to adjust the refresh interval for a Domain Name System (DNS) zone. The refreshinterval determines how often other DNS servers that load and host the zone must attempt to renew the zone.By default, the refresh interval for each zone is set to 15 minutes.

http://blog.ijun.org/2008/11/difference-between-dnscmd-clearcache.htmldifference between dnscmd /clearcache and ipconfig /flushdns

Q: Do "dnscmd /clearcache" and "ipconfig /flushdns" the exact same thing, on a windows 2003 server? What isthe difference, if any?A: Ipconfig /flushdns will flush the local computer cache. And dnscmd /clearcache will clear the dns servercache. Meaning that with the first you will clear the "local" cache of the server you work on. (Even if it is the dnsserver. It will NOT clear the dns server cache.) While with dnscmd you will clear the dns server cache.

QUESTION 25You need to validate whether Active Directory successfu lly replicated between two domain controllers .

What should you do?

A. Run the DSget command.B. Run the Dsquery command.C. Run the RepAdmin command.D. Run the Windows System Resource Manager.


Explanation/Reference:Reference:http://technet.microsoft.com/en-us/library/cc794749.aspx

You can use the repadmin /showrepl command to verify successful replication to a specific domaincontroller.

QUESTION 26You have a domain controller that runs Windows Server 2008 R2 .The Windows Server Backup feature is installed on the d omain controller .

You need to perform a non-authoritative restore of the domain controller by using an existing backupfile .

What should you do?

A. Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN command to performa critical volume restore.

B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-into perform a critical volume restore.

C. Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to perform a criticalvolume restore.

D. Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical volumerestore.


Explanation/Reference:almost identical to B26

http://technet.microsoft.com/en-us/library/cc816627%28v=ws.10%29.aspxPerforming Nonauthoritative Restore of Active Directory Domain Services

A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a systemstate, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its stateat the time of backup and then allows normal replication to overwrite that state with any changes that occurredafter the backup was taken. After you restore AD DS from backup, the domain controller queries its replicationpartners. Replication partners use the standard replication protocols to update AD DS and associatedinformation, including the SYSVOL shared folder, on the restored domain controller.

You can use a nonauthoritative restore to restore the directory service on a domain controller withoutreintroducing or changing objects that have been modified since the backup. The most common use of anonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardwarefailures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that theproblem is with AD DS.

Nonauthoritative Restore Requirements

You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a stand-alone server, member server, or domain controller.

On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service.

Therefore, in Windows Server 2008, performing offline defragm entation and other databasemanagement tasks does not require restarting the do main controller in Directory Services RestoreMode (DSRM) . However, you cannot perform a nonauthoritative rest ore after simply stopping the ADDS service in regular startup mode. You must be abl e to start the domain controller in DirectoryServices Restore Mode (DSRM). If the domain control ler cannot be started in DSRM, you must firstreinstall the operating system.

To perform a nonauthoritative restore, you need one of the following types of backup for your backup source: System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operatingsystem, you must use a critical-volumes or full server backup. If you are restoring a system state backup,use the wbadmin start systemstaterecovery command. Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operatingsystem and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if youwant to restore more than the system state. To restore a critical-volumes backup, use the wbadmin startrecovery command.Full server backup: Use this type of backup only if you cannot start the server or you do not have a systemstate or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup.Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls backall data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritativerestore of AD DS.

QUESTION 27Your company has an Active Directory forest . Not all domain controllers in the forest are configured as Global Catalog Servers . Your domain structure contains one root domain and one child domain .

You modify the folder permissions on a file server that is in the child domain . You discover that some Access Control entries start wit h S-1-5-21 and that no account name is listed .

You need to list the account names .

What should you do?

A. Move the RID master role in the child domain to a domain controller that holds the Global Catalog.B. Modify the schema to enable replication of the friendlynames attribute to the Global Catalog.C. Move the RID master role in the child domain to a domain controller that does not hold the Global Catalog.D. Move the infrastructure master role in the child domain to a domain controller that does not hold the Global

Catalog.


Explanation/Reference:????

http://technet.microsoft.com/en-us/library/cc780850%28v=ws.10%29.aspxSecurity identifiers

Security identifiers (SIDs) are numeric values that identify a user or group. For each access control entry(ACE), there exists a SID that identifies the user or group for whom access is allowed, denied, or audited.

Well-known security identifiers (special identities):

Network (S-1-5-2) Includes all users who are logged on through a network connection. Access tokens for interactive users donot contain the Network SID.

http://technet.microsoft.com/en-us/library/cc773108%28v=ws.10%29.aspxOperations master roles

Active Directory supports multimaster replication of the directory data store between all domain controllers (DC)in the domain, so all domain controllers in a domain are essentially peers. However, some changes areimpractical to perform in using multimaster replication, so, for each of these types of changes, one domaincontroller, called the operations master, accepts requests for such changes.

In every forest, there are at least five operations master roles that are assigned to one or more domaincontrollers. Forest-wide operations master roles must appear only once in every forest. Domain-wideoperations master roles must appear once in every domain in the forest. ..Domain-wide operations master roles

Every domain in the forest must have the following roles: Relative ID (RID) master Primary domain controller (PDC) emulator master Infrastructure master

These roles must be unique in each domain. This means that each domain in the forest can have only one RIDmaster, PDC emulator master, and infrastructure master....

Infrastructure master

At any time, there can be only one domain controller acting as t he infrastructure master in each domain .The infrastructure master is responsible for updating references from objects in its domain to objects in otherdomains. The infrastructure master compares its data with t hat of a global catalog . Global catalogsreceive regular updates for objects in all domains through replication, so the global catalog data will always beup to date. If the infrastructure master finds data that is out of date, it requests the updated data from a globalcatalog. The infrastructure master then replicates that updated data to the other domain controllers in thedomain.

ImportantUnless there is only one domain controller in the domain, the infrastructure master role should not beassigned to the domain controller that is hosting the global catalog. If the infrastructure master and globalcatalog are on the same domain controller, the infrastructure master will not function. The infrastructuremaster will never find data that is out of date, so it will never replicate any changes to the other domaincontrollers in the domain.In the case where all of the domain controllers in a domain are also hosting the global catalog, all of thedomain controllers will have the current data and it does not matter which domain controller holds theinfrastructure master role.

The infrastructure master is also responsible for updating the group-to-user references whenever the membersof groups are renamed or changed. When you rename or move a member of a group (and that memberresides in a different domain from the group), the group may temporarily appear not to contain that member.The infrastructure master of the group's domain is responsible for updating the group so it knows the new nameor location of the member. This prevents the loss of group memberships associated with a user account whenthe user account is renamed or moved. The infrastructure master distributes the update via multimasterreplication.

There is no compromise to security during the time between the member rename and the group update. Onlyan administrator looking at that particular group membership would notice the temporary inconsistency.

QUESTION 28Your company security policy requires complex passwords .

You have a comma delimited file named import.csv that contains user account information .

You need to create user account in the domain by using the import.csv file .

You also need to ensure that the new user accounts are set t o use default passwords and are disabled .

What shoulld you do?

A. Modify the userAccountControl attribute to disabled. Run the csvde i k f import.csv command. Run theDSMOD utility to set default passwords for the user accounts.

B. Modify the userAccountControl attribute to accounts disabled. Run the csvde -f import.csv command. Runthe DSMOD utility to set default passwords for the user accounts.

C. Modify the userAccountControl attribute to disabled. Run the wscript import.csv command. Run the DSADDutility to set default passwords for the imported user accounts.

D. Modify the userAccountControl attribute to disabled. Run ldifde -i -f import.csv command. Run the DSADDutility to set passwords for the imported user accounts.


Explanation/Reference:Personal note:the correct command should be: csvde - i -k -f import.csv

http://support.microsoft.com/kb/305144How to use the UserAccountControl flags to manipulate user account properties

When you open the properties for a user account, click the Account tab, and then either select or clear thecheck boxes in the Account options dialog box, numerical values are assigned to the UserAccountControlattribute. The value that is assigned to the attribute tells Windows which options have been enabled.

You can view and edit these attributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in.

The following table lists possible flags that you can assign. You cannot set some of the values on a user orcomputer object because these values can be set or reset only by the directory service. Note that Ldp.exeshows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. Todisable a user's account, set the UserAccountContro l attribute to 0x0202 (0x002 + 0x0200). In decimal,this is 514 (2 + 512).

http://technet.microsoft.com/en-us/library/cc732101%28v=ws.10%29.aspxCsvde

Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in thecomma-separated value (CSV) format. You can also support batch operations based on the CSV file formatstandard.

Syntax: Csvde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d<BaseDN>] [-r <LDAPFilter>] [-p <Scope] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a<UserDistinguishedName> {<Password> | *}] [-b <UserName> <Domain> {<Password> | *}]

Parameters-i Specifies import mode. If not specified, the default mode is export.-f <FileName> Identifies the import or export file name.-k Ignores errors during an import operation and continues processing.

http://technet.microsoft.com/en-us/library/cc732954%28v=ws.10%29.aspxDsmod user

Modifies attributes of one or more existing users in the directory.

Syntax: dsmod user <UserDN> ... [-upn <UPN>] [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>] [-display<DisplayName>] [-empid <EmployeeID>] [-pwd (<Password> | *)] [-desc <Description>] [-office <Office>] [-tel<PhoneNumber>] [-email <E-mailAddress>] [-hometel <HomePhoneNumber>] [-pager <PagerNumber>] [-mobile <CellPhoneNumber>] [-fax <FaxNumber>] [-iptel <IPPhoneNumber>] [-webpg <WebPage>] [-title<Title>] [-dept <Department>] [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDirectory>] [-hmdrv<DriveLetter>:] [-profile <ProfilePath>] [-loscr <ScriptPath>] [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires <NumberOfDays>] [-disabled {yes | no}] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}][-c] [-q] [{-uc | -uco | -uci}]

Parameters<UserDN> Required. Specifies the distinguished names of the users that you want to modify. If values are omitted, theyare obtained through standard input (stdin) to support piping of output from another command to input of thiscommand. ..-pwd {<Password> | *} Resets the passwords for the users that you want to modify as Password or an asterisk (*). If you type *, ADDS prompts you for a user password....

QUESTION 29You are installing an application on a computer that runs Windows Server 2008 R2 . During installation , the application will need to install new attributes and classes to the Active Directorydatabase .

You need to ensure that you can install the application .

What should you do?

A. Change the functional level of the forest to Windows Server 2008 R2.B. Log on by using an account that has Server Operator rights.C. Log on by using an account that has Schema Administrator rights and the appropriate rights to install the

application.D. Log on by using an account that has the Enterprise Administrator rights and the appropriate rights to install

the application.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc756898%28v=ws.10%29.aspxDefault groups

Default groups, such as the Domain Admins group, are security groups that are created automatically when youcreate an Active Directory domain. You can use these predefined groups to help control access to sharedresources and delegate specific domain-wide administrative roles...Groups in the Builtin containerThe following table provides descriptions of the default groups located in the Builtin container and lists theassigned user rights for each group.

..Groups in the Users containerThe following table provides a description of the default groups located in the Users container and lists theassigned user rights for each group.

QUESTION 30Your company has an Active Directory forest . The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7 . The domain uses a set of GPO administrative templates that have been approved to support regulatorycompliance requirements .

Your partner company has an Active Directory forest that contains a single domain . The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7 .

You need to configure your partner company's domain to use the approved set of administrativetemplates .

What should you do?

A. Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In each site, importthe GPO to the default domain policy.

B. Copy the ADMX files from your company's PDC emulator to the PolicyDefinitions folder on the partnercompany's PDC emulator.

C. Copy the ADML files from your company's PDC emulator to the PolicyDefinitions folder on the partnercompany's PDC emulator.

D. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Web

site. Copy the ADM files to the PolicyDefinitions folder on thr partner company's emulator.


Explanation/Reference:http://support.microsoft.com/kb/929841How to create the Central Store for Group Policy Administrative Template files in Windows Vista

Windows Vista uses a new format to display registry-based policy settings. These registry-based policy settingsappear under Administrative Templates in the Group Policy Object Editor. In Windows Vista, these registry-based policy settings are defined by standards-based XML files that have an .admx file name extension. The.admx file format replaces the legacy .adm file format. The .adm file format uses a proprietary markuplanguage.

In Windows Vista, Administrative Template files are divided into .admx files and language-specific .adml filesthat are available to Group Policy administrators...Administrative Template file storageIn earlier operating systems, all the default Administrative Template files are added to the ADM folder of aGroup Policy object (GPO) on a domain controller. The GPOs are stored in the SYSVOL folder. The SYSVOLfolder is automatically replicated to other domain controllers in the same domain. A policy file usesapproximately 2 megabytes (MB) of hard disk space. Because each domain controller stores a distinct versionof a policy, replication traffic is increased.

Windows Vista uses a Central Store to store Administrative Template files. In Windows Vista, the ADM folder isnot created in a GPO as in earlier versions of Windows. Therefore, domain controllers do not store or replicateredundant copies of .adm files.

The Central StoreTo take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on adomain controller. The Central Store is a file location that is checked by the Group Policy tools. The GroupPolicy tools use any .admx files that are in the Central Store. The files that are in the Central Store are laterreplicated to all domain controllers in the domain.

To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in thefollowing location:\\FQDN\SYSVOL\FQDN\policies

Note: FQDN is a fully qualified domain name....

http://www.frickelsoft.net/blog/?p=31How can I export local Group Policy settings made in gpedit.msc?

Mark Heitbrink, MVP for Group PolicyÃ‚Â came up with a good solution on how you can “export” the GroupPolicy and SecurityÃ‚Â settings you made in on a machine with the Local Group Policy Editor (gpedit.msc) toother machines pretty easy:

Normal settings can be copied like this:

1.) Open %systemroot%\system32\grouppolicy\

Within this folder, there are two folders - “machine” and “user”. Copy these to folders to the “%systemroot%\system32\grouppolicy - folder on the target machine. All it needs now is a reboot or a “gpupdate /force”.

Note: If you cannot see the “grouppolicy” folder on either the source or the target machine, be sure to have yourexplorer folder options set to “Show hidden files and folders”…

For security settings:

1.) Open MMC and add the Snapin “Security Templates”.2.) Create your own customized template and save it as an “*inf” file.3.) Copy the file to the target machine and import it via command line tool “secedit”:

secedit /configure /db %temp%\temp.sdb /cfg yourcreated.inf

Further information on secedit can be found here: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/secedit_cmds.mspx?mfr=true

If you’re building custom installations, you can pretty easy script the “overwriting” of the “machine”/”user”-foldersor the import via secedit by copying these file to a share and copy and execute them with a script.

QUESTION 31You need to ensure that users who enter three successiv e invalid passwords within 5 minutes arelocked out for 5 minutes .

Which three actions should you perform? (Each correct answer presents part of the solution. Choose three .)

A. Set the Minimum password age setting to one day.B. Set the Maximum password age setting to one day.C. Set the Account lockout duration setting to 5 minutes.D. Set the Reset account lockout counter after setting to 5 minutes.E. Set the Account lockout threshold setting to 3 invalid logon attempts.F. Set the Enforce password history setting to 3 passswords remembered.

Correct Answer: CDESection: (none)Explanation


QUESTION 32

Your company has an Active Directory domain and an organizational unit . The organizational unit is named Web.

You configure and test new security settings for Internet Information Service (IIS) Servers on a servernamed IISServerA .

You need to deploy the new security settings only on the IIS servers that are members of the Weborganizational unit .

What should you do?

A. Run secedit /configure /db iis.inf from the command prompt on IISServerA, then run secedit /configure /dbwebou.inf from the comand prompt.

B. Export the settings on IISServerA to create a security template. Import the security template into a GPO andlink the GPO to the Web organizational unit.

C. Export the settings on IISServerA to create a security template. Run secedit /configure /db webou.inf fromthe comand prompt.

D. Import the hisecws.inf file template into a GPO and link the GPO to the Web organizational unit.


Explanation/Reference:http://www.itninja.com/blog/view/using-secedit-to-apply-security-templatesUsing Secedit To Apply Security Templates

Secedit /configure /db secedit.sdb /cfg"c:\temp\custom.inf" /silent >nul

This command imports a security template file, “custom.inf” into the workstation’s or server’s local securitydatabase. /db must be specified. When specifying the default secuirty database (secedit.sdb,) I found thatproviding no path worked best. The /cfg option informs Secedit that it is to import the .inf file into the specifieddatabase, appending it to any existing .inf files that have already been imported to this system. You canoptionally include an /overwrite switch to overwrite all previous configurations for this machine. The /silentoption supresses any pop-ups and the >nul hides the command line output stating success or failure of theaction.

QUESTION 33Your network consists of an Active Directory forest that contains two domains . All servers run Windows Server 2008 R2 . All domain controllers are configured as DNS Servers .

You have a standard primary zone for dev.contoso.com that is stored on a member server .

You need to ensure that all domain controllers can resolve name s from the dev.contoso.com zone .

What should you do?

A. On the member server, create a stub zone.B. On the member server, create a NS record for each domain controller.C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to

all DNS servers in the forest.D. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to

all DNS servers in the domain.

Correct Answer: CSection: (none)

Explanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc730756.aspxUnderstanding Forwarders




...


Further information :http://technet.microsoft.com/en-us/library/cc794735%28v=ws.10%29.aspxAssign a Conditional Forwarder for a Domain Name

http://technet.microsoft.com/en-us/library/cc754941.aspxConfigure a DNS Server to Use Forwarders

QUESTION 34Your company has an Active Directory domain . You install a new domain controller in the domain. Twenty users report that they are unable to log on to the domain .

You need to register the SRV records .

Which command should you run on the new domain controller?

A. Run the netsh interface reset command.

B. Run the ipconfig /flushdns command.C. Run the dnscmd /EnlistDirectoryPartition command.D. Run the sc stop netlogon command followed by the sc start netlogon command.


Explanation/Reference:Reference:MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)page 62

The SRV resource records for a domain controller are important in enabling clients to locate the domaincontroller. The Netlogon service on domain controllers registers this resource record whenever a domaincontroller is restarted. You can also re-register a domain controller’s SRV resource records by restartingthis service from the Services branch of Server Man ager or by typing net start netlogon . An examquestion might ask you how to troubleshoot the nonregistration of SRV resource records.

http://technet.microsoft.com/en-us/library/cc742107%28v=ws.10%29.aspxSc stop

Syntaxsc [<ServerName>] stop <ServiceName>

http://cbfive.com/blog/post/Command-Line-Service-Management-%28NET-v-SC%29.aspxCommand Line Service Management (NET v SC)

For the most part, everything that NET does, SC can do. The subtle differences are in how they perform thesame functions.

..

The first, and most consequential, difference is that SC can remotely manage services. For any SC command,simply type the workstation name or IP address of the machine that you would like to manage right after SCand before the command:

SC \\SERVERNAME QUERY

QUESTION 35Your company has an Active Directory domain. All servers run Windows Server 2008 R2 . Your company uses an Enterprise Root certificate authority (CA) .

You need to ensure that revoked certificate information is highly available .

What should you do?

A. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security andAcceleration Server array.

B. Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO).C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the

domain.


Explanation/Reference:Answer : Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.

Explanation :http://technet.microsoft.com/en-us/library/cc731027%28v=ws.10%29.aspxAD CS: Online Certificate Status Protocol Support

Certificate revocation is a necessary part of the process of managing certificates issued by certificationauthorities (CAs). The most common means of communicating certificate status is by distributing certificaterevocation lists (CRLs). In the Windows Server® 2008 operating system, public key infrastructures (PKIs)where the use of conventional CRLs is not an optimal solution , an Online Responder based on theOnline Certificate Status Protocol (OCSP) can be us ed to manage and distribute revocation statusinformation .

What does OCSP support do?

The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of twocommon methods for conveying information about the validity of certificates. Unlike CRLs, which are distributedperiodically and contain information about all certificates that have been revoked or suspended, an OnlineResponder receives and responds only to requests from clients for information about the status of a singlecertificate. The amount of data retrieved per request remains constant no matter how many revoked certificatesthere might be.

In many circumstances, Online Responders can process certificate status r equests more efficiently thanby using CRLs ...Adding one or more Online Responders can significantly enhance the flexibility and scalabili ty of anorganization's PKI ...

Further information :http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-part-v-high-availability.aspxImplementing an OCSP Responder: Part V High Availability

There are two major pieces in implementing the High Availability Configuration . The first step is to add theOCSP Responders to what is called an Array . When OCSP Responders are configured in an Array, theconfiguration of the OCSP responders can be easily maintained, so that all Responders in the Array have thesame configuration. The configuration of the Array Controller is used as the baseline configuration that is thenapplied to other members of the Array.

The second piece is to load balance the OCSP Responders. Load balancing of the OCSP responders iswhat actually provides fault tolerance .

QUESTION 36You have two servers named Server1 and Server2 . Both servers run Windows Server 2008 R2 . Server1 is configured as an enterprise root certification authority (CA) .

You install the Online Responder role service on Server2 .

You need to configure Server1 to support the Online Res ponder .

What should you do?

A. Import the enterprise root CA certificate.B. Configure the Certificate Revocation List Distribution Point extension.

C. Configure the Authority Information Access (AIA) extension.D. Add the Server2 computer account to the CertPublishers group.


Explanation/Reference:Answer : Configure the Authority Information Access (AIA) extension.

Explanation :http://technet.microsoft.com/en-us/library/cc732526.aspxConfigure a CA to Support OCSP Responders

To function properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP)Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a non-Microsoft OCSP responder.

Configuring a certification authority (CA) to support OCSP responder services includes the following steps:1. Configure certificate templates and issuance properties for OCSP Response Signing certificates.2. Configure enrollment permissions for any computers that will be hosting Online Responders.3. If this is a Windows Server 2003–based CA, enable the OCSP extension in issued certificates.4. Add the location of the Online Responder or OCSP responder to the authority information access extension

on the CA.5. Enable the OCSP Response Signing certificate template for the CA.

..To configure a CA to support an Online Responder or OCSP responder services :1. Open the Certification Authority snap-in.2. In the console tree, click the name of the CA.3. On the Action menu, click Properties.4. Click the Extensions tab.5. In the Select extension list, click Authority Information Access (AIA) and then click Add.6. Specify the locations from which users can obtain certificate revocation data, such as http://computername/

ocsp.7. Select the Include in the online certificate status protocol (OCSP) extension check box.8. In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New

Certificate Templates to Issue.9. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate

templates that you configured previously, and then click OK.10.Double-click Certificate Templates, and verify that the modified certificate templates appear in the list.


A user attempts to log on to a computer that was turned off for twelve weeks . The administrator receives an error message that authentication has failed .

You need to ensure that the user is able to log on to t he computer .

What should you do?

A. Run the netsh command with the set and machine options.B. Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the

domain.C. Run the netdom TRUST /reset command.D. Run the Active Directory Users and Computers console to disable, and then enable the computer account.


Explanation/Reference:Answer : Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer tothe domain.

Explanation :http://social.technet.microsoft.com/wiki/contents/articles/9157.trust-relationship-between-workstation-and-primary-domain-failed.aspxTrust Relationship between Workstation and Primary Domain failed

What are the common causes which generates this message on client systems?

There might be multiple reasons for this kind of behaviour. Below are listed a few of them:1. Single SID has been assigned to multiple computers.2. If the Secure Channel is Broken between Domain controller and workstations3. If there are no SPN or DNSHost Name mentioned in the computer account attributes4. Outdated NIC Drivers.

How to Troubleshoot this behaviour?.. 2. If the Secure Channel is Broken between Domain control ler and workstationsWhen a Computer account is joined to the domain, Secure Channel password is stored with computer accountin domain controller. By default this password will change every 30 days (This is an automatic process, nomanual intervention is required). Upon starting the computer, Netlogon attempts to discover a DC for thedomain in which its machine account exists. After locating the appropriate DC, the machine account passwordfrom the workstation is authenticated against the password on the DC.If there are problems with system time, DNS configuration or other settings, secure channel’s passwordbetween Workstation and DCs may not synchronize with each other.

A common cause of broken secure channel [machine account password] is that the secure channel passwordheld by the domain member does not match that held by the AD. Often, this is caused by performing aWindows System Restore (or reverting to previous backup or snapshot) on the member machine, causing anold (previous) machine account password to be presented to the AD.

Resolution:

Most simple resolution would be unjoin/disjoin the computer from the domain and rejoin the computeraccount back to the domain.(this is a somewhat similar principle to performing a password reset for a user account)

Or

You can go ahead and reset the computer account using netdom.exe tool

http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspxNetdom

Enables administrators to manage Active Directory domains and trust relationships from the command prompt.

Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It isavailable if you have the Active Directory Domain Services (AD DS) server role installed. It is also available ifyou install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools(RSAT).

You can use netdom to :Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server

2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain. Manage computer accounts for domain member workstations and member servers. Managementoperations include: Establish one-way or two-way trust relationships between domains, including the following kinds of trustrelationships: Verify or reset the secure channel for the following configurations:

* Member workstations and servers . * Backup domain controllers (BDCs) in a Windows NT 4.0 domain. * Specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000replicas.

Manage trust relationships between domains.

SyntaxNetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]

http://technet.microsoft.com/en-us/library/cc788073%28v=ws.10%29.aspxNetdom reset

Resets the secure connection between a workstation and a domain controller.

Syntaxnetdom reset <Computer> {/d: | /domain:}<Domain> [{/s: | /server:}<Server>] [{/uo: | /usero:}<User> {/po: | /passwordo}{<Password>|*}] [{/help | /?}]

Further information :http://technet.microsoft.com/en-us/library/cc835085%28v=ws.10%29.aspxNetdom trust

Establishes, verifies, or resets a trust relationship between domains.

Syntaxnetdom trust <TrustingDomainName> {/d: | /domain:} <TrustedDomainName> [{/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}] [{/uo: | /usero:}<User>] [{/po: | /passwordo:}{<Password>|*}] [/verify] [/reset] [/passwordt:<NewRealmTrustPassword>] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:<TrustName> [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH][/AddTLN][/AddTLNEX][/RemoveTLN] [/RemoveTLNEX][{/help | /?}]

QUESTION 38Your company has an Active Directory forest that contains a single domain . The domain member server has an Active Directory Federation Services (AD FS) role i nstalled .

You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directorydomain .

What should you do?

A. Add and configure a new account partner.B. Add and configure a new resource partner.C. Add and configure a new account store.D. Add and configure a Claims-aware application.



Answer : ???

Explanation :http://technet.microsoft.com/en-us/library/cc732095.aspxUnderstanding Account Stores

Active Directory Federation Services (AD FS) uses account stores to log on users and extract security claimsfor those users. You can configure multiple account stores for a single Federation Service . You can alsodefine their priority. The Federation Service uses Lightweight Directory Access Protocol (LDAP) tocommunicate with account stores. AD FS supports the following two account stores:

Active Directory Domain Services (AD DS)Active Directory Lightweight Directory Services (AD LDS)

Further information :

QUESTION 39You network consists of a single Active Directory domain . All domain controllers run Windows Server 2008 R2 .

You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller .

What tool should you use?

A. Active Directory Users and Computers snap-inB. ntdsutilC. Local Users and Groups snap-inD. dsmod


Explanation/Reference:Answer : ntdsutil

Explanation :http://technet.microsoft.com/en-us/library/cc753343%28v=ws.10%29.aspxNtdsutil

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services(AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands toperform database maintenance of AD DS, manage and control single master operations, and remove metadataleft behind by domain controllers that were removed from the network without being properly uninstalled. Thistool is intended for use by experienced administrators.

..Commands..set DSRM password - Resets the Directory Services Restore Mode (DSRM) administrator password.

Further information :http://technet.microsoft.com/en-us/library/cc754363%28v=ws.10%29.aspxset DSRM password

Resets the Directory Services Restore Mode (DSRM) password on a domain controller. At the Reset DSRM

Administrator Password: prompt, type any of the parameters listed under “Syntax.”

This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built intoWindows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active DirectoryDomain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed.Dsmgmt is available if you have the AD LDS server role installed. These tools are also available if you installthe Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).

QUESTION 40Your company has a main office and a branch office . You deploy a read-only domain controller (RODC) that runs Microsoft Windows Server 2008 to thebranch office .

You need to ensure that users at the branch office are able to log on to the domain by using the RODC .

What should you do?

A. Add another RODC to the branch office.B. Configure a new bridgehead server in the main office.C. Decrease the replication interval for all connection objects by using the Active Directory Sites and Services

console.D. Configure the Password Replication Policy on the RODC.


Explanation/Reference:Answer : Configure the Password Replication Policy on the RODC.

Explanation :http://technet.microsoft.com/en-us/library/cc754956%28v=ws.10%29.aspxRODC Frequently Asked Questions

What new attributes support the RODC Password Replication Policy?

Password Replication Policy is the mechanism for determining whether a user or computer's credentials areallowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is alwaysset on a writable domain controller running Windows Server 2008.

..

What operations fail if the WAN is offline, but the RODC is online in the branch office?

If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, thefollowing branch office operations fail:

Password changesAttempts to join a computer to a domainComputer renameAuthentication attempts for accounts whose credentials are not cached on the RODCGroup Policy updates that an administrator might attempt by running the gpupdate /force command

What operations succeed if the WAN is offline, but the RODC is online in the branch office?

If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, thefollowing branch office operations succeed:

Authentication and logon attempts , if the credentials for the resource and the requester are alreadycached.Local RODC server administration performed by a delegated RODC server administrator.


QUESTION 41Your company has a single Active Directory domain named intranet.adatum.com . The domain controllers run Windows Server 2008 and the DNS server role . All computers , including non-domain members , dynamically register their DNS records .

You need to configure the intranet.adatum.com zone to a llow only domain members to dynamicallyregister DNS records .

What should you do?

A. Set dynamic updates to Secure Only.B. Remove the Authenticated Users group.C. Enable zone transfers to Name Servers.D. Deny the Everyone group the Create All Child Objects permission.


Explanation/Reference:Answer : Set dynamic updates to Secure Only.

Explanation :http://technet.microsoft.com/en-us/library/cc753751.aspxAllow Only Secure Dynamic Updates

Domain Name System (DNS) client computers can use dynamic update to register and dynamically updatetheir resource records with a DNS server whenever changes occur. This reduces the need for manualadministration of zone records, especially for clients that frequently move or change locations and use DynamicHost Configuration Protocol (DHCP) to obtain an IP address.

Dynamic updates can be secure or nonsecure. DNS update security is available only for zones that areintegrated into Active Directory Domain Services (AD DS). After you directory-integrate a zone, access controllist (ACL) editing features are available in DNS Manager so that you can add or remove users or groups fromthe ACL for a specified zone or resource record.

Further information :http://technet.microsoft.com/en-us/library/cc771255.aspxUnderstanding Dynamic Update

QUESTION 42Your network consists of a single Active Directory domain . All domain controllers run Windows Server 2008 R2 and are configured as DNS servers .A domain controller named DC1 has a standard primary zone for contoso.com . A domain controller named DC2 has a standard secondary zone for contoso.com .

You need to ensure that the replication of the contoso. com zone is encrypted .You must not lose any zone data .

What should you do?

A. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone.B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.

C. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on thesecondary zone.

D. On both servers, modify the interface that the DNS server listens on.


Explanation/Reference:Answer : Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.

Explanation :http://technet.microsoft.com/en-us/library/cc771150.aspxChange the Zone TypeYou can use this procedure to change make a zone a primary, secondary, or stub zone. You can also use it to integrate a zone with Active Directory Domain Servi ces (AD DS) .

http://technet.microsoft.com/en-us/library/cc726034.aspxUnderstanding Active Directory Domain Services Integration

The DNS Server service is integrated into the design and implementation of Active Directory Domain Services(AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in anetwork.

Benefits of AD DS integrationFor networks that deploy DNS to support AD DS, directory-integrated primary zones are stronglyrecommended. They provide the following benefits:

DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master updatemodel. In this model, a single authoritative DNS server for a zone is designated as the primary sourcefor the zone. This server maintains the master copy of the zone in a local file. With this model, theprimary server for the zone represents a single fixed point of failure. If this server is not available,update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNSserver and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. Inthis model, any AD DS-integrated DNS servercan accept dynamic updates for the zone. Because themaster copy of the zone is maintained in the AD DS database, which is fully replicated to all domaincontrollers, the zone can be updated by the DNS servers operating at any domain controller for thedomain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domaincontroller is available and reachable on the network...

Zones are replicated and synchronized to new domain controllers automatically whenever a new one isadded to an AD DS domain. By integrating storage of your DNS zone databases in AD DS, you can streamline database replicationplanning for your network. Directory-integrated replication is faster and more efficient than standard DNS replication.

http://technet.microsoft.com/en-us/library/ee649124%28v=ws.10%29.aspxDeploy IPsec Policy to DNS Servers

You can deploy IPsec rules through one of the following mechanisms:Domain Controllers organizational unit (OU): If the DNS servers in your domain are Active Direct ory-integrated, you can deploy IPsec policy settings us ing the Domain Controllers OU . This option isrecommended to make configuration and deployment easier.DNS Server OU or security group: If you have DNS servers that are not domain controllers, then considercreating a separate OU or a security group with the computer accounts of your DNS servers.Local firewall configuration: Use this option if you have DNS servers that are not domain members or if you

have a small number of DNS servers that you want to configure locally.

http://technet.microsoft.com/en-us/library/cc772661%28v=ws.10%29.aspxDeploying Secure DNS

Protecting DNS ServersWhen the integrity of the responses of a DNS server are compromised or corrupted, or when the DNS data istampered with, clients can be misdirected to unauthorized locations without their knowledge. After the clientsstart communicating with these unauthorized locations, attempts can be made to gain access to informationthat is stored on the client computers. Spoofing and cache pollution are examples of this type of attack.

Another type of attack, the denial-of-service attack, attempts to incapacitate a DNS server to make DNSinfrastructure unavailable in an enterprise. To protect your DNS servers from these types of attacks:

Use IPsec between DNS clients and servers .Monitor network activity.Close all unused firewall ports.

Implementing IPsec Between DNS Clients and ServersIPsec encrypts all traffic over a network connectio n. Encryption minimizes the risk that data that is sentbetween the DNS clients and the DNS servers can be scanned for sensitive information or tampered with byanyone attempting to collect information by monitoring traffic on the network. When IPsec is enabled, both endsof a connection are validated before communication begins. A client can be certain that the DNS server withwhich it is communicating is a valid server. Also, all communication over the connection is encrypted, therebyeliminating the possibility of tampering with client communication. Encryption prevents spoofing attacks, whichare false responses to DNS client queries by unauthorized sources that act like a DNS server.

Further information :http://technet.microsoft.com/en-us/library/cc771898.aspxUnderstanding Zone Types

The DNS Server service provides for three types of zones:Primary zoneSecondary zoneStub zone

Note: If the DNS server is also an Active Directory Domain Services (AD DS) domain controller, primary zonesand stub zones can be stored in AD DS.

The following sections describe each of these zone types:

Primary zoneWhen a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for informationabout this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is storedin a file, by default the primary zone file is named zone_name.dns and it is located in the %windir%\System32\Dns folder on the server.

Secondary zoneWhen a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source forinformation about this zone. The zone at this server must be obtained from another remote DNS servercomputer that also hosts the zone. This DNS server must have network access to the remote DNS server thatsupplies this server with updated information about the zone. Because a secondary zone is merely a copy of aprimary zone that is hosted on another server, it cannot be stored in AD DS.

Stub zoneWhen a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information aboutthe authoritative name servers for this zone. The zone at this server must be obtained from another DNS serverthat hosts the zone. This DNS server must have network access to the remote DNS server to copy theauthoritative name server information about the zone.

You can use stub zones to:Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, theDNS server that hosts both the parent zone and the stub zone will maintain a current list of authoritativeDNS servers for the child zone.Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list ofname servers, without having to query the Internet or an internal root server for the DNS namespace.Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute alist of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do notserve the same purpose as secondary zones, and they are not an alternative for enhancing redundancy andload sharing.

There are two lists of DNS servers involved in the loading and maintenance of a stub zone:The list of master servers from which the DNS server loads and updates a stub zone. A master server maybe a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNSservers for the zone.The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server(NS) resource records.

When a DNS server loads a stub zone, such as widgets.tailspintoys.com, it queries the master servers, whichcan be in different locations, for the necessary resource records of the authoritative servers for the zonewidgets.tailspintoys.com. The list of master servers may contain a single server or multiple servers, and it canbe changed anytime.

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d352966e-b1ec-46b6-a8b4-317c2c3388c3/Answered what is non-standard dns secondary zone?

Q: While passing through 70-291 exam prep questions, I encountered the term "standard secondary zone".From the context of other questions I understood that "standard", in context of primary zone, mean "non-AD-integrated".A: Standard means it is not an AD integrated zone. AD integrated zones are stored in the AD databaseand not in a text file .

Q: What does "standard" mean in context of DNS secondary zone?A: It means the same thing in context of a Standard Primary Zone. Simply stated, "Standard" means thezone data is stored in a text file, which can be fo und in system32\dns .

QUESTION 43You are decommissioning domain controllers that hold all forest-wide operations master roles .

You need to transfer all forest-wide operations master roles to another domain controller .

Which two roles should you transfer ? (Each correct answer presents part of the solution. Choose two .)

A. Domain naming masterB. Infrastructure masterC. RID masterD. PDC emulatorE. Schema master

Correct Answer: AESection: (none)Explanation

Explanation/Reference:Answer : Schema master

Domain naming master

Explanation :http://social.technet.microsoft.com/wiki/contents/articles/832.transferring-fsmo-roles-in-windows-server-2008.aspxTransferring FSMO Roles in Windows Server 2008

One of any system administrator duties, would be to upgrade a current domain controller to a new hardwareserver. One of the crucial steps required to successfully migrate your domain controller, is to be able tosuccessfully transfer the FSMO roles to the new hardware server. FSMO stands for Flexible Single MasterOperations, and in a forest there are at least five roles.

The five FSMO roles are:Schema MasterDomain Naming MasterInfrastructure MasterRelative ID (RID) MasterPDC Emulator

The first two roles above are forest-wide , meaning there is one of each for the entire forest. The last three aredomain-wide, meaning there is one of each per domain. If there is one domain in your forest, you will have fiveFSMO roles. If you have three domains in your forest, there will be 11 FSMO roles.

QUESTION 44Contoso, Ltd. has an Active Directory domain named ad.contoso.com . Fabrikam, Inc. has an Active Directory domain named intranet.fabrikam.com . Fabrikam's security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network.

You need to ensure that the Contoso users are able to r esolve names from the intranet.fabrikam.comdomain .

What should you do?

A. Create a new stub zone for the intranet.fabrikam.com domain.B. Configure conditional forwarding for the intranet.fabrikam.com domain.C. Create a standard secondary zone for the intranet.fabrikam.com domain.D. Create an Active Directory Integrated zone for the intranet.fabrikam.com domain.


Explanation/Reference:Answer : Configure conditional forwarding for the intranet.fabrikam.com domain.

Explanation :http://technet.microsoft.com/en-us/library/cc730756.aspxUnderstanding Forwarders




...


Further information :http://technet.microsoft.com/en-us/library/cc794735%28v=ws.10%29.aspxAssign a Conditional Forwarder for a Domain Name

http://technet.microsoft.com/en-us/library/cc754941.aspxConfigure a DNS Server to Use Forwarders

QUESTION 45An Active Directory database is installed on the C volume of a domain controller .

You need to move the Active Directory database to a ne w volume .

What should you do?

A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.B. Move the ntds.dit file to the new volume by using Windows Explorer.C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows

PowerShell.D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.


Explanation/Reference:Answer : Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.

Explanation :http://technet.microsoft.com/en-us/library/cc816720%28v=ws.10%29.aspxMove the Directory Database and Log Files to a Local Drive

You can use this procedure to move Active Directory database and log files to a local drive.

When you move the files to a folder on the local domain controller, you can move them permanently ortemporarily. Move the files to a temporary destination if you need to reformat the original location, or move thefiles to a permanent location if you have additional disk space. If you reformat the original drive, use the sameprocedure to move the files back after the reformat is complete. Ntdsutil.exe updates the registry when youmove files locally. Even if you are moving the files only temporarily, use Ntdsutil.exe so that the registry isalways current.

On a domain controller that is running Windows Server 2008, you do not have to restart the domain controller inDirectory Services Restore Mode (DSRM) to move database files. You can stop the Active Directory DomainServices (AD DS) service and then restart the service after you move the files to their permanent location.

To move the directory database and log files to a local drive:..7. At the ntdsutil prompt , type files , and then press ENTER.8. To move the database file, at the file maintenance: prompt, use the following commands:....

Further information:http://servergeeks.wordpress.com/2013/01/01/moving-active-directory-database-and-logs/Moving Active Directory Database and Logs

Step 1

Start the server in Directory Services Restore Mode

Windows Server 2003/2008 Directory Service opens its files in exclusive mode. This means that the filescannot be managed while the server is operating as a domain controller. To perform any files movementrelated activities using ntdsutil, we need to start the server in Directory Services Restore Mode.

To start the server in Directory Services Restore mode, follow these steps: Restart the computer. After the BIOS information is displayed, press F8. Use the DOWN ARROW to select Directory Services Restore Mode, and then press ENTER.

Log on with your local administrative account and password. (Not Domain Administrative account)

Note: using service control (SC.exe) you can verify quickly ntds services are running or stopped. In commandprompt type SC query ntds

Step 2

How to Move Active Directory Database and Logs

You can move the Ntds.dit data file to a new folder. If you do so, the registry is updated so that DirectoryService uses the new location when you restart the server.

To move the data file to another folder, follow these steps: Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.

At the Ntdsutil command prompt, type activate instance ntds, and then press ENTER.

At the Ntdsutil command prompt, type files, and then press ENTER.

At the file maintenance command prompt, type move DB to <new location> (where new location is anexisting folder that you have created for this purpose) and then press ENTER.

In this case, the new location for database is C:\AD\Database

Now to move logs , at the file maintenance command prompt, type move logs to <new location> (where newlocation is an existing folder that you have created for this purpose) and then press ENTER. In our case, thenew location for database is C:\AD\Logs

To quit file maintenance, type quit. Again to Ntdsutil, type quit to close the promptRestart the computer. AD database and Logs are moved successfully to new location.

QUESTION 46Your company has file servers located in an organizational unit named Payroll . The file servers contain payroll files located in a folder named Payroll .

You create a GPO .

You need to track which employees access the Payroll fi les on the file servers .

What should you do?

A. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. Onthe file servers, configure Auditing for the Authenticated Users group in the Payroll folder.

B. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers,configure Auditing for the Everyone group in the Payroll folder.

C. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the fileservers, configure Auditing for the Everyone group in the Payroll folder.

D. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configureAuditing for the Authenticated Users group in the Payroll folder.


Explanation/Reference:Answer : Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the fileservers, configure Auditing for the Everyone group in the Payroll folder.

Explanation :http://technet.microsoft.com/en-us/library/dd349800%28v=ws.10%29.aspxAudit Policy

Establishing an organizational computer system audit policy is an important facet of information security.Configuring Audit policy settings that monitor the creation or modification of objects gives you a way to trackpotential security problems, helps to ensure user accountability, and provides evidence in the event of asecurity breach.

There are nine different kinds of events for which you can specify Audit Policy settings. If you audit any of thesekinds of events, Windows® records the events in the Security log, which you can find in Event Viewer...

Object access. Audit this to record when someone has used a file, folder, printer, or other object...

Process tracking. Audit this to record when events such as program activation or a process exiting occur...

When you implement Audit Policy settings:..

If you want to audit directory service access or object access, determine which objects you want to auditaccess of and what type of access you want to audit. For example, if you want to audit all attempts by usersto open a particular file, you can configure audit policy settings in the object access event category so thatboth successful and failed attempts to read a file are recorded.

Further information :http://technet.microsoft.com/en-us/library/hh147307%28v=ws.10%29.aspxGroup Policy for Beginners

Group Policy Links

At the top level of AD DS are sites and domains. Simple implementations will have a single site and a singledomain. Within a domain, you can create organizational units (OUs). OUs are like folders in Windows Explorer.Instead of containing files and subfolders, however, they can contain computers, users, and other objects.

For example, in Figure 1 you see an OU named Departments. Below the Departments OU, you see four

subfolders: Accounting, Engineering, Management, and Marketing. These are child OUs. Other than theDomain Controllers OU that you see in Figure 1, nothing else in the figure is an OU.

What does this have to do with Group Policy links? Well, GPOs in the Group Policy objects folder have noimpact unless you link them to a site, domain, or O U. When you link a GPO to a container, Group Policyapplies the GPO’s settings to the computers and users in that container.

QUESTION 47Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates.

You need to implement key archival .

What should you do?

A. Configure the certificate for automatic enrollment for the computers that store encrypted files.B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.C. Apply the Hisecdc security template to the domain controllers.D. Archive the private key on the server.


Explanation/Reference:Answer : Archive the private key on the server.

Explanation :http://technet.microsoft.com/en-us/library/cc753011.aspxEnable Key Archival for a CA

Before a key recovery agent can use a key recovery certificate, the key recovery agent must have enrolled forthe key recovery certificate and be registered as the recovery agent for the certification authority (CA).You must be a CA administrator to complete this procedure.

To enable key archival for a CA:1. Open the Certification Authority snap-in.2. In the console tree, click the name of the CA.3. On the Action menu, click Properties.4. Click the Recovery Agents tab, and then click Archive the key .5. In Number of recovery agents to use, type the number of key recovery agents that will be used to encrypt

the archived key.The Number of recovery agents to use must be between one and the number of key recovery agentcertificates that have been configured.

6. Click Add. Then, in Key Recovery Agent Selection, click the key recovery certificates that are displayed, andclick OK.

7. The certificates should appear in the Key recovery agent certificates list, but their status is listed as Notloaded.

8. Click OK or Apply. When prompted to restart the CA, click Yes. When the CA has restarted, the status ofthe certificates should be listed as Valid.

Further information :http://technet.microsoft.com/en-us/library/ee449489%28v=ws.10%29.aspxKey Archival and Management in Windows Server 2008

http://technet.microsoft.com/en-us/library/cc730721.aspxManaging Key Archival and Recovery

QUESTION 48Your company has an Active Directory domain that runs Windows Server 2008 R2 . The Sales OU contains an OU for Computers , an OU for Groups and an OU for Users .

You perform nightly backups . An administrator deletes the Groups OU .

You need to restore the Groups OU without affecting us ers and computers in the Sales OU .

What should you do?

A. Perform an authoritative restore of the Sales OU.B. Perform a non-authoritative restore of the Sales OU.C. Perform an authoritative restore of the Groups OU.D. Perform a non-authoritative restore of the Groups OU.


Explanation/Reference:Answer : Perform an authoritative restore of the Groups OU.

Explanation :http://technet.microsoft.com/en-us/library/cc816878%28v=ws.10%29.aspxPerforming Authoritative Restore of Active Directory Objects

An authoritative restore process returns a designated, deleted Active Directory object or container of objectsto its predeletion state at the time when it was backed up. For example, you might have to perform anauthoritative restore if an administrator inadvertently deletes an organizational unit (OU) that contains a largenumber of users. In most cases, there are two parts to the authoritative restore process: a nonauthoritativerestore from backup, followed by an authoritative restore of the deleted objects. If you perform anonauthoritative restore from backup only, the deleted OU is not restored because the restored domaincontroller is updated after the restore process to the current status of its replication partners, which havedeleted the OU. To recover the deleted OU, after you perform nonauthoritative restore from backup and beforeallowing replication to occur, you must perform an authoritative restore procedure. During the authoritativerestore procedure, you mark the OU as authoritative and let the replication process restore it to all the otherdomain controllers in the domain. After an authoritative restore, you also restore group memberships, ifnecessary.

QUESTION 49Your network consists of a single Active Directory domain . The functional level of the forest is Windows Server 2008 R2 .

You need to create multiple password policies for users in your domain .


What should you do?

A. From the Group Policy Management snap-in, create multiple Group Policy objects.B. From the Schema snap-in, create multiple class schema objects.

C. From the ADSI Edit snap-in, create multiple Password Setting objects.D. From the Security Configuration Wizard, create multiple security policies.


Explanation/Reference:Answer : From the ADSI Edit snap-in, create multiple Password Setting objects.

Explanation :http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspxAD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

..In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies andapply different password restrictions and account lockout policies to different sets of users within a singledomain...To store fine-grained password policies, Windows Server 2008 includes two new object classes in the ActiveDirectory Domain Services (AD DS) schema:

Password Settings ContainerPassword Settings

The Password Settings Container (PSC) object class is created by default under the System container in thedomain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or deletethis container. ...Steps to configure fine-grained password and account lockout policies

When the group structure of your organization is defined and implemented, you can configure and apply fine-grained password and account lockout policies to users and global security groups. Configuring fine-grainedpassword and account lockout policies involves the following steps: Step 1: Create a PSO Step 2: Apply PSOs to Users and Global Security Groups Step 3: Manage a PSO Step 4: View a Resultant PSO for a User or a Global Security Group

http://technet.microsoft.com/en-us/library/cc754461%28v=ws.10%29.aspxStep 1: Create a PSO

You can create Password Settings objects (PSOs): Creating a PSO using the Active Directory module for Windows PowerShell Creating a PSO using ADSI Edit Creating a PSO using ldifde

QUESTION 50You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server .

You need to record all inbound DNS queries to the serve r.

What should you configure in the DNS Manager console?

A. Enable debug logging.B. Enable automatic testing for simple queries.C. Configure event logging to log errors and warnings.D. Enable automatic testing for recursive queries.


Explanation/Reference:Answer : Enable debug logging.

Explanation :http://technet.microsoft.com/en-us/library/cc753579.aspxDNS Tools

Event-monitoring utilities

The Windows Server 2008 family includes two options for monitoring DNS servers:Default logging of DNS server event messages to the DNS server log.DNS server event messages are separated and kept in their own system event log, the DNS server log,which you can view using DNS Manager or Event Viewer.The DNS server log contains events that are logged by the DNS Server service. For example, when theDNS server starts or stops, a corresponding event message is written to this log. Most additional criticalDNS Server service events are also logged here, for example, when the server starts but cannot locateinitializing data and zones or boot information stored in the registry or (in some cases) Active DirectoryDomain Services (AD DS).You can use Event Viewer to view and monitor client-related DNS events. These events appear in theSystem log, and they are written by the DNS Client service at any computers running Windows (allversions).Optional debug options for trace logging to a text file on the DNS server computer.You can also use DNS Manager to selectively enable additional debug logging options for temporary tracelogging to a text-based file of DNS server activity. The file that is created and used for this feature, Dns.log,is stored in the %systemroot%\System32\Dns folder.

http://technet.microsoft.com/en-us/library/cc776361%28v=ws.10%29.aspxUsing server debug logging options

The following DNS debug logging options are available:Direction of packets

Send Packets sent by the DNS server are logged in the DNS server log file.Receive Packets received by the DNS server are logged in the log file....

Further information :http://technet.microsoft.com/en-us/library/cc759581%28v=ws.10%29.aspxSelect and enable debug logging options on the DNS server

QUESTION 51Your company has a main office and a branch office . The company has a single-domain Active Directory forest . The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2 . The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3.

All domain controllers hold the DNS Server role and are configured as Active Directory-integrated zones . The DNS zones only allow secure updates .

You need to enable dynamic DNS updates on DC3 .

What should you do?

A. Run the Dnscmd.exe /ZoneResetType command on DC3.B. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.C. Create a custom application directory partition on DC1. Configure the partition to store Active Directory-

integrated zones.D. Run the Ntdsutil.exe > DS Behavior commands on DC3.


Explanation/Reference:Answer : Reinstall Active Directory Domain Services on DC3 as a writable domain controller.

Explanation :http://technet.microsoft.com/en-us/library/cc754218%28WS.10%29.aspx#BKMK_DDNSAppendix A: RODC Technical Reference TopicsDNS updates for clients that are located in an RODC site

When a client attempts a dynamic update, it sends a start of authority (SOA) query to its preferred DomainName System (DNS) server. Typically, clients are configured to use the DNS server in their branch site as theirpreferred DNS server. The RODC does not hold a writeable copy of the DNS zone. Therefore, when it isqueried for the SOA record, it returns the name of a writable domain controller that runs Windows Server 2008or later and hosts the Active Directory–integrated zone, just as a secondary DNS server handles updates forzones that are not Active Directory–integrated zones. After it receives the name of a writable domain controllerthat runs Windows Server 2008 or later, the client is then responsible for performing the DNS recordregistration against the writeable server. The RODC waits a certain amount of time, as explained below, andthen it attempts to replicate the updated DNS object in Active Directory Domain Services (AD DS) from theDNS server that it referred the client to through an RSO operation.

Note:For the DNS server on the RODC to perform an RSO operation of the DNS record update, a DNS server thatruns Windows Server 2008 or later must host writeable copies of the zone that contains the record. That DNSserver must register a name server (NS) resource record for the zone. The Windows Server 2003 BranchOffice Guide recommended restricting name server (NS) resource record registration to a subset of theavailable DNS servers. If you followed those guidelines and you do not register at least one writable DNS serverthat runs Windows Server 2008 or later as a name server for the zone, the DNS server on the RODC attemptsto perform the RSO operation with a DNS server that runs Windows Server 2003. That operation fails andgenerates a 4015 Error in the DNS event log of the RODC, and replication of the DNS record update will bedelayed until the next scheduled replication cycle.

Further information :http://technet.microsoft.com/en-us/library/dd737255%28v=ws.10%29.aspxPlan DNS Servers for Branch Office Environments

This topic describes best practices for installing Domain Name System (DNS) servers to support ActiveDirectory Domain Services (AD DS) in branch office environments.

As a best practice, use Active Directory–integrated DNS zones, which are hosted in the application directorypartitions named ForestDNSZones and DomainDNSZones. The following guidelines are based on theassumption that you are following this best practice.

In branch offices that have a read-only domain controller (RODC), install a DNS server on each RODC so thatclient computers in the branch office can still perform DNS lookups when the wide area network (WAN) link to aDNS server in a hub site is not available. The best practice is to install the DNS server when you install AD DS,using Dcpromo.exe. Otherwise, you must use Dnscmd.exe to enlist the RODC in the DNS application directorypartitions that host Active Directory–integrated DNS zones.

Note: You also have to configure the DNS client’s setting for the RODC so that it points to itself as its preferredDNS server.

To facilitate dynamic updates for DNS clients in branch offices that have an RODC, you should have at leastone writeable Windows Server 2008 DNS server that hosts the corresponding DNS zone for which clientcomputers in the branch office are attempting to make DNS updates. The writeable Windows Server 2008 DNSserver must register name server (NS) resource records for that zone.

By having the writeable Windows Server 2008 DNS server host the corresponding zone, client computers thatare in branch offices that are serviced by RODCs can make dynamic updates more efficiently. This is becausethe updates replicate back to the RODCs in their respective branch offices by means of a replicate-single-object (RSO) operation, rather than waiting for the next scheduled replication cycle.

For example, suppose that you add a new member server in a branch office, Branch1, which includes anRODC. The member server hosts an application that you want client computers in Branch1 to locate by using aDNS query. When the member server attempts to register its host (A or AAAA) resource records for its IPaddress to a DNS zone, it performs a dynamic update on a writeable Windows Server 2008 or Windows Server2008 R2 DNS server that the RODC tracks in Branch1. If a writeable Windows Server 2008 DNS server hoststhe DNS zone, the RODC in Branch1 replicates the updated zone information as soon as possible from thewriteable Windows Server 2008 DNS server. Then, client computers in Branch1 can successfully locate thenew member server by querying the RODC in Branch1 for its IP address.

If you do not have a writeable Windows Server 2008 DNS server that hosts the DNS zone, the update can stillsucceed against Windows Server 2003 DNS server if one is available but the updated record in the DNS zonewill not replicate to the RODC in Branch1 until the next scheduled replication cycle, which can delay clientcomputers that use the RODC DNS server for name resolution from locating the new member server.

QUESTION 52Your company has an Active Directory domain named ad.contoso.com . The domain has two domain controllers named DC1 and DC2.Both domain controllers have the DNS server role installed.

You install a new DNS server named DNS1.contoso.com on the perimeter network . You configure DC1 to forward all unresolved name requests to DNS1.contoso.com .

You discover that the DNS forwarding option is unavaila ble on DC2 .

You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com server .


A. Clear the DNS cache on DC2.B. Configure conditional forwarding on DC2.C. Configure the Listen On address on DC2.D. Delete the Root zone on DC2.

Correct Answer: BDSection: (none)Explanation

Explanation/Reference:Answer : Delete the Root zone on DC2. Configure conditional forwarding on DC2.

Explanation :http://technet.microsoft.com/en-us/library/cc754941.aspxConfigure a DNS Server to Use Forwarders

A forwarder is a Domain Name System (DNS) server on a network that is used to forward DNS queries for

external DNS names to DNS servers outside that network. You can also configure your server to forwardqueries according to specific domain names using conditional forwarders .

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0ca38ece-d76e-42f0-85d5-a342f9e169f5/Deleting .root dns zone in 2008 DNS

Q: We have 2 domain controllers and .root zone is created in the DNS. Due to which the external nameresolution is not possible. I had tried to add conditional forwarders but i get an error saying that conditionalforwarders cannot be created on root DNS servers .A 1: If you have a "root" zone created in your DNS, and you no longer want that configuration, you can justsimply delete that zone. There is no reason to have a root "." zone hosted unless you want to make sure thatthe DNS server is authoritative for all queries and not allow the DNS server to go elsewhere for nameresolution.If you delete this zone, the DNS server will be able to use its root hints, or fowarders to resolve queries forzones its not authoritative for.A 2: That was from the old 2000 days where DCPROMO would create it if it detected no internet access whilepromoting the first DC. Jut remove it, and the Forwarders option reappear .s

Further information :http://support.microsoft.com/kb/298148How To Remove the Root Zone (Dot Zone)

http://technet.microsoft.com/en-us/library/cc731879%28v=ws.10%29.aspxReviewing DNS Concepts

DelegationFor a DNS server to answer queries about any name, it must have a direct or indirect path to every zone in thenamespace. These paths are created by means of delegation. A delegation is a record in a parent zone thatlists a name server that is authoritative for the zone in the next level of the hierarchy. Delegations make itpossible for servers in one zone to refer clients to servers in other zones. The following illustration shows oneexample of delegation.

The DNS root server hosts the root zone represented as a dot ( . ). The root zone contains a delegation to azone in the next level of the hierarchy, the com zone. The delegation in the root zone tells the DNS root serverthat, to find the com zone, it must contact the Com server. Likewise, the delegation in the com zone tells theCom server that, to find the contoso.com zone, it must contact the Contoso server.

Note: A delegation uses two types of records. The name server (NS) resource record provides the name of anauthoritative server. Host (A) and host (AAAA) resource records provide IP version 4 (IPv4) and IP version 6(IPv6) addresses of an authoritative server.

This system of zones and delegations creates a hierarchical tree that represents the DNS namespace. Eachzone represents a layer in the hierarchy, and each delegation represents a branch of the tree.

By using the hierarchy of zones and delegations, a DNS root server can find any name in the DNS namespace.The root zone includes delegations that lead directly or indirectly to all other zones in the hierarchy. Any serverthat can query the DNS root server can use the information in the delegations to find any name in thenamespace.

QUESTION 53Your company has an organizational unit named Production . The Production organizational unit has a child organizational unit named R&D. You create a GPO named Software Deployment and link it to the Production organizational unit .

You create a shadow group for the R&D organizational unit .

You need to deploy an application to users in the Produ ction organizational unit .You also need to ensure that the application is not deployed to users in the R&D organizational unit .

What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two .)

A. Configure the Block Inheritance setting on the R&D organizational unit.B. Configure the Enforce setting on the software deployment GPO.C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D

security group.D. Configure the Block Inheritance setting on the Production organizational unit.


Explanation/Reference:Answer : Configure the Block Inheritance setting on the R&D organizational unit. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&Dsecurity group.

Explanation :http://technet.microsoft.com/en-us/library/cc757050%28v=ws.10%29.aspxManaging inheritance of Group Policy..Blocking Group Policy inheritanceYou can block policy inheritance for a domain or organizational unit. Using block inheritance prevents GPOslinked to higher sites, domains, or organizational units from being automatically inherited by the child-level. Bydefault, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, ifyou want to apply a single set of policies to an entire domain except for one organizational unit, you can link therequired GPOs at the domain level (from which all organizational units inherit policies by default) and then blockinheritance only on the organizational unit to which the policies should not be applied.

Enforcing a GPO link

You can specify that the settings in a GPO link should take precedence over the settings of any child object bysetting that link to Enforced . GPO-links that are enforced cannot be blocked from the parent container. Withoutenforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings inGPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parentGPO link always has precedence. By default, GPO links are not enforced. In tools prior to GPMC, "enforced"was known as "No override."..

In addition to using GPO links to apply policies, you can also control how GPOs are applied by using securityfilters or WMI filters.

http://technet.microsoft.com/en-us/library/cc781988%28v=ws.10%29.aspxSecurity filtering using GPMC

Security filteringSecurity filtering is a way of refining which users and computers will receive and apply the settings in a GroupPolicy object (GPO). Using security filtering, you can specify that only certain security principals within acontainer where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as awhole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO...Notes:

GPOs cannot be linked directly to users, computers, or security groups. They can only be linked to sites,domains and organizational units. However, by using security filtering, you can narrow the scope of a GPOso that it applies only to a single group, user, or computer.

.. The location of a security group in Active Directory is irrelevant to security group filtering and, moregenerally, irrelevant to Group Policy processing.

Further information :http://technet.microsoft.com/en-us/library/cc731076.aspxBlock Inheritance

http://en.wikipedia.org/wiki/Active_Directory#Shadow_groupsActive DirectoryShadow groups

In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are notautomatically assigned access privileges based on their containing OU. This is a design limitation specific toActive Directory. Other competing directories such as Novell NDS are able to assign access privileges throughobject placement within an OU.

Active Directory requires a separate step for an administrator to assign an object in an OU as a member of agroup also within that OU. Relying on OU location alone to determine access permissions is unreliable,because the object may not have been assigned to the group object for that OU.

A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basicscript to automatically create and maintain a user group for each OU in their directory. The scripts are runperiodically to update the group to match the OU's account membership, but are unable to instantly update thesecurity groups anytime the directory changes, as occurs in competing directories where security is directlyimplemented into the directory itself. Such groups are known as Shadow Groups . Once created, theseshadow groups are selectable in place of the OU in the administrative tools.

Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how tocreate them. There are no built-in server methods or console snap-ins for managing shadow groups.[5]

The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, orby object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation,

and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the onlytrue security boundary is the forest itself and an administrator of any domain in the forest must be trustedacross all domains in the forest.[6]

QUESTION 54You have an existing Active Directory site named Site1 . You create a new Active Directory site and name it Site2 .

You need to configure Active Directory replication betw een Site1 and Site2 .

You install a new domain controller .You create the site link between Site1 and Site2 .

What should you do next?

A. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the newdomain controller object to Site2.

B. Use the Active Directory Sites and Services console to configure a new site link bridge object.C. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2.D. Use the Active Directory Sites and Services console to configure the new domain controller as a preferred

bridgehead server for Site1.


Explanation/Reference:http://www.enterprisenetworkingplanet.com/netsysm/article.php/624411/Intersite-Replication.htmInter-site Replication

The process of creating a custom site link has five basic steps:

1. Create the site link.2. Configure the site link's associated attributes.3. Create site link bridges.4. Configure connection objects. (This step is optional.)5. Designate a preferred bridgehead server. (This step is optional)

http://technet.microsoft.com/en-us/library/cc759160%28v=ws.10%29.aspxReplication between sites

QUESTION 55Your company has an Active Directory forest . Each branch office has an organizational unit and a child organizational unit named Sales . The Sales organizational unit contains all users and co mputers of the sales department .

You need to install an Office 2007 application only on the computers in the Sales organizational unit .

You create a GPO named SalesApp GPO .

What should you do next ?

A. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Salesorganizational unit in each location.

B. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to thedomain.

C. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Salesorganizational unit in each location.

D. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Salesorganizational unit in each location.


Explanation/Reference:Almost the same as B/Q21

Self explanatory.

QUESTION 56Your network consists of an Active Directory forest that contains one domain . All domain controllers run Windows Server 2008 R2 and are configured as DNS servers .

You have an Active Directory-integrated zone .

You have two Active Directory sites . Each site contains five domain controllers .

You add a new NS record to the zone .

You need to ensure that all domain controllers immediat ely receive the new NS record .

What should you do?

A. From the DNS Manager console, reload the zone.B. From the DNS Manager console, increase the version number of the SOA record.C. From the command prompt, run repadmin /syncall.D. From the Services snap-in, restart the DNS Server service.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc835086%28v=ws.10%29.aspxRepadmin /syncall

Synchronizes a specified domain controller with all of its replication partners.

http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/How to force replication of Domain Controllers

From time to time its necessary to kick off AD replication to speed up a task you may be doing, or just a goodtoo to check the status of replication between DC’s.Below is a command to replicate from a specified DC to all other DC’s.

Repadmin /syncall DC_name /APed

By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names)parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it inone step, not many.And with the benefit of seeing immediate results on how the operations are proceeding.

If I am running it on the DC itself, I don’t even have to specify the server name.

QUESTION 57Your company has a single Active Directory domain named intranet.contoso.com . All domain controllers run Windows Server 2008 R2 . The domain functional level is Windows 2000 native and the forest functional level is Windows 2000 .

You need to ensure the UPN suffix for contoso.com is av ailable for user accounts .

What should you do first ?

A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.C. Add the new UPN suffix to the forest.D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to

contoso.com.


Explanation/Reference:http://support.microsoft.com/kb/243629HOW TO: Add UPN Suffixes to a Forest

Adding a UPN Suffix to a Forest

Open Active Directory Domains and Trusts. Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties. On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the forrest. Click Add, and then click OK.

Now when you add users to the forest, you can select the new UPN suffix to complete the user's logon name.

APPLIES TO

Microsoft Windows 2000 Server Microsoft Windows 2000 Advanced Server Microsoft Windows 2000 Datacenter Server

QUESTION 58You have a Windows Server 2008 R2 Enterprise Root CA . Security policy prevents port 443 and port 80 from being opened on domain controllers and on theissuing CA .

You need to allow users to request certificates from a Web interface . You install the Active Directory Certificate Services ( AD CS) server role .


A. Configure the Online Responder Role Service on a member server.B. Configure the Online Responder Role Service on a domain controller.C. Configure the Certificate Enrollment Web Service role service on a member server.D. Configure the Certificate Enrollment Web Service role service on a domain controller.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd759209.aspxCertificate Enrollment Web Service Overview

The Certificate Enrollment Web Service is an Active Directory Certificate Services (AD CS) role service thatenables users and computers to perform certificate enrollment by using the HTTPS protocol. Together with theCertificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the clientcomputer is not a member of a domain or when a domain member is not connected to the domain.

Personal note:since domain controllers are off-limits (regarding open ports), you are left to install the Certificate EnrollmentWeb Service role service on a plain member server

QUESTION 59You need to relocate the existing user and computer obj ects in your company to differentorganizational units .


A. Run the move-item command in the Microsoft Windows PowerShell utility.B. Run the Active Directory Users and Computers utility.C. Run the Dsmove utility.D. Run the Active Directory Migration Tool (ADMT).

Correct Answer: BCSection: (none)Explanation

Explanation/Reference:Personal note:You can simply drag and drop objects when using the Active Directory Users and Computers utility or use thedsmove command.

http://technet.microsoft.com/en-us/library/cc731094%28v=ws.10%29.aspxDsmove

Moves a single object, within a domain, from its current location in the directory to a new location, or renames asingle object without moving it in the directory tree.

QUESTION 60Your network consists of an Active Directory forest named contoso.com . All servers run Windows Server 2008 R2 . All domain controllers are configured as DNS servers . The contoso.com DNS zone is stored in the ForestDnsZone s Active Directory application partition .

You have a member server that contains a standard primary DNS zone for dev.contos o.com .

You need to ensure that all domain controllers can reso lve names for dev.contoso.com .

What should you do?

A. Modify the properties of the SOA record in the contoso.com zone.B. Create a NS record in the contoso.com zone.C. Create a delegation in the contoso.com zone.D. Create a standard secondary zone on a Global Catalog server.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc771640.aspxUnderstanding Zone Delegation

Domain Name System (DNS) provides the option of dividing up the namespace into one or more zones, whichcan then be stored, distributed, and replicated to other DNS servers. When you are deciding whether to divideyour DNS namespace to make additional zones, consider the following reasons to use additional zones:

You want to delegate management of part of your DNS namespace to another location or department inyour organization. You want to divide one large zone into smaller zones to distribute traffic loads among multiple servers,improve DNS name resolution performance, or create a more-fault-tolerant DNS environment. You want to extend the namespace by adding numerous subdomains at once, for example, toaccommodate the opening of a new branch or site.

..When you delegate zones within your namespace, remember that for each new zone that you create, you needdelegation records in other zones that point to the authoritative DNS servers for the new zone. This isnecessary both to transfer authority and to provide correct referral to other DNS servers and clients of the newservers that are being made authoritative for the new zone...

Example: Delegating a subdomain to a new zone

As shown in the following illustration, when a new zone for a subdomain (example.microsoft.com) is created,delegation from the parent zone (microsoft.com) is needed.

QUESTION 61Your company has a single Active Directory domain . All domain controllers run Windows Server 2003 .

You install Windows Server 2008 R2 on a server .

You need to add the new server as a domain controller i n your domain .


A. On a domain controller run adprep /rodcprep.B. On the new server, run dcpromo /adv.C. On the new server, run dcpromo /createdcaccount.D. On a domain controller, run adprep /forestprep.


Explanation/Reference:http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9931e32f-6302-40f0-a7a1-2598a96cd0c1/DC promotion and adprep/forestprep

Q: I've tried to dcpromo a new Windows 2008 server installation to be a Domain Controller, running in anexisting domain. I am informed that, first, I must run adprep/forestprep ("To install a domain controller into thisActive Directory forest, you must first perpare the forest using "adprep/forestprep". The Adprep utility isavailable on the Windows Server 2008 installation media in the Windows\sources\adprep folder"

A1: You can run adprep from an existing Windows Server 2003 domain controller. Copy the contents of the\sources\adprep folder from the Windows Server 2008 installation DVD to the schema master role holder andrun Adprep from there.

A2:to introduce the first W2K8 DC within an AD forest....

(1) no AD forest exists yet:--> on the stand alone server execute: DCPROMO--> and provide the information needed

(2) an W2K or W2K3 AD forest already exists:--> ADPREP /Forestprep on the w2k/w2k3 schema master (both w2k/w2k3 forests)--> ADPREP /rodcprep on the w2k3 domain master (only w2k3 forests)--> ADPREP /domainprep on the w2k3 infrastructure master (only w2k3 domains)--> ADPREP /domainprep /gpprep on the w2k infrastructure master (only w2k domains)--> on the stand alone server execute: DCPROMO--> and provide the information needed

QUESTION 62Your company has a main office and three branch offices . Each office is configured as a separate Active Directory site that has its own domain controller .

You disable an account that has administrative rights .

You need to immediately replicate the disabled account information to all sites .

What are two possible ways to achieve this goal ? (Each correct answer presents a complete solution. Choose two .)

A. From the Active Directory Sites and Services console, configure all domain controllers as global catalogservers.

B. From the Active Directory Sites and Services console, select the existing connection objects and forcereplication.

C. Use Repadmin.exe to force replication between the site connection objects.D. Use Dsmod.exe to configure all domain controllers as global catalog servers.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc835086%28v=ws.10%29.aspxRepadmin /syncall

Synchronizes a specified domain controller with all of its replication partners.

http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/How to force replication of Domain Controllers

From time to time its necessary to kick off AD replication to speed up a task you may be doing, or just a goodtoo to check the status of replication between DC’s.Below is a command to replicate from a specified DC to all other DC’s.

Repadmin /syncall DC_name /APed

By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names)parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it inone step, not many.And with the benefit of seeing immediate results on how the operations are proceeding.

If I am running it on the DC itself, I don’t even have to specify the server name.

http://technet.microsoft.com/en-us/library/cc776188%28v=ws.10%29.aspxForce replication over a connection

To force replication over a connection1. Open Active Directory Sites and Services....

QUESTION 63Your network consists of a single Active Directory domain . All domain controllers run Windows Server 2008 R2 .

You need to capture all replication errors from all dom ain controllers to a central location .

What should you do?

A. Start the Active Directory Diagnostics data collector set.B. Start the System Performance data collector set.C. Install Network Monitor and create a new a new capture.D. Configure event log subscriptions.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc748890.aspxConfigure Computers to Forward and Collect Events

Before you can create a subscription to collect events on a computer, you must configure both the collectingcomputer (collector) and each computer from which events will be collected (source).

http://technet.microsoft.com/en-us/library/cc749183.aspxEvent Subscriptions

Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issuemight require you to examine a set of events stored in multiple logs on multiple computers.

Windows Vista includes the ability to collect copies of events from multiple remote computers and store themlocally. To specify which events to collect, you create an event subscription. Among other details, thesubscription specifies exactly which events will be collected and in which log they will be stored locally. Once asubscription is active and events are being collected, you can view and manipulate these forwarded events asyou would any other locally stored events.

Using the event collecting feature requires that you configure both the forwarding and the collecting computers.The functionality depends on the Windows Remote Management (WinRM) service and the Windows EventCollector (Wecsvc) service. Both of these services must be running on computers participating in theforwarding and collecting process.

http://technet.microsoft.com/en-us/library/cc961808.aspxReplication Issues

QUESTION 64Your company has an Active Directory forest that contains client computers that run Windows Vista andMicrosoft Windows XP .

You need to ensure that users are able to install appro ved application updates on their computers .


A. Set up Automatic Updates through Control Panel on the client computers.

B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automaticallysearch for updates on the Microsoft Update site.

C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the WindowsServer Update Services (WSUS) server for approved updates.

D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates onthe Internet. Approve all required updates.

Correct Answer: CDSection: (none)Explanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc720539%28v=ws.10%29.aspxConfigure Automatic Updates by Using Group Policy

When you configure the Group Policy settings for WSUS, use a Group Policy object (GPO) linked to an ActiveDirectory container appropriate for your environment.

QUESTION 65Your company has an Active Directory forest . The company has three locations . Each location has an organizational unit and a child organizational unit named Sales . The Sales organizational unit contains all users and co mputers of the sales department .

The company plans to deploy a Microsoft Office 2007 app lication on all computers within the threeSales organizational units .

You need to ensure that the Office 2007 application is installed only on the computers in the Salesorganizational units .

What should you do?

A. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the applicationto the computer account. Link the SalesAPP GPO to the domain.

B. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the applicationto the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.

C. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the applicationto the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location.

D. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to publish the applicationto the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.


Explanation/Reference:Almost the same as A/Q38

Self explanatory.

QUESTION 66Your company has a main office and 10 branch offices . Each branch office has an Active Directory site that contains one domain controller . Only domain controllers in the main office are conf igured as Global Catalog servers .

You need to deactivate the Universal Group Membership C aching (UGMC) option on the domaincontrollers in the branch offices .

At which level should you deactivate UGMC ?

A. ServerB. Connection objectC. DomainD. Site


Explanation/Reference:http://www.ntweekly.com/?p=788Question:How To Enable Or Disable Universal Group Membership Caching Windows Server 2008

Answer: Universal Group Membership Caching enables us to allow users to log on to the network withoutcontacting a Global Catalog server, this is recommended to use in remote sites without global a catalog server.

To enable or disable Universal Group Membership Caching follow the steps below:

Open Active Directory Sites And Service -> Go to the site you need to enable or disable the feature -> Rightclick on the NTDS Site Settings and Click on Properties

Tick the Box next to Enable Universal Group Membership Caching to Enable or Disable.

http://gallery.technet.microsoft.com/scriptcenter/c1bd08d2-1440-40f8-95be-ad2050674d91Script to Disable Universal Group Membership Caching in all Sites

How to Disable Universal Group Membership Caching in all Sites using a Script

Starting with Windows Server 2003, a new feature called Universal Group Membership Caching (UGMC)caches a user’s membership in Universal Groups on domain controllers authenticating the user. This featureallows a domain controller to have knowledge of Universal Groups a user is member of rather than contacting aGlobal Catalog.

Unlike Global group memberships, which are stored in each domain, Universal Group memberships are onlystored in a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domainthat is set to the Windows 2000 native domain functional level or higher, the Global Catalog provides UniversalGroup membership information for the user’s account at the time the user logs on to the domain to theauthenticating domain controller.

UGMC is generally a good idea for multiple domain forests when:1. Universal Group membership does not change frequently.2. Low WAN bandwidth between Domain Controllers in different sites.

It is also recommended to disable UGMC if all Domain Controllers in a forest are Global Catalogs.

QUESTION 67Your network consists of a single Active Directory domain . All domain controllers run Windows Server 2003 .

You upgrade all domain controllers to Windows Server 20 08 R2.

You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R) .

What should you do?

A. From the command prompt, run dfsutil /addroot:sysvol.B. From the command prompt, run netdom /reset.C. From the command prompt, run dcpromo /unattend:unattendfile.xml.D. Raise the functional level of the domain to Windows Server 2008 R2.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc794837%28v=ws.10%29.aspxIntroduction to Administering DFS-Replicated SYSVOL

SYSVOL is a collection of folders that contain a copy of the domain’s public files, including system policies,logon scripts, and important elements of Group Policy objects (GPOs). The SYSVOL directory must be presentand the appropriate subdirectories must be shared on a server before the server can advertise itself on thenetwork as a domain controller. Shared subdirectories in the SYSVOL tree are replicated to every domaincontroller in the domain.

Note: For Group Policy, only the Group Policy template (GPT) is replicated through SYSVOL replication. TheGroup Policy container (GPC), which is stored in the domain, is replicated through Active Directoryreplication. For Group Policy to be effective, both parts must be available on a domain controller.

..

Using DFS Replication for replicating SYSVOL in Windows Server 2008

Distributed File System (DFS) Replication is a repl ication service that is available for replicatingSYSVOL to all domain controllers in domains that ha ve the Windows Server 2008 domain functionallevel. DFS Replication was introduced in Windows Server 2003 R2. However, on domain controllers that arerunning Windows Server 2003 R2, SYSVOL replication is performed by the File Replication Service (FRS).

QUESTION 68Your company has a main office and a branch office that are configured as a single Active Directoryforest . The functional level of the Active Directory forest is Windows Server 2003 . There are four Windows Server 2003 domain controllers in the main office .

You need to ensure that you are able to deploy a read-o nly domain controller (RODC) at the branchoffice .


A. Raise the functional level of the forest to Windows Server 2008.B. Deploy a Windows Server 2008 domain controller at the main office.C. Raise the functional level of the domain to Windows Server 2008.D. Run the adprep/rodcprep command.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspxPrerequisites for Deploying an RODC

Complete the following prerequisites before you deploy a read-only domain controller (RODC):Ensure that the forest functional level is Windows Server 2003 or higherRun Adprep.exe commands to prepare your existing forest and domains for domain controllers that runWindows Server 2008 or Windows Server 2008 R2 . The adprep commands extend the Active Directoryschema and update security descriptors so that you can add the new domain controllers. There are differentversions of Adprep.exe for Windows Server 2008 and Windows Server 2008 R2.

1. Prepare the forest and domains. There are three adprep commands to complete and have thechanges replicate throughout the forest. Run the three commands as follows:

* Prepare the forest by running adprep /forestprep on the server that holds the schema masteroperations master (also known as flexible single master operations or FSMO) role to update theschema.* Prepare the domain by running adprep /domainprep /gpprep on the server that holds theinfrastructure operations master role. * If you are installing an RODC in an existing Windows Server 2003 domain, you must also run adprep /rodcprep .

2. Install Active Directory Domain Services (AD DS). You can install AD DS by using a wizard, thecommand line, or an answer file.

Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 inthe same domain as the RODC and ensure that the writable domain controller is also a DNS server that hasregistered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate domainupdates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.

QUESTION 69Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllersand DNS servers . All client computers run Windows XP SP3 .

You need to use your client computers to edit domainbas ed GPOs by using the ADMX files that arestored in the ADMX central store .

What should you do?

A. Add your account to the Domain Admins group.B. Upgrade your client computers to Windows 7.C. Install .NET Framework 3.0 on your client computers.D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the

PolicyDefinitions folder.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc709647%28v=ws.10%29.aspxManaging Group Policy ADMX Files Step-by-Step Guide

Microsoft Windows Vista® and Windows Server 2008 introduce a new format for displaying registry-basedpolicy settings. Registry-based policy settings (located under the Administrative Templates category in the

Group Policy Object Editor) are defined using a standards-based, XML file format known as ADMX files. Thesenew files replace ADM files, which used their own markup language. The Group Policy tools —Group PolicyObject Editor and Group Policy Management Console—remain largely unchanged. In the majority of situations,you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks.

http://blogs.technet.com/b/grouppolicy/archive/2008/12/17/questions-on-admx-in-windows-xp-and-windows-2003-environments.aspxQuestions on ADMX in Windows XP and Windows 2003 environments

We had a question a couple of days ago about the usage of ADMX template formats in Windows XP/Server2003 environments. Essentially the question was:

“…What’s the supported or recommended way of getting W2k8 ADMX templates applying in a W2k3 domainwith or with no W2k8 DCs. What I’ve done in test is, created a central store in the /Sysvol/domain/policies folderon the 2k3 DC (PDC) and created and edited a GPO using GPMC from the W2k8 member server applying to aW2k8 machine and it seems to work just fine. Is this the right way to do it?…”

The answer is Yes. Again this is one of those things that confuse people. The template format has nothing todo with the policy file that’s created. Its just used to create the policy by the administrative tool itself. In the caseof GPMC on Windows XP and Windows Server 2003 and previous – this tool used the ADM file format. TheseADM files were copied into every policy object on the SYSVOL, which represents about 4MB of duplicated bloatper policy. This was one of the areas that caused major problems with an issue called SYSVOL bloat.

In Vista and Server 2008 this template format changed to ADMX. This was a complete change towards a newXML based format that aimed to eliminate SYSVOL bloat. It doesn’t copy itself into every policy object but relieson a central or local store of these templates (Note that even in the newer tools you can still import customADM files for stuff like Office etc).

In the question above, the person wanted to know if copying the local store, located under c:/windows/policydefinitions, could be copied into a Windows Server 2003 domain environment as the central store andreferenced by the newer admin tools. Again the domain functional mode has little to do with Group Policy. Italked about that one before. The things that we care about are the administrative tools and the client supportfor the policy functions. So of course it can.

Here’s the confusion-reducing scoop – Group Policy as a platform only relies on two main factors. ActiveDirectory to store metadata about the policy objects and to allow client discoverability for the location of thepolicy files. The other is the SYSVOL to store the policy files. So at its core that’s LDAP and SMB file shares.Specific extensions on top of the policy platform may require certain domain functionality but that’s very specificto that extension. Examples are the new Wireless policy and BitLocker extensions in Vista SP1. They requireschema updates – not GP itself. So if you don't currently use them then you don't have to update schema.

So provided you’re using Windows Vista SP1 with RSAT or Windows Server 2008 to administer the policiesyou get all the benefits to manage downlevel clients. That means eliminating SYSVOL bloat. That means all thejoys of Group Policy Preferences. Honestly – it amazes us the amount of IT Pros that still haven’t discoveredGPP…especially with the power it has to practically eliminate logon scripts!

As a last point – IT Pros also ask us when we will be producing an updated GPMC version for Windows XP tosupport all the new stuff. The answer is that we are not producing any updated GPMC versions for Windows XPand Server 2003. All the new administrative work is being done on the newer platforms. So get moving ahead!There are some really good benefits in the newer tools and very low impact to your current environment. Youonly need a single Windows Vista SP1 machine to start!

QUESTION 70Your company has a domain controller that runs Windows Server 2008 . The domain controller has the backup features installed .

You need to perform a non-authoritative restore of the doman controller using an existing backup file .

What should you do?

A. Restart the domain controller in Directory Services Restore Mode and use wbadmin to restore criticalvolume

B. Restart the domain controller in Directory Services Restore Mode and use the backup snap-in to restorecritical volume

C. Restart the domain controller in Safe Mode and use wbadmin to restore critical volumeD. Restart the domain controller in Safe Mode and use the backup snap-in to restore critical volume


Explanation/Reference:almost identical to B42

http://technet.microsoft.com/en-us/library/cc816627%28v=ws.10%29.aspxPerforming Nonauthoritative Restore of Active Directory Domain Services

A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a systemstate, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its stateat the time of backup and then allows normal replication to overwrite that state with any changes that occurredafter the backup was taken. After you restore AD DS from backup, the domain controller queries its replicationpartners. Replication partners use the standard replication protocols to update AD DS and associatedinformation, including the SYSVOL shared folder, on the restored domain controller.

You can use a nonauthoritative restore to restore the directory service on a domain controller withoutreintroducing or changing objects that have been modified since the backup. The most common use of anonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardwarefailures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that theproblem is with AD DS.

Nonauthoritative Restore Requirements

You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a stand-alone server, member server, or domain controller.

On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service.Therefore, in Windows Server 2008, performing offline defragm entation and other databasemanagement tasks does not require restarting the do main controller in Directory Services RestoreMode (DSRM) . However, you cannot perform a nonauthoritative rest ore after simply stopping the ADDS service in regular startup mode. You must be abl e to start the domain controller in DirectoryServices Restore Mode (DSRM). If the domain control ler cannot be started in DSRM, you must firstreinstall the operating system.

To perform a nonauthoritative restore, you need one of the following types of backup for your backup source: System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operatingsystem, you must use a critical-volumes or full server backup. If you are restoring a system state backup,use the wbadmin start systemstaterecovery command. Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operatingsystem and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if youwant to restore more than the system state. To restore a critical-volumes backup, use the wbadmin startrecovery command.Full server backup: Use this type of backup only if you cannot start the server or you do not have a systemstate or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup.Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls backall data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritativerestore of AD DS.


All servers run Windows Server .

