Number: Passing Score: 700 Time Limit: 145 min

Transcription

1 Number: Passing Score: 700 Time Limit: 145 min

2 Exam A QUESTION 1 You have a single Active Directory domain. All domain controllers run Windows Server 2008 and are configured as DNS servers. The domain contains one Active Directory-integrated DNS zone. You need to ensure that outdated DNS records are automatically removed from the DNS zone. A. From the properties of the zone, modify the TTL of the SOA record. B. From the properties of the zone, enable scavenging. C. From the command prompt, run ipconfig /flushdns. D. From the properties of the zone, disable dynamic updates. Correct Answer: B / QUESTION 2 Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The Audit account management policy setting and Audit directory services access setting are enabled for the entire domain. You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes. A. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU. B. From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes. C. Enable the Audit account management policy in the Default Domain Controller Policy. D. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy. Correct Answer: A / QUESTION 3 Your company, Contoso Ltd has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com. The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone. You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails.

3 A. Create a new stub zone named ad.contoso.com on DC2. B. Create a new standard secondary zone named ad.contoso.com on DC2. C. Configure the DNS server on DC2 to forward requests to DC1. D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone. Correct Answer: D / QUESTION 4 Your company has a server that runs an instance of Active Directory Lightweight Directory Service (AD LDS). You need to create new organizational units in the AD LDS application directory partition. A. Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units. B. Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDS application directory partition. C. Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units. D. Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition. Correct Answer: D / QUESTION 5 Your company has an Active Directory domain. The company has two domain controllers named DC1 and DC2. DC1 holds the Schema Master role. DC1 fails. You log on to Active Directory by using the administrator account. You are not able to transfer the Schema Master operations role. You need to ensure that DC2 holds the Schema Master role. A. Configure DC2 as a bridgehead server. B. On DC2, seize the Schema Master role. C. Log off and log on again to Active Directory by using an account that is a member of the Schema Administrators group. Start the Active Directory Schema snap-in. D. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in. Correct Answer: B

4 / QUESTION 6 Your company has an Active Directory forest that runs at the functional level of Windows Server You implement Active Directory Rights Management Services (AD RMS). You install Microsoft SQL Server When you attempt to open the AD RMS administration Web site, you receive the following error message: "SQL Server does not exist or access denied." You need to open the AD RMS administration Web site. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Restart IIS. B. Manually delete the Service Connection Point in AD DS and restart AD RMS. C. Install Message Queuing. D. Start the MSSQLSVC service. Correct Answer: AD / QUESTION 7 Your network consists of an Active Directory forest that contains one domain named contoso.com. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have two Active Directoryintegrated zones: contoso.com and nwtraders.com. You need to ensure a user is able to modify records in the contoso.com zone. You must prevent the user from modifying the SOA record in the nwtraders.com zone. A. From the Active Directory Users and Computers console, run the Delegation of Control Wizard. B. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers organizational unit (OU). C. From the DNS Manager console, modify the permissions of the contoso.com zone. D. From the DNS Manager console, modify the permissions of the nwtraders.com zone. Correct Answer: C / QUESTION 8 Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certificate authority (CA). You need to ensure that revoked certificate information is highly available.

5 A. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and Acceleration Server array. B. Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO). C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing. D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the domain. Correct Answer: C / QUESTION 9 You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an enterprise root certification authority (CA). You install the Online Responder role service on Server2. You need to configure Server1 to support the Online Responder. A. Import the enterprise root CA certificate. B. Configure the Certificate Revocation List Distribution Point extension. C. Configure the Authority Information Access (AIA) extension. D. Add the Server2 computer account to the CertPublishers group. Correct Answer: C / Configure a CA to Support OCSP Responders To function properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP) Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a non- Microsoft OCSP responder. Configuring a certification authority (CA) to support OCSP responder services includes the following steps: 1. Configure certificate templates and issuance properties for OCSP Response Signing certificates. 2. Configure enrollment permissions for any computers that will be hosting Online Responders. 3. If this is a Windows Server 2003 based CA, enable the OCSP extension in issued certificates. 4. Add the location of the Online Responder or OCSP responder to the authority information access extension on the CA. 5. Enable the OCSP Response Signing certificate template for the CA. QUESTION 10 Your company has an Active Directory domain. A user attempts to log on to a computer that was turned off for twelve weeks. The administrator receives an error message that authentication has failed. You need to ensure that the user is able to log on to the computer.

6 A. Run the netsh command with the set and machine options. B. Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain. C. Run the netdom TRUST /reset command. D. Run the Active Directory Users and Computers console to disable, and then enable the computer account. Correct Answer: B / QUESTION 11 Your company has an Active Directory forest that contains a single domain. The domain member server has an Active Directory Federation Services (AD FS) role installed. You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain. A. Add and configure a new account partner. B. Add and configure a new resource partner. C. Add and configure a new account store. D. Add and configure a Claims-aware application. Correct Answer: C / QUESTION 12 You network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller. What tool should you use? A. Active Directory Users and Computers snap-in B. ntdsutil C. Local Users and Groups snap-in D. dsmod Correct Answer: B /

7 QUESTION 13 Your company has a main office and a branch office. You deploy a read-only domain controller (RODC) that runs Microsoft Windows Server 2008 to the branch office. You need to ensure that users at the branch office are able to log on to the domain by using the RODC. A. Add another RODC to the branch office. B. Configure a new bridgehead server in the main office. C. Decrease the replication interval for all connection objects by using the Active Directory Sites and Services console. D. Configure the Password Replication Policy on the RODC. Correct Answer: D / QUESTION 14 Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers run Windows Server 2008 and the DNS server role. All computers, including non-domain members, dynamically register their DNS records. You need to configure the intranet.adatum.com zone to allow only domain members to dynamically register DNS records. A. Set dynamic updates to Secure Only. B. Remove the Authenticated Users group. C. Enable zone transfers to Name Servers. D. Deny the Everyone group the Create All Child Objects permission. Correct Answer: A / QUESTION 15 Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. A domain controller named DC1 has a standard primary zone for contoso. com. A domain controller named DC2 has a standard secondary zone for contoso.com. You need to ensure that the replication of the contoso.com zone is encrypted. You must not lose any zone data. A. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone. B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone. C. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the

8 secondary zone. D. On both servers, modify the interface that the DNS server listens on. Correct Answer: B / QUESTION 16 You are decommissioning domain controllers that hold all forest-wide operations master roles. You need to transfer all forest-wide operations master roles to another domain controller. Which two roles should you transfer? (Each correct answer presents part of the solution. Choose two.) A. Domain naming master B. Infrastructure master C. RID master D. PDC emulator E. Schema master Correct Answer: AE / QUESTION 17 Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directory domain named intranet.fabrikam.com. Fabrikam's security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network. You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain. A. Create a new stub zone for the intranet.fabrikam.com domain. B. Configure conditional forwarding for the intranet.fabrikam.com domain. C. Create a standard secondary zone for the intranet.fabrikam.com domain. D. Create an Active DirectoryCintegrated zone for the intranet.fabrikam.com domain. Correct Answer: B / QUESTION 18 An Active Directory database is installed on the C volume of a domain controller. You need to move the Active Directory database to a new volume.

9 A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command. B. Move the ntds.dit file to the new volume by using Windows Explorer. C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows PowerShell. D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility. Correct Answer: D / QUESTION 19 Your company has file servers located in an organizational unit named Payroll. The file servers contain payroll files located in a folder named Payroll. You create a GPO. You need to track which employees access the Payroll files on the file servers. A. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. On the file servers, configure Auditing for the Authenticated Users group in the Payroll folder. B. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder. C. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder. D. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configure Auditing for the Authenticated Users group in the Payroll folder. Correct Answer: B / QUESTION 20 Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates. You need to implement key archival. A. Configure the certificate for automatic enrollment for the computers that store encrypted files. B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files. C. Apply the Hisecdc security template to the domain controllers. D. Archive the private key on the server. Correct Answer: D

10 / QUESTION 21 Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains an OU for Computers, an OU for Groups, and an OU for Users. You perform nightly backups. An administrator deletes the Groups OU. You need to restore the Groups OU without affecting users and computers in the Sales OU. A. Perform an authoritative restore of the Sales OU. B. Perform a non-authoritative restore of the Sales OU. C. Perform an authoritative restore of the Groups OU. D. Perform a non-authoritative restore of the Groups OU. Correct Answer: C / QUESTION 22 Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2. You need to create multiple password policies for users in your domain. A. From the Group Policy Management snap-in, create multiple Group Policy objects. B. From the Schema snap-in, create multiple class schema objects. C. From the ADSI Edit snap-in, create multiple Password Setting objects. D. From the Security Configuration Wizard, create multiple security policies. Correct Answer: C / QUESTION 23 You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server. You need to record all inbound DNS queries to the server. What should you configure in the DNS Manager console? A. Enable debug logging. B. Enable automatic testing for simple queries. C. Configure event logging to log errors and warnings.

11 D. Enable automatic testing for recursive queries. Correct Answer: A / QUESTION 24 Your company has a main office and a branch office. The company has a single-domain Active Directory forest. The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3. All domain controllers hold the DNS Server role and are configured as Active Directory-integrated zones. The DNS zones only allow secure updates. You need to enable dynamic DNS updates on DC3. A. Run the Dnscmd.exe /ZoneResetType command on DC3. B. Reinstall Active Directory Domain Services on DC3 as a writable domain controller. C. Create a custom application directory partition on DC1. Configure the partition to store Active Directoryintegrated zones. D. Run the Ntdsutil.exe > DS Behavior commands on DC3. Correct Answer: B / QUESTION 25 Your company has an Active Directory domain named ad.contoso.com. The domain has two domain controllers named DC1 and DC2. Both domain controllers have the DNS server role installed. You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure DC1 to forward all unresolved name requests to DNS1.contoso.com. You discover that the DNS forwarding option is unavailable on DC2. You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com server. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Clear the DNS cache on DC2. B. Configure conditional forwarding on DC2. C. Configure the Listen On address on DC2. D. Delete the Root zone on DC2. Correct Answer: BD

12 / QUESTION 26 Your company has an organizational unit named Production. The Production organizational unit has a child organizational unit named R&D. You create a GPO named Software Deployment and link it to the Production organizational unit. You create a shadow group for the R&D organizational unit. You need to deploy an application to users in the Production organizational unit. You also need to ensure that the application is not deployed to users in the R&D organizational unit. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) A. Configure the Block Inheritance setting on the R&D organizational unit. B. Configure the Enforce setting on the software deployment GPO. C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group. D. Configure the Block Inheritance setting on the Production organizational unit. Correct Answer: AC / QUESTION 27 Your company has a branch office that is configured as a separate Active Directory site and has an Active Directory domain controller. The Active Directory site requires a local Global Catalog server to support a new application. You need to configure the domain controller as a Global Catalog server. Which tool should you use? A. The Server Manager console B. The Active Directory Sites and Services console C. The Dcpromo.exe utility D. The Computer Management console E. The Active Directory Domains and Trusts console Correct Answer: B / QUESTION 28 Your company has a main office and three branch offices. The company has an Active Directory forest that has a single domain. Each office has one domain controller. Each office is configured as an Active Directory site. All sites are connected with the DEFAULTIPSITELINK object. You need to decrease the replication latency between the domain controllers.

13 A. Decrease the replication schedule for the DEFAULTIPSITELINK object. B. Decrease the replication interval for the DEFAULTIPSITELINK object. C. Decrease the cost between the connection objects. D. Decrease the replication interval for all connection objects. Correct Answer: B / QUESTION 29 Your company has two Active Directory forests named contoso.com and fabrikam.com. Both forests run only domain controllers that run Windows Server The domain functional level of contoso.com is Windows Server The domain functional level of fabrikam.com is Windows Server 2003 Native mode. You configure an external trust between contoso.com and fabrikam.com. You need to enable the Kerberos AES encryption option. A. Raise the forest functional level of fabrikam.com to Windows Server B. Raise the domain functional level of fabrikam.com to Windows Server C. Raise the forest functional level of contoso.com to Windows Server D. Create a new forest trust and enable forest-wide authentication. Correct Answer: B / QUESTION 30 All consultants belong to a global group named TempWorkers. You place three file servers in a new organizational unit named SecureServers. The three file servers contain confidential data located in shared folders. You need to record any failed attempts made by the consultants to access the confidential data. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to this computer from the network user rights setting for the TempWorkers global group. B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege use Failure audit policy setting. C. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object access Failure audit policy setting. D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog box. E. On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab.

14 Configure the Failed Full control setting in the Auditing Entry dialog box. Correct Answer: CE / Practically the same as J/Q5. Windows Server 2008 R2 Unleashed (SAMS, 2010) page 671 Auditing Resource Access Object access can be audited, although it is not one of the recommended settings. Auditing object access can place a significant load on the servers, so it should only be enabled when it is specifically needed. Auditing object access is a two-step process: Step one is enabling Audit object access and step two is selecting the objects to be audited. When enabling Audit object access, you need to decide if both failure and success events will be logged. The two options are as follows: Audit object access failure enables you to see if users are attempting to access objects to which they have no rights. This shows unauthorized attempts. Audit object access success enables you to see usage patterns. This shows misuse of privilege. After object access auditing is enabled, you can easily monitor access to resources such as folders, files, and printers. Auditing Files and Folders The network administrator can tailor the way Windows Server 2008 R2 audits files and folders through the property pages for those files or folders. Keep in mind that the more files and folders that are audited, the more events that can be generated, which can increase administrative overhead and system resource requirements. Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following: 1. In Windows Explorer, right-click the file or folder to audit and select Properties. 2. Select the Security tab and then click the Advanced button. 3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button. 4. Click the Add button to display the Select User or Group window. 5. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names button to verify the name. QUESTION 31 You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an Enterprise Root certification authority (CA). You install the Online Responder role service on Server2. You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root CA. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.) A. Import the enterprise root CA certificate. B. Import the OCSP Response Signing certificate. C. Add the Server1 computer account to the CertPublishers group. D. Set the Startup Type of the Certificate Propagation service to Automatic. Correct Answer: AB

15 / QUESTION 32 Your company has an Active Directory forest. The forest includes organizational units corresponding to the following four locations: London Chicago New York Madrid Each location has a child organizational unit named Sales. The Sales organizational unit contains all the users and computers from the sales department. The offices in London, Chicago, and New York are connected by T1 connections. The office in Madrid is connected by a 256-Kbps ISDN connection. You need to install an application on all the computers in the sales department. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users. Link the GPO to each Sales organizational unit. B. Disable the slow link detection setting in the Group Policy Object (GPO). C. Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy Object (GPO). D. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the computers. Link the GPO to each Sales organizational unit. Correct Answer: BD / QUESTION 33 Your company has a domain controller server that runs the Windows Server 2008 R2 operating system. The server is a backup server. The server has a single 500-GB hard disk that has three partitions for the operating system, applications, and data. You perform daily backups of the server. The hard disk fails. You replace the hard disk with a new hard disk of the same capacity. You restart the computer on the installation media. You select the Repair your computer option. You need to restore the operating system and all files. A. Select the System Image Recovery option. B. Run the Imagex utility at the command prompt. C. Run the Wbadmin utility at the command prompt. D. Run the Rollback utility at the command prompt. Correct Answer: C

16 / QUESTION 34 You need to remove the Active Directory Domain Services role from a domain controller named DC1. A. Run the netdom remove DC1 command. B. Run the Dcpromo utility. Remove the Active Directory Domain Services role. C. Run the nltest /remove_server: DC1 command. D. Reset the Domain Controller computer account by using the Active Directory Users and Computers utility. Correct Answer: B / QUESTION 35 Your company has an Active Directory forest. The company has branch offices in three locations. Each location has an organizational unit. You need to ensure that the branch office administrators are able to create and apply GPOs only to their respective organizational units. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators. B. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group. C. Modify the Managed By tab in each organizational unit to add the branch office administrators to their respective organizational units. D. Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the branch office administrators. Correct Answer: AB / QUESTION 36 Your company has an Active Directory domain. A user attempts to log on to the domain from a client computer and receives the following message: "This user account has expired. Ask your administrator to reactivate the account." You need to ensure that the user is able to log on to the domain. A. Modify the properties of the user account to set the account to never expire. B. Modify the properties of the user account to extend the Logon Hours setting. C. Modify the default domain policy to decrease the account lockout duration.

17 D. Modify the properties of the user account to set the password to never expire. Correct Answer: A / QUESTION 37 You have an existing Active Directory site named Site1. You create a new Active Directory site and name it Site2. You need to configure Active Directory replication between Site1 and Site2. You install a new domain controller. You create the site link between Site1 and Site2. What should you do next? A. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new domain controller object to Site2. B. Use the Active Directory Sites and Services console to configure a new site link bridge object. C. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2. D. Use the Active Directory Sites and Services console to configure the new domain controller as a preferred bridgehead server for Site1. Correct Answer: A / QUESTION 38 Your company has an Active Directory forest. Each branch office has an organizational unit and a child organizational unit named Sales. The Sales organizational unit contains all users and computers of the sales department. You need to install an Office 2007 application only on the computers in the Sales organizational unit. You create a GPO named SalesApp GPO. What should you do next? A. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location. B. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the domain. C. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location. D. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location. Correct Answer: A

18 / QUESTION 39 Your network consists of an Active Directory forest that contains one domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have an Active Directory- integrated zone. You have two Active Directory sites. Each site contains five domain controllers. You add a new NS record to the zone. You need to ensure that all domain controllers immediately receive the new NS record. A. From the DNS Manager console, reload the zone. B. From the DNS Manager console, increase the version number of the SOA record. C. From the command prompt, run repadmin /syncall. D. From the Services snap-in, restart the DNS Server service. Correct Answer: C / QUESTION 40 Your company has a single Active Directory domain named intranet.contoso.com. All domain controllers run Windows Server 2008 R2. The domain functional level is Windows 2000 native and the forest functional level is Windows You need to ensure the UPN suffix for contoso.com is available for user accounts. What should you do first? A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher. B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher. C. Add the new UPN suffix to the forest. D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to contoso.com. Correct Answer: C / QUESTION 41 You have a Windows Server 2008 R2 Enterprise Root CA. Security policy prevents port 443 and port 80 from being opened on domain controllers and on the issuing CA. You need to allow users to request certificates from a Web interface. You install the Active Directory Certificate Services (AD CS) server role. What should you do next?

19 A. Configure the Online Responder Role Service on a member server. B. Configure the Online Responder Role Service on a domain controller. C. Configure the Certificate Enrollment Web Service role service on a member server. D. Configure the Certificate Enrollment Web Service role service on a domain controller. Correct Answer: C / QUESTION 42 You need to relocate the existing user and computer objects in your company to different organizational units. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) A. Run the move-item command in the Microsoft Windows PowerShell utility. B. Run the Active Directory Users and Computers utility. C. Run the Dsmove utility. D. Run the Active Directory Migration Tool (ADMT). Correct Answer: BC / QUESTION 43 Your network consists of an Active Directory forest named contoso.com. All servers run Windows Server 2008 R2. All domain controllers are configured as DNS servers. The contoso.com DNS zone is stored in the ForestDnsZones Active Directory application partition. You have a member server that contains a standard primary DNS zone for dev.contoso.com. You need to ensure that all domain controllers can resolve names for dev.contoso.com. A. Modify the properties of the SOA record in the contoso.com zone. B. Create a NS record in the contoso.com zone. C. Create a delegation in the contoso.com zone. D. Create a standard secondary zone on a Global Catalog server. Correct Answer: C / QUESTION 44 Your company has a single Active Directory domain. All domain controllers run Windows Server 2003.

20 You install Windows Server 2008 R2 on a server. You need to add the new server as a domain controller in your domain. What should you do first? A. On a domain controller run adprep /rodcprep. B. On the new server, run dcpromo /adv. C. On the new server, run dcpromo /createdcaccount. D. On a domain controller, run adprep /forestprep. Correct Answer: D / QUESTION 45 Your company has a main office and three branch offices. Each office is configured as a separate Active Directory site that has its own domain controller. You disable an account that has administrative rights. You need to immediately replicate the disabled account information to all sites. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) A. From the Active Directory Sites and Services console, configure all domain controllers as global catalog servers. B. From the Active Directory Sites and Services console, select the existing connection objects and force replication. C. Use Repadmin.exe to force replication between the site connection objects. D. Use Dsmod.exe to configure all domain controllers as global catalog servers. Correct Answer: BC / QUESTION 46 Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to capture all replication errors from all domain controllers to a central location. A. Start the Active Directory Diagnostics data collector set. B. Start the System Performance data collector set. C. Install Network Monitor and create a new a new capture. D. Configure event log subscriptions.

21 Correct Answer: D / QUESTION 47 Your company has an Active Directory forest that contains client computers that run Windows Vista and Microsoft Windows XP. You need to ensure that users are able to install approved application updates on their computers. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Set up Automatic Updates through Control Panel on the client computers. B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically search for updates on the Microsoft Update site. C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Windows Server Update Services (WSUS) server for approved updates. D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates on the Internet. Approve all required updates. Correct Answer: CD / QUESTION 48 Your company has an Active Directory domain that has an organizational unit named Sales. The Sales organizational unit contains two global security groups named sales managers and sales executives. You need to apply desktop restrictions to the sales executives group. You must not apply these desktop restrictions to the sales managers group. You create a GPO named DesktopLockdown and link it to the Sales organizational unit. What should you do next? A. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO. B. Configure the Deny Apply Group Policy permission for the sales executives on the DesktopLockdown GPO. C. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO. D. Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO. Correct Answer: D / QUESTION 49 Your company network has an Active Directory forest that has one parent domain and one child domain. The child domain has two domain controllers that run Windows Server All user accounts from the child

22 domain are migrated to the parent domain. The child domain is scheduled to be decommissioned. You need to remove the child domain from the Active Directory forest. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) A. Run the Computer Management console to stop the Domain Controller service on both domain controllers in the child domain. B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationship between the parent domain and the child domain. C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory domain services role. D. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain. Correct Answer: CD / QUESTION 50 Your network consists of a single Active Directory domain. The domain contains 10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You plan to create a new Active Directory-integrated zone. You need to ensure that the new zone is only replicated to four of your domain controllers. What should you do first? A. From the command prompt, run dnscmd and specify the /createdirectorypartition parameter. B. Create a new delegation in the ForestDnsZones application directory partition. C. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter. D. Create a new delegation in the DomainDnsZones application directory partition. Correct Answer: A / Practically the same question as D/Q25 and K/Q17, different set of answers.

23 Exam B QUESTION 1 You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNS Server for contoso.com. You install the DNS Server role on a member server named Server1 and then you create a standard secondary zone for contoso.com. You configure DC1 as the master server for the zone. You need to ensure that Server1 receives zone updates from DC1. A. On DC1, modify the permissions of contoso.com zone. B. On Server1, add a conditional forwarder. C. On DC1, modify the zone transfer settings for the contoso.com zone. D. Add the Server1 computer account to the DNSUpdateProxy group. Correct Answer: C / Practically the same question as J/Q23 and K/Q45. Modify Zone Transfer Settings You can use the following procedure to control whether a zone will be transferred to other servers and which servers can receive the zone transfer. To modify zone transfer settings using the Windows interface 1. Open DNS Manager. 2. Right-click a DNS zone, and then click Properties. 3. On the Zone Transfers tab, do one of the following: To disable zone transfers, clear the Allow zone transfers check box. To allow zone transfers, select the Allow zone transfers check box. 4. If you allowed zone transfers, do one of the following: To allow zone transfers to any server, click To any server. To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab. To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers. QUESTION 2 Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runs an Enterprise Root certification authority (CA). You need to ensure that only administrators can sign code. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

24 A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted Publishers. B. Modify the security settings on the template to allow only administrators to request code signing certificates. C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only administrators to apply the policy. D. Publish the code signing template. Correct Answer: BD / QUESTION 3 Your company has an Active Directory forest. You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server. When you attempt to add the Active Directory Certificate Services (AD CS) role, you find that the Enterprise CA option is not available. You need to install the AD CS role as an Enterprise CA. What should you do first? A. Add the DNS Server role. B. Add the Active Directory Lightweight Directory Service (AD LDS) role. C. Add the Web server (IIS) role and the AD CS role. D. Join the server to the domain. Correct Answer: D / QUESTION 4 Your company has an Active Directory domain named contoso.com. The company network has two DNS servers named DNS1 and DNS2. The DNS servers are configured as shown in the following table. Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to Internet Web sites. You need to enable Internet name resolution for all client computers. A. Update the list of root hints servers on DNS2.

25 B. Create a copy of the.(root) zone on DNS1. C. Delete the.(root) zone from DNS2. Configure conditional forwarding on DNS2. D. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1. Correct Answer: C / QUESTION 5 Your network consists of a single Active Directory domain. All domain controllers run Windows Server You upgrade all domain controllers to Windows Server You need to configure the Active Directory environment to support the application of multiple password policies. A. Raise the functional level of the domain to Windows Server B. On one domain controller, run dcpromo /adv. C. Create multiple Active Directory sites. D. On all domain controllers, run dcpromo /adv. Correct Answer: A / QUESTION 6 Your company has two Active Directory forests named contoso.com and fabrikam.com. The company network has three DNS servers named DNS1, DNS2, and DNS3. The DNS servers are configured as shown in the following table. All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server. All other computers use DNS1 as the preferred DNS server. Users from the fabrikam.com domain are unable to connect to the servers that belong to the contoso.com domain. You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries. A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3. B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server. C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.