You deploy a Certification Authority (CA) server .

You create a new global security group named CertIssuer s.

You need to ensure that members of the CertIssuers grou p can issue, approve, and revoke certificates . What should you do?

A. Assign the Certificate Manager role to the CertIssuers groupB. Place CertIssuers group in the Certificate Publisher groupC. Run the certsrv -add CertIssuers command promt of the certificate serverD. Run the add -member-membertype memberset CertIssuers command by using Microsoft Windows

Powershell


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc779954%28v=ws.10%29.aspxRole-based administration

Role explanation

Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you mustassign the role's corresponding security permissions, group memberships, or user rights to the user or group.These security permissions, group memberships, and user rights are used to distinguish which users havewhich roles. The following table describes the CA roles of role-based administration and the groups relevant torole-based administration.

..

Certificate Manager:Delete multiple rows in database (bulk deletion)Issue and approve certificatesDeny certificatesRevoke certificatesReactivate certificates placed on holdRenew certificatesRecover archived keyRead CA database

Read CA configuration information

...

QUESTION 72Your company has an Active Directory domain . The company has purchased 100 new computers . You want to deploy the computers as members of the doma in .

You need to create the computer accounts in an OU .

What should you do?

A. Run the csvde -f computers.csv commandB. Run the ldifde -f computers.ldf commandC. Run the dsadd computer <computerdn> commandD. Run the dsmod computer <computerdn> command


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc754539%28v=ws.10%29.aspxDsadd computer

Syntax:dsadd computer <ComputerDN> [-samid <SAMName>] [-desc <Description>] [-loc <Location>] [-memberof<GroupDN ...>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

Personal comment:you use ldifde and csvde to import and export directory objects to Active Directory

http://support.microsoft.com/kb/237677http://technet.microsoft.com/en-us/library/cc732101%28v=ws.10%29.aspx

QUESTION 73Your network consists of a single Active Directory domain . You have a domain controller and a member server that run Windows Server 2008 R2 . Both servers are configured as DNS servers . Client computers run either Windows XP Service Pack 3 or Windows 7 .

You have a standard primary zone on the domain controller . The member server hosts a secondary copy of the zone .

You need to ensure that only authenticated users are al lowed to update host (A) records in the DNSzone .


A. On the member server, add a conditional forwarder.B. On the member server, install Active Directory Domain Services.C. Add all computer accounts to the DNS UpdateProxy group.D. Convert the standard primary zone to an Active Directory-integrated zone.

Correct Answer: D


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc726034.aspxUnderstanding Active Directory Domain Services Integration


How DNS integrates with AD DSWhen you install AD DS on a server, you promote the server to the role of a domain controller for a specifieddomain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain whichyou are joining and for which you are promoting the server, and you are offered the option to install the DNSServer role. This option is provided because a DNS server is required to locate this server or other domaincontrollers for members of an AD DS domain.


DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master updatemodel. In this model, a single authoritative DNS server for a zone is designated as the primarysource for the zone. This server maintains the master copy of the zone in a local file. With this model,the primary server for the zone represents a single fixed point of failure. If this server is not available,update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNSserver and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication.In this model, any AD DS-integrated DNS servercan accept dynamic updates for the zone. Becausethe master copy of the zone is maintained in the AD DS database, which is fully replicated to alldomain controllers, the zone can be updated by the DNS servers operating at any domain controllerfor the domain. With the multimaster update model of AD DS, any of the primary servers for thedirectory-integrated zone can process requests from DNS clients to update the zone as long as adomain controller is available and reachable on the network.

Also, when you use directory-integrated zones, you can use access control list (ACL) editing tosecure a dnsZone object container in the directory tree. This feature provides detailed access toeither the zone or a specified resource record in the zone. For example, an ACL for a zone resourcerecord can be restricted so that dynamic updates are allowed only for a specified client computer or asecure group, such as a domain administrators group. This security feature is not available withstandard primary zones.


QUESTION 74Your company has two domain controllers that are configured as internal DNS servers . All zones on the DNS servers are Active Directory-integrated zones . The zones allow all dynamic updates .

You discover that the contoso.com zone has multiple ent ries for the host names of computers that donot exist .

You need to configure the contoso.com zone to automatic ally remove expired records .

What should you do?

A. Enable only secure updates on the contoso.com zone,B. Enable scavenging and configure the refresh interval on the contoso.com zone.C. From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone.D. From the Start of Authority tab, increase the default expiration interval on the contoso.com zone


Explanation/Reference:http://www.it-support.com.au/configure-aging-and-scavenging-of-a-dns-server/2012/12/Configure aging and scavenging of a DNS Server

Resource records that are either outdated or decayed from DNS zone data are removed through the use of theServer aging and scavenging feature in Windows Server 2008. Issues develop if decayed resource records arenot dealt with, such as:

Zone transfers take longer as the DNS server disk space contains a large number of stale recordsThe accumulation of stale records degrades the DNS server performance and response timePotential conflicts can occur, if an IP address in a dynamic DNS environment is assigned to a different host.

By default, the aging and scavenging feature is disabled. In order to use this particular feature, the user isrequired to enable the operations on the zone and at the DNS server.

In addition, a user is able to manually enable individual resource records to be aged and scavenged. Thisprocess involves permitting the records to use the current (non-zero) timestamp value.

The aging and scavenging operation figures out when the records should be cleared by reviewing theirtimestamps. The DNS Server uses a simple equation when setting a time value on a record: current servertime + refresh interval.

Procedure:

Navigate to Start - Administrative Tools – DNS Manager. Right click the relevant DNS server and select SetAging/Scavenging for All Zones from the drop down list.

The Server Aging/Scavenging Properties dialog box opens. Tick the option Scavenge stale resource records.

Under the No-refresh interval heading, specify the duration for which the server must not refresh its records.Configuring this setting reduces replication traffic as unnecessary updates to existing records are prevented.

Under the Refresh interval heading, specify the duration for which the server must refresh its records. The freshinterval is the time required between when a no-refresh interval expires and when a record is considered stale.

When you have configured these settings, click OK to continue.

A confirmation box appears showing a summary of your settings. Tick the Apply these settings to the existingActive Directory-integrated zones option and click OK.

The Aging and Scavenging intervals have now been configured for all zones managed by the DNS server.

http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

Don't be afraid of DNS Scavenging. Just be patient.

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bb556cfb-3217-4dcf-af4f-460366faa1b8Answered Best Practices configuration for DNS server on Windows 2008 R2 Server (aging/scavenging, etc.)

QUESTION 75You have an Active Directory domain that runs Windows Server 2008 R2 .

You need to implement a certification authority (CA) se rver that meets the following requirements :Allows the certification authority to automatically issue certificatesIntegrates with Active Directory Domain Services

What should you do?

A. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA.B. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA.C. Purchase a certificate from a third-party certification authority, Install and configure the Active Directory

Certificate Services server role as a Standalone Subordinate CA.D. Purchase a certificate from a third-party certification authority, Import the certificate into the computer store

of the schema master.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc776874%28v=ws.10%29.aspxEnterprise certification authorities

The Enterprise Administrator can install Certificate Services to create an enterprise certification authority (CA). Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME(Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server using Secure SocketsLayer (SSL) or Transport Layer Security (TLS) and logging on to a Windows Server 2003 family domain using asmart card.

An enterprise CA has the following features: An enterprise CA requires the Active Directory directory service. When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the TrustedRoot Certification Authorities certificate store for all users and computers in the domain. You must be aDomain Administrator or be an administrator with write access to Active Directory to install an enterpriseroot CA. Certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards. The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to ActiveDirectory. In order to publish certificates to Active Directory, the server that the CA is installed on must be amember of the Certificate Publishers group. This is automatic for the domain the server is in, but the servermust be delegated the proper security permissions to publish certificates in other domains. For moreinformation about the exit module, see Policy and exit modules.

An enterprise CA uses certificate types, which are based on a certificate template. The following functionality ispossible when you use certificate templates:

Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate templatehas a security permission set in Active Directory that determines whether the certificate requester isauthorized to receive the type of certificate they have requested. The certificate subject name can be generated automatically from the information in Active Directory orsupplied explicitly by the requestor. The policy module adds a predefined list of certificate extensions to the issued certificate. The extensionsare defined by the certificate template. This reduces the amount of information a certificate requester has toprovide about the certificate and its intended use.

http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspxStand-alone certification authorities

You can install Certificate Services to create a stand-alone certification authority (CA). Stand-alone CAs canissue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure MultipurposeInternet Mail Extensions) and authentication to a secure Web server using Secure Sockets Layer (SSL) orTransport Layer Security (TLS).

A stand-alone CA has the following characteristics: Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directoryservice. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA hierarchyor when extranets and the Internet are involved. Additionally, if you want to use a custom policy module for aCA, you would first install a stand-alone CA and then replace the stand-alone policy module with yourcustom policy module. When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly supply allidentifying information about themselves and the type of certificate that is wanted in the certificate request.(This does not need to be done when submitting a request to an enterprise CA, since the enterprise user'sinformation is already in Active Directory and the certificate type is described by a certificate template). Theauthentication information for requests is obtained from the local computer's Security Accounts Managerdatabase. By default, all certificate requests sent to the stand-alone CA are set to Pending until the administrator ofthe stand-alone CA verifies the identity of the requester and approves the request. This is done for securityreasons, because the certificate requester's credentials are not verified by the stand-alone CA. Certificate templates are not used. No certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards,but other types of certificates can be issued and stored on a smart card. The administrator has to explicitly distribute the stand-alone CA's certificate to the domain user's trustedroot store or users must perform that task themselves.

When a stand-alone CA uses Active Directory, it has these additional features: If a member of the Domain Administrators group or an administrator with write access to Active Directory,installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authoritiescertificate store for all users and computers in the domain. For this reason, if you install a stand-alone rootCA in an Active Directory domain, you should not change the default action of the CA upon receivingcertificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA thatautomatically issues certificates without verifying the identity of the certificate requester. If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain ofa tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CAwill publish its CA certificate and the certificate revocation list (CRL) to Active Directory.

QUESTION 76You have a Windows Server 2008 R2 Enterprise Root certificatio n authority (CA) .

You need to grant members of the Account Operators grou p the ability to only manage Basic EFScertificates .

You grant the Account Operators group the Issue and Man age Certificates permission on the CA .

Which three tasks should you perform next ? (Each correct answer presents part of the solution. Choose three .)

A. Enable the Restrict Enrollment Agents option on the CA.B. Enable the Restrict Certificate Managers option on the CA.C. Add the Basic EFS certificate template for the Account Operators group.D. Grant the Account Operators group the Manage CA permission on the CA.E. Remove all unnecessary certificate templates that are assigned to the Account Operators group.

Correct Answer: BCESection: (none)Explanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc779954%28v=ws.10%29.aspxRole-based administration

Role explanation

Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you mustassign the role's corresponding security permissions, group memberships, or user rights to the user or group.These security permissions, group memberships, and user rights are used to distinguish which users havewhich roles. The following table describes the CA roles of role-based administration and the groups relevant torole-based administration.

..

Certificate Manager:Delete multiple rows in database (bulk deletion)Issue and approve certificatesDeny certificatesRevoke certificatesReactivate certificates placed on holdRenew certificatesRecover archived keyRead CA databaseRead CA configuration information

...

http://technet.microsoft.com/en-us/library/cc753372.aspxRestrict Certificate Managers

A certificate manager can approve certificate enrollment and revocation requests, issue certificates, andmanage certificates. This role can be configured by assigning a user or group the Issue and ManageCertificatespermission.

When you assign this permission to a user or group, you can further refine their ability to manage certificates bygroup and by certificate template. For example, you might want to implement a restriction that they can onlyapprove requests or revoke smart card logon certificates for users in a certain office or organizational unit thatis the basis for a security group.

This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and

the user groups that have Enroll permissions for that certificate template from that CA...To configure certificate manager restrictions for a CA:1. Open the Certification Authority snap-in, and right-click the name of the CA.2. Click Properties, and then click the Security tab.3. Verify that the user or group that you have selected has Issue and Manage Certificates permission. If they

do not yet have this permission, select the Allow check box, and then click Apply.4. Click the Certificate Managers tab.5. Click Restrict certificate managers, and verify that the name of the group or user is displayed.6. Under Certificate Templates, click Add, select the template for the certificates that you want this user or

group to manage, and then click OK. Repeat this step until you have selected all certificate templates thatyou want to allow this certificate manager to manage.

7. Under Permissions, click Add, type the name of the client for whom you want the certificate manager tomanage the defined certificate types, and then click OK.

8. If you want to block the certificate manager from managing certificates for a specific user, computer, orgroup, under Permissions, select this user, computer, or group, and click Deny.

9. When you are finished configuring certificate manager restrictions, click OK or Apply.

QUESTION 77Your company has an Active Directory domain . You have a two-tier PKI infrastructure that contains an offline root CA and an online issuing CA . The Enterprise certification authority is running Windo ws Server 2008 R2 .

You need to ensure users are able to enroll new certif icates .

What should you do?

A. Renew the Certificate Revocation List (CRL) on the root CA. Copy the CRL to the CertEnroll folder on theissuing CA.

B. Renew the Certificate Revocation List (CRL) on the issuing CA, Copy the CRL to the SysternCertificatesfolder in the users' profile.

C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client

workstations.


Explanation/Reference:?????

http://social.technet.microsoft.com/wiki/contents/articles/2900.offline-root-certification-authority-ca.aspxOffline Root Certification Authority (CA)

A root certification authority (CA) is the top of a public key infrastructure (PKI) and generates a self-signedcertificate. This means that the root CA is validating itself (self-validating). This root CA could then havesubordinate CAs that effectively trust it. The subordinate CAs receive a certificate signed by the root CA, so thesubordinate CAs can issue certificates that are validated by the root CA. This establishes a CA hierarchy andtrust path.

CA CompromiseIf a root CA is in some way compromised (broken into, hacked, stolen, or accessed by an unauthorized ormalicious person), then all of the certificates that were issued by that CA are also compromised. Sincecertificates are used for data protection, identification, and authorization, the compromise of a CA couldcompromise the security of an entire organizational network. For that reason, many organizations that runinternal PKIs install their root CA offline. That is, the CA is never connected to the company network, which

makes the root CA an offline root CA. Make sure that you keep all CAs in secure areas with limited access.To ensure the reliability of your CA infrastructure, specify that any root and non-issuing intermediate CAs mustbe offline. A non-issuing CA is one that is not expected to provide certificates to client computers, networkdevices, and so on. This minimizes the risk of the CA private keys becoming compromised, which would in turncompromise all the certificates that were issued by the CA.

How Do Offline CAs issue certificates?Offline root CAs can issue certificates to removable media devices (e.g. floppy disk, USB drive, CD/DVD) andthen physically transported to the subordinate CAs that need the certificate in order to perform their tasks. If thesubordinate CA is a non-issuing intermediate that is offline, then it will also be used to generate a certificate andthat certificate will be placed on removable media. Each CA receives its authorization to issue certificates fromthe CA directly above it in the CA hierarchy. However, you can have multiple CAs at the same level of the CAhierarchy. Issuing CAs are typically online and used to issue certificates to client computers, network devices,mobile devices, and so on.

Do not join offline CAs to an Active Directory Domain Services domainSince offline CAs should not be connected to a network, it does not make sense to join them to an ActiveDirectory Domain Services (AD DS) domain, even with the Offline Domain Join [This link is external to TechNetWiki. It will open in a new window.] option introduced with Windows 7 and Windows Server 2008 R2.Furthermore, installing an offline CA on a server that is a member of a domain can cause problems with asecure channel when you bring the CA back online after a long offline period. This is because the computeraccount password changes every 30 days. You can get around this by problem and better protect your CA bymaking it a member of a workgroup, instead of a domain. Since Enterprise CAs need to be joined to an AD DSdomain, do not attempt to install an offline CA as a Windows Server Enterprise CA.

http://technet.microsoft.com/en-us/library/cc740209%28v=ws.10%29.aspxRenewing a certification authority

A certification authority may need to be renewed for either of the following reasons: Change in the policy of certificates issued by the CA Expiration of the CA's issuing certificate

QUESTION 78Your company has an Active Directory domain . All servers run Windows Server 2008 R2 . Your company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA .

The Enterprise Intermediate CA certificate expires .

You need to deploy a new Enterprise Intermediate CA ce rtificate to all computers in the domain .

What should you do?

A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.B. Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server.C. Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group

policy object.D. Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc962065.aspxCertification Authority Trust Model

Certification Authority Hierarchies

The Windows 2000 public key infrastructure supports a hierarchical CA trust model, called the certificationhierarchy, to provide scalability, ease of administration, and compatibility with a growing number of commercialthird-party CA services and public key-aware products. In its simplest form, a certification hierarchy consists ofa single CA. However, the hierarchy usually contains multiple CAs that have clearly defined parent-childrelationships. Figure 16.5 shows some possible CA hierarchies.

Figure 16.5 Certification Hierarchies

You can deploy multiple CA hierarchies to meet your needs. The CA at the top of the hierarchy is called a rootCA . Root CAs are self-certified by using a self-signed CA certificate. Root CAs are the most trusted CAs in theorganization and it is recommended that they have the highest security of all. There is no requirement that allCAs in an enterprise share a common top-level CA parent or root. Although trust for CAs depends on eachdomain's CA trust policy, each CA in the hierarchy can be in a different domain.

Child CAs are called subordinate CAs . Subordinate CAs are certified by the parent CAs. A parent CA certifiesthe subordinate CA by issuing and signing the subordinate CA certificate. A subordinate CA can be either anintermediate or an issuing CA . An intermediate CA issues certificates only to subo rdinate CAs . Anissuing CA issues certificates to users, computers, or services.

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/605dbf9d-2694-4783-8002-c08b9c7d4149Forum FAQ: How to import certificate into Intermediate Certification Authorities store?

Question: How to import certificate into Intermediate Certification Authorities store?

Answer:In Windows Server 2008 or Windows Server 2008 R2 domain, we can import intermediate CA certificates usinggroup policy: Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\IntermediateCertification AUthorities

The policy is not available in Windows Server 2003. For Windows 2003 domain, you can write a script that uses

the following command to push out the intermediate CA certificate via group policy. The server will have to berebooted for this to take effect.

Certutil –f –addstore CA <intermediate CA name>.crt

Note: CA is the programmatic name of the Intermediate Certification Authorities store.

QUESTION 79You have a single Active Directory domain. All domain controllers run Windows Server 2008 and are configured as DNS servers. The domain contains one Active Directory-integrated DNS zone .

You need to ensure that outdated DNS records are automatically removed from the DNS zone .

What should you do?

A. From the properties of the zone, modify the TTL of the SOA record.B. From the properties of the zone, enable scavenging.C. From the command prompt, run ipconfig /flushdns.D. From the properties of the zone, disable dynamic updates.


Explanation/Reference:Answer : From the properties of the zone, enable scavenging.

Explanation :http://technet.microsoft.com/en-us/library/cc753217.aspxSet Aging and Scavenging Properties for the DNS Server

The DNS Server service supports aging and scavenging features. These features are provided as amechanism for performing cleanup and removal of stale resource records, which can accumulate in zone dataover time. You can use this procedure to set the default aging and scavenging properties for the zones on aserver.

Further information :http://technet.microsoft.com/en-us/library/cc771677.aspxUnderstanding Aging and Scavenging

QUESTION 80Your network consists of a single Active Directory domain . All domain controllers run Windows Server 2008 R2 . The Audit account management policy setting and Audit directory services access setting are enabled forthe entire domain .

You need to ensure that changes made to Active Director y objects can be logged . The logged changes must include the old and new values of any attributes .

What should you do?

A. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.B. From the Default Domain Controllers policy, enable the Audit directory service access setting and enable

directory service changes.C. Enable the Audit account management policy in the Default Domain Controller Policy.

D. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy.


Explanation/Reference:Answer : Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.

Explanation :http://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspxAD DS Auditing Step-by-Step Guide

In Windows Server 2008 you can now set up AD DS auditing with a new audit subcategory to log old and newvalues when changes are made to objects and their attributes...The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory DirectoryService Changes. This guide provides instructions for implementing this audit policy subcategory.

The types of changes that you can audit include a user (or any security principal) creating, modifying, moving,or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS:

When a successful modify operation is performed on an attribute, AD DS logs the previous and currentvalues of the attribute . If the attribute has more than one value, only the values that change as a result ofthe modify operation are logged.If a new object is created, values of the attributes that are populated at the time of creation are logged. If theuser adds attributes during the create operation, those new attribute values are logged. In most cases, ADDS assigns default values to attributes (such as samAccountName). The values of such system attributesare not logged.If an object is moved, the previous and new location (distinguished name) is logged for moves within thedomain. When an object is moved to a different domain, a create event is generated on the domaincontroller in the target domain.If an object is undeleted, the location where the object is moved to is logged. In addition, if the user adds,modifies, or deletes attributes while performing an undelete operation, the values of those attributes arelogged.

..In Windows Server 2008, you implement the new auditing feature by using the following controls:

Global audit policySystem access control list (SACL)Schema

Global audit policyEnabling the global audit policy, Audit directory service access , enables all directory service policysubcategories. You can set this global audit policy in the Default Domain Controllers Group Policy (underSecurity Settings\Local Policies\Audit Policy). In Windows Server 2008, this global audit policy is not enabled bydefault. Although the subcategory Directory Service Access is enabled for success events by default, the othersubcategories are not enabled by default.

You can use the command-line tool Auditpol.exe to view or set audit policy subcategories . There is noWindows interface tool available in Windows Server 2008 to view or set audit policy subcategories.

Further information :http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspxAuditpol

Displays information about and performs functions to manipulate audit policies.

http://servergeeks.wordpress.com/2012/12/31/auditing-directory-services/AD Scenario – Auditing Directory Services

Auditing of Directory Services depends on several controls, these are:1. Global Audit Policy (at category level using gpmc.msc tool)2. Individual Audit Policy (at subcategory level using auditpol.exe tool)3. System ACLs – to specify which operations are to be audited for a security principal.4. Schema (optional) – this is an additional control in the schema that you can use to create exceptions to

what is audited.

In Windows Server 2008, you can now set up AD DS (Active Directory Domain Services) auditing with a newaudit policy subcategory (Directory Service Changes) to log old and new values when changes are made to ADDS objects and their attributes. This can be done using auditpol.exe tool.

Command to check which audit policies are active on your machine:auditpol /get /category:*

Command to view the audit policy categories and Subcategories:

How to enable the global audit policy using the Windows interface i.e. gpmc tool

Click Start , point to Administrative Tools , and then Group Policy Management or run gpmc.msccommandIn the console tree, double-click the name of the forest, double-click Domains , double-click the name ofyour domain, double-click Domain Controllers , right-click Default Domain Controllers Policy , and thenclick Edit .

Under Computer Configuration , double-click Policies , double-click Windows Settings , double-click

Security Settings , double-click Local Policies , and then click Audit Policy .

In the details pane, right-click Audit directory service access , and then click Properties .Select the Define these policy settings check box.Under Audit these attempts , select the Success , check box, and then click OK.

How to enable the change auditing policy using a command line

Click Start , right-click Command Prompt , and then click Run as administrator .

Type the following command, and then press ENTER:auditpol /set /subcategory:”directory service changes” /success:enable

To verify if the auditing is enabled or not for “Directory Service Changes”, you can run below command:auditpol /get /category:”DS Access”

How to set up auditing in object SACLs

Click Start , point to Administrative Tools , and then click Active Directory Users and Computers .Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties .Click the Security tab, click Advanced , and then click the Auditing tab.

Click Add , and under Enter the object name to select , type Authenticated Users (or any other securityprincipal) and then click OK.

In Apply onto , click Descendant User objects (or any other objects).Under Access , select the Successful check box for Write all properties .

Click OK until you exit the property sheet for the OU or other object.

To Test whether auditing is working or not, try creating or modifying objects in Finance OU and check theSecurity event logs.

I just created a new user account in Finance OU named f4.

If you check the security event logs you will find eventid 5137 (Create)

Note:Once the auditing is enabled these eventids will appear in security event logs: 5136 (Modify), 5137 (Create),5138 (Undelete), 5139 (Move).

QUESTION 81Your company, Contoso Ltd has a main office and a branch office . The offices are connected by a WAN link . Contoso has an Active Directory forest that contains a single domain named ad.contoso.com .

The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office.DC1 is configured as a DNS server for the ad.contoso.com DNS zone.This zone is configured as a standard primary zone .

You install a new domain controller named DC2 in the branch office . You install DNS on DC2.

You need to ensure that the DNS service can update records and resolve DNS queries in the event that aWAN link fails .

What should you do?

A. Create a new stub zone named ad.contoso.com on DC2.B. Create a new standard secondary zone named ad.contoso.com on DC2.C. Configure the DNS server on DC2 to forward requests to DC1.D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.


Explanation/Reference:Answer : Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

Explanation :http://technet.microsoft.com/en-us/library/cc726034.aspxUnderstanding Active Directory Domain Services Integration









QUESTION 82Your company has a server that runs an instance of Active Directory Lightweight Directory Service (ADLDS).

You need to create new organizational units in the AD LDS appli cation directory partition .

What should you do?

A. Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units.B. Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDS

application directory partition.C. Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units.D. Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition.


Explanation/Reference:Answer : Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directorypartition.

Explanation :http://technet.microsoft.com/en-us/library/cc773354%28v=ws.10%29.aspxADSI Edit (adsiedit.msc)

Active Directory® Service Interfaces Editor (ADSI Edit ) is a Lightweight Directory Access Protocol (LDAP)editor that you can use to manage objects and attributes in Active Directory . ADSI Edit (adsiedit.msc)provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view,and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC)snap-ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domainsand Trusts, and Active Directory Schema.

http://technet.microsoft.com/en-us/library/cc730701%28v=ws.10%29.aspx#BKMK_1Step 4: Practice Managing AD LDS Organizational Units, Groups, and UsersCreate an OU

To keep your AD LDS users and groups organized, you may want to place users and groups in OUs. In ActiveDirectory Domain Services (AD DS) and in AD LDS, as well as in other Lightweight Directory Access Protocol(LDAP)–based directories, OUs are most commonly used for keeping users and groups organized.

To create an OU1. Click Start, point to Administrative Tools, and then click ADSI Edit .2. Connect and bind to the directory partition of the AD LDS instance to which you want to add an OU . 3. In the console tree, double-click the o=Microsoft,c=US directory partition, right-click the container to

which you want to add the OU, point to New, and the n click Object .4. In Select a class, click organizationalUnit, and then click Next.5. In Value, type a name for the new OU, and then click Next. 6. If you want to set values for additional attributes, click More attributes.

Further information :http://technet.microsoft.com/en-us/library/cc754663%28v=ws.10%29.aspxStep 5: Practice Working with Application Directory Partitions

The Active Directory Lightweight Directory Services (AD LDS) directory store is organized into logical directorypartitions. There are three different types of directory partitions:

Configuration directory partitionsSchema directory partitionsApplication directory partitions

Each AD LDS directory store must contain a single configuration directory partition and a single schemadirectory partition. The directory store can contain zero or more application directory partitions.

Application directory partitions hold the data that your applications use. You can create an application directorypartition during AD LDS setup or anytime after installation.

QUESTION 83Your company has an Active Directory domain . The company has two domain controllers named DC1 and DC2.DC1 holds the Schema Master role .

DC1 fails . You log on to Active Directory by using the administrator account .You are not able to transfer the Schema Master operations r ole .

You need to ensure that DC2 holds the Schema Master role .

What should you do?

A. Configure DC2 as a bridgehead server.B. On DC2, seize the Schema Master role.C. Log off and log on again to Active Directory by using an account that is a member of the Schema

Administrators group. Start the Active Directory Schema snap-in.D. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in.


Explanation/Reference:Answer : On DC2, seize the Schema Master role.

Explanation :http://technet.microsoft.com/en-us/library/cc816645%28v=ws.10%29.aspxTransfer the Schema Master

You can use this procedure to transfer the schema operations master role if the domain controller that currentlyhosts the role is inadequate, has failed, or is being decommissioned. The schema master is a forest-wideoperations master (also known as flexible single master operations or FSMO) role...Note: You perform this procedure by using a Microsoft Management Console (MMC) snap-in, although you canalso transfer this role by using Ntdsutil.exe.

Membership in Schema Admins, or equivalent, is the minimum required to complete this procedure.

http://technet.microsoft.com/en-us/library/cc794853%28v=ws.10%29.aspxSeize the AD LDS Schema Master Role

The schema master is responsible for performing updates to the Active Directory Lightweight DirectoryServices (AD LDS) schema. Each configuration set has only one schema master. All write operations to the ADLDS schema can be performed only when connected to the AD LDS instance that holds the schema masterrole within its configuration set. Those schema updates are replicated from the schema master to all otherinstances in the configuration set.

Membership in the AD LDS Administrators group , or equivalent, is the minimum required to complete thisprocedure.

Caution: Do not seize the schema master role if you can transfer it instead. Seizing the schema master role is adrastic step that should be considered only if the current operations master will never be available again.

QUESTION 84Your company has an Active Directory forest that runs at the functional level of Windows Server 2008 .

You implement Active Directory Rights Management Servic es (AD RMS) .

You install Microsoft SQL Server 2005 . When you attempt to open the AD RMS administration Web site , you receive the following error message:"SQL Server does not exist or access denied ."

You need to open the AD RMS administration Web site .


A. Restart IIS.B. Manually delete the Service Connection Point in AD DS and restart AD RMS.C. Install Message Queuing.D. Start the MSSQLSVC service.


Explanation/Reference:Answer : Start the MSSQLSVC service. Restart IIS.

Explanation :http://technet.microsoft.com/en-us/library/cc747605%28v=ws.10%29.aspx#BKMK_1RMS Administration Issues"SQL Server does not exist or access denied" message received when attempting to open the RMSAdministration Web site

If you have installed RMS by using a new installation of SQL Server 2005 as your database server the SQLServer Service might not be started. In SQL Server 2005, the MSSQLSERVER service is not configured toautomatically start when the server is started. If you have restarted your SQL Server since installing RMS andhave not configured this service to automatically restart RMS will not be able to function and only the RMSGlobal Administration page will be accessible.

After you have started the MSSQLSERVER service, you must restart IIS on each RMS server in thecluster to restore RMS functionality.

QUESTION 85Your network consists of an Active Directory forest that contains one domain named contoso.com. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers . You have two Active Directory-integrated zones : contoso.com and nwtraders.com .

You need to ensure a user is able to modify records in the contoso.com zone . You must prevent the user from modifying the SOA record in the nwtraders.com zone .

What should you do?

A. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.B. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers

organizational unit (OU).

C. From the DNS Manager console, modify the permissions of the contoso.com zone.D. From the DNS Manager console, modify the permissions of the nwtraders.com zone.


Explanation/Reference:Answer : From the DNS Manager console, modify the permissions of the contoso.com zone.

Explanation :http://technet.microsoft.com/en-us/library/cc753213.aspxModify Security for a Directory-Integrated Zone

You can manage the discretionary access control list (DACL) on the DNS zones that are stored in ActiveDirectory Domain Services (AD DS). You can use the DACL to control the permissions for the Active Directoryusers and groups that may control the DNS zones.

Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum required tocomplete this procedure.

To modify security for a directory-integrated zone:1. Open DNS Manager .2. In the console tree, click the applicable zone .

Where?DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

3. On the Action menu, click Properties.4. On the General tab, verify that the zone type is Active Directory-integrated.5. On the Security tab , modify the list of member users or groups that are allowed to securely update the

applicable zone and reset their permissions as needed.

Further information :http://support.microsoft.com/kb/163971The Structure of a DNS SOA Record

The first resource record in any Domain Name System (DNS) Zone file should be a Start of Authority (SOA)resource record. The SOA resource record indicates that this DNS name server is the best source ofinformation for the data within this DNS domain.

The SOA resource record contains the following information:

Source host - The host where the file was created.

Contact e-mail - The e-mail address of the person responsible for administering the domain's zone file. Notethat a "." is used instead of an "@" in the e-mail name.

Serial number - The revision number of this zone file. Increment this number each time the zone file ischanged. It is important to increment this value each time a change is made, so that the changes will bedistributed to any secondary DNS servers.

Refresh Time - The time, in seconds, a secondary DNS server waits before querying the primary DNS server'sSOA record to check for changes. When the refresh time expires, the secondary DNS server requests a copyof the current SOA record from the primary. The primary DNS server complies with this request. The secondaryDNS server compares the serial number of the primary DNS server's current SOA record and the serial numberin it's own SOA record. If they are different, the secondary DNS server will request a zone transfer from theprimary DNS server. The default value is 3,600.

Retry time - The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, the

retry time is less than the refresh time. The default value is 600.

Expire time - The time, in seconds, that a secondary server will keep trying to complete a zone transfer. If thistime expires prior to a successful zone transfer, the secondary server will expire its zone file. This means thesecondary will stop answering queries, as it considers its data too old to be reliable. The default value is 86,400.

Minimum TTL - The minimum time-to-live value applies to all resource records in the zone file. This value issupplied in query responses to inform other servers how long they should keep the data in cache. The defaultvalue is 3,600.

http://technet.microsoft.com/en-us/library/cc787600%28v=ws.10%29.aspxModify the start of authority (SOA) record for a zone..Notes: To perform this procedure , you must be a member of the Administrators group on the local computer,or you must have been delegated the appropriate authority . If the computer is joined to a domain, membersof the Domain Admins group might be able to perform this procedure. As a security best practice, considerusing Run as to perform this procedure...

QUESTION 86Your company has a branch office that is configured as a separate Active Directory site and has an ActiveDirectory domain controller . The Active Directory site requires a local Global Catalog server to support a new application.

You need to configure the domain controller as a Global Catalog server .

Which tool should you use?

A. The Server Manager consoleB. The Active Directory Sites and Services consoleC. The Dcpromo.exe utilityD. The Computer Management consoleE. The Active Directory Domains and Trusts console


Explanation/Reference:Answer : The Active Directory Sites and Services console

Explanation :http://technet.microsoft.com/en-us/library/cc781329%28v=ws.10%29.aspxConfigure a domain controller as a global catalog server

To configure a domain controller as a global catalog server1. Open Active Directory Sites and Services ....

Further information :http://technet.microsoft.com/en-us/library/cc728188%28v=ws.10%29.aspxWhat Is the Global Catalog?

The global catalog is a distributed data repository that contains a searchable, partial representation of everyobject in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog isstored on domain controllers that have been designated as global catalog servers and is distributed throughmultimaster replication. Searches that are directed to the global catalog are faster because they do not involve

referrals to different domain controllers.

In addition to configuration and schema directory partition replicas, every domain controller in a forest stores afull, writable replica of a single domain directory partition. Therefore, a domain controller can locate only theobjects in its domain. Locating an object in a different domain would require the user or application to providethe domain of the requested object.

The global catalog provides the ability to locate objects from any domain without having to know the domainname. A global catalog server is a domain controller that, in addition to its full, writable domain directorypartition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. Theadditional domain directory partitions are partial because only a limited set of attributes is included for eachobject. By including only the attributes that are most used for searching, every object in every domain in eventhe largest forest can be represented in the database of a single global catalog server.

Note: A global catalog server can also store a full, writable replica of an application directory partition, butobjects in application directory partitions are not replicated to the global catalog as partial, read-only directorypartitions.

The global catalog is built and updated automatically by the AD DS replication system. The attributes that arereplicated to the global catalog are identified in the schema as the partial attribute set (PAS) and are defined bydefault by Microsoft. However, to optimize searching, you can edit the schema by adding or removing attributesthat are stored in the global catalog.

In Windows 2000 Server environments, any change to the PAS results in full synchronization (update of allattributes) of the global catalog. Later versions of Windows Server reduce the impact of updating the globalcatalog by replicating only the attributes that change.

In a single-domain forest, a global catalog server stores a full, writable replica of the domain and does not storeany partial replica. A global catalog server in a single-domain forest functions in the same manner as a non-global-catalog server except for the processing of forest-wide searches.

QUESTION 87Your company has a main office and three branch offices . The company has an Active Directory forest that has a single domain . Each office has one domain controller . Each office is configured as an Active Directory site . All sites are connected with the DEFAULTIPSITELINK object .

You need to decrease the replication latency between th e domain controllers .

What should you do?

A. Decrease the replication schedule for the DEFAULTIPSITELINK object.B. Decrease the replication interval for the DEFAULTIPSITELINK object.C. Decrease the cost between the connection objects.D. Decrease the replication interval for all connection objects.


Explanation/Reference:Answer : Decrease the replication interval for the DEFAULTIPSITELINK object.

Personal comment:All sites are connected with the DEFAULTIPSITELINK object. <- this roughly translates into all sites areconnected with the first domain controller in the forestSo the topology is star shaped.Thus, decreasing the cost between the connection objects will offer no benefit.

We know we have multiple sites linked and are using a DEFAULTIPSITELINK object.Thus, the most plausible answer is to decrease the replication interval for DEFAULTIPSITELINK.

Explanation :http://www.informit.com/articles/article.aspx?p=26866&seqNum=5Understanding Active Directory, Part IIIReplication

Active Directory replication between domain controllers is managed by the system administrator on a site-by-site basis. As domain controllers are added, a replication path must be established. This is done by theKnowledge Consistency Checker (KCC), coupled with Active Directory replication components. The KCC is adynamic process that runs on all domain controllers to create and modify the replication topology. If a domaincontroller fails, the KCC automatically creates new paths to the remaining domain controllers. Manualintervention with the KCC will also force a new path.

The Active Directory replaces PDCs and BDCs with multimaster replication services. Each domain controllerretains a copy of the entire directory for that particular domain. As changes are made in one domain controller,the originator communicates these changes to the peer domain controllers. The directory data itself is stored inthe ntds.dit file.

Active Directory replication uses the Remote Procedure Call (RPC) over IP to conduct replication within a site.Replication between sites can utilize either RPC or the Simple Mail Transfer Protocol (SMTP) for datatransmission. The default intersite replication protocol is RPC.Intersite and Intrasite Replication

There are distinct differences in internal and intersite domain controller replication. In theory, the networkbandwidth within a site is sufficient to handle all network traffic associated with replication and other ActiveDirectory activities. By the definition of a site, the network must be reliable and fast. A change notificationprocess is initiated when modifications occur on a domain controller. The domain controller waits for aconfigurable period (by default, five minutes) before it forwards a message to its replication partners. Duringthis interval, it continues to accept changes. Upon receiving a message, the partner domain controllers copy themodification from the original domain controller. In the event that no changes were noted during a configurableperiod (six hours, by default), a replication sequence ensures that all possible modifications are communicated.Replication within a site involves the transmission of uncompressed data.

NOTE

Security-related modifications are replicated within a site immediately. These changes include account andindividual user lockout policies, changes to password policies, changes to computer account passwords, andmodifications to the Local Security Authority (LSA).

Replication between sites assumes that there are network-connectivity problems, including insufficientbandwidth, reliability, and increased cost. Therefore, the Active Directory permits the system to make decisionson the type, frequency, and timing of intersite replication. All replication objects transmitted between sites arecompressed, which may reduce traffic by 10 to 25 percent, but because this is not sufficient to guaranteeproper replication, the system administrator has the responsibility of scheduling intersite replication.Replication Component Objects

Whereas the KCC represents the process elements associated with replication, the following comprise theActive Directory object components:

Connection object. Domain controllers become replication "partners" when linked by a connection object.This is represented by a one-way path between two domain controller server objects. Connection objectsare created by the KCC by default. They can also be manually created by the system administrator.NTDS settings object. The NTDS settings object is a container that is automatically created by the ActiveDirectory. It contains all of the connection objects, and is a child of the server object.Server object. The Active Directory represents every computer as a computer object. The domain controlleris also represented by a computer object, plus a specially created server object. The server object's parentis the site object that defines its IP subnet. However, in the event that the domain controller server objectwas created prior to site creation, it will be necessary to manually define the IP subnet to properly assign the

domain controller a site.

When it is necessary to link multiple sites, two additional objects are created to manage the replicationtopology.

Site link . The site link object specifies a series of values (cost, interval, and schedule) that define theconnection between sites. The KCC uses these values to manage replication and to modify the replicationpath if it detects a more efficient one. The Active Directory DEFAULTIPSITELINK is used by default untilthe system administrator intervenes. The cost value, ranging from 1 to 32767, is an arbitrary estimate of theactual cost of data transmission as defined bandwidth. The interval value sets the number of timesreplication will occur: 15 minutes to a maximum of once a week (or 10080 minutes) is the minimum; threehours is the default. The schedule interval establishes the time when replication should occur. Althoughreplication can be at any time by default, the system administrator may want to schedule it only during off-peak network hours.Site link bridges. The site link bridge object defines a set of links that communicate via the same protocol.By default, all site links use the same protocol, and are transitive. Moreover, they belong to a single site linkbridge. No configuration is necessary to the site link bridge if the IP network is fully routed. Otherwise,manual configuration may be necessary.


http://technet.microsoft.com/en-us/library/cc775549%28v=ws.10%29.aspxWhat Is Active Directory Replication Topology?

Replication of updates to Active Directory objects are transmitted between multiple domain controllers to keepreplicas of directory partitions synchronized. Multiple domains are common in large organizations, as aremultiple sites in disparate locations. In addition, domain controllers for the same domain are commonly placedin more than one site.

Therefore, replication must often occur both within sites and between sites to keep domain and forest dataconsistent among domain controllers that store the same directory partitions. Site objects can be configured toinclude a set of subnets that provide local area network (LAN) network speeds. As such, replication within sitesgenerally occurs at high speeds between domain controllers that are on the same network segment. Similarly,site link objects can be configured to represent the wide area network (WAN) links that connect LANs.Replication between sites usually occurs over these WAN links, which might be costly in terms of bandwidth. Toaccommodate the differences in distance and cost of replication within a site and replication between sites, theintrasite replication topology is created to optimize speed, and the intersite replication topology is created tominimize cost.

The Knowledge Consistency Checker (KCC) is a distributed application that runs on every domain controllerand is responsible for creating the connections between domain controllers that collectively form the replicationtopology. The KCC uses Active Directory data to determine where (from what source domain controller to whatdestination domain controller) to create these connections.

..

The following diagram shows the interaction of these technologies with the replication topology, which isindicated by the two-way connections between each set of domain controllers.

Replication Topology and Dependent Technologies

http://technet.microsoft.com/en-us/library/cc755994%28v=ws.10%29.aspxHow Active Directory Replication Topology Works

..Replication Topology Physical StructureThe Active Directory replication topology can use many different components. Some components are requiredand others are not required but are available for optimization. The following diagram illustrates most replicationtopology components and their place in a sample Active Directory multisite and multidomain forest. Thedepiction of the intersite topology that uses multiple bridgehead servers for each domain assumes that at leastone domain controller in each site is running at least Windows Server 2003. All components of this diagram andtheir interactions are explained in detail later in this section.

Replication Topology Physical Structure

In the preceding diagram, all servers are domain controllers. They independently use global knowledge ofconfiguration data to generate one-way, inbound connection objects. The KCCs in a site collectively create anintrasite topology for all domain controllers in the site. The ISTGs from all sites collectively create an intersitetopology. Within sites, one-way arrows indicate the inbound connections by which each domain controllerreplicates changes from its partner in the ring. For intersite replication, one-way arrows represent inboundconnections that are created by the ISTG of each site from bridgehead servers (BH) for the same domain (orfrom a global catalog server [GC] acting as a bridgehead if the domain is not present in the site) in other sitesthat share a site link. Domains are indicated as D1, D2, D3, and D4.

Each site in the diagram represents a physical LAN in the network, and each LAN is represented as a siteobject in Active Directory. Heavy solid lines between sites indicate WAN links over which two-way replicationcan occur, and each WAN link is represented in Active Directory as a site link object. Site link objects allowconnections to be created between bridgehead servers in each site that is connected by the site link.

Not shown in the diagram is that where TCP/IP WAN links are available, replication between sites uses theRPC replication transport. RPC is always used within sites. The site link between Site A and Site D uses theSMTP protocol for the replication transport to replicate the configuration and schema directory partitions andglobal catalog partial, read-only directory partitions. Although the SMTP transport cannot be used to replicate

writable domain directory partitions, this transport is required because a TCP/IP connection is not availablebetween Site A and Site D. This configuration is acceptable for replication because Site D does not hostdomain controllers for any domains that must be replicated over the site link A-D.

By default, site links A-B and A-C are transitive (bridged), which means that replication of domain D2 is possiblebetween Site B and Site C, although no site link connects the two sites. The cost values on site links A-B and A-C are site link settings that determine the routing preference for replication, which is based on the aggregatedcost of available site links. The cost of a direct connection between Site C and Site B is the sum of costs on sitelinks A-B and A-C. For this reason, replication between Site B and Site C is automatically routed through Site Ato avoid the more expensive, transitive route. Connections are created between Site B and Site C only ifreplication through Site A becomes impossible due to network or bridgehead server conditions.

...

Control Replication Latency and CostReplication latency is inherent in a multimaster directory service. A period of replication latency begins when adirectory update occurs on an originating domain controller and ends when replication of the change is receivedon the last domain controller in the forest that requires the change. Generally, the latency that is inherent in aWAN link is relative to a combination of the speed of the connection and the available bandwidth. Replicationcost is an administrative value that can be used to indicate the latency that is associated with differentreplication routes between sites. A lower-cost route is preferred by the ISTG when generating the replicationtopology.

Site topology is the topology as represented by the physical network: the LANs and WANs that connect domaincontrollers in a forest. The replication topology is built to use the site topology. The site topology is representedin Active Directory by site objects and site link objects. These objects influence Active Directory replication toachieve the best balance between replication speed and the cost of bandwidth utilization by distinguishingbetween replication that occurs within a site and replication that must span sites. When the KCC createsreplication connections between domain controllers to generate the replication topology, it creates moreconnections between domain controllers in the same site than between domain controllers in different sites.The results are lower replication latency within a site and less replication bandwidth utilization between sites.

Within sites, replication is optimized for speed as follows:Connections between domain controllers in the same site are always arranged in a ring, with possibleadditional connections to reduce latency.Replication within a site is triggered by a change notification mechanism when an update occurs, moderatedby a short, configurable delay (because groups of updates frequently occur together).Data is sent uncompressed, and thus without the processing overhead of data compression.

Between sites, replication is optimized for minimal bandwidth usage (cost) as follows:Replication data is compressed to minimize bandwidth consumption over WAN links.Store-and-forward replication makes efficient use of WAN links — each update crosses an expensive linkonly once.Replication occurs at intervals that you can schedule so that use of expensive WAN links is managed.The intersite topology is a layering of spanning trees (one intersite connection between any two sites foreach directory partition) and generally does not contain redundant connections.

...

Topology-Related Objects in Active DirectoryActive Directory stores replication topology information in the configuration directory partition. Severalconfiguration objects define the components that are required by the KCC to establish and implement thereplication topology:

..Site Link ObjectsFor a connection object to be created on a destination domain controller in one site that specifies a sourcedomain controller in another site, you must manually create a site link object (class siteLink ) that connectsthe two sites. Site link objects identify the transport protocol and scheduling required to replicate between twoor more sites. You can use Active Directory Sites and Services to create the site links. The KCC uses theinformation stored in the properties of these site links to create the intersite topology connections.

A site link is associated with a network transport by creating the site link object in the appropriate transportcontainer (either IP or SMTP). All intersite domain replication must use IP site links. The Simple Mail TransferProtocol (SMTP) transport can be used for replication between sites that contain domain controllers that donot host any common domain directory partition replicas.Site Link Properties

A site link specifies the following:Two or more sites that are permitted to replicate with each other.An administrator-defined cost value associated with that replication path. The cost value controls the routethat replication takes, and thus the remote sites that are used as sources of replication information.A schedule during which replication is permitted to occur .An interval that determines how frequently replication occurs over this site link during the times when theschedule allows replication.

Default Site LinkWhen you install Active Directory on the first domain controller in the forest, an object named DEFAULTIPSITELINK is created in the Sites container (in the IP container within the Inter-Site Transportscontainer). This site link contains only one site, Default-First-Site-Name.

QUESTION 88Your company has two Active Directory forests named contoso.com and fabrikam.com . Both forests run only domain controllers that run Windows Server 2008 . The domain functional level of contoso.com is Windows Server 2008 . The domain functional level of fabrikam.com is Windows Server 2003 Native mode .

You configure an external trust between contoso.com and fabrikam.com .

You need to enable the Kerberos AES encryption option .

What should you do?

A. Raise the forest functional level of fabrikam.com to Windows Server 2008.B. Raise the domain functional level of fabrikam.com to Windows Server 2008.C. Raise the forest functional level of contoso.com to Windows Server 2008.D. Create a new forest trust and enable forest-wide authentication.


Explanation/Reference:Answer : Raise the domain functional level of fabrikam.com to Windows Server 2008.

Explanation :http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspxUnderstanding Active Directory Domain Services (AD DS) Functional Levels

Functional levels determine the available Active Directory Domain Services (AD DS) domain or forestcapabilities. They also determine which Windows Server operating systems you can run on domain controllersin the domain or forest. However, functional levels do not affect which operating systems you can run onworkstations and member servers that are joined to the domain or forest. ..Features that are available at domain functional levels..Windows Server 2008

All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level,and the following features are available:..* Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol. In order forTGTs to be issued using AES, the domain functional level must be Windows Server 2008 or higher and thedomain password needs to be changed.

...

Further information :http://technet.microsoft.com/en-us/library/cc749438%28WS.10%29.aspxKerberos Enhancements..RequirementsAll Kerberos authentication requests involve three different parties: the client requesting a connection, theserver that will provide the requested data, and the Kerberos KDC that provides the keys that are used toprotect the various messages.

This discussion focuses on how AES can be used to protect these Kerberos authentication protocol messagesand data structures that are exchanged among the three parties. Typically, when the parties are operatingsystems running Windows Vista or Windows Server 2008, the exchange will use AES. However, if one of theparties is an operating system running Windows 2000 Professional, Windows 2000 Server, Windows XP,or Windows Server 2003 , the exchange will not use AES .

QUESTION 89All consultants belong to a global group named TempWorkers . You place three file servers in a new organizational unit named SecureServers . The three file servers contain confidential data located in shared folders .

You need to record any failed attempts made by the cons ultants to access the confidential data .


A. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to thiscomputer from the network user rights setting for the TempWorkers global group.

B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege useFailure audit policy setting.

C. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object accessFailure audit policy setting.

D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure theFailed Full control setting in the Auditing Entry dialog box.

E. On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab.Configure the Failed Full control setting in the Auditing Entry dialog box.

Correct Answer: CESection: (none)Explanation

Explanation/Reference:Answer : On each shared folder on the three file servers, add the TempWorkers global group to the Auditingtab. Configure the Failed Full control setting in the Auditing Entry dialog box. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit objectaccess Failure audit policy setting.

Explanation :http://technet.microsoft.com/en-us/library/cc771070.aspxApply or Modify Auditing Policy Settings for a Local File or Folder

You can apply audit policies to individual files and folders on your computer by setting the permission type torecord successful access attempts or failed access attempts in the security log. ..To apply or modify auditing policy settings for a local file or folder1. Open Windows Explorer.2. Right-click the file or folder that you want to audit, click Properties, and then click the Security tab.3. Click Edit, and then click Advanced.4. In the Advanced Security Settings for <object> dialog box, click the Auditing tab ...7. In the Access box, indicate what actions you want to audit by selecting the appropriate check boxes:

..* To audit unsuccessful events, select the Failed check box...

...

http://technet.microsoft.com/en-us/library/cc776774%28v=ws.10%29.aspxAudit object access

DescriptionThis security setting determines whether to audit the event of a user accessing an object --for example, afile , folder , registry key, printer, and so forth--that has its own system access control list (SACL) specified.

If you define this policy setting, you can specify whether to audit successes, audit failures , or not audit theevent type at all. Success audits generate an audit entry when a user successfully accesses an object that has an appropriateSACL specified.Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has aSACL specified.


Practically the same as J/Q5.

Reference:Windows Server 2008 R2 Unleashed (SAMS, 2010)page 671

Auditing Resource AccessObject access can be audited, although it is not one of the recommended settings. Auditing object access canplace a significant load on the servers, so it should only be enabled when it is specifically needed. Auditingobject access is a two-step process : Step one is enabling “Audit object access” and step two is selecting theobjects to be audited. When enabling Audit object access, you need to decide if both failure and successevents will be logged. The two options are as follows:

Audit object access failure enables you to see if users are attempting to access objects to which theyhave no rights. This shows unauthorized attempts.Audit object access success enables you to see usage patterns. This shows misuse of privilege.

After object access auditing is enabled, you can easily monitor access to resources such as folders, files, andprinters.

Auditing Files and FoldersThe network administrator can tailor the way Windows Server 2008 R2 audits files and folders through theproperty pages for those files or folders. Keep in mind that the more files and folders that are audited, the moreevents that can be generated, which can increase administrative overhead and system resource requirements.Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following:

1. In Windows Explorer, right-click the file or folder to audit and select Properties.2. Select the Security tab and then click the Advanced button.

3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button.4. Click the Add button to display the Select User or Group window.5. Enter the name of the user or group to audit when a ccessing the file or folder . Click the Check Names

button to verify the name.

QUESTION 90You have two servers named Server1 and Server2 . Both servers run Windows Server 2008 R2 . Server1 is configured as an Enterprise Root certification authority (CA) .

You install the Online Responder role service on Server 2.

You need to configure Server2 to issue certificate revo cation lists (CRLs) for the enterprise root CA .


A. Import the enterprise root CA certificate.B. Import the OCSP Response Signing certificate.C. Add the Server1 computer account to the CertPublishers group.D. Set the Startup Type of the Certificate Propagation service to Automatic.

Correct Answer: ABSection: (none)Explanation

Explanation/Reference:Answer : ???

Explanation :

Further information :http://technet.microsoft.com/en-us/library/cc770413%28v=ws.10%29.aspxOnline Responder Installation, Configuration, and Troubleshooting Guide

Public key infrastructure (PKI) consists of multiple components, including certificates, certificate revocation lists(CRLs) and certification authorities (CAs). In most cases, applications that depend on X.509 certificates, suchas Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL) and smart cards, arerequired to validate the status of the certificates used when performing authentication, signing, or encryptionoperations. The certificate status and revocation checking is the process by which the validity of certificates isverified based on two main categories: time and revocation status...Although validating the revocation status of certificates can be performed in multiple ways, the commonmechanisms are CRLs, delta CRLs, and Online Certificate Status Protocol (OCSP) responses. ...

http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspxActive Directory Certificate Services Step-by-Step Guide

http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspxDesigning and Implementing a PKI: Part I Design and Planning

http://technet.microsoft.com/en-us/library/cc725937.aspxSet Up an Online Responder

http://technet.microsoft.com/en-us/library/cc731099.aspxCreating a Revocation Configuration

QUESTION 91Your company has an Active Directory forest . The forest includes organizational units corresponding to thefollowing four locations :

LondonChicagoNew YorkMadrid

Each location has a child organizational unit named Sales . The Sales organizational unit contains all the users and computers from the sales department .

The offices in London, Chicago, and New York are connected by T1 connections .The office in Madrid is connected by a 256-Kbps ISDN connection .

You need to install an application on all the computers in the sales department .


A. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users.Link the GPO to each Sales organizational unit.

B. Disable the slow link detection setting in the Group Policy Object (GPO).C. Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy Object (GPO).D. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the computers.

Link the GPO to each Sales organizational unit.


Explanation/Reference:Answer : Disable the slow link detection setting in the Group Policy Object (GPO). Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the computers.Link the GPO to each Sales organizational unit.

Explanation :http://technet.microsoft.com/en-us/library/cc781031%28v=ws.10%29.aspxSpecifying Group Policy for Slow Link Detection

Administrators can partially control which Group Policy extensions are processed over a slow link. By default,when processing over a slow link, not all components of Group Policy are processed.

Table 2.6 shows the default settings for processing Group Policy over slow links.

Administrators can use a Group Policy setting to define a slow link for the purposes of applying and updatingGroup Policy. The default value defines a rate slower than 500 Kbps as a slow link.

http://technet.microsoft.com/en-us/library/cc783635%28v=ws.10%29.aspxAssigning and Publishing Software..Assigning software to computersAfter you assign a software package to computers in a site, domain, or OU, the software is installed the nexttime the computer restarts or the user logs on.

Further information :http://technet.microsoft.com/en-us/library/cc978717.aspxGroup Policy slow link detection

QUESTION 92Your company has a domain controller server that runs the Windows Server 2008 R2 operating system. The server is a backup server . The server has a single 500-GB hard disk that has three partitions for the operating system, applications,and data. You perform daily backups of the server .

The hard disk fails . You replace the hard disk with a new hard disk of the same capacity . You restart the computer on the installation media . You select the Repair your computer option .

You need to restore the operating system and all files .

What should you do?

A. Select the System Image Recovery option.B. Run the Imagex utility at the command prompt.C. Run the Wbadmin utility at the command prompt.D. Run the Rollback utility at the command prompt.



!***Old answer: Run the Wbadmin utility at the command prompt.

Answer: Select the System Image Recovery option.

Explanation:http://technet.microsoft.com/en-us/library/cc755163.aspxRecover the Operating System or Full Server

Applies To: Windows Server 2008 R2

You can recover your server operating system or full server by using Windows Recovery Environment and abackup that you created earlier with Windows Server Backup.

You can access the recovery and troubleshooting tools in Windows Recovery Environment through the SystemRecovery Options dialog box in the Install Windows Wizard. In Windows Server 2008 R2, to launch this wizard,use the Windows Setup disc or start/restart the computer, press F8, and then select Repair Your Computerfrom the list of startup options...

To recover your operating system or full server using a backup created earlier and Windows Setup disc1. Insert the Windows Setup disc that has the same architecture of the system that you are trying to recover

into the CD or DVD drive and start or restart the computer. If needed, press the required key to boot fromthe disc. The Install Windows Wizard should appear.

2. In Install Windows, specify language settings, and then click Next.3. Click Repair your computer.4. Setup searches the hard disk drives for an existing Windows installation and then displays the results in

System Recovery Options. If you are recovering the operating system onto separate hardware, the listshould be empty (there should be no operating system on the computer). Click Next.

5. On the System Recovery Options page, click System Image Recovery . This opens the Re-image yourcomputer page.

...

http://technet.microsoft.com/en-us/magazine/dd767786.aspxUse the Wbadmin Backup Command Line Utility in Windows Server 2008

Wbadmin is the command-line counterpart to Windows Server Backup. You use Wbadmin to manage allaspects of backup configuration that you would otherwise manage in Windows Server Backup. This means thatyou can typically use either tool to manage backup and recovery.

After you’ve installed the Backup Command-Line Tools feature, you can use Wbadmin to manage backup andrecovery. Wbadmin is located in the %SystemRoot%\System32\ directory. As this directory is in your commandpath by default, you do not need to add this directory to your command path.

Further information:http://technet.microsoft.com/en-us/library/cc754015%28v=ws.10%29.aspxWbadmin

Enables you to back up and restore your operating system, volumes, files, fold ers, and applications froma command prompt .

Subcommands..

..

RemarksThe wbadmin command replaces the ntbackup command that was released with previous versions ofWindows. You cannot recover backups that you created with ntbackup by using wbadmin. However, a versionof ntbackup is available as a download for Windows Server 2008, Windows Vista, Windows Server 2008 R2, orWindows 7 users who want to recover backups that they created using ntbackup. This downloadable version ofntbackup enables you to perform recoveries only of legacy backups, and it cannot be used on computersrunning Windows Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7 to create newbackups.

http://technet.microsoft.com/en-us/library/dd979562%28v=ws.10%29.aspxBackup and Recovery Overview for Windows Server 2008 R2

Windows Server 2008 R2 contains features to help you create backups and, if needed, perform a recovery ofyour operating system, applications, and data. By using these features appropriately and implementing goodoperational practices, you can improve your organization's ability to recover from damaged or lost data,hardware failures, and disasters. For Windows Server 2008 R2, there are new features that expand what youcan back up, where you can store backups, and how you can perform recoveries...This table summarizes the tools you can use to perform the following backup or recovery tasks for yourcomputers running Windows Server 2008 R2:

...

What is Windows Recovery Environment?You can access the recovery and troubleshooting tools in Windows Recovery Environment through the SystemRecovery Options dialog box in the Install Windows Wizard. In Windows Server 2008 R2, to launch this wizard, use the Windows Setup disc or start/restart the computer,

press F8, and then select Repair Your Computer from the list of startup options.

Features in Windows Recovery EnvironmentThe tools in Windows Recovery Environment include:

System Image Recovery. You can use this tool and a backup that you created earlier with Windows ServerBackup to restore your operating system or full server.Windows Memory Diagnostic. You can use this tool (which is a memory diagnostic schedule) to check yourcomputer's RAM. Doing this requires a restart. In addition, this tool requires a valid Windows Server 2008,Windows Vista, Windows Server 2008 R2, or Windows 7 installation to function.Command Prompt . This opens a command prompt window with Administrator privileges that provides fullaccess to your file system and volumes. In addition, certain Wbadmin commands are only availablefrom this command window .

QUESTION 93You need to remove the Active Directory Domain Services role from a domain controller named DC1 .

What should you do?

A. Run the netdom remove DC1 command.B. Run the Dcpromo utility. Remove the Active Directory Domain Services role.C. Run the nltest /remove_server: DC1 command.D. Reset the Domain Controller computer account by using the Active Directory Users and Computers utility.


Explanation/Reference:Answer : Run the Dcpromo utility. Remove the Active Directory Domain Services role.

Explanation :http://technet.microsoft.com/en-us/library/cc771844%28v=ws.10%29.aspxRemoving a Domain Controller from a Domain..To remove a domain controller by using the Windows interface1. Click Start, click Run, type dcpromo , and then press ENTER....

Further information :http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspxNetdom



CommandsNetdom remove..

Removes a workstation or server from the domain....

http://technet.microsoft.com/en-us/library/cc731935%28v=ws.10%29.aspxNltest

Performs network administrative tasks.

Nltest is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It isavailable if you have the AD DS or the AD LDS server role installed. It is also available if you install the ActiveDirectory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).

You can use nltest to:Get a list of domain controllersForce a remote shutdownQuery the status of trustTest trust relationships and the state of domain controller replication in a Windows domainForce a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers

Personal comment #1:There is no /remove_server switch for the nltest command

Personal comment #2:Resetting the Domain Controller's computer account has nothing to do with this question

QUESTION 94Your company has an Active Directory forest . The company has branch offices in three locations . Each location has an organizational unit .

You need to ensure that the branch office administrator s are able to create and apply GPOs only totheir respective organizational units .


A. Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizationalunits to the branch office administrators.

B. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.C. Modify the Managed By tab in each organizational unit to add the branch office administrators to their

respective organizational units.D. Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the branch office

administrators.


Explanation/Reference:Answer : Run the Delegation of Control wizard and delegate the right to link GPOs for their branchorganizational units to the branch office administrators. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.

Explanation :http://technet.microsoft.com/en-us/library/cc732524.aspxDelegate Control of an Organizational Unit1. To delegate control of an organizational unit2. To open Active Directory Users and Computers, click Start , click Control Panel , double-click Administrative

Tools and then double-click Active Directory Users and Computers .3. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.

Where? Active Directory Users and Computers\ domain node \ organizational unit

4. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the

wizard.

http://technet.microsoft.com/en-us/library/cc781991%28v=ws.10%29.aspxDelegating Administration of Group Policy

Your Group Policy design will probably call for delegating certain Group Policy administrative tasks.Determining to what degree to centralize or distribute administrative control of Group Policy is one of the mostimportant factors to consider when assessing the needs of your organization. In organizations that use acentralized administration model, an IT group provides services, makes decisions, and sets standards for theentire company. In organizations that use a distributed administration model, each business unit manages itsown IT group.You can delegate the following Group Policy tasks:

Creating GPOs Managing individual GPOs (for example, granting Edit or Read access to a GPO) etc.

...

Delegating Creation of GPOsThe ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, onlyDomain Administrators, Enterprise Administrators, Group Policy Creator Owners , and SYSTEM can createnew Group Policy objects . If the domain administrator wants a non-administrator or non-administrative groupto be able to create GPOs, that user or group can be added to the Group Policy Creator Owners security group.Alternatively, you can use the Delegation tab on the Group Policy Objects container in GPMC to delegatecreation of GPOs. When a non-administrator who is a member of the Group Policy Creator Owners groupcreates a GPO, that user becomes the creator owner of the GPO and can edit the GPO and modifypermissions on the GPO. However, members of the Group Policy Creator Owners group cannot link GPOs tocontainers unless they have been separately delegated the right to do so on a particular site, domain, or OU.Being a member of the Group Policy Creator Owners group gives the non-administrator full control of onlythose GPOs that the user creates. Group Policy Creator Owner members do not have permissions for GPOsthat they do not create.

Note: When an administrator creates a GPO, the Domain Administrators group becomes the Creator Owner ofthe Group Policy object. By default, Domain Administrators can edit all GPOs in the domain.

The right to link GPOs is delegated separately from the right to create GPOs and the right to edit GPOs. Besure to delegate both rights to those groups you want to be able to create and link GPOs. By default, non-Domain Admins cannot manage links, and this prevents them from being able to use GPMC to create and linka GPO. However, non-Domain Admins can create an unlinked GPO if they are members of the Group PolicyCreator Owners group. After a non-Domain Admin creates an unlinked GPO, the Domain Admin or someoneelse who has been delegated permissions to link GPOs an a container can link the GPO as appropriate.

Creation of GPOs can be delegated to any group or user. There are two methods of granting a group or userthis permission:

Add the group or user to the Group Policy Creator Owners group . This was the only method availableprior to GPMC.Explicitly grant the group or user permission to create GPOs. This method is newly available with GPMC.

You can manage this permission by using the Delegation tab on the Group Policy objects container for a givendomain in GPMC. This tab shows the groups that have permission to create GPOs in the domain, including theGroup Policy Creator Owners group. From this tab, you can modify the membership of existing groups thathave this permission, or add new groups.

Because the Group Policy Creator Owners group is a domain global group, it cannot contain members fromoutside the domain. Being able to grant users permissions to create GPOs without using Group Policy CreatorOwners facilitates delegating GPO creation to users outside the domain. Without GPMC, this task cannot bedelegated to members outside the domain.

If you require that users outside the domain have the ability to create GPOs, create a new domain local group inthe domain (for example, "GPCO – External"), grant that group GPO creation permissions in the domain, and

then add domain global groups from external domains to that group. For users and groups in the domain, youshould continue to use the Group Policy Creator Owners group to grant GPO-creation permissions.

Adding a user to the membership of Group Policy Creator Owners and granting the user GPO-creationpermissions directly using the new method available in GPMC are identical in terms of permissions.

QUESTION 95Your company has an Active Directory domain . A user attempts to log on to the domain from a client computer and receives the following message :

"This user account has expired . Ask your administrator to reactivate the account."

You need to ensure that the user is able to log on to t he domain .

What should you do?

A. Modify the properties of the user account to set the account to never expire.B. Modify the properties of the user account to extend the Logon Hours setting.C. Modify the default domain policy to decrease the account lockout duration.D. Modify the properties of the user account to set the password to never expire.


Explanation/Reference:Answer : Modify the properties of the user account to set the account to never expire.

Explanation :

Further information :http://technet.microsoft.com/en-us/library/dd145547.aspxUser Properties - Account Tab

Account expiresSets the account expiration policy for this user. You can select between the following options:

Use Never to specify that the selected account will never expire. This option is the default for new users.Select End of and then select a date if you want to have the user's account expire on a specified date.

QUESTION 96Your company has an Active Directory domain that has an organizational unit named Sales . The Sales organizational unit contains two global secur ity groups named Sales Managers and SalesExecutives .

You need to apply desktop restrictions to the Sales Exe cutives group .You must not apply these desktop restrictions to the Sales Managers group .

You create a GPO named DesktopLockdown and link it to t he Sales organizational unit .


A. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.

B. Configure the Deny Apply Group Policy permission for the Sales Executives on the DesktopLockdown GPO.C. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.D. Configure the Deny Apply Group Policy permission for the Sales Managers on the DesktopLockdown GPO.


Explanation/Reference:http://support.microsoft.com/kb/816100How to prevent domain Group Policies from applying to certain user or computer accounts

Typically, if you want Group Policy to apply only to specific accounts (either user accounts, computer accounts,or both), you can put the accounts in an organizational unit, and then apply Group Policy at that organizationalunit level. However, there may be situations where you want to apply Group Policy to a whole domain, althoughyou may not want those policy settings to also apply to administrator accounts or to other specific users orgroups.

http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/Best Practice: How to exclude individual users or computers from a Group Policy Object

One of the common question I see on the forums from time to time is how to exclude a user and/or a computerfrom having a Group Policy Object (GPO) applied. This is a relatively straight forward process however I shouldstress this should be used sparingly and should always be done via group membership to avoid theadministrative overhead of having to constantly update the security filtering on the GPO.

Step 1. Open the Group Policy Object that you want to apply an exception and then click on the “Delegation”tab and then click on the “Advanced” button.

Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from havingthis policy applied.

Step 3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select this group inthe “Group or user names” list and then scroll down the permission and tick the “Deny” option against the“Apply Group Policy” permission.

Now any members of this “User GPO Exceptions” security group will not have this Group Policy Object applied.Having a security group to control this exception makes it much easier to control as someone only needs tomodify the group membership of the group to makes changes to who (or what) get the policy applied. Thismakes the delegation of this task to level 1 or level 2 support much more practical as you don’t need to grantthem permission to the Group Policy Objects.

QUESTION 97Your company network has an Active Directory forest that has one parent domain and one child domain . The child domain has two domain controllers that run Windows Server 2008 .

All user accounts from the child domain are migrate d to the parent domain . The child domain is scheduled to be decommissioned .

You need to remove the child domain from the Active Dir ectory forest .


A. Run the Computer Management console to stop the Domain Controller service on both domain controllersin the child domain.

B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationshipbetween the parent domain and the child domain.

C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory domainservices role.

D. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain.

Correct Answer: CD


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc755937%28v=ws.10%29.aspxDecommissioning a Domain Controller

To complete this task, perform the following procedures:1. View the current operations master role holders 2. Transfer the schema master 3. Transfer the domain naming master4. Transfer the domain-level operations master roles5. Determine whether a domain controller is a global catalog server 6. Verify DNS registration and functionality7. Verify communication with other domain controllers 8. Verify the availability of the operations masters 9. If the domain controller hosts encrypted documents, perform the following procedure before you remove

Active Directory to ensure that the encrypted files can be recovered after Active Directory is removed:Export a certificate with the private key

10.Uninstall Active Directory 11. If the domain controller hosts encrypted documents and you backed up the certificate and private key before

you remove Active Directory, perform the following procedure to re-import the certificate to the server:Import a certificate

12.Determine whether a Server object has child objects13.Delete a Server object from a site

http://technet.microsoft.com/en-us/library/cc737258%28v=ws.10%29.aspxUninstall Active Directory

To uninstall Active Directory1. Click Start, click Run, type dcpromo and then click OK....

QUESTION 98Your network consists of a single Active Directory domain . The domain contains 10 domain controllers . The domain controllers run Windows Server 2008 R2 and are configured as DNS servers .

You plan to create a new Active Directory-integrated zo ne.

You need to ensure that the new zone is only replicated to four of your domain controllers .


A. From the command prompt, run dnscmd and specify the /createdirectorypartition parameter.B. Create a new delegation in the ForestDnsZones application directory partition.C. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter.D. Create a new delegation in the DomainDnsZones application directory partition.


Explanation/Reference:Practically the same question as D/Q25 and K/Q17, different set of answers.

To control which servers get a copy of the zone we have to store the zone in an application directory partition.That application directory partition must be created before we create the zone, otherwise it won't work. So that's

what we have to do first. Directory partitions are also called naming contexts and we can create one usingntdsutil .

Here I tried to create a zone with dnscmd /zoneadd . It failed because the directory partition I wanted to use didnot exist yet. To fix that I used ntdsutil to create the directory partition dc=venomous,dc=contoso,dc=com.Note that after creating it a new naming context had been added. Then, after a minute or two, I tried to createthe new zone again, and this time it worked.

Reference 1:http://technet.microsoft.com/en-us/library/cc725739.aspx

Store Data in an AD DS Application PartitionYou can store Domain Name System (DNS) zones in the domain or application directory partitions of ActiveDirectory Domain Services (AD DS). An application directory partition is a data structure in AD DS thatdistinguishes data for different replication purposes. When you store a DNS zone in an application directo rypartition, you can control the zone replication sco pe by controlling the replication scope of theapplication directory partition.


partition managementManages directory partitions for Active Directory Domain Services (AD DS) or Active Directory LightweightDirectory Services (AD LDS).This is a subcommand of Ntdsutil and Dsmgmt.

ExamplesTo create an application directory partition named AppPartition in the contoso.com domain, complete thefollowing steps:

1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2. Type: ntdsutil3. Type: Ac in ntds4. Type: partition management5. Type: connections6. Type: Connect to server DC_Name7. Type: quit8. Type: list

The following partitions will be listed:0 CN=Configuration,DC=Contoso,DC=com1 DC=Contoso,DC=com2 CN=Schema,CN=Configuration,DC=Contoso,DC=com3 DC=DomainDnsZones,DC=Contoso,DC=com4 DC=ForestDnsZones,DC=Contoso,DC=com

9. At the partition management prompt, type: create nc dc=AppPartition,dc=contoso,dc=comConDc1.contoso.com

10.Run the list command again to refresh the list of partitions.

QUESTION 99You have a domain controller named DC1 that runs Windows Server 2008 R2 . DC1 is configured as a DNS Server for contoso.com.

You install the DNS Server role on a member server named Server1 and then you create a standardsecondary zone for contoso.com. You configure DC1 as the master server for the zone .

You need to ensure that Server1 receives zone updates f rom DC1 .

What should you do?

A. On DC1, modify the permissions of contoso.com zone.B. On Server1, add a conditional forwarder.C. On DC1, modify the zone transfer settings for the contoso.com zone.

D. Add the Server1 computer account to the DNSUpdateProxy group.


Explanation/Reference:Practically the same question as J/Q23 and K/Q45.


Modify Zone Transfer SettingsYou can use the following procedure to control whether a zone will be transferred to other servers and whichservers can receive the zone transfer.

To modify zone transfer settings using the Windows interface1. Open DNS Manager.

2. Right-click a DNS zone, and then click Properties.

3. On the Zone Transfers tab, do one of the following:To disable zone transfers, clear the Allow zone transfers check box.To allow zone transfers , select the Allow zone transfers check box.

4. If you allowed zone transfers, do one of the follow ing:To allow zone transfers to any server, click To any server.To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only toservers listed on the Name Servers tab.To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IPaddress of one or more DNS servers.

QUESTION 100Your company has an Active Directory domain . All servers run Windows Server 2008 R2 . Your company runs an Enterprise Root certification authority (CA) .

You need to ensure that only administrators can sign c ode .


A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage TrustedPublishers.

B. Modify the security settings on the template to allow only administrators to request code signing certificates.C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow

only administrators to apply the policy.D. Publish the code signing template.


Explanation/Reference:http://techblog.mirabito.net.au/?p=297Generating and working with code signing certificates

A code signing certificate is a security measure designed to assist in the prevention of malicious code

execution. The intention is that code must be “signed” with a certificate that is trusted by the machine on whichthe code is executed. The trust is verified by contacting the certification authority for the certificate, which couldbe either a local (on the machine itself, such as a self-signed certificate), internal (on the domain, such as anenterprise certification authority) or external certification authority (third party, such as Verisign or Thawte).

For an Active Directory domain with an enterprise root certification authority, the enterprise root certificationauthority infrastructure is trusted by all machines that are a member of the Active Directory domain, andtherefore any certificates issued by this certification authority are automatically trusted.

In the case of code signing, it may be necessary also for the issued certificate to be in the “Trusted Publishers”store of the local machine in order to avoid any prompts upon executing code, even if the certificate was issuedby a trusted certification authority. Therefore, it is required to ensure that certificates are added to this storewhere user interaction is unavailable, such as running automated processes that call signed code.

A certificate can be assigned to a user or a computer, which will then be the “publisher” of the code in question.Generally, this should be the user, and the user will then become the trusted publisher. As an example,members of the development team in your organisation will probably each have their own code signingcertificate, which would all be added to the “Trusted Publishers” store on the domain machines. Alternatively, aspecial domain account might exist specifically for signing code, although one of the advantages of codesigning is to be able to determine the person who signed it.

...

Exam B

QUESTION 1Your network consists of a single Active Directory domain . User accounts for engineering department are located in an OU named Engineering .

You need to create a password policy for the engineerin g department that is different from your domainpassword policy .

What should you do?

A. Create a new GPO. Link the GPO to the Engineering OU.B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the

Engineering OU.C. Create a global security group and add all the user accounts for the engineering department to the group.

Create a new Password Policy Object (PSO) and apply it to the group.D. Create a domain local security group and add all the user accounts for the engineering department to the

group. From the Active Directory Users and Computer console, select the group and run the Delegation ofControl Wizard.


Explanation/Reference:http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/b3d11cd4-897b-4da1-bae1-f1b69441175bComplex Password Policy on an OU

Q: Is it possible to apply a complex password policy to an OU instead of entire domain (Windows 2008 R2). I'munder the impression it can only be applied to either a security group or an individual user.

A1:I beleive you are referering to PSC and PSO. The Password Settings Container (PSC) object class is created by default under the System container in thedomain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or deletethis container.PSOs cannot be applied to organizational units (OUs ) directly . If your users are organized into OUs,consider creating global security groups that conta in the users from these OUs and then applying thenewly defined fine-grained password and account loc kout policies to them . If you move a user fromone OU to another, you must update user memberships in the corresponding global security groups .Groups offer better flexibility for managing various sets of users than OUs.For the fine-grained password and account lockout policies to function properly in a given domain, the domainfunctional level of that domain must be set to Windows Server 2008.Fine-grained password policies apply only to user objects and global security groups. They cannot be applied toComputer objects.For more info, please see below article: http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspxAD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

A2:Here is a link to how you setup find grain password policy... However you can only apply it to a Security Group. http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/

A3:In addition, for fine grated password policy ; you need DLF 2008 and you can apply that policy on a single userand only global security group.Find the step by step info.

http://social.technet.microsoft.com/wiki/contents/articles/4627.aspx

http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/Tutorial: How to setup Default and Fine Grain Password Policy

One strange thing that still seems to catch a lot of people out is that you can only have one password policy foryour user per domain. This catches a lot of people out as they apply a password policy to an OU in their ADthinking that it will apply to all the users in that OU…. but it doesn’t. Microsoft did introduce Fine GrainPassword Policies with Windows Server 2008 however this can only be set based on a security groupmembership and you still need to use the very un-user-friendly ADSI edit tool to make the changes to thepolicy.

Below I will go through how you change the default domain password policy and how you then apply a fine grainpassword policy to your environment. The Good news is setting the default password policy for a domain isreally easy. The Bad news is that setting a fine grain password policy is really hard.

How to set a Default Domain Password Policy

Step 1 . Create a new Group Policy Object at the top level of the domain (e.g. “Domain Password Policy”).

Note: I have elected to create a new GPO at the top of the domain in this case as I always try to avoidmodifying the “Default Domain Policy”, see references below.

Reference:http://technet.microsoft.com/en-us/library/cc736813(WS.10).aspxTechNet: Linking GPOs

If you need to modify some of the settings contained in the Default Domain Policy GPO, it isrecommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option.

http://technet.microsoft.com/en-us/library/cc779159(WS.10).aspxTechNet: Establishing Group Policy Operational Guidelines

Do not modify the default domain policy or default domain controller policy unless necessary. Instead,create a new GPO at the domain level and set it to override the default settings in the default policies.

Step 2 . Edit the “Domain Password Policy” GPO and go to Computer Configurations>Policies>WindowsSettings>Security Settings>Account Policy>Password Policy and configured the password policies settings tothe configuration you desire.

Step 3 . Once you have configured the password policy settings make the “Domain Password Policy” GPO thehighest in the Linked GPO processing order.

TIP: Make sure you inform all your users when you are going to do this as it may trigger them to change theirpassword the next time they logon.

Done… told you it was easy….

Note: Even if you apply the password policies to the “Domain Controllers” OU it will not modify the domain’spassword policy. As far as I know this is the only exception to the rule as to how GPO’s apply to objects. As youcan see in the image below the “Minimum password length” in the “Domain Password Policy” GPO is stillapplied to the domain controller even though I have another GPO linking to the “Domain Controllers” OUconfiguration the same setting.

For a better explanation as to why the GPO that is linked to the Domain and not the Domain Controllers is usedfor the password policy for all users check out Jorge’s Quest for Knowledge! – Why GPOs with Password andAccount Lockout Policy Settings must be linked to the AD domain object to be affective on AD domain useraccounts (http://blogs.dirteam.com/blogs/jorge/archive/2008/12/16/why-gpos-with-password-and-account-lockout-policy-settings-must-be-linked-to-the-ad-domain-object-to-be-affective-on-ad-domain-user-accounts.aspx)

How to set a Fine Grain Password Policy

Fine Grain Password Policies (FGPP) were introduced as a new feature of Windows Server 2008. Before thisthe only way to have different password polices for the users in your environment was to have separatedomains… OUCH!

Pre-Requisites/Restrictions

You domain must be Windows Server 2008 Native Mode, this means ALL of your domain controllers must berunning Windows Server 2008 or later. You can check this by selection the “Raise domain functional level” onthe top of the domain in Active Directory Users and Computers.

Referencehttp://technet.microsoft.com/en-us/library/cc770394(WS.10).aspxAD DS: Fine-Grained Password Policies

The domain functional level must be Windows Server 2008.

The other restriction with this option is that you can only apply FGPP to users object or users in global securitygroups (not computers).

Referencehttp://technet.microsoft.com/en-us/library/cc770394(WS.10).aspxAD DS: Fine-Grained Password Policies

Fine-grained password policies apply only to user objects … and global security groups.

TIP: If you setup an “Automatic Shadow Group (http://policelli.com/blog/archive/2008/01/15/manage-shadow-groups-in-windows-server-2008/)” you can apply these password policies to users automatically to any userslocated in an OU.

Creating a Password Setting Object (PSO)

Step 1 . Under Administrator Tools Open ADSI Edit and connect it to a domain and domain controller you wantto setup the new password policy.

Note: If you do not see this option go to “Turn Windows Features On or Off” and make sure the “AD DS and ADLDS Tools” are installed. (You will need RSAT also installed if you are on Windows 7).\

Step 2 . Double click on the “CN=DomainName” then double click on “CN=System” and then double click on“CN=Password Settings Container”.

Step 3 . Right click on “CN=Password Settings Container” and then click on “New” then “Object…”

Step 4 . Click on “Next”

Step 5 . Type the name of the PSO in the “Value” field and then click “Next”

Note: With the exception of the password length the following values are all the same as the default values inthe “Default Domain Policy”.

Step 6 . Type in a number that will be the Precedence for this Password Policy then click “Next”.

Note: This is used if a users has multiple Password Settings Object (PSO) applied to them.

Step 7 . Type “FALSE” in the value field and click “Next”

Note: You should almost never use “TRUE” for this setting.

Step 8 . Type “24” in the “Value” field and click “Next”

Step 9 . Type “TRUE” in the “Value” field and click “Next”


Step 11 . Type “1:00:00:00” in the “Value” field and click “Next”



Step 14 . Type “0:00:30:00” field and click “Next”


Step 16 . Click “Finish”

You have now created the Password Settings Object (PSO) and you can close the ADSIEdit tool.

Now to apply the PSO to a users or group…

Step 17 . Open Active Directory Users and Computers and navigate to “System > Password SettingsContainer”

Note: Advanced Mode needs to be enabled.

Step 18 . Double click on the PSO you created then click on the “Attribute Editor” tab and then select the“msDS-PSOAppliedTo” attribute and click “Edit”

Step 19 . Click “Add Windows Accounts….” button.

Step 20 . Select the user or group you want to apply this PSO and click “OK”

Step 21 . Click “OK”

Step 22 . Click “OK”

And your are done… (told you it was hard).

Fine Grain Password Policies as you can see are very difficult to setup and manage so it is probably best youuse them sparingly in your organisation… But if you really have to have a simple password or extra complicatedpassword then at least it give you away to do this without having to spin up another domain.

QUESTION 2Your network contains an Active Directory domain . The domain contains two domain controllers named DC1 and DC2.

DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the zone . DC2 hosts a standard secondary DNS zone for the domain.

You need to configure DNS to allow only secure dynamic updates .


A. On DC1 and DC2, configure a trust anchor.B. On DC1 and DC2, configure a connection security rule.C. On DC1, configure the zone transfer settings.D. On DC1, configure the zone to be stored in Active Directory.


Explanation/Reference:http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/Configuring DNS Server for Secure Only Dynamic Updates

About Dynamic Updates

During the installation of Active Directory Domain Services on Windows Server 2008 R2, the installationprocess automatically installs the DNS server on the computer, in case it does not already exist in the network.After the successful installation of Active Directory Domain Services, the DNS server is by default configured toautomatically update the records of only the domain client computers as soon as it receives the registrationrequest from them. This automatic update of DNS records in the DNS database is technically known as‘Dynamic Updates’.

Types of DNS Updates

Dynamic updates that DNS server in Windows Server 2008 R2 supports include: Nonsecure and Secure – When this type of dynamic update is selected, any computer can sendregistration request to the DNS server. The DNS server in return automatically adds the record of therequesting computer in the DNS database, even if the computer does not belong to the same DNS domain.Although this configuration remarkably reduces administrative overhead, this setting is not recommendedfor the organizations that have highly sensitive information available in the computers. Secure only – When this type of dynamic update is selected, only the computers that are members of theDNS domain can register themselves with the DNS server. The DNS server automatically rejects therequests from the computers that do not belong to the domain. This protects the DNS server from gettingautomatically populated with records of unwanted, suspicious and/or fake computers. None – When this option is selected, the DNS server does not accept any registration request from anycomputers whatsoever. In such cases, DNS administrators must manually add the IP addresses and theFully Qualified Domain Names (FQDNs) of the client computers to the DNS database.

In most production environments, systems administrators configure Secure Only dynamic updates for DNS.This remarkably reduces the security risks by allowing only the authentic domain client computers to registerthemselves with the DNS server automatically, and decreases the administrative overhead at the same time.

However in some scenarios, administrators choose to have non-Active Directory integrated zone to staycompliant with the policies of the organization. This configuration is not at all recommended because it does notallow administrators to configure DNS server for Secure only updates, and it does not allow the DNS databaseto get replicated automatically to the other DNS servers along with the Active Directory replication process.When DNS zone is not Active Directory integrated, DNS database replication process must be performedmanually by the administrators.

Configure Secure Only Dynamic Updates in Windows Server 2008 R2 DNS Server

To configure Secure Only dynamic DNS updates in Windows Server 2008 R2, administrators must follow thesteps given as below:

1. Log on to Windows Server 2008 R2 DNS server computer with the domain admin or enterprise adminaccount on which ‘Secure only’ dynamic updates are to be configured.2. On the desktop screen, click Start.3. From the Start menu, go to Administrator Tools > DNS.4. On DNS Manager snap-in, from the console tree in the left, double-click to expand the DNS server name.5. From the expanded list, double-click Forward Lookup Zones.6. From the displayed zones list, right-click the DNS zone on which secure only dynamic updates are to beconfigured.7. From the displayed context menu, click Properties.

8. On the zone’s properties box, make sure that the General tab is selected.9. On the selected tab, choose Secure only option from the Dynamic updates drop-down list.Note: Secure only option is available only if the DNS zon e is Active Directory integrated .

Secure Only Dynamic Update

10. Click OK to apply the modified changes.11. Close DNS Manager snap-in when done.

QUESTION 3Your network contains a domain controller that has two network connections named Internal and Private .

Internal has an IP address of 192.168.0.20 . Private has an IP address of 10.10.10.5 .

You need to prevent the domain controller from register ing Host (A) records for the 10.10.10.5 IPaddress .

What should you do?

A. Modify the netlogon.dns file on the domain controller.B. Modify the Name Server settings of the DNS zone for the domain.C. Modify the properties of the Private network connection on the domain controller.D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.


Explanation/Reference:http://support.microsoft.com/kb/2023004Steps to avoid registering unwanted NIC(s) in DNS on a Mulithomed Domain Controller

Symptoms

On Domain Controllers with more than one NIC where each NIC is connected to separate Network, there is apossibility that the Host A DNS registration can occur for unwanted NIC(s).If the client queries for DC’s DNS records and gets an unwanted record or the record of a different networkwhich is not reachable to client, the client will fail to contact the DC causing authentication and many otherissues.

Cause

The DNS server will respond to the query in a round robin fashion. If the DC has multiple NICs registered inDNS. The DNS will serve the client with all the records available for that DC.

To prevent this, we need to make sure the unwanted NIC address is not registered in DNS.

Below are the services that are responsible for Host A record registration on a DC 1. Netlogon service 2. DNS server service (if the DC is running DNS server service) 3. DHCP client /DNS client (2003/2008)

If the NIC card is configured to register the connection address in DNS, then the DHCP /DNS client service will

Register the record in DNS. Unwanted NIC should be configured not to register the connection address in DNS

If the DC is running DNS server service, then the DNS service will register the interface Host A record that ithas set to listen on. The Zone properties, “Name server” tab list out the IP addresses of interfaces present onthe DC. If it has listed both the IPs, then DNS server will register Host A record for both the IP addresses.

We need to make sure only the required interface listens for DNS and the zone properties, name server tabhas required IP address information

Resolution

To avoid this problem perform the following 3 steps (It is important that you follow all the steps to avoid theissue).

1. Under Network Connections Properties : On the Unwanted NIC TCP/IP Properties -> Advanced -> DNS - >Uncheck "Register this connections Address in DNS"2. Open the DNS server console: highlight the server on the left pane Action-> Properties and on the"Interfaces" tab select "listen on only the following IP addresses". Remove unwanted IP address from the list3. On the Zone properties, select Name server tab. Along with FQDN of the DC, you will see the IP addressassociated with the DC. Remove unwanted IP address if it is listed.

After performing this delete the existing unwanted Host A record of the DC.

QUESTION 4Your network contains an Active Directory forest named contoso.com . You plan to add a new domain named nwtraders.com to the forest .

All DNS servers are domain controllers .

You need to ensure that the computers in nwtraders.com can update their Host (A) records on any ofthe DNS servers in the forest .

What should you do?

A. Add the computer accounts of all the domain controllers to the DnsAdmins group.B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group.C. Create a standard primary zone on a domain controller in the forest root domain.D. Create an Active Directory-integrated zone on a domain controller in the forest root domain.


Explanation/Reference:???

QUESTION 5Your network contains an Active Directory domain named contoso.com . The domain contains a domain controller named DC1. DC1 hosts a standard primary zone for contoso.com .

You discover that non-domain member computers register records in the contoso.com zone .

You need to prevent the non-domain member computers fro m registering records in the contoso.comzone .

All domain member computers must be allowed to regi ster records in the contoso.com zone .


A. Configure a trust anchor.B. Run the Security Configuration Wizard (SCW).C. Change the contoso.com zone to an Active Directory-integrated zone.D. Modify the security settings of the %SystemRoot%\System32\Dns folder.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772746%28v=ws.10%29.aspxActive Directory-Integrated Zones

DNS servers running on domain controllers can store their zones in Active Directory. In this way, it is notnecessary to configure a separate DNS replication topology that uses ordinary DNS zone transfers, because allzone data is replicated automatically by means of Active Directory replication. This simplifies the process ofdeploying DNS and provides the following advantages:

Multiple masters are created for DNS replication. Therefore: Any domain controller in the domain running the DNS server service can write updates to the ActiveDirectory–integrated zones for the domain name for which they are authoritative. A separate DNS zone transfertopology is not needed.

Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control whichcomputers update which names, and prevent unauthorized computers from overwriting existing names inDNS

QUESTION 6Your network contains an Active Directory domain named contoso.com .

You create a GlobalNames zone . You add an alias (CNAME) resource record named Server1 to the zone . The target host of the record is server2.contoso.com .

When you ping Server1 , you discover that the name fails to resolve .You successfully resolve server2.contoso.com .

You need to ensure that you can resolve names by using the GlobalNames zone .

What should you do?

A. From the command prompt, use the netsh tool.B. From the command prompt, use the dnscmd tool.C. From DNS Manager, modify the properties of the GlobalNames zone.D. From DNS Manager, modify the advanced settings of the DNS server.



Enable GlobalNames zone supportThe GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitlyenabled by using the following command on every authoritative DNS server in the forest:

dnscmd <ServerName> /config /enableglobalnamessuppo rt 1

QUESTION 7Your company has a main office and a branch office .

The network contains an Active Directory domain named contoso.com .

The DNS zone for contoso.com is configured as an Active Directory-integrated zone and is replicated toall domain controllers in the domain .

The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers .

You uninstall the DNS server role from RODC1 .

You need to prevent DNS records from replicating to ROD C1.

What should you do?

A. Modify the replication scope for the contoso.com zone.B. Flush the DNS cache and enable cache locking on RODC1.C. Configure conditional forwarding for the contoso.com zone.D. Modify the zone transfer settings for the contoso.com zone.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc754916.aspxChange the Zone Replication Scope

You can use the following procedure to change the replication scope for a zone. Only Active Directory DomainServices (AD DS)–integrated primary and stub forward lookup zones can change their replication scope.Secondary forward lookup zones cannot change their replication scope.

http://technet.microsoft.com/en-us/library/cc772101.aspxUnderstanding DNS Zone Replication in Active Directory Domain Services

You can store Domain Name System (DNS) zones in the domain or application directory partitions of ActiveDirectory Domain Services (AD DS). A partition is a data structure in AD DS that distinguishes data for differentreplication purposes.

The following table describes the available zone replication scopes for AD DS-integrated DNS zone data.

When you decide which replication scope to choose, consider that the broader the replication scope, thegreater the network traffic caused by replication. For example, if you decide to have AD DS–integrated DNSzone data replicated to all DNS servers in the forest, this will produce greater network traffic than replicating theDNS zone data to all DNS servers in a single AD DS domain in that forest.

AD DS-integrated DNS zone data that is stored in an application directory partition is not replicated to the globalcatalog for the forest. The domain controller that contains the global catalog can also host application directorypartitions, but it will not replicate this data to its global catalog.

AD DS-integrated DNS zone data that is stored in a domain partition is replicated to all domain controllers in itsAD DS domain, and a portion of this data is stored in the global catalog. This setting is used to supportWindows 2000.

If an application directory partition's replication scope replicates across AD DS sites, replication will occur withthe same intersite replication schedule as is used for domain partition data.

By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for theapplication directory partitions that are hosted on a domain controller in the same manner as it registers domaincontroller locator (Locator) DNS resource records for the domain partition that is hosted on a domain controller.


The domain contains the servers shown in the following table.

The functional level of the forest is Windows Server 2003 . The functional level of the domain is Windows Server 2003 .

DNS1 and DNS2 host the contoso.com zone .

All client computers run Windows 7 Enterprise .

You need to ensure that all of the names in the contoso .com zone are secured by using DNSSEC .


A. Change the functional level of the forest.B. Change the functional level of the domain.C. Upgrade DC1 to Windows Server 2008 R2.D. Upgrade DNS1 to Windows Server 2008 R2.


Explanation/Reference:http://technet.microsoft.com/en-us/library/ee683904%28v=ws.10%29.aspxDNS Security Extensions (DNSSEC)

What are the major changes?

Support for Domain Name System Security Extensions (DNSSEC) is introduced in Windows Server®2008 R2 and Windows® 7 . With Windows Server 2008 R2 DNS server, you can now sign and host DNSSEC-signed zones to provide security for your DNS infrastructure.

The following changes are available in DNS server in Windows Server 2008 R2: Ability to sign a zone and host signed zones. Support for changes to the DNSSEC protocol. Support for DNSKEY, RRSIG, NSEC, and DS resource records.

The following changes are available in DNS client in Windows 7: Ability to indicate knowledge of DNSSEC in queries. Ability to process the DNSKEY, RRSIG, NSEC, and DS resource records. Ability to check whether the DNS server with which it communicated has performed validation on theclient’s behalf.

The DNS client’s behavior with respect to DNSSEC is controlled through the Name Resolution Policy Table(NRPT), which stores settings that define the DNS client’s behavior. The NRPT is typically managed throughGroup Policy.

What does DNSSEC do?

DNSSEC is a suite of extensions that add security t o the DNS protocol . The core DNSSEC extensions arespecified in RFCs 4033, 4034, and 4035 and add origin authority, data integrity, and authenticated denial ofexistence to DNS. In addition to several new concepts and operations for both the DNS server and the DNSclient, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS.

In short, DNSSEC allows for a DNS zone and all the records in the zone to be cryptographically signed .When a DNS server hosting a signed zone receives a query, it returns the digital signatures in addition to therecords queried for. A resolver or another server can obtain the public key of the public/private key pair andvalidate that the responses are authentic and have not been tampered with. In order to do so, the resolver orserver must be configured with a trust anchor for the signed zone, or for a parent of the signed zone.

..

QUESTION 9Your network contains a domain controller that is configured as a DNS server . The server hosts an Active Directory-integrated zone for the domain .

You need to reduce how long it takes until stale record s are deleted from the zone .

What should you do?

A. From the configuration directory partition of the forest, modify the tombstone lifetime.B. From the configuration directory partition of the forest, modify the garbage collection interval.C. From the aging properties of the zone, modify the no-refresh interval and the refresh interval.D. From the start of authority (SOA) record of the zone, modify the refresh interval and the expire interval.



http://technet.microsoft.com/en-us/library/cc816625%28v=ws.10%29.aspxSet Aging and Scavenging Properties for a Zone

The DNS Server service supports aging and scavenging features. These features are provided as amechanism for performing cleanup and removal of stale resource records, which can accumulate in zone dataover time.

You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNSManager snap-in or the dnscmd command-line tool.

To set aging and scavenging properties for a zone using the Windows interface1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click

DNS.2. In the console tree, right-click the applicable zone, and then click Properties.3. On the General tab, click Aging.4. Select the Scavenge stale resource records check box.5. Modify other aging and scavenging properties as needed.

To set aging and scavenging properties for a zone using a command line1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All

Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.2. At the command prompt, type the following command, and then press ENTER:

dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}

QUESTION 10You have an Active Directory domain named contoso.com . You have a domain controller named Server1 that is configured as a DNS server . Server1 hosts a standard primary zone for contoso.com .

The DNS configuration of Server1 is shown below:

You discover that stale resource records are not automa tically removed from the contoso.com zone . You need to ensure that the stale resource records are automatically removed from the contoso.comzone .

What should you do?

A. Set the scavenging period of Server1 to 0 days.B. Modify the Server Aging/Scavenging properties.C. Configure the aging properties for the contoso.com zone.D. Convert the contoso.com zone to an Active Directory-integrated zone.












You remove several computers from the network .

You need to ensure that the host (A) records for the re moved computers are automatically deleted fromthe contoso.com DNS zone .

What should you do?

A. Configure dynamic updates.B. Configure aging and scavenging.C. Create a scheduled task that runs the Dnscmd /ClearCache command.D. Create a scheduled task that runs the Dnscmd /ZoneReload contoso.com command.











QUESTION 12You need to force a domain controller to register all s ervice location (SRV) resource records in DNS .

Which command should you run?

A. ipconfig.exe /registerdnsB. net.exe stop dnscache & net.exe start dnscacheC. net.exe stop netlogon & net.exe start netlogonD. regsvr32.exe dnsrslvr.dll



The SRV resource records for a domain controller are important in enabling clients to locate the domaincontroller. The Netlogon service on domain controllers registers this resource record whenever a domaincontroller is restarted. You can also re-register a domain controller’s SRV resource records by restarting thisservice from the Services branch of Server Manager or by typing net start netlogon . An exam questionmight ask you how to troubleshoot the nonregistration of SRV resource records.


You plan to deploy a child domain named sales.contoso.c om .

The domain controllers in sales.contoso.com will be DNS servers for sales.contoso.com .

You need to ensure that users in contoso.com can connec t to servers in sales.contoso.com by usingfully qualified domain names (FQDNs) .

What should you do?

A. Create a DNS forwarder.B. Create a DNS delegation.C. Configure root hint servers.D. Configure an alternate DNS server on all client computers.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc784494%28v=ws.10%29.aspxDelegating zones

DNS provides the option of dividing up the namespace into one or more zones, which can then be stored,distributed, and replicated to other DNS servers. When deciding whether to divide your DNS namespace tomake additional zones, consider the following reasons to use additional zones:

A need to delegate management of part of your DNS namespace to another location or department withinyour organization. A need to divide one large zone into smaller zones for distributing traffic loads among multiple servers,improve DNS name resolution performance, or create a more fault-tolerant DNS environment. A need to extend the namespace by adding numerous subdomains at once, such as to accommodate theopening of a new branch or site.

If, for any of these reasons, you could benefit from delegating zones, it might make sense to restructure yournamespace by adding additional zones. When choosing how to structure zones, you should use a plan thatreflects the structure of your organization.

When delegating zones within your namespace, be aware that for each new zone you create, you will needdelegation records in other zones that point to the authoritative DNS servers for the new zone. This isnecessary both to transfer authority and to provide correct referral to other DNS servers and clients of the newservers being made authoritative for the new zone.

When a standard primary zone is first created, it is stored as a text file containing all resource recordinformation on a single DNS server. This server acts as the primary master for the zone. Zone information canbe replicated to other DNS servers to improve fault tolerance and server performance.

When structuring your zones, there are several good reasons to use additional DNS servers for zonereplication:1. Added DNS servers provide zone redundancy, enabling DNS names in the zone to be resolved for clients

if a primary server for the zone stops responding.2. Added DNS servers can be placed so as to reduce DNS network traffic. For example, adding a DNS

server to the opposing side of a low-speed WAN link can be useful in managing and reducing networktraffic.

3. Additional secondary servers can be used to reduce loads on a primary server for a zone.

Example: Delegating a subdomain to a new zone

As shown in the following figure, when a new zone for a subdomain (example.microsoft.com) is created,delegation from the parent zone (microsoft.com) is needed.

In this example, an authoritative DNS server computer for the newly delegated example.microsoft.comsubdomain is named based on a derivative subdomain included in the new zone(ns1.us.example.microsoft.com). To make this server known to others outside of the new delegated zone, twoRRs are needed in the microsoft.com zone to complete delegation to the new zone.

These RRs include: An NS RR to effect the delegation. This RR is used to advertise that the server namedns1.us.example.microsoft.com is an authoritative server for the delegated subdomain. An A RR (also known as a glue record) is needed to resolve the name of the server specified in the NSRR to its IP address. The process of resolving the host name in this RR to the delegated DNS server in theNS RR is sometimes referred to as glue chasing.

Note When zone delegations are correctly configured, normal zone referral behavior can sometimes becircumvented if you are using forwarders in your DNS server configuration.

QUESTION 14Your network contains a single Active Directory domain named contoso.com . The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2 . DC1 hosts a primary zone for contoso.com . DC2 hosts a secondary zone for contosto.com .

On DC1, you change the zone to an Active Directory-integrated z one and configure the zone to acceptsecure dynamic updates only .

You need to ensure that DC2 can accept secure dynamic u pdates to the contoso.com zone .


A. dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.comB. dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimary

C. dnslint.exe /qlD. repadmin.exe /syncall /force


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx#BKMK_29Dnscmd

A command-line interface for managing DNS servers. This utility is useful in scripting batch files to helpautomate routine DNS management tasks, or to perform simple unattended setup and configuration of newDNS servers on your network.

dnscmd /zoneresettype Changes the zone type.

Syntax

dnscmd [<ServerName>] /zoneresettype <ZoneName> <ZoneType> [/overwrite_mem | /overwrite_ds]

Parameters

<ServerName> Specifies the DNS server to manage, represented by local computer syntax, IP address, FQDN, or hostname. If this parameter is omitted, the local server is used.

<ZoneName> Identifies the zone on which the type will be changed.

<ZoneType> Specifies the type of zone to create. Each type has different required parameters:

/dsprimary Creates an Active Directory–integrated zone .

/primary /file <FileName> Creates a standard primary zone.

/secondary <MasterIPAddress> [,<MasterIPAddress>...] Creates a standard secondary zone.

/stub <MasterIPAddress>[,<MasterIPAddress>...] /file <FileName> Creates a file-backed stub zone.

/dsstub <MasterIPAddress>[,<MasterIPAddress>...] Creates an Active Directory–integrated stub zone.

/forwarder <MasterIPAddress[,<MasterIPAddress>]... /file<FileName> Specifies that the created zone forwards unresolved queries to another DNS server.

/dsforwarder Specifies that the created Active Directory–integrated zone forwards unresolved queries to another DNSserver.

/overwrite_mem | /overwrite_ds Specifies how to overwrite existing data:

/overwrite_mem Overwrites DNS data from data in AD DS.

/overwrite_ds Overwrites existing data in AD DS.

Remarks

Setting the zone type as /dsforwarder creates a zone that performs conditional forwarding.


You run nslookup.exe as shown in the following Command Prompt window:

You need to ensure that you can use Nslookup to list al l of the service location (SRV) resource recordsfor contoso.com .

What should you modify?

A. the root hints of the DNS serverB. the security settings of the zoneC. the Windows Firewall settings on the DNS serverD. the zone transfer settings of the zone


Explanation/Reference:http://www.c3.hu/docs/oreilly/tcpip/dnsbind/ch11_07.htm11.7 Troubleshooting nslookup Problems

11.7.4 Query RefusedRefused queries can cause problems at startup, and they can cause lookup failures during a session. Here'swhat it looks like when nslookup exits on startup because of a refused query:

% nslookup *** Can't find server name for address 192.249.249.3: Query refused *** Default servers are not available %

This one has two possible causes. Either your name server does not support inverse queries (older nslookupsonly), or zone security is stopping the lookup .

Zone security is not limited to causing nslookup to fail to start up. It can also cause lookups and zonetransfers to fail in the middle of a session when you point nslookup to a remote name server. This is what youwill see:

% nslookup Default Server: hp.com

Address: 15.255.152.4

> server terminator.movie.edu Default Server: terminator.movie.edu Address: 192.249.249.3

> carrie.movie.edu. Server: terminator.movie.edu Address: 192.249.249.3

*** terminator.movie.edu can't find carrie.movie.edu.: Query refused

> ls movie.edu - This attempts a zone transfer [terminator.movie.edu] *** Can't list domain movie.edu: Query refused >


The contoso.com DNS zone is stored in Active Directory . All domain controllers run Windows Server 2008 R2 .

You need to identify if all of the DNS records used for Active Directory replication are correctlyregistered .

What should you do?

A. From the command prompt, use netsh.exe.B. From the command prompt, use dnslint.exe.C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.D. From the Active Directory Module for Windows PowerShell, run the Get-ADDomainController cmdlet.


Explanation/Reference:Reference:http://technet.microsoft.com/en-us/library/dd197560.aspx

Dnslint.exeDNSLint is a Microsoft Windows tool that can be used to help diagnose common DNS name resolution issues.It can be targeted to look for specific DNS record sets and ensure that they are consistent across multiple DNSservers. It can also be used to verify that DNS records used specifically for Active Directory replication arecorrect.

QUESTION 17Your network contains an Active Directory forest . The forest contains one domain and three sites . Each site contains two domain controllers . All domain controllers are DNS servers .

You create a new Active Directory-integrated zone .

You need to ensure that the new zone is replicated to t he domain controllers in only one of the sites .


A. Modify the NTDS Site Settings object for the site.B. Modify the replication settings of the default site link.C. Create an Active Directory connection object.D. Create an Active Directory application directory partition.


Explanation/Reference:Practically the same question as A/Q50 and K/Q17, different set of answers.

To control which servers get a copy of the zone we have to store the zone in an application directory partition.That application directory partition must be created before we create the zone, otherwise it won't work. So that'swhat we have to do first. Directory partitions are also called naming contexts and we can create one usingntdsutil .



Store Data in an AD DS Application PartitionYou can store Domain Name System (DNS) zones in the domain or application directory partitions of ActiveDirectory Domain Services (AD DS). An application directory partition is a data structure in AD DS thatdistinguishes data for different replication purposes. When you store a DNS zone in an application directo rypartition, you can control the zone replication sco pe by controlling the replication scope of the

application directory partition.









QUESTION 18Your network contains a single Active Directory forest . The forest contains two domains named contoso.com and sales.contoso.com .

The domain controllers are configured as shown in the following table:

All domain controllers run Windows Server 2008 R2 . All zones are configured as Active Directory- integrated zones .

You need to ensure that contoso.com records are availab le on DC3 .


A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domainB. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forestC. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domainD. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest



http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx#BKMK_23Dnscmd

A command-line interface for managing DNS servers. This utility is useful in scripting batch files to helpautomate routine DNS management tasks, or to perform simple unattended setup and configuration of newDNS servers on your network.

dnscmd /zonechangedirectorypartition

Changes the directory partition on which the specif ied zone resides.

Syntax

dnscmd [<ServerName>] /zonechangedirectorypartition <ZoneName>] {[<NewPartitionName>] |[<ZoneType>] }

Parameters

<ServerName> Specifies the DNS server to manage, represented by IP address, FQDN, or host name. If this parameter isomitted, the local server is used.

<ZoneName> The FQDN of the current directory partition on which the zone resides.

<NewPartitionName> The FQDN of the directory partition that the zone will be moved to.

<ZoneType> Specifies the type of directory partition that the zone will be moved to.

/domain Moves the zone to the built-in domain directory partition.

/forest Moves the zone to the built-in forest direc tory partition.

/legacy Moves the zone to the directory partition that is created for pre–Active Directory domain controllers. Thesedirectory partitions are not necessary for native mode.

QUESTION 19You have a DNS zone that is stored in a custom application directory partition .

You install a new domain controller .

You need to ensure that the custom application director y partition replicates to the new domaincontroller .

What should you use?

A. the Active Directory Administrative Center consoleB. the Active Directory Sites and Services consoleC. the DNS Manager consoleD. the Dnscmd tool



dnscmd /enlistdirectorypartitionAdds the DNS server to the specified directory partition's replica set.

QUESTION 20Your network contains an Active Directory domain named contoso.com . All domain controllers run Windows Server 2008 R2 . The functional level of the domain is Windows Server 2008 R2 . The functional level of the forest is Windows Server 2008 .

You have a member server named Server1 that runs Windows Server 2008 .

You need to ensure that you can add Server1 to contoso. com as a domain controller .

What should you run before you promote Server1?

A. dcpromo.exe /CreateDCAccountB. dcpromo.exe /ReplicaOrNewDomain:replicaC. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008DomainD. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest


Explanation/Reference:Reference:http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels.aspx

After you set the domain functional level to a certain value in Windows Server 2008 R2, you cannot roll back orlower the domain functional level, with one exception: when you raise the domain functional level to WindowsServer 2008 R2 and if the forest functional level is Windows Server 2008 or lower, you have the option of rollingthe domain functional level back to Windows Server 2008. You can lower the domain functional level only fromWindows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server2008 R2, it cannot be rolled back, for example, to Windows Server 2003.

QUESTION 21Your network contains an Active Directory forest . The forest contains a single domain .

You want to access resources in a domain that is locat ed in another forest .

You need to configure a trust between the domain in you r forest and the domain in the other forest .

What should you create?

A. an incoming external trustB. an incoming realm trustC. an outgoing external trustD. an outgoing realm trust



A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at thetime that you run the New Trust Wizard) to access resources in another Active Directory domain (outside yourforest).

QUESTION 22Your network contains two Active Directory forests . One forest contains two domains named contoso.com and na.contoso.com . The other forest contains a domain named nwtraders.com . A forest trust is configured between the two forests .

You have a user named User1 in the na.contoso.com domain. User1 reports that he fails to log on to a computer in the nwtraders.c om domain by using the user nameNA\User1 .Other users from na.contoso.com report that they ca n log on to the computers in the nwtraders.comdomain .

You need to ensure that User1 can log on to the compute r in the nwtraders.com domain .

What should you do?

A. Enable selective authentication over the forest trust.B. Create an external one-way trust from na.contoso.com to nwtraders.com.C. Instruct User1 to log on to the computer by using his user principal name (UPN).D. Instruct User1 to log on to the computer by using the user name nwtraders\User1.


Explanation/Reference:http://apttech.wordpress.com/2012/02/29/what-is-upn-and-why-to-use-it/What is UPN and why to use it?

UPN or User Principal Name is a logon method of authentication when you enter the credentials [email protected] instead of Windows authentication method: domainname\username to be usedas login.So UPN is BASICALLY a suffix that is added after a username which can be used in place of “Samaccount”name to authenticate a user. So lets say your company is called ABC, then instead of ABC\Username you canuse [email protected] at the authentication popup.

The additional UPN suffix can help users to simplify the logon information in long domain names with an easiername. Example: instead of “[email protected]”, change it to“username@atlanta”, if you create an UPN suffix called Atlanta.

http://blogs.technet.com/b/mir/archive/2011/06/12/accessing-resources-across-forest-and-achieve-single-sign-on-part1.aspxAccessing Resources across forest and achieve Single Sign ON (Part1)

http://technet.microsoft.com/en-us/library/cc772808%28v=ws.10%29.aspxAccessing resources across forests

...When a forest trust is first established, each forest collects all of the trusted namespaces in its partner forestand stores the information in a TDO. Trusted namespaces include domain tree names, user principal name(UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces used in the otherforest. TDO objects are replicated to the global catalog....

QUESTION 23Your company has a main office and a branch office .The main office contains two domain controllers .

You create an Active Directory site named BranchOfficeSite . You deploy a domain controller in the branch office , and then add the domain controller to theBranchOfficeSite site .

You discover that users in the branch office are random ly authenticated by either the domain controllerin the branch office or the domain controllers in t he main office .

You need to ensure that the users in the branch office always attempt to authenticate to the domaincontroller in the branch office first .

What should you do?

A. Create organizational units (OUs).B. Create Active Directory subnet objects.C. Modify the slow link detection threshold.D. Modify the Location attribute of the computer objects.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc754697.aspxUnderstanding Sites, Subnets, and Site Links

Sites overview

Sites in AD DS represent the physical structure, or topology, of your network. AD DS uses network topologyinformation, which is stored in the directory as site, subnet, and site link objects, to build the most efficientreplication topology. The replication topology itself consists of the set of connection objects that enable inboundreplication from a source domain controller to the destination domain controller that stores the connectionobject. The Knowledge Consistency Checker (KCC) creates these connection objects automatically on eachdomain controller.

..Associating sites and subnets

A subnet object in AD DS groups neighboring computers in much the same way that postal codes groupneighboring postal addresses. By associating a site with one or more subnets, you assign a set of IP addresses

to the site.

NoteThe term "subnet" in AD DS does not have the strict networking definition of the set of all addressesbehind a single router. The only requirement for an AD DS subnet is that the address prefix conforms tothe IP version 4 (IPv4) or IP version 6 (IPv6) format.

When you add the Active Directory Domain Services server role to create the first domain controller in a forest,a default site (Default-First-Site-Name) is created in AD DS. As long as this site is the only site in the directory,all domain controllers that you add to the forest are assigned to this site. However, if your forest will havemultiple sites, you must create subnets that assign IP addresses to Default-First-Site-Name as well as to alladditional sites.

..Locating domain controllers by site

Domain controllers register service (SRV) resource records in Domain Name System (DNS) that identify theirsite names. Domain controllers also register host (A) resource records in DNS that identify their IP addresses.When a client requests a domain controller, it prov ides its site name to DNS. DNS uses the site name t olocate a domain controller in that site (or in the next closest site to the client). DNS then provides the IPaddress of the domain controller to the client for the purpose of connecting to the domain controller.For this reason, it is important to ensure that the IP address that you assign to a domain controllermaps to a subnet that is associated with the site o f the respective server object. Otherwise, when aclient requests a domain controller, the IP address that is returned might be the IP address of a doma incontroller in a distant site. When a client connect s to a distant site, the result can be slow perform anceand unnecessary traffic on expensive WAN links.

QUESTION 24Your company has a main office and 50 branch offices . Each office contains multiple subnets .

You need to automate the creation of Active Directory s ubnet objects .


A. the Dsadd toolB. the Netsh toolC. the New-ADObject cmdletD. the New-Object cmdlet


Explanation/Reference:http://technet.microsoft.com/en-us/library/ee617260.aspxNew-ADObject

Creates an Active Directory object.

Syntax:New-ADObject [-Name] <string> [-Type] <string> [-AuthType {<Negotiate> | <Basic>}] [-Credential<PSCredential>] [-Description <string>] [-DisplayName <string>] [-Instance <ADObject>] [-OtherAttributes<hashtable>] [-PassThru <switch>] [-Path <string>] [-ProtectedFromAccidentalDeletion <System.Nullable[bool]>] [-Server <string>] [-Confirm] [-WhatIf] [<CommonParameters>]

Detailed Description

The New-ADObject cmdlet creates a new Active Directory object such as a new organizational unit or new useraccount. You can use this cmdlet to create any type of Active Directory object. Many object properties aredefined by setting cmdlet parameters. Properties that are not set by cmdlet parameters can be set by using theOtherAttributes parameter.You must set the Name and Type parameters to create a new Active Directory object. The Name specifies thename of the new object. The Type parameter specifies the LDAP display name of the Active Directory SchemaClass that represents the type of object you want to create. Examples of Type values include computer, group,organizational unit, and user.The Path parameter specifies the container where the object will be created.. When you do not specify the Pathparameter, the cmdlet creates an object in the default naming context container for Active Directory objects inthe domain.

QUESTION 25Your network contains an Active Directory forest . The forest contains multiple sites .

You need to enable universal group membership caching f or a site .

What should you do?

A. From Active Directory Sites and Services, modify the NTDS Settings.B. From Active Directory Sites and Services, modify the NTDS Site Settings.C. From Active Directory Users and Computers, modify the properties of all universal groups used in the site.D. From Active Directory Users and Computers, modify the computer objects for the domain controllers in the

site.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc816797%28v=ws.10%29.aspxEnabling Universal Group Membership Caching in a Site

In a multidomain forest, when a user logs on to a domain, a global catalog server must be contacted todetermine the universal group memberships of the user. A universal group can contain users from otherdomains, and it can be applied to access control lists (ACLs) on objects in all domains in the forest. Therefore,universal group memberships must be ascertained at domain logon so that the user has appropriate access inthe domain and in other domains during the logon session. Only global catalog servers store the membershipsof all universal groups in the forest.

If a global catalog server is not available in the site when a user logs on to a domain, the domain controllermust contact a global catalog server in another site.

In multidomain forests where remote sites do not have a global catalog server, the need to contact a globalcatalog server over a potentially slow wide are network (WAN) connection can be problematic and a user canpotentially be unable to log on to the domain if a global catalog server is not available. You can enableUniversal Group Membership Caching on domain controllers that are running Windows Server 2008 so thatwhen the domain controller contacts a global catalog server for the user’s initial domain logon, the domaincontroller retrieves universal group memberships for the user. On subsequent logon requests by the sameuser, the domain controller uses cached universal group memberships and does not have to contact a globalcatalog server.

To complete this task, perform the following procedure:

http://technet.microsoft.com/en-us/library/cc816928%28v=ws.10%29.aspxEnable Universal Group Membership Caching in a Site

1. Open Active Directory Sites and Services : On the Start menu, point to Administrative Tools, and thenclick Active Directory Sites and Services.

2. In the console tree, expand Sites, and then click the site in which you want to enable Universal GroupMembership Caching.

3. In the details pane, right-click the NTDS Site Settings object, and then click Properties.4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.5. In the Refresh cache from list, click the site that you want the domain controller to contact when the

Universal Group membership cache must be updated, and then click OK.

QUESTION 26You need to ensure that domain controllers only replica te between domain controllers in adjacent sites .

What should you configure from Active Directory Sites and Services?

A. From the IP properties, select Ignore all schedules.B. From the IP properties, select Disable site link bridging.C. From the NTDS Settings object, manually configure the Active Directory Domain Services connection

objects.D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology Generator for each

site.


Explanation/Reference:http://www.omnisecu.com/windows-2003/active-directory/what-is-site-link-bridge.htmWhat is Site Link Bridge and How to create Site Link Bridge

A site link bridge connects two or more site links. A site link bridge enables transitivity between site links. Eachsite link in a bridge must have a site in common with another site link in the bridge.

By default, all site links are transitive and it is recommended to keep transitivity enabled by not changing thedefault value of "Bridge all site links" (enabled by default).

We may need to disable "Bridge all site links" and create a site link bridge design if• When the IP network is not fully routed.• When we need to control the replication flow in Active Directory.

QUESTION 27Your company has a main office and a branch office .

You discover that when you disable IPv4 on a computer i n the branch office, the computerauthenticates by using a domain controller in the m ain office .

You need to ensure that IPv6-only computers authenticat e to domain controllers in the same site .

What should you do?

A. Configure the NTDS Site Settings object.B. Create Active Directory subnet objects.C. Create Active Directory Domain Services connection objects.D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc754697.aspx

Understanding Sites, Subnets, and Site Links

Sites overview

Sites in AD DS represent the physical structure, or topology, of your network. AD DS uses network topologyinformation, which is stored in the directory as site, subnet, and site link objects, to build the most efficientreplication topology. The replication topology itself consists of the set of connection objects that enable inboundreplication from a source domain controller to the destination domain controller that stores the connectionobject. The Knowledge Consistency Checker (KCC) creates these connection objects automatically on eachdomain controller.

..Associating sites and subnets

A subnet object in AD DS groups neighboring computers in much the same way that postal codes groupneighboring postal addresses. By associating a site with one or more subnets, you assign a set of IP addressesto the site.

NoteThe term "subnet" in AD DS does not have the strict networking definition of the set of all addressesbehind a single router. The only requirement for an AD DS subnet is that the address prefix conforms tothe IP version 4 (IPv4) or IP version 6 (IPv6) format.

When you add the Active Directory Domain Services server role to create the first domain controller in a forest,a default site (Default-First-Site-Name) is created in AD DS. As long as this site is the only site in the directory,all domain controllers that you add to the forest are assigned to this site. However, if your forest will havemultiple sites, you must create subnets that assign IP addresses to Default-First-Site-Name as well as to alladditional sites.

QUESTION 28Your network contains an Active Directory domain .

The domain is configured as shown in the following table:

Users in Branch2 sometimes authenticate to a domain controller in Br anch1 .

You need to ensure that users in Branch2 only authentic ate to the domain controllers in Main .

What should you do?

A. On DC3, set the AutoSiteCoverage value to 0.B. On DC3, set the AutoSiteCoverage value to 1.C. On DC1 and DC2, set the AutoSiteCoverage value to 0.D. On DC1 and DC2, set the AutoSiteCoverage value to 1.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc787491%28v=ws.10%29.aspxParameters\AutoSiteCoverage

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Description

Specifies whether the system can add sites to the coverage area of this domain controller.

Domain controllers cover, that is, provide services to, the site in which they reside and to other sites listed in thevalue of the entry SiteCoverage . In addition, when the value of AutoSiteCoverage is 1, the system can addsites that do not have domain controllers to this domain controller's coverage area.

The sites added to the domain controller's coverage are stored in memory, and a new list is assembled eachtime the Net Logon service starts or when Netlogon is notified of the site object changes. While Net Logon runs,it updates this list at an interval specified by the value of the entry DnsRefreshInterval ....

http://technet.microsoft.com/en-us/library/cc749944.aspxPlanning Active Directory for Branch Office

..Disabling AutoSiteCoverage Registration in DNS

Another situation that requires configuration of SRV records results from not having a domain controller in aparticular site. This may happen because there are no users needing constant logon access, or becausereplication to the site might be too expensive or too slow. To ensure that a domain controller can be located inthe site closest to a client computer, if not the same site, Windows 2000 automatically attempts to register adomain controller in every site by using an "autositecoverage" algorithm. The algorithm determines how onesite can "cover" another site when no domain controller exists in the second site. By default, the process usesthe replication topology.

The algorithm works as follows. Each domain controller checks all sites in the forest and then checks thereplication cost matrix. A domain controller advertises itself (registers a site-related SRV record in DNS) in anysite that does not have a domain controller for that domain and for which its site has the lowest-costconnections. This process ensures that every site has a domain controller even though its domain controllermay not be located in that site. The domain controllers that are published in DNS are those from the closest site(as defined by the replication topology).

In the branch office scenario, any computer from other sites should not discover branch office domaincontrollers. A client should always communicate with a local domain controller, and if that is not available, use adomain controller in the hub site. To achieve this:1. Disable AutoSiteCoverage on all of the domain controllers, not only for the branch domain controllers, but

also hub domain controllers.2. Do not register generic records as described above.

If both of these configurations (1. and 2.) are performed, then all-site clients will discover the local domaincontroller if it is available, or its hub domain controller (if no local domain controller is available).

In the unusual scenario when a site with a domain controller for some domain is closer to another site than thecentral hub, the administrator has the ability to configure that domain controller with the specific ("close") sitesto be covered using the following registry values: SiteCoverage, GcSiteCoverage. Alternatively, theadministrator can use the following Group Policy settings:

Sites Covered by the domain controller Locator DNS SRV Records

Sites Covered by the global catalog server Locator DNS SRV Records Sites Covered by the NDNC Locator DNS SRV Records

QUESTION 29Your network contains a single Active Directory domain that has two sites named Site1 and Site2 . Site1 has two domain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4.

DC3 fails .

You discover that replication no longer occurs between the sites .You verify the connectivity between DC4 and the domain controllers in Site1 .

On DC4, you run repadmin.exe /kcc .Replication between the sites continues to fail .

You need to ensure that Active Directory data replicate s between the sites .

What should you do?

A. From Active Directory Sites and Services, modify the properties of DC3.B. From Active Directory Sites and Services, modify the NTDS Site Settings of Site2.C. From Active Directory Users and Computers, modify the location settings of DC4.D. From Active Directory Users and Computers, modify the delegation settings of DC4.


Explanation/Reference:Same question as J/Q10.

By modifying the properties of DC3 we can remove the preferred bridgehead status of DC3.

Reference 1:MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)pages 193, 194

Bridgehead ServersA bridgehead server is the domain controller designated by each site’s KCC to take control of intersitereplication. The bridgehead server receives information replicated from other sites and replicates it to its site’sother domain controllers. It ensures that the greatest portion of replication occurs within sites rather thanbetween them.

In most cases, the KCC automatically decides which domain controller acts as the bridgehead server. However,you can use Active Directory Sites and Services to specify which domain controller will be the preferredbridgehead server by using the following steps:1. In Active Directory Sites and Services , expand the site in which you want to specify the preferred

bridgehead server.2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties .3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want

to designate this server as a preferred bridgehead server and then click Add.

Reference 2:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, December 14 2012)pages 589, 590

Preferred Bridgehead Servers

(...)It’s important to understand that if you have specified one or more bridgehead servers and none of thebridgeheads is available, no other server is automatically selected, and replication does not occur for the siteeven if there are servers that could act as bridgehead servers.

QUESTION 30Your network contains an Active Directory domain . The functional level of the domain is Windows Server 2003 .

The domain contains five domain controllers that run Windows Server 2008 and five domain controllersthat run Windows Server 2008 R2 .

You need to ensure that SYSVOL is replicated by using D istributed File System Replication (DFSR) .


A. Run dfsrdiag.exe PollAD.B. Run dfsrmig.exe /SetGlobalState 0.C. Upgrade all domain controllers to Windows Server 2008 R2.D. Raise the functional level of the domain to Windows Server 2008.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc753479%28v=ws.10%29.aspxDistributed File System

Distributed File System (DFS) Namespaces and DFS Replication offer simplified, highly-available access tofiles, load sharing, and WAN-friendly replication. In the Windows Server® 2003 R2 operating system, Microsoftrevised and renamed DFS Namespaces (formerly called DFS), replaced the Distributed File System snap-inwith the DFS Management snap-in, and introduced the new DFS Replication feature. In the Windows Server®2008 operating system, Microsoft added the Windows Server 2008 mode of domain-based namespaces andadded a number of usability and performance improvements.

What does Distributed File System (DFS) do?

The Distributed File System (DFS) technologies offer wide area network (WAN)-friendly replication as well assimplified, highly-available access to geographically dispersed files. The two technologies in DFS are thefollowing:

DFS Namespaces . Enables you to group shared folders that are located on different servers into one ormore logically structured namespaces. Each namespace appears to users as a single shared folder with aseries of subfolders. This structure increases availability and automatically connects users to shared foldersin the same Active Directory Domain Services site, when available, instead of routing them over WANconnections.DFS Replication . DFS Replication is an efficient, multiple-master replication engine that you can use tokeep folders synchronized between servers across limited bandwidth network connections. It replaces theFile Replication Service (FRS) as the replication engine for DFS Namespaces, as well as for replicatingthe AD DS SYSVOL folder in domains that use the Win dows Server 2008 domain functional level .

QUESTION 31Your network contains an Active Directory forest .The forest contains two domains named contoso.com and woodgrovebank.com .

You have a custom attribute named Attibute1 in Active Directory . Attribute1 is associated to User objects .

You need to ensure that Attribute1 is replicated to the global catalog .

What should you do?

A. In Active Directory Sites and Services, configure the NTDS Settings.B. In Active Directory Sites and Services, configure the universal group membership caching.C. From the Active Directory Schema snap-in, modify the properties of the User class schema object.D. From the Active Directory Schema snap-in, modify the properties of the Attibute1 class schema attribute.


Explanation/Reference:http://www.tech-faq.com/the-global-catalog-server.htmlThe Global Catalog Server

The Global Catalog (GC) is an important component in Active Directory because it serves as the centralinformation store of the Active Directory objects located in domains and forests. Because the GC maintains alist of the Active Directory objects in domains and forests without actually including all information on the objectsand it is used when users search for Active Directory objects or for specific attributes of an object, the GCimproves network performance and provides maximum accessibility to Active Directory objects.

..

How to Include Additional Attributes in the GC

The number of attributes in the GC affects GC replication. The more attributes the GC servers have toreplicate, the more network traffic GC replication creates. Default attributes are included in the GC when ActiveDirectory is first deployed. The Active Directory Schema snap-in can be used to add any additional attribute tothe GC. Because the snap-in is by default not included in the Administrative Tools Menu, users have to add it tothe MMC before it can be used to customize the GC.

To add the Active Directory Schema snap-in in the MMC:1. Click Start, Run, and enter cmd in the Run dialog box. Press Enter.2. Enter the following at the command prompt: regsvr32 schmmgmt.dll.3. Click OK to acknowledge that the dll was successfully registered.4. Click Start, Run, and enter mmc in the Run dialog box.5. When the MMC opens, select Add/Remove Snap-in from the File menu.6. In the Add/Remove Snap-in dialog box, click Add then add the Active Directory Schema snap-in from the

Add Standalone Snap-in dialog box.7. Close all open dialog boxes.

To include additional attributes in the GC:1. Open the Active Directory Schema snap-in.2. In the console tree, expand the Attributes container, right-click an attribute, and click Properties from the

shortcut menu.3. Additional attributes are added on the General tab.4. Ensure that the Replicate this attribute to the Global Catalog checkbox is enabled.5. Click OK.

QUESTION 32Your network contains an Active Directory domain . The domain contains three domain controllers .

One of the domain controllers fails .Seven days later , the help desk reports that it can no longer create user accounts .

You need to ensure that the help desk can create new us er accounts .

Which operations master role should you seize ?

A. domain naming masterB. infrastructure masterC. primary domain controller (PDC) emulatorD. RID masterE. schema master


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc773108%28v=ws.10%29.aspxOperations master roles

Active Directory supports multimaster replication of the directory data store between all domain controllers (DC)in the domain, so all domain controllers in a domain are essentially peers. However, some changes areimpractical to perform in using multimaster replication, so, for each of these types of changes, one domaincontroller, called the operations master, accepts requests for such changes.

In every forest, there are at least five operations master roles that are assigned to one or more domaincontrollers. Forest-wide operations master roles must appear only once in every forest. Domain-wideoperations master roles must appear once in every domain in the forest.

..RID master

The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in itsdomain. At any time, there can be only one domain controller acting as the RID master in each domain in theforest.Whenever a domain controller creates a user, group, or computer object, it assigns the object a uniquesecurity ID (SID) . The SID consists of a domain SID, which is the same for all SIDs created in the domain, anda RID, which is unique for each SID created in the domain.To move an object between domains (using Movetree.exe), you must initiate the move on the domain controlleracting as the RID master of the domain that currently contains the object.

http://www.techrepublic.com/article/step-by-step-learn-how-to-transfer-and-seize-fsmo-roles-in-active-directory/5081138Step-By-Step: Learn how to transfer and seize FSMO roles in Active Directory

http://www.petri.co.il/seizing_fsmo_roles.htmSeizing FSMO Roles

QUESTION 33Your network contains two standalone servers named Server1 and Server2 that have Active DirectoryLightweight Directory Services (AD LDS) installed .Server1 has an AD LDS instance .

You need to ensure that you can replicate the instance from Server1 to Server2 .

What should you do on both servers?

A. Obtain a server certificate.B. Import the MS-User.ldf file.

C. Create a service user account for AD LDS.D. Register the service location (SRV) resource records.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc794857%28v=ws.10%29.aspxAdministering AD LDS Instances

Each AD LDS instance runs as an independent—and separately administered—service on a computer. Youcan configure the account under which an AD LDS instance runs, stop and restart an AD LDS instance, andchange the AD LDS instance service display name and service description. In addition, you can enable SecureSockets Layer (SSL) connections in AD LDS by installing certificates. In Active Directory environments, eachAD LDS instance attempts to create a Service Principal Name (SPN) object in the directory to be used forreplication authentication. Depending on the network environment into which you install AD LDS, you may haveto create SPNs manually.

AD LDS service account

The service account that an AD LDS instance uses determines the access that the AD LDS instance hason the local computer and on other computers in the network . AD LDS instances also use the serviceaccount to authenticate other AD LDS instances in t heir configuration set, to ensure replicationsecurity . You determine the AD LDS service account during AD LDS installation.

QUESTION 34Your network contains a server named Server1 that runs Windows Server 2008 R2 .

You create an Active Directory Lightweight Directory Se rvices (AD LDS) instance on Server1 .

You need to create an additional AD LDS application dir ectory partition in the existing instance .


A. AdaminstallB. DsaddC. DsmodD. Ldp



Create an Application Directory PartitionYou use Ldp.exe to add a new application directory partition to an existing instance of Active DirectoryLightweight Directory Services (AD LDS).

QUESTION 35Your network contains a server named Server1 that runs Windows Server 2008 R2 .

On Server1 , you create an Active Directory Lightweight Directory Se rvices (AD LDS) instance namedInstance1 .You connect to Instance1 by using ADSI Edit .

You run the Create Object wizard and you discover that there is no User object class .

You need to ensure that you can create user objects in Instance1 .

What should you do?

A. Run the AD LDS Setup Wizard.B. Modify the schema of Instance1.C. Modify the properties of the Instance1 service.D. Install the Remote Server Administration Tools (RSAT).


Explanation/Reference:Reference: http://technet.microsoft.com/en-us/library/cc772194.aspx

To create users in AD LDS, you must first import the optional user classes that are pr ovided with AD LDSinto the AD LDS schema . These user classes are provided in importable .ldf files, which you can find in thedirectory %windir%adam on the computer where AD LDS is installed. The user, inetOrgPerson, and OrganizationalPerson object classes are not available until you import the ADLDS user class definitions into the schema.

QUESTION 36Your network contains an Active Directory domain . The domain contains a server named Server1 .

Server1 runs Windows Server 2008 R2 .

You need to mount an Active Directory Lightweight Direc tory Services (AD LDS) snapshot fromServer1 .

What should you do?

A. Run ldp.exe and use the Bind option.B. Run diskpart.exe and use the Attach option.C. Run dsdbutil.exe and use the snapshot option.D. Run imagex.exe and specify the /mount parameter.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc753151%28v=ws.10%29.aspxDsdbutilPerforms database maintenance of the Active Directory Domain Services (AD DS) store, facilitatesconfiguration of Active Directory Lightweight Directory Services (AD LDS) communication ports, and views ADLDS instances that are installed on a computer.

..Commands..snapshot

Manages snapshots.

http://technet.microsoft.com/en-us/library/cc731620%28v=ws.10%29.aspxsnapshot

Manages snapshots of the volumes that contain the Active Directory database and log files, which you can viewon a domain controller without starting in Directory Services Restore Mode (DSRM). You can also run thesnapshot subcommand on an Active Directory Lightweight Directory Services (AD LDS) server. ..This is a subcommand of Ntdsutil and Dsdbutil. Ntdsutil and Dsdbutil are command-line tools that are built intoWindows Server 2008 and Windows Server 2008 R2.

Syntaxactivate instance %s [create] [delete %s] [unmount %s] [list all] [list mounted ] [mount %s] [quit]

Parameters..mount %s Mounts a snapshot with GUID %s. You can refer to an index number of any mounted snapshot instead of itsGUID.

QUESTION 37Your network contains a single Active Directory domain . Active Directory Rights Management Services (AD RMS ) is deployed on the network.

A user named User1 is a member of only the AD RMS Enterprise Administrators group .

You need to ensure that User1 can change the service co nnection point (SCP) for the AD RMSinstallation .

The solution must minimize the administrative rights of User1 .

To which group should you add User1?

A. AD RMS AuditorsB. AD RMS Service GroupC. Domain AdminsD. Schema Admins


Explanation/Reference:http://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection-point.aspxThe AD RMS Service Connection Point

The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object inActive Directory that holds the web address of the AD RMS certification cluster. AD RMS-enabled applicationsuse the SCP to discover the AD RMS service; it is the first connection point for users to discover the AD RMSweb services.

..The AD RMS SCP can be registered automatically during AD RMS installation, or it can be registered afterinstallation has completed. To register the SCP you must be a member of the local AD RMS EnterpriseAdministrators group and the Active Directory Domain Services (AD DS) Enterprise Admins group , oryou must have been given the appropriate authority...

QUESTION 38Your network contains two Active Directory forests named contoso.com and adatum.com . Active Directory Rights Management Services (AD RMS ) is deployed in contoso.com . An AD RMS trusted user domain (TUD) exists between con toso.com and adatum.com .

From the AD RMS logs , you discover that some clients that have IP addresses i n the adatum.com forestare authenticating as users from contoso.com .

You need to prevent users from impersonating contoso.co m users .

What should you do?

A. Configure trusted e-mail domains.B. Enable lockbox exclusion in AD RMS.C. Create a forest trust between adatum.com and contoso.com.D. Add a certificate from a third-party trusted certification authority (CA).


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc753930.aspxAdd a Trusted User Domain

By default, Active Directory Rights Management Services (AD RMS) does not service requests from userswhose rights account certificate (RAC) was issued by a different AD RMS installation. However, you can adduser domains to the list of trusted user domains (TUDs), which allows AD RMS to process such requests.

For each trusted user domain (TUD), you can also add and remove specific users or groups of users. Inaddition, you can remove a TUD; however, you cannot remove the root cluster for this Active Directory forestfrom the list of TUDs. Every AD RMS server trusts the root cluster in its own forest.

You can add TUDs as follows:To support external users in general, you can trust Windows Live ID. This allows an AD RMS cluster that isin your company to process licensing requests that include a RAC that was issued by Microsoft’s onlineRMS service. For more information about trusting Windows Live ID in your organization, see Use WindowsLive ID to Establish RACs for Users.To trust external users from another organization’s AD RMS installation, you can add the organization to thelist of TUDs. This allows an AD RMS cluster to process a licensing request that includes a RAC that wasissued by an AD RMS server that is in the other organization.In the same manner, to process licensing requests from users within your own organization who reside in adifferent Active Directory forest, you can add the AD RMS installation in that forest to the list of TUDs. Thisallows an AD RMS cluster in the current forest to process a licensing request that includes a RAC that wasissued by an AD RMS cluster in the other forest.For each TUD, you can specify which e-mail domains are trusted . For trusted Windows Live ID sitesand services, you can specify which e-mail users or domains are not trusted.

QUESTION 39Your network contains an Active Directory domain named contoso.com . The network contains client computers that run either Windows Vista or Windows 7 . Active Directory Rights Management Services (AD RMS ) is deployed on the network .

You create a new AD RMS template that is distributed by using the AD RMS pipeline . The template is updated every month .

You need to ensure that all the computers can use the m ost up-to-date version of the AD RMS template .

You want to achieve this goal by using the minimum amou nt of administrative effort .

What should you do?

A. Upgrade all of the Windows Vista computers to Windows 7.B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users

by using a Software Installation extension of Group Policy.D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all

computers by using a Software Installation extension of Group Policy.


Explanation/Reference:http://social.technet.microsoft.com/wiki/contents/articles/3911.how-to-deploy-ad-rms-policy-templates.aspxHow to Deploy AD RMS Policy Templates

Table of Contents

Method 1 - Using Group Policy with Office Administrative Templates Method 2 - Automatic AD RMS Rights Policy Template Distribution Method 3 - Manually copy the ADRMS Rights Policy Templates Method 4 - Offline Folders

..Method 2 - Automatic AD RMS Rights Policy Template Distribution

Documented in the AD RMS Rights Policy Templates Deployment Step-by-Step Guide (http://technet.microsoft.com/en-us/library/cc731070%28WS.10%29.aspx).

Essentially involves the following elements Network share where the ADRMS Rights Policy Templates can be stored Desktop clients that are Windows Vista SP2 and above Creating a Scheduled task Few registry edits

...

QUESTION 40Active Directory Rights Management Services (AD RMS ) is deployed on your network . Users who have Windows Mobile 6 devices report that they cannot access documents that areprotected by AD RMS .

You need to ensure that all users can access AD RMS pro tected content by using Windows Mobile 6devices .

What should you do?

A. Modify the security of the ServerCertification.asmx file.B. Modify the security of the MobileDeviceCertification.asmx file.C. Enable anonymous authentication for the _wmcs virtual directory.D. Enable anonymous authentication for the certification virtual directory.

Correct Answer: B


Explanation/Reference:http://technet.microsoft.com/en-us/library/ff608252%28v=ws.10%29.aspxWindows Mobile Considerations for AD RMS

AD RMS and Windows Mobile Requirements

Active Directory Rights Management Services (AD RMS) integrates with Microsoft Windows Mobile® inWindows Mobile 6 and later devices. End users can create and consume protected e-mail messages and canread protected Microsoft Office documents on their Windows Mobile device....AD RMS client capabilities are embedded in the oper ating system of Windows Mobile 6 and laterdevices . There is no AD RMS client available for Windows Mobile 5.0 or earlier; AD RMS can be used only ondevices with Windows Mobile 6 and later. There is full interoperability when sharing AD RMS protected contentbetween the different versions and editions of Windows Mobile 6 or later.

By default the Discretionary access control lists ( DACLs) of the AD RMS mobile certification pipeline isrestricted and must be enabled for Windows Mobile 6 or later devices to obtain certificates andlicenses to create and consume AD RMS protected con tent. You can enable the certification of mobiledevices by giving the AD RMS Service Group and the user account objects of the AD RMS-enabledapplication Read and Read & Execute permissions to the MobileDeviceCertification.asmx file. This fileis located under %systemdrive%\Inetpub\wwwroot\_wmc s\Certification by default. You must completethis process on each AD RMS server in the cluster.

QUESTION 41Your network contains a server named Server1 . The Active Directory Rights Management Services (AD RMS ) server role is installed on Server1 .

An administrator changes the password of the user a ccount that is used by AD RMS .

You need to update AD RMS to use the new password .

Which console should you use?

A. Active Directory Rights Management ServicesB. Active Directory Users and ComputersC. Component ServicesD. Services


Explanation/Reference:http://social.technet.microsoft.com/wiki/contents/articles/13034.ad-rms-how-to-change-the-rms-service-account-password.aspxAD RMS How To: Change the RMS Service Account Password

The Active Directory Rights Management Services management console provides a wizard to change orupdate the AD RMS service account. The most common use for this process is to update the service accountpassword when it has been changed.

It is important to use this process to update or change the AD RMS service account. This ensures thenecessary components are updated properly. These processes include, but are not limited to the followingitems.

Ensure the service account meets the criteria (is a domain account, is not the domain account that

provisioned RMS, and etc.) Temporarily suspends RMS functionality on the server during the change Updates the RMS local groups Updates the database role for the service account Updates and restarts the MSMQ and logging services Updates the service account for the _DRMSAppPool1 web application pool Updates appropriate AD RMS configuration database tables

There are important requirements to run this wizard. Must be logged on to the AD RMS server Account running the wizard must be:

* A local administrator on the RMS server, * A member of the AD RMS Enterprise Administrators group, and * A SQL SysAdmin on the AD RMS instance

Lastly, this must be performed on each server of the AD RMS cluster

QUESTION 42Your network contains an Active Directory Rights Management Services (AD RMS) cluster .

You have several custom policy templates . The custom policy templates are updated frequently .

Some users report that it takes as many as 30 days to receive the updated policy templates .

You need to ensure that users receive the updated custo m policy templates within seven days .

What should you do?

A. Modify the registry on the AD RMS servers.B. Modify the registry on the users' computers.C. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task.D. Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task.



Configuring the AD RMS client

The automated scheduled task will not query the AD RMS template distribution pipeline each time that thisscheduled task runs. Instead, it checks updateFrequency DWORD value registry entry . This registry entryspecifies the time interval (in days) after which the client should update its rights policy templates. By default theregistry key is not present on the client computer. In this scenario, the client checks for new, deleted, ormodified rights policy templates every 30 days. To configure an interval other than 30 days, create a registryentry at the following location: HKEY_CURRENT_USER\Software\Policies\Microsoft\MSDRM\TemplateManagement. In this registry key, you can also configure the updateIfLastUpdatedBeforeTime, whichforces the client computer to update its rights policy templates.

QUESTION 43Your company has a main office and a branch office . The branch office contains a read-only domain controller named RODC1.

You need to ensure that a user named Admin1 can install updates on RODC1 . The solution must prevent Admin1 from logging on to oth er domain controllers .

What should you do?

A. Run ntdsutil.exe and use the Roles option.B. Run dsmgmt.exe and use the Local Roles option.C. From Active Directory Sites and Services, modify the NTDS Site Settings.D. From Active Directory Users and Computers, add the user to the Server Operators group.


Explanation/Reference:Reference:

http://technet.microsoft.com/en-us/library/cc732301.aspx

Administrator Role Separation ConfigurationThis section provides procedures for creating a local administrator role for an RODC and for adding a user tothat role.

To configure Administrator Role Separation for an RODC1. Click Start, click Run, type cmd, and then press ENTER.2. At the command prompt, type dsmgmt.exe , and then press ENTER.3. At the DSMGMT prompt, type local roles , and then press ENTER.4. (...)

QUESTION 44You install a read-only domain controller (RODC) named RODC1.

You need to ensure that a user named User1 can administ er RODC1. The solution must minimize the number of permissions as signed to User1 .


A. Active Directory Administrative CenterB. Active Directory Users and ComputersC. DsaddD. Dsmgmt


Explanation/Reference:Many thanks to Luffy for pointing me in the right direction with this question!

There are a couple of ways to achieve this and two of them are mentioned in the listed answers, ActiveDirectory Users and Computers and Dsmgmt.

Referenced below are two Technet articles. The first explains the different ways to implement AdministratorRole Separation on an RODC, and why the use of Active Directory Users is recommended over Dsmgmt. Thesecond reference is now a kind of bonus, explaining how to use dsmgmt for this task. (In version 1 of this dumpI used it to explain why dsmgmt should be the answer.)


Delegating local administration of an RODCAdministrator Role Separation (ARS) is an RODC feature that you can use to delegate the ability to administeran RODC to a user or a security group. When you delegate the ability to log on to an RODC to a user or asecurity group, the user or group is not added the Domain Admins group and therefore does not have additionalrights to perform directory service operations.

Steps and best practices for setting up ARSYou can specify a delegated RODC administrator during an RODC installation or after it.

To specify the delegated RODC administrator after installation, you can use either of the following options:

Modify the Managed By tab of the RODC account properties in the Active Directory Users andComputers snap-in, as shown in the following figure. You can click Change to change which securityprincipal is the delegated RODC administrator. You can choose only one security principal. Specify asecurity group rather than an individual user so you can control RODC administration permissions most

efficiently. This method changes the managedBy attribute of the computer object that corresponds to theRODC to the SID of the security principal that you specify. This is the recommended way to specify thedelegated RODC administrator account because the information is stored in AD DS, where it can becentrally managed by domain administrators.

Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command toview, add, or remove members from the Administrators group and other built-in groups on the RODC. [Seealso the second reference for more information on how to use dsmgmt.]

Using ntdsutil or dsmgmt to specify the delegated R ODC administrator account is not recommendedbecause the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles todelegate an administrator for the RODC, the account that you specify does not appear on the Managed By tabof the RODC account properties. As a result, using the Active Directory Users and Computers snap-in or asimilar tool will not reveal that the RODC has a delegated administrator.

In addition, if you demote an RODC, any security principal that you specified by using ntdsutil local rolesremains stored in the registry of the server. This can be a security concern if you demote an RODC in onedomain and then promote it to be an RODC again in a different domain. In that case, the original securityprincipal would have administrative rights on the new RODC in the different domain.


Administrator Role Separation Configuration

This section provides procedures for creating a local administrator role for an RODC and for adding a user tothat role.

To configure Administrator Role Separation for an RODC1. Click Start, click Run, type cmd, and then press ENTER.2. At the command prompt, type dsmgmt.exe , and then press ENTER.3. At the DSMGMT prompt, type local roles , and then press ENTER.4. For a list of valid parameters, type ? and then press ENTER.

By default, no local administrator role is defined on the RODC after AD DS installation. To add the localadministrator role, use the Add parameter.

5. Type add <DOMAIN>\<user> <administrative role>For example, type add CONTOSO\testuser administrators

QUESTION 45Your network contains an Active Directory domain . The domain contains two sites named Site1 and Site2 . Site1 contains four domain controllers . Site2 contains a read-only domain controller (RODC) .

You add a user named User1 to the Allowed RODC Password Replication Group .

The WAN link between Site1 and Site2 fails .User1 restarts his computer and reports that he is unable to log on to the domain . The WAN link is restored and User1 reports that he is able to log on to the domain .

You need to prevent the problem from reoccurring if the WAN link fails .

What should you do?

A. Create a Password Settings object (PSO) and link the PSO to User1's user account.B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspxPassword Replication Policy

When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domaincontroller that will be its replication partner.

The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should bepermitted to cache a password. After the RODC receives an authenticated user or computer logon request, itrefers to the Password Replication Policy to determine if the password for the account should be cached. Thesame account can then perform subsequent logons more efficiently.

The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that areexplicitly denied from being cached. The list of user and computer accounts that are permitted to be cacheddoes not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can,for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticatethose accounts, even if the WAN link to the hub site is offline.

Note You must include the appropriate user, computer, and service accounts in the Password Replication Policy in

order to allow the RODC to satisfy authentication and service ticket requests locally.

When only users from the branch are encompassed by the allow list, the RODC is not able to satisfy requestsfor service tickets locally and it relies on access to a writable Windows Server 2008 domain controller to do so.In the WAN offline scenario, this is likely to lead to a service outage.

..Password Replication Policy Allowed and Denied lists

Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODCoperations. These are the Allowed RODC Password Replication Group and Denied RODC PasswordReplication Group.These groups help implement a default Allowed List and Denied List for the RODC Password ReplicationPolicy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup Active Directory attributes mentioned earlier.

By default, the Allowed RODC Password Replication Group has no members. Also by default, the Allowed Listattribute contains only the Allowed RODC Password Replication Group.

By default, the Denied RODC Password Replication Group contains the following members: Enterprise Domain Controllers Enterprise Read-Only Domain Controllers Group Policy Creator Owners Domain Admins Cert Publishers Enterprise Admins Schema Admins Domain-wide krbtgt account

By default, the Denied List attribute contains the following security principals, all of which are built-in groups: Denied RODC Password Replication Group Account Operators Server Operators Backup Operators Administrators

The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide DeniedRODC Password Replication Group and Allowed RODC Password Replication Group give administrators greatflexibility. They can decide precisely which accounts can be cached on specific RODCs.

QUESTION 46Your company has a main office and a branch office . The network contains an Active Directory domain . The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named DC2.

You discover that the password of an administrator name d Admin1 is cached on DC2 .

You need to prevent Admin1's password from being cached on DC2 .

What should you do?

A. Modify the NTDS Site Settings.B. Modify the properties of the domain.C. Create a Password Setting object (PSO).D. Modify the properties of DC2's computer account.

Correct Answer: DSection: (none)

Explanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspxAdministering the Password Replication Policy

This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP)and password caching for read-only domain controllers (RODCs).

Viewing the PRP

You can view the PRP in a graphical user interface (GUI) by using the Active Directory Users and Computerssnap-in or in a Command Prompt window by using the Repadmin tool. The following procedures describe howto view the PRP.

To view the PRP using Active Directory Users and Computers1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start.

In Start Search, type dsa.msc, and then press ENTER.2. Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details

pane, right-click the Active Directory Users and Computers object, and then click Change Domain.3. Expand Domain Controllers, right-click the RODC account object for which you want to modify the PRP,

and then click Properties.4. Click the Password Replication Policy tab. An example is shown in the following illustration.

QUESTION 47Your network contains an Active Directory domain named contoso.com . The network has a branch office site that contains a read-only domain controller (RODC) named RODC1 . RODC1 runs Windows Server 2008 R2 .

A user named User1 logs on to a computer in the branch office si te.You discover that the password of User1 is not stored o n RODC1.

You need to ensure that User1's password is stored on R ODC1.

What should you modify?

A. the Member Of properties of RODC1B. the Member Of properties of User1C. the Security properties of RODC1D. the Security properties of User1


Explanation/Reference:http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspxAdministering the Password Replication Policy

Personal comment:

Basically, these are the default settings for the Password Replication Policy of a specific RODC:

So, if you would add a user to be a member of a group that is allowed to store passwords on that specificRODC, then that user's password would be stored on that RODC.

QUESTION 48Your company has an active directory forest on a single domain .Your company needs a distributed application that employs a cus tom application . The application uses a custom application directory partition named PARDAT .

You need to implement this application for data replica tion .

Which two tools should you use to achieve this task? (Choose two answers. Each answer is a part of a complete solution)

A. Dnscmd.B. Ntdsutil.C. Ipconfig

D. DnsutilE. All of the above


Explanation/Reference:http://support.microsoft.com/kb/884116How to create and apply a custom application directory partition on an Active Directory integrated DNS zone inWindows Server 2003

..You can create a custom Active Directory partition by using the DnsCmd command....If the new naming context that you created does not appear in the Repadmin output, you can verify the state ofthis naming context by using the Ntdsutil command. ..

QUESTION 49Your company has an Active Directory forest with six domains . The company has 5 sites . The company requires a new distributed application that uses a custom application directory partitionnamed ResData for data replication.

The application is installed on one member server in fi ve sites .

You need to configure the five member servers to receiv e the ResData application directory partition fordata replication . What should you do?

A. Run the Dcpromo utility on the five member servers.B. Run the Regsvr32 command on the five member serversC. Run the Webadmin command on the five member serversD. Run the RacAgent utility on the five member servers


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc732887%28v=ws.10%29.aspxDcpromo

Syntaxdcpromo [/answer[:<filename>] | /unattend[:<filename>] | /unattend | /adv] /uninstallBinaries [/CreateDCAccount| /UseExistingAccount:Attach] /? /?[:{Promotion | CreateDCAccount | UseExistingAccount | Demotion}]

..dcpromo Promotion operation parameters:

ApplicationPartitionsToReplicate:""Specifies the application directory partitions that dcpromo will replicate. Use the following format:"partition1" "partition2" "partitionN"Use * to replicate all application directory partitions.

QUESTION 50

As an administrator at your company, you have installed an Active Directory forest that has a singledomain .You have installed an Active Directory Federation services (AD FS) on the domain member server .

What should you do to configure AD FS to make sure that AD FS token contains information from theactive directory domain ?

A. Add a new account store and configure it.B. Add a new resource partner and configure itC. Add a new resource store and configure itD. Add a new administrator account on AD FS and configure itE. None of the above


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772309%28v=ws.10%29.aspxStep 3: Installing and Configuring AD FS

Now that you have configured the computers that will be used as federation servers, you are ready to installActive Directory Federation Services (AD FS) components on each of the computers. This section includes thefollowing procedures:

Install the Federation Service on ADFS-RESOURCE and ADFS-ACCOUNT Configure ADFS-ACCOUNT to work with AD RMS Configure ADFS-RESOURCE to Work with AD RMS

QUESTION 51Your company runs Window Server 2008 on all of its servers . It has a single Active Directory domain and it uses Enterprise Certificate Authority . The security policy at ABC.com makes it necessary to examine revoked certificate information .

You need to make sure that the revoked certificate info rmation is available at all times . What should you do to achieve that?

A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer certificates and linkthe GPO to the domain.

B. Configure and use a GPO to publish a list of trusted certificate authorities to the domainC. Configure and publish an OCSP (Online certificate status protocol) responder through ISAS (Internet

Security and Acceleration Server) array.D. Use network load balancing and publish an OCSP responder.E. None of the above


Explanation/Reference:http://technet.microsoft.com/en-us/library/ee619754%28v=ws.10%29.aspxHow Certificate Revocation Works

QUESTION 52

As the company administrator you had installed a read-only domain controller (RODC) server at remotelocation .The remote location doesn't provide enough physical security for the se rver .

What should you do to allow administrative accounts to replicate authenti cation information to Read-Only Domain Controllers ?

A. Remove any administrative accounts from RODC's groupB. Add administrative accounts to the domain Allowed RODC Password Replication groupC. Set the Deny on Receive as permission for administrative accounts on the RODC computer account

Security tab for the Group Policy Object (GPO)D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link the GPO to

the remote location. Activate the Read Allow and the Apply group policy Allow permissions for theadministrators on the Security tab for the GPO.

E. None of the above



http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspxPassword Replication Policy



The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that areexplicitly denied from being cached. The list of user and computer accounts that are permitted to be cacheddoes not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can,for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticatethose accounts, even if the WAN link to the hub site is offline. ..

Password Replication Policy Allowed and Denied lists

Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODCoperations. These are the Allowed RODC Password Replication Group and Denied RODC PasswordReplication Group.These groups help implement a default Allowed List and Denied List for the RODC Password ReplicationPolicy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup Active Directory attributes mentioned earlier.By default, the Allowed RODC Password Replication Group has no members. Also by default, the Allowed Listattribute contains only the Allowed RODC Password Replication Group.

By default, the Denied RODC Password Replication Group contains the following members: Enterprise Domain Controllers Enterprise Read-Only Domain Controllers Group Policy Creator Owners Domain Admins Cert Publishers Enterprise Admins Schema Admins Domain-wide krbtgt account

By default, the Denied List attribute contains the following security principals, all of which are built-in groups: Denied RODC Password Replication Group Account Operators Server Operators Backup Operators Administrators

The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide DeniedRODC Password Replication Group and Allowed RODC Password Replication Group give administrators greatflexibility. They can decide precisely which accounts can be cached on specific RODCs.

The following table summarizes the three possible administrative models for the Password Replication Policy.

QUESTION 53ABC.com boasts a two-node Network Load Balancing cluster which is called web.CK1.com . The purpose of this cluster is to provide load balancing and high availability of the intranet website only .

With monitoring the cluster, you discover that the users can view the Network Load B alancing cluster intheir Network Neighborhood and they can use it to connect to various services by u sing the nameweb.CK1.com .You also discover that there is only one port rule configure d for Network Load Balancing cluster . Youhave to configure web.CK1.com NLB cluster to accept HTTP traffic only .

Which two actions should you perform to achieve this objective? (Choose two answers. Each answer is part ofthe complete solution)

A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster consoleB. Run the wlbs disable command on the cluster nodesC. Assign a unique port rule for NLB cluster by using the NLB Cluster consoleD. Delete the default port rules through Network Load Balancing Cluster console


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc733056.aspxCreate a new Network Load Balancing Port Rule

Port rules control how a Network Load Balancing (NLB) cluster functions. To maximize control of various typesof TCP/IP traffic, you can set up port rules to control how each port's cluster-network traffic is handled. Themethod by which a port's network traffic is handled is called its filtering mode. There are three possible filteringmodes: Multiple hosts , Single host , and Disabled .

You can also specify that a filtering mode apply to a numerical range of ports. You do this by defining a port rulewith a set of configuration parameters that define the filtering mode. Each rule consists of the followingconfiguration parameters:

The virtual IP address that the rule should apply to The TCP or UDP port range that this rule should apply to The protocols that this rule should apply to, including TCP, UDP, or both The filtering mode that specifies how the cluster handles traffic, which is described by the port range andthe protocols

In addition, you can select one of three options for client affinity: None , Single , or Network . Single and Network

are used to ensure that all network traffic from a particular client is directed to the same cluster host. To allowNLB to properly handle IP fragments, you should avoid using None when you select UDP or Both for yourprotocol setting. As an extension to the Single and Network options, you can configure a time-out setting topreserve client affinity when the configuration of an NLB cluster is changed. This extension also allows clientsto keep affinity to a cluster host even if there are no active, existing connections from the client to the host.

QUESTION 54ABC.com has a main office and a branch office . ABC.com's network consists of a single Active Directory forest . Some of the servers in the network run Windows Server 2008 and the rest run Windows Server 2003 .

You are the administrator at ABC.com. You have installed Active Directory Domain Services (AD DS) on a computer that runs Windows Server 2008 . The branch office is located in a physically insecure place . It has no IT personnel onsite and there are no administrators over there .

You need to setup a Read-Only Domain Controller (RODC) on the Server Core installation computer in thebranch office .

What should you do to setup RODC on the computer in branch office?

A. Execute an attended installation of AD DSB. Execute an unattended installation of AD DSC. Execute RODC through AD DSD. Execute AD DS by using deploying the image of AD DSE. none of the above



Install an RODC on a Server Core installationTo install an RODC on a Server Core installation of Windows Server 2008, you must perform an unattendedinstallation of AD DS .

QUESTION 55You have installed an Active Directory Federation Services (AD FS) role on a Windows server 2008 in yourorganization.

Now you need to test the connectivity of clients in the net work to ensure that they can successfullyreach the new Federation server and Federation serv er is operational .

What should you do? (Select all that apply)

A. Go to Services tab, and check if Active Directory Federation Services is runningB. In the event viewer, Applications, Event ID column look for event ID 674.C. Open a browser window, and then type the Federation Service URL for the new federation server.D. None of the above

Correct Answer: BCSection: (none)

Explanation


VerifyVerify that a specific event (ID 674) was generated on the federation server proxy computer. This event isgenerated when the federation server proxy is able to successfully communicate with the FederationService.

To perform this procedure, you must be a member of the local Administrators group, or you must have beendelegated the appropriate authority.1. Log on to a client computer with Internet access.2. Open a browser window, and then type the Uniform Resource Locator (URL) for the Fe deration Service

endpoint , along with the path to the clientlogon.aspx page that is stored on the federation server proxy.3. Press ENTER.

Note -At this point your browser should display the error Server Error in '/adfs' Application. This step isnecessary to generate event message 674 to verify that the clientlogon.aspx page is being loaded properly byInternet Information Services (IIS).

4. Log on to the federation server proxy.5. Click Start, point to Administrative Tools, and then click Event Viewer .6. In the details pane, double-click Application.7. In the Event column, look for event ID 674 .

QUESTION 56ABC.com has purchased laptop computers that will be used to connect to a wireless network .

You create a laptop organizational unit and create a Group Policy Object (GPO) and configure userprofiles by utilizing the names of approved wireless networks .You link the GPO to the laptop organizational unit .

The new laptop users complain to you that they cannot connect to a wireless network .

What should you do to enforce the group policy wireless settings to the l aptop computers ?

A. Execute gpupdate/target:computer command at the command prompt on laptop computersB. Execute Add a network command and leave the SSID (service set identifier) blankC. Execute gpupdate/boot command at the command prompt on laptops computersD. Connect each laptop computer to a wired network and log off the laptop computer and then login again.E. None of the above


Explanation/Reference:Personal note:In order for the client computers to download the new Group Policy settings the laptops first need to beconnected to one of the DCs.Since they cannot connect through wirelessly (due to previous GP settings denying such connections), theyhave to use one time a wired connection.

QUESTION 57Your company has a Windows 2008 domain controller server .This server is routinely backed up over the network to a dedicated backup server that is running

Windows 2003 OS.

You need to prepare the domain controller for disaster recovery apart from the routine backup procedures.You are unable to launch the backup utility while attemptin g to back up the system state data for thedata controller .

You need to backup system state data from the Windows S erver 2008 domain controller server .

What should you do?

A. Add your user account to the local Backup Operators groupB. Install the Windows Server backup feature using the Server Manager feature.C. Install the Removable Storage Manager feature using the Server Manager featureD. Deactivating the backup job that is configured to backup Windows 2008 server domain controller on the

Windows 2003 server.E. None of the above


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc770266%28v=ws.10%29.aspxWindows Server Backup Step-by-Step Guide for Windows Server 2008

The Windows Server Backup feature provides a basic backup and recovery solution for computers running theWindows Server® 2008 operating system. Windows Server Backup introduces new backup and recoverytechnology and replaces the previous Windows Backup (Ntbackup.exe) feature that was available with earlierversions of the Windows operating system.

What is Windows Server Backup?

The Windows Server Backup feature in Windows Server 2008 consists of a Microsoft Management Console(MMC) snap-in and command-line tools that provide a complete solution for your day-to-day backup andrecovery needs. You can use four wizards to guide you through running backups and recoveries. You can useWindows Server Backup to back up a full server (all volumes), selected volumes, or the system state. You canrecover volumes, folders, files, certain applications, and the system state. And, in case of disasters like harddisk failures, you can perform a system recovery, which will restore your complete system onto the new harddisk, by using a full server backup and the Windows Recovery Environment.

You can use Windows Server Backup to create and manage backups for the local computer or a remotecomputer. You can also schedule backups to run automatically and you can perform one-time backups toaugment the scheduled backups.

QUESTION 58You are an administrator at ABC.com . Company has a RODC (read-only domain controller) server at a remote location . The remote location doesn't have proper physical security .

You need to activate nonadministrative accounts passwor ds on that RODC server .

Which of the following actions should be considered to populate the RODC server with non-administrativeaccounts passwords ?

A. Delete all administrative accounts from the RODC's groupB. Configure the permission to Deny on Receive for administrative accounts on the security tab for Group

Policy Object (GPO)

C. Configure the administrative accounts to be added in the Domain RODC Password Replication Deniedgroup

D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on thesecurity tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators.




http://technet.microsoft.com/en-us/library/cc770320%28v=ws.10%29.aspxAdvantages That an RODC Can Provide to an Existing Deployment

Branch office server administration. RODCs provide Administrator Role Separation (ARS), which you can useto delegate administration of an RODC to a nonadminist rative user or group . This means that it is notnecessary for a highly privileged administrator to log on to the domain controller in the branch office to performroutine server maintenance.

http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspxPassword Replication Policy




Password Replication Policy Allowed and Denied lists

Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODCoperations. These are the Allowed RODC Password Replication Group and Denied RODC PasswordReplication Group. ..The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide DeniedRODC Password Replication Group and Allowed RODC Password Replication Group give administrators greatflexibility. They can decide precisely which accounts can be cached on specific RODCs.

QUESTION 59ABC.com has a network that is comprised of a single Active Directory Domain .

As an administrator at ABC.com, you install Active Directory Lightweight Directory Serv ices (AD LDS) on a

server that runs Windows Server 2008 . To enable Secure Sockets Layer (SSL) based connections to the AD LDS server , you install certificatesfrom a trusted Certification Authority (CA) on the AD LDS server and client computers .

Which tool should you use to test the certificate with AD LDS?

A. Ldp.exeB. Active Directory Domain servicesC. ntdsutil.exeD. Lds.exeE. wsamain.exeF. None of the above


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc725767%28v=ws.10%29.aspxAppendix A: Configuring LDAP over SSL Requirements for AD LDS

The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active DirectoryLightweight Directory Services (AD LDS). By default, LDAP traffic is not transmitted securely. You can makeLDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS)technology.

...Step 3: Connect to the AD LDS instance over LDAPS using Ldp.exeTo test your server authentication certificate, you can open Ldp.exe on the computer that is running the AD LDSinstance and then connect to this AD LDS instance that has the SSL option enabled...

QUESTION 60ABC.com boasts a main office and 20 branch offices . Configured as a separate site , each branch office has a Read-Only Domain Controlle r (RODC) serverinstalled .

Users in remote offices complain that they are unable to log on to their ac counts .

What should you do to make sure that the cached credentials for user acco unts are only stored in theirlocal branch office RODC server ?

A. Open the RODC computer account security tab and set Allow on the Receive as permission only for theusers that are unable to log on to their accounts

B. Add a password replication policy to the main Domain RODC and add user accounts in the security groupC. Configure a unique security group for each branch office and add user accounts to the respective security

group. Add the security groups to the password replication allowed group on the main RODC serverD. Configure and add a separate password replication policy on each RODC computer account


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspxPassword Replication Policy




QUESTION 61The corporate network of your company consists of a Windows Server 2008 single Active Directorydomain . The domain has two servers named Company 1 and Company 2 .

To ensure central monitoring of events you decided to collect all the events on one server.To collect events from Company 2 , and transfer them to Company 1 .

You configure the required event subscriptions .You selected the Normal option for the Event delivery optimization setting by using the HTTP protocol .

However, you discovered that none of the subscriptions work .

Which of the following actions would you perform to configure the event collection and event forwarding onthe two servers ? (Select three . Each answer is a part of the complete solution).

A. Run window execute the winrm quickconfig command on Company 2.B. Run window execute the wecutil qc command on Company 2.C. Add the Company 1 account to the Administrators group on Company 2.D. Run window execute the winrm quickconfig command on Company 1.E. Add the Company 2 account to the Administrators group on Company 1.F. Run window execute the wecutil qc command on Company 1.

Correct Answer: ACFSection: (none)Explanation

Explanation/Reference:We need to do three things:1 - run winrm quickconfig on the source computer (Company 2)2 - run wecutil qc on the collector computer (Company 1)3 - add the computer account of the collector computer to the local Administrators group on the sourcecomputer

Had the Event delivery optimization setting been set to Minimize Bandwidth or Minimize Latency, then wewould need to run winrm quickconfig on the collector computer too. Because it's set to Normal we can skip thatstep.

If the HTTPS protocol had been used we also would have had to configure Windows Firewall exceptions forport 443. But it's not, and it's not even listed, so that's cool.

Reference:


Configure Computers to Forward and Collect EventsBefore you can create a subscription to collect events on a computer, you must configure both the collectingcomputer (collector) and each computer from which events will be collected (source).

To configure computers in a domain to forward and c ollect events1. Log on to all collector and source computers. It is a best practice to use a domain account with

administrative privileges.2. On each source computer, type the following at an elevated comman d prompt: winrm

quickconfig

NoteIf you intend to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, then youmust also run the above command on the collector computer.

3. On the collector computer, type the following at an elevated comman d prompt: wecutil qc4. Add the computer account of the collector computer to the local Administrators group on each of

the source computers.5. The computers are now configured to forward and collect events. Follow the steps in Create a New

Subscription to specify the events you want to have forwarded to the collector.

QUESTION 62Your company has a main office and 40 branch offices . Each branch office is configured as a separate Active Directory site that has a dedicated read-onlydomain controller (RODC) . An RODC server is stolen from one of the branch offices.

You need to identify the user accounts that were cached on the stolen RODC server .

Which utility should you use ?