26 D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1. Correct Answer: D / QUESTION 7 Your company, Contoso Ltd, has offices in North America and Europe. Contoso has an Active Directory forest that has three domains. You need to reduce the time required to authenticate users from the labs.eu.contoso.com domain when they access resources in the eng.na.contoso.com domain. A. Decrease the replication interval for all Connection objects. B. Decrease the replication interval for the DEFAULTIPSITELINK site link. C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com. D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com. Correct Answer: C / QUESTION 8 Your company purchases a new application to deploy on 200 computers. The application requires that you modify the registry on each target computer before you install the application. The registry modifications are in a file that has an.adm extension. You need to prepare the target computers for the application. A. Import the.adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an organizational unit that contains the target computers. B. Create a Microsoft Windows PowerShell script to copy the.adm file to each computer. Run the REDIRUsr CONTAINER-DN command on each target computer. C. Create a Microsoft Windows PowerShell script to copy the.adm file to the startup folder of each target computer. D. Create a Microsoft Windows PowerShell script to copy the.adm file to each computer. Run the REDIRCmp CONTAINER-DN command on each target computer. Correct Answer: A / QUESTION 9 Your company has an Active Directory forest that contains eight linked Group Policy Objects (GPOs). One of

27 these GPOs publishes applications to user objects. A user reports that the application is not available for installation. You need to identify whether the GPO has been applied. A. Run the Group Policy Results utility for the user. B. Run the GPRESULT /S <system name> /Z command at the command prompt. C. Run the GPRESULT /SCOPE COMPUTER command at the command prompt. D. Run the Group Policy Results utility for the computer. Correct Answer: A / QUESTION 10 Your company has an Active Directory domain. You plan to install the Active Directory Certificate Services (AD CS) server role on a member server that runs Windows Server 2008 R2. You need to ensure that members of the Account Operators group are able to issue smartcard credentials. They should not be able to revoke certificates. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.) A. Create an Enrollment Agent certificate. B. Create a Smartcard logon certificate. C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group. D. Install the AD CS role and configure it as an Enterprise Root CA. E. Install the AD CS role and configure it as a Standalone CA. F. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group. Correct Answer: BCD / QUESTION 11 You create 200 new user accounts. The users are located in six different sites. New users report that they receive the following error message when they try to log on: "The username or password is incorrect." You confirm that the user accounts exist and are enabled. You also confirm that the user name and password information supplied are correct. You need to identify the cause of the failure. You also need to ensure that the new users are able to log on. Which utility should you run? A. Active Directory Domains and Trusts

28 B. Repadmin C. Rstools D. Rsdiag Correct Answer: B / Repadmin allows us to check the replication status and also allows us to force a replication between domain controllers. Repadmin /replsummary Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report. Repadmin /showrepl Displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions. Repadmin /syncall Synchronizes a specified domain controller with all replication partners. QUESTION 12 Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have an Active Directory-integrated zone for contoso.com. You have a Unix-based DNS server. You need to configure your Windows Server 2008 R2 environment to allow zone transfers of the contoso.com zone to the Unix-based DNS server. What should you do in the DNS Manager console? A. Enable BIND secondaries B. Create a stub zone C. Disable recursion D. Create a secondary zone Correct Answer: A / QUESTION 13 Your company has an Active Directory domain. You log on to the domain controller. The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC). You need to access the Active Directory Schema snap-in.

29 A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by using Server Manager. B. Log off and log on again by using an account that is a member of the Schema Administrators group. C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the schema for writing. D. Register Schmmgmt.dll. Correct Answer: D / QUESTION 14 Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD CS) is configured as a standalone Certification Authority (CA) on the server. You need to audit changes to the CA configuration settings and the CA security settings. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.) A. Configure auditing in the Certification Authority snap-in. B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32% \CertSrv directory. C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory. D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate Services (AD CS) server. Correct Answer: AD / QUESTION 15 Your company has a single-domain Active Directory forest. The functional level of the domain is Windows Server You perform the following activities: Create a global distribution group. Add users to the global distribution group. Create a shared folder on a Windows Server 2008 member server. Place the global distribution group in a domain local group that has access to the shared folder. You need to ensure that the users have access to the shared folder. A. Add the global distribution group to the Domain Administrators group. B. Change the group type of the global distribution group to a security group. C. Change the scope of the global distribution group to a Universal distribution group.

30 D. Raise the forest functional level to Windows Server Correct Answer: B / QUESTION 16 Your company hires 10 new employees. You want the new employees to connect to the main office through a VPN connection. You create new user accounts and grant the new employees they Allow Read and Allow Execute permissions to shared resources in the main office. The new employees are unable to access shared resources in the main office. You need to ensure that users are able to establish a VPN connection to the main office. A. Grant the new employees the Allow Access Dial-in permission. B. Grant the new employees the Allow Full control permission. C. Add the new employees to the Remote Desktop Users security group. D. Add the new employees to the Windows Authorization Access security group. Correct Answer: A / QUESTION 17 Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amount of available CPU resources on a domain controller. A. Review performance data in Resource Monitor. B. Review the Hardware Events log in the Event Viewer. C. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report. D. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report. Correct Answer: C / QUESTION 18 Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers.

31 You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.) A. Run the adprep /domainprep command. B. Raise the forest functional level to Windows Server C. Raise the domain functional level to Windows Server D. Run the adprep /forestprep command. Correct Answer: AD / QUESTION 19 You need to identify all failed logon attempts on the domain controllers. A. View the Netlogon.log file. B. View the Security tab on the domain controller computer object. C. Run Event Viewer. D. Run the Security and Configuration Wizard. Correct Answer: C / QUESTION 20 Your company has a DNS server that has 10 Active Directory integrated zones. You need to provide copies of the zone files of the DNS server to the security department. A. Run the dnscmd /ZoneInfo command. B. Run the ipconfig /registerdns command. C. Run the dnscmd /ZoneExport command. D. Run the ntdsutil > Partition Management > List commands. Correct Answer: C / QUESTION 21 Your company has an Active Directory forest. The company has three locations. Each location has an organizational unit and a child organizational unit named Sales. The Sales organizational unit contains all users and computers of the sales department.

32 The company plans to deploy a Microsoft Office 2007 application on all computers within the three Sales organizational units. You need to ensure that the Office 2007 application is installed only on the computers in the Sales organizational units. A. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the domain. B. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location. C. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location. D. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location. Correct Answer: C / QUESTION 22 Your company has a main office and 10 branch offices. Each branch office has an Active Directory site that contains one domain controller. Only domain controllers in the main office are configured as Global Catalog servers. You need to deactivate the Universal Group Membership Caching (UGMC) option on the domain controllers in the branch offices. At which level should you deactivate UGMC? A. Server B. Connection object C. Domain D. Site Correct Answer: D / QUESTION 23 Your network consists of a single Active Directory domain. All domain controllers run Windows Server You upgrade all domain controllers to Windows Server 2008 R2. You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R). A. From the command prompt, run dfsutil /addroot:sysvol.

33 B. From the command prompt, run netdom /reset. C. From the command prompt, run dcpromo /unattend:unattendfile.xml. D. Raise the functional level of the domain to Windows Server 2008 R2. Correct Answer: D / QUESTION 24 Your company has a main office and a branch office that are configured as a single Active Directory forest. The functional level of the Active Directory forest is Windows Server There are four Windows Server 2003 domain controllers in the main office. You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch office. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Raise the functional level of the forest to Windows Server B. Deploy a Windows Server 2008 domain controller at the main office. C. Raise the functional level of the domain to Windows Server D. Run the adprep/rodcprep command. Correct Answer: BD / QUESTION 25 Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers and DNS servers. All client computers run Windows XP SP3. You need to use your client computers to edit domainbased GPOs by using the ADMX files that are stored in the ADMX central store. A. Add your account to the Domain Admins group. B. Upgrade your client computers to Windows 7. C. Install.NET Framework 3.0 on your client computers. D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the PolicyDefinitions folder. Correct Answer: B / QUESTION 26 Your company has a domain controller that runs Windows Server The domain controller has the backup

34 features installed. You need to perform a non-authoritative restore of the doman controller using an existing backup file. A. Restart the domain controller in Directory Services Restore Mode and use wbadmin to restore critical volume B. Restart the domain controller in Directory Services Restore Mode and use the backup snap-in to restore critical volume C. Restart the domain controller in Safe Mode and use wbadmin to restore critical volume D. Restart the domain controller in Safe Mode and use the backup snap-in to restore critical volume Correct Answer: A / QUESTION 27 Your company has an Active Directory domain. All servers run Windows Server. You deploy a Certification Authority (CA) server. You create a new global security group named CertIssuers. You need to ensure that members of the CertIssuers group can issue, approve, and revoke certificates. What should you do? A. Assign the Certificate Manager role to the CertIssuers group B. Place CertIssuers group in the Certificate Publisher group C. Run the certsrv -add CertIssuers command promt of the certificate server D. Run the add -member-membertype memberset CertIssuers command by using Microsoft Windows Powershell Correct Answer: A / QUESTION 28 Your company has an Active Directory domain. The company has purchased 100 new computers. You want to deploy the computers as members of the domain. You need to create the computer accounts in an OU. A. Run the csvde -f computers.csv command B. Run the ldifde -f computers.ldf command C. Run the dsadd computer <computerdn> command D. Run the dsmod computer <computerdn> command

35 Correct Answer: C / QUESTION 29 Your network consists of a single Active Directory domain. You have a domain controller and a member server that run Windows Server 2008 R2. Both servers are configured as DNS servers. Client computers run either Windows XP Service Pack 3 or Windows 7. You have a standard primary zone on the domain controller. The member server hosts a secondary copy of the zone. You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone. What should you do first? A. On the member server, add a conditional forwarder. B. On the member server, install Active Directory Domain Services. C. Add all computer accounts to the DNS UpdateProxy group. D. Convert the standard primary zone to an Active Directory-integrated zone. Correct Answer: D / QUESTION 30 Your company has two domain controllers that are configured as internal DNS servers. All zones on the DNS servers are Active Directory-integrated zones. The zones allow all dynamic updates. You discover that the contoso.com zone has multiple entries for the host names of computers that do not exist. You need to configure the contoso.com zone to automatically remove expired records. A. Enable only secure updates on the contoso.com zone, B. Enable scavenging and configure the refresh interval on the contoso.com zone. C. From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone. D. From the Start of Authority tab, increase the default expiration interval on the contoso.com zone Correct Answer: B / QUESTION 31 You have an Active Directory domain that runs Windows Server 2008 R2. You need to implement a certification authority (CA) server that meets the following requirements:

36 Allows the certification authority to automatically issue certificates Integrates with Active Directory Domain Services A. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA. B. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA. C. Purchase a certificate from a third-party certification authority, Install and configure the Active Directory Certificate Services server role as a Standalone Subordinate CA. D. Purchase a certificate from a third-party certification authority, Import the certificate into the computer store of the schema master. Correct Answer: B / QUESTION 32 You have a Windows Server 2008 R2 Enterprise Root certification authority (CA). You need to grant members of the Account Operators group the ability to only manage Basic EFS certificates. You grant the Account Operators group the Issue and Manage Certificates permission on the CA. Which three tasks should you perform next? (Each correct answer presents part of the solution. Choose three.) A. Enable the Restrict Enrollment Agents option on the CA. B. Enable the Restrict Certificate Managers option on the CA. C. Add the Basic EFS certificate template for the Account Operators group. D. Grant the Account Operators group the Manage CA permission on the CA. E. Remove all unnecessary certificate templates that are assigned to the Account Operators group. Correct Answer: BCE / QUESTION 33 Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offline root CA and an online issuing CA. The Enterprise certification authority is running Windows Server 2008 R2. You need to ensure users are able to enroll new certificates. A. Renew the Certificate Revocation List (CRL) on the root CA. Copy the CRL to the CertEnroll folder on the issuing CA. B. Renew the Certificate Revocation List (CRL) on the issuing CA, Copy the CRL to the SysternCertificates folder in the users' profile. C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.