A. Dsmod.exeB. Ntdsutil.exeC. Active Directory Sites and ServicesD. Active Directory Users and Computers


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc835486%28v=ws.10%29.aspxSecuring Accounts After an RODC Is Stolen

If you become aware of a stolen or otherwise compromised read-only domain controller (RODC), you shouldact quickly to delete the RODC account from the domain and to reset the passwords of the accounts whosecurrent passwords are stored on the RODC.

An efficient tool for removing the RODC computer account and resetting all the passwords for the accounts thatwere authenticated to it is the Active Directory Users and Computers snap-in.

QUESTION 63ABC.com has a software evaluation lab . There is a server in the evaluation lab named as CKT. CKT runs Windows Server 2008 and Microsoft Virtual Server 2005 R2 . CKT has 200 virtual servers running on an isolated virtual segment to evaluate software .

To connect to the internet , it uses physical network interface card .

ABC.com requires every server in the company to acc ess the Internet . ABC.com security policy dictates that the IP address space used by software evaluation la b must not beused by other networks . Similarly, it states the IP address space used by other networks should not be used by the evaluation labnetwork .

As an administrator you find you that the applications tested in the softwa re evaluation lab need toaccess normal network to connect to the vendors upd ate servers on the internet .

You need to configure all virtual servers on the CKT se rver to access the internet . You also need to comply with company's security policy .

Which two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the complete solution)

A. Trigger the Virtual DHCP server for the external virtual network and run ipconfig/renew command on eachvirtual server

B. On CKT's physical network interface, activate the Internet Connection Sharing (ICS)C. Use ABC.com intranet IP addresses on all virtual servers on CKT.D. Add and install a Microsoft Loopback Adapter network interface on CKT. Use a new network interface and

create a new virtual network.E. None of the above


Explanation/Reference:http://class10e.com/Microsoft/which-two-actions-should-you-perform-to-achieve-this-task-choose-two-answers/

To configure all virtual servers on the CKT server to access the internet and comply with company’s securitypolicy, you should trigger the virtual DHCP server for the external virtual network and run ipconfig/renewcommand on each virtual server. Then add and install Microsoft Loopback adapter network interface on CKT.Create a virtual network using the new interface.When you configure the Virtual DHCP server for the external virtual network, a set of IP addresses areassigned to the virtual servers on CKT server. By running ipconfig/renew command, the new IP addresses willbe renewed. The Microsoft Loopback adapter network interface will ensure that the IP address space used byother networks are not been used by the virtual servers on CKT server. You create a new virtual network on thenew network interface which will enable you to access internet.

QUESTION 64You are an administrator at ABC.com . The company has a network of 5 member servers acting as file servers . It has an Active Directory domain .

You have installed a software application on the servers . As soon as the application is installed, one of the member servers shuts down . To trace and rectify the problem , you create a Group Policy Object (GPO).

You need to change the domain security settings to trac e the shutdowns and identify the cause of it .

What should you do to perform this task?

A. Link the GPO to the domain and enable System Events optionB. Link the GPO to the domain and enable Audit Object Access option

C. Link the GPO to the Domain Controllers and enable Audit Object Access optionD. Link the GPO to the Domain Controllers and enable Audit Process tracking optionE. Perform all of the above actions


Explanation/Reference:http://msdn.microsoft.com/en-us/library/ms813610.aspxAudit system events

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Description

Determines whether to audit when a user restarts or shuts down the computer; or an event has occurred thataffects either the system security or the security log.

By default, this value is set to No auditing in the Default Domain Controller Group Policy object (GPO) and inthe local policies of workstations and servers.

If you define this policy setting, you can specify whether to audit successes, audit failures, or not to audit theevent type at all. Success audits generate an audit entry when a system event is successfully executed.Failure audits generate an audit entry when a system event is unsuccessfully attempted. You can select Noauditing by defining the policy setting and unchecking Success and Failure .

QUESTION 65You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server roleinstalled .

You need to minimize the amount of time it takes for client com puters to download a certificaterevocation list (CRL) .

What should you do?

A. Install and configure an Online Responder.B. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client

workstations.C. Install and configure an additional domain controller.D. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc725958.aspxWhat Is an Online Responder?

An Online Responder is a trusted server that receives and responds to individual client requests for informationabout the status of a certificate.

The use of Online Responders is one of two common methods for conveying information about the validity ofcertificates. Unlike certificate revocation lists (CRLs), which are distributed periodically and contain informationabout all certificates that have been revoked or suspended, an Online Responder receives and responds onlyto individual requests from clients for information about the status of a certificate. The amount of data retrievedper request remains constant no matter how many revoked certificates there might be.

In many circumstances, Online Responders can process certificate status requests more efficiently than byusing CRLs.

QUESTION 66You want users to log on to Active Directory by using a new Principal Name (UPN) .

You need to modify the UPN suffix for all user accounts .


A. DsmodB. NetdomC. RedirusrD. Active Directory Domains and Trusts


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc732954%28v=ws.10%29.aspxDsmod user

dsmod user -upn <UPN> Specifies the user principal names (UPNs) of the users that you want to modify, for example,[email protected].

QUESTION 67Your network consists of a single Active Directory domain . All domain controllers run Windows Server 2008 R2 . Auditing is configured to log changes made to the Managed By attribute on group objects in anorganizational unit named OU1.

You need to log changes made to the Description attribute on al l group objects in OU1 only .

What should you do?

A. Run auditpol.exe.B. Modify the auditing entry for OU1.C. Modify the auditing entry for the domain.D. Create a new Group Policy Object (GPO). Enable Audit account management policy setting. Link the GPO

to OU1.


Explanation/Reference:http://ithompson.wordpress.com/tag/organizational-unit-move/Do you need to track who/where/when for activities done against the OU’s in your AD?

With Windows 2003 those were difficult questions to answer, we could get some very basic information fromDirectory Services Auditing; but it was limited and you had to read through several cryptic events (id 566). Withthe advanced auditing settings with Windows 2008 R2 you can get some better information (you can do thissame thing with Windows 2008 but it has to be done via command line and applied every time servers restart).

I don’t want to bore you with Windows 2003 auditing or the command line options for Windows 2008 Domains(if you need them, I will get you the information). So let’s just jump right to using Windows 2008 R2, becausewe can now apply the advanced auditing settings via Group Policy.

Now when you turn on the Advanced Audit Policy Configuration you are turning OFF the basic or standard AuditPolicies. The Advanced Audit Policy Configuration allows you to control what AD will audit at a more granularlevel. Now for the focus of this discussion we are only going to talk about setting up auditing for activity on ourDomain Controllers, the other systems in your environment will be a different discussion.

So where do we start so that we can answer our question at the top of this discussion?

First, turn on the correct auditing. Open up Group Policy Management Editor and drill down as seen in Fig 1. **Take note of the green highlight.

For this discussion we are focusing on DS Access and its subcategories. We only want to turn on AuditDirectory Service Changes, see Fig 2. This category only generates events on domain controllers and is veryuseful for tracking changes to Active Directory objects that have object level auditing enabled. These events notonly tell you what object and property was changed and by whom but also the new value of the affectedproperties.

Now that we have step 1 completed, setting up AD for auditing, it’s time to configure WHAT we want to audit. This next step is done via Active Directory Users and Computers. Open up the properties of your AD and drilldown to setup the auditing for Create and Delete Organizational Unit objects as seen in Fig 3.

Now we need to add more granularity so we need to do this process 1 more time and this time instead ofchecking boxes on the Object tab we are going to check 2 boxes on the Properties tab, see Fig 4.

Now that our auditing is setup what type of events can we expect to see?

Here are a few examples:

In this example (Fig 5), id 5137, we see an OU being created by the Administrator.

Figure 6 shows a Sub OU being created.

Figure 7 shows id 5139, an OU being moved.

Now for the best one, this one comes as a pair of messages – OU rename, part of id 5136.

Figure 8 shows the first part of the rename process.

Figure 9 shows the second part of the rename process.

Now let’s contrast all of this with an event that is part of the good old standard auditing. Let’s take moving anOU; with the Advanced Auditing we get id 5139 (fig 7), nice and easy to read and understand. Now here is id4662 that you would get for the same thing with standard auditing, fig 10.

With standard auditing some of the other items that we looked at would be next to impossible with auditing,such as tracking when an OU is renamed and as you can see from fig 10 hard to read and understand if youdid get an event.

Now if your AD is in Mixed Mode (W2k8 and W2k3) you are stuck with standard auditing.

QUESTION 68Your company uses shared folders . Users are granted access to the shared folders by using domain local groups . One of the shared folders contains confidential data .

You need to ensure that unauthorized users are not able to access the shared folder that containsconfidential data .

What should you do?

A. Enable the Do not trust this computer for delegation property on all the computers of unauthorized users byusing the Dsmod utility.

B. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full controlpermission on the shared folders that hold the confidential data for the Guest account.

C. Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users in tothe Deny DLG group. Configure the Allow Full control permission on the shared folder that hold theconfidential data for the Deny DLG group.

D. Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorizedusers in to the Deny DLG group. Configure the Deny Full control permission on the shared folder that holdthe confidential data for the Deny DLG group.



http://technet.microsoft.com/en-us/library/cc755692%28v=ws.10%29.aspxGroup scope

Group scope

Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies theextent to which the group is applied in the domain tree or forest. The boundary, or reach, of a group scope isalso determined by the domain functional level setting of the domain in which it resides. There are three groupscopes: universal, global, and domain local.

The following table describes the differences between the scopes of each group.

When to use groups with domain local scope

Groups with domain local scope help you define and manage access to resources within a single domain. Forexample, to give five users access to a particular printer, you can add all five user accounts in the printerpermissions list. If, however, you later want to give the five users access to a new printer, you must againspecify all five accounts in the permissions list for the new printer....

QUESTION 69Your company has an Active Directory domain . You install an Enterprise Root certification authority (CA) on a member server named Server1 .

You need to ensure that only the Security Manager is au thorized to revoke certificates that are suppliedby Server1 .

What should you do?

A. Remove the Request Certificates permission from the Domain Users group.B. Remove the Request Certificated permission from the Authenticated Users group.C. Assign the Allow - Manage CA permission to only the Security Manager user Account.D. Assign the Allow - Issue and Manage Certificates permission to only the Security Manger user account



Implement Role-Based AdministrationYou can use role-based administration to organize certification authority (CA) administrators into separate,

predefined CA roles, each with its own set of tasks. Roles are assigned by using each user's security settings.You assign a role to a user by assigning that user the specific security settings that are associated with the role.A user that has one type of permission, such as Manage CA permission, can perform specific CA tasks that auser with another type of permission, such as Issue and Manage Certificates permission, cannot perform.

The following table describes the roles, users, and groups that can be used to implement role-basedadministration.

Roles and groupsCertificate manager

Security permissionIssue and Manage Certificates

DescriptionApprove certificate enrollment and revocation reque sts. This is a CA role. This role is sometimes referredto as CA officer. These permissions are assigned by using the Certification Authority snap-in.

QUESTION 70You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2 .

What is the minimal forest functional level that you should use?

A. Windows Server 2008 R2B. Windows Server 2008C. Windows Server 2003D. Windows 2000



Prerequisites for Deploying an RODC

Complete the following prerequisites before you deploy a read-only domain controller (RODC):Ensure that the forest functional level is Windows Server 2003 or higher , so that linked-valuereplication (LVR) is available.(...)

QUESTION 71Your company has three Active Directory domains in a single forest . You install a new Active Directory enabled application . The application ads new user attributes to the Active D irectory schema .

You discover that the Active Directory replication traf fic to the Global Catalogs has increased .

You need to prevent the new attributes from being repli cated to the Global Catalog . You must achieve this goal without affecting application functionality .

What should you do?

A. Change the replication interval for the DEFAULTIPSITELINK object to 9990.B. Change the cost for the DEFAULTIPSITELINK object to 9990.

C. Make the new attributes in the Active Directory as defunct.D. Modify the properties in the Active Directory schema for the new attributes.


Explanation/Reference:http://support.microsoft.com/kb/248717How to Modify Attributes That Replicate to the Global Catalog

The Global Catalog (GC) contains a partial replica of every object in the enterprise. This article discusses howto manipulate the attributes which make up the set values replicated to the GC. Deciding which attributes willreplicate (in addition to the default attributes) requires careful planning with consideration for network traffic andnecessary disk space.

Before describing how to set an attribute to replicate in the GC, it is important to note the effects this has onnetwork replication traffic.

After an attributeSchema object is created, marking an additional attribute to replicate to the GC causes a fullreplication (also known as a "full sync") of all objects to the GC as described below. This behavior occurs on theversions of Windows 2000 listed in this article.

Every server has a full and write-able copy of its own domain. If that server is also a GC, the remainingdomains in the forest are held as read-only, partial copies. "Partial" means that only a subset of the attributes iskept.

When an attribute is added to the GC, it is added to the partial copy subset (partial attribute set). This causesthe GC to perform a "full sync" of all the read-only copies again to repopulate itself with only the partialattributes that it needs to hold. This full sync occurs even if the attribute property isMemberOfPartialAttributeSetis set to "True." Thus, it only does a full sync on the read-only partial copy domains and not its own write-abledomain, the configuration directory partition or schema directory partition.

In order to modify the attributes that replicate to the Active Directory GC, you must modify the schema. Tomodify the schema, an administrator must be made a member of the "Schema Admins" group. In addition tobeing a member of this group, a registry key must be set on the Schema master.

QUESTION 72You are decommissioning one of the domain controllers in a child domain .

You need to transfer all domain operations master roles within the child domain to a newly installeddomain controller in the same child domain .

Which three domain operations master roles should you tra nsfer ? (Each correct answer presents part of the solution. Choose three.)

A. RID masterB. PDC emulatorC. Schema masterD. Infrastructure masterE. Domain naming master

Correct Answer: ABDSection: (none)Explanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc781578%28v=ws.10%29.aspx

Transferring operations master roles

Transferring an operations master role means moving it from one domain controller to another with thecooperation of the original role holder. Depending upon the operations master role to be transferred, youperform the role transfer using one of the three Active Directory consoles in Microsoft Management Console(MMC).

QUESTION 73There are 100 servers and 2000 computers present at your company's headquarters.

The DHCP service is installed on a two-node Microsoft failover cluster named CKMFO to ensure the highavailability of the service.The nodes are named as CKMFON1 and CKMFON2.

The cluster on CKMFO has one physical shared disk of 400 GB capacity.A 200GB single volume is configured on the shared disk.

The company has decided to host a Windows Internet Naming Service (WINS) on CKMFON1.The DHCP and WINS services will be hosted on other nodes.

Using High Availability Wizard , you begin creating the WINS service group on the cluster available onCKMFON1 node.The wizard shows an error "no disks are available " during configuration.

Which action should you perform to configure storage volumes on CKMFON1 to successfully add the WINSService group to CKMFON1?

A. Backup all data on the single volume on CKMFON1 and configure the disk with GUID partition table andcreate two volumes. Restore the backed up data on one of the volumes and use the other for WINS servicegroup

B. Add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volumeto fix the error in the wizard.

C. Add new physical shared disks to CKMFON1 and EMBFON2. Configure the volumes onthese disk anddirect CKMOFON1 to use CKMFON2 volume for the WINS service group

D. Add and configure a new volume on the existing shared disk which has 400GB of space. Use this volume tofix the error in the wizard



Explanation/Reference:http://class10e.com/Microsoft/which-action-should-you-perform-to-configure-storage-volumes-on-ckmfon1-to-successfully-add-the-wins-service-group-to-ckmfon1/

To configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1, you

need to add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it.Use this volume to fix the error in the wizard.This is because a cluster does not use shared storage.A cluster must use a hardware solution based either on shared storage or on replication between nodes.

QUESTION 74Exhibit :

Company servers run Windows Server 2008 . It has a single Active Directory domain . A server called S4 has file services role installed . You install some disks for additional storage . The disks are configured as shown in the exhibit.

To support data striping with parity , you have to create a new drive volume .

What should you do to achieve this objective?

A. Build a new spanned volume by combining Disk0 and Disk1B. Create a new Raid-5 volume by adding another disk.C. Create a new virtual volume by combining Disk 1 and Disk 2D. Build a new striped volume by combining Disk0 and Disk 2


Explanation/Reference:https://sort.symantec.com/public/documents/sf/5.0/solaris/html/vxvm_admin/ag_ch_intro_vm17.html RAID-5 (striping with parity)

QUESTION 75Your company asks you to implement Windows Cardspace in the domain.You want to use Windows Cardspace at your home .

Your home and office computers run Windows Vista Ultimat e.

What should you do to create a backup copy of Windows Cardspace cards to be used at home ?

A. Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB driveB. Backup \Windows\Globalization folder by using backup status and save the folder on your USB driveC. Back up the system state data by using backup status tool on your USB driveD. Employ Windows Cardspace application to backup the data on your USB drive.E. Reformat the C: DriveF. None of the above


Explanation/Reference:http://windows.microsoft.com/en-us/windows7/windows-cardspace-for-it-pros#BKMK_HowdoIbackupmycardsortransferthemtoanothercomputerWindows CardSpace for IT pros

Microsoft Windows CardSpace™ is a system for creating relationships with websites and online services.Windows CardSpace provides a consistent way for:

Sites to request information from you. You to review the identity of a site. You to manage your information by using Information Cards. You to review card information before you send it.

Windows CardSpace can replace the user names and passwords that you use to register with and log on towebsites and online services.

15. How do I back up my cards or transfer them to another computer?

Cards are stored on your computer in an encrypted format. To save a backup file containing some or all of yourcards or to use a card on a different computer, you can save cards to a backup card file.To back up your cards:1. Start Windows CardSpace.2. View all your cards.3. In the pane on the right of your screen, click Back up cards.4. Select the cards that you want to back up.5. Browse to the folder where you want to save the backup card file, and then give it a name.

When you complete these steps, you save a file containing some or all of your cards. You can copy the backupcard file to media such as a Universal Serial Bus (USB) storage device, CD, or other digital media. You canrestore the backup card file on this computer or on another computer.To restore your cards1. Save the backup card file to the computer.2. Browse to the location of the file on the computer.3. Double-click the file, and then follow the instructions to restore the cards.

QUESTION 76Your company has servers on the main network that run Windows Server 2008 . It also has two domain controllers . Active Directory services are running on a domain controller named CKDC1.

You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server .

What should you do to perform offline critical updates on CKDC1 without rebooting the server?

A. Start the Active Directory Domain Services on CKDC1B. Disconnect from the network and start the Windows update featureC. Stop the Active Directory domain services and install the updates. Start the Active Directory domain

services after installing the updates.D. Stop Active Directory domain services and install updates. Disconnect from the network and then connect

again.E. None of the above


Explanation/Reference:Personal comment: I don't believe you can avoid restarting the server when installing some (not all) updates

http://class10e.com/Microsoft/what-should-you-do-to-perform-offline-critical-updates-on-ckdc1-without-rebooting-the-server/

To perform offline critical updates on CKDC1 without rebooting the server, you should stop the Active Directorydomain services and install the updates. Start the Active Directory domain services after installing the updates.By stopping the Active Directory domain services, you don’t need to reboot the server.The updates are related to the Windows Server 2008 on CKDC1 so when you stop the Active Directory domainservices and start it again after the installation of the updates, the Server will perform in a normal way.

QUESTION 77One of the remote branch offices is running a Windows Server 2008 read only domain controller (RODC). For security reasons you don't want some critical credentials like (pass words, encryption keys) to bestored on RODC .

What should you do so that these credentials are not replicated to any RODC's in the forest ? (Select 2 )

A. Configure RODC filtered attribute set on the serverB. Configure RODC filtered set on the server that holds Schema Operations Master role.C. Delegate local administrative permissions for an RODC to any domain user without granting that user any

user rights for the domainD. Configure forest functional level server for Windows server 2008 to configure filtered attribute set.E. None of the above



Adding attributes to the RODC filtered attribute se tThe RODC filtered attribute set is a dynamic set of attributes that is not replicated to any RODCs in theforest . You can configure the RODC filtered attribute set on a schema master that runs Windows Server2008. When the attributes are prevented from replicating to RODCs, that data cannot be exposedunnecessarily if an RODC is stolen or compromised.

A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicateattributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes froma domain controller that is running Windows Server 2008, the replication request is denied. However, if theRODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, thereplication request could succeed.

Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan toconfigure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODCthat is compromised cannot be exploited in this manner because domain controllers that are running WindowsServer 2003 are not allowed in the forest.

QUESTION 78Your company has a server with Active Directory Rights Management Services (AD RMS) server installed . Users have computers with Windows Vista installed on them with an Active Directory domain installed atWindows Server 2003 functional level .

As an administrator at your company, you discover that the users are unable to benefit from AD RMS toprotect their documents .

You need to configure AD RMS to enable users to use it and prot ect their documents .

What should you do to achieve this functionality?

A. Configure an email account in Active Directory Domain Services (AD DS) for each user.B. Add and configure ADRMSADMIN account in local administrators group on the user computersC. Add and configure the ADRMSSRVC account in AD RMS server's local administrator groupD. Reinstall the Active Directory domain on user computersE. All of the above


Explanation/Reference:same as D/Q7

http://technet.microsoft.com/en-us/library/cc753531%28v=ws.10%29.aspxAD RMS Step-by-Step Guide

...For each user account and group that you configure with AD RMS, you need to add an e-mail address and thenassign the users to groups. ...

QUESTION 79ABC.com has a network that consists of a single Active Directory domain . A technician has accidently deleted an Organizational unit (OU) on the domain controller. As an administrator of ABC.com, you are in process of restoring the OU .

You need to execute a non-authoritative restore before an authoritative restore of the OU .

Which backup should you use to perform non-authorit ative restore of Active Directory Domain Services(AD DS) without disturbing other data stored on dom ain controller ?

A. Critical volume backupB. Backup of all the volumesC. Backup of the volume that hosts Operating systemD. Backup of AD DS foldersE. all of the above


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc730683%28v=ws.10%29.aspxPerforming a Nonauthoritative Restore of AD DS

To perform a nonauthoritative restore of Active Directory Domain Services (AD DS), you need at least a systemstate backup.To restore a system state backup, use the wbadmin start systemstaterecovery command. The procedure in thistopic uses the wbadmin start systemstaterecovery command.

You can also use a critical-volume backup to perform a nonauthoritative restore , or a full server backup ifyou do not have a system state or critical-volume backup. A full server backup is generally larger than a critical-volume backup or system state backup. Restoring a full server backup not only rolls back data in AD DS to thetime of backup, but it also rolls back all data in other volumes. Rolling back this additional data is not necessaryto achieve nonauthoritative restore of AD DS. To restore a critical-volume backup or full server backup, use thewbadmin start recovery command.

QUESTION 80ABC.com has a network that consists of a single Active Directory domain .Windows Server 2008 is installed on all domain controllers in the network.

You are instructed to capture all replication errors from a ll domain controllers to a central location .

What should you do to achieve this task?

A. Initiate the Active Directory Diagnostics data collector setB. Set event log subscriptions and configure itC. Initiate the System Performance data collector setD. Create a new capture in the Network Monitor


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc748890.aspx

Configure Computers to Forward and Collect Events







QUESTION 81Your company has a single domain network with Windows 2000, Windows 2003, and Windows 2008servers . Client computers running Windows XP and Windows Vista . All domain controllers are running Windows server 2008 .

You need to deploy Active Directory Rights Management S ystem (AD RMS) to secure all documents,spreadsheets and to provide user authentication .

What do you need to configure, in order to complete the deploym ent of AD RMS ?

A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company _DC1B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all

systems. Install AD RMS on domain controller Company _DC1C. Upgrade all client computers to Windows Vista. Install AD RMS on Company _SRV5D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all

systems. Install AD RMS on domain controller Company _SRV5E. None of the above


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd772753%28v=ws.10%29.aspxAD RMS Client Requirements

Windows AD RMS ClientWindows 7, all editionsWindows Server 2008 R2, all editions except Core EditionsWindows Vista, all editionsWindows Server 2008, all editions except Core EditionsWindows XP SP3 32-bit EditionWindows XP SP3 64-bit EditionWindows Server 2003 with SP1 32-bit EditionWindows Server 2003 with SP1 64-bit EditionWindows Server 2003 for Itanium-based systems with SP1Windows Server 2003 R2 32-bit EditionWindows Server 2003 R2 64-bit EditionWindows Server 2003 R2 for Itanium-based systemsWindows Small Business Server 2003 32-bit EditionWindows Server 2000 SP4 32-bit Edition

http://technet.microsoft.com/en-us/library/dd772659%28v=ws.10%29.aspxAD RMS Prerequisites

Before you install AD RMSBefore you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 forthe first time, there are several requirements that must be met.

Install the AD RMS server as a member server in the same Active Directory Domain Services (AD DS)forest as the user accounts that will be using rights-protected content.

...

QUESTION 82You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS ) toensure that data and log files are backed up regula rly . This will also need to ensure the continued availability of data to applic ations and users in the event of asystem failure .

Because you have limited media resources , you decided to backup only specific ADLDS instance inst eadof taking backup of the entire volume .

What should you do to accomplish this task?

A. Use Windows Server backup utility and enable checkbox to take only backup of database and log files ofAD LDS

B. Use Dsdbutil.exe tool to create installation media that corresponds only to the ADLDS instanceC. Move AD LDS database and log files on a separate volume and use windows server backup utilityD. None of the above



Backing up AD LDS instance data with Dsdbutil.exeWith the Dsdbutil.exe tool, you can create installation media that corresponds only to the AD LDS instance thatyou want to back up, as opposed to backing up entire volumes that contain the AD LDS instance.

QUESTION 83

You had installed Windows Server 2008 on a computer and configured it as a file server , named FileSrv1 . The FileSrv1 computer contains four hard disks , which are configured as basic disks .

For fault tolerance and performance you want to configure Redundant Array of Independent Disks (RAID) 0 +1on FileSrv1 .

Which utility you will use to convert basic disks to dynamic disks on FileSrv1 ?

A. Diskpart.exeB. Chkdsk.exeC. Fsutil.exeD. Fdisk.exeE. None of the above



[Diskpart] Convert dynamicConverts a basic disk into a dynamic disk.

QUESTION 84ABC.com has a domain controller that runs Windows Server 2008 . The ABC.com network boasts 40 Windows Vista client machines .

As an administrator at ABC.com, you want to deploy Active Directory Certificate service (AD CS) toauthorize the network users by issuing digital cert ificates .

What should you do to manage certificate settings on all machines in a do main from one main location ?

A. Configure Enterprise CA certificate settingsB. Configure Enterprise trust certificate settingsC. Configure Advance CA certificate settingsD. Configure Group Policy certificate settingsE. All of the above



AD CS: Policy SettingsIn the Windows Server® 2008 operating system, certificate-related Group Policy settings enable administratorsto manage certificate validation settings according to the security needs of the organization.

What are certificate settings in Group Policy?Certificate settings in Group Policy enable administrators to manage the certificate settings on all thecomputers in the domain from a central location.

QUESTION 85A domain controller named DC12 runs critical services . Restructuring of the organizational unit hierarchy for the domain has been completed and unnecessaryobjects have been deleted.

You need to perform an offline defragmentation of the A ctive Directory database on DC12 . You also need to ensure that the critical services remain on line .

What should you do?

A. Start the domain controller in the Directory Services restore mode. Run the Defrag utility.B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility.C. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the

Defrag utility.D. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the

Ntdsutil utility.


Explanation/Reference:http://support.microsoft.com/kb/232122Performing offline defragmentation of the Active Directory database

Active Directory automatically performs online defragmentation of the database at certain intervals (by default,every 12 hours) as part of the Garbage Collection process. Online defragmentation does not reduce the size ofthe database file (Ntds.dit), but instead optimizes data storage in the database and reclaims space in thedirectory for new objects.

Performing an offline defragmentation creates a new, compacted version of the database file. Depending onhow fragmented the original database file was, the new file may be considerably smaller.

http://rickardnobel.se/when-to-offline-defrag-ntds-dit/When to offline defrag the Active Directory database

This article will show a simple way to determine if there is any gain to do an offline defrag of your ActiveDirectory database.

During normal operations the Active Directory service will do an online defragmentation of the Active Directorydatabase (always called ntds.dit) each 12 hours. This online defrag will arrange all pages in an optimal wayinternal in the ntds.dit, however the file size will never shrink, sometimes even grow. During the years ofoperations of the ntds.dit the file size will increase as user accounts, organizational units, groups, computers,dns records and more are added and later removed. When deleted objects are finally removed (after the socalled tombstone lifetime, typically 180 days) the space they have occupied will unfortunately not decrease.

The actual size of the ntds.dit could be easily studied through Explorer, as above. The size of the database is inthis example around 575 MB. Note that Active Directory does not use a file level replication, so the file could beof various size on each Domain Controller in your domain. If wanted there is the possibility to take the ADservices offline on one DC and then do an offline defragmentation of ntds.dit. This would both arrange all pagesthe best possible way, and also to reclaim any empty space inside the database, which could make backup andrestore faster and also possible increase AD performance.

The offline defrag means “offline” from an Active Directory perspective. This means that on Windows 2000 and2003 you will have to reboot into Directory Services Restore Mode, and on Windows 2008 and R2 you will haveto stop the AD services by typing “net stop ntds” in the command prompt. So in Windows 2008 and later it is fareasier, but still something that you do not want to do if not necessary.

There are numerous article on the web how to do the actual offline defrag, so we will not cover that part here.However, we will see the perhaps most important information and that is to be able to see in advance theamount of space that we could reclaim. With this information we could make our decision based on fact and notguesses. This has been possible since at least Windows 2003, but is not well documented.

To enable this you will have to alter a registry value on the Domain Controller you will investigate thereclaimable MBs. Use regedit and find the following key:

HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \ NTDS \ Diagnostics

Change the value “6 Garbage Collection” from 0 to 1. This will increase the logging from the Garbage Collectionprocess which runs together with the online defrag. So now wait for the next online defragmentation which runstwice a day and then study the Directory Service log in Event Viewer.

Search for event id 1646, usually together with event ids 700 and 701.

Here we can note the amount of space that would be reclaimed from an offline defrag. The top value is thenumber of MB that the offline defrag would recover, here almost half the database size. If the amount isnegligible then do not worry about this any more, and if there is a considerable amount of MBs reported thenyou could plan to do the offline defrag.

Note that both the change of registry key and the actual offline defrag has to be done on each domaincontroller, since neither does replicate.

As noted above we will not look at the commands for the offline defragmentation here, since they are welldocumented already.

QUESTION 86Your company has a server that runs Windows Server 2008 R2 . The server runs an instance of Active Directory Lightweight Directory Services (AD LDS) .

You need to replicate the AD LDS instance on a test com puter that is located on the network .

What should you do?

A. Run the repadmin /kcc <servername> command on the test computer.B. Create a naming context by running the Dsmgmt command on the test computer.C. Create a new directory partition by running the Dsmgmt command on the test computer.D. Create and install a replica by running the AD LDS Setup wizard on the test computer.

Correct Answer: D



Create a Replica AD LDS InstanceTo create an AD LDS instance and join it to an existing configuration set, use the Active Directory LightweightDirectory Services Set Wizard to create a replica AD LDS instance.

To create a replica AD LDS instance1. Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services

Setup Wizard .2. On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next.3. On the Setup Options page, click A replica of an existing instance, and then click Next.4. Finish creating the new instance by following the wizard instructions.


The relevant servers in the domain are configured as shown in the following table:

Server name Operating System Server role

Server1 Windows 2008 Domain controller

Server2 Windows 2008 R2 Enterprise root certification authority (CA)

Server3 Windows 2008 R2 Network Device Enrollment Service (NDES)

You need to ensure that all device certificate requests use the MD5 hash algorithm .

What should you do?

A. On Server2, run the Certutil tool.B. On Server1, update the CEP Encryption certificate template.C. On Server1, update the Exchange Enrollment Agent (Offline Request) template.D. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm

\HashAlgorithm registry key.


Explanation/Reference:Reference:http://technet.microsoft.com/en-us/library/ff955642.aspx

Managing Network Device Enrollment Service

Configuring NDESNDES stores its configuration in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP.

To change NDES configuration, edit the NDES registry settings by using Regedit.exe or Reg.exe, then restartIIS. If necessary, create the key and value using the names and data types described in the following table.

Key nameHashAlgorithm \ HashAlgorithm

Value Data TypeString

Default value SHA1

Description Accepted values are SHA1 and MD5.


You have a server named Server1 that runs Windows Server 2008 R2 . Server1 is an enterprise root certification authority (CA) .

You have a client computer named Computer1 that runs Windows 7 .

You enable automatic certificate enrollment for all cli ent computers that run Windows 7 . You need to verify that the Windows 7 client computers can automatically enroll for certificates .

Which command should you run on Computer1 ?

A. certreq.exe retrieveB. certreq.exe submitC. certutil.exe getkeyD. certutil.exe pulse


Explanation/Reference:http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/795f209d-b056-4de8-8dcf-7c7f80529aab/What does "certutil -pulse" command do?

Certutil -pulse will initiate autoenrollment requests.It is equivalent to doing the following in the CertMgr.msc console (in Vista and Windows 7)Right-click Certificates , point to All Tasks , click Automatically Enroll and RetrieveCertificates .The command does require that- any autoenrollment GPO settings have already been applied to the target user orcomputer- a certificate template enables Read, Enroll and Autoenroll permissions for the user or aglobal or universal group containing the user- The group membership is recognized in the users Token (they have logged on after themembership was added

http://technet.microsoft.com/library/cc732443.aspxCertutil

Certutil.exe is a command-line program that is installed as part of Certificate Services. Youcan use Certutil.exe to dump and display certification authority (CA) configuration

information, configure Certificate Services, backup and restore CA components, and verifycertificates, key pairs, and certificate chains.

When certutil is run on a certification authority without additional parameters, it displays thecurrent certification authority configuration. When cerutil is run on a non-certificationauthority, the command defaults to running the certutil -dump verb.

VerbsThe following table describes the verbs that can be used with the certutil command... -pulse

Pulse auto enrollment events

..

QUESTION 89Your network contains two Active Directory forests named contoso.com and adatum.com . The functional level of both forests is Windows Server 2008 R2. Each forest contains one domain .

Active Directory Certificate Services (AD CS) is co nfigured in the contoso.com forest to allow usersfrom both forests to automatically enroll user cert ificates .

You need to ensure that all users in the adatum.com for est have a user certificate from thecontoso.com certification authority (CA) .

What should you configure in the adatum.com domain ?

A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.C. From the Default Domain Policy, modify the Certificate Enrollment policy.D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd851772.aspxManage Certificate Enrollment Policy by Using Group Policy

Configuring certificate enrollment policy settings by using Group Policy

QUESTION 90You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) roleservices installed :

Enterprise root certification authority (CA)Certificate Enrollment Web ServiceCertificate Enrollment Policy Web Service

You create a new certificate template .

External users report that the new template is unavailable when they request a new certificate . You verify that all other templates are available to th e external users .

You need to ensure that the external users can request certificates by using the new template .

What should you do on Server1 ?

A. Run iisreset.exe /restart.B. Run gpupdate.exe /force.C. Run certutil.exe dspublish.D. Restart the Active Directory Certificate Services service.


Explanation/Reference:http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspxCertificate Enrollment Web Services in Active Directory Certificate Services

..TroubleshootingManaging Certificate Enrollment Policy Web Service Polling for Certificate Templates

Certificate Templates are stored in AD DS, and the Certificate Enrollment Policy Web Service polls the AD DSperiodically for template changes. Changes made to templates are not reflected in real time on the CertificateEnrollment Policy Web Service. When administrators duplicate or modify templates, there can be a lagbetween the time at which the change is made and wh en the new templates are available . By default, theCertificate Enrollment Policy Web Service polls the directory every 30 minutes for changes. The CertificateEnrollment Policy Web Service can be manually forced to refresh its template cach e by recycling IISusing the command iisreset .

QUESTION 91Your network contains an enterprise root certification authority (CA).

You need to ensure that a certificate issued by the CA is valid .

What should you do?

A. Run syskey.exe and use the Update option.B. Run sigverif.exe and use the Advanced option.C. Run certutil.exe and specify the -verify parameter.D. Run certreq.exe and specify the -retrieve parameter.


Explanation/Reference:http://blogs.technet.com/b/pki/archive/2006/11/30/basic-crl-checking-with-certutil.aspxBasic CRL checking with certutil

Certutil.exe is the command-line tool to verify certificates and CRLs. To get reliable verification results, youmust use certutil.exe because the Certificate MMC Snap-In does not verify the CRL of certificates. A certificatemight be wrongly shown in the MMC snap-in as valid but once you verify it with certutil.exe you will see that thecertificate is actually invalid.

QUESTION 92

You have an enterprise subordinate certification authority (CA) . The CA issues smart card logon certificates .

Users are required to log on to the domain by using a smart card . Your company's corporate security policy states that when an employee resigns , his ability to log on tothe network must be immediately revoked .

An employee resigns .

You need to immediately prevent the employee from logg ing on to the domain .

What should you do?

A. Revoke the employee's smart card certificate.B. Disable the employee's Active Directory account.C. Publish a new delta certificate revocation list (CRL).D. Reset the password for the employee's Active Directory account.


Explanation/Reference:http://blog.imanami.com/blog/bid/68864/Delete-or-disable-an-Active-Directory-account-One-best-practiceDelete or disable an Active Directory account? One best practice.

I was recently talking to a customer about the best practice for deprovisioning a terminated employee in ActiveDirectory. Delete or disable? Microsoft doesn't give the clearest direction on this but common sense does.

The case for deleting an account is that, BOOM, no more access. No ifs ands or buts, if there is no account itcannot do anything. The case for disabling an account is that all of the SIDs are still attached to the accountand you can bring it back and get the same access right away...And then the reason for MSFT's lack of direction came into play. Individual needs of the customer. Thisparticular customer is a public school system and they often lay off an employee and have to re-hire them thenext month or semester. They need that account back....

QUESTION 93You add an Online Responder to an Online Responder Array .

You need to ensure that the new Online Responder resolv es synchronization conflicts for all membersof the Array .

What should you do?

A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1.B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32.C. From the Online Responder Management Console, select the new Online Responder, and then select Set

as Array Controller.D. From the Online Responder Management Console, select the new Online Responder, and then select

Synchronize Members with Array Controller.


Explanation/Reference:Reference 1:http://technet.microsoft.com/en-us/library/cc770413.aspx

Managing Array membersFor each Array, one member is defined as the Array controller ; the role of the Array controller is to helpresolve synchronization conflicts and to apply updated revocation configuration information to all Arraymembers.


To designate an Array controller1. Open the Online Responder snap-in .2. In the console tree, click Array Configuration Members.3. Select the Online Responder that you want to designate as the Array controller.4. In the Actions pane, click Set as Array Controller .

QUESTION 94Your network contains a server that runs Windows Server 2008 R2 . The server is configured as an enterprise root certification authority (CA) .

You have a Web site that uses x.509 certificates for authentication . The Web site is configured to use a many-to-one mapping .

You revoke a certificate issued to an external partner . You need to prevent the external partner from accessing the Web site .

What should you do?

A. Run certutil.exe -crl.B. Run certutil.exe -delkey.C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.D. From Active Directory Users and Computers, modify the Contact object for the external partner.


Explanation/Reference:http://technet.microsoft.com/library/cc732443.aspxCertutil

Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exeto dump and display certification authority (CA) configuration information, configure Certificate Services, backupand restore CA components, and verify certificates, key pairs, and certificate chains.

Verbs

-CRL Publish new certificate revocation lists (CRLs) [or only delta CRLs]

http://technet.microsoft.com/en-us/library/cc783835%28v=ws.10%29.aspxRequesting Offline Domain Controller Certificates (Advanced Certificate Enrollment and Management)

If you have determined the keycontainername for a specific certificate, you can delete the key container with thefollowing command.

certutil.exe -delkey <KeyContainerName>

The -delkey option is supported only with the Windows Server 2003 version of certutil. On Windows 2000, youmust add a prefix to the commands. The prefix is the path you have copied the Windows Server 2003 versionof certutil to. In this white paper, the %HOMEDRIVE%\W2K3AdmPak path is used.

QUESTION 95Your company has a main office and five branch offices that are connected by WAN links . The company has an Active Directory domain named contoso.com . Each branch office has a member server configured as a DNS server . All branch office DNS servers host a secondary zone for contoso.com .

You need to configure the contoso.com zone to resolve c lient queries for at least four days in the eventthat a WAN link fails .

What should you do?

A. Configure the Expires after option for the contoso.com zone to 4 days.B. Configure the Retry interval option for the contoso.com zone to 4 days.C. Configure the Refresh interval option for the contoso.com zone to 4 days.D. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc816704%28v=ws.10%29.aspxAdjust the Expire Interval for a Zone

You can use this procedure to adjust the expire interval for a Domain Name System (DNS) zone. Other DNSservers that are configured to load and host the zone use the expire interval to determine when zone dataexpires if it is not successfully transferred. By default, the expire interval for each zone is set to one day.

You can complete this procedure using either the DNS Manager snap-in or the dnscmd command-line tool.

To adjust the expire interval for a zone using the Windows interface1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click

DNS.2. In the console tree, right-click the applicable zone, and then click Properties.3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.4. Click the Start of Authority (SOA) tab.5. In Expires after , click a time period in minutes, hours, or days, and then type a number in the text box.6. Click OK to save the adjusted interval.

QUESTION 96Your company has an Active Directory domain named contoso.com . FS1 is a member server in contoso.com .

You add a second network interface card , NIC2, to FS1 and connect NIC2 to a subnet that containscomputers in a DNS domain named fabrikam.com . Fabrikam.com has a DHCP server and a DNS server .

Users in fabrikam.com are unable to resolve FS1 by using DNS .

You need to ensure that FS1 has an A record in the fabr ikam.com DNS zone .


A. Configure the DHCP server in fabrikam.com with the scope option 044 WINS/NBNS Servers.B. Configure the DHCP server in fabrikam.com by setting the scope option 015 DNS Domain Name to the

domain name fabrikam.com.C. Configure NIC2 by configuring the Append these DNS suffixes (in order): option.D. Configure NIC2 by configuring the Use this connection's DNS suffix in DNS registration option.E. Configure the DHCP server in contoso.com by setting the scope option 015 DNS Domain Name to the

domain name fabrikam.com.



QUESTION 97Your company Datum Corporation, has a single Active Directory domain named intranet.adatum.com . The domain has two domain controllers that run Windows Server 2008 R2 operating system. The domain controllers also run DNS servers .

The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with theDynamic updates setting configured to Secure only .

A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated onlyby domain controllers or member servers .

You need to configure the intranet.adatum.com zone to m eet the new security policy requirement .


A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zoneproperties.

B. Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNSzone properties.

C. Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of theintranet.adatum.com DNS zone properties.

D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tabof the intranet.adatum.com DNS zone properties.


Explanation/Reference:http://www.advicehow.com/managing-dns-dynamic-updates-in-windows-server-2008-r2/Managing DNS Dynamic Updates in Windows Server 2008 R2

What Is DNS Dynamic Update?

When a DNS server is installed in a network, during the installation administrators can configure it to acceptdynamic updates of client records. Dynamic updates means that DNS client computers can automaticallyregister their names along with their IP addresses in the DNS server. When this happens DNS server

automatically creates a Host (A) record for that client computer that contains hostname of the client and itsassociated IP address.

Also, during the installation of DNS server administrators can choose an option according to which DNS servershould not automatically update its records and in this condition administrators must manually create Host (A)records in the DNS database.

http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-Security-Part2.htmlDNS Security (Part 2): DNS Security Steps Prior to Deploying DNSSEC

In this article, then, we’ll take a look at the details of the following preliminary steps you can take to help secureyour Windows DNS infrastructure:

Decide who can resolve Internet host names Don’t co-locate internal and external zones Lock down the DNS cache Enable recursion only where needed Restrict DNS servers to listen on specific addresses Consider using a private root hints file Randomize your DNS source ports Be aware of the Global Query Block List Limit zone transfers Take advantage of Active Directory integrated zone security

..

Take advantage of Active Directory integrated zone security

Active Directory integrated zones enable you to secure the registration of resource records when dynamicname registration is enabled. Members of the Active Directory domain can register their resource recordsdynamically while non-domain members will be unable to register their names. You can also use discretionaryaccess control lists (DACLs) to control which computers are able to register or change their addressinginformation.

The figure below shows how you configure secure dynamic updates.

http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/Configuring DNS Server for Secure Only Dynamic Updates..

QUESTION 98Your company has two Active Directory forests as shown in the following table.

Forest name Forest functional level Domain(s)

contoso.com Windows Server 2008 contoso.com

fabrikam.com Windows Server 2008 fabrikam.com eng.fabrikam.com

The forests are connected by using a two-way forest trust . Each trust direction is configured with forest-wide authentication . The new security policy of the company prohibits users from the eng.fabrikam.com domain to accessresources in the contoso.com domain.

You need to configure the forest trust to meet the new security policy requirement .

What should you do?

A. Delete the outgoing forest trust in the contoso.com domain.B. Delete the incoming forest trust in the contoso.com domain.

C. Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wideauthentication to Selective authentication.

D. Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude*.eng.fabrikam.com from the Name Suffix Routing trust properties.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspxHow Domain and Forest Trusts Work

Active Directory provides security across multiple domains or forests through domain and forest trustrelationships. Before authentication can occur across trusts, Windows must first determine whether the domainbeing requested by a user, computer or service has a trust relationship with the logon domain of the requestingaccount. To make this determination, the Windows security system computes a trust path between the domaincontroller for the server that receives the request and a domain controller in the domain of the requestingaccount.

..

Trust Flow

The flow of secured communications over trusts determines the elasticity of a trust: how you create or configurea trust determines how far the communication extends within a forest or across forests. The flow ofcommunication over trusts is determined by the direction of the trust (one-way or two-way) and the transitivity ofthe trust (transitive or nontransitive).

One-Way and Two-Way Trusts

Trust relationships that are established to enable access to resources can be either one-way or two-way . Aone-way trust is a unidirectional authentication path created between two domains. In a one-way trust betweenDomain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain Bcannot access resources in Domain A. Some one-way trusts can be either nontransitive or transitive dependingon the type of trust being created.

All domain trusts in an Active Directory forest are two-way, transitive trusts. When a new child domain iscreated, a two-way, transitive trust is automatically created between the new child domain and the parentdomain. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means thatauthentication requests can be passed between the two domains in both directions. Some two-wayrelationships can be nontransitive or transitive depending on the type of trust being created. An Active Directorydomain can establish a one-way or two-way trust with:

Windows Server 2003 domains in the same forest. Windows Server 2003 domains in a different forest. Windows NT 4.0 domains. Kerberos V5 realms.

Transitive and Nontransitive TrustsTransitivity determines whether a trust can be extended outside of the two domains with which it was formed. Atransitive trust can be used to extend trust relationships with other domains; a nontransitive trust can be used todeny trust relationships with other domains.

Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically createdbetween the new domain and its parent domain. If child domains are added to the new domain, the trust pathflows upward through the domain hierarchy extending the initial trust path created between the new domain andits parent domain. Transitive trust relationships flow upward through a domain tree as it is formed, creatingtransitive trusts between all domains in the domain tree.

Authentication requests follow these trust paths, so accounts from any domain in the forest can beauthenticated by any other domain in the forest. With a single logon process, accounts with the properpermissions can access resources in any domain in the forest. The following figure shows that all domains inTree 1 and Tree 2 have transitive trust relationships by default. As a result, users in Tree 1 can accessresources in domains in Tree 2 and users in Tree 1 can access resources in Tree 2, when the properpermissions are assigned at the resource.

Default Transitive Trust Relationships

In addition to the default transitive trusts established in a Windows Server 2003 forest, by using the New TrustWizard you can manually create the following transitive trusts.

Shortcut trust . A transitive trust between domains in the same domain tree or forest that is used toshorten the trust path in a large and complex domain tree or forest. Forest trust . A transitive trust between one forest root domain and another forest root domain. Realm trust . A transitive trust between an Active Directory domain and a Kerberos V5 realm.

A nontransitive trust is restricted to the two domains in the trust relationship and does not flow to any otherdomains in the forest. A nontransitive trust can be a two-way trust or a one-way trust.

Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating twoone-way trusts. Nontransitive domain trusts are the only form of trust relationship possible between:

A Windows Server 2003 domain and a Windows NT domain A Windows Server 2003 domain in one forest and a domain in another forest (when not joined by a foresttrust)

By using the New Trust Wizard, you can manually create the following nontransitive trusts: External trust . A nontransitive trust created between a Windows Server 2003 domain and a Windows

NT, Windows 2000, or Windows Server 2003 domain in another forest. When you upgrade a Windows NTdomain to a Windows Server 2003 domain, all existing Windows NT trusts are preserved intact. All trustrelationships between Windows Server 2003 domains and Windows NT domains are nontransitive. Realm trust . A nontransitive trust between an Active Directory domain and a Kerberos V5 realm.

...

QUESTION 99Your company has an Active Directory Rights Management Services (AD RMS) server . Users have Windows Vista computers . An Active Directory domain is configured at the Windows Server 2003 functional level .

You need to configure AD RMS so that users are able to protect their documents .

What should you do?

A. Install the AD RMS client 2.0 on each client computer.B. Add the RMS service account to the local administrators group on the AD RMS server.C. Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user.D. Upgrade the Active Directory domain to the functional level of Windows Server 2008.


Explanation/Reference:same as C17

http://technet.microsoft.com/en-us/library/cc753531%28v=ws.10%29.aspxAD RMS Step-by-Step Guide

...For each user account and group that you configure with AD RMS, you need to add an e-mail address and thenassign the users to groups. ...

QUESTION 100Your company has an Active Directory domain . All consultants belong to a global group named TempWorkers . The TempWorkers group is not nested in any other groups .

You move the computer objects of three file servers to a new organizational unit named SecureServers . These file servers contain only confidential data in shar ed folders .

You need to prevent members of the TempWorkers group fr om accessing the confidential data on thefile servers .You must achieve this goal without affecting access to other domain resources .

What should you do?

A. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to thiscomputer from the network user right to the TempWorkers global group.

B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the networkuser right to the TempWorkers global group.

C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkersglobal group.

D. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on locally userright to the TempWorkers global group.


Explanation/Reference:Personal comment :

Basically, you need to create a GPO for the Secure Servers and deny the TempWorkers access to the sharedfolders (implies access from the network)."Deny log on locally" makes no sense in this instance, because we are reffering to shared folder andsupposedly physical access to servers should be highly restricted.And best practices recommend that you link GPOs at the domain level only for domain wide purposes.

Exam C

QUESTION 1Your company has a main office and a branch office . The branch office has an Active Directory site that contains a read-only domain controller (RODC) .

A user from the branch office reports that his account is locked out .From a writable domain controller in the main offic e, you discover that the user's account is not lock edout .

You need to ensure that the user can log on to the doma in .

What should you do?

A. Modify the Password Replication Policy.B. Reset the password of the user account.C. Run the Knowledge Consistency Checker (KCC) on the RODC.D. Restore network communication between the branch office and the main office.



not sure if:Run the Knowledge Consistency Checker (KCC) on the RODC.orRestore network communication between the branch office and the main office.

QUESTION 2Your network contains a single Active Directory domain . The domain contains five read-only domain controllers (RODCs) and five writable domain controllers . All servers run Windows Server 2008 .

You plan to install a new RODC that runs Windows Server 2008 R2 . You need to ensure that you can add the new RODC to the domain .

You want to achieve this goal by using the minimum amou nt of administrative effort .


A. At the command prompt, run adprep.exe /rodcprep.B. At the command prompt, run adprep.exe /forestprep.C. At the command prompt, run adprep.exe /domainprep.D. From Active Directory Domains and Trusts, raise the functional level of the domain.E. From Active Directory Users and Computers, pre-stage the RODC computer account.


Explanation/Reference:Because the domain has only Windows Server 2008 domain controllers, the current domain and forestfunctional levels are 2008 at most. Introducing a 2008 R2 domain controller requires adprep /forestprep and

adprep /domainprep to be run. There's no other way, it has to be done.

On top of that, the current domain already has five Windows Server 2008 RODCs. This means that adprep /rodcprep has already run and doesn't need to be run again in this case.

Reference:http://technet.microsoft.com/en-us/library/dd464018.aspx

What is Adprep.exe?Adprep.exe is a command-line tool that is included on the installation disk of each version of Windows Server.Adprep.exe performs operations that must be completed in an existing Active Directory environment before youcan add a domain controller that runs that version of Windows Server. You must run various Adprep.execommands on your existing domain controllers to complete these operations in the following cases:

Before you add the first domain controller that runs a version of Windows Server that is later than the latestversion that is running in your existing domain.(...)

Running Adprep.exeTo complete the required operations, you must run the Adprep.exe commands that are listed in the followingtable. You must run adprep /forestprep before you run other commands.

adprep /forestprepMust be run on the schema operations master for the forest.Once for the entire forest

adprep /domainprepMust be run on the infrastructure operations master for the domain.Once in each domain where you plan to install an additional domain controller that runs a later version ofWindows Server than the latest version that is running in the domain.

adprep /rodcprepIf you already ran this command for Windows Server 2008, you do not have to run it again for Windows Server2008 R2.

QUESTION 3You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a servernamed Server1 .

You need to configure the Windows Firewall on Server1 t o allow external users to authenticate by usingAD FS.

Which inbound TCP port should you allow on Server1?

A. 88B. 135C. 443D. 445


Explanation/Reference:http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-things-to-check%28v=ws.10%29.aspxThings to Check Before Troubleshooting AD FS 2.0

Verify router, firewall, and HTTP proxy configurations

In addition to verifying network connectivity, you may also have to verify that any routers, firewalls, or HTTPproxies in your network (or any routers, firewalls, or HTTP proxies that your federation partner is using) havebeen configured properly to support Web applications and protocols required with AD FS 2.0. For example,Web applications can require both TCP port exceptions to be enabled for HTTP and HTTPS traffic usingSecure Sockets Layer (SSL). To ensure that the exceptions are configured appropriately, you may have to verify that the default TCP port numbers (80 for HT TP and 443 for HTTPS) , which typically allow Webtraffic, are in use. Also, check to see whether alternate TCP port numbers have been configured in any part ofthe network route between the client computer and all server computers that are involved. If alternate TCP portnumbers are configured for Web application protocols, you may have to update your AD FS 2.0 deployment sothat federation server and federation server proxy computers can support the alternate TCP ports.

QUESTION 4You deploy a new Active Directory Federation Services ( AD FS) federation server .

You request new certificates for the AD FS federation server.

You need to ensure that the AD FS federation server ca n use the new certificates .

To which certificate store should you import the ce rtificates ?

A. ComputerB. IIS Admin Service service accountC. Local AdministratorD. World Wide Web Publishing Service service account


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd378922%28v=ws.10%29.aspx#BKMK_13Step 2: Installing AD FS Role Services and Configuring Certificates

To import the server authentication certificate for adfsresource to adfsweb1. Click Start, click Run, type mmc, and then click OK.2. Click File, and then click Add/Remove Snap-in.3. Select Certificates, click Add, click Computer account , and then click Next.4. Click Local computer: (the computer this console is running on), click Finish, and then click OK.5. In the console tree, double-click the Certificates (Local Computer) icon, double-click the Trusted Root

Certification Authorities folder, right-click Certificates, point to All Tasks, and then click Import.6. On the Welcome to the Certificate Import Wizard page, click Next.7. On the File to Import page, type \\adfsresource\d$\adfsresource.pfx, and then click Next.8. On the Password page, type the password for the adfsresource.pfx file, and then click Next.9. On the Certificate Store page, click Place all certificates in the following store, and then click Next.10. On the Completing the Certificate Import Wizard page, verify that the information you provided is

accurate, and then click Finish.

QUESTION 5Your network contains an Active Directory domain named contoso.com . The domain contains a server named Server1 . Server1 has the Active Directory Federation Services (AD FS) role i nstalled .You have an application named App1 that is configured to use Server1 for AD FS authentication .

You deploy a new server named Server2 . Server2 is configured as an AD FS 2.0 server .

You need to ensure that App1 can use Server2 for authen tication .

What should you do on Server2?

A. Add an attribute store.B. Create a relying party trust.C. Create a claims provider trust.D. Create a relaying provider trust.



http://technet.microsoft.com/en-us/library/dd807132%28v=ws.10%29.aspxCreate a Relying Party Trust Using Federation Metadata

http://pipe2text.com/?page_id=815Setting up a Relying Party Trust in ADFS 2.0

http://blogs.msdn.com/b/card/archive/2010/06/25/using-federation-metadata-to-establish-a-relying-party-trust-in-ad-fs-2-0.aspxUsing Federation Metadata to establish a Relying Party Trust in AD FS 2.0

QUESTION 6Your network contains an Active Directory domain named contoso.com . The domain contains a server named Server1 . The Active Directory Federation Services (AD FS) ro le is installed on Server1 . Contoso.com is defined as an account store .

A partner company has a Web-based application that uses AD FS authentication . The partner company plans to provide users from contoso .com access to the Web application .

You need to configure AD FS on contoso.com to allow contoso. com users to be authenticated by thepartner company .

What should you create on Server1?

A. a new applicationB. a resource partnerC. an account partnerD. an organization claim


Explanation/Reference:Many thanks to Luffy for helping me out with this one!

Since the account store has already been configured, what needs to be done is to use the account store to mapan AD DS global security group to an organization claim (called group claim extraction). So that's what we needto create for authentication: an organization claim.

Creating a resource/account partner is part of setting up the Federation Trust.

Reference 1:http://technet.microsoft.com/en-us/library/dd378957.aspx

Configuring the Federation Servers[All the steps for setting up an AD FS environment are listed in an extensive step-by-step guide, too long to posthere.]


Add an AD DS Account StoreIf user and computer accounts that require access to a resource that is protected by Active Directory FederationServices (AD FS) are stored in Active Directory Domain Services (AD DS), you must add AD DS as an account store on a federation server in the Federation Service that authenticates the accounts.


Map an Organization Group Claim to an AD DS Group ( Group Claim Extraction)When you use Active Directory Domain Services (AD DS) as the Active Directory Federation Services (AD FS) account store for an account Federation Service, you map an organization group claim to a security groupin AD DS. This mapping is called a group claim extraction.

QUESTION 7Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2 . Server1 has the Active Directory Federation Services (AD FS) Federa tion Service role service installed .

You plan to deploy AD FS 2.0 on Server2 .

You need to export the token-signing certificate from S erver1, and then import the certificate toServer2 .

Which format should you use to export the certificate?

A. Base-64 encoded X.509 (.cer)B. Cryptographic Message Syntax Standard PKCS #7 (.p7b)C. DER encoded binary X.509 (.cer)D. Personal Information Exchange PKCS #12 (.pfx)


Explanation/Reference:Many thanks to 'confused' from Algeria and Luffy for noting this question needed a correction and for their help!

Practically the same question as K/Q32

Reference 1:http://technet.microsoft.com/en-us/library/ff678038.aspx

Checklist: Migrating Settings in the AD FS 1.x Fede ration Service to AD FS 2.0If the AD FS 1.x Federation Service has a token-signing certificate that was issued by a trusted certificationauthority (CA) and you want to reuse it, you will have to export it from AD FS 1.x.

[The site provides also a link for instructions on how to export the token-signing certificate. That link point to thesite mentioned in reference 2.]


Export the private key portion of a token-signing c ertificate

To export the private key of a token-signing certificate1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.2. Right-click Federation Service, and then click Properties.3. On the General tab, click View.4. In the Certificate dialog box, click the Details tab.5. On the Details tab, click Copy to File.6. On the Welcome to the Certificate Export Wizard page, click Next.7. On the Export Private Key page, select Yes, export the private key, and then click Next.8. On the Export File Format page, select Personal Information Exchange = PKCS #12 (.PFX) and then

click Next.9. (...)

QUESTION 8Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2 . Server1 has Active Directory Federation Services (AD FS) 2.0 in stalled . Server1 is a member of an AD FS farm . The AD FS farm is configured to use a configuration dat abase that is stored on a separate MicrosoftSQL Server .

You install AD FS 2.0 on Server2 .

You need to add Server2 to the existing AD FS farm .

What should you do?

A. On Server1, run fsconfig.exe.B. On Server1, run fsconfigwizard.exe.C. On Server2, run fsconfig.exe.D. On Server2, run fsconfigwizard.exe.


Explanation/Reference:Reference:http://technet.microsoft.com/en-us/library/adfs2-help-how-to-configure-a-new-federation-server.aspx

Configure a New Federation Server

To configure a new federation server using the command line1. Open a Command Prompt window.2. Change the directory to the path where AD FS 2.0 was installed.3. To configure this computer as a federation server, type the applicable syntax using either of the following

command parameters, and then press ENTER: fsconfig.exe {StandAlone|CreateFarm|CreateSQLFarm|JoinFarm|JoinSQLFarm} [deployment spe cific parameters]

ParameterJoinSQLFarmJoins this computer to an existing federation server farm that is using SQL Server.

QUESTION 9Your network contains an Active Directory forest .

You set the Windows PowerShell execution policy to allow unsigned scripts on a domain controller inthe network .

You create a Windows PowerShell script named new-users.ps1 that contains the following lines :

new-aduser user1new-aduser user2new-aduser user3new-aduser user4new-aduser user5

On the domain controller , you double-click the script and the script runs . You discover that the script fails to create the user a ccounts .

You need to ensure that the script creates the user acc ounts .

Which cmdlet should you add to the script?

A. Import-ModuleB. Register-ObjectEventC. Set-ADDomainD. Set-ADUser


Explanation/Reference:http://blog.coretech.dk/jgs/powershell-creating-new-users-from-csv-with-password-and-enabled-accounts-or-how-to-pipe-into-multiple-cmdlets/PowerShell: Creating new users from CSV with password and enabled accounts or How to Pipe into multiplecmdlets

..

1. Import-Module ActiveDirectory2. import-csv e:\users\newusers.csv |3. New-ADUser -path "ou=test1,dc=contoso,dc=com" -passthru |4. ForEach-Object {5. $_ | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Pa$$w0rd" -Force)6. $_ | Enable-ADAccount }

QUESTION 10Your network contains an Active Directory forest .The forest schema contains a custom attribute for user objects .

You need to modify the custom attribute value of 500 us er accounts .


A. CsvdeB. DsmodC. DsrmD. Ldifde


Explanation/Reference:We cannot use Dsmod here, because it supports only a subset of commonly used object class attributes.Csvde can only import and export data.Dsrm is used to delete objects from the directory.


LdifdeCreates, modifies , and deletes directory objects.

QUESTION 11Your network contains an Active Directory forest . The forest schema contains a custom attribute for user objects .

You need to give the human resources department a file that contains the last logon time and thecustom attribute values for each user in the forest .


A. the Dsquery toolB. the Export-CSV cmdletC. the Get-ADUser cmdletD. the Net.exe user command


Explanation/Reference:Practically the same question as K/Q43.

I find this one a bit tricky, as both the Get-ADUser cmdlet and the Dsquery tool seem to get the job done, Ithink. The other two options play no role here:

Export-CSV cannot perform queries. It is used to save queries that have been piped through.Net User is too limited for our question.

Get-ADUserReferences:https://devcentral.f5.com/weblogs/Joe/archive/2009/01/09/powershell-abcs---o-is-for-output.aspx

http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/8d8649d9-f591-4b44-b838-e0f5f3a591d7

http://kpytko.wordpress.com/2012/07/30/lastlogon-vs-lastlogontimestamp/

Export-CsvReference:http://technet.microsoft.com/en-us/library/ee176825.aspxSaving Data as a Comma-Separated Values FileThe Export-Csv cmdlet makes it easy to export data as a comma-separated values (CSV) file; all you need todo is call Export-Csv followed by the path to the CSV file. For example, this command uses Get-Process to

grab information about all the processes running on the computer, then uses Export-Csv to write that data to afile named C:\Scripts\Test.txt:Get-Process | Export-Csv c:\scripts\test.txt .

Net UserReference:http://technet.microsoft.com/en-us/library/cc771865.aspxAdds or modifies user accounts, or displays user account information.

DSQUERYReference 1:http://technet.microsoft.com/en-us/library/cc754232.aspx

Parameters{<StartNode> | forestroot | domainroot}Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot ),domain root (domainroot), or distinguished name of a node as the start node <StartNode>. If you specifyforestroot , AD DS searches by using the global catalog.

-attr {<AttributeList> | *}Specifies that the semicolon separated LDAP display names included in <AttributeList> for each entry in theresult set. If you specify the value of this parameter as a wildcard character (*), this parameter displays allattributes that are present on the object in the result set. In addition, if you specify a *, this parameter uses thedefault output format (a list), regardless of whether you specify the -l parameter. The default <AttributeList> is adistinguished name.

Reference 2:http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/dda5fcd6-1a10-4d47-9379-02ca38aaa65b

Gives an example of how to find a user with certain attributes using Dsquery. Note that it uses domainroot asthe startnode, instead of forestroot what we need.

Reference 3:http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/c6fc3826-78e1-48fd-ab6f-690378e0f787/List all last login times for all users, regardless of whether they are disabled.dsquery * -filter "(&(objectCategory=user)(objectClass=user))" -limit 0 -attr givenName sn sAMAccountNamelastLogon >>c:\last_logon_for_all.txt

QUESTION 12You have a Windows PowerShell script that contains the following code:

import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword$_.password}

When you run the script , you receive an error message indicating that the fo rmat of the password isincorrect .

The script fails .

You need to run a script that successfully creates the user accounts by using the password containedin accounts.csv .

Which script should you run?

A. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword(ConvertTo-SecureString "Password" -AsPlainText -force)}

B. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword(ConvertTo-SecureString $_.Password -AsPlainText -force)}

C. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword(Read-Host -AsSecureString "Password")}

D. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword(Read-Host -AsSecureString $_.Password)}


Explanation/Reference:import-csv Accounts.csv | Foreach { New-ADUser -Name $_.Name -Enabled $true - AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force)}

Personal comment:import comma separated values file (most probably containing a column for Name and one for Password )for each line of valuescreate a new AD userwith the name contained in the Name columnenable the accountand set the password with the value contained in the Password column; import the password from plain text asa secure string and ignore warnings/errors

http://technet.microsoft.com/en-us/library/hh849818.aspxConvertTo-SecureString

..Parameters

-AsPlainTextSpecifies a plain text string to convert to a secure string. The secure string cmdlets help protectconfidential text. The text is encrypted for privacy and is deleted from computer memory after it is used. Ifyou use this parameter to provide plain text as input, the system cannot protect that input in this manner.To use this parameter, you must also specify the Force parameter.

-ForceConfirms that you understand the implications of using the AsPlainText parameter and still want to use it.

...

QUESTION 13Your network contains an Active Directory forest .The functional level of the forest is Windows Server 2008 R2 .

Your company's corporate security policy states that the password for each user account must bechanged at least every 45 days .

You have a user account named Service1 . Service1 is used by a network application named Application1 .Every 45 days, Application1 fails .After resetting the password for Service1, Applicat ion1 runs properly .

You need to resolve the issue that causes Application1 to fail . The solution must adhere to the corporate security policy .

What should you do?

A. Run the cmdlet.B. Run the Set-ADServiceAccount cmdlet.C. Create a new password policy.D. Create a new Password Settings object (PSO).


Explanation/Reference:http://technet.microsoft.com/en-us/library/ee617252.aspxSet-ADServiceAccount

Syntax

Set-ADServiceAccount [-Identity] <ADServiceAccount> [-AccountExpirationDate <System.Nullable[System.DateTime]>] [-AccountNotDelegated <System.Nullable[bool]>] [-Add <hashtable>] [-Certificates <string[]>] [-Clear <string[]>] [-Description <string>] [-DisplayName <string>] [-Enabled <System.Nullable[bool]>] [-HomePage <string>] [-Remove <hashtable>] [-Replace <hashtable>] [-SamAccountName <string>] [-ServicePrincipalNames <hashtable>] [-TrustedForDelegation <System.Nullable[bool]>] [-AuthType{<Negotiate> | <Basic>}] [-Credential <PSCredential>] [-Partition <string>] [-PassThru <switch>] [-Server<string>] [-Confirm] [-WhatIf] [<CommonParameters>]

Detailed Description

The Set-ADServiceAccount cmdlet modifies the properties of an Active Directory service account. You canmodify commonly used property values by using the cmdlet parameters. Property values that are notassociated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters.

The Identity parameter specifies the Active Directory service account to modify. You can identify a serviceaccount by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM)account name. You can also set the Identity parameter to an object variable such as$<localServiceAccountObject>, or you can pass an object through the pipeline to the Identity parameter. Forexample, you can use the Get-ADServiceAccount cmdlet to retrieve a service account object and then pass theobject through the pipeline to the Set-ADServiceAccount cmdlet.

The Instance parameter provides a way to update a service account object by applying the changes made to acopy of the object. When you set the Instance parameter to a copy of an Active Directory service account objectthat has been modified, the Set-ADServiceAccount cmdlet makes the same changes to the original serviceaccount object. To get a copy of the object to modify, use the Get-ADServiceAccount object. When you specifythe Instance parameter you should not pass the Identity parameter. For more information about the Instanceparameter, see the Instance parameter description.


You add an additional user principal name (UPN) suffix to the forest .

You need to modify the UPN suffix of all users . You want to achieve this goal by using the minimum amo unt of administrative effort .


A. the Active Directory Domains and Trusts consoleB. the Active Directory Users and Computers consoleC. the Csvde toolD. the Ldifde tool


Explanation/Reference:!***Old answer : the Ldifde tool

http://technet.microsoft.com/en-us/library/cc772007.aspxAdd User Principal Name Suffixes

You can use Active Directory Domains and Trusts to add user principal name (UPN) suffixes for the existinguser account. The default UPN suffix for a user account is the Domain Name System (DNS) domain name ofthe domain that contains the user account. You can add alternative UPN suffixes to simplify administration anduser logon processes by providing a single UPN suffix for all users. The UPN suffix is used only within theActive Directory forest, and it is not required to be a valid DNS domain name.

To add UPN suffixes1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start ,

click Administrative Tools and then click Active Directory Domains and Trusts .2. In the console tree, right-click Active Directory Domains and Trusts and then click Properties .3. On the UPN Suffixes tab , type an alternative UPN suffix for the forest, and then click Add .4. Repeat step 3 to add additional alternative UPN suffixes.

Additional considerations..

You can also perform the task in this procedure by using the Active Directory module for WindowsPowerShell.

Community Additions

Sample AD PowerShell command to update UPNs in bulk:

Get-ADUser-Filter * -properties homemdb | where {$_.homemdb -ne $null} | ForEach-Object($_.SamAccountName) {$CompleteUPN = $_.SamAccountName + "@contoso.com"; Set-ADUser -Identity$_.DistinguishedName -UserPrincipalName $CompleteUPN}

The above script:Gets all users with something in their homemdb attribute (i.e. mailbox users)Creates a temporary variable called $completeUPN which is a combination of every user’ssamaccountname plus @contoso.comSets each user to this new upn

QUESTION 15Your network contains a single Active Directory domain . All client computers run Windows Vista Service Pack 2 (SP2).

You need to prevent all users from running an applicati on named App1.exe .

Which Group Policy settings should you configure?

A. Application CompatibilityB. AppLockerC. Software InstallationD. Software Restriction Policies


Explanation/Reference:http://gpfaq.se/2007/09/30/how-to-using-software-restriction-policies/How-to: Using Software Restriction Policies

Using SRP is not that common today and what I will write here is a small how-to so that you can start trying ittoday and maybe even sometime soon apply it in your production environment.

First thing to notice is that SRP is a very powerful tool so try in a test-environment before you apply it to users inproduction.

First you need to choose your default level which you do at Security Levels:

Default when you start using this, the default level is “Unrestricted” which allows all programs to run. Whichmeans you can use SRP to block specific programs but the power is that you can change this so “Disallowed”is the default level which means you specify which programs you can run (all others are blocked) instead ofblocking specific programs.

So to start with change so “Disallowed” is default. Double-click on “Disallowed” and press the button “Set asDefault”

This means that all clients affected by this policy now would be able to run anything except what you define asexclusions which you do at “Additional rules”:

As you can see in the above picture you have two default values already included. These two values areregistry paths which makes all programs defined in these two registry paths to unrestricted which of coursemakes them available to run even if you selected “Disallowed” as your default choice in the above selection at“Security Levels”.

There are four different choices on how to enable/disable programs to run: Hash-rule Path-rule Network zone-rule Certificate-rule

The normal ones to use is HASH or PATH. HASH is always something you should prefer to use since if theuser tries to run a program it looks at the hash-value and evaluates if you can run the program or not.Sometimes when you have different versions of a program for example it might be a problem to use HASH,then you use PATH instead. Also if you don’t have the program installed in the same location on each computerbut you know somewhere in the registry where it types the path to the program you can use PATH and use theregistry location instead.

I will show you the two ways of allowing Windows Live Messenger to run

Hash:

As what you can see above is that it takes the values from the executable and stores the hash-value of the file.When someone tries to run the program the system evaluates this hash-value and compare it with the one youdefined and then selecting if you can run the program or not.

Path:

As you can see above is that you need to select the path to the executable. This path needs to be same oneach computer you would like to use this on but of course you can use environment variables as I have done inthe above picture. You could also use a registry location if you did know where the path to the program wherestored.

You can of course also use this to block programs instead of allowing them. This is not really the preferredmethod on how to use SRP but fully functional.On my computer I have “Unrestricted” as my default and I added an application on my desktop namedradio.exe as “Disallowed”

So the result if I’m trying to run the file is:

As conclusion you can see that this is a powerful way of giving your users minimal rights in the system with theresult that your users will have a large problem messing up the computer :)

This only covers some parts of SRP. For example local administrators also get these rules but that you canexclude in the “Enforcement” choice and also dll-files are excluded by default but you can change that too.Make sure to try this in a safe environment before applying it to production as you might get a big headache ifyou have made some wrong turns in setting this up. :)

QUESTION 16Your network contains an Active Directory domain . All domain controllers run Windows Server 2008 R2 . Client computers run either Windows XP Service Pack 3 (SP3) or Windows V ista .

You need to ensure that all client computers can apply Group Policy preferences .

What should you do?

A. Upgrade all Windows XP client computers to Windows 7.B. Create a central store that contains the Group Policy ADMX files.C. Install the Group Policy client-side extensions (CSEs) on all client computers.D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).


Explanation/Reference:http://www.microsoft.com/en-us/download/details.aspx?id=3628Group Policy Preference Client Side Extensions for Windows XP (KB943729)

Multiple Group Policy Preferences have been added to the Windows Server 2008 Group Policy ManagementConsole (which are also available through the Remote Server Administration Toolset (RSAT) for Windows VistaSP1).

Multiple Group Policy Preferences have been added to the Windows Server 2008 Group Policy ManagementConsole (which are also available through the Remote Server Administration Toolset (RSAT) for Windows VistaSP1). Group Policy Preferences enable information technology professionals to configure, deploy, and manageoperating system and application settings they previously were not able to manage using Group Policy. Afteryou install this update, your computer will be able to process the new Group Policy Preference extensions.

http://www.petenetlive.com/KB/Article/0000389.htmServer 2008 Group Policy Preferences and Client Side Extensions

Problem

Group Policy Preferences (GPP) first came in with Server 2008 and were enhanced for Server 2008 R2, To beable to apply them to older Windows clients, you need to install the "Client side Extensions" (CSE), You caneither script this, deploy with a group policy, or if you have WSUS you can send out the update that way.

Solution

You may not have noticed, but if you edit or create a group policy in Server 2008 now, you will see there is a"Preferences" branch. Most IT Pro's will have seen the addition of the "Policies" folder some time ago becauseit adds an extra level to get to the policies that were there before :)

OK Cool! What can you do with them?

1. Computer Preferences: Windows SettingsEnvironment: Lets you control, and send out Environment variables via Group Policy.Files: Allows you to copy, modify the attributes, replace or delete a file (for folders see the next section).Folder: As above, but for folders.Ini Files: Allows you to Create, Replace, Update or Delete an ini file.Registry: Allows you to Create, Replace, Update or Delete a Registry value, You can either manually typein the reference use a Wizard, or extract the key(s) values you want to send them out via group policy.Network Shares: Allow you to Create, Replace, Update, or Delete shares on clients via group policy.Shortcuts: Allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy.

2. Computer Preferences: Control Panel SettingsData Sources: Allows you to Create, Replace, Update, or Delete, Data Sources and ODBC settings viagroup policy. (Note: there's a bug if your using SQL authentication see here).Devices: Lets you enable and disable hardware devices by type and class, to be honest it's a little "clunky".Folder Options: Allows you to set "File Associations" and set the default programs that will open particularfile extensions.Local Users and Groups: Lets you Create, Replace, Update, or Delete either local users OR local groups.Handy if you want to create an additional admin account, or reset all the local administrators passwordsvia group policy.Network Options: Lets you send out VPN and dial up connection settings to your clients, handy if you usePPTP Windows Server VPN's.Power Options: With XP these are Power Options and Power Schemes, With Vista and later OS's they arePower Plans. This is much needed, I've seen many "Is there a group policy for power options?" ordisabling hibernation questions in forums. And you can use the options Tab, to target particular machinetypes (i.e. only apply if there is a battery present). Printers: Lets you install printers (local or TCP/IP), handy if you want all the machines in accounts to havethe accounts printer. Scheduled Tasks: Lets you create a scheduled task or an immediate task (Vista or Later), this could behandy to deploy a patch or some virus/malware removal process.

Service: Essentially anything you can do in the services snap in you can push out through group policy, setservices to disables or change the logon credentials used for a service. In addition you can set therecovery option should a service fail.

3. User Configuration: Windows SettingsApplications: Answers on a Postcard? I can't work out what these are for!Drive Mappings: Traditionally done by login script or from the user object, but use this and you can assignmapped drives on a user/group basis. Environment: As above lets you control and send out Environment variables via Group Policy, but on auser basis.Files: As above. allows you to copy, modify the attributes, replace or delete a file (for folders see the nextsection), but on a user basis.Folders: As above, but for folders on a user by user basis.Ini Files: As above, allows you to Create, Replace, Update or Delete an ini file, on a user by user basis.Registry: As above, allows you to Create, Replace, Update or Delete a Registry value, You can eithermanually type in the reference use a Wizard, or extract the key(s) values you want to send out via grouppolicy, this time for users not computers.Shortcuts: As Above, allows you to Create, Replace, Update, or Delete shortcuts on clients via grouppolicy for users.

4. User Configuration: Control Panel SettingsAll of the following options are covered above on "Computer Configuration"

Data SourcesDevicesFolder OptionsLocal Users and GroupsNetwork OptionsPower OptionsPrintersScheduled Tasks

Internet Settings: Using this Group Policy you can specify Internet Explorer settings/options on a user byuser basis.Regional Options: Designed so you can change a users Locale, handy if you have one user who wants anAmerican keyboard.Start Menu: Provides the same functionality as right clicking your task bar > properties > Start Menu >Customise, only set user by user.

References:http://technet.microsoft.com/en-us/library/dd367850%28WS.10%29.aspxGroup Policy Preferences

QUESTION 17Your network contains an Active Directory domain . All domain controllers run Windows Server 2008 R2 . Client computers run either Windows 7 or Windows Vista Service Pack 2 (SP2).

You need to audit user access to the administrative sha res on the client computers .

What should you do?

A. Deploy a logon script that runs Icacls.exe.B. Deploy a logon script that runs Auditpol.exe.C. From the Default Domain Policy, modify the Advanced Audit Policy Configuration.D. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration.


Explanation/Reference:Reference:http://support.microsoft.com/kb/921469

Administrators can use the procedure that is described in this article to deploy a custom audit policy that appliesdetailed security auditing settings to Windows Vista-based and Windows Server 2008-based computers in aWindows Server 2003 domain or in a Windows 2000 domain.

Use the Auditpol.exe command-line tool to configure the custom audit policy settings that you want.


You need to create a central store for the Group Policy Administrative templates .

What should you do?

A. Run dfsrmig.exe /createglobalobjects.B. Run adprep.exe /domainprep /gpprep.C. Copy the %SystemRoot%\PolicyDefinitions folder to the \\contoso.com\SYSVOL\contoso.com\Policies

folder.D. Copy the %SystemRoot%\System32\GroupPolicy folder to the \\contoso.com\SYSVOL\contoso.com

\Policies folder.


Explanation/Reference:http://www.vmadmin.co.uk/microsoft/43-winserver2008/220-svr08admxcentralstoreCreating an ADMX central store for group policies

To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder. TheCentral Store is a location that is checked by GPMC. The GPMC will use .admx files that are in the CentralStore. The files that are in the Central Store are replicated to all domain controllers in the domain.First on a domain controller (Windows Server 2008/2008 R2) the ADMX policy definitions and languagetemplate files in %SYSTEMROOT%\PolicyDefinitions need copying to %SYSTEMROOT%\SYSVOL\domain\Policies\PolicyDefinitions.

Run the following command to copy the entire folder contents to SYSVOL. This will then replicate to all domaincontrollers (the default ADMX policies and EN-US language templates (ADML) are about 6.5 MB in total).

xcopy /E "%SYSTEMROOT%\PolicyDefinitions" "%SYSTEMROOT%\SYSVOL\domain\Policies\PolicyDefinitions\"

Next ensure you have remote server administration tools (RSAT) installed on your client computer you areusing to edit the GPO's. This will need to be Windows Vista or Windows 7.For Windows Vista enable the RSAT feature (GPMC).For Windows 7 download and install RSAT then enable the RSAT feature (GPMC).

When editing a GPO in the GMPC you will find that the Administrative Templates show as "Policy Definitions(ADMX files) retrieved from the central store".This confirms it is working as expected.

Further information :http://support.microsoft.com/kb/929841/en-usHow to create the Central Store for Group Policy Administrative Template files in Windows Vista

http://msdn.microsoft.com/en-us/library/bb530196.aspxManaging Group Policy ADMX Files Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc748955%28v=ws.10%29.aspxScenario 2: Editing Domain-Based GPOs Using ADMX Files

QUESTION 19You configure and deploy a Group Policy object (GPO) that contains AppLocker settings .

You need to identify whether a specific application fil e is allowed to run on a computer .

Which Windows PowerShell cmdlet should you use?

A. Get-AppLockerFileInformationB. Get-GPOReportC. Get-GPPermissionsD. Test-AppLockerPolicy


Explanation/Reference:Reference:http://technet.microsoft.com/en-us/library/ee460960.aspx

Test-AppLockerPolicyTests whether the input files are allowed to run for a given user based on the specified AppLocker policy.

QUESTION 20You create a Password Settings object (PSO) .

You need to apply the PSO to a domain user named User1 .

What should you do?

A. Modify the properties of the PSO.B. Modify the account options of the User1 account.C. Modify the security settings of the User1 account.D. Modify the password policy of the Default Domain Policy Group Policy object (GPO).


Explanation/Reference:http://blogs.technet.com/b/seanearp/archive/2007/10/06/windows-server-2008-fine-grained-password-policy-walkthrough.aspxWindows Server 2008 - Fine Grained Password Policy Walkthrough...1. Open Active Directory Users and Computers (Start, point to Administrative Tools, and then click Active

Directory Users and Computers).2. On the View menu, ensure that Advanced Features is checked.3. In the console tree, expand Active Directory Users and Computers\yourdomain\System\Password

Settings Container4. In the details pane, right-click the PSO , and then click Properties .5. Click the Attribute Editor tab .6. Select the msDS-PsoAppliesTo attribute , and then click Edit .

..

If you do not see msDS-PsoAppliesTo attribute in the Attributes list, click Filter, and then click Show attributes/Optional. Also, clear the Show only attributes that have values check box.

7. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user orthe global security group that you want to apply this PSO to, click Add, and then click OK.

To obtain the full distinguished name of a user or a global security group, in the details pane, right-click the useror the global security group, and then click Properties. On the Attribute Editor tab, view the value of theDistinguished Name attribute in the Attributes list.

Voila! Hit "OK" a couple of times, and your users/groups now have a custom password policy assigned tothem. No longer do you have to have separate domains for your developers and standard users. Good times:)

QUESTION 21You need to create a Password Settings object (PSO) .


A. Active Directory Users and ComputersB. ADSI EditC. Group Policy Management ConsoleD. Ntdsutil



You can create Password Settings objects (PSOs):

using the Active Directory module for Windows PowerShellusing ADSI Editusing ldifde

QUESTION 22Your network contains an Active Directory domain . All servers run Windows Server 2008 R2 .

You need to audit the deletion of registry keys on each server .

What should you do?

A. From Audit Policy, modify the Object Access settings and the Process Tracking settings.B. From Audit Policy, modify the System Events settings and the Privilege Use settings.C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking settings.D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object

Access Auditing settings.



Advanced Security Audit Policy Step-by-Step GuideA global object access audit policy can be used to enforce object access audit policy for a computer, fileshare, or registry .

QUESTION 23Your network contains a single Active Directory domain . The functional level of the forest is Windows Server 2008 R2 .

You need to enable the Active Directory Recycle Bin .


A. the Dsmod toolB. the Enable-ADOptionalFeature cmdletC. the Ntdsutil toolD. the Set-ADDomainMode cmdlet


Explanation/Reference:Similar question to question L/Q5.


Enabling Active Directory Recycle BinAfter the forest functional level of your environment is set to Windows Server 2008 R2, you can enable ActiveDirectory Recycle Bin by using the following methods:

Enable-ADOptionalFeature Active Directory module cm dlet (This is the recommended method.)Ldp.exe

QUESTION 24Your network contains a single Active Directory domain .

You need to create an Active Directory Domain Services snapshot .

What should you do?

A. Use the Ldp tool.B. Use the NTDSUtil tool.C. Use the Wbadmin tool.D. From Windows Server Backup, perform a full backup.



To create an AD DS or AD LDS snapshot

1. Log on to a domain controller as a member of the Enterprise Admins groups or the Domain Admins group.2. Click Start, right-click Command Prompt, and then click Run as administrator.3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then

click Continue.4. At the elevated command prompt, type the following command, and then press ENTER: ntdsutil5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds7. At the snapshot prompt, type the following command, and then press ENTER: create

QUESTION 25Your network contains a single Active Directory domain .

A domain controller named DC2 fails .

You need to remove DC2 from Active Directory .


A. At the command prompt, run dcdiag.exe /fix.B. At the command prompt, run netdom.exe remove dc2.C. From Active Directory Sites and Services, delete DC2.D. From Active Directory Users and Computers, delete DC2.



Clean Up Server MetadataMetadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS).You perform metadata cleanup on a domain controller in the domain of the domain controller that you forciblyremoved. Metadata cleanup removes data from AD DS that identifies a domain controller to the replicationsystem.

Clean up server metadata by using GUI toolsClean up server metadata by using Active Directory Users and Computers1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then

click Active Directory Users and Computers.2. Expand the domain of the domain controller that was forcibly removed, and then click Domain Controllers.3. In the details pane, right-click the computer object of the domain controller whose metadata you want to

clean up, and then click Delete.

Clean up server metadata by using Active Directory Sites and Services1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click

Active Directory Sites and Services2. Expand the site of the domain controller that was forcibly removed, expand Servers, expand the name of

the domain controller, right-click the NTDS Settings object, and then click Delete.

QUESTION 26Your network contains a single Active Directory domain . The functional level of the forest is Windows Server 2008 . The functional level of the domain is Windows Server 2008 R2 . All DNS servers run Windows Server 2008 . All domain controllers run Windows Server 2008 R2 .

You need to ensure that you can enable the Active Direc tory Recycle Bin .

What should you do?

A. Change the functional level of the forest.B. Change the functional level of the domain.C. Modify the Active Directory schema.D. Modify the Universal Group Membership Caching settings.



Active Directory Recycle Bin Step-by-Step GuideBy default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, you must firstraise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2 ,which in turn requires all forest domain controllers or all servers that host instances of AD LDS configurationsets to be running Windows Server 2008 R2.

QUESTION 27Your network contains an Active Directory domain . The domain contains several domain controllers .All domain controllers run Windows Server 2008 R2 .

You need to restore the Default Domain Controllers Poli cy Group Policy object (GPO) to the WindowsServer 2008 R2 default settings .

What should you do?

A. Run dcgpofix.exe /target:dc.B. Run dcgpofix.exe /target:domain.C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.


Explanation/Reference:Reference:http://technet.microsoft.com/en-us/library/hh875588.aspx

DcgpofixRecreates the default Group Policy Objects (GPOs) for a domain.

SyntaxDCGPOFix [/ignoreschema] [/target: {Domain | DC | B oth}] [/?]

/ignoreschemaIgnores the version of the Active Directory® schema when you run this command. Otherwise, the commandonly works on the same schema version as the Windows version in which the command was shipped.

/target {Domain | DC | Both}Specifies which GPO to restore. You can restore the Default Domain Policy GPO, the Default DomainControllers GPO, or both.

ExamplesRestore the Default Domain Controllers Policy GPO to its original state. You will lose any changes that youhave made to this GPO.

dcgpofix /ignoreschema /target:DC

QUESTION 28Your network contains an Active Directory domain . The domain contains two Active Directory sites named Site1 and Site2 . Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controller named DC3 and DC4. The functional level of the domain is Windows Server 2008 R2 . The functional level of the forest is Windows Server 2003 . Active Directory replication between Site1 and Site 2 occurs from 20:00 to 01:00 every day .

At 07:00, an administrator deletes a user account w hile he is logged on to DC1 .

You need to restore the deleted user account . You want to achieve this goal by using the minimum amo unt of administrative effort .

What should you do?

A. On DC1, run the Restore-ADObject cmdlet.B. On DC3, run the Restore-ADObject cmdlet.C. On DC1, stop Active Directory Domain Services, restore the System State, and then start Active Directory

Domain Services.D. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active

Directory Domain Services.


Explanation/Reference:Practically the same question as J/Q2 and K/Q28.

We cannot use Restore-ADObject , because Restore-ADObject is a part of the Recycle Bin feature, and youcan only use Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the questiontext it says "The functional level of the forest is Windows Server 2003."See http://technet.microsoft.com/nl-nl/library/dd379481.aspx

Performing an authoritative restore on DC3 updates the Update Sequence Number (USN) on that DC, whichcauses it to replicate the restored user account to other DC's.

Reference 1:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)page 692

An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for thedata to make it authoritative and ensure that it is replicated to all other servers.


Authoritative restore of AD DS has the following re quirements:(...)You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restorecommand and restart the service after the command is complete.

QUESTION 29Your network contains an Active Directory domain .The domain contains two domain controllers named DC1 and DC2.

You perform a full backup of the domain controllers eve ry night by using Windows Server Backup .

You update a script in the SYSVOL folder .You discover that the new script fails to run properly .

You need to restore the previous version of the script in the SYSVOL folder . The solution must minimize the amount of time required to restore the script .


A. Run the Restore-ADObject cmdlet.B. Restore the system state to its original location.C. Restore the system state to an alternate location.D. Attach the VHD file created by Windows Server Backup.


Explanation/Reference:http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspxActive Directory Backup and Restore in Windows Server 2008

NTBACKUP vs. Windows Server Backup..As an added bonus, Windows Server Backup stores its backup images in Microsoft® Virtual Hard Disk (VHD)format. You can actually take a backup image and mount it as a volume in a virtual machine running underMicrosoft Virtual Server 2005. You can simply mount the VHDs in a virtual machine and browse for aparticular file rather than having to perform test restores of tapes to see which one has the file is on it. (A noteof caution: you can't take a backup image and boot a virtual machine from it. Since the backed-up hardwareconfiguration doesn't correspond to the virtual machine's configuration, you can't use Windows Server Backupas a physical-to-virtual migration tool.)...


You need to restore a deleted computer account from the Active Directory Recycle Bin .

What should you do?

A. From the command prompt, run recover.exe.B. From the command prompt, run ntdsutil.exe.C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd379509%28v=ws.10%29.aspxStep 2: Restore a Deleted Active Directory Object

Applies To: Windows Server 2008 R2

This step provides instructions for completing the following tasks with Active Directory Recycle Bin: Displaying the Deleted Objects container Restoring a deleted Active Directory object using Ldp.exe Restoring a deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets Restoring multiple, deleted Active Directory objects

...To restore a single, deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, andthen click Run as administrator.2. At the Active Directory module for Windows PowerShell command prompt, type the following command,and then press ENTER: Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject

For example, if you want to restore an accidentally deleted user object with the display name Mary, type thefollowing command, and then press ENTER: Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject

http://blogs.msdn.com/b/dsadsi/archive/2009/08/26/restoring-object-from-the-active-directory-recycle-bin-using-ad-powershell.aspxRestoring object from the Active Directory Recycle Bin using AD Powershell

QUESTION 31You need to back up all of the group policies in a doma in .

The solution must minimize the size of the backup .


A. the Add-WBSystemState cmdletB. the Group Policy Management consoleC. the Wbadmin toolD. the Windows Server Backup feature



To back up a Group Policy object1. In the Group Policy Management Console (GPMC) console tree, open Group Policy Objects in the forest

and domain containing the Group Policy object (GPO) to back up.2. To back up a single GPO, right-click the GPO, and then click Back Up. To back up all GPOs in the domain,

right-click Group Policy objects and click Back Up All.

QUESTION 32You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2 .

You need to ensure that you can recover the private key of a certificate issued to a Web server .

What should you do?

A. From the CA, run the Get-PfxCertificate cmdlet.B. From the Web server, run the Get-PfxCertificate cmdlet.C. From the CA, run the certutil.exe tool and specify the -exportpfx parameter.D. From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.


Explanation/Reference:http://technet.microsoft.com/en-us/library/ee449471%28v=ws.10%29.aspxManual Key Archival

Manual key archival can be used in the following common scenarios that are not supported by automatic keyarchival:

Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates used by Microsoft® Office Outlook. Certificates issued by CAs that do not support key archival. Certificates installed on the Microsoft Windows® 2000 and Windows Millennium Edition operatingsystems.

This topic includes procedures for exporting a private key by using the following programs and for importing aprivate key to a CA database:

Certutil.exe Certificates snap-in Microsoft Office Outlook

..

To export private keys by using Certutil.exe1. Open a Command Prompt window.2. Type the Certutil.exe –exportpfx command using the command-line options described in the followingtable.

Certutil.exe [-p <Password>] –exportpfx <CertificateId> <OutputFileName>

QUESTION 33Your company has a main office and a branch office .The network contains a single Active Directory domain . The main office contains a domain controller named DC1.

You need to install a domain controller in the branch o ffice by using an offline copy of the ActiveDirectory database .


A. From the Ntdsutil tool, create an IFM media set.B. From the command prompt, run djoin.exe /loadfile.C. From Windows Server Backup, perform a system state backup.D. From Windows PowerShell, run the get-ADDomainController cmdlet.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc816722%28v=ws.10%29.aspxInstalling an Additional Domain Controller by Using IFM

When you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, youcan reduce the replication traffic that is initiated during the installation of an additional domain controller in anActive Directory domain. Reducing the replication traffic reduces the time that is necessary to install theadditional domain controller.

Windows Server 2008 and Windows Server 2008 R2 include an improved version of the Ntdsutil tool that youcan use to create installation media for an additional domain controller. You can use Ntdsutil.exe to create

installation media for additional domain controllers that you are creating in a domain. The IFM method uses thedata in the installation media to install AD DS, which eliminates the need to replicate every object from a partnerdomain controller. However, objects that were modified, added, or deleted since the installation media wascreated must be replicated. If the installation media was created recently, the amount of replication that isrequired is considerably less than the amount of replication that is required for a regular AD DS installation. ...

QUESTION 34Your network contains an Active Directory domain . All domain controllers run Windows Server 2008 . The functional level of the domain is Windows Server 2003 . All client computers run Windows 7 .

You install Windows Server 2008 R2 on a server named Server1 .

You need to perform an offline domain join of Server1 .


A. From Server1, run djoin.exe.B. From Server1, run netdom.exe.C. From a Windows 7 computer, run djoin.exe.D. Upgrade one domain controller to Windows Server 2008 R2.E. Raise the functional level of the domain to Windows Server 2008.


Explanation/Reference:Reference:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)pages 217, 218

Offline Domain JoinOffline domain join is also useful when a computer is deployed in a lab or other disconnected environment.When the computer is connected to the domain network and started for the first time, it will already be amember of the domain. This also helps to ensure that Group Policy settings are applied at the first startup.

Four major steps are required to join a computer to the domain by using offline domain join:

1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an accountthat has permissions to join computers to the domain.

2. Use the DJoin command to provision a computer for offline d omain join . This step prepopulates ActiveDirectory with the information that Active Directory needs to join the computer to the domain, and exportsthe information called a blob to a text file.

3. At the offline computer that you want to join the domain use DJoin to import the blob into theWindows directory.

4. When you start or restart the computer, it will be a member of the domain.

QUESTION 35You have an Active Directory snapshot .

You need to view the contents of the organizational uni ts (OUs) in the snapshot .

Which tools should you run?

A. explorer.exe, netdom.exe, and dsa.mscB. ntdsutil.exe, dsamain.exe, and dsa.mscC. wbadmin.msc, dsamain.exe, and netdom.exeD. wbadmin.msc, ntdsutil.exe, and explorer.exe


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc731620%28v=ws.10%29.aspxsnapshot

Manages snapshots of the volumes that contain the Active Directory database and log files, which you can viewon a domain controller without starting in Directory Services Restore Mode (DSRM). You can also run thesnapshot subcommand on an Active Directory Lightweight Directory Services (AD LDS) server.

In the command-line tool Ntdsutil.exe , you can use the snapshot subcommand to manage the snapshots, butyou must use Dsamain.exe to expose the snapshot as a Lightweight Directory Access Protocol (LDAP) server....

http://technet.microsoft.com/en-us/library/cc757197%28v=ws.10%29.aspxManaging Active Directory from MMC..Starting Active Directory MMC consoles from the command-line

Active Directory MMC consoles, including Active Directory Users and Computers (dsa.msc), Active DirectoryDomains and Trusts (domain.msc) and Active Directory Sites and Services (dssite.msc), provide command-lineoptions that allow you to start a console focused on a particular domain or domain controller. The command-line options support both fully qualified domain names and NetBIOS names.

QUESTION 36Your network contains a domain controller that runs Windows Server 2008 R2 .

You run the following command on the domain controller :dsamain.exe dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit ldapport 389 -allowNonAdminAccess

The command fails .

You need to ensure that the command completes successfu lly .

How should you modify the command?

A. Include the path to Dsamain.B. Change the value of the -dbpath parameter.C. Change the value of the -ldapport parameter.D. Remove the allowNonAdminAccess


Explanation/Reference:Reference:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)page 690

Use the AD DS database mounting tool to load the snapshot as an LDAP server.

dsamain -dbpath c:\$SNAP_datetime_VOLUMEC$\windows\ ntds\ntds.dit -ldapport portnumber

Be sure to use ALL CAPS for the -dbpath value and use any number beyond 40,000 for the -ldapport val ueto ensure that you do not conflict with AD DS.Also note that you can use the minus (–) sign or the slash (/) for the options in the command.

QUESTION 37Your network contains an Active Directory domain . The domain contains five domain controllers . A domain controller named DC1 has the DHCP role and the file server role installed .

You need to move the Active Directory database on DC1 t o an alternate location .The solution must minimize impact on the network during the database move .


A. Restart DC1 in Safe Mode.B. Restart DC1 in Directory Services Restore Mode.C. Start DC1 from Windows PE.D. Stop the Active Directory Domain Services service on DC1.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc794895%28v=ws.10%29.aspxRelocating the Active Directory Database Files

Applies To: Windows Server 2008, Windows Server 2008 R2

Relocating Active Directory database files usually involves moving files to a temporary location while hardwareupdates are being performed and then moving the files to a permanent location. On domain controllers that arerunning versions of Windows 2000 Server and Windows Server 2003, moving database files requires restartingthe domain controller in Directory Services Restore Mode (DSRM). Windows Server 2008 introducesrestartable Active Directory Domain Services (AD DS ), which you can use to perform databasemanagement tasks without restarting the domain controller in DSRM. Before you move database files, youmust stop AD DS as a service .

QUESTION 38Your company has a main office and a branch office .The network contains an Active Directory forest . The forest contains three domains . The branch office contains one domain controller named DC5. DC5 is configured as a global catalog server , a DHCP server , and a file server .

You remove the global catalog from DC5 .

You need to reduce the size of the Active Directory dat abase on DC5 . The solution must minimize the impact on all users in t he branch office .


A. Start DC5 in Safe Mode.

B. Start DC5 in Directory Services Restore Mode.C. On DC5, start the Protected Storage service.D. On DC5, stop the Active Directory Domain Services service.


Explanation/Reference:http://allcomputers.us/windows_server/windows-server-2008-r2---manage-the-active-directory-database-%28part-2%29---defragment-the-directory-database---audit-active-directory-service.aspxWindows Server 2008 R2 : Manage the Active Directory Database (part 2) - Defragment the DirectoryDatabase & Audit Active Directory Service

3. Defragment the Directory Database

A directory database gets fragmented as you add, change, and delete objects to your database. Like any filesystem–based storage, as the directory database is changed and updated, fragments of disk space will build upso it needs to be defragmented on a routine basis to maintain optimal operation. By default, Active Directoryperforms an online defragmentation of the directory database every 12 hours with the garbage collectionprocess, an automated directory database cleanup, and IT pros should be familiar with it. However, onlinedefragmentation does not decrease the size of the NTDS.DIT database file. Instead, it shuffles the data aroundfor easier access. Depending on how much fragmentation you actually have in the database, running an offlinedefragmentation—which does decrease the size of the database—could have a significant effect on the overallsize of your NTDS.DIT database file.

There is a little problem associated with defragmenting databases. They have to be taken offline in order tohave the fragments removed and the database resized. In Windows Server 2008 R2, there is a great featurethat allows you to take the database offline without shutting down the server. It's called Restartable ActiveDirectory, and it could not be much easier to stop and start your directory database than this. Figure 4 showsthe Services tool and how you can use it to stop the Active Directory service.

1. Start the Services tool from the Control Panel.2. Right-click Active Directory Domain Services, and select Stop.

Figure 4. You can use the Services tool to stop and restart Active Directory.

That's it! Now when you stop Active Directory Domain Services, any other dependent services will also bestopped. Keep in mind that while the services are stopped, they cannot fulfill their assigned role in your network.The really cool thing about Restartable AD is that while the directory services and its dependent services arestopped, other services on the local machine are not. So, perhaps you have a shared printer running on yourDC. Print services still run, and print operations do not stop. Nice!

3.1. Offline Directory Defragmentation

Now that you have stopped Active Directory services, it is time to get down to the business of offlinedefragmentation of the directory database:1. Back up the database.2. Open a command prompt, and type NTDSUTIL.3. Type ACTIVATE INSTANCE NTDS.4. Type FILES, and press Enter.5. Type INFO, and press Enter. This will tell you the current location of the directory database, its size, and the

size of the associated log files. Write all this down.6. Make a folder location that has enough drive space for the directory to be stored.7. Type COMPACT TO DRIVE:\DIRECTORY, and press Enter. The drive and directory are the locations you

set up in step 5. If the drive path contains spaces, put the whole path in quotation marks, as in "C:\databasedefrag".

A new defragmented and compacted NTDS.DIT is created in the folder you specified.8. Type QUIT, and press Enter.9. Type QUIT again, and press Enter to return to the command prompt.10. If defragmentation succeeds without errors, follow the NTDSUTIL prompts.11.Delete all log files by typing DEL x:\pathtologfiles\*.log where x is the drive letter of your drive.12.Overwrite the old NTDS.DIT file with the new one. Remember, you wrote down its location in step 4.13.Close the command prompt.14.Open the Services tool, and start Active Directory Domain Services.

Defragmenting your directory database using the offline NTDSUTIL process can significantly reduce the size ofyour database depending on how long it has been since your last offline defrag. The hard thing about offline

defrag is that every network is different, so making recommendations about how often to use the offline defragprocess is somewhat spurious. I recommend you get to know your directory database. Monitor its size andgrowth. When you think it is appropriate to defragment offline, then do it. A pattern will emerge for you, and youwill find yourself using offline defragmentation on a frequency that works well for your network and yourdirectory database. One of the cool things about offline defragmentation is that if you should happen to have anerror occur during the defragmentation process, you still have your original NTDS.DIT database in place andcan continue using it with no problems until you can isolate and fix any issues.


You need to change the location of the Active Directory log files .


A. DsamainB. DsmgmtC. DsmoveD. Ntdsutil


Explanation/Reference:http://support.microsoft.com/kb/257420How To Move the Ntds.dit File or Log Files

Moving a Database or Log File

1. Restart the domain controller.2. Press F8 at the Startup menu, and then click Directory Services Restore Mode.3. Select the appropriate installation if more than one exists, and then log on as an administrator at the

logon prompt.4. Start a command prompt, and then type ntdsutil.exe.NOTE: To get a list of commands that you can use

at the Ntdsutil prompt, type ?.5. At a Ntdsutil prompt, type files.6. At the File Maintenance prompt, use one or both of the following procedures:

* To move a database, type move db to %s, where %s is the drive and folder where you want thedatabase moved.* To move log files, type move logs to %s, where %s is the drive and folder where you want the logfiles moved.

7. To view the log files or database, type info. To verify the integrity of the database at its new location, typeintegrity.

8. Type quit, and then type quit to return to a command prompt.9. Restart the computer in Normal mode.

NOTE: When you move the database and log files, you must back up the domain controller.

QUESTION 40Your network contains a single Active Directory domain . All servers run Windows Server 2008 R2 .

You deploy a new server that runs Windows Server 2008 R2 . The server is not connected to the internal network .

You need to ensure that the new server is already joine d to the domain when it first connects to theinternal network .

What should you do?

A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, runsysprep.exe and specify the /generalize parameter.

B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, runsysprep.exe and specify the /oobe parameter.

C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the new server,run djoin.exe and specify the /requestodj parameter.

D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the new server,run djoin.exe and specify the /provision parameter.


Explanation/Reference:Reference 1:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)pages 217, 218



1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with anaccount that has permissions to join computers to the domain.


3. At the offline computer that you want to join the domain use DJoin to import the blob into theWindows directory.

4. When you start or restart the computer, it will be a member of the domain.

Reference 2:http://technet.microsoft.com/nl-nl/library/offline-domain-join-djoin-step-by-step.aspx

Steps for performing an offline domain join

The offline domain join process includes the following steps:1. Run the djoin.exe /provision command to create computer account metadata for the destination computer

(the computer that you want to join to the domain). As part of this command, you must specify the name ofthe domain that you want the computer to join.

2. Run the djoin.exe /requestODJ command to insert the computer account metadata into the Windowsdirectory of the destination computer.

3. When you start the destination computer, either as a virtual machine or after a complete operating systeminstallation, the computer will be joined to the domain that you specify.

QUESTION 41Your network contains an Active Directory domain . The domain contains four domain controllers .

You modify the Active Directory schema .

You need to verify that all the domain controllers rece ived the schema modification .


A. dcdiag.exe /aB. netdom.exe query fsmoC. repadmin.exe /showrepl *D. sc.exe query ntds


Explanation/Reference:http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspxGetting Over Replmon

Status Checking

Replmon had the option to generate a status report text file. It could tell you which servers were configured toreplicate with each other, if they had any errors, and so on. It was pretty useful actually, and one of the mainreasons people liked the tool.

Repadmin.exe offers similar functionality within a few of its command line options. For example, we can get asummary report:

Repadmin /replsummary *

Several DCs have been taken offline. Repadmin shows the correct error of 58 – that the other DCs are notavailable and cannot tell you their status.

You can also use more verbose commands with Repadmin to see details about which DCs are or are notreplicating:

Repadmin /showrepl *

...

QUESTION 42You remotely monitor several domain controllers .

You run winrm.exe quickconfig on each domain controller .

You need to create a WMI script query to retrieve infor mation from the bios of each domain controller .

Which format should you use to write the query?

A. XrMLB. XMLC. WQLD. HTML


Explanation/Reference:http://msdn.microsoft.com/en-us/library/windows/desktop/aa394606%28v=vs.85%29.aspxWQL (SQL for WMI)

The WMI Query Language (WQL) is a subset of the American National Standards Institute Structured QueryLanguage (ANSI SQL)—with minor semantic changes.

QUESTION 43Your network contains an Active Directory domain named contoso.com . The domain contains five domain controllers .

You add a logoff script to an existing Group Policy object (GPO) .

You need to verify that each domain controller successf ully replicates the updated group policy .

Which two objects should you verify on each domain controller ? (Each correct answer presents part of the solution. Choose two .)

A. \\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.iniB. \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.polC. the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com containerD. the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc784268%28v=ws.10%29.aspxHow Core Group Policy Works

...The Gpt.ini File

The Gpt.ini file is located at the root of each Group Policy template. Each Gpt.ini file contains GPO versioninformation. Except for the Gpt.ini files created for the default GPOs, a display name value is also written to thefile.Each Gpt.ini file contains the GPO version number of the Group Policy template.

[General]Version=65539

Normally, this is identical to the version-number p roperty of the corresponding GroupPolicyContainerobject . It is encoded in the same way — as a decimal representation of a 4 byte hexadecimal number, theupper two bytes of which contain the GPO user settings version and the lower two bytes contain the computersettings version. In this example the version is equal to 10003 hexadecimal giving a user settings version of 1and a computer settings version of 3.

Storing this version number in the Gpt.ini allows the CSEs to check if the client is out of date to the lastprocessing of policy settings or if the currently applied policy settings (cached policies) are up-to-date. If thecached version is different from the version in the Group Policy template or Group Policy container, then policysettings will be reprocessed.

QUESTION 44Your network contains an Active Directory domain that contains five domain controllers .You have a management computer that runs Windows 7 .

From the Windows 7 computer, you need to view all a ccount logon failures that occur in the domain .The information must be consolidated on one list .

Which command should you run on each domain controller ?

A. Wecutil.exe qcB. Wevtutil.exe gliC. Winrm.exe quickconfigD. Winrshost.exe

Correct Answer: C


Explanation/Reference:http://blogs.technet.com/b/jonjor/archive/2009/01/09/winrm-windows-remote-management-troubleshooting.aspxWinRM (Windows Remote Management) Troubleshooting

What is WinRM?

New in Windows Vista, Windows Server 2003 R2, Windows Server 2008 (and Server 2008 Core) are WinRM &WinRS. Windows Remote Management (known as WinRM) is a handy new remote management service.WinRM is the “server” component of this remote management application and WinRS (Windows Remote Shell)is the “client” for WinRM, which runs on the remote computer attempting to remotely manage the WinRMserver. However, I should note that BOTH computers must have WinRM installed and enabled on them forWinRS to work and retrieve information from the remote system...

How to install WinRM

The WinRM is not dependent on any other service except WinHttp. If the IIS Admin Service is installed on thesame computer, you may see messages that indicate WinRM cannot be loaded before Interent InformationServices (IIS). However, WinRM does not actually depend on IIS: these messages occur because the loadorder ensures that the IIS service starts before the HTTP service. WinRM does require that WinHTTP.dll beregistered.(Stated simply: WinRM service should be set to Automatic (Delayed Start) on Windows Vista and Server 2008) · The WinRM service starts automatically on Windows Server 2008. · On Windows Vista, the service must be started manually.

How to configure WinRMTo set the default configuration type: winrm quickconfig (or the abbreviated version, winrm qc)

‘winrm qc’ performs the following operations: 1. Starts the WinRM service and sets the service startup type to auto-start. 2. Configures a listener for the ports that send and receive WS-Management protocol messages using eitherHTTP or HTTPS on any IP address. 3. Defines ICF exceptions for the WinRM service and opens the ports for HTTP and HTTPS. (Note: Winrm quickconfig also configures Winrs default settings)...

QUESTION 45You create a new Active Directory domain . The functional level of the domain is Windows Server 2008 R2 . The domain contains five domain controllers .

You need to monitor the replication of the group policy tem plate files .


A. DfsrdiagB. FsutilC. NtdsutilD. Ntfrsutl


Explanation/Reference:Personal comment:For lack of a better answer, Dfsrdiag seems to be the answer.

Explanation:http://www.windowsnetworking.com/articles-tutorials/common/Understanding-Group-Policy-Replication.htmlUnderstanding Group Policy Replication

Group Policy replication is controlled by two different replication mechanisms: FRS and Active Directoryreplication. We will take a look at both mthods within this article.

As Group Policy becomes more important for managing desktops and servers in Active Directory, it makessense that the details around Group Policy need to be understood more completely. There are many movingparts to Group Policy, including client side extensions, ADM/ADMX files, GPC, GPT, and much more. When achange occurs to a Group Policy object (GPO), that change only occurs on one domain controller. Thus, thechange to the GPO must be replicated to all of the other domain controllers. This replication affects multiplereplication mechanisms and can cause odd effects if not completed properly. This article will discuss thereplication of Group Policy and what you can do to verify that all replication has occurred.

..Replication of the Group Policy Template

The portion of the GPO that stores the settings into one or more files is the Group Policy Template (GPT). Thisportion of the GPO and the related files are stored on domain controllers under the Sysvol. The default path forthese files is c:\Windows\Sysvol\Sysvol\<domainname>\Policies, as shown in Figure 3.

Figure 3: All GPOs store settings in files under the Sysvol on domain controllers.

The Sysvol on domain controllers is used to deliver Group Policy settings and logon scripts to clients at logon.Since Sysvol is used for authentication of users and computers, it must be up to date on all domain controllers.When any information is changed under the Sysvol on one domain controller, it triggers replication of the Sysvolto all other domain controllers.

The Sysvol is replicated using the File Replication System (FRS). FRS does not have a schedule associatedwith it. FRS uses state-based replication instead. This means that as soon as there is a change to any fileunder the Sysvol folder structure, replication is triggered. This creates a very efficient and fast replication modelfor the GPT.

As a side note, FRS replication does not adhere to any site boundaries. Thus, replication will converge to all of

the domain controllers within only a few minutes, even to those domain controllers in remote locations.

Note: Windows Server 2008 can use FRS or DFS-R to replicate the contents of the Sysvol.

...

Verifying GPO Replication

The easiest tool to use to verify that both the GPC and GPT have replicated is GPOTool. This tool is free andvery easy to use. It comes with the operating system and can be run from a command prompt. Just typegpotool <dcname> /verbose from the command prompt, like you see in Figure 7.

Figure 7: GPOTool provides information on the convergence of both parts of the GPO.

The results of running this command will display the GPT and GPC version numbers for each GPO on thelisted domain controller.

If a portion of the GPO has not replicated to the domain controller that you are authenticating to, there is achance that the new settings in the GPO will not apply. Thus, if you know a GPO has been changed, yet thesettings are not being delivered, it is a good idea to verify that the GPO has replicated to the domain controllerthat you are authenticating too.

http://blogs.technet.com/b/filecab/archive/2009/05/28/dfsrdiag-exe-replicationstate-what-s-dfsr-up-to.aspx‘Dfsrdiag.exe ReplicationState’: What’s DFSR up to?

..This command line switch can be executed against servers running Windows Server 2008 R2 only. The outputof this command line switch consists of a list of updates that are currently being serviced by the replicationservice on all inbound and outbound replication connections. Since this command line switch provides a point intime snapshot of replication activity on a server, it is possible to see whether replication is making any progressby comparing the output of this command obtained at different points in time. ..

Monitoring replication on the branch office server

n order to monitor the current replication state of the DFS replication service on these servers, the command‘dfsrdiag.exe ReplicationState’ can be used. The /member (or /mem) option can be used along with the‘ReplicationState’ command line switch to specify the server against which this command should be run. In thisexample, I’ve dumped a few files from the ‘Windows\System32’ directory into the replicated folder.

dfsrdiag ReplicationState /member:CONTOSO-BRANCH

...

Older information:It's hard to find some info on this.

Reference:http://www.examcollection.com/microsoft/Microsoft.Dump4Certs.70-640.v2011-03-21.by.Scrooge.293q.vce.file.html

[Slightly edited to make it more readable:]

By Cezar ( Apr 04 2011):With domain functional level 2008 you have available dfs-r sysvol replication. So with DFL2008 you can use theDFSRDIAG tool. It is not available with domain functional level 2003.

With domain functional level 2003 you can only use Ntfrsutl.

QUESTION 46You create a new Active Directory domain . The functional level of the domain is Windows Server 2003 . The domain contains five domain controllers that run Windows Server 2008 R2 .

You need to monitor the replication of the group policy template files .


A. DfsrdiagB. Fsutil

C. NtdsutilD. Ntfrsutl


Explanation/Reference:http://www.windowsnetworking.com/articles-tutorials/common/Understanding-Group-Policy-Replication.htmlUnderstanding Group Policy Replication

Replication of the Group Policy Template

The portion of the GPO that stores the settings into one or more files is the Group Policy Template (GPT). Thisportion of the GPO and the related files are stored on domain controllers under the Sysvol . The defaultpath for these files is c:\Windows\Sysvol\Sysvol\<domainname>\Policies, as shown in Figure 3.

The Sysvol on domain controllers is used to deliver Group Policy settings and logon scripts to clients at logon.Since Sysvol is used for authentication of users and computers, it must be up to date on all domain controllers.When any information is changed under the Sysvol on one domain controller, it triggers replication of the Sysvolto all other domain controllers.

The Sysvol is replicated using the File Replication Sys tem (FRS) . FRS does not have a scheduleassociated with it. FRS uses state-based replication instead. This means that as soon as there is a change toany file under the Sysvol folder structure, replication is triggered. This creates a very efficient and fastreplication model for the GPT.

As a side note, FRS replication does not adhere to any site boundaries. Thus, replication will converge to all ofthe domain controllers within only a few minutes, even to those domain controllers in remote locations.

Note: Windows Server 2008 can use FRS or DFS-R to replica te the contents of the Sysvol .

http://technet.microsoft.com/en-us/library/cc962211.aspxNtfrsutl Tool

You can use the Ntfrsutl tool to do the following:

Show the ID table, inbound log, or outbound log for a computer hosting FRS.Examine memory usage by FRS.Show the FRS configuration in Active Directory.List the active replica sets in a domain.List the application programming interface (API) and version number for FRS.Poll immediately, quickly, or slowly for changes to the FRS configuration.

The syntax for Ntfrsutl is shown in Figure 18.7:

http://opportunizm.ru/LiB0070.shtmlNTFRSutl.exe (RK)

..Note: NTFRSutl has been included in the Windows 2000 Service Resource Kit. Some Beta versions ofWindows .NET server family have also comprised this tool...ntfrsutl ds and ntfrsutl sets — these commands display the FRS configuration (replication partners, file filters,schedules, etc.). This information can be partially viewed in the Active Directory Users and Computers snap-in(see the File Replication Service node in the System container, and the objects of FRS Sub-scriptions type,which every domain controller has)...

http://technet.microsoft.com/en-us/library/cc732006%28v=ws.10%29.aspxDFS Management

Applies To: Windows Server 2008

.. DfsrDiag Performs diagnostic tests of DFS Replication.

Old info:It's hard to find some info on this.

Reference:http://www.examcollection.com/microsoft/Microsoft.Dump4Certs.70-640.v2011-03-21.by.Scrooge.293q.vce.file.html

[Slightly edited to make it more readable:]

By Cezar ( Apr 04 2011):With domain functional level 2008 you have available dfs-r sysvol replication. So with DFL2008 you can use theDFSRDIAG tool. It is not available with domain functional level 2003.

With domain functional level 2003 you can only use Ntfrsutl.

QUESTION 47You have a domain controller named Server1 that runs Windows Server 2008 R2 .

You need to determine the size of the Active Directory database on Server1 .

What should you do?

A. Run the Active Directory Sizer tool.B. Run the Active Directory Diagnostics data collector set.C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc961761.aspxDirectory Data Store

Active Directory data is stored in the Ntds.dit ESE database file . Two copies of Ntds.dit are present inseparate locations on a given domain controller:

%SystemRoot%\NTDS\Ntds.dit This file stores the database that is in use on the domain controller. Itcontains the values for the domain and a replica of the values for the forest (the Configuration container data).

%SystemRoot%\System32\Ntds.dit This file is the distribution copy of the default directory that is used whenyou promote a Windows 2000 – based computer to a domain controller. The availability of this file allows you torun the Active Directory Installation Wizard (Dcpromo.exe) without your having to use the Windows 2000 Serveroperating system CD. During the promotion process, Ntds.dit is copied from the %SystemRoot%\System32directory into the %SystemRoot%\NTDS directory. Active Directory is then started from this new copy of the file,and replication updates the file from other domain controllers.

QUESTION 48You need to receive an e-mail message whenever a domain user account is locked out .


A. Active Directory Administrative CenterB. Event ViewerC. Resource MonitorD. Security Configuration Wizard


Explanation/Reference:Reference:MS Press - Self-Paced Training Kit (Exam 70-642) (2nd Edition, 2011)page 525

Automatically Responding to EventsOne of the most useful ways to use Task Scheduler is to launch a task in response to a specific event type thatappears in Event Viewer. You can respond to events in three ways:

Start A Program - Launches an application. Often, administrators write a script that carries out a series oftasks that they would otherwise need to manually perform, and automatically run that script when an eventappears.Send An E-mail - Sends an email by using the Simple Mail Transport Protocol (SMTP) server you specify.Often, administrators configure urgent events to be sent to a mobile device.Display A Message - Displays a dialog box showing a message. This is typically useful only when a userneeds to be notified of something happening on the computer.

To trigger a task when an event occurs, follow one of these three procedures:Find an example of the event in Event Viewer . Then, right-click the event and click Attach Task To ThisEvent. A wizard will guide you through the process.(...)

QUESTION 49Your network contains an Active Directory domain named contoso.com . You have a management computer named Computer1 that runs Windows 7 .

You need to forward the logon events of all the domain contr ollers in contoso.com to Computer1 .All new domain controllers must be dynamically adde d to the subscription .

What should you do?

A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO) linkedto the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO) linkedto the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

C. From Computer1, configure source-initiated event subscriptions. Install a server authentication certificate onComputer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).

D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication certificateon Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).


Explanation/Reference:Reference:http://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx

Setting up a Source Initiated SubscriptionSource-initiated subscriptions allow you to define a subscription on an event collector computer without definingthe event source computers, and then multiple remote event source computers can be set up (using a grouppolicy setting) to forward events to the event collector computer. This differs from a collector initiatedsubscription because in the collector initiated subscription model, the event collector must define all the eventsources in the event subscription.

QUESTION 50Your network contains an Active Directory domain that has two sites .

You need to identify whether logon scripts are replicat ed to all domain controllers .

Which folder should you verify?

A. GroupPolicyB. NTDSC. SoftwareDistributionD. SYSVOL



SYSVOL is a collection of folders that contain a copy of the domain’s public files, including system policies,logon scripts , and important elements of Group Policy objects (GPOs).

QUESTION 51You install a standalone root certification authority ( CA) on a server named Server1 .

You need to ensure that every computer in the forest ha s a copy of the root CA certificate installed inthe local computer's Trusted Root Certification Aut horities store .

Which command should you run on Server1?

A. certreq.exe and specify the -accept parameterB. certreq.exe and specify the -retrieve parameterC. certutil.exe and specify the -dspublish parameterD. certutil.exe and specify the -importcert parameter



Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exeto dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.

Syntax

Certutil <-parameter> [-parameter]

Parameter-dsPublishPublish a certificate or certificate revocation list (CRL) to Active Directory

QUESTION 52Your network contains an Active Directory forest .The forest contains two domains . You have a standalone root certification authority (CA) .

On a server in the child domain , you run the Add Roles Wizard and discover that the option to select anenterprise CA is disabled .

You need to install an enterprise subordinate CA on the server .

What should you use to log on to the new server?

A. an account that is a member of the Certificate Publishers group in the child domainB. an account that is a member of the Certificate Publishers group in the forest root domainC. an account that is a member of the Schema Admins group in the forest root domainD. an account that is a member of the Enterprise Admins group in the forest root domain


Explanation/Reference:Reference:http://social.technet.microsoft.com/Forums/uk/winserversecurity/thread/887f4cec-12f6-4c15-a506-568ddb21d46b

In order to install Enterprise CA you MUST have Enterprise Admins permissions, because Configurationnaming context is replicated between domain controllers in the forest (not only current domain) and are writablefor Enterprise Admins (domain admins permissions are insufficient).

QUESTION 53You have an enterprise subordinate certification authority ( CA).You have a group named Group1 .

You need to allow members of Group1 to publish new cert ificate revocation lists . Members of Group1 must not be allowed to revoke cer tificates .

What should you do?

A. Add Group1 to the local Administrators group.B. Add Group1 to the Certificate Publishers group.C. Assign the Manage CA permission to Group1.D. Assign the Issue and Manage Certificates permission to Group1.



Manage CA is a security permission belonging to the CA Administrator role. The CA Administrator can enable,publish , or configure certificate revocation list (CRL) schedules.

Revoking certificates is an activity of the Certificate Manager role.

QUESTION 54You have an enterprise subordinate certification authority ( CA) configured for key archival . Three key recovery agent certificates are issued . The CA is configured to use two recovery agents .

You need to ensure that all of the recovery agent certi ficates can be used to recover all new privatekeys .

What should you do?

A. Add a data recovery agent to the Default Domain Policy.B. Modify the value in the Number of recovery agents to use box.C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.


Explanation/Reference:Reference:MS Press - Self-Paced Training Kit (Exams 70-648 & 70-649) (Microsoft Press, 2009)page 357

You enable key archival on the Recovery Agents tab of the CA Properties in the CA console by selecting theArchive The Key option and specifying a key recovery agent. In the number of recovery agents to use , selectthe number of key recovery agent (KRA) certificates you have added to the CA. This ensures that each KRAcan be used to recover a private key. If you specify a smaller number than the number of KRA certificatesinstalled, the CA will randomly select that number of KRA certificates from the available total and encrypt theprivate key, using those certificates. This complicates recovery because you then have to figure out whichrecovery agent certificate was used to encrypt the private key before beginning recovery.

QUESTION 55You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware security module .

You need to back up Active Directory Certificate Servic es on the CA .


A. certutil.exe backupB. certutil.exe backupdbC. certutil.exe backupkeyD. certutil.exe store


Explanation/Reference:Because a hardware security module (HSM) is used that stores the private keys, the command

certutil.exe -backup would fail, since we cannot extract the private keys from the module. The HSMshould have a proprietary procedure for that.

The given commands are:

certutil -backupBackup set includes certificate database, CA certificate an the CA key pair

certutil -backupdbBackup set only includes certificate database

certutil -backupkeyBackup set only includes CA certificate and the CA key pair

certutil -storeProvides a dump of the certificate store onscreen.

Since we cannot extract the keys from the HSM we have to use backupdb .

Reference 1:Microsoft Windows Server(TM) 2003 PKI and Certificate Security (Microsoft Press, 2004)page 215

For the commands listed above.


Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exeto dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.

SyntaxCertutil <-parameter> [-parameter]

Parameter-backupdbBackup the Active Directory Certificate Services database

Reference 3:http://poweradmin.se/blog/2010/01/11/backup-and-restore-for-active-directory-certificate-services/

Blog with extra info, tips and a post:

kids says:Hello,Need your expert view on this question:

You have an enterprise subordinate certificate authority (CA). The CA is configured to use a hardware securitymodule. You need to back up Active Directory Certificate Services on the CA

- certutil.exe -backupkey- certutil.exe -backup- certutil.exe -store- certutil.exe -backupdb

the answer is -backupdb since it using hardware security module(HSM). Am i correct?

DXter says:Yes. But I whould have used: certutil.exe -backupdb KeepLog

QUESTION 56You have Active Directory Certificate Services (AD CS) deplo yed .You create a custom certificate template .

You need to ensure that all of the users in the domain automatically enroll for a certificate based on thecustom certificate template .


A. In a Group Policy object (GPO), configure the autoenrollment settings.B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.



To automatically enroll client computers for certificates in a domain environment, you must:Configure an autoenrollment policy for the domain.(...)In Configuration Model, select Enabled to enable autoenrollment.

Configure certificate templates for autoenrollment.(...)In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, andthen click OK and Close to finish

Configure an enterprise CA.

QUESTION 57You have an enterprise subordinate certification authority ( CA).You have a custom Version 3 certificate template .

Users can enroll for certificates based on the cust om certificate template by using the Certificatesconsole . The certificate template is unavailable for Web enr ollment .

You need to ensure that the certificate template is ava ilable on the Web enrollment pages .

What should you do?

A. Run certutil.exe pulse.B. Run certutil.exe installcert.C. Change the certificate template to a Version 2 certificate template.D. On the certificate template, assign the Autoenroll permission to the users.


Explanation/Reference:Identical to F33.


Certificate Web enrollment cannot be used with version 3 certificate templates.

Reference 2:http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx

The reason for this blog post is that one of our customers called after noticing some unexpected behavior whenthey were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template basedcertificate. The problem was that no matter what they did the Version 3 Templates would not appear ascertificates which could be requested via the web page. On the other hand, version 1 and 2 templates didappear in the page and requests could be done successfully using those templates.

QUESTION 58You have an enterprise subordinate certification authority ( CA). You have a custom certificate template that has a key length of 1,024 bits . The template is enabled for autoenrollment .

You increase the template key length to 2,048 bits .

You need to ensure that all current certificate holders automatically enroll for a certificate that uses t henew template .


A. Active Directory Administrative CenterB. Certification AuthorityC. Certificate TemplatesD. Group Policy Management




Re-Enroll All Certificate HoldersThis procedure is used when a critical change is made to the certificate template and you want all subjects thathold a certificate that is based on this template to re-enroll as quickly as possible. The next time the subjectverifies the version of the certificate against the version of the template on the certification authority (CA), thesubject will re-enroll.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete thisprocedure. For more information, see Implement Role-Based Administration.

To re-enroll all certificate holders1. Open the Certificate Templates snap-in .2. Right-click the template that you want to use, and then click Reenroll All Certificate Holders.

QUESTION 59

Your network contains an Active Directory forest . All domain controllers run Windows Server 2008 Standard . The functional level of the domain is Windows Server 2003 . You have a certification authority (CA) .

The relevant servers in the domain are configured as shown below:

You need to ensure that you can install the Active Dire ctory Certificate Services (AD CS) CertificateEnrollment Web Service on the network .

What should you do?

A. Upgrade Server1 to Windows Server 2008 R2.B. Upgrade Server2 to Windows Server 2008 R2.C. Raise the functional level of the domain to Windows Server 2008.D. Install the Windows Server 2008 R2 Active Directory Schema updates.



Installation requirementsBefore installing the certificate enrollment Web services, ensure that your environment meets theserequirements:

A host computer as a domain member running Windows Server 2008 R2.An Active Directory forest with a Windows Server 2008 R2 schema .An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.

QUESTION 60You have a domain controller that runs the DHCP service .

You need to perform an offline defragmentation of the A ctive Directory database on the domaincontroller .You must achieve this goal without affecting the availa bility of the DHCP service .

What should you do?

A. Restart the domain controller in Directory Services Restore Mode. Run the Disk Defragmenter utility.B. Restart the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility.C. Stop the Active Directory Domain Services service. Run the Ntdsutil utility.D. Stop the Active Directory Domain Services service. Run the Disk Defragmenter utility.


Explanation/Reference:We don't need to restart the server to defragment the AD database. We do need to stop AD DS in order todefragment the database.


To perform offline defragmentation of the directory database1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then

click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required,and then click Continue.

2. At the command prompt, type the following command, and then press ENTER: net stop ntds3. Type Y to agree to stop additional services, and then press ENTER.4. At the command prompt, type ntdsutil, and then press ENTER.5. (...)

QUESTION 61Your network contains two Active Directory forests named contoso.com and nwtraders.com . A two-way forest trust exists between contoso.com and nwtraders.com . The forest trust is configured to use selective authentication .

Contoso.com contains a server named Server1 . Server1 contains a shared folder named Marketing .

Nwtraders.com contains a global group named G_Marketing . The Change share permission and the Modify NTFS permission for the Marketing folder are assigned tothe G_Marketing group . Members of G_Marketing report that they cannot acce ss the Marketing folder .

You need to ensure that the G_Marketing members can acc ess the folder from the network .

What should you do?

A. From Windows Explorer, modify the NTFS permissions of the folder.B. From Windows Explorer, modify the share permissions of the folder.C. From Active Directory Users and Computers, modify the computer object for Server1.D. From Active Directory Users and Computers, modify the group object for G_Marketing.


Explanation/Reference:Reference:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)page 643-644

After you have selected Selective Authentication for the trust, no trusted users will be able to access resourcesin the trusting domain, even if those users have been given permissions. The users must also be assigned theAllowed To Authenticate permission on the computer object in the domain.

To assign this permission:1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is

selected on the View menu.2. Open the properties of the computer to which truste d users should be allowed to authenticate —that

is, the computer that trusted users will log on to or that contains resources to which trusted users have beengiven permissions.

3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box forthe Allowed To Authenticate permission.


You need to add a new user principal name (UPN) suffix to the forest .


A. Active Directory Administrative CenterB. Active Directory Domains and TrustsC. Active Directory Sites and ServicesD. Active Directory Users and Computers


Explanation/Reference:Reference:http://www.kassapoglou.com/windows-server-2008-lesson-23-video-creating-a-user/

Demonstration adding a UPN SuffixTo add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the startmenu. Right click Active Directory Domains and Trusts at the top and open the properties. From here you canadd and remove additional domain UPN suffixes for the forest.

QUESTION 63Your network contains an Active Directory domain . The domain contains two sites named Site1 and Site2 . Site1 contains five domain controllers . Site2 contains one read-only domain controller (RODC) . Site1 and Site2 connect to each other by using a slow WAN link .

You discover that the cached password for a user named User1 is compromised on the RODC .On a domain controller in Site1, you change the pas sword for User1 .

You need to replicate the new password for User1 to the RODC immediately . The solution must not replicate other objects to the RO DC.


A. Active Directory Sites and ServicesB. Active Directory Users and ComputersC. RepadminD. Replmon



Repadmin /rodcpwdrepl

Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domaincontroller to one or more read-only domain controllers (RODCs).

Example:The following example triggers replication of the passwords for the user account named JaneOh from thesource domain controller named source-dc01 to all RODCs that have the name prefix dest-rodc:

repadmin /rodcpwdrepl dest-rodc* source-dc01 cn=Jan eOh,ou=execs,dc=contoso,dc=com


The properties of the contoso.com DNS zone are configured as shown in the exhibit:

You need to update all service location (SRV) records f or a domain controller in the domain .

What should you do?

A. Restart the Netlogon service.B. Restart the DNS Client service.C. Run sc.exe and specify the triggerinfo parameter.D. Run ipconfig.exe and specify the /registerdns parameter.

Correct Answer: ASection: (none)

Explanation


The SRV resource records for a domain controller are important in enabling clients to locate the domaincontroller. The Netlogon service on domain controllers registers this resource record whenever a domaincontroller is restarted. You can also re-register a domain controller’s SRV resource records by restartingthis service from the Services branch of Server Man ager or by typing net start netlogon. An examquestion might ask you how to troubleshoot the nonregistration of SRV resource records.

http://en.wikipedia.org/wiki/SRV_recordSRV record

A Service record (SRV record) is a specification of data in the Domain Name System defining the location, i.e.the hostname and port number, of servers for specified services.


A user named User1 takes a leave of absence for one year .

You need to restrict access to the User1 user account w hile User1 is away .

What should you do?

A. From the Default Domain Policy, modify the account lockout settings.B. From the Default Domain Controller Policy, modify the account lockout settings.C. From the properties of the user account, modify the Account options.D. From the properties of the user account, modify the Session settings.


Explanation/Reference:Account lockout settings deal with logon security, like how many times a wrong password can be enteredbefore an account gets locked out, or after how many minutes a locked out user can try again.

To really restrict access to the User1 account it has to be disabled, by modifying the account options.

Reference:http://blogs.technet.com/b/msonline/archive/2009/08/17/disabling-and-deleting-user-accounts.aspx

Disabling a user account prevents user access to e-mail and Microsoft SharePoint Online data, but retainsthe user’s data. Disabling a user account also keeps the user license associated with that account. This is thebest option to utilize when a person leaves an orga nization temporarily.

QUESTION 66Your network contains an Active Directory domain . The domain contains 1,000 user accounts .

You have a list that contains the mobile phone number of each user .

You need to add the mobile number of each user to Activ e Directory .

What should you do?

A. Create a file that contains the mobile phone numbers, and then run ldifde.exe.B. Create a file that contains the mobile phone numbers, and then run csvde.exe.C. From Adsiedit, select the CN=Users container, and then modify the properties of the container.D. From Active Directory Users and Computers, select all of the users, and then modify the properties of the

users.


Explanation/Reference:CSVDE can only import and export data from AD DS.http://technet.microsoft.com/en-us/library/cc732101.aspx


LdifdeCreates, modifies , and deletes directory objects.

QUESTION 67Your network contains an Active Directory domain named contoso.com . All domain controllers and member servers run Windows Server 2008 . All client computers run Windows 7 .

From a client computer , you create an audit policy by using the Advanced Audit Policy Configurationsettings in the Default Domain Policy Group Policy object (GPO). You discover that the audit policy is not applied to th e member servers . The audit policy is applied to the client computers .

You need to ensure that the audit policy is applied to all member servers and all client computers .

What should you do?

A. Add a WMI filter to the Default Domain Policy GPO.B. Modify the security settings of the Default Domain Policy GPO.C. Configure a startup script that runs auditpol.exe on the member servers.D. Configure a startup script that runs auditpol.exe on the domain controllers.


Explanation/Reference:Advanced audit policy settings cannot be applied using group policy to Windows Server 2008 servers. Tocircumvent that we have to use a logon script to apply the audit policy to the Windows Server 2008 memberservers.

Reference1:http://technet.microsoft.com/en-us/library/ff182311.aspx

Advanced Security Auditing FAQThe advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. Theadvanced settings can only be used on computers running Windows 7, Windows Vista, Windows Server 2008R2, or Windows Server 2008.

NoteIn Windows Vista and Windows Server 2008 , advanced audit event settings were not integrated w ithGroup Policy and could only be deployed by using lo gon scripts generated with the Auditpol.execommand-line tool . In Windows Server 2008 R2 and Windows 7, all auditing capabilities are integrated withGroup Policy. This allows administrators to configure, deploy, and manage these settings in the Group PolicyManagement Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).

QUESTION 68Your network contains an Active Directory domain . The domain contains a group named Group1 . The minimum password length for the domain is set to six characters .

You need to ensure that the passwords for all users in Group1 are at least 10 characters long . All other users must be able to use passwords that are six characters long .


A. Run the New-ADFineGrainedPasswordPolicy cmdlet.B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.C. From the Default Domain Policy, modify the password policy.D. From the Default Domain Controller Policy, modify the password policy.


Explanation/Reference:First we need to create a new Active Directory fine grained password policy, using New-ADFineGrainedPasswordPolicy.

Then we can apply the new policy to Group1, using Add-ADFineGrainedPasswordPolicySubject.

Reference:http://technet.microsoft.com/en-us/library/ee617238.aspx

New-ADFineGrainedPasswordPolicyCreates a new Active Directory fine grained password policy.

QUESTION 69Your company uses an application that stores data in an Active Directory Lightweight Directory Services (ADLDS) instance named Instance1 .

You attempt to create a snapshot of Instance1 as shown in the exhibit:

You need to ensure that you can take a snapshot of Inst ance1 .

What should you do?

A. At the command prompt, run net start VSS.B. At the command prompt, run net start Instance1.C. Set the Startup Type for the Instance1 service to Disabled.D. Set the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.


Explanation/Reference:Hard to find references on this, but the solution can be found by eliminating the rest.

Instance1 is running, otherwise you'd get a different message at the snaphot: create step. ("AD servicemust be running in order to perform this operation", on my virtual server.)

Disabling Instance1 makes no sense because you need it, nor is setting the Startup Type for the VolumeShadow Copy Service (VSS) to Manual.

QUESTION 70Your network contains 10 domain controllers that run Windows Server 2008 R2 . The network contains a member server that is configured to collect all of the events that occur on thedomain controllers .

You need to ensure that administrators are notified whe n a specific event occurs on any of the domaincontrollers . You want to achieve this goal by using the minimum amou nt of administrative effort .

What should you do?

A. From Event Viewer on the member server, create a subscription.B. From Event Viewer on each domain controller, create a subscription.

C. From Event Viewer on the member server, run the Create Basic Task Wizard.D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.


Explanation/Reference:Since the member server is collecting all domain controller events we just need to run the Create Basic TaskWizard on the member server, which enables us to send an e-mail when a specific event is logged. Runningthe wizard on every domain controller would work, but is much more work and we need to use the minimumamount of administrative effort.


To Run a Task in Response to a Given Event1. Start Event Viewer.2. In the console tree, navigate to the log that contains the event you want to associate with a task.3. Right-click the event and select Attach Task to This Event.4. Perform each step presented by the Create Basic Task Wizard.

In the Action step in the wizard you can decide to send an e-mail.

QUESTION 71Your network contains an Active Directory domain controller named DC1. DC1 runs Windows Server 2008 R2 .

You need to defragment the Active Directory database on DC1. The solution must minimize downtime on DC1 .


A. At the command prompt, run net stop ntds.B. At the command prompt, run net stop netlogon.C. Restart DC1 in Safe Mode.D. Restart DC1 in Directory Services Restore Mode (DSRM).


Explanation/Reference:We don't need to restart the server to defragment the AD database. We only need to stop AD DS in order todefragment the database, using ntdsutil.


To perform offline defragmentation of the directory database1. Open a Command Prompt as an administrator.2. At the command prompt, type the following command, and then press ENTER: net stop ntds3. Type Y to agree to stop additional services, and then press ENTER.4. At the command prompt, type ntdsutil, and then press ENTER.5. (...)

QUESTION 72Your network contains a single Active Directory domain named contoso.com .

An administrator accidentally deletes the _msdsc.co ntoso.com zone . You recreate the _msdsc.contoso.com zone .

You need to ensure that the _msdsc.contoso.com zone con tains all of the required DNS records .

What should you do on each domain controller?

A. Restart the Netlogon service.B. Restart the DNS Server service.C. Run dcdiag.exe /fix.D. Run ipconfig.exe /registerdns.


Explanation/Reference:Reference 1:http://support.microsoft.com/kb/817470

To register the required records to the single root domain controller, restart the Net Logon service on all thedomain controllers. The replication works correctly if the replication window is not less than the default DNSTime to Live (TTL) entry. To restart the Net Logon service, follow these steps:

1. Click Start, click Run, type cmd in the Open box, and then press ENTER.2. At the command prompt, type the following command, and then press ENTER: net stop netlogon3. Type net start netlogon , and then press ENTER.

Reference 2:http://serverfault.com/questions/383915/how-do-i-manually-create-the-msdcs-dns-zone-for-a-domain-that-was-created-pre-s

Be sure to restart the Netlogon services on all DC's when the zone has been replicated to them. This forces theDC's to register their SRV records in the _msdcs zone.

QUESTION 73Your network contains an Active Directory-integrated zone . All DNS servers that host the zone are domain contr ollers .

You add multiple DNS records to the zone .

You need to ensure that the records are replicated to a ll DNS servers .


A. DnslintB. LdpC. NslookupD. Repadmin


Explanation/Reference:Practically the same question as G/Q8, J/Q24, K/Q8, K/Q31, different set of answers sometimes.

To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool.


Forcing ReplicationSometimes it becomes necessary to forcefully replicate objects and entire partitions between domaincontrollers that may or may not have replication agreements.

Force a replication event with all partnersThe repadmin /syncall command synchronizes a specified domain controller with all replication partners.

Syntaxrepadmin /syncall <DC> [<NamingContext>] [<Flags>]

Parameters<DC>Specifies the host name of the domain controller to synchronize with all replication partners.

<NamingContext>Specifies the distinguished name of the directory partition.

<Flags>Performs specific actions during the replication.

QUESTION 74Your network contains an Active Directory forest . The forest contains two domains named contoso.com and eu.contoso.com . All domain controllers are DNS servers .

The domain controllers in contoso.com host the zone for contoso.com . The domain controllers in eu.contoso.com host the zone for eu.contoso.com .

The DNS zone for contoso.com is configured as shown in the exhibit:

You need to ensure that all domain controllers in the f orest host a writable copy of

_msdcs.contoso.com .


A. Create a zone delegation record in the contoso.com zone.B. Create a zone delegation record in the eu.contoso.com zone.C. Create an Active Directory-integrated zone for _msdcs.contoso.com.D. Create a secondary zone named _msdcs.contoso.com in eu.contoso.com.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc753500.aspxCreate a Zone Delegation

You can divide your Domain Name System (DNS) namespace into one or more zones. You can delegatemanagement of part of your namespace to another location or department in your organization by delegatingthe management of the corresponding zone.

When you delegate a zone, remember that for each new zone that you create, you will need delegation recordsin other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transferauthority and to provide correct referral to other DNS servers and clients of the new servers that are beingmade authoritative for the new zone.

http://blogs.chrisse.se/2011/04/10/are-you-storing-your-ad-integrated-dns-zones-in-the-dns-application-partitions-ncs/Are you storing your AD-Integrated DNS Zones in the DNS Application Partitions (NCs)?

1. BackgroundOverview

A partition is a data structure within Active Directory used to distinguish data for different replication purposes.Every domain controller contains the following three directory partitions: configuration, schema, and domain. Adirectory partition is also called the “naming context”. Domain controllers in the same forest but in differentdomains share the same configuration and schema data, but they do not share the same domain data...Every object created in the domain naming context, which includes DNS zones and nodes (DNS names, e.g.,microsoft.com), are replicated to all the GC’s in the domain.By using application directory partitions to store the DNS data, essentially all DNS objects are removed from theGC. This is a significant reduction in the number of objects that are normally stored in the GC..Additionally, an application directory partition that is replicated to all DNS servers in the forest can be used forzones like _msdcs.<forestname> which should be visible to the entire forest.This is ideal because all DC’s register their DsaGuid CNAME resource record in the _msdcs.<forestname>zone....

http://standalonelabs.wordpress.com/2011/05/08/what-is-the-_msdcs-subdomain/What is the _msdcs Subdomain?

Some of the materials I have read on Active Directory and DNS I feel have not done a clear job explainingexactly what the _msdcs subdomain is and how it is used in an Active Directory forest.

The following is my explanation which I hope makes some sense out of the issue.

_msdcs and Domain Controller Location

First, all domains in an Active Directory forest have a subdomain beneath them called _msdcs. To illustrate, if Icreate a domain called parent.local and a child domain called child.parent.local, those domains will eachcontain a subdomain: _msdcs.parent.local and _msdcs.child.parent.local respectively. You can see the _msdcssubdomain of a domain in my Active Directory forest below:

This subdomain is reserved for the registration of DNS records for Microsoft specific services. For example,when looking for a domain controller, a client will need to query a LDAP service record. Microsoft is not the onlysoftware company who makes directory services software using the LDAP protocol. As such, there needs to bea way for a client to specifically request a Microsoft LDAP server (in other words a domain controller). Becausethe _msdcs domain is reserved specifically for Microsoft, clients can safely query this domain for LDAP servicerecords and know they will be receiving the record for a Microsoft domain controller.

Take a closer look at the _msdcs subdomain. You’ll see it actually has several subdomains of its own.

One of these subdomains is the “dc” domain. The dc._msdcs domain contains two other subdomains called“_sites” and “_tcp.”

When a client is querying DNS for a domain controller, if the client does not know what site it belongs to, it willrequest a _ldap service record from the _tcp.dc._msdcs.domain.tld zone.

If the client does know what site it belongs to, it can query for a _ldap record in the subdomain for that site. Forexample, _tcp.Default-First-Site-Name._sites.dc._msdcs.child.parent.local using the example pictured above.

_msdcs Subdomain of the Forest Root Domain

The _msdcs subdomain of the forest’s root domain is a little special.

First, if you look at the records registered in the root of the zone, you may see several CNAME (or alias)records. There is a CNAME record for each domain controller in the forest and this record maps the GUID ofthe domain controller to the fully-qualified domain name of the domain controller. These records are used byActive Directory for replication purposes. All writable domain controllers must register a record in this zone forproper replication.

Now, take a look at the _msdcs domain under the forest root domain in the DNS Server Manager. Notice how itis depicted as a gray icon.

This signifies _msdcs is a delegated domain. Recall that delegations are used to specify the IP address ofanother DNS server that will host the zone. In the case of the _msdcs domain, the delegation does not actuallyspecify a different DNS server, but instead points to the local server as you can see from the properties of thedelegation in the screen shot below:

So, what is the point of delegating this subdomain to the same server? Well, essentially by specifying the_msdcs domain as a delegation, you remove it from the parent zone on the DNS server allowing you to createan independent _msdcs zone. The screen shot below highlights this _msdcs zone:

Because this is now a separate zone, it is possible to change it’s replication scope. By default, the replicationscope is set to all DNS servers in the forest.

In contrast, the parent domain’s replication scope is set to only the DNS servers in the domain by default.

Now, the _msdcs subdomain of the forest root has its own subdomain underneath it called “dc,” like we looked

at earlier, where DCs for the domain register their service records. But, because the _msdcs subdomain of theforest root domain is replicated to all DNS servers in the forest, it also make the perfect place for services thatare needed throughout the forest to register their DNS records as well. For example, say the global catalog.

Looking at the subdomains in the _msdcs domain, you’ll see in addition to the “dc” domain, there is asubdomain called “domains” and another subdomain called “gc.”

The domains._msdcs domain contains subdomains corresponding to all domains in the forest (labeled by thedomain’s GUID). In these subdomains are service records for the DCs in those domains.

The gc._msdcs domain contains two subdomains of its own called “_sites” and “_tcp.” These function the sameway as the “_sites” and “_tcp” subdomains in the dc._msdcs domain function. When a client needs to find aglobal catalog in the forest, it can query for an _ldap record in the _tcp.gc._msdcs.forestroot.tld zone if it doesnot know what site it is in or it can query for a global catalog in a specific site by requesting an _ldap record inthe _tcp.SiteName._sites.gc._msdcs.forestroot.tld zone.

I also want to make it clear, that because the _msdcs subdomain of the forest root is replicated to all DNSservers in the forest, this means every DNS server is authoritative for the _msdcs.forestroot.tld zone.

That concludes this look at the _msdcs domain. I hope this description was helpful.

QUESTION 75You need to compact an Active Directory database on a d omain controller that runs Windows Server2008 R2.

What should you do?

A. Run defrag.exe /a /c.B. Run defrag.exe /c /u.C. From Ntdsutil, use the Files option.D. From Ntdsutil, use the Metadata cleanup option.



Compact the Directory Database File (Offline Defrag mentation)You can use this procedure to compact the Active Directory database offline. Offline defragmentation returnsfree disk space in the Active Directory database to the file system. As part of the offline defragmentationprocedure, check directory database integrity.

Performing offline defragmentation creates a new, compacted version of the database file in a differentlocation.

Reference 2:Mastering Windows Server 2008 R2 (Sybex, 2010)page 805

Performing Offline Defragmentation of Ntds.ditThese steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment andcompact the database to a remote shared folder, map a drive letter to that shared folder before you begin thesesteps, and use that drive letter in the path where appropriate.1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as

Administrator.2. Type ntdsutil , and then press Enter.3. Type Activate instance NTDS , and press Enter.4. At the resulting ntdsutil prompt, type Files (case sensitive) and then press Enter.5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the

defragmentation, and then press Enter.

QUESTION 76Your network contains an Active Directory domain named contoso.com . Contoso.com contains three servers .

The servers are configured as shown in the following table:

You need to ensure that users can manually enroll and r enew their certificates by using the CertificateEnrollment Web Service .


A. Configure the policy module settings.B. Configure the issuance requirements for the certificate templates.C. Configure the Certificate Services Client - Certificate Enrollment Policy Group Policy setting.D. Configure the delegation settings for the Certificate Enrollment Web Service application pool account.


Explanation/Reference:All credit for correcting this one and providing the explanation goes to Luffy!


The Certificate Enrollment Web Service can process enrollment requests for new certificates and for certificaterenewal. In both cases, the client computer submits the request to the Web service and the Web servicesubmits the request to the certification authority (CA) on behalf of the client computer. For this reason, the Webservice account must be trusted for delegation in order to present the client identity to the CA.

Reference 2:http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx

Delegation is required for the Certificate Enrollment Web Service account when all of the following are true:the CA is not on the same computer as the Certificate Enrollment Web ServiceCertificate Enrollment Web Service needs to be able to process initial enrollment requests, as opposed toonly processing certificate renewal requeststhe authentication type is set to Windows Integrated Authentication or Client certificate authentication

QUESTION 77Your network contains an Active Directory domain named contoso.com . Contoso.com contains a member server that runs Windows Server 2008 Standard .

You need to install an enterprise subordinate certifica tion authority (CA) that supports private keyarchival . You must achieve this goal by using the minimum amount of administrative effort .


A. Initialize the Trusted Platform Module (TPM).B. Upgrade the member server to Windows Server 2008 R2 Standard.C. Install the Certificate Enrollment Policy Web Service role service on the member server.D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services -

Certification Authority server role template check box.


Explanation/Reference:Not sure about this one. See my thoughts below.________________________________________________________________________________

According to MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) key archival is notavailable in the Windows Server 2008 R2 Standard edition, so that would leave out answer B.

Another dump gives the following for answer B:"Upgrade the menber [sic] server to Windows Server 2008 R2 Enterprise ."

Should the actual exam mention to upgrade to the Enterprise edition for answer B, I'd go for that. In this VCE it

doesn't seem to make sense to go for B as it shouldn't work, I think.

Certificate Enrollment Policy Web Service role of answer C was introduced in Windows Server 2008 R2, so thatwould not be an option on the mentioned Windows Server 2008 machine.

Trusted Platform Module is "a secure cryptographic integrated circuit (IC), provides a hardware-basedapproach to manage user authentication, network access, data protection and more that takes security tohigher level than software-based security."(http://www.trustedcomputinggroup.org/resources/how_to_use_the_tpm_a_guide_to_hardwarebased_endpoint_security/)

Pfff... I'm bothered that answer B speaks of the Standard edition, and not the Enterprise edition. Hope the VCEis wrong.

QUESTION 78You have an enterprise subordinate certification authority ( CA).You have a custom Version 3 certificate template .Users can enroll for certificates based on the custom certificate template by using the Certificatesconsole . The certificate template is unavailable for Web enrollm ent .

You need to ensure that the certificate template is availabl e on the Web enrollment pages .

What should you do?

A. Run certutil.exe Cpulse.B. Run certutil.exe Cinstallcert.C. Change the certificate template to a Version 2 certificate template.D. On the certificate template, assign the Autoenroll permission to the users.


Explanation/Reference:Identical to F12.


Certificate Web enrollment cannot be used with version 3 certificate templates.

Reference 2:http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx

The reason for this blog post is that one of our customers called after noticing some unexpected behavior whenthey were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template basedcertificate. The problem was that no matter what they did the Version 3 Templates would not appear ascertificates which could be requested via the web page. On the other hand, version 1 and 2 templates didappear in the page and requests could be done successfully using those templates.

QUESTION 79Your network contains an Active Directory domain . The domain contains a member server named Server1 that runs Windows Server 2008 R2 .

You need to configure Server1 as a global catalog serve r.

What should you do?

A. Modify the Active Directory schema.B. From Ntdsutil, use the Roles option.C. Run the Active Directory Domain Services Installation Wizard on Server1.D. Move the Server1 computer object to the Domain Controllers organizational unit (OU).


Explanation/Reference:Now it's just a member server, so you'll have to run dcpromo to start the Active Directory Domain ServicesInstallation Wizard in order to promote the server to a domain controller. Only a domain controller can be aglobal catalog server.


The global catalog is a distributed data repository that contains a searchable, partial representation of everyobject in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog isstored on domain controllers that have been designated as global catalog servers and is distributed throughmultimaster replication.

QUESTION 80Your network contains three Active Directory forests named Forest1 , Forest2 and Forest3 . Each forest contains three domains .

A two-way forest trust exists between Forest1 and Forest2 . A two-way forest trust exists between Forest2 and Forest3 .

You need to configure the forests to meet the following requirements :

Users in Forest3 must be able to access resources in Forest1Users in Forest1 must be able to access resources in Forest3 .The number of trusts must be minimized .

What should you do?

A. In Forest2, modify the name suffix routing settings.B. In Forest1 and Forest3, configure selective authentication.C. In Forest1 and Forest3, modify the name suffix routing settings.D. Create a two-way forest trust between Forest1 and Forest3.E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3.


Explanation/Reference:Reference:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, December 14 2012)page 639:

Forest Trusts(...)You can specify whether the forest trust is one-way, incoming or outgoing, or two-way. As mentioned earlier, aforest trust is transitive, allowing all domains in a trusting forest to trust all domains in a trusted forest. However,

forest trusts are not themselves transitive. For example, if the tailspintoys.com forest trusts theworldwideimporters .com forest, and the worldwideimporters.com forest trusts the northwindtraders.com forest,those two trust relationships do not allow the tailspintoys.com forest to trust the northwindtraders.com forest. Ifyou want those two forests to trust each other, you must create a specific forest trust between them.

QUESTION 81Your network contains an Active Directory domain . All domain controllers run Windows Server 2003 .

You replace all domain controllers with domain controllers that run Windows Server 2008 R2 . You raise the functional level of the domain to Windows Server 2008 R2 .

You need to minimize the amount of SYSVOL replication t raffic on the network .

What should you do?

A. Raise the functional level of the forest to Windows Server 2008 R2.B. Modify the path of the SYSVOL folder on all of the domain controllers.C. On a global catalog server, run repadmin.exe and specify the KCC parameter.D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run

dfsrmig.exe.


Explanation/Reference:Now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functionallevel has been upgraded to Windows Server 2008 R2 we can use DFS Replication for replicating SYSVOL,instead of File Replication Service (FRS) of previous Windows Server versions.The migration takes place on a domain controller holding the PDC Emulator role.


Using DFS Replication for replicating SYSVOL in Win dows Server 2008DFS Replication technology significantly improves replication of SYSVOL. In Windows 2000 Server, WindowsServer 2003, and Windows Server 2003 R2, FRS is used to replicate the contents of the SYSVOL share. Whena change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64KB, only the updated portion of the file is replicated.


Migrating to the Prepared StateThe following sections provide an overview of the procedures that you perform when you migrate SYSVOLreplication from File Replication Service (FRS) to Distributed File System (DFS Replication).

This migration phase includes the tasks in the following list.(...)Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to thePrepared state.

QUESTION 82Your network contains an Active Directory forest . The forest contains two domain controllers .


All client computers run Windows 7 .

You need to ensure that all client computers in the dom ain keep the same time as an external timeserver .

What should you do?

A. From DC1, run the time command.B. From DC2, run the time command.C. From DC1, run the w32tm.exe command.D. From DC2, run the w32tm.exe command.



Change the Windows Time Service Configuration on th e PDC Emulator in the Forest Root DomainThe domain controller in the forest root domain that holds the primary domain controller (PDC) emulatoroperations master (also known as flexible single master operations or FSMO) role is the default time source forthe domain hierarchy of time sources in the forest.


Windows Time Service Tools and SettingsMost domain member computers have a time client type of NT5DS, which means that they synchronize timefrom the domain hierarchy. The only typical exception to this is the domain controller that functions as the primary domain controller (PDC) emulator operations master of the forest root domain, which is usuallyconfigured to synchronize time with an external time source.

W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems withthe time service. W32tm.exe is the preferred command line tool for configuring, monitoring, or troubleshootingthe Windows Time service.

QUESTION 83Your network contains an Active Directory domain named contoso.com . Contoso.com contains two domain controllers .


All client computers have IP addresses in the 10.1.2.1 to 10.1.2.240 range .

You need to minimize the number of client authenticatio n requests sent to DC2 .

What should you do?

A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and assign thesubnet to Site1. Move DC1 to Site1.

B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and assign thesubnet to Site1. Move DC1 to Site1.

C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and assign thesubnet to Site1. Move DC2 to Site1.

D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and assign thesubnet to Site1. Move DC2 to Site1.


Explanation/Reference:Reference:http://www.examcollection.com/microsoft/Microsoft.BrainDump.70-640.v2011-04-06.230q.vce.file.html

Spider from Switzerland - Apr 12 2011, 7:13 PMCreating a new site and assigning a subnet of 10.1.1.2 with subnet mask of 255.255.255.255, it means onlyONE ip (the DC2 ip) will be included on the site1 subnet coverage. Therefore all the request will be processedfrom the DC1 in the default-first-site and dc2 will authenticate only itself.

QUESTION 84Active Directory Rights Management Services (AD RMS) is deployed on your network.

You need to configure AD RMS to use Kerberos authentica tion .


A. Register a service principal name (SPN) for AD RMS.B. Register a service connection point (SCP) for AD RMS.C. Configure the identity setting of the _DRMSAppPool1 application pool.D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS)



If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, youmust take additional steps to configure the server running AD RMS after installing the AD RMS server role andprovisioning the server. Specifically, you must perform these procedures:

Set the Internet Information Services (IIS) useAppPoolCredentials variable to TrueSet the Service Principal Names (SPN) value for the AD RMS service account

QUESTION 85Your network contains an Active Directory forest . The forest contains an Active Directory site for a remote office . The remote site contains a read-only domain controller (RODC) .

You need to configure the RODC to store only the passwo rds of users in the remote site .

What should you do?

A. Create a Password Settings object (PSO).B. Modify the Partial-Attribute-Set attribute of the forest.C. Add the user accounts of the remote site users to the Allowed RODC Password Replication Group.D. Add the user accounts of users who are not in the remote site to the Denied RODC Password Replication

Group.



Password Replication Policy Allowed and Denied list sTwo new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODCoperations. These are the Allowed RODC Password Replication Group and Denied RODC PasswordReplication Group.

These groups help implement a default Allowed List and Denied List for the RODC Password ReplicationPolicy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup Active Directory attributes mentioned earlier.

QUESTION 86Your company has four offices . The network contains a single Active Directory domain . Each office has a domain controller . Each office has an organizational unit (OU) that contains the user accounts for the users in that office. In each office , support technicians perform basic troubleshooting for the users in their respective office.

You need to ensure that the support technicians can res et the passwords for the user accounts in theirrespective office only . The solution must prevent the technicians from creating user accounts .

What should you do?

A. For each OU, run the Delegation of Control Wizard.B. For the domain, run the Delegation of Control Wizard.C. For each office, create an Active Directory group, and then modify the security settings for each group.D. For each office, create an Active Directory group, and then modify the controlAccessRights attribute for

each group.


Explanation/Reference:Reference 1:


To delegate control of an organizational unit1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative

Tools, and then double-click Active Directory Users and Computers.2. To open Active Directory Users and Computers in Windows Server® 2012, click Start, type dsa.msc.3. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.4. Click Delegate Control to start the Delegation of Control Wizard , and then follow the instructions in the

wizard.


Delegate the following common tasksThe following are common tasks that you can select to delegate control of them:

(...)Reset user passwords and force password change at next logon

QUESTION 87Your network contains a single Active Directory domain . Client computers run either Windows XP Service Pack 3 (SP3) or Windows 7 . All of the computer accounts for the client computers are located in an organizational unit (OU) namedOU1.

You link a new Group Policy object (GPO) named GPO10 to OU1.

You need to ensure that GPO10 is applied only to client computers that run Windows 7 .

What should you do?

A. Create a new OU in OU1. Move the Windows XP computer accounts to the new OU.B. Enable block inheritance on OU1.C. Create a WMI filter and assign the filter to GPO10.D. Modify the permissions of OU1.



To make sure that each GPO associated with a group can only be applied to computers running the correctversion of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to theGPO. Although you can create a separate membership group for each GPO, you would then have to managethe memberships of the different groups. Instead, use only a single membership group, and let WMI filtersautomatically ensure the correct GPO is applied to each computer.


You need to audit changes to a service account . The solution must ensure that the audit logs contain th e before and after values of all the changes .

Which security policy setting should you configure?

A. Audit Sensitive Privilege Use

B. Audit User Account ManagementC. Audit Directory Service ChangesD. Audit Other Account Management Events


Explanation/Reference:Reference 1:http://technet.microsoft.com/en-us/library/dd772641.aspx

Audit Directory Service ChangesThis security policy setting determines whether the operating system generates audit events when changes aremade to objects in Active Directory Domain Services (AD DS).


AD DS Auditing Step-by-Step GuideThis guide includes a description of the new Active Directory® Domain Services (AD DS) auditing feature inWindows Server® 2008. With the new auditing feature, you can log events that show old and new values; forexample, you can show that Joe's favorite drink changed from single latte to triple-shot latte.

QUESTION 89Your network contains two Active Directory forests named contoso.com and nwtraders.com . Active Directory Rights Management Services (AD RMS) is deployed in each forest .

You need to ensure that users from the nwtraders.com fo rest can access AD RMS protected content inthe contoso.com forest .

What should you do?

A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.B. Create an external trust from nwtraders.com to contoso.com.C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.D. Create an external trust from contoso.com to nwtraders.com.



Reference:http://technet.microsoft.com/en-us/library/hh311036.aspx

Using AD RMS trustIt is not necessary to create trust or federation relationships between the Active Directory forests oforganizations to be able to share rights-protected information between separate organizations. AD RMSprovides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificatesor use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS rootcluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster totrust.

QUESTION 90

Your network contains a server named Server1 that runs Windows Server 2008 R2 . Server1 is configured as an Active Directory Federation Services (AD FS) 2.0 st andalone server .

You plan to add a new token-signing certificate to Serv er1.

You import the certificate to the server as shown in the exhibit:

When you run the Add Token-Signing Certificate wizard , you discover that the new certificate isunavailable .

You need to ensure that you can use the new certificate for AD FS .

What should you do?

A. From the properties of the certificate, modify the Certificate Policy OIDs setting.B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.C. From the properties of the certificate, modify the Certificate purposes setting.D. Import the certificate to the local computer personal certificate store.


Explanation/Reference:Reference:http://technet.microsoft.com/en-us/library/hh341466.aspx

When you deploy the first federation server in a new AD FS 2.0 installation, you must obtain a token-signingcertificate and install it in the local computer personal certificate store on that federation server.

QUESTION 91You need to purge the list of user accounts that were a uthenticated on a read-only domain controller(RODC).

What should you do?

A. Run the repadmin.exe command and specify the /prp parameter.B. From Active Directory Sites and Services, modify the properties of the RODC computer object.C. From Active Directory Users and Computers, modify the properties of the RODC computer object.D. Run the dsrm.exe command and specify the -u parameter.


Explanation/Reference:Reference:http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx

Clearing the authenticated accounts listIn addition to reviewing the list of authenticated users, you may decide to periodically clean up the list ofaccounts that are authenticated to the RODC. Cleaning up this list may help you more easily determine the newaccounts that have authenticated through the RODC.

Membership in the Domain Admins group of the domain in which the RODC is a member, or equivalent, is theminimum required to complete this procedure.

To clear all entries from the list, run the command repadmin /prp delete <hostname> auth2 /all .Substitute the actual host name of the RODC that you want to clear. For example, if you want to clear the list ofauthenticated accounts for RODC2, type repadmin /prp delete rodc2 auth2 /all , and then pressENTER.

QUESTION 92Your company has a main office and four branch offices . An Active Directory site exists for each office . Each site contains one domain controller . Each branch office site has a site link to the main office site .

You discover that the domain controllers in the branch offices sometimes replicate directly to eachother .

You need to ensure that the domain controllers in the b ranch offices only replicate to the domaincontroller in the main office .

What should you do?

A. Modify the firewall settings for the main office site.B. Disable the Knowledge Consistency Checker (KCC) for each branch office site.C. Disable site link bridging.D. Modify the security settings for the main office site.



Configuring site link bridgesBy default, all site links are bridged, or transitive. This allows any two sites that are not connected by an explicitsite link to communicate directly, through a chain of intermediary site links and sites. One advantage to bridging

all site links is that your network is easier to maintain because you do not need to create a site link to describeevery possible path between pairs of sites.

Generally, you can leave automatic site link bridging enabled. However, you might want to disable automaticsite link bridging and create site link bridges manually just for specific site links, in the following cases:

(...)You have a network routing or security policy in place that prevents every domain controller from being ableto directly communicate with every other domain controller.

QUESTION 93Your network contains an Active Directory forest . The forest contains one domain . The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2 .DC1 was installed before DC2 .

DC1 fails .

You need to ensure that you can add 1,000 new user acco unts to the domain .

What should you do?

A. Modify the permissions of the DC2 computer account.B. Seize the schema master FSMO role.C. Configure DC2 as a global catalog server.D. Seize the RID master FSMO role.


Explanation/Reference:Reference:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)pages 536-537

RID master failureA failed RID master eventually prevents domain controllers from creating new SIDs and, therefore, preventsyou from creating new accounts for users, groups, or computers. However, domain controllers receive a sizablepool of RIDs from the RID master, so unless you are generating numerous new accounts, you can often go forsome time without the RID master online while it is being repaired. Seizing this role to another domain controlleris a significant action. After the RID master role has been seized, the domain controller that had beenperforming the role cannot be brought back online.


You need to identify whether the Active Directory Recyc le Bin is enabled .

What should you do?

A. From Ldp, search for the Reanimate-Tombstones object.B. From Ldp, search for the LostAndFound container.C. From Windows PowerShell, run the Get-ADObject cmdlet.D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet.

Correct Answer: D


Explanation/Reference:Reference:http://www.frickelsoft.net/blog/?p=224

How can I check whether the AD Recycle-Bin is enabl ed in my R2 forest?[He shows how to use the PowerShell cmdlet Get- ADOptionalFeature to determine if the AD Recycle Bin isenabled.]

QUESTION 95Your network contains an Active Directory domain .You create and mount an Active Directory snapshot .

You run dsamain.exe as shown in the exhibit:

You need to ensure that you can browse the contents of the Active Directory snapshot .

What should you?

A. Stop Active Directory Domain Services (AD DS) and then rerun dsamain.exe.B. Change the value of the dbpath parameter, and then rerun dsamain.exe.C. Change the value of the ldapport parameter, and then rerun dsamain.exe.D. Restart the Volume Shadow Copy Service (VSS) and then rerun dsamain.exe.


Explanation/Reference:The path in the exhibit points to the running Active Directory database, not to the snapshot.

Reference:


For the dbpath parameter, you must specify a mounted snapshot or a backup that you want to view along withthe complete path to the Ntds.dit file, for example:

/dbpath E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS \ntds.dit


You need to back up all of the Group Policy objects (GP Os), Group Policy permissions, and GroupPolicy links for the domain .

What should you do?

A. From Group Policy Management Console (GPMC), back up the GPOs.B. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.C. From Windows Server Backup, perform a system state backup.D. From Windows PowerShell, run the Backup-GPO cmdlet.


Explanation/Reference:When you backup a GPO using the Group Policy Management Console or the Backup-GPO cmdlet, the links todomains/sites/OUs are not included. The link is indicated in an accompanying gpreport.xml, but it's not in thebackup itself. If you restore the backup, then the GPO is not linked to anything.

Microsoft recommends that you do not modify the Sysvol structure. This recommendation also applies tobackup and restore operations of the Sysvol structure. On top of that, the SYSVOL folder only contains theGPT part of a GPO, so it would be an incomplete backup anyway.

The link between GPO and for example an OU is an attribute (gPLink) of the OU, not of the GPO. So, tobackup the GPOs, including the links, we have to perform a system state backup.

Reference 1:http://www.microsoft.com/en-us/download/details.aspx?id=22478

Planning and Deploying Group Policy (Word-document)

Backing up and restoring WMI filter data, IPsec pol icy settings, and links to OUsLinks to WMI filters and IPsec policies are stored in GPOs and are backed up as part of a GPO. When yourestore a GPO, these links are preserved if the underlying objects still exist in Active Directory. Links to OUs,however, are not part of the backup data and will not be restored during a restore operation.

Reference 2:http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/c361339f-7266-4991-8309-c957a123a455/

Does backup-gpo cmdlet backup GPO links and permiss ion?