37 D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client workstations, Correct Answer: A / QUESTION 34 Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA. The Enterprise Intermediate CA certificate expires. You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain. A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server. B. Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server. C. Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group policy object. D. Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object. Correct Answer: B / QUESTION 35 Your company has recently acquired a new subsidiary company in Quebec. The Active Directory administrators of the subsidiary company must use the French-language version of the administrative templates. You create a folder on the PDC emulator for the subsidiary domain in the path %systemroot%\sysvol\domain \Policies\PolicyDefinitions\FR. You need to ensure that the French-language version of the templates is available. A. Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm files from the Microsoft Web site. Copy the ADM files to the FR folder. B. Copy the ADML files from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator. C. Copy the Install.WIM file from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator. D. Copy the ADMX files from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator. Correct Answer: B /

38 QUESTION 36 A user in a branch office of your company attempts to join a computer to the domain, but the attempt fails. You need to enable the user to join a single computer to the domain. You must ensure that the user is denied any additional rights beyond those required to complete the task. A. Prestage the computer account in the Active Directory domain. B. Add the user to the Domain Administrators group for one day. C. Add the user to the Server Operators group in the Active Directory domain. D. Grant the user the right to log on locally by using a Group Policy Object (GPO). Correct Answer: A / QUESTION 37 The default domain GPO in your company is configured by using the following account policy settings: - Minimum password length: 8 characters - Maximum password age: 30 days - Enforce password history: 12 passwords remembered - Account lockout threshold: 3 invalid logon attempts - Account lockout duration: 30 minutes You install Microsoft SQL Server on a computer named Server1 that runs Windows Server 2008 R2. The SQL Server application uses a service account named SQLSrv. The SQLSrv account has domain user rights. The SQL Server computer fails after running successfully for several weeks. The SQLSrv user account is not locked out. You need to resolve the server failure and prevent recurrence of the failure. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Reset the password of the SQLSrv user account. B. Configure the local security policy on Serverl to grant the Logon as a service right on the SQLSrv user account. C. Configure the properties of the SQLSrv account to Password never expires. D. Configure the properties of the SQLSrv account to User cannot change password. E. Configure the local security policy on Serverl to explicitly grant the SQLSrv user account the Allow logon locally user right. Correct Answer: AC / QUESTION 38 Your company has two Active Directory forests named Forest1 and Forest2, The forest functional level and the

39 domain functional level of Forest1 are set to Windows Server The forest functional level of Forest2 is set to Windows 2000, and the domain functional levels in Forest2 are set to Windows Server You need to set up a transitive forest trust between Forest1 and Forest2, What should you do first? A. Raise the forest functional level of Forest2 to Windows Server 2003 Interim mode. B. Raise the forest functional level of Forest2 to Windows Server C. Upgrade the domain controllers in Forest2 to Windows Server D. Upgrade the domain controllers in Forest2 to Windows Server Correct Answer: B / Creating Forest Trusts You can link two disjoined Active Directory Domain Services (AD DS) forests together to form a one-way or two-way, transitive trust relationship. The following are required to create forest trusts successfully: You can create a forest trust between two Windows Server 2003 forests, between two Windows Server 2008 forests, between two Windows Server 2008 R2 forests, between a Windows Server 2003 forest and a Windows Server 2008 forest, between a Windows Server 2003 forest and a Windows Server 2008 R2 forest, or between a Windows Server 2008 forest and a Windows Server 2008 R2 forest. Forest trusts cannot be extended implicitly to a third forest. To create a forest trust, the minimum forest functional level for the forests that are involved in the trust relationship is Windows Server (...) QUESTION 39 Your company has an Active Directory forest that contains two domains, The forest has universal groups that contain members from each domain. A branch office has a domain controller named DC1, Users at the branch office report that the logon process takes too long, You need to decrease the amount of time it takes for the branch office users to logon. A. Configure DC1 as a Global Catalog server. B. Configure DC1 as a bridgehead server for the branch office site. C. Decrease the replication interval on the site link that connects the branch office to the corporate network. D. Increase the replication interval on the site link that connects the branch office to the corporate network. Correct Answer: A /

40 QUESTION 40 Your company has an Active Directory domain. The main office has a DNS server named DNS1 that is configured with Active Directory-integrated DNS. The branch office has a DNS server named DNS2 that contains a secondary copy of the zone from DNS1. The two offices are connected with an unreliable WAN link. You add a new server to the main office. Five minutes after adding the server, a user from the branch office reports that he is unable to connect to the new server. You need to ensure that the user is able to connect to the new server. A. Clear the cache on DNS2. B. Reload the zone on DNS1. C. Refresh the zone on DNS2. D. Export the zone from DNS1 and import the zone to DNS2. Correct Answer: C / QUESTION 41 You need to validate whether Active Directory successfully replicated between two domain controllers. A. Run the DSget command. B. Run the Dsquery command. C. Run the RepAdmin command. D. Run the Windows System Resource Manager. Correct Answer: C / You can use the repadmin /showrepl command to verify successful replication to a specific domain controller. QUESTION 42 You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup feature is installed on the domain controller. You need to perform a non-authoritative restore of the domain controller by using an existing backup file. A. Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN command to perform a critical volume restore. B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-in

41 to perform a critical volume restore. C. Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to perform a critical volume restore. D. Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical volume restore. Correct Answer: A / QUESTION 43 Your company has an Active Directory forest. Not all domain controllers in the forest are configured as Global Catalog Servers. Your domain structure contains one root domain and one child domain. You modify the folder permissions on a file server that is in the child domain. You discover that some Access Control entries start with S and that no account name is listed. You need to list the account names. A. Move the RID master role in the child domain to a domain controller that holds the Global Catalog. B. Modify the schema to enable replication of the friendlynames attribute to the Global Catalog. C. Move the RID master role in the child domain to a domain controller that does not hold the Global Catalog. D. Move the infrastructure master role in the child domain to a domain controller that does not hold the Global Catalog. Correct Answer: D / QUESTION 44 Your company security policy requires complex passwords. You have a comma delimited file named import.csv that contains user account information. You need to create user account in the domain by using the import.csv file. You also need to ensure that the new user accounts are set to use default passwords and are disabled. What shoulld you do? A. Modify the useraccountcontrol attribute to disabled. Run the csvde i k f import.csv command. Run the DSMOD utility to set default passwords for the user accounts. B. Modify the useraccountcontrol attribute to accounts disabled. Run the csvde -f import.csv command. Run the DSMOD utility to set default passwords for the user accounts. C. Modify the useraccountcontrol attribute to disabled. Run the wscript import.csv command. Run the DSADD utility to set default passwords for the imported user accounts. D. Modify the useraccountcontrol attribute to disabled. Run ldifde -i -f import.csv command. Run the DSADD utility to set passwords for the imported user accounts. Correct Answer: A

42 / QUESTION 45 You are installing an application on a computer that runs Windows Server 2008 R2. During installation, the application will need to install new attributes and classes to the Active Directory database. You need to ensure that you can install the application. A. Change the functional level of the forest to Windows Server 2008 R2. B. Log on by using an account that has Server Operator rights. C. Log on by using an account that has Schema Administrator rights and the appropriate rights to install the application. D. Log on by using an account that has the Enterprise Administrator rights and the appropriate rights to install the application. Correct Answer: C / QUESTION 46 Your company has an Active Directory forest. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7. The domain uses a set of GPO administrative templates that have been approved to support regulatory compliance requirements. Your partner company has an Active Directory forest that contains a single domain. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7. You need to configure your partner company's domain to use the approved set of administrative templates. A. Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In each site, import the GPO to the default domain policy. B. Copy the ADMX files from your company's PDC emulator to the PolicyDefinitions folder on the partner company's PDC emulator. C. Copy the ADML files from your company's PDC emulator to the PolicyDefinitions folder on the partner company's PDC emulator. D. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Web site. Copy the ADM files to the PolicyDefinitions folder on thr partner company's emulator. Correct Answer: B / QUESTION 47

43 You need to ensure that users who enter three successive invalid passwords within 5 minutes are locked out for 5 minutes. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.) A. Set the Minimum password age setting to one day. B. Set the Maximum password age setting to one day. C. Set the Account lockout duration setting to 5 minutes. D. Set the Reset account lockout counter after setting to 5 minutes. E. Set the Account lockout threshold setting to 3 invalid logon attempts. F. Set the Enforce password history setting to 3 passswords remembered. Correct Answer: CDE /

44 Exam C QUESTION 1 Your company has an Active Directory domain and an organizational unit. The organizational unit is named Web. You configure and test new security settings for Internet Information Service (IIS) Servers on a server named IISServerA. You need to deploy the new security settings only on the IIS servers that are members of the Web organizational unit. A. Run secedit /configure /db iis.inf from the command prompt on IISServerA, then run secedit /configure /db webou.inf from the comand prompt. B. Export the settings on IISServerA to create a security template. Import the security template into a GPO and link the GPO to the Web organizational unit. C. Export the settings on IISServerA to create a security template. Run secedit /configure /db webou.inf from the comand prompt. D. Import the hisecws.inf file template into a GPO and link the GPO to the Web organizational unit. Correct Answer: B / QUESTION 2 Your network consists of an Active Directory forest that contains two domains. All servers run Windows Server 2008 R2. All domain controllers are configured as DNS Servers. You have a standard primary zone for dev.contoso.com that is stored on a member server. You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone. A. On the member server, create a stub zone. B. On the member server, create a NS record for each domain controller. C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the forest. D. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the domain. Correct Answer: C / QUESTION 3 Your company has an Active Directory domain. You install a new domain controller in the domain. Twenty users report that they are unable to log on to the domain.

45 You need to register the SRV records. Which command should you run on the new domain controller? A. Run the netsh interface reset command. B. Run the ipconfig /flushdns command. C. Run the dnscmd /EnlistDirectoryPartition command. D. Run the sc stop netlogon command followed by the sc start netlogon command. Correct Answer: D / MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62 The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records. QUESTION 4 You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server role installed. You need to minimize the amount of time it takes for client computers to download a certificate revocation list (CRL). A. Install and configure an Online Responder. B. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client workstations. C. Install and configure an additional domain controller. D. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations. Correct Answer: A / QUESTION 5 You want users to log on to Active Directory by using a new Principal Name (UPN). You need to modify the UPN suffix for all user accounts. Which tool should you use? A. Dsmod B. Netdom C. Redirusr D. Active Directory Domains and Trusts

46 Correct Answer: A / QUESTION 6 Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. Auditing is configured to log changes made to the Managed By attribute on group objects in an organizational unit named OU1. You need to log changes made to the Description attribute on all group objects in OU1 only. A. Run auditpol.exe. B. Modify the auditing entry for OU1. C. Modify the auditing entry for the domain. D. Create a new Group Policy Object (GPO). Enable Audit account management policy setting. Link the GPO to OU1. Correct Answer: B / QUESTION 7 Your company uses shared folders. Users are granted access to the shared folders by using domain local groups. One of the shared folders contains confidential data. You need to ensure that unauthorized users are not able to access the shared folder that contains confidential data. A. Enable the Do not trust this computer for delegation property on all the computers of unauthorized users by using the Dsmod utility. B. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full control permission on the shared folders that hold the confidential data for the Guest account. C. Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users in to the Deny DLG group. Configure the Allow Full control permission on the shared folder that hold the confidential data for the Deny DLG group. D. Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorized users in to the Deny DLG group. Configure the Deny Full control permission on the shared folder that hold the confidential data for the Deny DLG group. Correct Answer: D /

47 QUESTION 8 Your company has an Active Directory domain. You install an Enterprise Root certification authority (CA) on a member server named Server1. You need to ensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1. A. Remove the Request Certificates permission from the Domain Users group. B. Remove the Request Certificated permission from the Authenticated Users group. C. Assign the Allow - Manage CA permission to only the Security Manager user Account. D. Assign the Allow - Issue and Manage Certificates permission to only the Security Manger user account Correct Answer: D / Implement Role-Based Administration You can use role-based administration to organize certification authority (CA) administrators into separate, predefined CA roles, each with its own set of tasks. Roles are assigned by using each user's security settings. You assign a role to a user by assigning that user the specific security settings that are associated with the role. A user that has one type of permission, such as Manage CA permission, can perform specific CA tasks that a user with another type of permission, such as Issue and Manage Certificates permission, cannot perform. The following table describes the roles, users, and groups that can be used to implement role-based administration. Roles and groups Certificate manager Security permission Issue and Manage Certificates Description Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA officer. These permissions are assigned by using the Certification Authority snap-in. QUESTION 9 You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2. What is the minimal forest functional level that you should use? A. Windows Server 2008 R2 B. Windows Server 2008 C. Windows Server 2003 D. Windows 2000 Correct Answer: C /

48 Prerequisites for Deploying an RODC Complete the following prerequisites before you deploy a read-only domain controller (RODC): Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available. (...) QUESTION 10 Your company has three Active Directory domains in a single forest. You install a new Active Directory enabled application. The application ads new user attributes to the Active Directory schema. You discover that the Active Directory replication traffic to the Global Catalogs has increased. You need to prevent the new attributes from being replicated to the Global Catalog. You must achieve this goal without affecting application functionality. A. Change the replication interval for the DEFAULTIPSITELINK object to B. Change the cost for the DEFAULTIPSITELINK object to C. Make the new attributes in the Active Directory as defunct. D. Modify the properties in the Active Directory schema for the new attributes. Correct Answer: D / QUESTION 11 You are decommissioning one of the domain controllers in a child domain. You need to transfer all domain operations master roles within the child domain to a newly installed domain controller in the same child domain. Which three domain operations master roles should you transfer? (Each correct answer presents part of the solution. Choose three.) A. RID master B. PDC emulator C. Schema master D. Infrastructure master E. Domain naming master Correct Answer: ABD / QUESTION 12 There are 100 servers and 2000 computers present at your company's headquarters.