"Permissions are backed up but links are not. The links are actually properties of the OU and would be backedup as part of the system state. Please see this article for more information: http://technet.microsoft.com/en-us/library/cc784474.aspx. The article refers to the GPMC process which is the same as the PowerShell cmdlet."


Information saved in a backupBacking up a GPO saves all information that is stored inside the GPO to the file system. This includes thefollowing information:

GPO globally unique identifier (GUID) and domain.GPO settings.Discretionary access control list (DACL) on the GPO.WMI filter link, if there is one, but not the filter itself.Links to IP Security Policies, if any.XML report of the GPO settings, which can be viewed as HTML from within GPMC.Date and time stamp of when the backup was taken.User-supplied description of the backup.

Information not saved in a backupBacking up a GPO only saves data that is stored inside the GPO. Data that is stored outside the GPO is notavailable when the backup is restored to the original GPO or imported into a new one. This data that becomesunavailable includes the following information:

Links to a site, domain, or organizational unit.WMI filter.IP Security policy.

Reference 4:http://technet.microsoft.com/en-us/library/jj134176.aspx

Check Group Policy Infrastructure StatusEach GPO is stored partly in Active Directory and partly in the SYSVOL on the domain controller. The portion ofthe GPO stored in Active Directory is called the Group Policy container (GPC) while the portion of the GPOstored in the SYSVOL is called the Group Policy template (GPT). GPMC and Group Policy Management Editormanage the GPO as a single unit. For example, when you set permissions on a GPO in GPMC, GPMC isactually setting permissions on objects in both Active Directory and the SYSVOL. It is not recommended thatyou manipulate these separate objects independently outside of GPMC and the Group Policy ManagementEditor.

It is important to understand that these two separate features of a GPO rely on different replicationmechanisms. The file system portion, GPT, is replicated through Distributed File Service Replication (DFS-R)or File Replication Service (FRS), independently of the replication handled by Active Directory, GPC.


You need to reset the Directory Services Restore Mode ( DSRM) password on the domain controller .


A. NtdsutilB. DsamainC. Active Directory Users and ComputersD. Local Users and Groups


Explanation/Reference:Reference:http://blogs.technet.com/b/meamcs/archive/2012/05/29/reset-the-dsrm-administrator-password.aspx

To Reset the DSRM Administrator Password1. Click, Start, click Run, type ntdsutil , and then click OK.

2. At the Ntdsutil command prompt, type set dsrm password .3. (...)

QUESTION 98Your network contains an Active Directory forest . All client computers run Windows 7 .

The network contains a high-volume enterprise certification authority (C A).

You need to minimize the amount of network bandwidth re quired to validate a certificate .

What should you do?

A. Configure an LDAP publishing point for the certificate revocation list (CRL).B. Configure an Online Certification Status Protocol (OCSP) responder.C. Modify the settings of the delta certificate revocation list (CRL).D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).



Online responderThis service is designed to respond to specific certificate validation requests through the Online CertificateStatus Protocol (OCSP). Using an online responder (OR), the system relying on PKI does not need to obtain afull CRL and can submit a validation request for a specific certificate. The online responder decodes thevalidation request and determines whether the certificate is valid. When it determines the status of therequested certificate, it sends back an encrypted response containing the information to the requester. Usingonline responders is much faster and more efficient than using CRLs. AD CS includes online responders as anew feature in Windows Server 2008 R2.

QUESTION 99Your network contains an Active Directory domain . You have five organizational units (OUs) named Finance , HR, Marketing , Sales , and Dev.

You link a Group Policy object named GPO1 to the domain as shown in the exhibit:

You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs . The solution must prevent GPO1 from being applied to us ers in the Dev OU .

What should you do?

A. Enforce GPO1.B. Modify the security settings of the Dev OU.C. Link GPO1 to the Finance OU.D. Modify the security settings of the Finance OU.


Explanation/Reference:The OUs that are indicated by a blue exclamation mark in the console tree have blocked inheritance. Thismeans that GPO1 will not be applied to those OUs. For the Dev OU that's ok, but not for the Finance OU. Sowe have to link GPO1 to the Finance OU.


Block InheritanceYou can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policyobjects (GPOs) that are linked to higher sites, domains, or organizational units from being automaticallyinherited by the child-level.

If a domain or OU is set to block inheritance, it will appear with a blue exclamation mark in the console tree.

QUESTION 100

Your network contains an Active Directory domain . The domain contains an organizational unit (OU) named OU1. OU1 contains all managed service accounts in the domain .

You need to prevent the managed service accounts from b eing deleted accidentally from OU1 .

Which cmdlet should you use?

A. Set-ADUserB. Set-ADOrganizationalUnitC. Set-ADServiceAccountD. Set-ADObject


Explanation/Reference:You can use Set-ADOrganizationalUnit and the -ProtectedFromAccidentalDeletion $true parameter to preventOU1 from being deleted accidentally, but you would still be able to delete the accounts inside it. Use Set-ADObject to protect the accounts.


Set-ADObjectModifies an Active Directory object.

Parameter-ProtectedFromAccidentalDeletion <Boolean>Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot deletethe corresponding object without changing the value of the property. Possible values for this parameter include:

$false or 0$true or 1

The following example shows how to set this parameter to true.-ProtectedFromAccidentalDeletion $true

Exam D

QUESTION 1Your network contains an Active Directory domain . All domain controllers run Windows Server 2008 R2 .

You need to collect all of the Directory Services event s from all of the domain controllers and store theevents in a single central computer .

What should you do?

A. Run the ntdsutil.exe command.B. Run the repodmin.exe command.C. Run the Get-ADForest cmdlet.D. Run the dsamain.exe command.E. Create custom views from Event Viewer.F. Run the dsquery.exe command.G. Configure the Active Directory Diagnostics Data Collector Set (DCS),H. Configure subscriptions from Event Viewer.I. Run the eventcreate.exe command.J. Create a Data Collector Set (DCS).

Correct Answer: HSection: (none)Explanation


Event SubscriptionsEvent Viewer enables you to view events on a single remote computer. However, troubleshooting an issuemight require you to examine a set of events stored in multiple logs on multiple computers.

Windows Vista includes the ability to collect copies of events from multiple remote compu ters and storethem locally . To specify which events to collect, you create an event subscription . Among other details, thesubscription specifies exactly which events will be collected and in which log they will be stored locally. Once asubscription is active and events are being collected, you can view and manipulate these forwarded events asyou would any other locally stored events.

Using the event collecting feature requires that you configure both the forwarding and the collecting computers.The functionality depends on the Windows Remote Management (WinRM) service and the Windows EventCollector (Wecsvc) service. Both of these services must be running on computers participating in theforwarding and collecting process. To learn about the steps required to configure event collecting andforwarding computers, see Configure Computers to Forward and Collect Events (http://technet.microsoft.com/en-us/library/cc748890.aspx).


You need to receive a notification when more than 100 Activ e Directory objects are deleted per second .

What should you do?

A. Create custom views from Event Viewer.

B. Run the Get-ADForest cmdlet.C. Run the ntdsutil.exe command.D. Configure the Active Directory Diagnostics Data Collector Set (DCS).E. Create a Data Collector Set (DCS).F. Run the dsamain.exe command.G. Run the dsquery.exe command.H. Run the repadmin.exe command.I. Configure subscriptions from Event Viewer.J. Run the eventcreate.exe command.

Correct Answer: ESection: (none)Explanation


Reference:http://technet.microsoft.com/en-us/magazine/ff458614.aspx

Configure Windows Server 2008 to Notify you when Ce rtain Events OccurYou can configure alerts to notify you when certain events occur or when certain performance thresholds arereached. You can send these alerts as network messages and as events that are logged in the applicationevent log. You can also configure alerts to start applications and performance logs.

To configure an alert, follow these steps:1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the left

pane, point to New, and then choose Data Collector Set .2. (...)3. In the Performance Counters panel, select the first counter, and then use the Alert When Value Is text box

to set the occasion when an alert for this counter is triggered. Alerts can be triggered when the counter isabove or below a specific value. Select Above or Below, and then set the trigger value. The unit ofmeasurement is whatever makes sense for the currently selected counter or counters. For example, togenerate an alert if processor time is over 95 percent, select Over, and then type 95. Repeat this process toconfigure other counters you’ve selected.


You need to create a snapshot of Active Directory .

What should you do?

A. Run the dsquery.exe command.B. Run the dsamain.exe command.C. Create custom views from Event Viewer.D. Configure subscriptions from Event Viewer.E. Create a Data Collector Set (DCS).F. Configure the Active Directory Diagnostics Data Collector Set (DCS).G. Run the repadmin.exe command.H. Run the ntdsutil.exe command.I. Run the Get-ADForest cmdlet.J. Run the eventcreate.exe command.


Explanation/Reference:Practically the same question as E/Q29


To create an AD DS or AD LDS snapshot1. Log on to a domain controller as a member of the Enterprise Admins groups or the Domain Admins group.2. Click Start, right-click Command Prompt, and then click Run as administrator.3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then

click Continue.4. At the elevated command prompt, type the following command, and then press ENTER: ntdsutil5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds7. At the snapshot prompt, type the following command, and then press ENTER: create


You mount an Active Directory snapshot .

You need to ensure that you can query the snapshot by u sing LDAP .

What should you do?

A. Run the dsamain.exe command.B. Create custom views from Event Viewer.C. Run the ntdsutil.exe command.D. Configure subscriptions from Event Viewer.E. Run the Get-ADForest cmdlet.F. Create a Data Collector Set (DCS).G. Run the eventcreate.exe command.H. Configure the Active Directory Diagnostics Data Collector Set (DCS).I. Run the repadmin.exe command.J. Run the dsquery.exe command.




The Active Directory database mounting tool (Dsamain.exe ) can improve recovery processes for yourorganization by providing a means to compare data as it exists in snapshots that are taken at different times sothat you can better decide which data to restore after data loss. This eliminates the need to restore multiplebackups to compare the Active Directory data that they contain.

Requirements for using the Active Directory databas e mounting tool

You do not need any additional software to use the Active Directory database mounting tool. All the tools thatare required to use this feature are built into Windows Server 2008 and are available if you have the AD DS orthe AD LDS server role installed. These tools include the following:

(...)Dsamain.exe, which you can use to expose the snapshot data as an LDAP serverExisting LDAP tools, such as Ldp.exe and Active Directory Users and Computers

QUESTION 5Your network contains an Active Directory domain named contoso.com . The domain contains a server named Server1 and a domain controller named DC1.

On Server1 , you configure a collector-initiated subscription for the Application log of DC1. The subscription is configured to collect all events .After several days, you discover that Server1 failed to collect any events from DC1 , although there aremore than 100 new events in the Application log of DC1.

You need to ensure that Server1 collects events from DC 1.

What should you do?

A. On Server1, run wecutil quick-config.B. On Server1, run winrm quickconfig.C. On DC1, run wecutil quick-config.D. On DC1, run winrm quickconfig.


Explanation/Reference:Since the subscription has been created, wecutil quick-config has already run on Server1. Only thing left is toconfigure DC1 to forward the events, using winrm quickconfig.

Reference1 :Mastering Windows Server 2008 R2 (Sybex, 2010)page 773

Windows event Collector ServiceThe first time you select the Subscriptions node of Event Viewer or the Subscription tab of any log, a dialog boxwill appear stating that the Windows Event Collector Service must be running and configured. It then askswhether you want to start and configure the service. If you click Yes, it starts the service and changes thestartup type from Manual to Automatic (Delayed Start), causing it to start each time Windows starts.


To configure computers in a domain to forward and c ollect events1. Log on to all collector and source computers. It is a best practice to use a domain account with

administrative privileges.2. On each source computer, type the following at an elevated command prompt: winrm quickconfig

QUESTION 6A network contains an Active Directory Domain Services (AD DS) domain .

Active Directory is configured as shown in the following table:

The functional level of the domain is Windows Server 2008 R2 . The functional level of the forest is Windows Server 2003 .

Active Directory replication between the Seattle site and the Chicago site occurs from 8:00 P.M. to 1:00A.M. every day .At 7:00 A.M. an administrator deletes a user account w hile he is logged on to DC001 .

You need to restore the deleted user account . You must achieve this goal by using the minimum adminis trative effort .

What should you do?

A. On DC006, stop AD DS, perform an authoritative restore, and then start AD DS.B. On DC001, run the Restore-ADObject cmdlet.C. On DC006, run the Restore-ADObject cmdlet.D. On DC001, stop AD DS, restore the system state, and then start AD DS.


Explanation/Reference:Practically the same question as E/Q33 and K/Q28.




"An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for thedata to make it authoritative and ensure that it is replicated to all other servers."




The domain is configured as shown in the exhibit:

You have a Group Policy Object (GPO) linked to the domain .

You need to ensure that the settings in the GPO are not processed by user accounts or computeraccounts in the Finance organizational unit (OU). You must achieve this goal by using the minimum amount of administrative effort .

What should you do?

A. Modify the Group Policy permissions.B. Configure WMI filtering.C. Enable block inheritance.D. Enable loopback processing in replace mode.E. Configure the link order.F. Configure Group Policy Preferences.G. Link the GPO to the Human Resources OU.H. Configure Restricted Groups.I. Enable loopback processing in merge mode.J. Link the GPO to the Finance OU.


Explanation/Reference:Same question as K/Q2, but with the exhibit.


Block InheritanceYou can block inheritance for a domain or organizational unit . Blocking inheritance prevents Group Policy

objects (GPOs) that are linked to higher sites, domains, or organizational units from being automaticallyinherited by the child-level.

QUESTION 8Your network contains an Active Directory domain named contoso.com .You have an organizational unit (OU) named Sales and an OU named Engineering .You have two Group Policy Objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the Sales OU and contain multiple settings .

You discover that GPO2 has a setting that conflicts wit h a setting in GPO1 . When the policies are applied, the setting in GPO2 takes effect .

You need to ensure that the settings in GPO1 supersede the settings in GPO2 . The solution must ensure that all non-conflicting settings in b oth GPOs are applied .

What should you do?

A. Configure Restricted Groups.B. Configure the link order.C. Link the GPO to the Sales OU.D. Link the GPO to the Engineer OU.E. Enable loopback processing in merge mode.F. Modify the Group Policy permissions.G. Configure WMI filtering.H. Configure Group Policy Permissions.I. Enable loopback processing in replace mode.J. Enable block inheritance.


Explanation/Reference:Practically the same as J/Q22 and K/Q3.

Reference:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)page 283

Precedence of Multiple Linked GPOsAn OU, domain, or site can have more than one GPO linked to it. In the event of multiple GPOs, the GPOs’ linkorder determines their precedence. In Figure 6-10, two GPOs are linked to the People OU.

figure 6-10 GPO link order

The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that are

enabled or disabled in the Power User Configuration GPO have precedence over these same settings in theStandard User Configuration GPO.

To change the precedence of a GPO link:1. Select the OU, site, or domain in the GPMC console tree.2. Click the Linked Group Policy Objects tab in the details pane.3. Select the GPO.4. Use the Up, Down, Move To Top, and Move To Bottom arrow icons to change the link order of the selected

GPO.

QUESTION 9All vendors belong to a global group named vendors .You place three file servers in a new organizational unit (OU) named ConfidentialFileServers . The three file servers contain confidential data located in shared folders .

You need to record any failed attempts made by the vend ors to access the confidential data .


A. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU. Configurethe Audit object access failure audit policy setting.

B. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU. Configurethe Audit privilege use Failure audit policy setting.

C. On each shared folder on the three file servers, add the Vendors global group to the Auditing tab.Configure Failed Full control setting in the AuditingEntry dialog box.

D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure FailedFull control setting in the AuditingEntry dialog box.

E. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU. Configurethe Deny access to this computer from the network user rights setting for the Vendors global group.


Explanation/Reference:Practically the same as A/Q30.

Reference:Windows Server 2008 R2 Unleashed (SAMS, 2010)page 671

Auditing Resource AccessObject access can be audited, although it is not one of the recommended settings. Auditing object access canplace a significant load on the servers, so it should only be enabled when it is specifically needed. Auditingobject access is a two-step process : Step one is enabling “Audit object access” and step two is selecting theobjects to be audited. When enabling Audit object access, you need to decide if both failure and successevents will be logged. The two options are as follows:

Audit object access failure enables you to see if users are attempting to access objects to which theyhave no rights. This shows unauthorized attempts.Audit object access success enables you to see usage patterns. This shows misuse of privilege.

After object access auditing is enabled, you can easily monitor access to resources such as folders, files, andprinters.

Auditing Files and FoldersThe network administrator can tailor the way Windows Server 2008 R2 audits files and folders through the

property pages for those files or folders. Keep in mind that the more files and folders that are audited, the moreevents that can be generated, which can increase administrative overhead and system resource requirements.Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following:

1. In Windows Explorer, right-click the file or folder to audit and select Properties.2. Select the Security tab and then click the Advanced button.3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button.4. Click the Add button to display the Select User or Group window.5. Enter the name of the user or group to audit when a ccessing the file or folder . Click the Check Names

button to verify the name.

QUESTION 10A corporate network includes a single Active Directory Domain Services (AD DS) d omain .

The HR department has a dedicated organizational unit (OU) named HR. The HR OU has two sub-OUs : HR Users and HR Computers . User accounts for the HR department reside in the HR Users OU . Computer accounts for the HR department reside in the HR Computers OU . All HR department employees belong to a security group named HR Employees . All HR department computers belong to a security group named HR PCs.

Company policy requires that passwords are a minimum of 6 characters .

You need to ensure that, the next time HR department em ployees change their passwords, thepasswords are required to have at least 8 character s. The password length requirement should not change for e mployees of any other department .

What should you do?

A. Modify the password policy in the GPO that is applied to the domain.B. Create a new GPO, with the necessary password policy, and link it to the HR Users OU.C. Create a fine-grained password policy and apply it to the security group named HR Employees.D. Modify the password policy in the GPO that is applied to the domain controllers OU.


Explanation/Reference:Thanks to Camel73 for confirming there was an error in answer C. That's fixed now.


What do fine-grained password policies do?You can use fine-grained password policies to specify multiple password policies within a single domain. Youcan use fine-grained password policies to apply different restrictions for password and account lockout policiesto different sets of users in a domain.

For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts ofother users. In other cases, you might want to apply a special password policy for accounts whose passwordsare synchronized with other data sources.

Are there any special considerations?Fine-grained password policies apply only to user o bjects (or inetOrgPerson objects if they are usedinstead of user objects) and global security groups . By default, only members of the Domain Admins groupcan set fine-grained password policies. However, you can also delegate the ability to set these policies to otherusers. The domain functional level must be Windows Server 2008.

Fine-grained password policy cannot be applied to a n organizational unit (OU) directly . To apply fine-grained password policy to users of an OU, you can use a shadow group.

QUESTION 11A corporate network includes a single Active Directory Domain Services (AD DS) d omain . All regular user accounts reside in an organisational unit (OU) named Employees . All administrator accounts reside in an OU named Admins .

You need to ensure that any time an administrator modif ies an employee's name in AD DS, the changeis audited .


A. Create a Group Policy Object with the Audit directory service access setting enabled and link it to theEmployees OU.

B. Modify the searchFlags property for the Name attribute in the Schema.C. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the

Admins OU.D. Use the Auditpol.exe command-line tool to enable the directory service changes auditing subcategory.


Explanation/Reference:Same question as J/Q37, different set of answers.

Before we can use the Directory Service Changes audit policy subcategory, we have to enable it first. We cando that by using auditpol.exe.


Auditing changes to objects in AD DSIn Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access,that controlled whether auditing for directory service events was enabled or disabled. In Windows Server 2008,this policy is divided into four subcategories:

Directory Service AccessDirectory Service ChangesDirectory Service ReplicationDetailed Directory Service Replication

The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory DirectoryService Changes . This guide provides instructions for implementing this audit policy subcategory.

The types of changes that you can audit include a user (or any security principal) creating, modifying , moving,or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS:

When a successful modify operation is performed on an attribute , AD DS logs the previous and currentvalues of the attribute. If the attribute has more than one value, only the values that change as a result of themodify operation are logged.(...)

Steps to set up auditingThis section includes procedures for each of the primary steps for enabling change auditing:

Step 1: Enable audit policy.Step 2: Set up auditing in object SACLs by using Active Directory Users and Computers.

Step 1: Enable audit policy.This step includes procedures to enable change auditing with either the Windows interface or a command line:

(...)By using the Auditpol command-line tool, you can enable individual subcategories.

To enable the change auditing policy using a comman d line1. Click Start, right-click Command Prompt, and then click Run as administrator.2. Type the following command, and then press ENTER:auditpol /set /subcategory:"directory service chang es" /success:enable

QUESTION 12Your network contains an Active Directory forest named contoso.com .

You need to provide a user named User1 with the ability to create and manage subnet objects . The solution must minimize the number of permissions as signed to User1 .

What should you do?

A. From Active Directory Users and Computers, run the Delegation of Control wizard.B. From Active Directory Administrative Centre, add User1 to the Schema Admins group.C. From Active Directory Sites and Services, run the Delegation of Control wizard.D. From Active Directory Administrative Centre, add User1 to the Network Configuration Operators group.


Explanation/Reference:Adding the user to the Schema Admins group, or to the Network Configuration Operators group would giveUser1 too much rights. Since we have to delegate an administrative task concerning subnets, we have to runthe Delegation of Control wizard from Active Directory Sites and Services.

Reference below is for Windows Server 2003 R2, but is still valid for 2008 R2.


Delegate control of a site

To delegate control of a site1. Open Active Directory Sites and Services .2. Right-click the container whose control you want to delegate, and then click Delegate Control to start the

Delegation of Control Wizard .3. Follow the instructions in the Delegation of Control Wizard.

Notes(...)In Active Directory Sites and Services, you can delegate control for the subnets , intersite transports, sites,and server containers.

QUESTION 13A corporate network contains a Windows Server 2008 R2 Active Directory forest .

You need to add a User Principal Name (UPN) suffix to t he forest .

What tool should you use?

A. Dsmgmt.

B. Active Directory Domains and Trusts console.C. Active Directory Users and Computers console.D. Active Directory Sites and Services console.


Explanation/Reference:Practically the same as F/Q17

Reference:http://www.kassapoglou.com/windows-server-2008-lesson-23-video-creating-a-user/

Demonstration adding a UPN SuffixTo add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the start menu.Right click Active Directory Domains and Trusts at the top and open the properties. From here you can addand remove additional domain UPN suffixes for the forest.

QUESTION 14Your network contains a single Active Directory domain that has two sites named Site1 and Site2 . Site1 has two domain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4.

DC3 fails .You discover that replication no longer occurs between the sites . You verify the connectivity between DC4 and the domain controllers in Site1 .On DC4, you run repadmin.exe /kcc .Replication between the sites continues to fail .

You need to ensure that Active Directory data replicate s between the sites .

What should you do?

A. From Active Directory Sites and Services, configure the NTDS Site Settings of Site2.B. From Active Directory Sites and Services, configure DC3 so it is not a preferred bridgehead server.C. From Active Directory Users and Computers, configure the NTDS settings of DC4.D. From Active Directory Users and Computers, configure the location settings of DC4.


Explanation/Reference:Same question as D/Q37.

By modifying the properties of DC3 we can remove the preferred bridgehead status of DC3.

Reference 1:MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)pages 193, 194



bridgehead server.2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties .3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want


Reference 2:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, December 14 2012)pages 589, 590

Preferred Bridgehead Servers(...)It’s important to understand that if you have specified one or more bridgehead servers and none of thebridgeheads is available, no other server is automatically selected, and replication does not occur for the siteeven if there are servers that could act as bridgehead servers.


All domain controllers were upgraded from Windows Server 2003 to Windows Server 2008 R2 ServicePack 1 (SP1) . The functional level of the domain is Windows Server 2003 .

You need to configure SYSVOL to use DFS Replication .

Which tools should you use? (Each correct answer presents part of the solution. Choose two .)

A. DfsrmigB. FrsdiagC. NtdsutilD. Set-ADForestE. RepadminF. Set-ADDomainModeG. DFS Management

Correct Answer: AFSection: (none)Explanation

Explanation/Reference:First we need to upgrade the domain functional level, using Set-ADDomainMode. Then, now that the domaincontrollers have been upgraded to Windows Server 2008 R2 and the domain functional level has beenupgraded (to Windows Server 2008 (R2)), we can migrate to DFS Replication for replicating SYSVOL, insteadof File Replication Service (FRS) of previous Windows Server versions. We can use Dfsrmig for that migration.


In versions of Windows Server prior to Windows Server 2008, the FRS was used to replicate the contents ofSYSVOL between domain controllers. FRS has limitations in both capacity and performance that cause it tobreak occasionally. Unfortunately, troubleshooting and configuring FRS is quite difficult. In Windows Server2008 and Windows Server 2008 R2 domains, you have t he option to use DFS-R to replicate the contents

of SYSVOL.

Reference 2:http://technet.microsoft.com/en-us/library/ee617230.aspx

Set-ADDomainModeThe Set-ADDomainMode cmdlet sets the domain mode for a domain. You specify the domain mode by settingthe DomainMode parameter.

The domain mode can be set to the following values that are listed in order of functionality from lowest tohighest.

Windows2000DomainWindows2003InterimDomainWindows2003DomainWindows2008DomainWindows2008R2Domain


Migrating to the Prepared StateThe following sections provide an overview of the procedures that you perform when you migrate SYSVOLreplication from File Replication Service (FRS) to Distributed File System (DFS Replication).

This migration phase includes the tasks in the following list.(...)Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to thePrepared state.

QUESTION 16Your network contains an Active Directory forest . The forest contains one domain named contoso.com .

You attempt to run adprep /domainprep and the operation fails .You discover that the first domain controller deployed to the forest failed .

You need to run adprep /domainprep successfully .

What should you do?

A. Move the domain naming master role.B. Install a read-only domain controller (RODC).C. Move the PDC emulator role.D. Move the RID master role.E. Move the infrastructure master role.F. Deploy an additional global catalog server.G. Move the bridgehead server.H. Move the schema master role.I. Restart the Active Directory Domain Services (AD DS) service.J. Move the global catalog server.



Adprep /domainprep must be run on the server holding the Infrastructure Master role . The role wasoriginally installed on the first domain controller in the forest. Now it's down and another domain controller mustget the Infrastructure Master role.


Planning Operations Master Role PlacementOperations master role holders are assigned automatically when the first domain controller in a given domain iscreated. The two forest-level roles (schema master and domain naming master) are assigned to the firstdomain controller created in a forest. In addition, the three domain-level roles (RID master, infrastructuremaster , and PDC emulator) are assigned to the first domain controller created in a domain .


adprep /domainprepMust be run on the infrastructure operations master for the domain.


You discover the following event in the Event log of client computers: "The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient willtry again in %1 minutes."

You need to ensure that the client computers can synchr onize their clocks properly .

What should you do?

A. Move the domain naming master role.B. Restart Active Directory Domain Services (AD DS) service.C. Move the PDC emulator role.D. Move the infrastructure master role.E. Move the global catalog server.F. Move the RID master role.G. Move the bridgehead server.H. Move the schema master role.I. Deploy an additional global catalog server.J. Install a read-only domain controller (RODC).


Explanation/Reference:It could be that the server holding the PDC Emulator role has failed. Whatever the cause, we need to move thePDC Emulator role to another domain controller to restore time synchronization in the domain.

Reference 1:http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=14&EvtSrc=w32time&LCID=1033

Event ID14

MessageThe time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will tryagain in %1 minutes.

ExplanationWindows Time Service is configured to use the domain hierarchy to locate its time source. It could not locatea domain controller that is a suitable time source . The time service will continue to search for an acceptabledomain controller. If the time service cannot locate a time source after the maximum number of attempts, theWin32Time 49 message will be logged.


PDC Emulator RoleThe PDC Emulator role performs multiple, crucial functions for a domain:

(...)Provides a master time source for the domain - Active Directory, Kerberos, File Replication Service(FRS) and Distributed File System Replication (DFS-R) each rely on timestamps, so synchronizing the timeacross all systems in a domain is crucial. The PDC emulator in the forest root domain is the time master forthe entire forest, by default. The PDC emulator in each domain synchronizes its time with the forest rootPDC emulator. Other domain controllers in the domain synchronize their clocks against that domain’s PDCemulator. All other domain members synchronize their time with their preferred domain controller. Thishierarchical structure of time synchronization, all implemented through the Win32Time service, ensuresconsistency of time. Coordinated Universal Time (UTC) is synchronized, and the time displayed to users isadjusted based on the time zone setting of the computer.

QUESTION 18Your network contains an Active Directory forest named contoso.com . The functional level of the forest is Windows Server 2008 R2 . The DNS zone for contoso.com is Active Directory-integrated .

You deploy a read-only domain controller (RODC) named RODC1.You install the DNS Server server role on RODC1 .You discover that RODC1 does not have any application d irectory partitions .

You need to ensure that RODC1 has a directory partition of contoso.com .

What should you do?

A. From DNS Manager, create secondary zones.B. Run Dnscmd.exe , and specify the /enlistdirectorypartition parameter.C. From DNS Manager, right-click RODC1 and click Update Server Data Files .D. Run Dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.



RODC Post-Installation ConfigurationIf you install DNS server after the AD DS installation, you must also enlist the RODC in the DNS applicationdirectory partitions. The RODC is not enlisted automatically in the DNS a pplication directory partitions bydesign because it is a privileged operation. If the RODC were allowed to enlist itself, it would havepermissions to add or remove other DNS servers that are enlisted in the application directory partitions.

To enlist a DNS server in a DNS application directo ry partition1. Open an elevated command prompt.2. At the command prompt, type the following command, and then press ENTER:

dnscmd <ServerName> /EnlistDirectoryPartition <FQDN >

For example, to enlist RODC01 in the domain-wide DNS application directory partition in a domain namedchild.contoso.com, type the following command:

dnscmd RODC01 /EnlistDirectoryPartition DomainDNSZo nes.child.contoso.com


You need to identify whether a fine-grained password po licy is applied to a specific group .


A. Credential ManagerB. Group Policy Management EditorC. Active Directory Users and ComputersD. Active Directory Sites and Services


Explanation/Reference:Practically the same question as K/Q7, different set of answers.

Use Active Directory Users and Computers to determine the value of the msDS-PSOApplied attribute of thespecific group:

1. Open the Properties windows for the group in Active Directory Users and Computers2. Click the Attribute Editor tab, and then click Filter3. Ensure that the Show attributes/Optional check box is selected.4. Ensure that the Show read-only attributes/Backlinks check box is selected.5. Locate the value of msDS-PSOApplied in the Attributes list.


Defining the scope of fine-grained password policie sA PSO can be linked to a user (or inetOrgPerson) or a group object that is in the same domain as the PSO:

(...)A new attribute named msDS-PSOApplied has been added to the user and group objects in WindowsServer 2008. The msDS-PSOApplied attribute contains a back-link to the PSO. Because the msDS-PSOApplied attribute has a back-link, a user or group can have multiple PSOs applied to it.

As stated previously, in Windows Server 2008, a user or group can have multiple PSOs applied to it since themsDS-PSOApplied attribute of the user and group objects has a back-link to the PSO.


You need to create one password policy for administrato rs and another password policy for all otherusers .


A. Group Policy Management EditorB. Group Policy Management Console (GPMC)C. Authorization ManagerD. Ldifde


Explanation/Reference:Same question as K/Q6, different set of answers.

Reference:http://technet.microsoft.com/en-US/library/cc754461.aspx

Creating a PSO using ldifdeYou can use the ldifde command as a scriptable alternative for creating PSOs.

To create a PSO using ldifde1. Define the settings of a new PSO by saving the following sample code as a file, for example, pso.ldf:

dn: CN=PSO1, CN=Password Settings Container,CN=Syst em,DC=dc1,DC=contoso,DC=comchangetype: addobjectClass: msDS-PasswordSettingsmsDS-MaximumPasswordAge:-1728000000000msDS-MinimumPasswordAge:-864000000000msDS-MinimumPasswordLength:8msDS-PasswordHistoryLength:24msDS-PasswordComplexityEnabled:TRUEmsDS-PasswordReversibleEncryptionEnabled:FALSEmsDS-LockoutObservationWindow:-18000000000msDS-LockoutDuration:-18000000000msDS-LockoutThreshold:0msDS-PasswordSettingsPrecedence:20msDS-PSOAppliesTo:CN=user1,CN=Users,DC=dc1,DC=conto so,DC=com

2. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.3. Type the following command, and then press ENTER:ldifde –i –f pso.ldf

QUESTION 21Your network contains two Active Directory forests named contoso.com and fabrikam.com . Each forest contains one domain .A two-way forest trust exists between the forests.

You plan to add users from fabrikam.com to groups in co ntoso.com .

You need to identify which group you must use to assign users in fabrikam.com access to the sharedfolders in contoso.com .

To which group should you add the users ?

A. Group 1: Security Group - Domain Local.B. Group 2: Distribution Group - Domain Local.C. Group 3: Security Group - Global.

D. Group 4: Distribution Group - Global.E. Group 5: Security Group - Universal.F. Group 6: Distribution Group - Univeral.


Explanation/Reference:This one is a bit tricky. According to Microsoft's advice we should put Users Accounts into a Global Group, thenadd the Global Group to a Universal Group, and then add the Universal Group to a Domain Local group whichis used to assigned permissions to. Microsoft calls this AGUDLP. See the reference below.

So, the users need to be put in a Global Group (answer C ("Group 3: Security Group - Global")), but it's theUniversal Group that travels across the forest trust (answer E ("Group 5: Security Group - Universal")).

Another way of looking at the question might be that they're asking what kind of group actually is assignedaccess to the shared folders. That would be a Domain Local security group, being answer A ("Group 1: SecurityGroup - Domain Local").

Because of Microsoft's advice I choose answer C ("G roup 3: Security Group - Global"). But it could jus tas well be A or E.

Again, it's tricky one.


Best practices for using security groups across for estsBy carefully using domain local, global, and universal groups, administrators can more effectively controlaccess to resources located in other forests. Consider the following best practices:

To represent the sets of users who need access to the same types of resources, create role-based globalgroups in every domain and forest that contains these users. For example, users in the Sales Department inForestA require access to an order-entry application that is a resource in ForestB. Account Departmentusers in ForestA require access to the same application, but these users are in a different domain. InForestA, create the global group SalesOrder and add users in the Sales Department to the group .Create the global group AccountsOrder and add users in the Accounting Department to that group.To group the users from one forest who require similar access to the same resources in a different forest,create universal groups that correspond to the global group roles. For example, in ForestA, create auniversal group called SalesAccountsOrders and add the global groups SalesOrder andAccountsOrder to the group .To assign permissions to resources that are to be accessed by users from a different forest, createresource-based domain local groups in every domain and use these groups to assign permissionson the resources in that domain . For example, in ForestB, create a domain local group calledOrderEntryApp. Add this group to the access control list (ACL) that allows access to the order entryapplication, and assign appropriate permissions.To implement access to a resource across a forest, add universal groups from trusted forests to thedomain local groups in the trusting forests . For example, add the SalesAccountsOrders universal groupfrom ForestA to the OrderEntryApp domain local group in ForestB.

QUESTION 22Your network contains an Active Directory domain . The domain contains 5,000 user accounts .

You need to disable all of the user accounts that have a description of Temp . You must achieve this goal by using the minimum amount of administrative effort .

Which tools should you use?

(Each correct answer presents part of the solution. Choose two .)

A. FindB. DsgetC. DsmodD. DsaddE. Net accountsF. Dsquery

Correct Answer: CFSection: (none)Explanation

Explanation/Reference:Here we can use Dsquery to find the accounts that have "Temp" as their description and pipe it through toDsmod to disable them. Should look like this:dsquery user domainroot -desc "Temp" | dsmod user - disabled yes


Dsquery userFinds users in the directory who match the search criteria that you specify. If the predefined search criteria inthis command are insufficient, use the more general version of the query command, dsquery *.

Syntaxdsmod user

ParametersdomainrootSpecifies the node in the console tree where the search starts. You can specify the forest root (forestroot),domain root (domainroot), or distinguished name of a node as the start node (<StartNode>). If you specifyforestroot, dsquery searches by using the global catalog. The default value is domainroot.

-desc <Description>Specifies the descriptions of the user objects you want to modify.

RemarksThe results from a dsquery search can be piped as input to one of the other directory service command-linetools, such as Dsget, Dsmod, Dsmove, or Dsrm.


Dsmod userModifies attributes of one or more existing users in the directory.

Syntaxdsmod user

Parameter-disabled {yes | no}Specifies whether AD DS disables user accounts for logon. The available values are yes and no. Yes indicatesthat AD DS disables user accounts for logon and no indicates that AD DS does not disable user accounts forlogon.


The domain contains two file servers .

The file servers are configured as shown in the following table:

You create a Group Policy object (GPO) named GPO1 and you link GPO1 to OU1 .You configure the advanced audit policy .You discover that the settings are not applied to Serve r1. The settings are applied to Server2 .

You need to ensure that access to the file shares on Ser ver1 is audited .

What should you do?

A. From Active Directory Users and Computers, modify the permissions of the computer account for Server1.B. From GPO1, configure the Security Options.C. From Active Directory Users and Computers, add Server1 to the Event Log Readers group.D. On Server1, run seceditexe and specify the /configure parameter.E. On Server1, run auditpol.exe and specify the /set parameter.


Explanation/Reference:Reference 1:http://technet.microsoft.com/en-us/library/ff182311.aspx

What are the differences in auditing functionality between versions of Windows?Basic audit policy settings are available in all versions of Windows since Windows 2000 and can be appliedlocally or by using Group Policy. Advanced audit policy settings were introduced in W indows Vista andWindows Server 2008, but the settings can only be a pplied by using logon scripts . In Windows 7 andWindows Server 2008 R2, advanced audit policy settings can be configured and applied by using local anddomain Group Policy settings.


Auditpol setSets the per-user audit policy, system audit policy, or auditing options.

QUESTION 24Your network contains an Active Directory domain named contoso.com .You have an organizational unit (OU) named Sales and an OU named Engineering . Each OU contains over 200 user accounts .The Sales OU and the Engineering OU contain several user accounts that are members of a universalgroup named Group1 .You have a Group Policy object (GPO) linked to the domain .

You need to prevent the GPO from being applied to the member s of Group1 only .

What should you do?

A. Modify the Group Policy permissions.B. Configure Restricted Groups.C. Configure WMI filtering.D. Configure the link order.E. Enable loopback processing in merge mode.F. Link the GPO to the Sales OU.G. Configure Group Policy Preferences.H. Link the GPO to the Engineering OU.I. Enable block inheritance.J. Enable loopback processing in replace mode.



Best way to handle this is how graimer from Norway desribed it in http://www.examcollection.com/microsoft/Microsoft.BrainDump.70-640.v2012-07-04.by.Andyfx.401q.vce.file.html

"GPOs are linked to OUs, not groups. Block inhertance blocks all inherited GPOs from being applied to the OU.The security filter will only help you specify groups. So you have two choices. You could remove authenticatedusers in the security filter and add groups containing everyone except group1 members(messy solution) or youcould leave authenticated users there, and specify group1 with deny apply gpo permission for the gpo(sincedeny will alwys win over allow)."

The reference below explains a situation where the GPO only needs to be applied to one group, it's the otherway around so to speak.

Reference:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)page 285, 286

Using Security Filtering to Modify GPO ScopeBy now, you’ve learned that you can link a GPO to a site, domain, or OU. However, you might need to applyGPOs only to certain groups of users or computers rather than to all users or computers within the scope of theGPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specificsecurity groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply GroupPolicy permissions to the GPO .

Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Readand Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to acomputer (for example, by its link to the computer’s OU), but the computer does not have Read and ApplyGroup Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriatepermissions for security groups, you can filter a GPO so that its settings apply only to the computers and usersyou specify.

Filtering a GPO to Apply to Specific GroupsTo apply a GPO to a specific security group, perform the following steps:4. Select the GPO in the Group Policy Objects container in the console tree.5. In the Security Filtering section, select the Authenticated Users group and click Remove.6. Click OK to confirm the change.7. Click Add.8. Select the group to which you want the policy to apply and click OK.

QUESTION 25Your network contains an Active Directory domain .You have two Group Policy objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the Finance organizational unit (OU) and contain multiple settings .

You discover that GPO2 has a setting that conflicts with a setting in GPO1 . When the policies are applied, the setting in GPO2 takes effect .

You need to ensure that the settings in GPO1 supersede the settings in GPO2 . The solution must ensure that all non-conflicting settin gs in both GPOs are applied .

What should you do?

A. Configure the link order.B. Configure Restricted Groups.C. Enable block inheritance.D. Link the GPO to the Finance OU.E. Enable Ioopback processing in merge mode.F. Enable Ioopback processing in replace mode.G. Link the GPO to the Human Resources OU.H. Configure Group Policy Preferences.I. Configure WMI filtering.J. Modify the Group Policy permissions.


Explanation/Reference:Practically the same as J/Q4 and K/Q3.




The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that areenabled or disabled in the Power User Configuration GPO have precedence over these same settings in theStandard User Configuration GPO.


GPO.

QUESTION 26You have a domain controller named DC1 that runs Windows Server 2008 R2 . DC1 is configured as a DNS server for contoso.com .

You install the DNS server role on a member server named Server1 and then you create a standardsecondary zone for contoso.com . You configure DC1 as the master server for the zone .

You need to ensure that Server1 receives zone updates from DC1.

What should you do?

A. On DC1, modify the permissions of contoso.com zone.B. On Server1, add a conditional forwarder.C. Add the Server1 computer account to the DNsUpdateProxy group.D. On DC1, modify the zone transfer settings for the contoso.com zone.


Explanation/Reference:Practically the same question as B/Q1 and K/Q45.







QUESTION 27A corporate network includes an Active Directory-integrated zone . AIl DNS servers that host the zone are domain controllers .


You need to ensure that the new records are available on al l DNS servers as soon as possible .


A. Active Directory Sites And Services consoleB. NtdsutilC. DnslintD. Nslookup


Explanation/Reference:Practically the same question as F/Q28, G/Q8, K/Q8, K/Q31, different set of answers sometimes.


Forcing ReplicationWhen you need updates to be replicated sooner than the intersite replication schedule allows, or whenreplication between sites is impossible because of configuration errors, you can force replication to and fromdomain controllers.

Forcing replication of all directory updates over a connectionIf you want to replicate certain updates, such as a significant addition of new passwords or user accounts, toanother domain controller in the domain, you can use the Replicate now option in the Active Directory Sitesand Services snap-in to force replication of all directory partitions over a connection object that representsinbound replication from a specific domain controller. A connection object for a server object that represents adomain controller identifies the replication partner from which the domain controller receives replication. If thechanges are made on one domain controller, you can select the connection from that domain controller andforce replication to its replication partner.

You can also use the Repadmin.exe command-line tool to replication changes from a server to one or moreother servers or to all servers.

QUESTION 28Your network contains an Active Directory domain named contoso.com . Contoso.com contains two domain controllers named DC1 and DC2. DC1 and DC2 are configured as DNS servers and host the Active Directory-integrated zone forcontoso.com .

From DNS Manager on DC1, you enable scavenging for the contoso.com zone .You discover stale DNS records in the zone .

You need to ensure that the stale DNS records are delet ed from contoso.com .

What should you do?

A. From DNS Manager, enable scavenging on DC1.B. From DNS Manager, reload the zone.C. Run dnscmd.exe and specify the ageallrecords parameter.D. Run dnscmd.exe and specify the startscavenging parameter.

Correct Answer: A


Explanation/Reference:According to Technet the answer should be A ("From DNS Manager, enable scavenging on DC1"). Scavenginghas been enabled for the zone, but it also needs te be enabled on the server.


Prerequisites for aging and scavengingBefore you can use the aging and scavenging features of DNS, several conditions must be met:

Scavenging and aging must be enabled, both at the DNS server and on the zone.(...)


You discover the following event in the Event log of domain controllers : " The request for a new account-identifier pool failed. The operation will be retried until the requestsucceeds. The error is " %1 " "

You need to ensure that the domain controllers can acqu ire new account-identifier pools successfully .

What should you do?

A. Move the domain naming master role.B. Move the global catalog server.C. Restart the Active Directory Domain Services (AD DS) service.D. Deploy an additional global catalog server.E. Move the infrastructure master role.F. Move the PDC emulator role.G. Install a read-only domain controller (RODC).H. Move the RID master role.I. Move the bridgehead server.J. Move the schema master role.



This error can occur when the server holding the RID master role is not available to provide a new RID pool.Moving the RID master role to another domain controller will resolve this.


Event ID 16651 — RID Pool RequestUsers, computers, and groups stored in Active Directory are collectively known as security principals. Eachsecurity principal is assigned a unique alphanumeric string called a SID. The SID includes a domain prefixidentifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the securityprincipal within the domain. The RID is a monotonically increasing number at the end of the SID.

Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holdsthe RID master role (also known as flexible single master operations or FSMO) in each Active Directorydomain. The RID master (also known as the RID pool manager, RID manager, or RID operations master) isresponsible for issuing a unique RID pool to each domain controller in its domain. By default, RID pools areobtained in increments of 500. (...) Newly promoted domain controllers must acquire a RID pool before they canadvertise their availability to Active Directory clients or share the SYSVOL. Existing domain controllers requireadditional RID allocations in order to continue creating security principals when their current RID pool becomesdepleted.

Event DetailsMessageThe request for a new account-identifier pool failed. The operation will be retried until the request succeeds.The error is " %1 "

ResolveCheck connectivity to the RID master, and check its replication statusA relative ID (RID) pool was not allocated to the local domain controller. Ensure that the local domaincontroller can communicate with the domain controll er that is identified as the RID operations master.Ensure that the RID master is online and replicatin g to other domain controllers.

QUESTION 30Your network contains an Active Directory domain named adatum.com . All servers run Windows Server 2008 R2 Enterprise . All client computers run Windows 7 Professional .

The network contains an enterprise certification authority (CA).You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted File System (EFS) certificates .All users plan to encrypt files by using EFS .

You need to ensure that the private keys for all new EF S certificates are archived .

Which snap-in should you use?

A. Share and Storage ManagementB. Security Configuration wizardC. Enterprise PKID. Active Directory Administrative CenterE. Certification AuthorityF. Group Policy ManagementG. Certificate TemplatesH. Authorization ManagerI. Certificates

Correct Answer: GSection: (none)Explanation

Explanation/Reference:Practically the same question as G/Q36.


Configure a Certificate Template for Key ArchivalThe key archival process takes place when a certificate is issued. Therefore, a certificate template must bemodified to archive keys before any certificates are issued based on this template.

Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificatetemplate in order to protect users from data loss, but it can also be useful when applied to other types ofcertificates.

To configure a certificate template for key archiva l and recovery1. Open the Certificate Templates snap-in .2. In the details pane, right-click the certificate template that you want to change, and then click Duplicate

Template.3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certification

authorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008,Windows 7, or Windows Vista.

4. In Template, type a new template display name, and then modify any other optional properties as needed.5. On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to,

and then click OK.6. Under Group or user names, select the user or group names that you just added. Under Permissions, select

the Read and Enroll check boxes, and if you want to automatically issue the certificate, also select theAutoenroll check box.

7. On the Request Handling tab, select the Archive subject's encryption private key check box .

QUESTION 31Your network contains an Active Directory domain named adatum.com . All servers run Windows Server 2008 R2 Enterprise . All client computers run Windows 7 Professional .

The network contains an enterprise certification authority (CA).You have a custom certificate template named Sales_Temp . Sales_Temp is published to the CA .

You need to ensure that all of the members of a group n amed Sales can enroll for certificates that useSales_Temp .


A. Enterprise PKIB. Certification AuthorityC. Share and storage ManagementD. Certificate TemplatesE. Security Configuration WizardF. Authorization ManagerG. Group Policy ManagementH. CertificatesI. Active Directory Administrative Center



Deploying Certificate TemplatesAfter creating a new certificate template, the next step is to deploy the certificate template so that a certificationauthority (CA) can issue certificates based on it. Deployment includes publishing the certificate template to oneor more CAs, defining which security principals have Enroll perm issions for the certificate template , anddeciding whether to configure autoenrollment for the certificate template.

To define permissions to allow a specific security principal to enroll for certificates based on acertificate template1. Open the Certificate Templates snap-in (Certtmpl.msc).2. In the details pane, right-click the certificate template you want to change, and then click Properties.3. On the Security tab, ensure that Authenticated users is assigned Read permissions. This ensures that all

authenticated users on the network can see the certificate templates.4. On the Security tab, click Add. Add a global group or universal group that contains all security

principals requiring Enroll permissions for the cer tificate template , and then click OK.5. On the Security tab, select the newly added security group, and then assign Allow for the Read and Enroll

permissions.6. Click OK.

Permission DesignUse the following recommendations for permissions assignments:

Assign permissions only to global groups or to universal groups. It is not recommended to assignpermissions to domain local groups. Domain local groups are only recognized in the domain where theyexist, and assigning permissions to them can result in inconsistent application of permissions. You shouldnot assign permissions directly to an individual user or computer account.(...)

QUESTION 32Your network contains an Active Directory forest named adatum.com . All domain controllers currently run Windows Server 2003 Service Pack 2 (SP2). The functional level of the forest and the domain is Windows Server 2003 .

You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2 .


A. Deploy a writable domain controller that runs Windows Server 2008 R2.B. Raise the functional level of the forest to Windows Server 2008.C. Run adprep.exe.D. Raise the functional level of the domain to Windows Server 2003.


Explanation/Reference:An RODC requires a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.So, whether you install the writable domain controller first or the Windows Server 2008 R2 server (your futureRODC), you have to run adprep.exe first to prepare the domain/forest for either domain controller.


Prerequisites for Deploying an RODCComplete the following prerequisites before you deploy a read-only domain controller (RODC):

Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication(LVR) is available. This provides a higher level of replication consistency. The domain functional level mustbe Windows Server 2003 or higher, so that Kerberos constrained delegation is available. If the forestfunctional level is Windows Server 2003, the domain functional level of all domains in the forest is WindowsServer 2003 or higher.Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that runWindows Server 2008 or Windows Server 2008 R2. The adprep commands extend the Active Directoryschema and update security descriptors so that you can add the new domain controllers.Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in

the same domain as the RODC and ensure that the writable domain controller is also a DNS server that hasregistered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate domainupdates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.

QUESTION 33Your network contains two Active Directory forests named contoso.com and nwtraders.com . Active Directory Rights Management Services (AD RMS) is deployed in each forest .

You need to ensure that users from the nwtraders.com fo rest can access AD RMS protected content inthe contoso.com forest .

What should you do?

A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.B. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.C. Create an external trust from nwtraders.com to contoso.com.D. Create an external trust from contoso.com to nwtraders.corn.


Explanation/Reference:Same question as F/Q44.


Using AD RMS trustIt is not necessary to create trust or federation relationships between the Active Directory forests oforganizations to be able to share rights-protected information between separate organizations. AD RMSprovides two types of trust relationships that provide this kind of rights-protected information exchange. Atrusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificatesor use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS rootcluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster totrust.

QUESTION 34Your network contains an Active Directory forest .All users have a value set for the Department attribute .From Active Directory Users and computers , you search a domain for all users who have a Departmentattribute value of Marketing . The search returns 50 users .From Active Directory Users and Computers , you search the entire directory for all users who have aDepartment attribute value of Marketing . The search does not return any users .

You need to ensure that a search of the entire director y for users in the marketing department returnsall of the users who have the Marketing Department attribute .

What should you do?

A. Install the Windows Search Service role service on a global catalog server.B. From the Active Directory Schema snap-in, modify the properties of the Department attribute.C. Install the Indexing Service role service on a global catalog server.D. From the Active Directory Schema snap-in, modify the properties of the user class.


Explanation/Reference:Same question as K/Q4.

Reference:http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx

Global Catalog Partial Attribute SetThe attributes that are replicated to the global catalog by default include a base set that have been defined byMicrosoft as the attributes that are most likely to be used in searches. Administrators can use the MicrosoftManagement Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet theneeds of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute tothe global catalog check box to designate an attributeSchema object as a member of the PAS, which sets thevalue of the isMemberOfPartialAttributeSet attribute to TRUE.

QUESTION 35A corporate network includes a single Active Directory Domain Services (AD DS) d omain .

The AD DS infrastructure is shown in the following graphic:

When the Montreal site domain controller is offline , authentication requests for Montreal branch officeusers are sent to the Toronto site domain controlle r.

You need to ensure that when the Montreal Site domain c ontroller is offline, authentication requests forMontreal branch office users are sent to the Quebec City site domain controller .

What should you do?

A. Create a site link bridge between the Montreal site and the Quebec City site.B. Enable the global catalog role on the Montreal site domain controller.C. Modify the Default Domain Policy Group Policy Object.D. Delete the Toronto-Montreal Site Link



Enable Clients to Locate a Domain Controller in the Next Closest SiteYou can modify the Default Domain Policy to enable Windows Vista and Windows Server 2008 clients in thedomain to locate domain controllers in the next closest site if no domain controller in their own site or theclosest site is available.

To enable clients to locate a domain controller in the next closest site1. Click Start, click Administrative Tools, and then click Group Policy Management.2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then

click Continue.3. Double-click Forest:forest_name, double-click Domains, and then double-click domain_name.4. Right-click Default Domain Policy, and then click E dit .5. In Group Policy Management Editor, in the console tree, go to Computer Configuration/Policies/

Administrative Templates/System/Netlogon/DC Locator DNS Records.6. In the details pane, double-click Try Next Closest Site, click Enabled, and then click OK.


Enabling Clients to Locate the Next Closest Domain ControllerIf you have a domain controller that runs Windows Server 2008 or Windows Server 2008 R2, you can make itpossible for client computers that run Windows Vista, Windows 7, Windows Server 2008, or Windows Server2008 R2 to locate domain controllers more efficiently by enabling the Try Next Closest Site Group Policysetting. This setting improves the Domain Controller Locator (DC Locator) by helping to streamline networktraffic, especially in large enterprises that have many branch offices and sites.

By default, the Try Next Closest Site setting is not enabled. When the setting is not enabled, DC Locator usesthe following algorithm to locate a domain controller:

Try to find a domain controller in the same site.If no domain controller is available in the same site, try to find any domain controller in the domain.

If you enable the Try Next Closest Site setting, DC Locator uses the following algorithm to locate a domaincontroller:

Try to find a domain controller in the same site.If no domain controller is available in the same site, try to find a domain controller in the next closest site. Asite is closer if it has a lower site-link cost than another site with a higher site-link cost.If no domain controller is available in the next closest site, try to find any domain controller in the domain.

QUESTION 36A corporate environment includes two Active Directory Domain Services (AD DS) forests , as shown in thefollowing table:

You need to ensure that users in the contoso.com domain can access resources in theeng.fabrikam.com domain .

What should you do?

A. Enable selective authentication.B. Enable forest-wide authentication.C. Create an external trust between contoso.com and eng.fabrikam.com.D. Enable domain-wide authentication.



Creating External TrustsYou can create an external trust to form a one-way or two-way, nontransitive trust with domains that areoutside your forest. External trusts are sometimes necessary when users need access to resources that arelocated in a Windows NT 4.0 domain or in a domain that is in a separate Active Directory Domain Services (ADDS) forest that is not joined by a forest trust.


You need to activate the Active Directory Recycle Bin i n the domain .


A. DsamainB. Set-ADDomainC. Add-WindowsFeatureD. Ldp




Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)Ldp.exe

QUESTION 38

Your network contains an Active Directory domain named contoso.com .

You need to create a script that runs the Best Practice s Analyzer (BPA) each week for all of the serverroles that BPA supports on each domain controller .You must achieve this goal by using the minimum amount of administrative effort .

Which tools should you use?(Each correct answer presents part of the solution. Choose three .)

A. Get-Troubleshooting Pack / Invoke-Troubleshooting Pack.B. Import-Module Best Practices.C. Get-BPA Model / Invoke-BPA Model.D. Import-Module Troubleshooting Pack.E. Get- BPA Result.

Correct Answer: BCESection: (none)Explanation

Explanation/Reference:Reference 1:http://technet.microsoft.com/en-us/library/dd759206.aspx

To scan all roles by using Windows PowerShell cmdle ts1. Open a Windows PowerShell session with elevated user rights.

2. Import the Server Manager module into your Windows PowerShell session. To import the Server Managermodule, type the following, and then press ENTER.

Import-Module ServerManager

3. Import the BPA module. Type the following, and then press Enter.Import-Module BestPractices

4. Pipe all roles for which BPA scans can be performed into the Invoke-BPAModel cmdlet to start scans.Get-BPAModel | Invoke-BPAModel


Get-BpaResultThe Get-BPAResult cmdlet allows you to retrieve and view the results of the most recent Best PracticesAnalyzer (BPA) scan for a specific model.

QUESTION 39A corporate network includes a single Active Directory Domain Services (AD DS) d omain . All regular user accounts reside in an organizational unit (OU) named Employees . All administrator accounts reside in an OU named Admins .

You need to ensure that any time an administrator modif ies an employee's name in AD DS, the changeis audited .


A. Enable the Audit directory service access setting in the Default Domain Controllers Policy Group PolicyObject.

B. Create a Group Policy Object with the Audit directory service access setting enabled and link it to theEmployees OU.

C. Enable the Audit directory service access setting in the Default Domain Policy Group Policy Object.D. Modify the searchFlags property for the User class in the schema.



To audit changes made to objects in AD DS we have to use Directory Service Changes auditing, whichindicates the old and new values of the changed properties of the objects that were changed. DirectoryService Changes auditing is a subcategory of Audit directory service access , and is not enabled by default.To use it we have to enable it first, and we can do that specifically for Directory Service Changes by usingauditpol.exe, or we can use Group Policy Management to enable Audit directory service access , whichenables all subcategories, including Directory Service Changes . You do this by modifying the DefaultDomain Controllers Policy .


In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access,that controlled whether auditing for directory service events was enabled or disabled. In Windows Server 2008,this policy is divided into four subcategories :

Directory Service AccessDirectory Service ChangesDirectory Service ReplicationDetailed Directory Service Replication

This step includes procedures to enable change audi ting with either the Windows interface or acommand line:By using Group Policy Management, you can turn on the global audit policy, Audit directory service access ,which enables all the subcategories for AD DS auditing.

To enable the global audit policy using the Windows interface1. Click Start, point to Administrative Tools, and then Group Policy Management.2. In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your

domain, double-click Domain Controllers, right-click Default Domain Controllers Policy , and then clickEdit.

3. Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click SecuritySettings, double-click Local Policies, and then click Audit Policy.

4. In the details pane, right-click Audit directory service access , and then click Properties.5. Select the Define these policy settings check box.6. Under Audit these attempts, select the Success, check box, and then click OK.


The Administrator deletes an OU named OU1 accidentally .

You need to restore OU1 .

Which cmdlet should you use?

A. Get-ADObject cmdlet.B. Get-ADOrganizationalUnit cmdlet.C. Get-ADUser cmdlet.D. Get-ADGroup cmdlet.



Restoring a deleted Active Directory object using t he Get-ADObject and Restore-ADObject cmdletsYou can also restore a deleted Active Directory object by using the Get-ADObject and Restore-ADObjectActive Directory module for Windows PowerShell cmdlets. The recommended approach is to use the Get-ADObject cmdlet to retrieve the deleted object and then pass that object through the pipeline to the Restore-ADObject cmdlet.



You have a Group Policy Object (GPO) linked to the domain .

You need to ensure that the settings in the GPO are not processed by user accounts or computeraccounts in the Finance organizational unit (OU) . You must achieve this goal by using the minimum amount of administrative effort .

What should you do?

A. Modify the Group Policy Permission.B. Configure WMI filtering.C. Enable block inheritance.D. Enable loopback processing in replace mode.E. Configure the link order.

F. Configure Group Policy Preferences.G. Link the GPO to the Human Resources OU.H. Configure Restricted Groups.I. Enable loopback processing in merge mode.J. Link the GPO to the Finance OU.


Explanation/Reference:Thanks to Wesley for pointing out the exhibit was missing!

Same question as J/Q3, slightly different answers.


Block InheritanceYou can block inheritance for a domain or organizational unit . Blocking inheritance prevents Group Policyobjects (GPOs) that are linked to higher sites, domains, or organizational units from being automaticallyinherited by the child-level.

QUESTION 42Your network contains an Active Directory domain named contoso.com.You have an organizational unit (OU) named Sales and an OU named Engineering .You have two Group Policy objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the Sales OU and contain multiple settings .

You discover that GPO2 has a setting that conflicts wit h a setting in GPO1 . When the policies are applied, the setting in GPO2 takes effect .

You need to ensure that the settings in GPO1 supersede the settings in GPO2 . The solution must ensure that all non-conflicting setti ngs in both GPOs are applied .

What should you do?

A. Configure Restricted Groups.B. Configure the link order.C. Link the GPO to the Sales OU.D. Link the GPO to the Engineering OU.E. Enable loopback processing in merge mode.F. Modify the Group Policy permissions.G. Configure WMI Filtering.H. Configure Group Policy Preferences.I. Enable loopback processing in replace mode.J. Enable block inheritance.


Explanation/Reference:Practically the same as J/Q4 and J/Q22.




The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that areenabled or disabled in the Power User Configuration GPO have precedence over these same settings in theStandard User Configuration GPO.


GPO.

QUESTION 43Your network contains an Active Directory forest .All users have a value set for the Department attribute .From Active Directory Users and Computers , you search a domain for all users who have a Departmentattribute value of Marketing . The search returns 50 users .From Active Directory Users and Computers , you search the entire directory for all users who have aDepartment attribute value of Marketing .The search does not return any users .

You need to ensure that a search of the entire director y for users in the marketing department returnsall of the users who have the Marketing Department attribute .

What should you do?

A. Install the Windows Search Service role service on a global catalog server.B. From the Active Directory Schema snap-in modify the properties of the Department attribute.C. Install the Indexing Service role service on a global catalog server.D. From the Active Directory Schema snap-in modify the properties of the user class.




Global Catalog Partial Attribute SetThe attributes that are replicated to the global catalog by default include a base set that have been defined byMicrosoft as the attributes that are most likely to be used in searches. Administrators can use the MicrosoftManagement Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet theneeds of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute tothe global catalog check box to designate an attributeSchema object as a member of the PAS, which sets thevalue of the isMemberOfPartialAttributeSet attribute to TRUE.


You discover the following event in the Event log of domain controllers : "The request for a new account-identifier pool failed. The operation will be retried until the requestsucceeds. The error is " %1 ""

You need to ensure that the domain controllers can acqu ire new account-identifier pools successfully .

What should you do?

A. Move the PDC emulator role.B. Move the schema master role.C. Move the global catalog server.D. Move the domain naming master role.E. Move the infrastructure master role.F. Move the RID master role.G. Restart the Active Directory Domain Services (AD DS) service.H. Deploy an additional global catalog server.I. Move the bridgehead server.J. Install a read-only domain controller (RODC).

Correct Answer: FSection: (none)Explanation

Explanation/Reference:Practically the same question as J/Q26.

This error can occur when the server holding the RID master role is not available to provide a new RID pool.Moving the RID master role to another domain controller will resolve this.


Event ID 16651 — RID Pool RequestUsers, computers, and groups stored in Active Directory are collectively known as security principals. Eachsecurity principal is assigned a unique alphanumeric string called a SID. The SID includes a domain prefixidentifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the securityprincipal within the domain. The RID is a monotonically increasing number at the end of the SID.

Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holdsthe RID master role (also known as flexible single master operations or FSMO) in each Active Directorydomain. The RID master (also known as the RID pool manager, RID manager, or RID operations master) is

responsible for issuing a unique RID pool to each domain controller in its domain. By default, RID pools areobtained in increments of 500. (...) Newly promoted domain controllers must acquire a RID pool before they canadvertise their availability to Active Directory clients or share the SYSVOL. Existing domain controllers requireadditional RID allocations in order to continue creating security principals when their current RID pool becomesdepleted.

Event DetailsMessageThe request for a new account-identifier pool failed. The operation will be retried until the request succeeds.The error is " %1 "

ResolveCheck connectivity to the RID master, and check its replication statusA relative ID (RID) pool was not allocated to the local domain controller. Ensure that the local domaincontroller can communicate with the domain controll er that is identified as the RID operations master.Ensure that the RID master is online and replicatin g to other domain controllers.


You need to create one password policy for administrato rs and another password policy for all otherusers .


A. NtdsutilB. Active Directory Users and ComputersC. ADSI EditD. Group Policy Management Console (GPMC)



Reference:http://technet.microsoft.com/en-US/library/cc754461.aspx

Creating a PSO using ADSI EditActive Directory Service Interfaces Editor (ADSI Edit) provides a view of every object and attribute in an ActiveDirectory Domain Services (AD DS) forest. You can use ADSI Edit to query, view, and edit AD DS objects andattributes.

To create a PSO using ADSI Edit1. Click Start, click Run, type adsiedit.msc, and then click OK.2. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.3. In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO,

and then click OK.4. Double-click the domain.5. Double-click DC=<domain_name>.6. Double-click CN=System.7. Click CN=Password Settings Container. All the PSO objects that have been created in the selected domain

appear.8. Right-click CN=Password Settings Container, click New, and then click Object.9. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.10. In Value, type the name of the new PSO, and then click Next.

11.Continue with the wizard, and enter appropriate values for all mustHave attributes.


You need to identify whether a fine-grained password po licy is applied to a specific group .


A. Active Directory Sites and ServicesB. Authorization ManagerC. Local Security PolicyD. ADSI Edit


Explanation/Reference:Practically the same question as J/Q16, different set of answers.

Use ADSI Edit to determine the value of the msDS-PSOApplied attribute of the specific group:

1. Open the Properties windows for the group in ADSI Edit2. On the Attribute Editor tab click Filter3. Ensure that the Show attributes/Optional check box is selected.4. Ensure that the Show read-only attributes/Backlinks check box is selected.5. Locate the value of msDS-PSOApplied in the Attributes list.


Defining the scope of fine-grained password policie sA PSO can be linked to a user (or inetOrgPerson) or a group object that is in the same domain as the PSO:

(...)A new attribute named msDS-PSOApplied has been added to the user and group objects in WindowsServer 2008. The msDS-PSOApplied attribute contains a back-link to the PSO. Because the msDS-PSOApplied attribute has a back-link, a user or group can have multiple PSOs applied to it.

As stated previously, in Windows Server 2008, a user or group can have multiple PSOs applied to it since themsDS-PSOApplied attribute of the user and group objects has a back-link to the PSO.

QUESTION 47A corporate network includes an Active Directory-integrated zone . All DNS servers that host the zone are domain controllers .


You need to ensure that the new records are available o n all DNS servers as soon as possible .


A. RepadminB. Active Directory Domains and Trusts consoleC. LdpD. Ntdsutil


Explanation/Reference:Practically the same question as F/Q28, G/Q8, J/Q24, K/Q31 , different set of answers sometimes.









QUESTION 48Your network contains an Active Directory forest named contoso.com . The forest contains two domains named contoso.com and child.contoso.com . The forest contains two sites named Seattle and Denver . Both sites contain users , client computers , and domain controllers from both domains .

The Seattle site contains the first domain controller deployed to the forest. The Seattle site also contains the primary domain controller (PDC) emulator for both domains . All of the domain controllers are configured as DNS servers . All DNS zones are replicated to all of the domain controllers in the forest .

The users in the Denver site report that is takes a long time to log on to their client computer when theyuse their user principal name (UPN). The users in the Seattle site do not experience the same issue .

You need to reduce the amount of time it takes for the Denv er users to log on to their client computerby using their UPN .

What should you do?

A. Reduce the cost of the site link between the Denver site and the Seattle site.B. Enable the global catalog on a domain controller in the Denver site.C. Enable universal group membership caching in the Denver site.D. Move a PDC emulator to the Denver site.E. Reduce the replication interval of the site link between the Denver site and the Seattle site.F. Add an additional domain controller to the Denver site.


Explanation/Reference:Quite similar to K/Q39.


Common Global Catalog ScenariosThe following events require a global catalog server:

(...)User logon . In a forest that has more than one domain, two conditions require the global catalog duringuser authentication:

1. When a user principal name (UPN) is used at logon and the forest has more than one domain, a globalcatalog server is required to resolve the name.

2. (...)

QUESTION 49Your network contains two Active Directory forests named contoso.com and fabrikam.com . Each forest contains a single domain .A two-way forest trust exists between the forests. Selective authentication is enabled on the trust .

Contoso.com contains a group named Group1 .Fabrikam.com contains a server named Server1 .

You need to ensure that users in Group1 can access reso urces on Server1 .

What should you modify ?

A. the permissions of the Group1 groupB. the UPN suffixes of the contoso.com forestC. the UPN suffixes of the fabrikam.com forestD. the permissions of the Server1 computer account


Explanation/Reference:Group1 must get the 'Allowed To Authenticate' permission on Server1, so I'd go for A, as given.Answer D may sound tempting, but it speaks of permissions of the Server1 computer account.

Reference:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)pages 643, 644

After you have selected Selective Authentication for the trust, no trusted users will be able to access resourcesin the trusting domain, even if those users have been given permissions. The users must also be assignedthe Allowed To Authenticate permission on the compu ter object in the domain .

1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features isselected on the View menu.

2. Open the properties of the computer to which trusted users should be allowed to authenticate—that is, thecomputer that trusted users will log on to or that contains resources to which trusted users have been given

permissions.3. On the Security tab, add the trusted users or a gro up that contains them and select the Allow check

box for the Allowed To Authenticate permission.

QUESTION 50Your network contains an Active Directory domain named contoso.com .You have an organizational unit (OU) named Sales and an OU named Engineering .

Users in the Sates OU frequently log on to client c omputers in the Engineering OU .

You need to meet the following requirements :All of the user settings in the Group Policy objects (GPOs) linked to both the Sales OU and theEngineering OU must be applied to sales users when they log on to client computers in theEngineering OU .Only the policy settings in the GPOs linked to the Sales OU must be applied to sales users whenthey log on to client computers in the Sales OU .Policy settings in the GPOs linked to the Sales OU must not be applied to users in the EngineeringOU.

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Sales OU.J. Link the GPO to the Engineering OU.


Explanation/Reference:Very similar question to L/Q6.

We have to use loopback processing in merge mode if we want all User Configuration settings from the GPO'sthat are linked to the Sales OU and the Engineering OU to be applied.


Loopback processing with merge or replaceSetting loopback causes the User Configuration settings in GPOs that apply to the computer to be applied toevery user logging on to that computer, instead of (in replace mode) or in addition to (in merge mode) the UserConfiguration settings of the user. This allows you to ensure that a consistent set of policies is applied to anyuser logging on to a particular computer, regardless of their location in Active Directory.

Loopback can be set to Not Configured, Enabled, or Disabled. In the Enabled state, loopback can be set toMerge or Replace. In either case the user only receives user-related policy settings.

Loopback with Replace—In the case of Loopback with Replace, the GPO list for the user is replaced in itsentirety by the GPO list that is already obtained for the computer at computer startup (during step 2 in GroupPolicy processing and precedence). The User Configuration settings from this list are applied to the user.Loopback with Merge —In the case of Loopback with Merge, the Group Policy object list is a

concatenation. The default list of GPOs for the user object is obtained, as normal, but then the list of GPOsfor the computer (obtained during computer startup) is appended to this list. Because the computer's GPOsare processed after the user's GPOs, they have precedence if any of the settings conflict.

Reference 2:http://kudratsapaev.blogspot.in/2009/07/loopback-processing-of-group-policy.html

For a clear and easy explanation of Loopback Processing. Recommended!

Reference 3:Windows Server 2008 R2 Unleashed (SAMS, 2010)page 1028

Loopback ProcessingWhen a user is processing domain policies, the policies that apply to that user are based on the location of theuser object in the Active Directory hierarchy. The same goes for domain policy application for computers. Thereare situations, however, when administrators or organizations want to ensure that all users get the same policywhen logging on to a particular computer or server. For example, on a computer that is used for training or on aRemote Desktop Session Host, also known as a Terminal Server, when the user desktop environment must bethe same for each user, this can be controlled by enabling loopback processing in Replace mode on a policythat is applied to the computer objects.

To explain a bit further, if a domain policy has the loopback settings enabled and set to Replace mode, anysettings defined within that policy in the User Configuration node are applied to all users who log on to thecomputer this particular policy is applied to. When loopback processing is enabled and configured in Mergemode on a policy applied to a computer object and a user logs on, all of the user policies are applied and thenall of the user settings within the policy applied to the computer object are also applied to the user. This ensuresthat in either Replace or Merge mode, loopback processing applies the settings contained in the computer-linked policies last.

QUESTION 51You have an Active Directory domain named contoso.com .

You need to view the account lockout threshold and dura tion for the domain .


A. Computer ManagementB. Net ConfigC. Active Directory Users and ComputersD. Gpresult


Explanation/Reference:Same question as K/Q44.

Hard to find references for this one. I checked the steps below on a virtual lab.

You can see the required settings when you:1. Open Active Directory Users and Computers2. Go to View in the menubar and make sure "Advanced Features"is checked.3. Right click on the domain and choose Properties4. On the Attribute Editor tab click on Filter5. Ensure that the Show attributes/Optional check box is selected.6. In the Attributes list locate lockoutThreshold and lockoutDuration .

Played with the settings in the Group Policy Management Editor and the settings were reflected in the stepsabove every time.

QUESTION 52Your network contains an Active Directory forest . The forest contains two domains named contoso.com and east.contoso.com . The contoso.com domain contains a domain controller named DC1. The east.contoso.com domain contains a domain controller named DC2. DC1 and DC2 have the DNS Server server role install ed.

You need to create a DNS zone that is available on DC1 and DC2 . The solution must ensure that zone transfers are encryp ted .

What should you do?

A. Create a primary zone on DC1 and store the zone in a zone file. On DC1 and DC2, configure inbound rulesand outbound rules by using Windows Firewall with Advanced Security. Create a secondary zone on DC2and select DC1 as the master.

B. Create a primary zone on DC1 and store the zone in a DC=ForestDNSZones, DC=Contoso, DC=comnaming context.

C. Create a primary zone on DC2 and store the zone in a DC= DC=East, DC=Contoso, DC=com namingcontext. Create a secondary zone on DC1 and select DC2 as the master.

D. Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for the zone. Create asecondary zone on DC2 and select DC1 as the master.


Explanation/Reference:This one looks a bit like question A/Q15, in which we had two domain controllers, one having a primary zone,and the second with the secondary zone. We needed to ensure that the replication of the zone was encrypted.The solution was to use an Active Directory-integrated zone, and it makes sense to apply that here too.

IPsec could be a valid option too, but is not listed.

DNSSEC is used to sign DNS responses between servers and clients, not to encrypt zone transfers.


Securing DNS Zone Replication

Using Active Directory ReplicationReplicating zones as part of Active Directory replication provides the following security benefits:

Active Directory replication traffic is encrypted; therefore zone replication traffic is encryptedautomatically .(...)

Reference 2:http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created byDNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNSresolver is able to check if the information is identical (correct and complete) to the information on theauthoritative DNS server.

DNSSEC does not provide confidentiality of data; in particular, al l DNSSEC responses are

authenticated but not encrypted.

Reference 3:http://www.efficientip.com/dnssec

It is important to note that DNSSEC does not supply a solution for data confidentiality but only avalidation of DNS data authenticity and integrity. All information exchanged is not encrypted; it is only thesignature which is encrypted.


Zone transfersZone transfers of a DNSSEC-signed zone function in the same way they do for an unsigned zone. All of theresource records, including DNSSEC resource records, are transferred from the primary server to thesecondary servers with no additional setup requirements.

Reference 5:http://technet.microsoft.com/en-us/library/jj200221.aspx

Overview of DNSSECDomain Name System Security Extensions (DNSSEC) is a suite of extensions that adds security to the DNSprotocol by providing the ability for DNS servers to validate DNS responses. With DNSSEC, resource recordsare accompanied by digital signatures. These digital signatures are generated when DNSSEC is applied to aDNS zone using a process called zone signing. When a resolver issues a DNS query for resource record in asigned zone, a digital signature is returned with the response so that validation can be performed. If validation issuccessful, this proves that the data has not been modified or tampered with in any way.

QUESTION 53Your network contains an Active Directory domain named adatum.com .All servers run Windows Server 2008 R2 .The network contains an enterprise certification authority (CA) .

You need to ensure that all of the members of a group n amed Managers can view the event log entriesfor Certificate Services .


A. Active Directory Administrative CenterB. Authorization ManagerC. Certificate TemplatesD. CertificatesE. Certification AuthorityF. Enterprise PKIG. Group Policy ManagementH. Security Configuration WizardI. Share and Storage Management


Explanation/Reference:All credit goes to Luffy for correcting this one!

Practically the same as G/Q37.

We can make the Group1 group a member of the Event Log Readers Group , giving them read access to allevent logs, thus including the Certificate Services events. We can do that by using Group PolicyManagement .

Reference 1:It's a bit hard to find some good, clear reference for this. There's nothing wrong with doing it yourself, so here'swhat I did in VMWare, using a domain controller and a member server. Click along if you want!

In VMWare I have setup a domain controller, DC01 and a member server MEM01, both belonging to thecontoso.com domain. I have placed MEM01 in an OU named Events. I have created a global security group,named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM01.

1. Start the Group Policy Management console on DC01.2. Right-click the Events OU and choose "Create a GPO in this domain, and Link it here..."3. I named the GPO "EventLog_TESTGROUP"4. Right-click the "EventLog_TESTGROUP" GPO and choose "Edit..."5. Go to Computer Configuration \ Policies\ Windows Settings \ Security Settings and select "Restricted

Groups"6. Right-click "Restricted Groups" and choose "Add Group..."7. Now there are two ways to do this. We can select TESTGROUP and make it a member of the Event Log

Readers group, or we can select the Event Log Readers group and add TESTGROUP as a member. Let'sdo the second one. Click the Browse button and go find the Event Log Readers group. Click OK.

8. Click the Browse button next to "Members of this group", search for the TESTGROUP group and add it.

It should look like this now:

9. Click OK.10.On MEM01 open a command prompt and run gpupdate /force .11.Check the Event Log Readers group properties and see that the TESTGROUP group is now a member.

Reference 2:http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx

Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008

So if you want to give Non-Administrator users access remotely to Event logs if the Servers or DomainControllers they are accessing are Windows 2003 follow the steps below.

(...)

Windows 2008 is much easier as long as you are giving the users and groups in question read access to all

event logs. If that is the case just add them to the Built in Event Log Readers group .

QUESTION 54Your network contains an Active Directory domain named adatum.com . All servers run Windows Server 2008 R2 Enterprise . All client computers run Windows 7 Professional .The network contains an enterprise certification authority (CA) .

You need to approve a pending certificate request .


A. Active Directory Administrative CenterB. Authorization ManagerC. Certificate TemplatesD. CertificatesE. Certification AuthorityF. Enterprise PKIG. Group Policy ManagementH. Security Configuration WizardI. Share and Storage Management


Explanation/Reference:Practically the same question as G/Q40.

Reference 1:http://technet.microsoft.com/de-de/library/ff849263.aspx

To issue a pending certificate request:1. Log on to your root CA by using an account that is a certificate manager.2. Start the Certification Authority snap-in .3. In the console tree, expand your root CA, and click Pending Certificates.4. In the details pane, right-click the pending CA certificate, and click Issue.

QUESTION 55Your network contains an Active Directory domain named contoso.com .You have an organizational unit (OU) named Sales and an OU named Engineering .You have a Group Policy object (GPO) linked to the domain .

You need to ensure that the settings in the GPO are not processed by user accounts or computeraccounts in the Sales OU . You must achieve this goal by using the minimum amount of administrative effort .

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.

G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Sales OU.J. Link the GPO to the Engineering OU.



Block InheritanceYou can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policyobjects (GPOs) that are linked to higher sites, domains, or organizational units from being automaticallyinherited by the child-level.

QUESTION 56A corporate network includes a single Active Directory Domain Services (AD DS) d omain . The domain contains 10 domain controllers . The domain controllers run Windows Server 2008 R2 and are configured as DNS servers .

You plan to create an Active Directory-integrated zone .

You need to ensure that the new zone is replicated to o nly four of the domain controllers .


A. Use the ntdsutil tool to modify the DS behavior for the domain.B. Use the ntdsutil tool to add a naming context.C. Create a new delegation in the ForestDnsZones application directory partition.D. Use the dnscmd tool with the /zoneadd parameter.


Explanation/Reference:Practically the same question as A/Q50 and D/Q25, different set of answers.

To control which servers get a copy of the zone we have to store the zone in an application directory partition.That application directory partition must be created before we create the zone, otherwise it won't work. So that'swhat we have to do first. Directory partitions are also called naming contexts and we can create one usingntdsutil .



Store Data in an AD DS Application PartitionYou can store Domain Name System (DNS) zones in the domain or application directory partitions of ActiveDirectory Domain Services (AD DS). An application directory partition is a data structure in AD DS thatdistinguishes data for different replication purposes. When you store a DNS zone in an application directo rypartition, you can control the zone replication sco pe by controlling the replication scope of the

application directory partition.









QUESTION 57Your network contains an Active Directory domain named contoso.com . Contoso.com contains a writable domain controller named DC1 and a read-only domain controller(RODC) named DC2. All domain controllers run Windows Server 2008 R2 .

You need to install a new writable domain controller na med DC3 in a remote site . The solution must minimize the amount of replication tr affic that occurs during the installation ofActive Directory Domain Services (AD DS) on DC3 .


A. Run dcpromo.exe /createdcaccount on DC3.B. Run ntdsutil.exe on DC2.C. Run dcpromo.exe /adv on DC3.D. Run ntdsutil.exe on DC1.


Explanation/Reference:We can run dcpromo.exe /adv on DC3 to install a new writable domain controller using the Install From Media

(IFM) option. That way there is less replication traffic. But before we can do that we have to create theinstallation media first. I suspect that's what they mean when they say "What should you do first? " So first wecreate the installation media, then we use the installation media to install DC3.

Technet gives us instructions on how to create the installation media. It says:

"You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you arecreating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directorydata over the network. This helps you install additional domain controllers in remote sites more efficiently."

"You must use writeable domain controller installation media to install a writeable domain controller. You cancreate writeable domain controller installation med ia only on a writeable domain controller ."

Since DC2 in answer B is a read-only domain controller, that leaves us with answer D ("Run ntdsutil.exe onDC1").


[Used for the information above]

[Some extra info on using IFM to install the DC:]

Reference 2:http://http://technet.microsoft.com/en-us/library/cc732887.aspx

dcpromo /advPerforms an install from media (IFM) operation.

Reference 3:http://http://technet.microsoft.com/en-us/library/cc816722.aspx

Installing an Additional Domain Controller by Using IFMWhen you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, youcan reduce the replication traffic that is initiated during the installation of an additional domain controller in anActive Directory domain. Reducing the replication traffic reduces the time that is necessary to install theadditional domain controller.

QUESTION 58Your network contains an Active Directory forest . The forest contains 10 domains . All domain controllers are configured as global catalog servers .

You remove the global catalog role from a domain controller named DC5.

You need to reclaim the hard disk space used by the glo bal catalog on DC5 .

What should you do?

A. From Active Directory Sites and Services, run the Knowledge Consistency Checker (KCC).B. From Active Directory Sites and Services, modify the general properties of DC5.C. From Ntdsutil, use the Semantic database analysis option.D. From Ntdsutil, use the Files option.


Explanation/Reference:Reference 1:http://http://technet.microsoft.com/en-us/library/cc816618.aspx

Database defragmentationIn cases in which the data decreases significantly, such as when the global catalog is removed from a domaincontroller, free disk space is not automatically returned to the file system. Although this condition does notaffect database operation, it does result in large amounts of free disk space in the database. To decrease thesize of the database file by returning free disk space from the database file to the file system, you can performan offline defragmentation of the database. Whereas online defragmentation occurs automatically while AD DSis running, offline defragmentation requires taking the domain controller offline and using the Ntdsutil.execommand-line tool to perform the procedure.


To perform offline defragmentation of the directory database

1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and thenclick Run as administrator. If the User Account Control dialog box appears, provide credentials, if required,and then click Continue.

2. At the command prompt, type the following command, and then press ENTER: net stop ntds3. Type Y to agree to stop additional services, and then press ENTER.4. At the command prompt, type ntdsutil, and then press ENTER.5. At the ntdsutil prompt, type activate instance ntds , and then press ENTER.6. At the ntdsutil prompt, type files, and then press ENTER.7. (...)





A. LdpB. RepadminC. NtdsutilD. NslookupE. Active Directory Sites And Services consoleF. Active Directory Domains And Trusts consoleG. DnslintH. Dnscmd


Explanation/Reference:Practically the same question as F/Q28, J/Q24, K/Q8, K/Q31, different set of answers sometimes.









QUESTION 60You have a DNS zone that is stored in a custom application partition .

You need to add a domain controller to the replication scope of the custom application partition .


A. DNScmdB. DNS ManagerC. Server ManagerD. Dsmod



After you create a Domain Name System (DNS) application directory partition to store a zone, you must enlistthe DNS server that hosts the zone in the application directory partition.

To enlist a DNS server in a DNS application directo ry partition1. Open a command prompt.2. Type the following command, and then press ENTER: dnscmd <ServerName> /

EnlistDirectoryPartition <FQDN>

QUESTION 61Your network contains a server named Server1 that runs Windows Server 2008 R2 Standard . Server1 has the Active Directory Certificate Services (AD CS) role installed .

You configure a certificate template named Template1 for autoenrollment . You discover that certificates are not being issued to any client computers . The event logs on the client computers do not contain any autoenrollment errors .

You need to ensure that all of the client computers aut omatically receive certificates based onTemplate1 .

What should you do?

A. Modify the Default Domain Policy Group Policy object (GPO).B. Modify the Default Domain Controllers Policy Group Policy object (GPO).C. Upgrade Server1 to Windows Server 2008 R2 Enterprise.D. Restart Certificate Services on Server1.