49 The DHCP service is installed on a two-node Microsoft failover cluster named CKMFO to ensure the high availability of the service. The nodes are named as CKMFON1 and CKMFON2. The cluster on CKMFO has one physical shared disk of 400 GB capacity. A 200GB single volume is configured on the shared disk. Company has decided to host a Windows Internet Naming Service (WINS) on CKMFON1. The DHCP and WINS services will be hosted on other nodes. Using High Availability Wizard, you begin creating the WINS service group on cluster available on CKMFON1 node. The wizard shows an error "no disks are available" during configuration. Which action should you perform to configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1? A. Backup all data on the single volume on CKMFON1 and configure the disk with GUID partition table and create two volumes. Restore the backed up data on one of the volumes and use the other for WINS service group B. Add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volume to fix the error in the wizard. C. Add new physical shared disks to CKMFON1 and EMBFON2. Configure the volumes onthese disk and direct CKMOFONI to use CKMFON2 volume for the WINS service group D. Add and configure a new volume on the existing shared disk which has 400GB of space. Use this volume to fix the error in the wizard E. None of the above Correct Answer: B / QUESTION 13 Exhibit:

50 Company servers run Windows Server It has a single Active Directory domain. A server called S4 has file services role installed. You install some disk for additional storage. The disks are configured as shown in the exhibit. To support data stripping with parity, you have to create a new drive volume. What should you do to achieve this objective? A. Build a new spanned volume by combining Disk0 and Disk1 B. Create a new Raid-5 volume by adding another disk. C. Create a new virtual volume by combining Disk 1 and Disk 2 D. Build a new striped volume by combining Disk0 and Disk 2 Correct Answer: B / QUESTION 14 Your company asks you to implement Windows Cardspace in the domain. You want to use Windows Cardspace at your home. Your home and office computers run Windows Vista Ultimate. What should you do to create a backup copy of Windows Cardspace cards to be used at home? A. Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB drive B. Backup \Windows\Globalization folder by using backup status and save the folder on your USB drive C. Back up the system state data by using backup status tool on your USB drive D. Employ Windows Cardspace application to backup the data on your USB drive. E. Reformat the C: Drive F. None of the above Correct Answer: D

51 / QUESTION 15 Company has servers on the main network that run Windows Server It also has two domain controllers. Active Directory services are running on a domain controller named CKDC1. You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server. What should you do to perform offline critical updates on CKDC1 without rebooting the server? A. Start the Active Directory Domain Services on CKDC1 B. Disconnect from the network and start the Windows update feature C. Stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates. D. Stop Active Directory domain services and install updates. Disconnect from the network and then connect again. E. None of the above Correct Answer: C / QUESTION 16 One of the remote branch offices is running a Windows Server 2008 read only domain controller (RODC). For security reasons you don't want some critical credentials like (passwords, encryption keys) to be stored on RODC. What should you do so that these credentials are not replicated to any RODC's in the forest? (Select 2) A. Configure RODC filtered attribute set on the server B. Configure RODC filtered set on the server that holds Schema Operations Master role. C. Delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain D. Configure forest functional level server for Windows server 2008 to configure filtered attribute set. E. None of the above Correct Answer: BD / Adding attributes to the RODC filtered attribute set The RODC filtered attribute set is a dynamic set of attributes that is not replicated to any RODCs in the forest. You can configure the RODC filtered attribute set on a schema master that runs Windows Server When the attributes are prevented from replicating to RODCs, that data cannot be exposed unnecessarily if an RODC is stolen or compromised.

52 A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request could succeed. Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest. QUESTION 17 Company has a server with Active Directory Rights Management Services (AD RMS) server installed. Users have computers with Windows Vista installed on them with an Active Directory domain installed at Windows Server 2003 functional level. As an administrator at Company, you discover that the users are unable to benefit from AD RMS to protect their documents. You need to configure AD RMS to enable users to use it and protect their documents. What should you do to achieve this functionality? A. Configure an account in Active Directory Domain Services (AD DS) for each user. B. Add and configure ADRMSADMIN account in local administrators group on the user computers C. Add and configure the ADRMSSRVC account in AD RMS server's local administrator group D. Reinstall the Active Directory domain on user computers E. All of the above Correct Answer: A / QUESTION 18 Company has an active directory forest on a single domain. Company needs a distributed application that employs a custom application. The application is directory partition software named PARDAT. You need to implement this application for data replication. Which two tools should you use to achieve this task? (Choose two answers. Each answer is a part of a complete solution) A. Dnscmd. B. Ntdsutil. C. Ipconfig D. Dnsutil E. All of the above Correct Answer: AB

53 / QUESTION 19 Company has an Active Directory forest with six domains. The company has 5 sites. The company requires a new distributed application that uses a custom application directory partition named ResData for data replication. The application is installed on one member server in five sites. You need to configure the five member servers to receive the ResData application directory partition for data replication. A. Run the Dcpromo utility on the five member servers. B. Run the Regsvr32 command on the five member servers C. Run the Webadmin command on the five member servers D. Run the RacAgent utility on the five member servers Correct Answer: A / QUESTION 20 As an administrator at Company, you have installed an Active Directory forest that has a single domain. You have installed an Active Directory Federation services (AD FS) on the domain member server. What should you do to configure AD FS to make sure that AD FS token contains information from the active directory domain? A. Add a new account store and configure it. B. Add a new resource partner and configure it C. Add a new resource store and configure it D. Add a new administrator account on AD FS and configure it E. None of the above Correct Answer: A / QUESTION 21 Company runs Window Server 2008 on all of its servers. It has a single Active Directory domain and it uses Enterprise Certificate Authority. The security policy at ABC.com makes it necessary to examine revoked certificate information. You need to make sure that the revoked certificate information is available at all times. What should you do to achieve that? A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer certificates and link the GPO to the domain. B. Configure and use a GPO to publish a list of trusted certificate authorities to the domain

54 C. Configure and publish an OCSP (Online certificate status protocol) responder through ISAS (Internet Security and Acceleration Server) array. D. Use network load balancing and publish an OCSP responder. E. None of the above Correct Answer: D / QUESTION 22 As the Company administrator you had installed a read-only domain controller (RODC) server at remote location. The remote location doesn't provide enough physical security for the server. What should you do to allow administrative accounts to replicate authentication information to Read-Only Domain Controllers? A. Remove any administrative accounts from RODC's group B. Add administrative accounts to the domain Allowed RODC Password Replication group C. Set the Deny on Receive as permission for administrative accounts on the RODC computer account Security tab for the Group Policy Object (GPO) D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link the GPO to the remote location. Activate the Read Allow and the Apply group policy Allow permissions for the administrators on the Security tab for the GPO. E. None of the above Correct Answer: B / QUESTION 23 ABC.com boasts a two-node Network Load Balancing cluster which is called web.ck1.com. The purpose of this cluster is to provide load balancing and high availability of the intranet website only. With monitoring the cluster, you discover that the users can view the Network Load Balancing cluster in their Network Neighborhood and they can use it to connect to various services by using the name web.ck1.com. You also discover that there is only one port rule configured for Network Load Balancing cluster. You have to configure web.ck1.com NLB cluster to accept HTTP traffic only. Which two actions should you perform to achieve this objective? (Choose two answers. Each answer is part of the complete solution) A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster console B. Run the wlbs disable command on the cluster nodes C. Assign a unique port rule for NLB cluster by using the NLB Cluster console D. Delete the default port rules through Network Load Balancing Cluster console Correct Answer: AD

55 / QUESTION 24 ABC.com has a main office and a branch office. ABC.com's network consists of a single Active Directory forest. Some of the servers in the network run Windows Server 2008 and the rest run Windows server You are the administrator at ABC.com. You have installed Active Directory Domain Services (AD DS) on a computer that runs Windows Server The branch office is located in a physically insecure place. It has no IT personnel onsite and there are no administrators over there. You need to setup a Read-Only Domain Controller (RODC) on the Server Core installation computer in the branch office. What should you do to setup RODC on the computer in branch office? A. Execute an attended installation of AD DS B. Execute an unattended installation of AD DS C. Execute RODC through AD DS D. Execute AD DS by using deploying the image of AD DS E. none of the above Correct Answer: B / Install an RODC on a Server Core installation To install an RODC on a Server Core installation of Windows Server 2008, you must perform an unattended installation of AD DS. QUESTION 25 You had installed an Active Directory Federation Services (AD FS) role on a Windows server 2008 in your organization. Now you need to test the connectivity of clients in the network to ensure that they can successfully reach the new Federation server and Federation server is operational. (Select all that apply) A. Go to Services tab, and check if Active Directory Federation Services is running B. In the event viewer, Applications, Event ID column look for event ID 674. C. Open a browser window, and then type the Federation Service URL for the new federation server. D. None of the above Correct Answer: BC /

56 Verify Verify that a specific event (ID 674) was generated on the federation server proxy computer. This event is generated when the federation server proxy is able to successfully communicate with the Federation Service. To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority. 1. Log on to a client computer with Internet access. 2. Open a browser window, and then type the Uniform Resource Locator (URL) for the Federation Service endpoint, along with the path to the clientlogon.aspx page that is stored on the federation server proxy. 3. Press ENTER. Note -At this point your browser should display the error Server Error in '/adfs' Application. This step is necessary to generate event message 674 to verify that the clientlogon.aspx page is being loaded properly by Internet Information Services (IIS). 4. Log on to the federation server proxy. 5. Click Start, point to Administrative Tools, and then click Event Viewer. 6. In the details pane, double-click Application. 7. In the Event column, look for event ID 674. QUESTION 26 ABC.com has purchased laptop computers that will be used to connect to a wireless network. You create a laptop organizational unit and create a Group Policy Object (GPO) and configure user profiles by utilizing the names of approved wireless networks. You link the GPO to the laptop organizational unit. The new laptop users complain to you that they cannot connect to a wireless network. What should you do to enforce the group policy wireless settings to the laptop computers? A. Execute gpupdate/target:computer command at the command prompt on laptop computers B. Execute Add a network command and leave the SSID (service set identifier) blank C. Execute gpupdate/boot command at the command prompt on laptops computers D. Connect each laptop computer to a wired network and log off the laptop computer and then login again. E. None of the above Correct Answer: D / QUESTION 27 The Company has a Windows 2008 domain controller server. This server is routinely backed up over the network from a dedicated backup server that is running Windows 2003 OS. You need to prepare the domain controller for disaster recovery apart from the routine backup procedures. You are unable to launch the backup utility while attempting to back up the system state data for the data controller. You need to backup system state data from the Windows Server 2008 domain controller server.

57 A. Add your user account to the local Backup Operators group B. Install the Windows Server backup feature using the Server Manager feature. C. Install the Removable Storage Manager feature using the Server Manager feature D. Deactivating the backup job that is configured to backup Windows 2008 server domain controller on the Windows 2003 server. E. None of the above Correct Answer: B / QUESTION 28 You are an administrator at ABC.com. Company has a RODC (read-only domain controller) server at a remote location. The remote location doesn't have proper physical security. You need to activate nonadministrative accounts passwords on that RODC server. Which of the following action should be considered to populate the RODC server with non-administrative accounts passwords? A. Delete all administrative accounts from the RODC's group B. Configure the permission to Deny on Receive for administrative accounts on the security tab for Group Policy Object (GPO) C. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied group D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators. E. None of the above Correct Answer: C / QUESTION 29 ABC.com has a network that is comprise of a single Active Directory Domain. As an administrator at ABC.com, you install Active Directory Lightweight Directory Services (AD LDS) on a server that runs Windows Server To enable Secure Sockets Layer (SSL) based connections to the AD LDS server, you install certificates from a trusted Certification Authority (CA) on the AD LDS server and client computers. Which tool should you use to test the certificate with AD LDS? A. Ldp.exe B. Active Directory Domain services C. ntdsutil.exe D. Lds.exe E. wsamain.exe