Configure Certificate AutoenrollmentMany certificates can be distributed without the client even being aware that enrollment is taking place. Thesecan include most types of certificates issued to computers and services, as well as many certificates issued tousers.

To automatically enroll clients for certificates in a domain environment, you must:Configure a certificate template with Autoenroll permissions.Configure an autoenrollment policy for the domain.

To configure autoenrollment Group Policy for a doma in1. On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to

Administrative Tools, and then click Group Policy Management.2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default

Domain Policy Group Policy object (GPO) that you want to edit.3. (...)

QUESTION 62Your network contains a server that has the Active Directory Lightweight Directory Services (AD LDS) roleinstalled .

You need to perform an automated installation of an AD LDS instance .


A. Dism.exeB. Servermanagercmd.exeC. Adaminstall.exeD. Ocsetup.exe



To perform an unattended install of an AD LDS insta nce

1. Create a new text file by using any text editor.2. Specify the installation parameters.3. At a command prompt (or in a batch or script file), change to the drive and directory that contains the AD

LDS setup files.4. At the command prompt, type the following command, and then press ENTER: %systemroot%\ADAM

\ adaminstall.exe /answer:drive:\<pathname>\<filename>.txt"

QUESTION 63Your network contains an Active Directory domain named contoso.com . A partner company has an Active Directory domain named nwtraders.com . The networks for contoso.com and nwtraders.com connect to each other by using a WAN link .

You need to ensure that users in contoso.com can access resources in nwtraders.com and resourceson the Internet .


A. Modify the Trusted Root Certification Authorities store.B. Modify the Intermediate Certification Authorities store.C. Create conditional forwarders.D. Add a root hint to the DNS server.


Explanation/Reference:Reference:MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)pages 114-115

Conditional ForwardersYou can configure a DNS server as a conditional forwarder. This is a DNS server that handles name resolutionfor specified domains only. In other words, the local DNS server will forward all the queries that it receives fornames ending with a specific domain name to the conditional forwarder. This is especially useful in situationswhere users in your company need access to resources in a nother company with a separate AD DSforest and DNS zones, such as a partner company . In such a case, specify a conditional forwarder thatdirects such queries to the DNS server in the partner company while other queries are forwarded to theInternet . Doing so reduces the need for adding secondary zones for partner companies on your DNS servers.

QUESTION 64Your network contains an Active Directory forest . The forest contains multiple domains .

You need to ensure that users in the human resources de partment can search for employees by usingthe employeeNumber attribute .

What should you do?

A. From Active Directory Sites and Services, modify the properties of each global catalog server.B. From the Active Directory Schema snap-in, modify the properties of the user object class.C. From Active Directory Sites and Services, modify the NTDS Settings objectof each global catalog server.D. From the Active Directory Schema snap-in, modify the properties of the employeeNumber attribute.


Explanation/Reference:Reference:http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx

Global Catalog Replication of Additions to the Part ial Attribute SetEach global catalog server in an AD DS forest hosts a copy of every existing object in that forest. For theobjects of its own domain, a global catalog server has information related to all attributes that are associatedwith those objects. For the objects in domains other than its own, a global catalog server has only informationthat is related to the set of attributes that are marked in the AD DS schema to be included in the partial attributeset (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to beused for searches. These attributes are replicated to every global catalog server in an AD DS forest."

"The attributes that are replicated to the global catalog by default include a base set that have been defined byMicrosoft as the attributes that are most likely to be used in searches. Administrators can use the MicrosoftManagement Console (MMC) Active Directory Schema sn ap-in to specify additional attributes to meet theneeds of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attributeto the global catalog check box to designate an attributeSchema object as a member of the PAS, which setsthe value of the isMemberOfPartialAttributeSet attribute to TRUE.

QUESTION 65Your network contains a single Active Directory domain . The domain contains an enterprise certification authority (CA) .

You need to ensure that the encryption keys for e-mail certificates can be recovered from the CAdatabase .

You modify the e-mail certificate template to support k ey archival .


A. Issue the key recovery agent certificate template.B. Run certutil.exe -recoverkey.C. Run certreq.exe-policy.D. Modify the location of the Authority Information Access (AIA) distribution point.



Identify a Key Recovery AgentA key recovery agent is a person who is authorized to recover a certificate on behalf of an end user. Becausethe role of key recovery agents can involve sensitive data, only highly trusted individuals should be assigned tothis role.

To identify a key recovery agent, you must configure the Key Recovery Agent certificate template to allow theperson assigned to this role to enroll for a key recovery agent certificate.

QUESTION 66Your network contains an Active Directory-integrated DNS zone named contoso.com .

You discover that the zone includes DNS records for com puters that were removed from the network .

You need to ensure that the DNS records are deleted automati cally from the zone .

What should you do?

A. From DNS Manager, set the aging properties.B. Create a scheduled task that runs dnslint.exe /v /d contoso.com.C. From DNS Manager, modify the refresh interval of the start of authority (SOA) record.D. Create a scheduled task that runs ipconfig.exe /flushdns.



Set Aging and Scavenging Properties for the DNS Ser verThe DNS Server service supports aging and scavenging features. These features are provided as amechanism for performing cleanup and removal of stale resource records, which can accumulate in zone dataover time. You can use this procedure to set the default aging and scavenging properties for the zones on aserver.

To set aging and scavenging properties for the DNS server using the Windows interface1. Open DNS Manager .2. In the console tree, right-click the applicable DNS server, and then click Set Aging/Scavenging for all zones.3. Select the Scavenge stale resource records check box.4. Modify other aging and scavenging properties as needed.


You run the following command on the domain controller :dsamain.exe C dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit C ldapport 389 -allowNonAdminAccess

The command fails .

You need to ensure that the command completes successfu lly .

How should you modify the command ?

A. Change the value of the -dbpath parameter.B. Include the path to Dsamain.C. Change the value of the -ldapport parameter.D. Remove the CallowNonAdminAccess parameter.



Use the AD DS database mounting tool to load the snapshot as an LDAP server.

dsamain -dbpath c:\$SNAP_datetime_VOLUMEC$\windows\ ntds\ntds.dit -ldapport portnumber

Be sure to use ALL CAPS for the -dbpath value and use any number beyond 40,000 for the -ldapport valu eto ensure that you do not conflict with AD DS.Also note that you can use the minus (–) sign or the slash (/) for the options in the command.

QUESTION 68Your network contains an Active Directory domain . The domain contains 10 domain controllers that run Windows Server 2008 R2 .

You need to monitor the following information on the do main controllers during the next five days :Memory usageProcessor usageThe number of LDAP queries

What should you do?

A. Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template.B. Use the System Performance Data Collector Set (DCS).C. Create a User Defined Data Collector Set (DCS) that uses the System Performance template.D. Use the Active Directory Diagnostics Data Collector Set (DCS).


Explanation/Reference:The System Performance Data Collector Set/System Performance template does not monitor Active Directorydata (we need the number of LDAP queries). That leaves out answers B ("Use the System Performance Data Collector Set (DCS)") andC ("Create a User Defined Data Collector Set (DCS) that uses the System Performance template").

Because the Active Directory Diagnostics Data Collector Set (DCS) runs only for 5 minutes and we need tomonitor for 5 days we have to use a User Defined Data Collector Set (DCS) that uses the Active DirectoryDiagnostics template. For a User Defined Data Collector Set we can set the monitoring duration in seconds,minutes, hours, days or weeks.

So we have to create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnosticstemplate.

Reference:http://blogs.technet.com/b/askds/archive/2010/06/08/son-of-spa-ad-data-collector-sets-in-win2008-and-beyond.aspx

AD Data Collector Sets in Win2008 and beyondThe Active Directory Diagnostics data collector set runs for a default of 5 minutes. This duration period cannotbe modified for the built-in collector. However, the collection can be stopped manually by clicking the Stopbutton or from the command line. If reducing or increasing the time that a data collector set runs is required,and manually stopping the collection is not desirable, then see How to Create a User Defined Data CollectionSet.

QUESTION 69Your network contains an Active Directory domain named contoso.com .Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC) namedRODC1.

You need to view the most recent user accounts authenti cated by RODC1 .


A. From Active Directory Sites and Services, right-click the Connection object for DC1, and then click ReplicateNow.

B. From Active Directory Sites and Services, right-click the Connection object for DC2, and then click ReplicateNow.

C. From Active Directory Users and Computers, right-click contoso.com, click Change DomainController, andthen connect to DC1.

D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, andthen connect to RODC1.


Explanation/Reference:Reference:http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx#BKMK_Auth2

To view authenticated accounts using Active Directo ry Users and Computers1. Open Active Directory Users and Computers . To open Active Directory Users and Computers, click

Start. In Start Search, type dsa.msc, and then press ENTER.2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the

correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-clickthe Active Directory Users and Computers object, and then click Change Domain or Change DomainController, respectively.

3. Click Domain Controllers.4. In the details pane, right-click the RODC computer account , and then click Properties.5. Click the Password Replication Policy tab.6. Click Advanced.7. In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller, as

shown in the following illustration.

QUESTION 70Your network contains an Active Directory domain . The domain contains 3,000 client computers . All of the client computers run Windows 7 . Users log on to their client computers by using standard user accounts .

You plan to deploy a new application named App1 .The vendor of App1 provides a Setup.exe file to install App1. Setup.exe requires administrative rights to run .

You need to deploy App1 to all client computers .

The solution must meet the following requirements :App1 must automatically detect and replace corrupt applicatio n files .App1 must be available from the Start menu on each client comput er.


A. Create a logon script that calls Setup.exe for App1.B. Create a .zap file.C. Create a startup script that calls Setup.exe for App1.D. Repackage App1 as a Windows Installer package.

Correct Answer: D



Windows Installer featuresDiagnoses and repairs corrupted applications --An application can query Windows Installer to determinewhether an installed application has missing or corrupted files. If any are detected, Windows Installer repairsthe application by recopying only those files found to be missing or corrupted.

QUESTION 71Your network contains an Active Directory domain named contoso.com . Contoso.com contains two sites named Site1 and Site2 . Site1 contains a domain controller named DC1.

In Site1 , you install a new domain controller named DC2. You ship DC2 to Site2 .You discover that certain users in Site2 authenticate t o DC1.

You need to ensure that the users in Site2 always attem pt to authenticate to DC2 first .

What should you do?

A. From Active Directory Users and Computers, modify the Location settings of the DC2 computer object.B. From Active Directory Sites and Services, modify the Location attribute for Site2.C. From Active Directory Sites and Services, move the DC2 server object.D. From Active Directory Users and Computers, move the DC2 computer object.


Explanation/Reference:DC2 may be shipped to Site2, but it's not yet associated properly with Site2 in Active Directory.

Reference1:http://technet.microsoft.com/en-us/library/cc816674.aspx

To move a server object to a new site1. Open Active Directory Sites and Services.2. In the console tree, expand Sites and the site in which the server object resides.3. Expand Servers to display the domain controllers that are currently configured for that site.4. Right-click the server object that you want to move, and then click Move.5. In Site Name, click the destination site, and then click OK.6. Expand the site object to which you moved the server, and then expand the Servers container.7. Verify that an object for the server that you moved exists.8. Expand the server object, and verify that an NTDS Settings object exists.

Reference2:http://technet.microsoft.com/en-us/library/cc754697.aspx

Using sitesSites help facilitate several activities, including:

(...)Authentication . Site information helps make authentication faster and more efficient. When a client logs onto a domain, it first requests a domain controller in its local site for authentication. By establishing sites, you

can ensure that clients use domain controllers that are nearest to them for authentication, which reducesauthentication latency and traffic on wide area network (WAN) connections.

QUESTION 72Your network contains an Active Directory domain named contoso.com .Contoso.com contains a server named Server2 .

You open the System properties on Server2 as shown in the exhibit:

When you attempt to configure Server2 as an enterprise subordinate certification authority (CA) , youdiscover that the enterprise subordinate CA option is unavailable .

You need to configure Server2 as an enterprise subordin ate CA.


A. Upgrade Server2 to Windows Server 2008 R2 Enterprise.B. Log in as an administrator and run Server Manager.C. Import the root CA certificate.D. Join Server2 to the domain.


Explanation/Reference:In doubt about this one, whether to go for A ("Upgrade Server2 to Windows Server 2008 R2 Enterprise"), or D

("Join Server2 to the domain"). Left it at D ("Join Server2 to the domain"), because that's undoubtedly anecessary step we have to take here.

See below for my (messy) thoughts.

Reference:http://social.technet.microsoft.com/Forums/nl-BE/winserversecurity/thread/1a1172c6-abdb-4c5a-8a7c-ea254de5dada

[Someone asked this question to Brian Komar:]

<begin quote>

buffaloyoungOkay, so on this same note, I'm looking at a practice test type question for the 70-640 exam that shows theserver runnning Windows Server 2008 R2 standard, and mentions that when you set up the Enterprise SubCertificate Authority, the Enterprise Sub CA option is not available. The mulitple choice solutions are: a. upgrade to enterprise; b. run server manager as an admin; c. import the root CA; d. Join the server to the domain.

I had thought it was "A" because of the enterprise 2008 issue, but if this is changed in standard R2 ... looking atthe fact that the info shows the Workgroup to be "WORKGROUP," I am inclined to answer D. Is this right? Orshould it still be A?

Brian:This forum is for helping people with real world PKI and security issues. It is not a study board <G>

That being said, D would be my answer. Based on some of the other things I have heard about the exam, thatmay not be the answer they are looking for ;-)

Brian<end quote>

"that may not be the answer they are looking for", what does Brian mean by that? Was he deliberately trying toconfuse buffaloyoung, or was he hinting at Microsoft advising to use Windows Server 2008 R2 Standard forroot CA only? I'm talking about this, from the 70-640 Training Kit errata page:Page 781, 1st paragraph

<begin quote>The book states: Enterprise CAs can run only on Windows Server 2008 R2 Enterprise edition or WindowsServer 2008 R2 Datacenter edition. This is not correct. You can use Windows 2008 R2 Standard edition, butyou will not have access to all features.

Note from the Author or Editor:Yes indeed, you can use the Standard Edition to run an Enterprise CA with limited functionality. Ourrecommendation would be to use this as a root CA on ly.<end quote>

If that would be the case, then an upgrade to Windows Server 2008 R2 Enterprise might be what Microsoftwants to hear from us, being answer A. Since the question is about an enterprise subordinate CA.

QUESTION 73Your network contains an Active Directory domain . The domain contains an enterprise certification authority (CA) .

You need to ensure that only members of a group named A dmin1 can create certificate templates .

Which tool should you use to assign permissions to Admin1 ?

A. the Certification Authority consoleB. Active Directory Users and ComputersC. the Certificates snap-inD. Active Directory Sites and Services


Explanation/Reference:We need to use Active Directory Sites and Services to assign permissions to create certificate templates toglobal or universal groups.The first reference lists what needs to be done, the second reference explains how to do it.


Delegating Template ManagementYou can delegate the ability to manage individual certificate templates or to create any certificate templates bydefining appropriate permissions to global groups or universal groups that a user belongs to.

There are three levels of delegation for certificat e template administration: - Modify existing templates - Create new templates (by duplicating existing templates) - Full delegation (including modifying all existing templates and creating new ones)

Create New TemplatesTo delegate the ability to create certificate templates to users who are not members of the Domain Adminsgroup in the forest root domain, or members of the Enterprise Admins group, it is necessary to define theappropriate permissions in the Configuration naming context of AD DS.

To delegate the ability to duplicate and create new certificate templates, you must make the followingpermission assignments to a global or universal group of which the user is a member:

Grant Create All Child Objects permission on the following container: CN=Certificate Templates,CN=PublicKey Services,CN=Services,CN=Configuration,DC=ForestRoot.Grant Full Control permission to every certificate template in the following container: CN=CertificateTemplates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot. The permissionsassigned to the Certificate Templates container are not inherited by the individual certificate templates.Grant Create All Child Objects permission on the following container: CN=OID,CN=Public KeyServices,CN=Services,CN=Configuration,DC=ForestRoot container.

Reference 2:Windows Server 2008 - PKI and Certificate Security (Microsoft Press, 2008)page 298

Delegate Permissions for Creation of New TemplatesYou can delegate the permission to create new templates by assigning permissions to a custom universalgroup for the CN=Certificate Templates,CN=Public KeyServices,CN=Services,CN=Configuration,ForestRootDomain container.

1. Log on as a member of the Enterprise Admins group or the forest root domain Domain Admins group.2. Open the Active Directory Sites And Services console.3. From the View menu, ensure that the Show Services Node setting is enabled.4. In the console tree, expand Services, expand Public Key Services, and then click Certificate Templates .5. In the console tree, right-click Certificate Templates, and then click Delegate Control.6. In the Delegation Of Control wizard, click Next.7. On the Users Or Groups page, click Add.

8. In the Select Users, Computers, Or Groups dialog box, type a user or group name, and then click OK.9. On the Users Or Groups page, click Next.10.On the Tasks To Delegate page, click Create A Custom Task To Delegate, and then click Next.11.On the Active Directory Object Type page, click This Folder, Existing Objects In This Folder, and Creation

Of New Objects In This Folder, and then click Next.12.On the Permissions page, in the Permissions list, enable Full Control, and then click Next.13.On the Completing The Delegation Of Control wizard page, click Finish.

QUESTION 74Your network contains an Active Directory domain . All DNS servers are domain controllers .

You view the properties of the DNS zone as shown in the exhibit:

You need to ensure that only domain members can registe r DNS records in the zone .


A. Modify the zone type.B. Create a trust anchor.C. Modify the Advanced properties of the DNS server.D. Modify the Dynamic updates setting.


Explanation/Reference:To ensure that only domain members are allowed to register DNS records we have to:

1. modify the zone type to Active Directory-Integrated.2. set the Dynamic updates option to Secure only, which is only available to Active Directory-Integrated zones.

Reference 1:MCTS Windows Server ® 2008 Active Directory Configuration Study Guide (Sybex, 2008)page 53

Secure only —This means that only machines with accounts in Active Directory can register with DNS .Before DNS registers any account in its database, it checks Active Directory to make sure that account is anauthorized domain computer.


Secure dynamic update is supported only for Active Directory-integrated zones. If the zone type is configureddifferently, you must change the zone type and directory-integrate the zo ne before securing it for DNSdynamic updates .

QUESTION 75Your company has a single Active Directory forest with a single domain . Consultants in different departments of the company require access to different network resources . The consultants belong to a global group named TempWorkers . Three file servers are placed in a new organizational unit named SecureServers . The file servers contain confidential data in shared fo lders .

You need to prevent the consultants from accessing the confidential data .

What should you do?

A. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign theDeny access to this computer from the network user right to the TempWorkers global group.

B. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny access to this computerfrom the network user right to the TempWorkers global group.

C. On the three file servers, create a share on the root of each hard disk. Configure the Deny Full controlpermission for the TempWorkers global group on the share.

D. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny log on locally user rightto the TempWorkers global group.

E. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign theDeny log on locally user right to the TempWorkers global group.


Explanation/Reference:Same question as D/Q8. Same answer. The other options give the consultants too much or too little rights.

Personal comment :Basically, you need to create a GPO for the Secure Servers and deny the TempWorkers access to the sharedfolders (implies access from the network)."Deny log on locally" makes no sense in this instance, because we are reffering to shared folder andsupposedly physical access to servers should be highly restricted.And best practices recommend that you link GPOs at the domain level only for domain wide purposes.

QUESTION 76Your network contains two Active Directory forests named contoso.com and nwtraders.com . The functional level of both forests is Windows Server 2003 . Contoso.com contains one domain .

Nwtraders.com contains two domains .

You need to ensure that users in contoso.com can access the resources in all domains . The solution must require the minimum number of trusts .

Which type of trust should you create?

A. externalB. forestC. realmD. shortcut



When to create a forest trustYou can create a forest trust between forest root domains if the forest functional level is Windows Server 2003or higher. Creating a forest trust between two root domains with a forest functional level of Windows Server2003 or higher provides a one-way or two-way, transitive trust relationship between every domain in eachforest. Forest trusts are useful for application service providers, organizations undergoing mergers oracquisitions, collaborative business extranets, and organizations seeking a solution for administrativeautonomy.

QUESTION 77You install an Active Directory domain in a test enviro nment .

You need to reset the passwords of all the user account s in the domain from a domain controller .

Which two Windows PowerShell commands should you run? (Each correct answer presents part of the solution, choose two .)

A. $ newPassword = *B. Import-Module ActiveDirectoryC. Import-Module WebAdministrationD. Get- AdUser -filter * | Set- ADAccountPossword - NewPassword $ newPassword - ResetE. Set- ADAccountPassword - NewPassword - ResetF. $ newPassword = (Read-Host - Prompt "New Password" - AsSecureString )G. Import-Module ServerManager

Correct Answer: DFSection: (none)Explanation

Explanation/Reference:First we create a variable, $newPassword, and prompt the user for the password to assign it to the variable.Next we use Get-ADUser -filter * to collect all user accounts and pipe it through to Set-ADAccountPassword to assign the $newPassword variable to every account's new password.

Note that Set- ADAccountPossword must be a typo.

Reference 1:

http://technet.microsoft.com/en-us/library/ee176935.aspx

Prompting a User to Enter InformationThe Read-Host cmdlet enables you to interactively prompt a user for information. For example, this commandprompts the user to enter his or her name, then stores that name in the variable $Name (to answer the prompt,type a name and then press ENTER):$Name = Read-Host "Please enter your name"


Get-ADUserGets one or more Active Directory users.


Set-ADAccountPasswordModifies the password of an Active Directory account.

ParametersNewPasswordSpecifies a new password value.

ResetSpecifies to reset the password on an account. When you use this parameter, you must set the NewPasswordparameter. You do not need to specify the OldPassword parameter.

QUESTION 78Your network contains two forests named adatum.com and litwareinc.com . The functional level of all the domains is Windows Server 2003 . The functional level of both forests is Windows 2000 .

You need to create a forest trust between adatum.com an d litwareinc.com .


A. Create an external trust.B. Raise the functional level of both forests.C. Configure SID filtering.D. Raise the functional level of all the domains.



When to create a forest trustYou can create a forest trust between forest root domains if the forest functional level is Windows Server 2003or higher.

QUESTION 79Your network contains an Active Directory forest named adatum.com .All client computers used by the marketing department are in an organizational unit (OU) namedMarketing Computers .

All user accounts for the marketing department are in an OU named Marketing Users .

You purchase a new application .

You need to ensure that every user in the domain who lo gs on to a marketing department computer canuse the application . The application must only be available from the marketi ng department computers .

What should you do?

A. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to ashared folder on the network. Assign the application.

B. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation packageto a shared folder on the network. Assign the application.

C. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation packageto a local drive on each marketing department computer. Publish the application.

D. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to afolder on each marketing department computer. Publish the application.


Explanation/Reference:The software must only be available on the marketing department computers, so we must link the GPO to theMarketing Computers OU. Next we need to assign the application to the Marketing Computers OU.

Reference:MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)page 399

Assigning Software to ComputersWhen you assign software to computers, it is available to all authenticated users of the computer, regardless oftheir group membership or privileges. The software package is installed when the computer is next restartedafter the package has been assigned. For example, suppose that you have a design application that should beavailable on all computers in the Engineering OU but not to computers elsewhere on your network. You wouldassign this application to computers in a Group Policy object (GPO) linked to the Engineering OU.

QUESTION 80Your network contains an Active Directory forest named adatum.com .

You need to create an Active Directory Rights Managemen t Services (AD RMS) licensing-only cluster .

What should you install before you create the AD RMS root cluster ?

A. The Failover Cluster featureB. The Active Directory Certificate Services (AD CS) roleC. Microsoft Exchange Server 2010D. Microsoft SharePoint Server 2010E. Microsoft SQL Server 2008




Before you install AD RMSBefore you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 forthe first time, there are several requirements that must be met:

(...)

In addition to pre-installation requirements for AD RMS, we strongly recommend the following:Install the database server that is used to host the AD RMS databases on a separate computer.(...)

QUESTION 81Your network contains an Active Directory domain named contoso.com . The contoso.com domain contains a domain controller named DC1.

You create an Active Directory-integrated GlobalNames z one . You add an alias (CNAME) resource record named Server1 to the zone . The target host of the record is server2.contoso.com .When you ping Server1 , you discover that the name fails to resolve . You are able to successfully ping server2.contoso.com .

You need to ensure that you can resolve names by using the GlobalNames zone .


A. Dnscmd DC1.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /domainB. Dnscmd DC1.contoso.com /config /Enableglobalnamessupport forestC. Dnscmd DC1.contoso.com /config /Enableglobalnamessupport 1D. Dnscmd DC1.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /forest


Explanation/Reference:Support for Globalnames must be enabled, otherwise the DNS Server service does not resolve single-labelnames in the GlobalNames zone.


dnscmd /configChanges values in the registry for the DNS server and individual zones. Accepts server-level settings and zone-level settings.

Parameter/enableglobalnamessupport {0|1}Enables or disables support for the GlobalNames zone. The GlobalNames zone supports resolution of single-label DNS names across a forest.

0Disables support for the GlobalNames zone. When you set the value of this command to 0, the DNS Serverservice does not resolve single-label names in the GlobalNames zone.

1Enables support for the GlobalNames zone. When you set the value of this command to 1, the DNS Serverservice resolves single-label names in the GlobalNames zone.

QUESTION 82Your network contains an Active Directory domain named contoso.com .The network has a branch office site that contains a read-only domain controller (RODC) named RODC1. RODC1 runs Windows Server 2008 R2 .

A user logs on to a computer in the branch office sit e.You discover that the user's password is not stored on RODC1.

You need to ensure that the user's password is stored o n RODC1 when he logs on to a branch officesite computer .

What should you do?

A. Modify the RODC s password replication policy by removing the entry for the Allowed RODC PasswordReplication Group.

B. Modify the RODC's password replication policy by adding RODC1's computer account to the list of allowedusers, groups, and computers.

C. Add the user's user account to the built-in Allowed RODC Password Replication Group on RODC1.D. Add RODC1's computer account to the built-in Allowed RODC Password Replication Group on RODC1.


Explanation/Reference:Reference:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)pages 416-417

Password Replication PolicyPassword Replication Policy (PRP) determines which users’ credentials can be cached on a specific RODC. IfPRP allows an RODC to cache a user’s credentials, authentication and service ticket activities of that user canbe processed by the RODC. If a user’s credentials cannot be cached on an RODC, authentication and serviceticket activities are referred by the RODC to a writable domain controller.

An RODC’s PRP is determined by two multivalued attributes of the RODC’s computer account. Theseattributes are commonly known as the Allowed List and the Denied List. If a user’s account is on the AllowedList, the user’s credentials are cached. You can include groups on the Allowed List, in which case all users whobelong to the group can have their credentials cached on the RODC. If the user is on both the Allowed List andthe Denied List, the user’s credentials will not be cached—the Denied List takes precedence.

Configuring Domain-Wide Password Replication PolicyTo facilitate the management of PRP, Windows Server 2008 R2 creates two domain local security groups in theUsers container of Active Directory. The first group, Allowed RODC Password Replication Group , is addedto the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a newRODC will not cache any user’s credentials. If you have users whose credentials you want to be cached by alldomain RODCs, add those users to the Allowed RODC Password Replication Group .

QUESTION 83You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a servernamed Server1 .

You need to configure the Windows Firewall on Server1 t o allow external users to authenticate by usingAD FS.

Which protocol should you allow on Server1?

A. Kerberos

B. SSLC. SMBD. RPC



AD FS relies on secure HTTP communications by using SSL authentication certificates to verify the identity ofboth the server and the client during communications. Because of this, all communications occur through port443 over HTTPS.

QUESTION 84Your network contains an Active Directory domain named contoso.com . Contoso.com contains a member server that runs Windows Server 2008 R2 Standard .

You need to create an enterprise subordinate certificat ion authority (CA) that can issue certificatesbased on version 3 certificate templates .You must achieve this goal by using the minimum amount of administrative effort .


A. Run the certutil.exe - addenrollmentserver command.B. Install the Active Directory Certificate Services (AD CS) role on the member server.C. Upgrade the member server to Windows Server 2008 R2 Enterprise.D. Run the certutil.exe - installdefaulttemplates command.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc725838.aspxCertificate Template Versions

Active Directory Certificate Services (AD CS) provides these versions of certificate templates that are availableon enterprise certification authorities (CA).

Version 3 certificate templates

In addition to version 2 template features and autoenrollment, version 3 certificate templates provide support forSuite B cryptographic algorithms. Suite B was created by the U.S. National Security Agency to specifycryptographic algorithms that must be used by U.S. government agencies to secure confidential information.

Template availability Windows Server 2008 R2, all editions Windows Server 2008, Enterprise and Datacenter editions

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26736075.htmlWindows 2008 R2 Standard or Enterprise for CA

..

With some of the new features in R2 you could technically scrape by with Standard, but you really want to doEnterprise edition for your online subordinate CA so you have access to all the features that will make thingseasier to manage and to ensure that you have access to potential future requirements...

Old info:

At first I changed the answer to B ("Install the Active Directory Certificate Services (AD CS) role on the memberserver.") and I reasoned like this:

Version 3 certificates are supported on Windows Server 2008 R2 Standard, so there's no upgrade toEnterprise necessary. The first thing to do would be to install the Active Directory Certificate Services (ADCS) role.

Reference 1:http://blogs.technet.com/b/askds/archive/2010/05/27/designing-and-implementing-a-pki-part-iii-certificate-templates.aspx

"Version 3 templates are supported by CAs installed on Windows Server 2008 Enterprise and DatacenterEditions. They are also supported by CAs installed on Windows Server 2008 R2 Standard , Enterprise,Datacenter, Foundation and Server Core Editions."


To install a subordinate CA1. Open Server Manager, click Add Roles, click Next,and click Active Directory Certificate Services .Click Next two times.2. (...)

While this still may be true I left it at the original answer C ("Upgrade the member server to Windows Server2008 R2 Enterprise"). Quite frankly, I'm not sure whether it's right or wrong. Hopefully someone can clear thisup once and for all.

Some other notes and quotes I collected:--------------------------------------------------MS Press Training Kit 70-640 - 2nd Editionpage 781

"Enterprise CAs can run only on Windows Server 2008 R2 Enterprise edition or Windows Server 2008 R2Datacenter edition."

Errata:"This is not correct. You can use Windows 2008 R2 Standard edition, but you will not have access to allfeatures."

Note from the Author or Editor:Yes indeed, you can use the Standard Edition to run an Enterprise CA with limited functionality. Ourrecommendation would be to use this as a root CA only. -------------------------------


Version 3 certificate templatesIn addition to version 2 template features and autoenrollment, version 3 certificate templates provide support forSuite B cryptographic algorithms. Suite B was created by the U.S. National Security Agency to specifycryptographic algorithms that must be used by U.S. government agencies to secure confidential information.

Template availabilityWindows Server 2008 R2, all editionsWindows Server 2008, Enterprise and Datacenter editions

--------------------------

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/1a1172c6-abdb-4c5a-8a7c-ea254de5dada/

I am looking for some clarifaction on deploying a Windows Server 2008 R2 Standard CA and version 2 andversion 3 certificates. I currently have a Windows Server 2008 Standard CA.

Server 2008 Standard can only issue certificates based on V1 certificate templates.Server 2008 R2 Standard is allowed to issue certificate based on V1, V2, and V3 certificate templatesWindows Server 2008 does not equal Windows Server 2008 R2This ability was introduced with the Windows server 2008 R2 skuyou will have one of two choices:- Upgrade to Server 2008 Enterprise- Upgrade/Migrate to Server 2008 R2 Standard or Windows Server 2008 R2 Enterprise

Brian Komar, thank you for the answer!I have another question. In Training Kit (Exam 70-6 40) described: "Enterprice CAs can run only onWindows Server 2008 R2 Enterprise edition or Datac enter edition". Is it true? If yes, how we can issu ecertificate based on V3 certificate templates on Wi ndows Server 2008 R2 Standard?

The training kit is incorrect. It probably was upda ted from Windows Server 2008 (or Windows Server2003) where the statement was correctBrian

QUESTION 85Your network contains a server named Server1 . The Active Directory Rights Management Services (AD RMS ) server role is installed on Server1 .

An administrator changes the password of the user a ccount that is used by AD RMS . You need to update AD RMS to use the new password .


A. Active Directory Rights Management ServicesB. Active Directory Users and ComputersC. Local Users and GroupsD. Services


Explanation/Reference:Reference:http://social.technet.microsoft.com/wiki/contents/articles/13034.ad-rms-how-to-change-the-rms-service-account-password.aspx

AD RMS How To: Change the RMS Service Account Passw ordThe Active Directory Rights Management Services managem ent console provides a wizard to change orupdate the AD RMS service account. The most common use for this process is to update the service accountpassword when it has been changed.

It is important to use this process to update or change the AD RMS service account. This ensures thenecessary components are updated properly.

QUESTION 86Your company, Contoso, Ltd., has a main office and a branch office . The offices are connected by a WAN link . Contoso has an Active Directory forest that contains a single domain named ad.contoso.com .The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office . DC1 is configured as a DNS server for the ad.contoso.com DNS zone . This zone is configured as a standard primary zone .

You install a new domain controller named DC2 in the branch office . You install DNS on DC2.

You need to ensure that the DNS service can update reco rds and resolve DNS queries in the event thata WAN link fails .

What should you do?

A. Create a new secondary zone named ad.contoso.com on DC2.B. Create a new stub zone named ad.contoso.com on DC2.C. Configure the DNS server on DC2 to forward requests to DC1.D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.


Explanation/Reference:Three answers don't make sense, leaving us with the one that works.

Create a new secondary zone named ad.contoso.com on DC2.This would create a read-only zone, so it couldn't be updated

Create a new stub zone named ad.contoso.com on DC2.This stub zone would contain source information about authoritative name servers for its zone only, being DC1,but that one would be unavailable in the WAN link fails.

Configure the DNS server on DC2 to forward requests to DC1.This doesn't help if the WAN link fails and DC1 is unavailable.

QUESTION 87Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2Enterprise .

You enable key archival on the CA . The CA is configured to use custom certificate templates for Encrypted File System (EFS) certificates .

You need to archive the private key for all new EFS cer tificates .


A. Active Directory Users and ComputersB. Authorization ManagerC. Group Policy ManagementD. Enterprise PKIE. Security TemplatesF. TPM Management

G. CertificatesH. Certification AuthorityI. Certificate Templates

Correct Answer: ISection: (none)Explanation



Configure a Certificate Template for Key ArchivalThe key archival process takes place when a certificate is issued. Therefore, a certificate template must bemodified to archive keys before any certificates are issued based on this template.

Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificatetemplate in order to protect users from data loss, but it can also be useful when applied to other types ofcertificates.

To configure a certificate template for key archiva l and recovery1. Open the Certificate Templates snap-in .2. In the details pane, right-click the certificate template that you want to change, and then click Duplicate

Template.3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certification

authorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008,Windows 7, or Windows Vista.

4. In Template, type a new template display name, and then modify any other optional properties as needed.5. On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to,

and then click OK.6. Under Group or user names, select the user or group names that you just added. Under Permissions, select

the Read and Enroll check boxes, and if you want to automatically issue the certificate, also select theAutoenroll check box.

7. On the Request Handling tab, select the Archive subject's encryption private key check box .


You need to ensure that all of the members of a group n amed Group1 can view the event log entries forCertificate Services .


A. Certificate TemplatesB. Certification AuthorityC. Authorization ManagerD. Active Directory Users and ComputersE. TPM ManagementF. Security TemplatesG. Group Policy ManagementH. Enterprise PKII. Certificates


Explanation/Reference:All credit goes to Luffy for correcting this one!

Practically the same as K/Q14.

We can make the Group1 group a member of the Event Log Readers Group , giving them read access to allevent logs, thus including the Certificate Services events. We can do that by using Group PolicyManagement .

Reference 1:It's a bit hard to find some good, clear reference for this. There's nothing wrong with doing it yourself, so here'swhat I did in VMWare, using a domain controller and a member server. Click along if you want!

In VMWare I have setup a domain controller, DC01 and a member server MEM01, both belonging to thecontoso.com domain. I have placed MEM01 in an OU named Events. I have created a global security group,named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM01.

1. Start the Group Policy Management console on DC01.2. Right-click the Events OU and choose "Create a GPO in this domain, and Link it here..."3. I named the GPO "EventLog_TESTGROUP"4. Right-click the "EventLog_TESTGROUP" GPO and choose "Edit..."5. Go to Computer Configuration \ Policies\ Windows Settings \ Security Settings and select "Restricted

Groups"6. Right-click "Restricted Groups" and choose "Add Group..."7. Now there are two ways to do this. We can select TESTGROUP and make it a member of the Event Log

Readers group, or we can select the Event Log Readers group and add TESTGROUP as a member. Let'sdo the second one. Click the Browse button and go find the Event Log Readers group. Click OK.

8. Click the Browse button next to "Members of this group", search for the TESTGROUP group and add it.

It should look like this now:

9. Click OK.10.On MEM01 open a command prompt and run gpupdate /force .11.Check the Event Log Readers group properties and see that the TESTGROUP group is now a member.

Reference 2:http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx

Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008

So if you want to give Non-Administrator users access remotely to Event logs if the Servers or DomainControllers they are accessing are Windows 2003 follow the steps below.

(...)

Windows 2008 is much easier as long as you are giving the users and groups in question read access to allevent logs. If that is the case just add them to the Built in Event Log Readers group .


You need to ensure that users can enroll for certificat es that use the IPSEC (Offline request) certificatetemplate .


A. Enterprise PKIB. TPM ManagementC. CertificatesD. Active Directory Users and ComputersE. Authorization ManagerF. Certification AuthorityG. Group Policy ManagementH. Security TemplatesI. Certificate Templates

Correct Answer: ISection: (none)Explanation

Explanation/Reference:Reference:http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/962be5d1-d824-4dd8-a501-3c3a9d600083

(...) the user should have proper permission on Certificate Templates. Please follow the steps below fortroubleshooting:1. Open MMC, add Certificate Templates snap-in .2. Double-click IPSec (Offline Request), switch to Security tab, give the user Read and Enroll rights.3. Close and restart IE on clients computer to test.

QUESTION 90Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2Enterprise .You have a custom certificate template named Template 1 . Template1 is published to the CA .

You need to ensure that all of the members of a group n amed Group1 can enroll for certificates that useTemplate1 .


A. Security TemplatesB. Enterprise PKIC. Certification AuthorityD. Certificate TemplatesE. CertificatesF. TPM ManagementG. Authorization ManagerH. Group Policy ManagementI. Active Directory Users and Computers



Configuring Certificate TemplatesAD CS provides the Certificate Templates snap-in (Certtmpl.msc), which provides the following capabilities:

(...)Configuring access control lists (ACLs) on certificate templates


You need to approve a pending certificate request .


A. Active Directory Users and ComputersB. Authorization ManagerC. Certification AuthorityD. Group Policy ManagementE. Certificate TemplatesF. TPM ManagementG. CertificatesH. Enterprise PKII. Security Templates



Reference:http://technet.microsoft.com/de-de/library/ff849263.aspx

To issue a pending certificate request:1. Log on to your root CA by using an account that is a certificate manager.2. Start the Certification Authority snap-in .3. In the console tree, expand your root CA, and click Pending Certificates.4. In the details pane, right-click the pending CA certificate, and click Issue.

QUESTION 92Your network contains an Active Directory domain named adatum.com .

You need to ensure that IP addresses can be resolved t o fully qualified domain names (FQDNs) .

Under which node in the DNS snap-in should you add a zone?

A. Reverse Lookup Zones

B. adatum.comC. Forward Lookup ZonesD. Conditional ForwardersE. _msdcs.adatum.com


Explanation/Reference:Practically the same as I/Q13.

Reference:Mastering Microsoft Windows Server 2008 R2 (Sybex, 2010)page 193

A forward lookup means the client provides a fully qualified domain name and the DNS server returns an IPaddress. A reverse lookup does the opposite: the client provides an IP address, and then the DNS serverreturns an FQDN.

QUESTION 93Your network contains an Active Directory domain named adatum.com . The domain contains a domain controller named DC1. DC1 has an IP address of 192.168.200.100.

You need to identify the zone that contains the Pointer (PTR) record for DC1 .

Which zone should you identify?

A. adatum.comB. _msdcs.adatum.comC. 100.168.192.in-addr.arpaD. 200.168.192.in-addr.arpa


Explanation/Reference:Reference 1:MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)page 57

Reverse lookup: This occurs when a client computer knows the IP address of another computer and requiresits hostname, which can be found in the DNS server’s PTR (pointer) resource record.

Reference 2:MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)page 45/730

You are configuring a reverse lookup zone for your network, which uses the Class C network address range of192.168.5.0/24. Which of the following addresses should you use for the reverse lookup zone?a. 5.168.192.in-addr.arpab. 0.5.168.192.in-addr.arpac. 192.168.5.in-addr.arpad. 192.168.5.0.in-addr.arpa

The reverse lookup zone contains octets of the network portion of the IP address in reverse sequence and usesa special domain name ending in in-addr.arpa. Thus the correct address is 5.168.192.in-addr.arpa. You do notuse the host portion of the IP address, so 0.5.168.192.in-addr.arpa is incorrect. The octets must be specified inreverse sequence, so the other two choices are both incorrect.

QUESTION 94Your network contains an Active Directory forest named adatum.com .The DNS infrastructure fails .

You rebuild the DNS infrastructure .

You need to force the registration of the Active Direct ory Service Locator (SRV) records in DNS .

Which service should you restart on the domain controllers?

A. NetlogonB. DNS ServerC. Network Location AwarenessD. Network Store Interface ServiceE. Online Responder Service





The password policy of the domain requires that the passwords for all user accounts be changed every50 days .

You need to create several user accounts that will be u sed by services . The passwords for these accounts must be changed automa tically every 50 days .

Which tool should you use to create the accounts ?

A. Active Directory Administrative CenterB. Active Directory Users and ComputersC. Active Directory Module for Windows PowerShellD. ADSI EditE. Active Directory Domains and Trusts


Explanation/Reference:Use the New-ADServiceAccount cmdlet in PowerShell to create the new accounts as managed serviceaccounts. Managed service accounts offer Automatic password management, making password managementeasier.


What are the benefits of new service accounts?In addition to the enhanced security that is provided by having individual accounts for critical services, there arefour important administrative benefits associated with managed service accounts:

(...)Unlike with regular domain accounts in which administrators must reset passwords manually, the networkpasswords for these accounts will be reset automatically.(...)


Use the Active Directory module for Windows PowerShell to create a managed service account.


To create a new managed service account1. On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc, and then click OK

to open the Active Directory Users and Computers snap-in. Confirm that the Managed Service Accountcontainer exists.

2. Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShellicon .

3. Run the following command: New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>].

Reference 4:http://technet.microsoft.com/en-us/library/hh852236.aspx

Use the -ManagedPasswordIntervalInDays parameter with New-ADServiceAccount to specify thenumber of days for the password change interval.

-ManagedPasswordIntervalInDays<Int32>

Specifies the number of days for the password change interval. If set to 0 then the default is used. This can onlybe set on object creation. After that the setting is read only. This value returns the msDS-ManagedPasswordInterval of the group managed service account object.

The following example shows how to specify a 90 day password changes interval:

-ManagedPasswordIntervalInDays 90

QUESTION 96Your network contains an Active Directory domain . The domain contains several domain controllers .

You need to modify the Password Replication Policy on a read-only domain controller (RODC) .


A. Group Policy ManagementB. Active Directory Domains and Trusts

C. Active Directory Users and ComputersD. Computer ManagementE. Security Configuration Wizard


Explanation/Reference:Practically the same as I/Q12.

Reference:http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx

Administering the Password Replication PolicyThis topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP)and password caching for read-only domain controllers (RODCs).

To configure the PRP using Active Directory Users a nd Computers1. Open Active Directory Users and Computers as a member of the Domain Admins group.2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct

domain.3. Click Domain Controllers, and in the details pane, right-click the RODC computer account, and then click

Properties.4. Click the Password Replication Policy tab.5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed list and

the Deny list on the RODC. To add other groups that should be included in either the Allowed list or theDeny list, click Add.To add other accounts that will have credentials cached on the RODC, click Allow passwords for theaccount to replicate to this RODC.To add other accounts that are not allowed to have credentials cached on the RODC, click Deny passwordsfor the account from replicating to this RODC.

QUESTION 97Your network contains an Active Directory forest . The forest contains domain controllers that run Windows Server 2008 R2 . The functional level of the forest is Windows Server 2003 . The functional level of the domain is Windows Server 2008 .

From a domain controller, you need to perform an au thoritative restore of an organizational unit (OU) .


A. Raise the functional level of the forestB. Modify the tombstone lifetime of the forest.C. Restore the system state.D. Raise the functional level of the domain.


Explanation/Reference:The Recycle Bin feature cannot be applied here, see the reference below.

Reference:Windows Server 2008 R2 Unleashed (SAMS, 2010)pages 1292 and 1297

Active Directory Recycle Bin RecoveryLet’s begin this section with a very clear statement: If you need to recover a deleted Active Directory object andthe Active Directory Recycle Bin was not enabled before the object was deleted, skip this section and proceedto the “Active Directory Authoritative Restore” section.

Active Directory Authoritative RestoreWhen Active Directory has been modified and needs to be restored to a previous state, and this rollback needsto be replicated to all domain controllers in the domain and possibly the forest, an authoritative restore of ActiveDirectory is required. An authoritative restore of Active Directory can include the entire Active Directorydatabase, a single object, or a container, such as an organizational unit including all objects previously storedwithin the container. To perform an authoritative restore of Active Direc tory, perform the System Staterestore of a domain controller.

QUESTION 98Your network contains an Active Directory forest . The forest contains two domains named contoso.com and woodgrovebank.com .

You have a custom attribute named Attribute1 in Active Directory .Attribute1 is associated to User objects .

You need to ensure that Attribute1 is included in the G lobal Catalog .

What should you do?

A. From the Active Directory Schema snap-in, modify the properties of the Attribute 1 attributeSchema object.B. In Active Directory Users and Computers, configure the permissions on the Attribute 1 attribute for User

objects.C. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the

forest.


Explanation/Reference:Same question as D/Q39


Global Catalog Partial Attribute SetThe attributes that are replicated to the global catalog by default include a base set that have been defined byMicrosoft as the attributes that are most likely to be used in searches. Administrators can use the MicrosoftManagement Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet theneeds of their installation. In the Active Directory Schema snap-in , you can select the Replicate this attributeto the global catalog check box to designate an attributeSchema object as a member of the PAS, which setsthe value of the isMemberOfPartialAttributeSet attribute to TRUE.

Global Catalog Replication of Additions to the Part ial Attribute SetEach global catalog server in an AD DS forest hosts a copy of every existing object in that forest. For theobjects of its own domain, a global catalog server has information related to all attributes that are associatedwith those objects. For the objects in domains other than its own, a global catalog server has only informationthat is related to the set of attributes that are marked in the AD DS schema to be included in the partial attributeset (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to beused for searches. These attributes are replicated to every global catalog server in an AD DS forest.

If you want to add an attribute to the PAS, you can mark the attribute by using the Active Directory Schemasnap-in to edit the isMemberOfPartialAttributeSet value on the respective attributeSchema object . You markthe attribute by placing a checkmark next to isMemberOfPartialAttributeSet. If theisMemberOfPartialAttributeSet value is checked (set to TRUE), the attribute is replicated to the global catalog. Ifthe value is not checked (set to FALSE), the attribute is not replicated to the global catalog.

QUESTION 99Your network contains a server named Server1 . Server1 runs Windows Server 2008 R2 and has the Active Directory Lightweight Directory Services (ADLDS) role installed . Server1 hosts two AD LDS instances named Instance1 and Instance2 .

You need to remove Instance2 from Server1 without affec ting Instance1 .


A. NTDSUtilB. DsdbutilC. Programs and Features in the Control PanelD. Server Manager



Administering AD LDS InstancesEach AD LDS instance runs as an independent—and separately administered—service on a computer.

Reference 2:technet.microsoft.com/en-us/library/cc794886.aspx

To remove an AD LDS instance1. To open Programs and Features, click Start, click Settings, click Control Panel, and then double-click

Programs and Features .2. Locate and click the AD LDS instance that you want to remove.3. Click Uninstall.

NoteIt is not necessary to restart the computer after you remove an AD LDS instance.


You need to compact the Active Directory database .

What should you do?

A. Run the Get-ADForest cmdlet.B. Configure subscriptions from Event Viewer.C. Run the eventcreate.exe command.D. Configure the Active Directory Diagnostics Data Collector Set (OCS).E. Create a Data Collector Set (DCS).

F. Run the repadmin.exe command.G. Run the ntdsutil.exe command.H. Run the dsquery.exe command.I. Run the dsamain.exe command.J. Create custom views from Event Viewer.



Compact the Directory Database File (Offline Defrag mentation)You can use this procedure to compact the Active Directory database offline. Offline defragmentation returnsfree disk space in the Active Directory database to the file system. As part of the offline defragmentationprocedure, check directory database integrity.

Performing offline defragmentation creates a new, compacted version of the database file in a differentlocation.

Reference 2:Mastering Windows Server 2008 R2 (Sybex, 2010)page 805

Performing Offline Defragmentation of Ntds.ditThese steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragmentand compact the database to a remote shared folder, map a drive letter to that shared folder before you beginthese steps, and use that drive letter in the path where appropriate.1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as

Administrator.2. Type ntdsutil , and then press Enter.3. Type Activate instance NTDS , and press Enter.4. At the resulting ntdsutil prompt, type Files (case sensitive) and then press Enter.5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the

defragmentation, and then press Enter.

Exam E

QUESTION 1Your network contains an Active Directory forest named fabrikam.com .

The forest contains the following domains :Fabrikam.comEu.fabrikam.comNa.fabrikam.comEu.contoso.comNa.contoso.com

You need to configure the forest to ensure that the adm inistrators of any of the domains can specify auser principal name (UPN) suffix of contoso.com whe n they create user accounts from Active DirectoryUsers and Computers .


A. Active Directory Sites and ServicesB. Set-ADDomainC. Set-ADForestD. Active Directory Administrative Center



We would use the following command to achieve this:

Set-ADForest -UPNSuffixes @{Add="contoso.com"}


Creating a UPN Suffix for a ForestThis topic explains how to use the Active Directory module for Windows PowerShell to create a new userprincipal name (UPN) suffix for the users in a forest. Creating an additional UPN suffix helps simplify the namesthat are used to log on to another domain in the forest.

ExampleThe following example demonstrates how to create a new UPN suffix for the users in the Fabrikam.com forest:

Set-ADForest -UPNSuffixes @{Add="headquarters.fabri kam.com"}

Reference 2http://technet.microsoft.com/en-us/library/ee617221.aspx

Set-ADForestModifies an Active Directory forest.

ParameterUPNSuffixesModifies the list of user principal name (UPN) suffixes of the forest. This parameter sets the multi-valuedmsDS-UPNSuffixes property of the cross-reference container. This parameter uses the following syntax to addremove, replace, or clear UPN suffix values.

Syntax:To add values:-UPNSuffixes @{Add=value1,value2,...}

QUESTION 2A corporate network includes a single Active Directory Domain Services (AD DS) d omain and two AD DSsites . The AD DS sites are named Toronto and Montreal . Each site has multiple domain controllers .

You need to determine which domain controller holds the Inter-Site Topology Generator role for theToronto site .

What should you do?

A. Use the Active Directory Sites and Services console to view the NTDS Site Settings for the Toronto site.B. Use the Ntdsutil tool with the roles parameter.C. Use the Ntdsutil tool with the LDAP policies parameter.D. Use the Active Directory Sites and Services console to view the properties of each domain controller in the

Toronto site.



Determine the ISTG Role Owner for a SiteThe Intersite Topology Generator (ISTG) is the domain controller in each site that is responsible for generatingthe intersite topology. If you want to regenerate the intersite topology, you must determine the identity of theISTG role owner in a site. You can use this procedure to view the NTDS Site Settings object properties anddetermine the ISTG role owner for the site.

To determine the ISTG role owner for a site1. Open Active Directory Sites and Services .2. In the console tree, click the site object whose ISTG role owner you want to determine.3. In the details pane, right-click the NTDS Site Settings object, and then click Properties . The current

role owner appears in the Server box under Inter-Site Topology Generator.

QUESTION 3Your network contains an Active Directory domain . The domain contains five sites . One of the sites contains a read-only domain controller (RODC ) named RODC1.

You need to identify which user accounts can have their password cached on RODC1 .


A. RepadminB. DcdiagC. Get-ADDomainControllerPasswordReplicationPolicyUsageD. Adtest

Correct Answer: A


Explanation/Reference:"The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that areauthenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC.The list of accounts that are stored on a RODC is known as the revealed list ."

So, this revealed list has a list of accounts whose passwords are cached on RODC's. But we don't need theaccounts that are cached on RODC1, but the ones that can be cached on RODC1. Those are in the allowedlist , and we can get it using repadmin .


Repadmin /prpLists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).

Syntaxrepadmin /prp view <RODC> {<List_Name>|<User>}

Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for aspecified user.

Parameters<RODC>Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domainname. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in onedomain.

<List_Name>Specifies all the security principals that are in the list that you want to view. The valid list names are as follows:

auth2: The list of security principals that the RODC has authenticated.reveal: The list of security principals for which the RODC has cached passwords.allow : The list of security principals in the msDS-RevealOnDemandGroup attribute. The RODC can cachepasswords for this list of security principals only .deny: The list of security principals in the msDS-NeverRevealGroup attribute. The RODC cannot cachepasswords for any security principals in this list.

QUESTION 4A network contains an Active Directory forest .The forest contains three domains and two sites .

You remove the global catalog from a domain controller named DC2 . DC2 is located in Site1 .

You need to reduce the size of the Active Directory dat abase on DC2 . The solution must minimize the impact on all users in S ite1 .


A. On DC2, start the Protected Storage service.B. On DC2, stop the Active Directory Domain Services service.C. Start DC2 in Safe Mode.D. Start DC2 in Directory Services Restore Mode.

Correct Answer: BSection: (none)

Explanation


Returning Unused Disk Space from the Active Directo ry Database to the File SystemDuring ordinary operation, the free disk space in the Active Directory database file becomes fragmented. Eachtime garbage collection runs (every 12 hours, by default), free disk space is automatically defragmented onlineto optimize its use within the database file. The unused disk space is maintained for the database; it is notreturned to the file system.

Only offline defragmentation can return unused disk space from the directory database to the file system.When database contents have decreased considerably through a bulk deletion (for example, when youremove the global catalog from a domain controller ), or if the size of the database backup is significantlyincreased as a result of the amount of free disk space, use offline defragmentation to reduce the size of theNtds.dit file.

On domain controllers that are running Windows Server 2008, offline defragmentation does not requirerestarting the domain controller in Directory Services Restore Mode (DSRM), as is required on domaincontrollers that are running versions of Windows Server 2000 and Windows Server 2003. You can use a newfeature in Windows Server 2008, restartable Active Directory Domain Services (AD DS), to stop the ADDS service . When the service is stopped, services that depend on AD DS shut down automatically. However,any other services that are running on the domain controller, such as Dynamic Host Configuration Protocol(DHCP), continue to run and respond to clients.

QUESTION 5Your network contains an Active Directory domain named adatum.com . The functional level of the domain is Windows Server 2008 . All domain controllers run Windows Server 2008 R2 . All client computers run Windows 7 Enterprise .

You need to receive a notification when more than 50 Ac tive Directory objects are deleted per second .

What should you do?

A. Run the Get-ADDomain cmdlet.B. Run the dsget.exe command.C. Run the ntdsutil.exe command.D. Run the ocsetup.exe command.E. Run the dsamain.exe command.F. Run the eventcreate.exe command.G. Create a Data Collector Set (DCS).H. Create custom views from Event Viewer.I. Configure subscriptions from Event Viewer.J. Import the Active Directory module for Windows PowerShell.


Explanation/Reference:Practically the same question as H/Q11.

Reference:http://technet.microsoft.com/en-us/magazine/ff458614.aspx

Configure Windows Server 2008 to Notify you when Ce rtain Events OccurYou can configure alerts to notify you when certain events occur or when certain performance thresholds arereached. You can send these alerts as network messages and as events that are logged in the applicationevent log. You can also configure alerts to start applications and performance logs.

To configure an alert, follow these steps:1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the left

pane, point to New, and then choose Data Collector Set .2. (...)3. In the Performance Counters panel, select the first counter, and then use the Alert When Value Is text box

to set the occasion when an alert for this counter is triggered. Alerts can be triggered when the counter isabove or below a specific value. Select Above or Below, and then set the trigger value. The unit ofmeasurement is whatever makes sense for the currently selected counter or counters. For example, togenerate an alert if processor time is over 95 percent, select Over, and then type 95. Repeat this process toconfigure other counters you’ve selected.

QUESTION 6A company has an Active Directory forest . You plan to install an offline Enterprise root certification authority (CA ) on a server named CA1. CA1 is a member of the PerimeterNetwork workgroup and is attached to a hardware security module forprivate key storage .

You attempt to add the Active Directory Certificate Ser vices (AD CS) server role to CA1 . The Enterprise CA option is not available .

You need to install the AD CS server role as an Enterprise CA on CA1 .


A. Add the DNS Server server role to CA1.B. Add the Web Server (IIS) server role and the AD CS server role to CA1.C. Add the Active Directory Lightweight Directory Services (AD LDS) server role to CA1.D. Join CA1 to the domain.


Explanation/Reference:Reference 1:http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/

Many times, administrators ask me what to do when installing Active Directory Certificate Services they cannotchoose to install Enterprise Certification Authority, because it’s unavailable.

Well, you need to fulfill basic requirements:1. Server machine has to be a member server (domain jo ined) .2. (...)

Reference 2:http://social.technet.microsoft.com/Forums/en/w7itproSP/thread/34f95b81-b196-4211-9a99-a06108521268

I am trying to install a new enterprise root CA on my windows server 2008 r2 system, but the enterprise optionis always greyed out. The server was originally setup and put on the domain, but has since been removed fromthe domain and left in a workgroup.

its greyed out because it's not in a domain; that's one of the requirements for Enterprise CA.

QUESTION 7Your company has an Active Directory forest . Each regional office has an organizational unit (OU) named Marketing . The Marketing OU contains all users and computers in the region's Ma rketing department .

You need to install a Microsoft Office 2007 application only on the computers in the Marketing OUs .

You create a GPO named MarketingApps .


A. Configure the GPO to assign the application to the computer account. Link the GPO to the domain.B. Configure the GPO to assign the application to the user account. Link the GPO to each Marketing OU.C. Configure the GPO to assign the application to the computer account. Link the GPO to each Marketing OU.D. Configure the GPO to publish the application to the user account. Link the GPO to each Marketing OU.


Explanation/Reference:Practically the same question as A/Q38.

We need to assign the software to the computers, and link the GPO to each Marketing OU. We do not link it tothe domain, then every computer would have the software.

Reference:http://support.microsoft.com/kb/816102

You can use Group Policy to distribute computer programs by using the following methods:

Assigning SoftwareYou can assign a program distribution to users or computers. If you assign the program to a user, it is installedwhen the user logs on to the computer. When the user first runs the program, the installation is completed. Ifyou assign the program to a computer, it is install ed when the computer starts, and it is available to allusers who log on to the computer. When a user first runs the program, the installation is completed.

Publishing SoftwareYou can publish a program distribution to users. When the user logs on to the computer, the published programis displayed in the Add or Remove Programs dialog box, and it can be installed from there.


The Active Directory sites are configured as shown in the Sites exhibit:

You need to ensure that DC1 and DC4 are the only server s that replicate Active Directory changesbetween the sites .

What should you do?

Exhibit:

A. Configure DC1 as a preferred bridgehead server for IP transport.B. Configure DC4 as a preferred bridgehead server for IP transport.C. From the DC4 server object, create a Connection object for DC1.D. From the DC1 server object, create a Connection object for DC4.


Explanation/Reference:Same question as L/Q4, with a different Exhibit, so with a different answer.

Reference:MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)pages 193, 194



bridgehead server.2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties.3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want


QUESTION 9Your network contains an Active Directory domain named contoso.com . The domain contains a domain controller named DC1. DC1 has the DNS Server role installed and hosts an Active Directory-integrated zone for conto so.com . The no-refresh interval and the refresh interval are both set to three days .

The Advanced DNS settings of DC1 are shown in the Advanced DNS Settings exhibit:

You open the properties of a static record named Server1 as shown in the Server1 Record exhibit:

You discover that the scavenging process ran today , but the record for Server1 was not deleted .You run dnscmd.exe and specify the ageallrecords parameter .

You need to identify when the record for Server1 will b e deleted from the zone .

In how many days will the record be deleted ?

A. 13B. 10C. 23D. 7


Explanation/Reference:The blank Record time stamp field indicates a static record. That's the reason it wasn't deleted. The timestamphas been set using dnscmd /ageallrecords .

The Time to live setting means that the server will hold a cached record for 10 days, so it has nothing to do withthis question. The record will become stale in six days (no-refresh interval + refresh interval, that's 3 + 3 days),so now that the timestamp has been set it will be deleted when the next scavenging operation occurs, in sevendays.


dnscmd /ageallrecordsSets the current time on all time stamps in a zone or node.

Record scavenging does not occur unless the records are time stamped. Name server (NS) resource records,start of authority (SOA) resource records, and Windows Internet Name Service (WINS) resource records arenot included in the scavenging process, and they are not time stamped even when the ageallrecords commandruns.

Reference 2:http://www.windowsitpro.com/article/dns/scavenging-stale-dns-records

When a record is older than the sum of the no-refresh interval and the refresh interval, the scavenging featureconsiders the record stale and deletes it. So, when you set No-refresh interval to 3 days and Refresh interval to5 days, scavenging will delete records that are more than 8 days old.



Each organizational unit (OU) contains over 500 user accounts .The Finance OU and the Human Resources OU contain several user accounts that are members of auniversal group named Group1 .You have a Group Policy object (GPO) linked to the doma in .

You need to prevent the GPO from being applied to the membe rs of Group1 only .

What should you do?

Exhibit:

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Finance OU.J. Link the GPO to the Human Resources OU.



Best way to handle this is how graimer from Norway desribed it in http://www.examcollection.com/microsoft/Microsoft.BrainDump.70-640.v2012-07-04.by.Andyfx.401q.vce.file.html

"GPOs are linked to OUs, not groups. Block inhertance blocks all inherited GPOs from being applied to the OU.The security filter will only help you specify groups. So you have two choices. You could remove authenticatedusers in the secuirty filter and add groups containing everyone except group1 members(messy solution) or youcould leave authenticated users there, and specify group1 with deny apply gpo permission for the gpo(since

deny will alwys win over allow)."

The reference below explains a situation where the GPO only needs to be applied to one group, it's the otherway around so to speak.

Reference:MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)page 285, 286

Using Security Filtering to Modify GPO ScopeBy now, you’ve learned that you can link a GPO to a site, domain, or OU. However, you might need to applyGPOs only to certain groups of users or computers rather than to all users or computers within the scope of theGPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specificsecurity groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply GroupPolicy permissions to the GPO .

Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Readand Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to acomputer (for example, by its link to the computer’s OU), but the computer does not have Read and ApplyGroup Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriatepermissions for security groups, you can filter a GPO so that its settings apply only to the computers and usersyou specify.

Filtering a GPO to Apply to Specific GroupsTo apply a GPO to a specific security group, perform the following steps:4. Select the GPO in the Group Policy Objects container in the console tree.5. In the Security Filtering section, select the Authenticated Users group and click Remove.6. Click OK to confirm the change.7. Click Add.8. Select the group to which you want the policy to apply and click OK.

QUESTION 11Your network contains an Active Directory forest named contoso.com .You plan to migrate all user accounts to a new forest named litwareinc.com .The functional level of the contoso.com forest is Windows Server 2003 . Contoso.com contains four servers .

The servers are configured as shown in the following table:

The functional level of the litwareinc.com forest is Windows Server 2008 . Litwareinc.com contains four servers . The servers are configured as shown in the following table:

You need to identify on which server in the litwareinc. com forest you must install Active DirectoryMigration Tool version 3.2 (ADMT v3.2) .

Which server should you identify ?

A. Litw_Srv4B. Litw_Srv1C. Litw_Srv2D. Litw_Srv3



Prerequisites for installing ADMT v3.2Although you can use ADMT v3.2 to migrate accounts and resources from Active Directory environments thathave a domain functional level of Windows Server 2003 or later, you can install ADMT v3.2 only on a serverrunning Windows Server 2008 R2 .

In addition to running Windows Server 2008 R2, the server computer that you use to install ADMT v3.2 mustnot be installed under the Server Core installation option or be running as a read-only domaincontroller (RODC) .


The password policy for the domain is configured as shown in the Current Policy exhibit:

You change the password policy for the domain as shown in the New Policy exhibit:

You need to provide users with examples of a valid pass word .

Which password examples should you provide to the users? (Each correct answer presents a complete solution. Choose three .)

A. 123456!@#$%^B. !@#$1234ABCDC. password1234D. 1-2-3-4-5-a-b-c-eE. %%PASS1234%%F. 111111aaaaaaa

Correct Answer: BDESection: (none)Explanation



Passwords must meet complexity requirementsThis security setting determines whether passwords must meet complexity requirements. Complexityrequirements are enforced when passwords are changed or created.

If this policy is enabled, passwords must meet the following minimum requirements when they are changed orcreated:

1. Passwords must not contain the user's entire samAccountName (Account Name) value or entiredisplayName (Full Name) value.

2. Passwords must contain characters from three of the following five categories : Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrilliccharacters)Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrilliccharacters)Base 10 digits (0 through 9)Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase.This includes Unicode characters from Asian languages.


The Active Directory sites are configured as shown in the Sites exhibit:

You need to ensure that DC1 and DC4 are the only server s that replicate Active Directory changesbetween the sites .

What should you do?

Exhibit:

A. Configure DC1 as a preferred bridgehead server for IP transport.B. Configure DC4 as a preferred bridgehead server for IP transport.C. From the DC4 server object, create a Connection object for DC1.D. From the DC1 server object, create a Connection object for DC4.


Explanation/Reference:Same question as K/Q48, with a different Exhibit, so with a different answer.

Reference:MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)pages 193, 194



bridgehead server.2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties.3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want


QUESTION 14Your network contains an Active Directory forest named contoso.com . The functional level of the forest is Windows Server 2008 R2 . The forest contains a single domain .

You need to ensure that objects can be restored from th e Active Directory Recycle Bin .


A. NtdsutilB. Set-ADDomainC. DsamainD. Enable-ADOptionalFeature


Explanation/Reference:Similar question to question E/Q28.



Enable-ADOptionalFeature Active Directory module cm dlet (This is the recommended method.)Ldp.exe



Users in the Finance organizational unit (OU) frequently log on to client computers in the HumanResources OU .

You need to meet the following requirements :All of the user settings in the Group Policy objects (GPOs) linked to both the Finance OU and theHuman Resources OU must be applied to finance users when they log on to client computers in theEngineering OU .Only the policy settings in the GPOs linked to the Finance OU must be applied to finance users whenthey log on to client computers in the Finance OU .Policy settings in the GPOs linked to the Finance OU must not be applied to users in the HumanResources OU .

What should you do?

Exhibit:

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Finance OU.J. Link the GPO to the Human Resources OU.

Correct Answer: DSection: (none)

Explanation

Explanation/Reference:Very similar question to K/Q11.

We have to use loopback processing in merge mode if we want all User Configuration settings from the GPO'sthat are linked to the Sales OU and the Engineering OU to be applied.


Loopback processing with merge or replaceSetting loopback causes the User Configuration settings in GPOs that apply to the computer to be applied toevery user logging on to that computer, instead of (in replace mode) or in addition to (in merge mode) the UserConfiguration settings of the user. This allows you to ensure that a consistent set of policies is applied to anyuser logging on to a particular computer, regardless of their location in Active Directory.

Loopback can be set to Not Configured, Enabled, or Disabled. In the Enabled state, loopback can be set toMerge or Replace. In either case the user only receives user-related policy settings.

Loopback with Replace—In the case of Loopback with Replace, the GPO list for the user is replaced in itsentirety by the GPO list that is already obtained for the computer at computer startup (during step 2 in GroupPolicy processing and precedence). The User Configuration settings from this list are applied to the user.Loopback with Merge —In the case of Loopback with Merge, the Group Policy object list is aconcatenation. The default list of GPOs for the user object is obtained, as normal, but then the list of GPOsfor the computer (obtained during computer startup) is appended to this list. Because the computer's GPOsare processed after the user's GPOs, they have precedence if any of the settings conflict.

Reference 2:http://kudratsapaev.blogspot.in/2009/07/loopback-processing-of-group-policy.html

For a clear and easy explanation of Loopback Processing. Recommended!

Reference 3:Windows Server 2008 R2 Unleashed (SAMS, 2010)page 1028

Loopback ProcessingWhen a user is processing domain policies, the policies that apply to that user are based on the location of theuser object in the Active Directory hierarchy. The same goes for domain policy application for computers. Thereare situations, however, when administrators or organizations want to ensure that all users get the same policywhen logging on to a particular computer or server. For example, on a computer that is used for training or on aRemote Desktop Session Host, also known as a Terminal Server, when the user desktop environment must bethe same for each user, this can be controlled by enabling loopback processing in Replace mode on a policythat is applied to the computer objects.

To explain a bit further, if a domain policy has the loopback settings enabled and set to Replace mode, anysettings defined within that policy in the User Configuration node are applied to all users who log on to thecomputer this particular policy is applied to. When loopback processing is enabled and configured in Mergemode on a policy applied to a computer object and a user logs on, all of the user policies are applied and thenall of the user settings within the policy applied to the computer object are also applied to the user. This ensuresthat in either Replace or Merge mode, loopback processing applies the settings contained in the computer-linked policies last.

QUESTION 16Your network contains an Active Directory forest named contoso.com . The forest contains four computers .

The computers are configured as shown in the following table:

An administrator creates a script that contains the following commands :

You need to identity which computers can successfully r un all of the commands in the script .

Which two computers should you identify? (Each correct answer presents part of the solution. Choose two .)

A. Computer1B. Server1C. Computer2D. Server2


Explanation/Reference:According to Technet the "Auditpol /resourceSACL " command applies only to Windows 7 and WindowsServer 2008 R2 (and I suppose Windows 8 and Windows Server 2012), so the answer should be Computer2and Server2

Reference:http://technet.microsoft.com/en-us/library/ff625687.aspx

Auditpol resourceSACLApplies only to Windows 7 and Windows Server 2008 R2.



You need to ensure that when users log on to client com puters, they are added automatically to thelocal Administrators group . The users must be removed from the group when they log off of the client computers .

What should you do?

Exhibit:

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the Group Policy object (GPO) to the Finance organizational unit (OU).J. Link the Group Policy object (GPO) to the Human Resources organizational unit (OU).



Reference:http://daniel.streefkerkonline.com/managing-local-admins-using-gpp/http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

QUESTION 18You have an enterprise subordinate certification authority ( CA).You have a custom certificate template that has a key length of 1,024 bits . The template is enabled for autoenrollment .You increase the template key length to 2,048 bits .

You need to ensure that all current certificate holders automatically enroll for a certificate that uses t he

new template .


A. Group Policy Management MMC Snap-InB. Certificates MMC Snap-In on the Certificate AuthorityC. Certificate Templates MMC Snap-InD. Certification Authority MMC Snap-In


Explanation/Reference:Practically the same question as F/Q13.


Re-Enroll All Certificate HoldersThis procedure is used when a critical change is made to the certificate template and you want all subjects thathold a certificate that is based on this template to re-enroll as quickly as possible. The next time the subjectverifies the version of the certificate against the version of the template on the certification authority (CA), thesubject will re-enroll.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete thisprocedure. For more information, see Implement Role-Based Administration.

To re-enroll all certificate holders1. Open the Certificate Templates snap-in .2. Right-click the template that you want to use, and then click Reenroll All Certificate Holders.


You attempt to create a new child domain and you receive the following error message :"An LDAP read of operational attributes failed."

You need to ensure that you can add a new child domain to the forest .

What should you do?

A. Move the PDC emulator role.B. Move the RID master role.C. Move the infrastructure master role.D. Move the schema master role.E. Move the domain naming master role.F. Move the global catalog server.G. Move the bridgehead server.H. Install a read-only domain controller (RODC).I. Deploy an additional global catalog server.J. Restart the Active Directory Domain Services (AD DS) service.

Correct Answer: ESection: (none)

Explanation

Explanation/Reference:This message appears when the domain naming master is unavailable. It needs to be moved to anotherdomain controller to resolve this.

Reference:http://technet.microsoft.com/en-us/library/bb727058.aspx

Troubleshooting Active Directory Installation Wizar d Problems

Symptom or ErrorAn LDAP read of operational attributes failed.

Root CauseThe domain naming master for the forest is offline or cannot be contacted.

SolutionMake the current domain naming master accessible. If necessary, see "Seizing Operations Master Roles" inthis guide.

QUESTION 20Your network contains an Active Directory domain named adatum.com . The functional level of the domain is Windows Server 2003 . All domain controllers run Windows Server 2008 R2 .

You mount an Active Directory snapshot .

You need to ensure that you can connect to the snapshot by using LDAP .

What should you do?

A. Run the Get-ADDomain cmdlet.B. Run the dsget.exe command.C. Run the ntdsutil.exe command.D. Run the ocsetup.exe command.E. Run the dsamain.exe command.F. Run the eventcreate.exe command,G. Create a Data Collector Set (DCS).H. Create custom views from Event Viewer.I. Configure subscriptions from Event Viewer.J. Import the Active Directory module for Windows PowerShell.




The Active Directory database mounting tool (Dsamain.exe ) can improve recovery processes for yourorganization by providing a means to compare data as it exists in snapshots that are taken at different times sothat you can better decide which data to restore after data loss. This eliminates the need to restore multiplebackups to compare the Active Directory data that they contain.

Requirements for using the Active Directory databas e mounting toolYou do not need any additional software to use the Active Directory database mounting tool. All the tools thatare required to use this feature are built into Windows Server 2008 and are available if you have the AD DS orthe AD LDS server role installed. These tools include the following:

(...)Dsamain.exe, which you can use to expose the snapshot data as an LDAP serverExisting LDAP tools, such as Ldp.exe and Active Directory Users and Computers

QUESTION 21Your network contains an Active Directory domain named contoso.com .You have an organizational unit (OU) named Sales and an OU named Engineering .

You need to ensure that when users log on to client com puters, they are added automatically to thelocal Administrators group . The users must be removed from the group when they log off of the client computers .

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the Group Policy object (GPO) to the Sales OU.J. Link the Group Policy object (GPO) to the Engineering OU.


Explanation/Reference:Practically the same question as L/Q8.

Reference:http://daniel.streefkerkonline.com/managing-local-admins-using-gpp/http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

QUESTION 22Your network contains an Active Directory forest named contoso.com . The forest contains two member servers named Server1 and Server2 . Server1 and Server2 have the DNS Server server role installed .Server1 hosts a standard primary zone for contoso.com . Server2 is configured as a secondary name server for contoso.com .

You experience issues with the copy of the zone on Serv er2.You verify that both copies of the zone have the same s erial number .

You need to transfer a complete copy of the zone from S erver1 to Server2 .

What should you do on Server2 ?

A. From DNS Manager, right-click contoso.com and click Transfer from Master.

B. From Services, right-click DNS Server and click Refresh.C. From Services, right-click DNS Server and click Restart.D. From DNS Manager, right-click contoso.com and click Reload.E. From DNS Manager, right-click contoso.com and click Transfer a new copy of zone from Master.


Explanation/Reference:Must be a typo in E, because it's actually Transfer new copy of zone from Master .

Restarting the DNS service does initiate a zone transfer request, but because the serial/version numbers arethe same no zone transfer will take place. Only if the Master had a higher number would there be a zonetransfer.

Reference:MS Press - Self-Paced Training Kit (Exam 70-642) (2nd Edition, 2011)page 212

Manually Updating a Secondary ZoneBy right-clicking a secondary zone in the DNS Manager console tree, you can use the shortcut menu to performthe following secondary zone update operations:

Reload - This operation reloads the secondary zone from the local storage.Transfer From Master - The server hosting the local secondary zone determines whether the serialnumber in the secondary zone’s SOA resource record has expired and then pulls a zone transfer from themaster server.Transfer New Copy Of Zone From Master - This operation performs a zone transfer from the secondaryzone’s master server regardless of the serial number in the secondary zone’s SOA resource record.

QUESTION 23Your network contains an Active Directory domain . The domain contains two Active Directory sites named Site1 and Site2 . Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllers named DC3 and DC4.The functional level of the domain is Windows Server 2008 R2 . The functional level of the forest is Windows Server 2003 .

Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day .At 07:00 , an administrator deletes a user account while he is logged on to DC1 .

You need to restore the deleted user account . You want to achieve this goal by using the minimum amou nt of administrative effort .

What should you do?

A. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start ActiveDirectory Domain Services.

B. On DC3, run the Restore-ADObject cmdlet.C. On DC1, run the Restore-ADObject cmdlet.D. On DC1, stop Active Directory Domain Services, restore the SystemState, and then start Active Directory

Domain Services.


Explanation/Reference:Practically the same question as E/Q33 and J/Q2.




"An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for thedata to make it authoritative and ensure that it is replicated to all other servers."



QUESTION 24You create a standard primary zone for contoso.com .

You need to specify a user named Admin1 as the person r esponsible for managing the zone .

What should you do? (Each correct answer presents a complete solution. Choose two .)

A. Open the %Systemroot\System32\DNS\Contoso.com.dns file by using Notepad and change all instances of"hostmaster.contoso.com" to "admin1.contoso.com".

B. From DNS Manager, open the properties of the Start of Authority (SOA) record of contoso.com. Specifyadmin1.contoso.com as the responsible person.

C. Open the %Systemroot\System32\DNS\Contoso.com.dns file by using Notepad and change all instances of"[email protected]" to "[email protected]".

D. From DNS Manager, open the properties of the Start of Authority (SOA) record of contoso.com. [email protected] as the responsible person.


Explanation/Reference:You can use Notepad to edit the dns file, but the email address of the person responsible for this zone must belisted with a ".", instead of a "@". That's why C is wrong here.


To modify the start of authority (SOA) resource rec ord for a zone using the Windows interface1. Open DNS Manager .2. In the console tree, right-click the applicable zone, and then click Properties.3. Click the Start of Authority (SOA) tab.4. As needed, modify properties for the start of authority (SOA) resource record.

5. Click OK to save the modified properties.


The SOA resource record contains the following information:

SOA resource record fields

Responsible personThe e-mail address of the person responsible for administering the zone. A period (.) is used instead of an atsign (@) in this e-mail name.(...)

QUESTION 25Your network contains an Active Directory forest named contoso.com . The functional level of the forest is Windows Server 2008 R2.The DNS zone for contoso.com is Active Directory-integrated .

You deploy a read-only domain controller (RODC) named RODC1. You install the DNS Server server role on RODC1.You discover that RODC1 does not have any DNS applicati on directory partitions .

You need to ensure that RODC1 has a copy of the DNS app lication directory partition of contoso.com .

What should you do? (Each correct answer presents a complete solution. Choose two .)

A. From DNS Manager, right-click RODC1 and click Create Default Application Directory Partitions.B. Run ntdsutil.exe. From the Partition Management context, run the create nc command.C. Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.D. Run ntdsutil.exe. From the Partition Management context, run the add nc replica command.E. Run dnscmd.exe and specify the /enlistdirectorypartition parameter.

Correct Answer: DESection: (none)Explanation

Explanation/Reference:Practically the same question as J/Q15, different set of answers.


RODC Post-Installation ConfigurationIf you install DNS server after the AD DS installation, you must also enlist the RODC in the DNS applicationdirectory partitions. The RODC is not enlisted automatically in the DNS a pplication directory partitions bydesign because it is a privileged operation. If the RODC were allowed to enlist itself, it would havepermissions to add or remove other DNS servers that are enlisted in the application directory partitions.

To enlist a DNS server in a DNS application directo ry partition1. Open an elevated command prompt.2. At the command prompt, type the following command, and then press ENTER:

dnscmd <ServerName> /EnlistDirectoryPartition <FQDN >

For example, to enlist RODC01 in the domain-wide DNS application directory partition in a domain namedchild.contoso.com, type the following command:

dnscmd RODC01 /EnlistDirectoryPartition DomainDNSZo nes.child.contoso.com

You might encounter the following error when you run this command:Command failed: ERROR_DS_COULDNT_CONTACT_FSMO 8367 0x20AF

If this error appears, use NTDSUTIL to add the RODC for the partition to be replicated:

1. ntdsutil2. partition management3. connections4. Connect to a writeable domain controller (not an RODC):

connect to server <WriteableDC>.Child.contoso.com5. quit6. To enlist this server in the replication scope for this zone, run the following command:

add NC Replica DC=DomainDNSZones,DC=Child,DC=Contoso,DC=Com <rodcServer>.Child.contoso.com





A. NtdsutilB. DnscmdC. RepadminD. Nslookup


Explanation/Reference:Practically the same question as F/Q28, G/Q8, J/Q24, K/Q8, different set of answers sometimes.









QUESTION 27Your network contains three servers named ADFS1, ADFS2 and ADFS3 that run Windows Server 2008 R2 . ADFS1 has the Active Directory Federation Services (AD FS) Federa tion Service role service installed .

You plan to deploy AD FS 2.0 on ADFS2 and ADFS3 .

You need to export the token-signing certificate from A DFS1, and then import the certificate to ADFS2and ADFS3 .

Which format should you use to export the certificate ?

A. Personal Information Exchange PKCS #12 (.pfx)B. DER encoded binary X.509 (.cer)C. Cryptographic Message Syntax Standard PKCS #7 (.p7b)D. Base-64 encoded X.S09 (.cer)


Explanation/Reference:Many thanks to 'confused' from Algeria and Luffy for noting this question needed a correction and for their help!

Practically the same question as E/Q12.

Reference 1:http://technet.microsoft.com/en-us/library/ff678038.aspx

Checklist: Migrating Settings in the AD FS 1.x Fede ration Service to AD FS 2.0If the AD FS 1.x Federation Service has a token-signing certificate that was issued by a trusted certificationauthority (CA) and you want to reuse it, you will have to export it from AD FS 1.x.

[The site provides also a link for instructions on how to export the token-signing certificate. That link point to thesite mentioned in reference 2.]


Export the private key portion of a token-signing c ertificate

To export the private key of a token-signing certificate1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.2. Right-click Federation Service, and then click Properties.3. On the General tab, click View.4. In the Certificate dialog box, click the Details tab.5. On the Details tab, click Copy to File.6. On the Welcome to the Certificate Export Wizard page, click Next.7. On the Export Private Key page, select Yes, export the private key, and then click Next.8. On the Export File Format page, select Personal Information Exchange = PKCS #12 (.PFX) and then

click Next.9. (...)

QUESTION 28You create a user account template for the marketing department .When you copy the user account template , you discover that the Web page attribute is not copied .

You need to preserve the Web page attribute when you copy t he user account template .

What should you do?

A. From Active Directory Administrative Center, modify the value of the wWWHomePage attribute for the useraccount template.

B. From the Active Directory Schema snap-in, modify the properties of the user class.C. From Active Directory Users and Computers, modify the value of the wWWHomePage attribute for the user

account template.D. From ADSI Edit, modify the properties of the wWWHomePage attribute.



You can modify which default attributes are carried over to a newly copied user or specify additional attributesthat will be copied to the new user. To do this, open the Active Directory Schema snap-in , view the desiredattribute properties, and select (or clear) the Attribute is copied when duplicating user check box. You canmodify or add only the attributes that are instances of the user class .

QUESTION 29Your network contains an Active Directory domain named contoso.com . The functional level of the forest is Windows Server 2008 R2 .

The Default Domain Controller Policy Group Policy objec t (GPO) contains audit policy settings .On a domain controller named DC1, an administrator configures the Advanced Audit PolicyConfiguration settings by using a local GPO .

You need to identify what will be audited on DC1 .


A. Get-ADObjectB. SeceditC. Security Configuration and AnalysisD. Auditpol



Auditpol getRetrieves the system policy, per-user policy, auditing options, and audit security descriptor object.

Reference 2:

Windows Server 2008 R2 Unleashed (SAMS, 2010)page 670

You can use the AUDITPOL command to get and set the audit categories and subcategories. To retrieve a listof all the settings for the audit categories and subcategories, use the following command:auditpol /get /category:*

QUESTION 30A network contains an Active Directory forest .The forest schema contains a custom attribute for user objects .

You need to view the custom attribute value of 500 user accounts in a Microsoft Excel table .


A. DsmodB. CsvdeC. LdifdeD. Dsrm


Explanation/Reference:We can achieve this by using csvde:CSVDE -f onlyusers.csv -r "objectCategory=person" - l "CN,<CustomAttributeName>"

The exported CSV file can be viewed in Excel.


CsvdeImports and exports data from Active Directory Domain Services (AD DS) using files that store data in thecomma-separated value (CSV) format. You can also support batch operations based on the CSV file formatstandard.

SyntaxCsvde [-i] [-f <FileName>] [-r <LDAPFilter>] [-l <L DAPAttributeList>] (...)

Parameters-iSpecifies import mode. If not specified, the default mode is export.

-f <FileName>Identifies the import or export file name.

-r <LDAPFilter>Creates an LDAP search filter for data export.

-l <LDAPAttributeList>Sets the list of attributes to return in the results of an export query. LDAP can return attributes in any order, andcsvde does not attempt to impose any order on the columns. If you omit this parameter, AD DS returns allattributes.

QUESTION 31You have an Active Directory domain named contoso.com .

You need to view the account lockout threshold and dura tion for the domain .


A. Net UserB. Active Directory Users and ComputersC. Group Policy Management Console (GPMC)D. Computer Management


Explanation/Reference:Same question as K/Q12. For K/Q12 I thought there was only one option, but here there are two correctanswers:B ("Active Directory Users and Computers")C ("Group Policy Management Console (GPMC)")

Am I missing something? Which is the "right" one? You tell me.