58 F. None of the above Correct Answer: A / QUESTION 30 ABC.com boasts a main office and 20 branch offices. Configured as a separate site, each branch office has a Read-Only Domain Controller (RODC) server installed. Users in remote offices complain that they are unable to log on to their accounts. What should you do to make sure that the cached credentials for user accounts are only stored in their local branch office RODC server? A. Open the RODC computer account security tab and set Allow on the Receive as permission only for the users that are unable to log on to their accounts B. Add a password replication policy to the main Domain RODC and add user accounts in the security group C. Configure a unique security group for each branch office and add user accounts to the respective security group. Add the security groups to the password replication allowed group on the main RODC server D. Configure and add a separate password replication policy on each RODC computer account Correct Answer: D / QUESTION 31 The corporate network of Company consists of a Windows Server 2008 single Active Directory domain. The domain has two servers named Company 1 and Company 2. To ensure central monitoring of events you decided to collect all the events on one server, to collect events from Company, and transfer them to Company 1. You configure the required event subscriptions. You selected the Normal option for the Event delivery optimization setting by using the HTTP protocol. However, you discovered that none of the subscriptions work. Which of the following actions would you perform to configure the event collection and event forwarding on the two servers? (Select three. Each answer is a part of the complete solution). A. Run window execute the winrm quickconfig command on Company 2. B. Run window execute the wecutil qc command on Company 2. C. Add the Company 1 account to the Administrators group on Company 2. D. Run window execute the winrm quickconfig command on Company 1. E. Add the Company 2 account to the Administrators group on Company 1. F. Run window execute the wecutil qc command on Company 1. Correct Answer: ACF

59 / We need to do three things: 1 - run winrm quickconfig on the source computer (Company 2) 2 - run wecutil qc on the collector computer (Company 1) 3 - add the computer account of the collector computer to the local Administrators group on the source computer Had the Event delivery optimization setting been set to Minimize Bandwidth or Minimize Latency, then we would need to run winrm quickconfig on the collector computer too. Because it's set to Normal we can skip that step. If the HTTPS protocol had been used we also would have had to configure Windows Firewall exceptions for port 443. But it's not, and it's not even listed, so that's cool. Configure Computers to Forward and Collect Events Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source). To configure computers in a domain to forward and collect events 1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges. 2. On each source computer, type the following at an elevated command prompt: winrm quickconfig Note If you intend to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, then you must also run the above command on the collector computer. 3. On the collector computer, type the following at an elevated command prompt: wecutil qc 4. Add the computer account of the collector computer to the local Administrators group on each of the source computers. 5. The computers are now configured to forward and collect events. Follow the steps in Create a New Subscription to specify the events you want to have forwarded to the collector. QUESTION 32 Your company has a main office and 40 branch offices. Each branch office is configured as a separate Active Directory site that has a dedicated read-only domain controller (RODC). An RODC server is stolen from one of the branch offices. You need to identify the user accounts that were cached on the stolen RODC server. Which utility should you use? A. Dsmod.exe B. Ntdsutil.exe C. Active Directory Sites and Services D. Active Directory Users and Computers Correct Answer: D /

60 QUESTION 33 ABC.com has a software evaluation lab. There is a server in the evaluation lab named as CKT. CKT runs Windows Server 2008 and Microsoft Virtual Server 2005 R2. CKT has 200 virtual servers running on an isolated virtual segment to evaluate software. To connect to the internet, it uses physical network interface card. ABC.com requires every server in the company to access Internet. ABC.com security policy dictates that the IP address space used by software evaluation lab must not be used by other networks. Similarly, it states the IP address space used by other networks should not be used by the evaluation lab network. As an administrator you find you that the applications tested in the software evaluation lab need to access normal network to connect to the vendors update servers on the internet. You need to configure all virtual servers on the CKT server to access the internet. You also need to comply with company's security policy. Which two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the complete solution) A. Trigger the Virtual DHCP server for the external virtual network and run ipconfig/renew command on each virtual server B. On CKT's physical network interface, activate the Internet Connection Sharing (ICS) C. Use ABC.com intranet IP addresses on all virtual servers on CKT. D. Add and install a Microsoft Loopback Adapter network interface on CKT. Use a new network interface and create a new virtual network. E. None of the above Correct Answer: AD / QUESTION 34 You are an administrator at ABC.com. Company has a network of 5 member servers acting as file servers. It has an Active Directory domain. You have installed a software application on the servers. As soon as the application is installed, one of the member servers shuts down itself. To trace and rectify the problem, you create a Group Policy Object (GPO). You need to change the domain security settings to trace the shutdowns and identify the cause of it. What should you do to perform this task? A. Link the GPO to the domain and enable System Events option B. Link the GPO to the domain and enable Audit Object Access option C. Link the GPO to the Domain Controllers and enable Audit Object Access option D. Link the GPO to the Domain Controllers and enable Audit Process tracking option E. Perform all of the above actions Correct Answer: A /

61 QUESTION 35 ABC.com has a network that consists of a single Active Directory domain. A technician has accidently deleted an Organizational unit (OU) on the domain controller. As an administrator of ABC.com, you are in process of restoring the OU. You need to execute a non-authoritative restore before an authoritative restore of the OU. Which backup should you use to perform non- authoritative restore of Active Directory Domain Services (AD DS) without disturbing other data stored on domain controller? A. Critical volume backup B. Backup of all the volumes C. Backup of the volume that hosts Operating system D. Backup of AD DS folders E. all of the above Correct Answer: A / QUESTION 36 ABC.com has a network that consists of a single Active Directory domain.windows Server 2008 is installed on all domain controllers in the network. You are instructed to capture all replication errors from all domain controllers to a central location. What should you do to achieve this task? A. Initiate the Active Directory Diagnostics data collector set B. Set event log subscriptions and configure it C. Initiate the System Performance data collector set D. Create a new capture in the Network Monitor Correct Answer: B / QUESTION 37 Company has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers. Client computers running Windows XP and Windows Vista. All domain controllers are running Windows server You need to deploy Active Directory Rights Management System (AD RMS) to secure all documents, spreadsheets and to provide user authentication.

62 What do you need to configure, in order to complete the deployment of AD RMS? A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company _DC1 B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company _DC1 C. Upgrade all client computers to Windows Vista. Install AD RMS on Company _SRV5 D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company _SRV5 E. None of the above Correct Answer: D / QUESTION 38 You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensure that data and log files are backed up regularly. This will also ensure the continued availability of data to applications and users in the event of a system failure. Because you have limited media resources, you decided to backup only specific ADLDS instance instead of taking backup of the entire volume. What should you do to accomplish this task? A. Use Windows Server backup utility and enable checkbox to take only backup of database and log files of AD LDS B. Use Dsdbutil.exe tool to create installation media that corresponds only to the ADLDS instance C. Move AD LDS database and log files on a separate volume and use windows server backup utility D. None of the above Correct Answer: B / Backing up AD LDS instance data with Dsdbutil.exe With the Dsdbutil.exe tool, you can create installation media that corresponds only to the AD LDS instance that you want to back up, as opposed to backing up entire volumes that contain the AD LDS instance. QUESTION 39 You had installed Windows Server 2008 on a computer and configured it as a file server, named FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks. For fault tolerance and performance you want to configure Redundant Array of Independent Disks (RAID) 0 +1 on FileSrv1. Which utility you will use to convert basic disks to dynamic disks on FileSrv1? A. Diskpart.exe B. Chkdsk.exe

63 C. Fsutil.exe D. Fdisk.exe E. None of the above Correct Answer: A / [Diskpart] Convert dynamic Converts a basic disk into a dynamic disk. QUESTION 40 ABC.com has a domain controller that runs Windows Server The ABC.com network boasts 40 Windows Vista client machines. As an administrator at ABC.com, you want to deploy Active Directory Certificate service (AD CS) to authorize the network users by issuing digital certificates. What should you do to manage certificate settings on all machines in a domain from one main location? A. Configure Enterprise CA certificate settings B. Configure Enterprise trust certificate settings C. Configure Advance CA certificate settings D. Configure Group Policy certificate settings E. All of the above Correct Answer: D / AD CS: Policy Settings In the Windows Server 2008 operating system, certificate-related Group Policy settings enable administrators to manage certificate validation settings according to the security needs of the organization. What are certificate settings in Group Policy? Certificate settings in Group Policy enable administrators to manage the certificate settings on all the computers in the domain from a central location. QUESTION 41 A domain controller named DC12 runs critical services. Restructuring of the organizational unit hierarchy for the domain has been completed and unnecessary objects have been deleted. You need to perform an offline defragmentation of the Active Directory database on DC12. You also need to ensure that the critical services remain online. A. Start the domain controller in the Directory Services restore mode. Run the Defrag utility. B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility.

64 C. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Defrag utility. D. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Ntdsutil utility. Correct Answer: D / QUESTION 42 Your company has a server that runs Windows Server 2008 R2. The server runs an instance of Active Directory Lightweight Directory Services (AD LDS). You need to replicate the AD LDS instance on a test computer that is located on the network. A. Run the repadmin /kcc <servername> command on the test computer. B. Create a naming context by running the Dsmgmt command on the test computer. C. Create a new directory partition by running the Dsmgmt command on the test computer. D. Create and install a replica by running the AD LDS Setup wizard on the test computer. Correct Answer: D / Create a Replica AD LDS Instance To create an AD LDS instance and join it to an existing configuration set, use the Active Directory Lightweight Directory Services Set Wizard to create a replica AD LDS instance. To create a replica AD LDS instance 1. Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services Setup Wizard. 2. On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next. 3. On the Setup Options page, click A replica of an existing instance, and then click Next. 4. Finish creating the new instance by following the wizard instructions. QUESTION 43 Your network contains an Active Directory domain. The relevant servers in the domain are configured as shown in the following table. Server name Operating System Server role Server1 Windows 2008 Domain controller Server2 Windows 2008 R2 Enterprise root certification authority (CA) Server3 Windows 2008 R2 Network Device Enrollment Service (NDES) You need to ensure that all device certificate requests use the MD5 hash algorithm.

65 A. On Server2, run the Certutil tool. B. On Server1, update the CEP Encryption certificate template. C. On Server1, update the Exchange Enrollment Agent (Offline Request) template. D. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\ HashAlgorithm \HashAlgorithm registry key. Correct Answer: D / Managing Network Device Enrollment Service Configuring NDES NDES stores its configuration in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography \MSCEP. To change NDES configuration, edit the NDES registry settings by using Regedit.exe or Reg.exe, then restart IIS. If necessary, create the key and value using the names and data types described in the following table. Key name HashAlgorithm \ HashAlgorithm Value Data Type String Default value SHA1 Description Accepted values are SHA1 and MD5. QUESTION 44 Your network contains an Active Directory domain. You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA). You have a client computer named Computer1 that runs Windows 7. You enable automatic certificate enrollment for all client computers that run Windows 7. You need to verify that the Windows 7 client computers can automatically enroll for certificates. Which command should you run on Computer1? A. certreq.exe retrieve B. certreq.exe submit C. certutil.exe getkey D. certutil.exe pulse Correct Answer: D

66 / QUESTION 45 Your network contains two Active Directory forests named contoso.com and adatum.com. The functional level of both forests is Windows Server 2008 R2. Each forest contains one domain. Active Directory Certificate Services (AD CS) is configured in the contoso.com forest to allow users from both forests to automatically enroll user certificates. You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.com certification authority (CA). What should you configure in the adatum.com domain? A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings. B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings. C. From the Default Domain Policy, modify the Certificate Enrollment policy. D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings. Correct Answer: C / QUESTION 46 You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) role services installed: Enterprise root certification authority (CA) Certificate Enrollment Web Service Certificate Enrollment Policy Web Service You create a new certificate template. External users report that the new template is unavailable when they request a new certificate. You verify that all other templates are available to the external users. You need to ensure that the external users can request certificates by using the new template. What should you do on Server1? A. Run iisreset.exe /restart. B. Run gpupdate.exe /force. C. Run certutil.exe dspublish. D. Restart the Active Directory Certificate Services service. Correct Answer: A / QUESTION 47 Your network contains an enterprise root certification authority (CA).

67 You need to ensure that a certificate issued by the CA is valid. A. Run syskey.exe and use the Update option. B. Run sigverif.exe and use the Advanced option. C. Run certutil.exe and specify the -verify parameter. D. Run certreq.exe and specify the -retrieve parameter. Correct Answer: C / QUESTION 48 You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates. Users are required to log on to the domain by using a smart card. Your company's corporate security policy states that when an employee resigns, his ability to log on to the network must be immediately revoked. An employee resigns. You need to immediately prevent the employee from logging on to the domain. A. Revoke the employee's smart card certificate. B. Disable the employee's Active Directory account. C. Publish a new delta certificate revocation list (CRL). D. Reset the password for the employee's Active Directory account. Correct Answer: B /

68 Exam D QUESTION 1 You add an Online Responder to an Online Responder Array. You need to ensure that the new Online Responder resolves synchronization conflicts for all members of the Array. A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1. B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32. C. From the Online Responder Management Console, select the new Online Responder, and then select Set as Array Controller. D. From the Online Responder Management Console, select the new Online Responder, and then select Synchronize Members with Array Controller. Correct Answer: C / Reference 1: Managing Array members For each Array, one member is defined as the Array controller; the role of the Array controller is to help resolve synchronization conflicts and to apply updated revocation configuration information to all Array members. Reference 2: To designate an Array controller 1. Open the Online Responder snap-in. 2. In the console tree, click Array Configuration Members. 3. Select the Online Responder that you want to designate as the Array controller. 4. In the Actions pane, click Set as Array Controller. QUESTION 2 Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterprise root certification authority (CA). You have a Web site that uses x.509 certificates for authentication. The Web site is configured to use a manyto-one mapping. You revoke a certificate issued to an external partner. You need to prevent the external partner from accessing the Web site. A. Run certutil.exe -crl. B. Run certutil.exe -delkey. C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group. D. From Active Directory Users and Computers, modify the Contact object for the external partner. Correct Answer: A

69 / QUESTION 3 Your company has a main office and five branch offices that are connected by WAN links. The company has an Active Directory domain named contoso.com. Each branch office has a member server configured as a DNS server. All branch office DNS servers host a secondary zone for contoso.com. You need to configure the contoso.com zone to resolve client queries for at least four days in the event that a WAN link fails. A. Configure the Expires after option for the contoso.com zone to 4 days. B. Configure the Retry interval option for the contoso.com zone to 4 days. C. Configure the Refresh interval option for the contoso.com zone to 4 days. D. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days. Correct Answer: A / QUESTION 4 Your company has an Active Directory domain named contoso.com. FS1 is a member server in contoso.com. You add a second network interface card, NIC2, to FS1 and connect NIC2 to a subnet that contains computers in a DNS domain named fabrikam.com. Fabrikam.com has a DHCP server and a DNS server. Users in fabrikam.com are unable to resolve FS1 by using DNS. You need to ensure that FS1 has an A record in the fabrikam.com DNS zone. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) A. Configure the DHCP server in fabrikam.com with the scope option 044 WINS/NBNS Servers. B. Configure the DHCP server in fabrikam.com by setting the scope option 015 DNS Domain Name to the domain name fabrikam.com. C. Configure NIC2 by configuring the Append these DNS suffixes (in order): option. D. Configure NIC2 by configuring the Use this connection's DNS suffix in DNS registration option. E. Configure the DHCP server in contoso.com by setting the scope option 015 DNS Domain Name to the domain name fabrikam.com. Correct Answer: BD / QUESTION 5

70 Your company Datum Corporation, has a single Active Directory domain named intranet.adatum.com. The domain has two domain controllers that run Windows Server 2008 R2 operating system. The domain controllers also run DNS servers. The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the Dynamic updates setting configured to Secure only. A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated only by domain controllers or member servers. You need to configure the intranet.adatum.com zone to meet the new security policy requirement. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zone properties. B. Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNS zone properties. C. Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of the intranet.adatum.com DNS zone properties. D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tab of the intranet.adatum.com DNS zone properties. Correct Answer: AD / QUESTION 6 Your company has two Active Directory forests as shown in the following table. Forest name Forest functional level Domain(s) contoso.com Windows Server 2008 contoso.com fabrikam.com Windows Server 2008 fabrikam.com eng.fabrikam.com The forests are connected by using a two-way forest trust. Each trust direction is configured with forest-wide authentication. The new security policy of the company prohibits users from the eng.fabrikam.com domain to access resources in the contoso.com domain. You need to configure the forest trust to meet the new security policy requirement. A. Delete the outgoing forest trust in the contoso.com domain. B. Delete the incoming forest trust in the contoso.com domain. C. Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wide authentication to Selective authentication. D. Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude *.eng. fabrikam.com from the Name Suffix Routing trust properties. Correct Answer: D

71 / QUESTION 7 Your company has an Active Directory Rights Management Services (AD RMS) server. Users have Windows Vista computers. An Active Directory domain is configured at the Windows Server 2003 functional level. You need to configure AD RMS so that users are able to protect their documents. A. Install the AD RMS client 2.0 on each client computer. B. Add the RMS service account to the local administrators group on the AD RMS server. C. Establish an account in Active Directory Domain Services (AD DS) for each RMS user. D. Upgrade the Active Directory domain to the functional level of Windows Server Correct Answer: C / QUESTION 8 Your company has an Active Directory domain. All consultants belong to a global group named TempWorkers. The TempWorkers group is not nested in any other groups. You move the computer objects of three file servers to a new organizational unit named SecureServers. These file servers contain only confidential data in shared folders. You need to prevent members of the TempWorkers group from accessing the confidential data on the file servers. You must achieve this goal without affecting access to other domain resources. A. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to this computer from the network user right to the TempWorkers global group. B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers global group. C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group. D. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on locally user right to the TempWorkers global group. Correct Answer: A / QUESTION 9 Your network consists of a single Active Directory domain. User accounts for engineering department are located in an OU named Engineering.

72 You need to create a password policy for the engineering department that is different from your domain password policy. A. Create a new GPO. Link the GPO to the Engineering OU. B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the Engineering OU. C. Create a global security group and add all the user accounts for the engineering department to the group. Create a new Password Policy Object (PSO) and apply it to the group. D. Create a domain local security group and add all the user accounts for the engineering department to the group. From the Active Directory Users and Computer console, select the group and run the Delegation of Control Wizard. Correct Answer: C / QUESTION 10 Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2. DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the zone. DC2 hosts a standard secondary DNS zone for the domain. You need to configure DNS to allow only secure dynamic updates. What should you do first? A. On DC1 and DC2, configure a trust anchor. B. On DC1 and DC2, configure a connection security rule. C. On DC1, configure the zone transfer settings. D. On DC1, configure the zone to be stored in Active Directory. Correct Answer: D / QUESTION 11 Your network contains a domain controller that has two network connections named Internal and Private. Internal has an IP address of Private has an IP address of You need to prevent the domain controller from registering Host (A) records for the IP address. A. Modify the netlogon.dns file on the domain controller. B. Modify the Name Server settings of the DNS zone for the domain. C. Modify the properties of the Private network connection on the domain controller. D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.

73 Correct Answer: C / QUESTION 12 Your network contains an Active Directory forest named contoso.com. You plan to add a new domain named nwtraders.com to the forest. All DNS servers are domain controllers. You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNS servers in the forest. A. Add the computer accounts of all the domain controllers to the DnsAdmins group. B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group. C. Create a standard primary zone on a domain controller in the forest root domain. D. Create an Active Directory-integrated zone on a domain controller in the forest root domain. Correct Answer: D / QUESTION 13 Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 hosts a standard primary zone for contoso.com. You discover that non-domain member computers register records in the contoso.com zone. You need to prevent the non-domain member computers from registering records in the contoso.com zone. All domain member computers must be allowed to register records in the contoso.com zone. What should you do first? A. Configure a trust anchor. B. Run the Security Configuration Wizard (SCW). C. Change the contoso.com zone to an Active Directory-integrated zone. D. Modify the security settings of the %SystemRoot%\System32\Dns folder. Correct Answer: C / QUESTION 14 Your network contains an Active Directory domain named contoso.com. You create a GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The

74 target host of the record is server2. contoso.com. When you ping Server1, you discover that the name fails to resolve. You successfully resolve server2.contoso.com. You need to ensure that you can resolve names by using the GlobalNames zone. A. From the command prompt, use the netsh tool. B. From the command prompt, use the dnscmd tool. C. From DNS Manager, modify the properties of the GlobalNames zone. D. From DNS Manager, modify the advanced settings of the DNS server. Correct Answer: B / Enable GlobalNames zone support The GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitly enabled by using the following command on every authoritative DNS server in the forest: dnscmd <ServerName> /config /enableglobalnamessupport 1 QUESTION 15 Your company has a main office and a branch office. The network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com is configured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain. The main office contains a writable domain controller named DC1. The branch office contains a read- only domain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You uninstall the DNS server role from RODC1. You need to prevent DNS records from replicating to RODC1. A. Modify the replication scope for the contoso.com zone. B. Flush the DNS cache and enable cache locking on RODC1. C. Configure conditional forwarding for the contoso.com zone. D. Modify the zone transfer settings for the contoso.com zone. Correct Answer: A /

75 QUESTION 16 Your network contains an Active Directory domain named contoso.com. The domain contains the servers shown in the following table. The functional level of the forest is Windows Server The functional level of the domain is Windows Server DNS1 and DNS2 host the contoso.com zone. All client computers run Windows 7 Enterprise. You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC. What should you do first? A. Change the functional level of the forest. B. Change the functional level of the domain. C. Upgrade DC1 to Windows Server 2008 R2. D. Upgrade DNS1 to Windows Server 2008 R2. Correct Answer: D / QUESTION 17 Your network contains a domain controller that is configured as a DNS server. The server hosts an Active Directory-integrated zone for the domain. You need to reduce how long it takes until stale records are deleted from the zone. A. From the configuration directory partition of the forest, modify the tombstone lifetime. B. From the configuration directory partition of the forest, modify the garbage collection interval. C. From the aging properties of the zone, modify the no-refresh interval and the refresh interval. D. From the start of authority (SOA) record of the zone, modify the refresh interval and the expire interval. Correct Answer: C / QUESTION 18 You have an Active Directory domain named contoso.com. You have a domain controller named Server1 that is

76 configured as a DNS server. Server1 hosts a standard primary zone for contoso.com. The DNS configuration of Server1 is shown in the exhibit. (Click the Exhibit button.) You discover that stale resource records are not automatically removed from the contoso.com zone. You need to ensure that the stale resource records are automatically removed from the contoso.com zone. A. Set the scavenging period of Server1 to 0 days. B. Modify the Server Aging/Scavenging properties. C. Configure the aging properties for the contoso.com zone. D. Convert the contoso.com zone to an Active Directory-integrated zone. Correct Answer: C / QUESTION 19 Your network contains an Active Directory domain named contoso.com. You remove several computers from the network.

77 You need to ensure that the host (A) records for the removed computers are automatically deleted from the contoso.com DNS zone. A. Configure dynamic updates. B. Configure aging and scavenging. C. Create a scheduled task that runs the Dnscmd /ClearCache command. D. Create a scheduled task that runs the Dnscmd /ZoneReload contoso.com command. Correct Answer: B / QUESTION 20 You need to force a domain controller to register all service location (SRV) resource records in DNS. Which command should you run? A. ipconfig.exe /registerdns B. net.exe stop dnscache & net.exe start dnscache C. net.exe stop netlogon & net.exe start netlogon D. regsvr32.exe dnsrslvr.dll Correct Answer: C / MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62 The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records. QUESTION 21 Your network contains an Active Directory domain named contoso.com. You plan to deploy a child domain named sales.contoso.com. The domain controllers in sales.contoso.com will be DNS servers for sales.contoso.com. You need to ensure that users in contoso.com can connect to servers in sales.contoso.com by using fully qualified domain names (FQDNs). A. Create a DNS forwarder. B. Create a DNS delegation. C. Configure root hint servers.

78 D. Configure an alternate DNS server on all client computers. Correct Answer: B / QUESTION 22 Your network contains a single Active Directory domain named contoso.com. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 hosts a primary zone for contoso. com. DC2 hosts a secondary zone for contosto.com. On DC1, you change the zone to an Active Directory-integrated zone and configure the zone to accept secure dynamic updates only. You need to ensure that DC2 can accept secure dynamic updates to the contoso.com zone. Which command should you run? A. dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.com B. dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimary C. dnslint.exe /ql D. repadmin.exe /syncall /force Correct Answer: B / QUESTION 23 Your network contains an Active Directory domain named contoso.com. You run nslookup.exe as shown in the following Command Prompt window. You need to ensure that you can use Nslookup to list all of the service location (SRV) resource records for contoso.com. What should you modify? A. the root hints of the DNS server B. the security settings of the zone C. the Windows Firewall settings on the DNS server D. the zone transfer settings of the zone Correct Answer: D

79 / QUESTION 24 Your network contains an Active Directory domain named contoso.com. The contoso.com DNS zone is stored in Active Directory. All domain controllers run Windows Server 2008 R2. You need to identify if all of the DNS records used for Active Directory replication are correctly registered. A. From the command prompt, use netsh.exe. B. From the command prompt, use dnslint.exe. C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet. D. From the Active Directory Module for Windows PowerShell, run the Get-ADDomainController cmdlet. Correct Answer: B / Dnslint.exe DNSLint is a Microsoft Windows tool that can be used to help diagnose common DNS name resolution issues. It can be targeted to look for specific DNS record sets and ensure that they are consistent across multiple DNS servers. It can also be used to verify that DNS records used specifically for Active Directory replication are correct. QUESTION 25 Your network contains an Active Directory forest. The forest contains one domain and three sites. Each site contains two domain controllers. All domain controllers are DNS servers. You create a new Active Directory-integrated zone. You need to ensure that the new zone is replicated to the domain controllers in only one of the sites. What should you do first? A. Modify the NTDS Site Settings object for the site. B. Modify the replication settings of the default site link. C. Create an Active Directory connection object. D. Create an Active Directory application directory partition. Correct Answer: D / Practically the same question as A/Q50 and K/Q17, different set of answers. QUESTION 26