QUESTION 32A domain controller named DC4 runs Windows Server 2008 R2 . DC4 is configured as a DNS server for fabrikam.com .

You install the DNS Server server role on a member server named DNS1 and then you create a standardsecondary zone for fabrikam.com . You configure DC4 as the master server for the zone .

You need to ensure that DNS1 receives zone updates from DC4.

What should you do?

A. Add the DNS1 computer account to the DNSUpdateProxy group.B. On DC4, modify the permissions of fabrikam.com zone.C. On DNS1, add a conditional forwarder.D. On DC4, modify the zone transfer settings for the fabrikam.com zone.


Explanation/Reference:Practically the same question as B/Q1 and J/Q23.







QUESTION 33Your network contains an Active Directory forest named contoso.com . The forest contains two domains named contoso.com and child.contoso.com . All domain controllers run Windows Server 2008 . All forest-wide operations master roles are in chil d.contoso.com .

An administrator successfully runs adprep.exe /forestprep from the Windows Server 2008 R2 ServicePack 1 (SP1) installation media .You plan to run adprep.exe /domainprep in each domain .

You need to ensure that you have the required user righ ts to run the command successfully in eachdomain .

Of which groups should you be a member ? (Each correct answer presents part of the solution. Choose two .)

A. Administrators in child.contoso.comB. Enterprise Admins in contoso.com

C. Domain Admins in child.contoso.comD. Domain Admins in contoso.comE. Administrators in contoso.comF. Schema Admins in contoso.com


Explanation/Reference:Reference:http://technet.microsoft.com/de-de/library/cc731728.aspx

adprep /domainprepPrepares a domain for the introduction of a domain controller that runs Windows Server 2008. You run thiscommand after the forestprep command finishes and after the changes replicate to all the domain controllers inthe forest.

Run this command in each domain where you plan to add a domain controller that runs Windows Server 2008.You must run this command on the domain controller that holds the infrastructure operations master role for thedomain. You must be a member of the Domain Admins group to run this command.

QUESTION 34Your network contains an Active Directory forest named contoso.com . The forest contains a single domain and 10 domain controllers . All of the domain controllers run Windows Server 2008 R2 Service Pack 1 (SP1).

The forest contains an application directory partition named dc=app1, dc=contoso,dc=com . A domain controller named DC1 has a copy of the application directory partition .

You need to configure a domain controller named DC2 to receive a copy of dc=app1,dc=contoso,dc=corn .


A. Active Directory Sites and ServicesB. DsmodC. DcpromoD. Dsmgmt



DcpromoInstalls and removes Active Directory Domain Services (AD DS).

ParameterApplicationPartitionsToReplicate:""Specifies the application directory partitions that dcpromo will replicate. Use the following format:"partition1" "partition2" "partitionN"Use * to replicate all application directory partitions.

QUESTION 35A corporate environment includes a Windows Server 2008 R2 Active Directory Domain Se rvices (AD DS)domain .

You need to enable Universal Group Membership Caching o n several domain controllers in the domain .


A. DsmodB. DscmdC. NtdsutilD. Active Directory Sites and Services console



Enable Universal Group Membership Caching in a SiteIn a branch site that has no global catalog server and in a forest that has multiple domains, you can use thisprocedure to enable Universal Group Membership Caching on a domain controller in the site so that a globalcatalog server does not have to be contacted across a wide area network (WAN) link for every initial userlogon.

To enable Universal Group Membership Caching in a s ite1. Open Active Directory Sites and Services .2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group

Membership Caching.3. In the details pane, right-click the NTDS Site Settings object, and then click Properties.4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching .5. In the Refresh cache from list, click the site that you want the domain controller to contact when the

Universal Group membership cache must be updated, and then click OK.

QUESTION 36Your network contains an Active Directory forest . The forest contains three domains . All domain controllers have the DNS Server server role installed .The forest contains three sites named Site1 , Site2 , and Site3 . Each site contains the users, client computers, and domain controllers of each domain . Site1 contains the first domain controller deployed to the forest . The sites connect to each other by using unreliable WAN links .

The users in Site2 and Site3 report that it takes a long time to log on to their client computer when theyuse their user principal name (UPN). The users in Site1 do not experience the same issue .

You need to reduce the amount of time it takes for the Site2 users and the Site3 users to log on to theirclient computer by using their UPN .

What should you do?

A. Configure a global catalog server in Site2 and a global catalog server in Site3.B. Reduce the replication interval of the site links.C. Move a primary domain controller (PDC) emulator to Site2 and to Site3.

D. Add additional domain controllers to Site2 and to Site3.E. Reduce the cost of the site links.F. Enable universal group membership caching in Site2 and in Site3.




Common Global Catalog ScenariosThe following events require a global catalog server:

(...)User logon . In a forest that has more than one domain, two conditions require the global catalog duringuser authentication:

1. When a user principal name (UPN) is used at logon and the forest has more than one domain, a globalcatalog server is required to resolve the name.

2. (...)

QUESTION 37You have a client computer named Computer1 that runs Windows 7 .On Computer1 , you configure a source-initiated subscription .You configure the subscription to retrieve all events from the Windows logs of a doma in controllernamed DC1 . The subscription is configured to use the HTTP protocol .

You discover that events from the Security log of DC1 are not collected on Computer1. Events from the Application log of DC1 and the System log of DC1 are collected on Computer1.

You need to ensure that events from the Security log of DC1 are collected on Computer1 .

What should you do?

A. Add the computer account of Computer1 to the Event Log Readers group on the domain controller.B. Add the Network Service security principal to the Event Log Readers group on the domain.C. Configure the subscription to use custom Event Delivery Optimization settings.D. Configure the subscription to use the HTTPS protocol.


Explanation/Reference:Reference 1:http://blogs.technet.com/b/askds/archive/2011/08/29/the-security-log-haystack-event-forwarding-and-you.aspx

Preparing Windows Server 2008 and Windows Server 2008 R2You have to prepare your Windows Server 2008/2008 R2 machines for collection of security events. To do this,simply add the Network Service account to the Built-in Event Log Readers group.

Reference 2:http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/8434ffb3-1621-4bc5-8311-66d88b215886/

How to collect security logs using event forwarding ?

For Windows Vista, Windows Server 2008 and later version of clients, please follow the steps below toconfigure it.1. Click start->run, type CompMgmt.msc to open Computer Management Console.2. Under Local Users and Groups, click Groups->Event Log Readers to open Event Log Readers Properties.3. Click Add, then click Location button, select your computer and click OK.4. Click Object Types button, check the checkbox of Build-in security principals and click OK.5. Add “Network Service”build-in account to Event Log Readers group .6. Reboot the client computer.

After these steps have been taken, you will see the security event logs in the Forwarded Events on your eventcollector.

QUESTION 38Your network contains an Active Directory forest named contoso.com . The forest contains six domains .

You need to ensure that the administrators of any of th e domains can specify a user principal name(UPN) suffix of litwareinc.com when they create use r accounts by using Active Directory Users andComputers .


A. Active Directory Administrative CenterB. Set-ADDomainC. Active Directory Sites and ServicesD. Set-ADForest



We would use the following command to achieve this:

Set-ADForest -UPNSuffixes @{Add="contoso.com"}


Creating a UPN Suffix for a ForestThis topic explains how to use the Active Directory module for Windows PowerShell to create a new userprincipal name (UPN) suffix for the users in a forest. Creating an additional UPN suffix helps simplify the namesthat are used to log on to another domain in the forest.

ExampleThe following example demonstrates how to create a new UPN suffix for the users in the Fabrikam.com forest:

Set-ADForest -UPNSuffixes @{Add="headquarters.fabri kam.com"}

Reference 2http://technet.microsoft.com/en-us/library/ee617221.aspx

Set-ADForestModifies an Active Directory forest.

ParameterUPNSuffixesModifies the list of user principal name (UPN) suffixes of the forest. This parameter sets the multi-valuedmsDS-UPNSuffixes property of the cross-reference container. This parameter uses the following syntax to addremove, replace, or clear UPN suffix values.

Syntax:To add values:-UPNSuffixes @{Add=value1,value2,...}

QUESTION 39Your network contains an Active Directory domain named litwareinc.com . The domain contains two sites named Site1 and Site2 . Site2 contains a read-only domain controller (RODC).

You need to identify which user accounts attempted to a uthenticate to the RODC .


A. Active Directory Users and ComputersB. NtdsutilC. Get-ADAccountResultantPasswordReplicationPolicyD. Adtest


Explanation/Reference:Ntdsutil cannot be used for this.http://technet.microsoft.com/en-us/library/cc753343.aspx

Get-ADAccountResultantPasswordReplicationPolicy is used to get the members of the allowed list ordenied list of a read-only domain controller's password replication policy. Get-ADDomainControllerPasswordReplicationPolicyUsage could be used, but is not listed.http://technet.microsoft.com/en-us/library/ee617207.aspx

Adtest is used for perfomance testing.


Review whose accounts have been authenticated to an RODCPeriodically, you should review whose accounts have been authenticated to an RODC. (...)You can use Active Directory Users and Computers or repadmin /prp to review whose accounts have beenauthenticated to an RODC.

Reference 2:http://technet.microsoft.com/en-us/library/83a6daba-cdde-4606-97a3-6ebb9d7fa6bf(v=ws.10)#BKMK_Auth2

[Gives a step by step explanation on using Active Directory Users and Computers for this.]

QUESTION 40Your network contains an Active Directory forest . The forest schema contains a custom attribute for user objects .

You need to generate a file that contains the last logo n time and the custom attribute values for each

user in the forest .


A. the Get-ADUser cmdletB. the Export-CSV cmdletC. the Net User commandD. the Dsquery User tool


Explanation/Reference:Practically the same question as E/Q16.

I find this one a bit tricky, as both the Get-ADUser cmdlet and the Dsquery tool seem to get the job done, Ithink. The other two options play no role here:

Export-CSV cannot perform queries. It is used to save queries that have been piped through.Net User is too limited for our question.

Get-ADUserReferences:https://devcentral.f5.com/weblogs/Joe/archive/2009/01/09/powershell-abcs---o-is-for-output.aspx

http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/8d8649d9-f591-4b44-b838-e0f5f3a591d7

http://kpytko.wordpress.com/2012/07/30/lastlogon-vs-lastlogontimestamp/

Export-CsvReference:http://technet.microsoft.com/en-us/library/ee176825.aspxSaving Data as a Comma-Separated Values FileThe Export-Csv cmdlet makes it easy to export data as a comma-separated values (CSV) file; all you need todo is call Export-Csv followed by the path to the CSV file. For example, this command uses Get-Process tograb information about all the processes running on the computer, then uses Export-Csv to write that data to afile named C:\Scripts\Test.txt:Get-Process | Export-Csv c:\scripts\test.txt .

Net UserReference:http://technet.microsoft.com/en-us/library/cc771865.aspxAdds or modifies user accounts, or displays user account information.

DSQUERYReference 1:http://technet.microsoft.com/en-us/library/cc754232.aspx

Parameters{<StartNode> | forestroot | domainroot}Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot ),domain root (domainroot), or distinguished name of a node as the start node <StartNode>. If you specifyforestroot , AD DS searches by using the global catalog.

-attr {<AttributeList> | *}Specifies that the semicolon separated LDAP display names included in <AttributeList> for each entry in theresult set. If you specify the value of this parameter as a wildcard character (*), this parameter displays allattributes that are present on the object in the result set. In addition, if you specify a *, this parameter uses thedefault output format (a list), regardless of whether you specify the -l parameter. The default <AttributeList> is adistinguished name.

Reference 2:http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/dda5fcd6-1a10-4d47-9379-02ca38aaa65b

Gives an example of how to find a user with certain attributes using Dsquery. Note that it uses domainroot asthe startnode, instead of forestroot what we need.

Reference 3:http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/c6fc3826-78e1-48fd-ab6f-690378e0f787/List all last login times for all users, regardless of whether they are disabled.dsquery * -filter "(&(objectCategory=user)(objectClass=user))" -limit 0 -attr givenName sn sAMAccountNamelastLogon >>c:\last_logon_for_all.txt

QUESTION 41Your network contains an Active Directory forest named contoso.com . The forest contains six domains .

You need to ensure that the administrators of any of th e domains can specify a user principal name(UPN) suffix of litwareinc.com when they create use r accounts by using Active Directory Users andComputers .


A. Active Directory Domains and TrustsB. Set-ADDomainC. Active Directory Sites and ServicesD. Active Directory Users and Computers


Explanation/Reference:Many thanks to Camel73 for supplying this new question!


To add UPN suffixes1. Open Active Directory Domains and Trusts .2. In the console tree, right-click Active Directory Domains and Trusts, and then click Properties.3. On the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.4. Repeat step 3 to add additional alternative UPN suffixes.

QUESTION 42Domains provide which of the following functions ?

A. Creating logical boundariesB. Easing the administration of users, groups, computers, and other objectsC. Providing a central database of network objects

D. All of the above


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc756901%28v=ws.10%29.aspxActive Directory Logical Structure Background Information

Before you design your Active Directory logical structure, it is important to understand the Active Directorylogical model. Active Directory is a distributed database that stores and manages information about networkresources, as well as application-specific data from directory enabled applications. Active Directory allowsadministrators to organize elements of a network (such as users, computers, devices, and so on) into ahierarchical containment structure. The top-level container is the forest. Within forests are domains, and withindomains are organizational units. This is called the logical model because it is independent of the physicalaspects of the deployment, such as the number of domain controllers required within each domain and networktopology.

Figure 2.2 Relationship Between Active Directory Forests, Domains, and OUs

QUESTION 43You are the administrator for a large organization with multiple remote sites .

Your supervisor would like to have remote users log in locally to their own site , but he is nervous aboutsecurity .

What type of server can you implement to ease their concerns?

A. Domain controllerB. Global CatalogC. Read-only domain controllerD. Universal Group Membership Caching Server


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc772234%28v=ws.10%29.aspxRead-Only Domain Controllers Step-by-Step Guide

An RODC makes it possible for organizations to easily deploy a domain controller in scenarios where physicalsecurity cannot be guaranteed, such as branch office locations, or in scenarios where local storage of alldomain passwords is considered a primary threat, such as in an extranet or in an application-facing role.

QUESTION 44You are the network administrator for the ABC Company. Your network consists of two DNS servers named DNS1 and DNS2. The users who are configured to use DNS2 complain because they are unable to connect to Internetwebsites .

The following table shows the configuration of both servers :

The users connected to DNS2 need to be able to access t he Internet .

What needs to be done?

A. Build a new Active Directory Integrated zone on DNS2.B. Delete the .(root) zone from DNS2 and configure Conditional forwarding on DNS2.C. Delete the current cache.dns file.D. Update your cache.dns file and root hints.


Explanation/Reference:Basically the same as B/Q4.

http://support.microsoft.com/kb/298148How To Remove the Root Zone (Dot Zone)

When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone forthe domain is created and a root zone, also known as a dot zone, is also created. This root zone may preventaccess to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones otherthan those that are listed with DNS, and you cannot configure forwarders or root hint servers. For thesereasons, you may have to remove the root zone.

QUESTION 45You are the network administrator for a large company that has one main site and one branch office . Your company has a single Active Directory forest , ABC.com. You have a single domain controller named ServerA in the main site that has the DNS role installed . ServerA is configured as a primary DNS zone .

You have decided to place a domain controller named ServerB in the remote site and implement the DNSrole on that server.

You want to configure DNS so that if the WAN link fail s, users in both sites can still update records and

resolve any DNS queries .

How should you configure the DNS servers ?

A. Configure Server B as a secondary DNS server. Set replication to occur every 5 minutes.B. Configure Server B as s stub zone.C. Configure Server B as an Active Directory Integrated zone and convert Server A to an Active Directory

Integrated zone.D. Configure Server A as an Active Directory Integrated zone and configure Server B as a secondary zone.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc726034.aspxUnderstanding Active Directory Domain Services Integration







Zones are replicated and synchronized to new domain controllers automatically whenever a new one isadded to an AD DS domain. By integrating storage of your DNS zone databases in AD DS, you can streamline database replicationplanning for your network.

Directory-integrated replication is faster and more efficient than standard DNS replication.

QUESTION 46You are the network administrator for an organization that has two locations , New York and London . Each location has multiple domains but all domains fall under the same tree , Stellacon.com.

Users in the NY.us.stellacon.com domain need to access resources in the London.uk.stellacon.comdomain.

You need to reduce the amount of time it takes for auth entication when users from NY.us.stellacon.comaccess resources in London.uk.stellacon.com .

What can you do?

A. Set up a one-way shortcut trust from London.uk.stellacon.com to NY.us.stellacon.com.B. Set up a one-way shortcut trust from NY.us.stellacon.com to London.uk.stellacon.com.C. Enable Universal Group Membership Caching in NY.us.stellacon.com.D. Enable Universal Group Membership Caching in London.uk.stellacon.com.


Explanation/Reference:Basically the same as B/Q7.

http://technet.microsoft.com/en-us/library/cc754538.aspxUnderstanding When to Create a Shortcut Trust

When to create a shortcut trust

Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize theauthentication process.

Authentication requests must first travel a trust path between domain trees. In a complex forest this can taketime, which you can reduce with shortcut trusts. A trust path is the series of domain trust relationships thatauthentication requests must traverse between any two domains. Shortcut trusts effectively shorten the paththat authentication requests travel between domains that are located in two separate domain trees.

Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest. Usingthe following illustration as an example, you can form a shortcut trust between domain B and domain D,between domain A and domain 1, and so on.

Using one-way trusts

A one-way, shortcut trust that is established between two domains in separate domain trees can reduce thetime that is necessary to fulfill authentication requests—but in only one direction. For example, when a one-way,shortcut trust is established between domain A and domain B, authentication requests that are made in domain

A to domain B can use the new one-way trust path. However, authentication requests that are made in domainB to domain A must still travel the longer trust path.

Using two-way trusts

A two-way, shortcut trust that is established between two domains in separate domain trees reduces the timethat is necessary to fulfill authentication requests that originate in either domain. For example, when a two-waytrust is established between domain A and domain B, authentication requests that are made from either domainto the other domain can use the new, two-way trust path.

QUESTION 47You are hired as a consultant by ABC Corporation to implement a Windows Server 2008 R2 computer ontotheir Windows Server 2003 domain . All of the client machines are Windows 7 .

You install Windows Server 2008 R2 onto a new computer and join that computer to the Windows 2003domain .

You want to upgrade the Windows Server 2008 R2 to a dom ain controller .


A. On the new server, run adprep /domainprep.B. On the new server, run adprep /forestprep.C. On a Windows Server 2003 domain controller, run adprep /domainprep.D. On a Windows Server 2003 domain controller, run adprep /forestprep.


Explanation/Reference:Same as A/Q44:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9931e32f-6302-40f0-a7a1-2598a96cd0c1/DC promotion and adprep/forestprep

Q: I've tried to dcpromo a new Windows 2008 server installation to be a Domain Controller, running in anexisting domain. I am informed that, first, I must run adprep/forestprep ("To install a domain controller into thisActive Directory forest, you must first perpare the forest using "adprep/forestprep". The Adprep utility isavailable on the Windows Server 2008 installation media in the Windows\sources\adprep folder"

A1: You can run adprep from an existing Windows Server 2003 domain controller. Copy the contents of the\sources\adprep folder from the Windows Server 2008 installation DVD to the schema master role holder andrun Adprep from there.

A2:to introduce the first W2K8 DC within an AD forest....

(1) no AD forest exists yet:--> on the stand alone server execute: DCPROMO--> and provide the information needed

(2) an W2K or W2K3 AD forest already exists:--> ADPREP /Forestprep on the w2k/w2k3 schema master (both w2k/w2k3 forests)

--> ADPREP /rodcprep on the w2k3 domain master (only w2k3 forests)--> ADPREP /domainprep on the w2k3 infrastructure master (only w2k3 domains)--> ADPREP /domainprep /gpprep on the w2k infrastructure master (only w2k domains)--> on the stand alone server execute: DCPROMO--> and provide the information needed

QUESTION 48You need to deactivate the UGMC option on some of your domain controllers .

At which level in Active Directory would you deactivate UGMC?

A. ServerB. SiteC. DomainD. Forest


Explanation/Reference:Basically the same as B/Q22:

http://www.ntweekly.com/?p=788Question:How To Enable Or Disable Universal Group Membership Caching Windows Server 2008

Answer: Universal Group Membership Caching enables us to allow users to log on to the network withoutcontacting a Global Catalog server, this is recommended to use in remote sites without global a catalog server.

To enable or disable Universal Group Membership Caching follow the steps below:

Open Active Directory Sites And Service -> Go to the site you need to enable or disable the feature -> Rightclick on the NTDS Site Settings and Click on Properties

Tick the Box next to Enable Universal Group Membership Caching to Enable or Disable.

http://gallery.technet.microsoft.com/scriptcenter/c1bd08d2-1440-40f8-95be-ad2050674d91Script to Disable Universal Group Membership Caching in all Sites

How to Disable Universal Group Membership Caching in all Sites using a Script

Starting with Windows Server 2003, a new feature called Universal Group Membership Caching (UGMC)caches a user’s membership in Universal Groups on domain controllers authenticating the user. This featureallows a domain controller to have knowledge of Universal Groups a user is member of rather than contacting aGlobal Catalog.

Unlike Global group memberships, which are stored in each domain, Universal Group memberships are onlystored in a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domainthat is set to the Windows 2000 native domain functional level or higher, the Global Catalog provides UniversalGroup membership information for the user’s account at the time the user logs on to the domain to theauthenticating domain controller.

UGMC is generally a good idea for multiple domain forests when:1. Universal Group membership does not change frequently.2. Low WAN bandwidth between Domain Controllers in different sites.

It is also recommended to disable UGMC if all Domain Controllers in a forest are Global Catalogs.

QUESTION 49You work for an organization with a single domain forest . Your company has one main location and two branch locations .

All locations are configured as Active Directory sites and all sites are connected with theDEFAULTIPSITELINK object .

Your connections are running slower than the company pol icy allows .

You want to decrease the replication latency between al l domain controllers in the various sites .

What should you do?

A. Decrease the Replication interval for the DEFAULTIPSITELINK object.B. Decrease the Replication interval for the site.C. Decrease the Replication schedule for the site.D. Decrease the Replication schedule for all domain controllers.


Explanation/Reference:Basically the same as A/Q28:

Answer : Decrease the replication interval for the DEFAULTIPSITELINK object.

Personal comment:All sites are connected with the DEFAULTIPSITELINK object. <- this roughly translates into all sites areconnected with the first domain controller in the forestSo the topology is star shaped.Thus, decreasing the cost between the connection objects will offer no benefit.We know we have multiple sites linked and are using a DEFAULTIPSITELINK object.Thus, the most plausible answer is to decrease the replication interval for DEFAULTIPSITELINK.

Explanation :http://www.informit.com/articles/article.aspx?p=26866&seqNum=5Understanding Active Directory, Part IIIReplication

Active Directory replication between domain controllers is managed by the system administrator on a site-by-site basis. As domain controllers are added, a replication path must be established. This is done by theKnowledge Consistency Checker (KCC), coupled with Active Directory replication components. The KCC is adynamic process that runs on all domain controllers to create and modify the replication topology. If a domaincontroller fails, the KCC automatically creates new paths to the remaining domain controllers. Manualintervention with the KCC will also force a new path.

The Active Directory replaces PDCs and BDCs with multimaster replication services. Each domain controllerretains a copy of the entire directory for that particular domain. As changes are made in one domain controller,the originator communicates these changes to the peer domain controllers. The directory data itself is stored inthe ntds.dit file.

Active Directory replication uses the Remote Procedure Call (RPC) over IP to conduct replication within a site.Replication between sites can utilize either RPC or the Simple Mail Transfer Protocol (SMTP) for datatransmission. The default intersite replication protocol is RPC.Intersite and Intrasite Replication

There are distinct differences in internal and intersite domain controller replication. In theory, the networkbandwidth within a site is sufficient to handle all network traffic associated with replication and other ActiveDirectory activities. By the definition of a site, the network must be reliable and fast. A change notificationprocess is initiated when modifications occur on a domain controller. The domain controller waits for aconfigurable period (by default, five minutes) before it forwards a message to its replication partners. Duringthis interval, it continues to accept changes. Upon receiving a message, the partner domain controllers copy the

modification from the original domain controller. In the event that no changes were noted during a configurableperiod (six hours, by default), a replication sequence ensures that all possible modifications are communicated.Replication within a site involves the transmission of uncompressed data.

NOTE

Security-related modifications are replicated within a site immediately. These changes include account andindividual user lockout policies, changes to password policies, changes to computer account passwords, andmodifications to the Local Security Authority (LSA).

Replication between sites assumes that there are network-connectivity problems, including insufficientbandwidth, reliability, and increased cost. Therefore, the Active Directory permits the system to make decisionson the type, frequency, and timing of intersite replication. All replication objects transmitted between sites arecompressed, which may reduce traffic by 10 to 25 percent, but because this is not sufficient to guaranteeproper replication, the system administrator has the responsibility of scheduling intersite replication.Replication Component Objects

Whereas the KCC represents the process elements associated with replication, the following comprise theActive Directory object components:

Connection object. Domain controllers become replication "partners" when linked by a connection object.This is represented by a one-way path between two domain controller server objects. Connection objectsare created by the KCC by default. They can also be manually created by the system administrator.NTDS settings object. The NTDS settings object is a container that is automatically created by the ActiveDirectory. It contains all of the connection objects, and is a child of the server object.Server object. The Active Directory represents every computer as a computer object. The domain controlleris also represented by a computer object, plus a specially created server object. The server object's parentis the site object that defines its IP subnet. However, in the event that the domain controller server objectwas created prior to site creation, it will be necessary to manually define the IP subnet to properly assign thedomain controller a site.

When it is necessary to link multiple sites, two additional objects are created to manage the replicationtopology.

Site link . The site link object specifies a series of values (cost, interval, and schedule) that define theconnection between sites. The KCC uses these values to manage replication and to modify the replicationpath if it detects a more efficient one. The Active Directory DEFAULTIPSITELINK is used by default untilthe system administrator intervenes. The cost value, ranging from 1 to 32767, is an arbitrary estimate of theactual cost of data transmission as defined bandwidth. The interval value sets the number of timesreplication will occur: 15 minutes to a maximum of once a week (or 10080 minutes) is the minimum; threehours is the default. The schedule interval establishes the time when replication should occur. Althoughreplication can be at any time by default, the system administrator may want to schedule it only during off-peak network hours.Site link bridges. The site link bridge object defines a set of links that communicate via the same protocol.By default, all site links use the same protocol, and are transitive. Moreover, they belong to a single site linkbridge. No configuration is necessary to the site link bridge if the IP network is fully routed. Otherwise,manual configuration may be necessary.


http://technet.microsoft.com/en-us/library/cc775549%28v=ws.10%29.aspxWhat Is Active Directory Replication Topology?

Replication of updates to Active Directory objects are transmitted between multiple domain controllers to keepreplicas of directory partitions synchronized. Multiple domains are common in large organizations, as aremultiple sites in disparate locations. In addition, domain controllers for the same domain are commonly placedin more than one site.

Therefore, replication must often occur both within sites and between sites to keep domain and forest data

consistent among domain controllers that store the same directory partitions. Site objects can be configured toinclude a set of subnets that provide local area network (LAN) network speeds. As such, replication within sitesgenerally occurs at high speeds between domain controllers that are on the same network segment. Similarly,site link objects can be configured to represent the wide area network (WAN) links that connect LANs.Replication between sites usually occurs over these WAN links, which might be costly in terms of bandwidth. Toaccommodate the differences in distance and cost of replication within a site and replication between sites, theintrasite replication topology is created to optimize speed, and the intersite replication topology is created tominimize cost.

The Knowledge Consistency Checker (KCC) is a distributed application that runs on every domain controllerand is responsible for creating the connections between domain controllers that collectively form the replicationtopology. The KCC uses Active Directory data to determine where (from what source domain controller to whatdestination domain controller) to create these connections.

..

The following diagram shows the interaction of these technologies with the replication topology, which isindicated by the two-way connections between each set of domain controllers.

Replication Topology and Dependent Technologies

http://technet.microsoft.com/en-us/library/cc755994%28v=ws.10%29.aspxHow Active Directory Replication Topology Works

..Replication Topology Physical StructureThe Active Directory replication topology can use many different components. Some components are requiredand others are not required but are available for optimization. The following diagram illustrates most replicationtopology components and their place in a sample Active Directory multisite and multidomain forest. Thedepiction of the intersite topology that uses multiple bridgehead servers for each domain assumes that at leastone domain controller in each site is running at least Windows Server 2003. All components of this diagram andtheir interactions are explained in detail later in this section.

Replication Topology Physical Structure

In the preceding diagram, all servers are domain controllers. They independently use global knowledge ofconfiguration data to generate one-way, inbound connection objects. The KCCs in a site collectively create anintrasite topology for all domain controllers in the site. The ISTGs from all sites collectively create an intersitetopology. Within sites, one-way arrows indicate the inbound connections by which each domain controllerreplicates changes from its partner in the ring. For intersite replication, one-way arrows represent inboundconnections that are created by the ISTG of each site from bridgehead servers (BH) for the same domain (orfrom a global catalog server [GC] acting as a bridgehead if the domain is not present in the site) in other sitesthat share a site link. Domains are indicated as D1, D2, D3, and D4.

Each site in the diagram represents a physical LAN in the network, and each LAN is represented as a siteobject in Active Directory. Heavy solid lines between sites indicate WAN links over which two-way replicationcan occur, and each WAN link is represented in Active Directory as a site link object. Site link objects allowconnections to be created between bridgehead servers in each site that is connected by the site link.

Not shown in the diagram is that where TCP/IP WAN links are available, replication between sites uses theRPC replication transport. RPC is always used within sites. The site link between Site A and Site D uses theSMTP protocol for the replication transport to replicate the configuration and schema directory partitions andglobal catalog partial, read-only directory partitions. Although the SMTP transport cannot be used to replicate

writable domain directory partitions, this transport is required because a TCP/IP connection is not availablebetween Site A and Site D. This configuration is acceptable for replication because Site D does not hostdomain controllers for any domains that must be replicated over the site link A-D.

By default, site links A-B and A-C are transitive (bridged), which means that replication of domain D2 is possiblebetween Site B and Site C, although no site link connects the two sites. The cost values on site links A-B and A-C are site link settings that determine the routing preference for replication, which is based on the aggregatedcost of available site links. The cost of a direct connection between Site C and Site B is the sum of costs on sitelinks A-B and A-C. For this reason, replication between Site B and Site C is automatically routed through Site Ato avoid the more expensive, transitive route. Connections are created between Site B and Site C only ifreplication through Site A becomes impossible due to network or bridgehead server conditions.

...

Control Replication Latency and CostReplication latency is inherent in a multimaster directory service. A period of replication latency begins when adirectory update occurs on an originating domain controller and ends when replication of the change is receivedon the last domain controller in the forest that requires the change. Generally, the latency that is inherent in aWAN link is relative to a combination of the speed of the connection and the available bandwidth. Replicationcost is an administrative value that can be used to indicate the latency that is associated with differentreplication routes between sites. A lower-cost route is preferred by the ISTG when generating the replicationtopology.

Site topology is the topology as represented by the physical network: the LANs and WANs that connect domaincontrollers in a forest. The replication topology is built to use the site topology. The site topology is representedin Active Directory by site objects and site link objects. These objects influence Active Directory replication toachieve the best balance between replication speed and the cost of bandwidth utilization by distinguishingbetween replication that occurs within a site and replication that must span sites. When the KCC createsreplication connections between domain controllers to generate the replication topology, it creates moreconnections between domain controllers in the same site than between domain controllers in different sites.The results are lower replication latency within a site and less replication bandwidth utilization between sites.

Within sites, replication is optimized for speed as follows:Connections between domain controllers in the same site are always arranged in a ring, with possibleadditional connections to reduce latency.Replication within a site is triggered by a change notification mechanism when an update occurs, moderatedby a short, configurable delay (because groups of updates frequently occur together).Data is sent uncompressed, and thus without the processing overhead of data compression.

Between sites, replication is optimized for minimal bandwidth usage (cost) as follows:Replication data is compressed to minimize bandwidth consumption over WAN links.Store-and-forward replication makes efficient use of WAN links — each update crosses an expensive linkonly once.Replication occurs at intervals that you can schedule so that use of expensive WAN links is managed.The intersite topology is a layering of spanning trees (one intersite connection between any two sites foreach directory partition) and generally does not contain redundant connections.

...

Topology-Related Objects in Active DirectoryActive Directory stores replication topology information in the configuration directory partition. Severalconfiguration objects define the components that are required by the KCC to establish and implement thereplication topology:

..Site Link ObjectsFor a connection object to be created on a destination domain controller in one site that specifies a sourcedomain controller in another site, you must manually create a site link object (class siteLink ) that connectsthe two sites. Site link objects identify the transport protocol and scheduling required to replicate between twoor more sites. You can use Active Directory Sites and Services to create the site links. The KCC uses theinformation stored in the properties of these site links to create the intersite topology connections.

A site link is associated with a network transport by creating the site link object in the appropriate transportcontainer (either IP or SMTP). All intersite domain replication must use IP site links. The Simple Mail TransferProtocol (SMTP) transport can be used for replication between sites that contain domain controllers that donot host any common domain directory partition replicas.Site Link Properties

A site link specifies the following:Two or more sites that are permitted to replicate with each other.An administrator-defined cost value associated with that replication path. The cost value controls the routethat replication takes, and thus the remote sites that are used as sources of replication information.A schedule during which replication is permitted to occur .An interval that determines how frequently replication occurs over this site link during the times when theschedule allows replication.

Default Site LinkWhen you install Active Directory on the first domain controller in the forest, an object named DEFAULTIPSITELINK is created in the Sites container (in the IP container within the Inter-Site Transportscontainer). This site link contains only one site, Default-First-Site-Name.

QUESTION 50You are the network administrator for the ABC Company. The ABC Company has all Windows Server 2008 R2 Active Directory domains and uses an EnterpriseRoot certificate server .

You need to verify that revoked certificate data is hig hly available .

What should you do?

A. Implement a Group Policy Object(GPO) that has the Certificate Verification Enabled option.B. Using Network Load Balancing, implement an Online Certificate Status Protocol(OCSP) responder.C. Implement a Group Policy object(GPO) that enables the Online Certificate Status Protocol(OCSP)

responder.D. Using Network Load Balancing, implement the Certificate Verification Enabled option.



Answer : Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.

Explanation :http://technet.microsoft.com/en-us/library/cc731027%28v=ws.10%29.aspxAD CS: Online Certificate Status Protocol Support

Certificate revocation is a necessary part of the process of managing certificates issued by certificationauthorities (CAs). The most common means of communicating certificate status is by distributing certificaterevocation lists (CRLs). In the Windows Server® 2008 operating system, public key infrastructures (PKIs)where the use of conventional CRLs is not an optimal solution , an Online Responder based on theOnline Certificate Status Protocol (OCSP) can be us ed to manage and distribute revocation statusinformation .

What does OCSP support do?

The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of twocommon methods for conveying information about the validity of certificates. Unlike CRLs, which are distributedperiodically and contain information about all certificates that have been revoked or suspended, an OnlineResponder receives and responds only to requests from clients for information about the status of a singlecertificate. The amount of data retrieved per request remains constant no matter how many revoked certificatesthere might be.

In many circumstances, Online Responders can process certificate status r equests more efficiently thanby using CRLs ...Adding one or more Online Responders can significantly enhance the flexibility and scalabili ty of anorganization's PKI ...

Further information :http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-part-v-high-availability.aspxImplementing an OCSP Responder: Part V High Availability

There are two major pieces in implementing the High Availability Configuration . The first step is to add theOCSP Responders to what is called an Array . When OCSP Responders are configured in an Array, theconfiguration of the OCSP responders can be easily maintained, so that all Responders in the Array have thesame configuration. The configuration of the Array Controller is used as the baseline configuration that is thenapplied to other members of the Array.

The second piece is to load balance the OCSP Responders. Load balancing of the OCSP responders iswhat actually provides fault tolerance .

QUESTION 51You are the network administrator for your organization. Your company uses a Windows Server 2008 R2 Enterprise Root CA . The company has issued a new policy that prevents port 443 and port 80 from being opened on domaincontrollers and on issuing CAs .

Your users need to request certificates from a web inter face . You have already installed the AD CS role .

What do you need to do next ?

A. Configure the Certificate Authority Web Enrollment Service on a member server.B. Configure the Certificate Authority Web Enrollment Service on a domain server.C. Configure AD FS on member server to allow secure web-based access.D. Configure AD FS on domain controller to allow secure web-based access.



http://technet.microsoft.com/en-us/library/dd759209.aspxCertificate Enrollment Web Service Overview

The Certificate Enrollment Web Service is an Active Directory Certificate Services (AD CS) role service thatenables users and computers to perform certificate enrollment by using the HTTPS protocol. Together with theCertificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the clientcomputer is not a member of a domain or when a domain member is not connected to the domain.

Personal note:since domain controllers are off-limits (regarding open ports), you are left to install the Certificate EnrollmentWeb Service role service on a plain member server

QUESTION 52You are the administrator of an organization with a single Active Directory domain . A user who left the company returns after 16 weeks . The user tries to log onto their old computer and receives an error stating that authentication has f ailed . The user's account has been enabled .

You need to ensure that the user is able to log onto th e domain using that computer .

What do you do?

A. Reset the computer account in Active Directory. Disjoin the computer from the domain and then rejoin thecomputer to the domain.

B. Run the ADadd command to rejoin the computer account.C. Run the MMC utility on the user's computer and add the Domain Computers snap-in.D. Re-create the user account and reconnect the user account to the computer account.



Answer : Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer tothe domain.

Explanation :http://social.technet.microsoft.com/wiki/contents/articles/9157.trust-relationship-between-workstation-and-primary-domain-failed.aspxTrust Relationship between Workstation and Primary Domain failed

What are the common causes which generates this message on client systems?

There might be multiple reasons for this kind of behaviour. Below are listed a few of them:1. Single SID has been assigned to multiple computers.2. If the Secure Channel is Broken between Domain controller and workstations3. If there are no SPN or DNSHost Name mentioned in the computer account attributes4. Outdated NIC Drivers.

How to Troubleshoot this behaviour?.. 2. If the Secure Channel is Broken between Domain control ler and workstationsWhen a Computer account is joined to the domain, Secure Channel password is stored with computer accountin domain controller. By default this password will change every 30 days (This is an automatic process, nomanual intervention is required). Upon starting the computer, Netlogon attempts to discover a DC for thedomain in which its machine account exists. After locating the appropriate DC, the machine account passwordfrom the workstation is authenticated against the password on the DC.If there are problems with system time, DNS configuration or other settings, secure channel’s passwordbetween Workstation and DCs may not synchronize with each other.

A common cause of broken secure channel [machine account password] is that the secure channel passwordheld by the domain member does not match that held by the AD. Often, this is caused by performing a

Windows System Restore (or reverting to previous backup or snapshot) on the member machine, causing anold (previous) machine account password to be presented to the AD.

Resolution:

Most simple resolution would be unjoin/disjoin the computer from the domain and rejoin the computeraccount back to the domain.(this is a somewhat similar principle to performing a password reset for a user account)

Or

You can go ahead and reset the computer account using netdom.exe tool

http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspxNetdom



You can use netdom to :Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain. Manage computer accounts for domain member workstations and member servers. Managementoperations include: Establish one-way or two-way trust relationships between domains, including the following kinds of trustrelationships: Verify or reset the secure channel for the following configurations:

* Member workstations and servers . * Backup domain controllers (BDCs) in a Windows NT 4.0 domain. * Specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000replicas.

Manage trust relationships between domains.

SyntaxNetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]

http://technet.microsoft.com/en-us/library/cc788073%28v=ws.10%29.aspxNetdom reset

Resets the secure connection between a workstation and a domain controller.

Syntaxnetdom reset <Computer> {/d: | /domain:}<Domain> [{/s: | /server:}<Server>] [{/uo: | /usero:}<User> {/po: | /passwordo}{<Password>|*}] [{/help | /?}]

Further information :http://technet.microsoft.com/en-us/library/cc835085%28v=ws.10%29.aspxNetdom trust

Establishes, verifies, or resets a trust relationship between domains.

Syntaxnetdom trust <TrustingDomainName> {/d: | /domain:} <TrustedDomainName> [{/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}] [{/uo: | /usero:}<User>] [{/po: | /passwordo:}{<Password>|*}] [/verify] [/reset] [/passwordt:<NewRealmTrustPassword>] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/

transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:<TrustName> [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH][/AddTLN][/AddTLNEX][/RemoveTLN] [/RemoveTLNEX][{/help | /?}]

QUESTION 53You are the administrator of an organization with a single Active Directory domain . One of your senior executives tries to log onto a machine and receives the error "This user account hasexpired. Ask your administrator to reactivate your account ".

You need to make sure this doesn't happen again to this user .

What do you do?

A. Configure the domain policy to disable account lockouts.B. Configure the password policy to extend the maximum password age to 0.C. Modify the user's properties to set the Account Never Expires setting.D. Modify the user's properties to extend the maximum password age to 0.



Answer : Modify the properties of the user account to set the account to never expire.

Explanation :

Further information :http://technet.microsoft.com/en-us/library/dd145547.aspxUser Properties - Account Tab

Account expiresSets the account expiration policy for this user. You can select between the following options:

Use Never to specify that the selected account will never expire. This option is the default for new users.Select End of and then select a date if you want to have the user's account expire on a specified date.

QUESTION 54You work for an organization with a single Windows Server 2008 R2 Active Directory do main . The domain has OUs for Sales , Marketing , Admin , R&D and Finance .

You need only the users in the Finance OU to get Window s Office 2010 installed automatically ontotheir computers . You create a GPO named OfficeApp .

What is the next step in getting all the Finance users Office 2010?

A. Edit the GPO and assign the Office application to the users account. Link the GPO to the Finance OU.B. Edit the GPO and assign the Office application to the users account. Link the GPO to the domain.

C. Edit the GPO and assign the Office application to the computer account. Link the GPO to the domain.D. Edit the GPO and assign the Office application to the computer account. Link the GPO to the Finance OU.


Explanation/Reference:Almost the same as A/Q38 and B/Q21

Self explanatory.

QUESTION 55You are the systems administrator for a medium-sized Active Directory domain . Currently, the environment supports many different domain controllers , some of which are running WindowsNT 4 and others that are running Windows 2003 and Server 2008 R2 .

When you are running domain controllers in this type of environment, which of the following types of groupscan you not use ?(Choose Two )

A. Universal security groupsB. Global groupsC. Domain local groupsD. Computer groups


Explanation/Reference:http://support.microsoft.com/kb/231273Group Type and Scope Usage in Windows

Windows 2000 and later extends the Microsoft Windows NT 4.0 concept of user groups by addingUniversal and Distribution groups . In Windows NT 4.0, there are only Global and Local groups, and both areconsidered Security groups.

QUESTION 56You are the network administrator for an organization that has all Windows Server 2008 R2 domaincontrollers .

You need to capture all replication errors that occur b etween all domain controllers .

What should you do?

A. Use System Performance data collector sets.B. Use ntdsutil.C. Configure event log subscriptions.D. Use the ADSI Edit tool.



Basically the same as A/Q46:

http://technet.microsoft.com/en-us/library/cc748890.aspxConfigure Computers to Forward and Collect Events







QUESTION 57You are one of two network administrators for your organization. Your IT partner does most of the work in Active Directory.

While working in Active Directory, your partner accidently deleted a user from the Sales OU . You recover the user from tape backup but you want to h elp prevent this from happening again in thefuture .

What can you do?

A. Enable the Active Directory Recycle Bin.B. Use ADSI Edit to restore the user.C. Take away all rights from the other administrator.D. Use the Directory Services Restore Mode Lockout command.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd392261%28v=ws.10%29.aspxActive Directory Recycle Bin Step-by-Step Guide

Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserveand restore accidentally deleted Active Directory objects without restoring Active Directory data from backups,restarting Active Directory Domain Services (AD DS), or rebooting domain controllers.

When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deletedActive Directory objects are preserved and the objects are restored in their entirety to the same consistent

logical state that they were in immediately before deletion. For example, restored user accounts automaticallyregain all group memberships and corresponding access rights that they had immediately before deletion,within and across domains.

Active Directory Recycle Bin is functional for both AD DS and Active Directory Lightweight Directory Services(AD LDS) environments.

ImportantBy default , Active Directory Recycle Bin in Windows Server 2008 R2 is disabled . To enable it, you mustfirst raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2,which in turn requires all forest domain controllers or all servers that host instances of AD LDS configurationsets to be running Windows Server 2008 R2. After you set the forest functional level of your environment toWindows Server 2008 R2, you can use the instructions in this guide to enable Active Directory Recycle Bin.In this release of Windows Server 2008 R2, the process of enabling Active Directory Recycle Bin isirreversible. After you enable Active Directory Recycle Bin in your environment, you cannot disable it.

QUESTION 58What is the maximum number of domains that a Windows Server 2008 R2 computer , configured as adomain controller , may participate in at one time ?

A. ZeroB. OneC. TwoD. Any number of domains


Explanation/Reference:Personal comment:A computer, be it a workstation or a server, can be a member of only one domain at a time.

QUESTION 59You are the systems administrator of a large organization that has recently implemented Windows Server2008 R2. You have a few remote sites that do not have very tight security .

You have decided to implement read-only domain control lers (RODC) .

What forest functional levels does the network need for you to do the install? (Choose Three )

A. Windows 2000 MixedB. Windows 2008 R2C. Windows 2003D. Windows 2008



Ensure that the forest functional level is Windows Server 2003 or h igher .

..Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 inthe same domain as the RODC and ensure that the writable domain controller is also a DNS server that hasregistered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate domainupdates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.

QUESTION 60Your network contains an Active Directory domain .The domain contains 20 domain controllers .You need to identify which domain controllers are globa l catalog servers .


A. dsqueryB. netshC. nltestD. Get-ADOptionalFeature


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc732885%28v=ws.10%29.aspxDsquery server

Dsquery is a command-line tool that is built into Windows Server 2008. It is available if you have the ActiveDirectory Domain Services (AD DS) server role installed.

Syntaxdsquery server [-o {dn | rdn}] [-forest] [-domain <DomainName>] [-site <SiteName>] [-name <Name>] [-desc<Description>] [-hasfsmo {schema | name | infr | pdc | rid}] [-isgc] [{-s <Server> | -d <Domain>}] [-u<UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]

Parameters..-gc Specifies that the search use the Active Directory global catalog....

To find all domain controllers in the domain widgets.contoso.com that are global catalog servers, type:dsquery server –domain widgets.contoso.com -isgc

QUESTION 61Your network contains an Active Directory forest . The forest contains two domains named contoso.com and east.contoso.com . The contoso.com domain contains a domain controller named DC1. The east.contoso.com domain contains a domain controller named DC2. DC1 and DC2 have the DNS Server server role install ed.


What should you do?

A. Create a primary zone on DC1 and store the zone in DC=Contoso, DC=com naming context. Create asecondary zone on DC2 and select DC1 as the master.

B. Create a primary zone on DC1 and store the zone in a zone file. Configure Encrypting File System (EFS)

encryption. Create a secondary zone on DC2 and select DC1 as the master.C. Create a primary zone on DC1 and store the zone in a zone file. Configure IPSec on DC1 and DC2. Create

a secondary zone on DC2 and select DC1 as the master.D. Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for the zone. Create a

secondary zone on DC2 and select DC1 as the master.


Explanation/Reference:Similar to A/Q15 and K/Q13.

http://technet.microsoft.com/en-us/network/bb531150.aspxIPsec

Internet Protocol security (IPsec) uses cryptographic security services to protect communications over InternetProtocol (IP) networks. IPsec supports network-level peer authentication, data origin authentication, dataintegrity, data confidentiality (encryption), and replay protection. The Microsoft implementation of IPsec is basedon Internet Engineering Task Force (IETF) standards.

In Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, you can configure IPsecbehavior by using the Windows Firewall with Advanced Security snap-in. In earlier versions of Windows, IPsecwas a stand-alone technology separate from Windows Firewall.

http://technet.microsoft.com/en-us/library/ee649192%28v=ws.10%29.aspxSecure Zone Transfers with IPsec

Use the following procedure to configure an IP Security (IPsec) rule to secure communications b etweentwo DNS servers . When applied to the primary and secondary DNS servers for a zone, this policy will protectupdates occurring by zone transfer from the primary to the secondary DNS server. By applying this policy, zonetransfers are not allowed unless both servers are domain members and have matching connection securityrules. The policy is configured to apply to zone transfers between IP addresses specified on the Zone Transferstab.

Exam F

QUESTION 1Your network contains an Active Directory forest named adatum.com . The forest contains four child domains named europe.adatum.com , northamerica.adatum.com ,asia.adatum.com , and africa.adatum.com .

You need to create four new groups in the forest root d omain .

The groups must be configured as shown in the following table:

What should you do?

To answer, drag the appropriate group type to the correct group name in the answer area.

Select and Place:

Correct Answer:


Explanation/Reference:Reference:Windows Server 2008 R2 Unleashed (SAMS, 2010)page 128

Domain local groupsDomain local groups are essentially the same thing as local groups in Windows NT, and are used to administerresources located only on their own domain. They can contain users and groups from any other trusted domain.Most typically, these types of groups are used to grant access to resources for groups in different domains.

Global groupsGlobal groups are on the opposite side from domain local groups. They can contain users only in the domain inwhich they exist but are used to grant access to resources in other trusted domains. These types of groups arebest used to supply security membership to user accounts that share a similar function, such as the salesglobal group.

Universal groupsUniversal groups can contain users and groups from any domain in the forest and can grant access to anyresource in the forest. Along with this added power come a few caveats. First, universal groups are availableonly in domains with a functional level of Windows 2000 Native or later. Second, all members of each universalgroup are stored in the global catalog, increasing the replication load. It is important to note, however, thatuniversal group membership replication has been noticeably streamlined and optimized in Windows Server2008 R2 because the membership is incrementally replicated.


You need to use Group Policies to deploy the line-of-bu siness applications shown in the followingtable:

What should you do?

To answer, drag the appropriate deployment method to the correct application in the answer area.

Select and Place:

Correct Answer:


Explanation/Reference:Practically the same question as L/Q10.

Reference:technet.microsoft.com/en-us/library/cc783502.aspx

Software installationYou can use the Software Installation extension of Group Policy to centrally manage software distribution inyour organization. You can assign and publish software for groups of users and computers using this extension.

Assigning ApplicationsWhen you assign applications to users or computers, the applications are automatically installed on theircomputers at logon (for user-assigned applications) or startup (for computer-assigned applications.)

When assigning applications to users , the default behavior is that the application will be advertised to thecomputer the next time the user logs on. This means that the application shortcut appears on the Start menu,and the registry is updated with information about the application, including the location of the applicationpackage and the location of the source files for the installation. With this advertisement information on theuser's computer, the application is installed the first time the user tries to use the application. In addition to thisdefault behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully installthe package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored bycomputers running Windows 2000, which will always advertise user-assigned applications.

When assigning applications to computers , the application is installed the next time the computer boots up.Applications assigned to computers are not advertised, but are installed with the default set of featuresconfigured for the package. Assigning applications through Group Policy requires that the application setup isauthored as a Windows Installer (.msi) package.

Publishing ApplicationsYou can also publish applications to users , making the application available for users to install. To install apublished application, users can use Add or Remove Programs in Control Panel, which includes a list of allpublished applications that are available for them to install. Alternatively, if the administrator has selected theAuto-install this application by file extension activation feature, users can open a document file associated witha published application. For example, double clicking an .xls file will trigger the installation of Microsoft Excel, if

it is not already installed. Publishing applications only applies to user policy; you cannot publish applications tocomputers.


The DNS infrastructure fails .You rebuild the DNS infrastructure .

You need to force the registration of the Active Direct ory Service Locator (SRV) records in DNS .

Which service should you restart on the domain controllers?

To answer, select the appropriate service in the answer area.

Point and Shoot:

Correct Answer:




QUESTION 4Your network contains an Active Directory forest named contoso.com . The password policy of the forest requires that the passwords for all of the user accounts be changedevery 30 days .

You need to create user accounts that will be used by s ervices . The passwords for these accounts must be changed automa tically every 30 days .

Which tool should you use to create these accounts?

To answer, select the appropriate tool in the answer area.

Point and Shoot:

Correct Answer:


Explanation/Reference:Use the New-ADServiceAccount cmdlet in PowerShell to create the new accounts as managed serviceaccounts. Managed service accounts offer Automatic password management, making password managementeasier.


What are the benefits of new service accounts?In addition to the enhanced security that is provided by having individual accounts for critical services, there arefour important administrative benefits associated with managed service accounts:

(...)Unlike with regular domain accounts in which administrators must reset passwords manually, the network

passwords for these accounts will be reset automatically.(...)


Use the Active Directory module for Windows PowerShell to create a managed service account.


To create a new managed service account1. On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc, and then click OK

to open the Active Directory Users and Computers snap-in. Confirm that the Managed Service Accountcontainer exists.

2. Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShellicon .

3. Run the following command: New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>].

Reference 4:http://technet.microsoft.com/en-us/library/hh852236.aspx

Use the -ManagedPasswordIntervalInDays parameter with New-ADServiceAccount to specify thenumber of days for the password change interval.

-ManagedPasswordIntervalInDays<Int32>

Specifies the number of days for the password change interval. If set to 0 then the default is used. This can onlybe set on object creation. After that the setting is read only. This value returns the msDS-ManagedPasswordInterval of the group managed service account object.

The following example shows how to specify a 90 day password changes interval:

-ManagedPasswordIntervalInDays 90

QUESTION 5Your network contains an Active Directory forest named contoso.com . All client computers run Windows 7 Enterprise .

You need to automatically create a local group named Po werManagers on each client computer thatcontains a battery . The solution must minimize the amount of administrative effort .

Which node in Group Policy Management Editor should you use?

To answer, select the appropriate node in the answer area.

Point and Shoot:

Correct Answer:



Configure a Local Group ItemLocal Group preference items allow you to centrally create, delete, and rename local groups. Also, you can usethese preference items to change local group memberships. Before you create a local group preference item,you should review the behavior of each type of action possible with the extension.

Creating a Local Group item1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain

the new preference item, and then click Edit.2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder ,

and then expand the Control Panel Settings folder .3. Right-click the Local Users and Groups node, point to New, and select Local Group.4. In the New Local Group Properties dialog box, select an Action for Group Policy to perform. (For more

information, see "Actions" in this topic.)5. Enter local group settings for Group Policy to configure or remove. (For more information, see "Local group

settings" in this topic.)

6. Click the Common tab, configure any options, and then type your comments in the Description box. (Formore information, see Configure Common Options.)

7. Click OK. The new preference item appears in the details pane.

ActionsThis type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. Thebehavior of the preference item varies with the action selected and whether a group with the same name exists.

Create - Create a new local group on the local computer. If the local group exists, then do not modify it.(...)

QUESTION 6Your network contains an Active Directory domain named contoso.com . The domain contains a domain controller named Server1 . Server1 has an IP address of 192.168.200.100.

You need to view the Pointer (PTR) record for Server1 .

Which zone should you open in the DNS snap-in to view the record?

To answer, select the appropriate zone in the answer area.

Point and Shoot:

Correct Answer:



Reference 1:MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)page 57

Reverse lookup : This occurs when a client computer knows the IP address of another computer and requiresits hostname, which can be found in the DNS server’s PTR (pointer) resource record.

Reference 2:MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)page 45/730

You are configuring a reverse lookup zone for your network, which uses the Class C network address range of192.168.5.0/24. Which of the following addresses should you use for the reverse lookup zone?a. 5.168.192.in-addr.arpab. 0.5.168.192.in-addr.arpac. 192.168.5.in-addr.arpad. 192.168.5.0.in-addr.arpa

The reverse lookup zone contains octets of the network portion of the IP address in reverse sequence and usesa special domain name ending in in-addr.arpa. Thus the correct address is 5.168.192.in-addr.arpa. You do notuse the host portion of the IP address, so 0.5.168.192.in-addr.arpa is incorrect. The octets must be specified inreverse sequence, so the other two choices are both incorrect.


You need to create a new site link between two sites na med Site1 and Site3 . The site link must support the replication of domai n objects .

Under which node in Active Directory Sites and Services should you create the site link?


Point and Shoot:

Correct Answer:



You can use this procedure to create a site link object and add the appropriate sites to it.

To create a site link object8. Open Active Directory Sites and Services .9. Expand Sites , and then expand Inter-Site Transports .10.Right-click IP, and then click New Site Link .11. In Name, type a name for the site link.12. In Sites not in this site link, click a site that you want to add to the site link. Hold down the SHIFT key to click

a second site that is adjacent in the list, or hold down the CTRL key to click a second site that is notadjacent in the list.

13.After you select all the sites that you want to add to the site link, click Add, and then click OK.

QUESTION 8Your company has a main office and a branch office . All servers are located in the main office . The network contains an Active Directory forest named adatum.com . The forest contains a domain controller named MainDC that runs Windows Server 2008 R2 Enterprise anda member server named FileServer that runs Windows Server 2008 R2 Standard .

You have a kiosk computer named Public_Computer that runs Windows 7 . Public_Computer is not connected to the network .

You need to join Public_Computer to the adatum.com doma in .

What should you do?

To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area andarrange them in the correct order.

Build List and Reorder:

Correct Answer:







3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windowsdirectory.

4. When you start or restart the computer , it will be a member of the domain.

QUESTION 9Your network contains two forests named contoso.com and fabrikam.com . The functional level of all the domains is Windows Server 2003 . The functional level of both forests is Windows 2000 .

You need to create a trust between contoso.com and fabr ikam.com . The solution must ensure that users from contoso.com ca n only access the servers in fabrikam.comthat have the Allowed to Authenticate permission se t.

What should you do?



Correct Answer:


Explanation/Reference:Still not really sure whether an external trust or forest trust is needed here. Just left it as it is.


Selective authentication over an external trust restricts access to only those users in a trusted domain whohave been explicitly given authentication permissions to computer objects (resource computers) that reside inthe trusting domain. To explicitly give authentication permissions to computer objects in the trusting domain tocertain users, administrators must grant those users the Allowed to Authenticate permission in Active Directory.


You need to create an Active Directory Rights Managemen t Services (AD RMS) licensing-only cluster .

What should you do?



Correct Answer:


Explanation/Reference:During the installation of the AD RMS root cluster we need to select a configuration database, so we need toinstall SQL Server 2008 first. Next we need to install the AD RMS root cluster, only then can we install the ADRMS licensing-only cluster. The last step is to deploy the AD RMS policy templates.


Before you install AD RMSBefore you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 forthe first time, there are several requirements that must be met:

(...)

In addition to pre-installation requirements for AD RMS, we strongly recommend the following:Install the database server that is used to host the AD RMS databases on a separate computer.(...)


A root AD RMS cluster must already be present in the AD DS forest before you can install the licensing-only cluster.

QUESTION 11Your company plans to open a new branch office . The new office will have a Iow-speed connection to the Internet .You plan to deploy a read-only domain controller (RODC) in the branch office .

You need to create an offline copy of the Active Direct ory database that can be used to install ActiveDirectory on the new RODC .

Which commands should you run from Ntdsutil ?


To answer, move the appropriate actions from the list of actions to the answer area and arrange them in thecorrect order.


Correct Answer:


Explanation/Reference:Same question as L/Q9, same answers.


Installing AD DS from MediaYou can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you arecreating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directorydata over the network. This helps you install additional domain controllers in remote sites more efficiently.

To create installation media1. Click Start, right-click Command Prompt, and then click Run as administrator to open an elevated command

prompt.2. At the command prompt, type the following command, and then press ENTER: ntdsutil3. At the ntdsutil prompt, type the following command, and then press ENTER: activate instance ntds4. At the ntdsutil prompt, type the following command, and then press ENTER: ifm5. At the ifm: prompt, type the command for the type of installation media that you want to create (as listed in

the table earlier in this topic) and then press ENTER.For example, to create RODC installation media , type the following command, and then press ENTER:create rodc C:\InstallationMediaWhere C:\InstallationMedia is the path to the folder where you want the installation media to be created.You can save the installation media to a network shared folder or to any other type of removable media.

QUESTION 12Your network contains an Active Directory domain . The domain contains a domain controller named DC1 that runs Windows Server 2008 R2 Service Pack 1(SP1).

You need to implement a central store for domain policy templates .

What should you do?

To answer, select the source content that should be copied to the destination folder in the answer area.

Hot Area:

Correct Answer:


Explanation/Reference:In the reference below the entire PolicyDefinitions folder gets copied. In the question we copy the contents ofthat PolicyDefinitions folder, which has the same result of course.

Reference:http://www.petri.co.il/creating-group-policy-central-store.htm

Creating a Central StoreCreating a central store is actually a rather simple process. The first thing that you will have to do is to log ontoa computer that is running either Windows Vista or Windows Server 2008. If you have one particular machinethat has all of your group policy template files installed on it, then that machine is a good candidate.

The next thing that you must do is to open Windows Explorer, and then go into the C:\Windows folder. Locatethe PolicyDefinitions folder, right click on it, and then choose the Copy command from the shortcut menu. Thiswill copy the folder and its contents to the Windows clipboard.

The next step in the process is to map a network drive letter to the sysvol folder on a domain controller. The fullpath that you will need to access on the domain controller is c:\Windows\SYSVOL\domain\Policies. Finally,copy the PolicyDefinitions folder to the \Windows\SYSVOL\domain\Policies folder on the domain controller. Youcan see what this looks like in Figure A.

Figure ACopy the PolicyDefinitions folder to the domain controller’s \Windows\Sysvol\Domain\Policies folder.

QUESTION 13Your company plans to open a new branch office .The new office will have a low-speed connection to the Internet .You plan to deploy a read-only domain controller (RODC) in the branch office .

You need to create an offline copy of the Active Direct ory database that can be used to install the ActiveDirectory on the new RODC .

Which commands should you run from Ntdsutil?


Select and Place:

Correct Answer:


Explanation/Reference:Same question as J/Q31, same answers.


Installing AD DS from MediaYou can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you arecreating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directorydata over the network. This helps you install additional domain controllers in remote sites more efficiently.

To create installation media1. Click Start, right-click Command Prompt, and then click Run as administrator to open an elevated command

prompt.2. At the command prompt, type the following command, and then press ENTER: ntdsutil3. At the ntdsutil prompt, type the following command, and then press ENTER: activate instance ntds4. At the ntdsutil prompt, type the following command, and then press ENTER: ifm5. At the ifm: prompt, type the command for the type of installation media that you want to create (as listed in

the table earlier in this topic) and then press ENTER.

For example, to create RODC installation media , type the following command, and then press ENTER:create rodc C:\InstallationMedia6. Where C:\InstallationMedia is the path to the folder where you want the installation media to be created.7. You can save the installation media to a network shared folder or to any other type of removable media.


You need to use Group Policies to deploy the applicatio ns shown in the following table:

What should you do?

To answer, drag the appropriate deployment method to the correct application in the answer area.

Select and Place:

Correct Answer:


Explanation/Reference:Practically the same question as I/Q2.

Reference:technet.microsoft.com/en-us/library/cc783502.aspx

Software installationYou can use the Software Installation extension of Group Policy to centrally manage software distribution inyour organization. You can assign and publish software for groups of users and computers using this extension.

Assigning ApplicationsWhen you assign applications to users or computers, the applications are automatically installed on theircomputers at logon (for user-assigned applications) or startup (for computer-assigned applications.)

When assigning applications to users , the default behavior is that the application will be advertised to thecomputer the next time the user logs on. This means that the application shortcut appears on the Start menu,and the registry is updated with information about the application, including the location of the applicationpackage and the location of the source files for the installation. With this advertisement information on theuser's computer, the application is installed the first time the user tries to use the application. In addition to thisdefault behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully installthe package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored bycomputers running Windows 2000, which will always advertise user-assigned applications.

When assigning applications to computers , the application is installed the next time the computer boots up.Applications assigned to computers are not advertised, but are installed with the default set of featuresconfigured for the package. Assigning applications through Group Policy requires that the application setup isauthored as a Windows Installer (.msi) package.

Publishing ApplicationsYou can also publish applications to users , making the application available for users to install. To install apublished application, users can use Add or Remove Programs in Control Panel, which includes a list of allpublished applications that are available for them to install. Alternatively, if the administrator has selected theAuto-install this application by file extension activation feature, users can open a document file associated witha published application. For example, double clicking an .xls file will trigger the installation of Microsoft Excel, ifit is not already installed. Publishing applications only applies to user policy; you cannot publish applications tocomputers.


You need to view which password setting object is appli ed to a user .

Which filter option in Attribute Editor should you enable ?

To answer, select the appropriate filter option in the answer area.

Hot Area:

Correct Answer:



View a Resultant PSO for a User or a Global Securit y Group

You can view the resultant Password Settings object (PSO) for a user object:Viewing the resultant PSO for users using the Active Directory module for Windows PowerShellViewing the resultant PSO for users using the Windows interfaceViewing the resultant PSO for users from the command line using dsget

To view the resultant PSO for a user using Windows interface

1. Open Active Directory Users and Computers.2. On the View menu, ensure that Advanced Features is checked.3. In the console tree, click Users.4. In the details pane, right-click the user account for which you want to view the resultant PSO, and then click

Properties.5. Click the Attribute Editor tab, and then click Filter.6. Ensure that the Show attributes/Optional check box is selected.7. Ensure that the Show read-only attributes/Constructed check box is selected.8. Locate the value of the msDS-ResultantPSO attribute in the Attributes list.

QUESTION 16Your network contains two Active Directory forests named contoso.com and fabrikam.com . A two-way forest trust exists between the forests . Selective authentication is enabled on the trust . Fabrikam.com contains a server named Server1 .

You assign Contoso\Domain Users the Manage documents permission and the Print permission to ashared printer on Server1 .You discover that users from contoso.com cannot access the shared printer on Server1 .

You need to ensure that the contoso.com users can acces s the shared printer on Server1 .

Which permission should you assign to Contoso\Domain Users ?

To answer, select the appropriate permission in the answer area.

Hot Area:

Correct Answer:



Grant the Allowed to Authenticate Permission on Com puters in the Trusting Domain or ForestFor users in a trusted Windows Server 2008 or Windows Server 2003 domain or forest to be able to accessresources in a trusting Windows Server 2008 or Windows Server 2003 domain or forest where the trustauthentication setting has been set to selective authentication , each user must be explicitly granted theAllowed to Authenticate permission on the security descriptor of the computer objects (resource computers)that reside in the trusting domain or forest.

QUESTION 17Your network contains an Active Directory forest named contoso.com . The forest contains two sites named Seattle and Montreal . The Seattle site contains two domain controllers .


The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server in the forest .

You need to configure DC2 as a global catalog server .

Which object's properties should you modify ?

To answer, select the appropriate object in the answer area.

Hot Area:

Correct Answer:



To designate a domain controller to be a global cat alog server1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.2. In the console tree, expand the Sites container, and then expand the site in which you are designating a

global catalog server.3. Expand the Servers container, and then expand the Server object for the domain controller that you want to

designate as a global catalog server.4. Right-click the NTDS Settings object for the target server, and then click Properties .5. Select the Global Catalog check box, and then click OK.

QUESTION 18Your network contains an Active Directory forest named contoso.com . The forest contains two Active Directory sites named Seattle and Montreal . The Montreal site is a branch office that contains only a single read-only domain controller (RODC).

You accidentally delete the site link between the two s ites .You recreate the site link while you are connected to a domain controller in Seattle .

You need to replicate the change to the RODC in Montrea l.

Which node in Active Directory Sites and Services should you use?


Hot Area:

Correct Answer:


Explanation/Reference:Reference 1:http://blogs.technet.com/b/ashleymcglone/archive/2011/06/29/report-and-edit-ad-site-links-from-powershell-turbo-your-ad-replication.aspx

Site links are stored in the Configuration partition of the AD database.


To use Active Directory Sites and Services to force replication of the configuration partition to an RODC1. Open the Active Directory Sites and Services snap-in (Dssite.msc).2. Double-click Sites, double-click the name of the site that has the RODC, double-click Servers, double-click

the name of the RODC, right-click NTDS Settings , and then click Replicate configuration to the selectedDC.

3. Click OK to close the message indicating that AD DS has replicated the connections.

QUESTION 19Your network contains an Active Directory forest named contoso.com . The forest contains two sites named Seattle and Montreal . The Seattle site contains two domain controllers .


You need to enable universal group membership caching i n the Seattle site .

Which object's properties should you modify ?

To answer, select the appropriate object in the answer area.

Hot Area:

Correct Answer:


Explanation/Reference:Reference:http://http://technet.microsoft.com/en-us/magazine/ff797984.aspx

Configure Universal Group Membership Caching in Act ive Directory

You can enable or disable universal group membership caching by following these steps:

1. In Active Directory Sites And Services, expand and then select the site you want to work with.2. In the details pane, right-click NTDS Site Settings, and then click Prop erties .3. To enable universal group membership caching, select the Enable Universal Group Membership Caching

check box on the Site Settings tab. Then, in the Refresh Cache From list, choose a site from which to cacheuniversal group memberships. The selected site must have a working global catalog server.

4. To disable universal group membership caching, clear the Enable Universal Group Membership Cachingcheck box on the Site Settings tab.

5. Click OK.

QUESTION 20You are one of two network administrators for your organization. Your IT partner does most of the work in Active Directory.

While working in Active Directory, your partner accidently deleted a user from the Sales OU . You recover the user from tape backup but you want to h elp prevent this from happening again in thefuture .

What can you do?

A. Enable the Active Directory Recycle Bin.B. Use ADSI Edit to restore the user.C. Take away all rights from the other administrator.D. Use the Directory Services Restore Mode Lockout command.


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd392261%28v=ws.10%29.aspxActive Directory Recycle Bin Step-by-Step Guide

Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserveand restore accidentally deleted Active Directory objects without restoring Active Directory data from backups,restarting Active Directory Domain Services (AD DS), or rebooting domain controllers.

When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deletedActive Directory objects are preserved and the objects are restored in their entirety to the same consistentlogical state that they were in immediately before deletion. For example, restored user accounts automaticallyregain all group memberships and corresponding access rights that they had immediately before deletion,within and across domains.

Active Directory Recycle Bin is functional for both AD DS and Active Directory Lightweight Directory Services(AD LDS) environments.

ImportantBy default , Active Directory Recycle Bin in Windows Server 2008 R2 is disabled . To enable it, you mustfirst raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2,which in turn requires all forest domain controllers or all servers that host instances of AD LDS configurationsets to be running Windows Server 2008 R2. After you set the forest functional level of your environment toWindows Server 2008 R2, you can use the instructions in this guide to enable Active Directory Recycle Bin.In this release of Windows Server 2008 R2, the process of enabling Active Directory Recycle Bin isirreversible. After you enable Active Directory Recycle Bin in your environment, you cannot disable it.

QUESTION 21What is the maximum number of domains that a Windows Server 2008 R2 computer , configured as adomain controller , may participate in at one time ?

A. ZeroB. OneC. TwoD. Any number of domains


Explanation/Reference:Personal comment:A computer, be it a workstation or a server, can be a member of only one domain at a time.

QUESTION 22You are the systems administrator of a large organization that has recently implemented Windows Server2008 R2. You have a few remote sites that do not have very tight security .

You have decided to implement read-only domain control lers (RODC) .

What forest functional levels does the network need for you to do the install? (Choose Three )

A. Windows 2000 Mixed

B. Windows 2008 R2C. Windows 2003D. Windows 2008



Ensure that the forest functional level is Windows Server 2003 or h igher ...Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 inthe same domain as the RODC and ensure that the writable domain controller is also a DNS server that hasregistered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate domainupdates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.

QUESTION 23Your network contains an Active Directory domain .The domain contains 20 domain controllers .You need to identify which domain controllers are globa l catalog servers .


A. dsqueryB. netshC. nltestD. Get-ADOptionalFeature


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc732885%28v=ws.10%29.aspxDsquery server

Dsquery is a command-line tool that is built into Windows Server 2008. It is available if you have the ActiveDirectory Domain Services (AD DS) server role installed.

Syntaxdsquery server [-o {dn | rdn}] [-forest] [-domain <DomainName>] [-site <SiteName>] [-name <Name>] [-desc<Description>] [-hasfsmo {schema | name | infr | pdc | rid}] [-isgc] [{-s <Server> | -d <Domain>}] [-u<UserName>] [-p {<Password> | *}] [-q] [-r] [-gc] [-limit <NumberOfObjects>] [{-uc | -uco | -uci}]

Parameters..-gc Specifies that the search use the Active Directory global catalog....

To find all domain controllers in the domain widgets.contoso.com that are global catalog servers, type:dsquery server –domain widgets.contoso.com -isgc


The forest contains two domains named contoso.com and east.contoso.com . The contoso.com domain contains a domain controller named DC1. The east.contoso.com domain contains a domain controller named DC2. DC1 and DC2 have the DNS Server server role install ed.


What should you do?

A. Create a primary zone on DC1 and store the zone in DC=Contoso, DC=com naming context. Create asecondary zone on DC2 and select DC1 as the master.

B. Create a primary zone on DC1 and store the zone in a zone file. Configure Encrypting File System (EFS)encryption. Create a secondary zone on DC2 and select DC1 as the master.

C. Create a primary zone on DC1 and store the zone in a zone file. Configure IPSec on DC1 and DC2. Createa secondary zone on DC2 and select DC1 as the master.

D. Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for the zone. Create asecondary zone on DC2 and select DC1 as the master.


Explanation/Reference:Similar to A/Q15 and K/Q13.

http://technet.microsoft.com/en-us/network/bb531150.aspxIPsec

Internet Protocol security (IPsec) uses cryptographic security services to protect communications over InternetProtocol (IP) networks. IPsec supports network-level peer authentication, data origin authentication, dataintegrity, data confidentiality (encryption), and replay protection. The Microsoft implementation of IPsec is basedon Internet Engineering Task Force (IETF) standards.

In Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, you can configure IPsecbehavior by using the Windows Firewall with Advanced Security snap-in. In earlier versions of Windows, IPsecwas a stand-alone technology separate from Windows Firewall.

http://technet.microsoft.com/en-us/library/ee649192%28v=ws.10%29.aspxSecure Zone Transfers with IPsec

Use the following procedure to configure an IP Security (IPsec) rule to secure communications b etweentwo DNS servers . When applied to the primary and secondary DNS servers for a zone, this policy will protectupdates occurring by zone transfer from the primary to the secondary DNS server. By applying this policy, zonetransfers are not allowed unless both servers are domain members and have matching connection securityrules. The policy is configured to apply to zone transfers between IP addresses specified on the Zone Transferstab.

QUESTION 25Your network contains an Active Directory forest named contoso.com . The forest contains a domain controller named DC1 that runs Windows Server 2008 R2 Enterprise and amember server named Server1 that runs Windows Server 2008 R2 Standard . You have a computer named Computer1 that runs Windows 7 . Computer1 is not connected to the network .

You need to join Computer1 to the contoso.com domain .

What should you do?



Correct Answer:







3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windowsdirectory.

4. When you start or restart the computer , it will be a member of the domain.

Reference 2:http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step.aspx

Performing an offline domain join using different p hysical computersTo perform an offline domain join using physical computers, you can complete the following steps. The bestpractice in this case is to have one domain controller, one domain-joined computer to use as a provisioningserver, and one client computer that you want to join to the domain.

1. On the provisioning server, open an elevated command prompt. 2. Type the following command to provision the computer account:djoin /provision /domain <domain to be joined> /machine <name of th e destinationcomputer> /savefile blob.txt3. Copy the blob.txt file to the client computer .4. On the client computer, open an elevated command prompt, and then type the following command to

request the domain join:djoin /requestODJ /loadfile blob.txt /windowspath %SystemRoot% /loca los5. Reboot the client computer . The computer will be joined to the domain.

QUESTION 26You need to modify the Password Replication Policy on a read-only domain controller (RODC) .


To answer, select the appropriate tool in the answer area.

Point and Shoot:

Correct Answer:


Explanation/Reference:Practically the same as H/Q5.

Reference:http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx

Administering the Password Replication PolicyThis topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP)and password caching for read-only domain controllers (RODCs).

To configure the PRP using Active Directory Users a nd Computers1. Open Active Directory Users and Computers as a member of the Domain Admins group.2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct

domain.3. Click Domain Controllers, and in the details pane, right-click the RODC computer account, and then click

Properties.4. Click the Password Replication Policy tab.5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed list and

the Deny list on the RODC. To add other groups that should be included in either the Allowed list or theDeny list, click Add.To add other accounts that will have credentials cached on the RODC, click Allow passwords for theaccount to replicate to this RODC.To add other accounts that are not allowed to have credentials cached on the RODC, click Deny passwordsfor the account from replicating to this RODC.


You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs) .

Under which node in the DNS snap-in should you add a zone?


Point and Shoot:

Correct Answer:


Explanation/Reference:Practically the same as H/Q1.

Reference:Mastering Microsoft Windows Server 2008 R2 (Sybex, 2010)page 193

A forward lookup means the client provides a fully qualified domain name and the DNS server returns an IPaddress. A reverse lookup does the opposite: the client provides an IP address, and then the DNS serverreturns an FQDN.

QUESTION 28Your company has two domain controllers named DC1 and DC2. DC1 hosts all domain and forest operations master r oles . DC1 fails .

You need to rebuild DC1 by reinstalling the operating s ystem . You also need to rollback all operations master roles t o their original state .

You perform a metadata cleanup and remove all reference s of DC1 .

Which three actions should you perform next ?

(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in thecorrect order.)


Correct Answer:


Explanation/Reference:First we need to seize the operations master roles from DC1 to DC2. They are important and need to be inplace. Next we rebuild DC1 (not DC2, we need it) and transfer the operations master roles back to DC1 .

QUESTION 29A server named DC1 has the Active Directory Domain Services (AD DS) role and the Active DirectoryLightweight Directory Services (AD LDS) role instal led . An AD LDS instance named LDS1 stores its data on the C: drive .

You need to relocate the LDS1 instance to the D: drive .

Which three actions should you perform in sequence ?

(To answer, move the three appropriate actions from the list of actions to the answer area and arrange them inthe correct order.)


Correct Answer:


Explanation/Reference:Reference:http://www.ucertify.com/blog/windows-server-2008-tools-used-for-configuring-and-maintaining-active-directory.html

NTDSUTILNTDSUTIL.EXE is a command-line tool that is used to manage Active Directory.

Important UsageTo relocate AD LDS directory partition, use the NTD SUTIL tool. Take the following steps:

Stop the LDS by using the net stop command.Move the Database file through NTDSUTIL tool.Start the directory service using the net start command.

QUESTION 30You need to perform an offline defragmentation of an Ac tive Directory database .

Which four actions should you perform in sequence ?

(To answer, move the appropriate four actions from the list of actions to the answer area and arrange them inthe correct order.)


Correct Answer:



Compact the database file to a local directory or r emote shared folder, as follows:1. Open a Command Prompt as an administrator.2. At the command prompt, type the following command, and then press ENTER: net stop ntds3. Type Y to agree to stop additional services, and then press ENTER.4. At the command prompt, type ntdsutil , and then press ENTER.5. At the ntdsutil prompt, type activate instance ntds , and then press ENTER.6. At the ntdsutil prompt, type files , and then press ENTER.7. If you are compacting the database to a local drive , at the file maintenance: prompt, type compact

to <drive>:\ <LocalDirectoryPath> (where <drive>:\ <LocalDirectoryPath> is the path to alocation on the local computer) and then press ENTE R.

8. If defragmentation completes successfully, type quit , and then press ENTER to quit the file maintenance:prompt. Type quit again, and then press ENTER to quit Ntdsutil.exe.

(...)

NoteYou should make a copy of the existing Ntds.dit file if at all possible, even if you have to store that copy on asecured network drive. If the compaction of the database does not work properly, you can then easily restorethe database by copying it back to the original location. Do not delete the copy of the Ntds.dit file until you haveat least verified that the domain controller starts properly. If space allows, you can rename the original Ntds.ditfile to preserve it. Avoid overwriting the original Ntds.dit file.

9. Manually copy the compacted database file to the or iginal location, as follows: copy“<temporaryDrive>:\ntds.dit” “<originalDrive>:\<pat hToOriginalDatabaseFile>\ntds.dit”

Ntdsutil provides the correct paths to the temporary and original locations of the Ntds.dit file.

(...)10.Restart AD DS. At the command prompt, type the foll owing command, and then press ENTER: net

start ntds

QUESTION 31Your company has an Active Directory forest that contains multiple domain controllers . The domain controllers run Windows Server 2008 .

You need to perform an an authoritative restore of a de leted organizational unit and its child objects .

Which four actions should you perform in sequence ?

(To answer, move the appropriate four actions from the list of actions to the answer area, and arrange them inthe correct order.)


Correct Answer:


Explanation/Reference:References:Performing Authoritative Restore of Active Directory Objectshttp://technet.microsoft.com/en-us/library/cc816878.aspx

Restart the Domain Controller in Directory Services Restore Mode Locallyhttp://technet.microsoft.com/en-us/library/cc816897.aspx

Restore AD DS from Backup (Nonauthoritative Restore)


Mark an Object or Objects as Authoritativehttp://technet.microsoft.com/en-us/library/cc816813.aspx

Restart the Domain Controller in Directory Services Restore Mode Locally If you have physical access to a domain controller, you can restart the domain controller in Directory ServicesRestore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the serveris functioning as a member server, not as a domain controller.During installation of Active Directory Domain Services (AD DS), you set the Administrator password for loggingon to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using thisDSRM password for the local Administrator account.

Restore AD DS from Backup (Nonauthoritative Restore ) Nonauthoritative restore from backup restores Active Directory Domain Services (AD DS) from its current stateto the previous state of a backup. Use this procedure before you perform an authoritative restore procedure torecover objects that were deleted after the time of the backup. To restore AD DS from backup, use a systemstate or critical-volumes backup.

Mark an Object or Objects as AuthoritativeIn this procedure, you use the ntdsutil command to select objects that are to be marked authoritative when theyreplicate to other domain controllers.

Restart the domain controller[Don't restart the domain controller in Safe Mode, you would have a 'crippled' server without AD DS.]

QUESTION 32ABC.com has an Active Directory forest on a single domain . The domain operates Windows Server 2008 .

A new administrator accidentally deletes the entire organizational unit in the Active Directory databasethat hosts 6000 objects .You have backed up the system state data using third-party backup software. To restore backup , you start the domain controller in the Directory Services Restore Mode (DSRM) .

You need to perform an authoritative restore of the org anizational unit and restore the domaincontroller to its original state .

Which three actions should you perform?


Correct Answer:


Explanation/Reference:References:Performing Authoritative Restore of Active Directory Objectshttp://technet.microsoft.com/en-us/library/cc816878.aspx

Restart the Domain Controller in Directory Services Restore Mode Locallyhttp://technet.microsoft.com/en-us/library/cc816897.aspx

Restore AD DS from Backup (Nonauthoritative Restore)http://technet.microsoft.com/en-us/library/cc794755.aspx

Mark an Object or Objects as Authoritativehttp://technet.microsoft.com/en-us/library/cc816813.aspx

Restart the Domain Controller in Directory Services Restore Mode Locally If you have physical access to a domain controller, you can restart the domain controller in Directory ServicesRestore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the serveris functioning as a member server, not as a domain controller.During installation of Active Directory Domain Services (AD DS), you set the Administrator password for loggingon to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using thisDSRM password for the local Administrator account.

Restore AD DS from Backup (Nonauthoritative Restore ) Nonauthoritative restore from backup restores Active Directory Domain Services (AD DS) from its current stateto the previous state of a backup. Use this procedure before you perform an authoritative restore procedure torecover objects that were deleted after the time of the backup. To restore AD DS from backup, use a systemstate or critical-volumes backup.

Mark an Object or Objects as AuthoritativeIn this procedure, you use the ntdsutil command to select objects that are to be marked authoritative whenthey replicate to other domain controllers.

Restart the domain controller[Don't restart the domain controller in Safe Mode, you would have a 'crippled' server without AD DS.]

QUESTION 33You manage an Active Directory forest named contoso.com .The forest contains an empty root domain named contoso.com and a child domain namedchild.contoso.com . All domain controllers run Windows Server 2008 . The functional level of the forest is Windows Server 2008 .

You need to raise the functional level of the forest to Windows Server 2008 R2 . You must achieve this goal by using the minimum amount of administrative effort .

What should you do?



Correct Answer:


Explanation/Reference:To upgrade the forest level to Windows Server 2008 R2 we need to upgrade the servers first. And before weupgrade the servers we need to prepare the domain and forest using adprep.


CautionDo not raise the forest functional level to Windows Server 2008 R2 if you have or will have any domaincontrollers running Windows Server 2008 or earlier.

Reference 2:MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)page 96

The Adprep UtilityMicrosoft provides the Adprep utility to prepare a down-level Active Directory domain for receiving Windows

Server 2008 and Windows Server 2008 R2 domain controllers. Found in the \sources\adprep folder of theinstallation DVD-ROM, this tool prepares the forest and domain by extending the Active Directory schema andupdating several required permissions.

Running the Adprep /forestprep CommandYou must run the Adprep /forestprep command on the schema master of the forest first. It extends theschema to receive the new Windows Server 2008 enhancements, including the addition of directory descriptorsfor certain objects including granular password policies. You have to run this command and let its changesreplicate throughout the forest before you run the Adprep /domainprep command.

Reference 3:Not really relevant, but some info on why using an empty root domain is no longer preferable:http://blogs.technet.com/b/askds/archive/2010/05/07/friday-mail-sack-tweener-clipart-comics-edition.aspx#adempty


Date post:	04-Apr-2022
Category:	Documents
Upload:	others
View:	20 times
Download:	0 times

Windows Server 2008 - Configuring Active Directory

Documents