80 Your network contains a single Active Directory forest. The forest contains two domains named contoso.com and sales.contoso.com. The domain controllers are configured as shown in the following table. All domain controllers run Windows Server 2008 R2. All zones are configured as Active Directory- integrated zones. You need to ensure that contoso.com records are available on DC3. Which command should you run? A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain B. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest C. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain D. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest Correct Answer: B / QUESTION 27 You have a DNS zone that is stored in a custom application directory partition. You install a new domain controller. You need to ensure that the custom application directory partition replicates to the new domain controller. What should you use? A. the Active Directory Administrative Center console B. the Active Directory Sites and Services console C. the DNS Manager console D. the Dnscmd tool Correct Answer: D / dnscmd /enlistdirectorypartition Adds the DNS server to the specified directory partition's replica set. QUESTION 28 Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2. The functional level of the domain is Windows Server 2008 R2. The functional level of the

81 forest is Windows Server You have a member server named Server1 that runs Windows Server You need to ensure that you can add Server1 to contoso.com as a domain controller. What should you run before you promote Server1? A. dcpromo.exe /CreateDCAccount B. dcpromo.exe /ReplicaOrNewDomain:replica C. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008Domain D. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest Correct Answer: C / After you set the domain functional level to a certain value in Windows Server 2008 R2, you cannot roll back or lower the domain functional level, with one exception: when you raise the domain functional level to Windows Server 2008 R2 and if the forest functional level is Windows Server 2008 or lower, you have the option of rolling the domain functional level back to Windows Server You can lower the domain functional level only from Windows Server 2008 R2 to Windows Server If the domain functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server QUESTION 29 Your network contains an Active Directory forest. The forest contains a single domain. You want to access resources in a domain that is located in another forest. You need to configure a trust between the domain in your forest and the domain in the other forest. What should you create? A. an incoming external trust B. an incoming realm trust C. an outgoing external trust D. an outgoing realm trust Correct Answer: A / A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest). QUESTION 30 Your network contains two Active Directory forests. One forest contains two domains named contoso.com and na.contoso.com. The other forest contains a domain named nwtraders.com. A forest trust is configured between the two forests.

82 You have a user named User1 in the na.contoso.com domain. User1 reports that he fails to log on to a computer in the nwtraders.com domain by using the user name NA\User1. Other users from na.contoso.com report that they can log on to the computers in the nwtraders.com domain. You need to ensure that User1 can log on to the computer in the nwtraders.com domain. A. Enable selective authentication over the forest trust. B. Create an external one-way trust from na.contoso.com to nwtraders.com. C. Instruct User1 to log on to the computer by using his user principal name (UPN). D. Instruct User1 to log on to the computer by using the user name nwtraders\user1. Correct Answer: C / QUESTION 31 Your company has a main office and a branch office. The main office contains two domain controllers. You create an Active Directory site named BranchOfficeSite. You deploy a domain controller in the branch office, and then add the domain controller to the BranchOfficeSite site. You discover that users in the branch office are randomly authenticated by either the domain controller in the branch office or the domain controllers in the main office. You need to ensure that the users in the branch office always attempt to authenticate to the domain controller in the branch office first. A. Create organizational units (OUs). B. Create Active Directory subnet objects. C. Modify the slow link detection threshold. D. Modify the Location attribute of the computer objects. Correct Answer: B / QUESTION 32 Your company has a main office and 50 branch offices. Each office contains multiple subnets. You need to automate the creation of Active Directory subnet objects. What should you use? A. the Dsadd tool B. the Netsh tool

83 C. the New-ADObject cmdlet D. the New-Object cmdlet Correct Answer: C / QUESTION 33 Your network contains an Active Directory forest. The forest contains multiple sites. You need to enable universal group membership caching for a site. A. From Active Directory Sites and Services, modify the NTDS Settings. B. From Active Directory Sites and Services, modify the NTDS Site Settings. C. From Active Directory Users and Computers, modify the properties of all universal groups used in the site. D. From Active Directory Users and Computers, modify the computer objects for the domain controllers in the site. Correct Answer: B / QUESTION 34 You need to ensure that domain controllers only replicate between domain controllers in adjacent sites. What should you configure from Active Directory Sites and Services? A. From the IP properties, select Ignore all schedules. B. From the IP properties, select Disable site link bridging. C. From the NTDS Settings object, manually configure the Active Directory Domain Services connection objects. D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology Generator for each site. Correct Answer: B / QUESTION 35 Your company has a main office and a branch office. You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates by using a domain controller in the main office. You need to ensure that IPv6-only computers authenticate to domain controllers in the same site.

84 A. Configure the NTDS Site Settings object. B. Create Active Directory subnet objects. C. Create Active Directory Domain Services connection objects. D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router. Correct Answer: B / QUESTION 36 Your network contains an Active Directory domain. The domain is configured as shown in the following table. Users in Branch2 sometimes authenticate to a domain controller in Branch1. You need to ensure that users in Branch2 only authenticate to the domain controllers in Main. A. On DC3, set the AutoSiteCoverage value to 0. B. On DC3, set the AutoSiteCoverage value to 1. C. On DC1 and DC2, set the AutoSiteCoverage value to 0. D. On DC1 and DC2, set the AutoSiteCoverage value to 1. Correct Answer: A / QUESTION 37 Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has two domain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4. DC3 fails. You discover that replication no longer occurs between the sites. You verify the connectivity between DC4 and the domain controllers in Site1. On DC4, you run repadmin.exe /kcc. Replication between the sites continues to fail. You need to ensure that Active Directory data replicates between the sites.

85 A. From Active Directory Sites and Services, modify the properties of DC3. B. From Active Directory Sites and Services, modify the NTDS Site Settings of Site2. C. From Active Directory Users and Computers, modify the location settings of DC4. D. From Active Directory Users and Computers, modify the delegation settings of DC4. Correct Answer: A / Same question as J/Q10. By modifying the properties of DC3 we can remove the preferred bridgehead status of DC3. Reference 1: MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 193, 194 Bridgehead Servers A bridgehead server is the domain controller designated by each site s KCC to take control of intersite replication. The bridgehead server receives information replicated from other sites and replicates it to its site s other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than between them. In most cases, the KCC automatically decides which domain controller acts as the bridgehead server. However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps: 1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server. 2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties. 3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead server and then click Add. Reference 2: MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, December ) pages 589, 590 Preferred Bridgehead Servers (...) It s important to understand that if you have specified one or more bridgehead servers and none of the bridgeheads is available, no other server is automatically selected, and replication does not occur for the site even if there are servers that could act as bridgehead servers. QUESTION 38 Your network contains an Active Directory domain. The functional level of the domain is Windows Server The domain contains five domain controllers that run Windows Server 2008 and five domain controllers that run Windows Server 2008 R2. You need to ensure that SYSVOL is replicated by using Distributed File System Replication (DFSR). What should you do first? A. Run dfsrdiag.exe PollAD. B. Run dfsrmig.exe /SetGlobalState 0. C. Upgrade all domain controllers to Windows Server 2008 R2. D. Raise the functional level of the domain to Windows Server 2008.

86 Correct Answer: D / QUESTION 39 Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com. You have a custom attribute named Attibute1 in Active Directory. Attribute1 is associated to User objects. You need to ensure that Attribute1 is replicated to the global catalog. A. In Active Directory Sites and Services, configure the NTDS Settings. B. In Active Directory Sites and Services, configure the universal group membership caching. C. From the Active Directory Schema snap-in, modify the properties of the User class schema object. D. From the Active Directory Schema snap-in, modify the properties of the Attibute1 class schema attribute. Correct Answer: D / QUESTION 40 Your network contains an Active Directory domain. The domain contains three domain controllers. One of the domain controllers fails. Seven days later, the help desk reports that it can no longer create user accounts. You need to ensure that the help desk can create new user accounts. Which operations master role should you seize? A. domain naming master B. infrastructure master C. primary domain controller (PDC) emulator D. RID master E. schema master Correct Answer: D / QUESTION 41 Your network contains two standalone servers named Server1 and Server2 that have Active Directory Lightweight Directory Services (AD LDS) installed.

87 Server1 has an AD LDS instance. You need to ensure that you can replicate the instance from Server1 to Server2. What should you do on both servers? A. Obtain a server certificate. B. Import the MS-User.ldf file. C. Create a service user account for AD LDS. D. Register the service location (SRV) resource records. Correct Answer: C / QUESTION 42 Your network contains a server named Server1 that runs Windows Server 2008 R2. You create an Active Directory Lightweight Directory Services (AD LDS) instance on Server1. You need to create an additional AD LDS application directory partition in the existing instance. Which tool should you use? A. Adaminstall B. Dsadd C. Dsmod D. Ldp Correct Answer: D / Create an Application Directory Partition You use Ldp.exe to add a new application directory partition to an existing instance of Active Directory Lightweight Directory Services (AD LDS). QUESTION 43 Your network contains a server named Server1 that runs Windows Server 2008 R2. On Server1, you create an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1. You connect to Instance1 by using ADSI Edit. You run the Create Object wizard and you discover that there is no User object class. You need to ensure that you can create user objects in Instance1.

88 A. Run the AD LDS Setup Wizard. B. Modify the schema of Instance1. C. Modify the properties of the Instance1 service. D. Install the Remote Server Administration Tools (RSAT). Correct Answer: B / To create users in AD LDS, you must first import the optional user classes that are provided with AD LDS into the AD LDS schema. These user classes are provided in importable.ldf files, which you can find in the directory %windir%adam on the computer where AD LDS is installed. The user, inetorgperson, and OrganizationalPerson object classes are not available until you import the AD LDS user class definitions into the schema. QUESTION 44 Your network contains an Active Directory domain. The domain contains a server named Server1. Server1 runs Windows Server 2008 R2. You need to mount an Active Directory Lightweight Directory Services (AD LDS) snapshot from Server1. A. Run ldp.exe and use the Bind option. B. Run diskpart.exe and use the Attach option. C. Run dsdbutil.exe and use the snapshot option. D. Run imagex.exe and specify the /mount parameter. Correct Answer: C / QUESTION 45 Your network contains a single Active Directory domain. Active Directory Rights Management Services (AD RMS) is deployed on the network. A user named User1 is a member of only the AD RMS Enterprise Administrators group. You need to ensure that User1 can change the service connection point (SCP) for the AD RMS installation. The solution must minimize the administrative rights of User1. To which group should you add User1? A. AD RMS Auditors B. AD RMS Service Group C. Domain Admins

89 D. Schema Admins Correct Answer: C / QUESTION 46 Your network contains two Active Directory forests named contoso.com and adatum.com. Active Directory Rights Management Services (AD RMS) is deployed in contoso.com. An AD RMS trusted user domain (TUD) exists between contoso.com and adatum.com. From the AD RMS logs, you discover that some clients that have IP addresses in the adatum.com forest are authenticating as users from contoso.com. You need to prevent users from impersonating contoso.com users. A. Configure trusted domains. B. Enable lockbox exclusion in AD RMS. C. Create a forest trust between adatum.com and contoso.com. D. Add a certificate from a third-party trusted certification authority (CA). Correct Answer: A / QUESTION 47 Your network contains an Active Directory domain named contoso.com. The network contains client computers that run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) is deployed on the network. You create a new AD RMS template that is distributed by using the AD RMS pipeline. The template is updated every month. You need to ensure that all the computers can use the most up-to-date version of the AD RMS template. You want to achieve this goal by using the minimum amount of administrative effort. A. Upgrade all of the Windows Vista computers to Windows 7. B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2). C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users by using a Software Installation extension of Group Policy. D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all computers by using a Software Installation extension of Group Policy. Correct Answer: B

90 / QUESTION 48 Active Directory Rights Management Services (AD RMS) is deployed on your network. Users who have Windows Mobile 6 devices report that they cannot access documents that are protected by AD RMS. You need to ensure that all users can access AD RMS protected content by using Windows Mobile 6 devices. A. Modify the security of the ServerCertification.asmx file. B. Modify the security of the MobileDeviceCertification.asmx file. C. Enable anonymous authentication for the _wmcs virtual directory. D. Enable anonymous authentication for the certification virtual directory. Correct Answer: B / QUESTION 49 Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1. An administrator changes the password of the user account that is used by AD RMS. You need to update AD RMS to use the new password. Which console should you use? A. Active Directory Rights Management Services B. Active Directory Users and Computers C. Component Services D. Services Correct Answer: A / QUESTION 50 Your network contains an Active Directory Rights Management Services (AD RMS) cluster. You have several custom policy templates. The custom policy templates are updated frequently. Some users report that it takes as many as 30 days to receive the updated policy templates. You need to ensure that users receive the updated custom policy templates within seven days. A. Modify the registry on the AD RMS servers.

91 B. Modify the registry on the users' computers. C. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task. D. Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task. Correct Answer: B / Configuring the AD RMS client The automated scheduled task will not query the AD RMS template distribution pipeline each time that this scheduled task runs. Instead, it checks updatefrequency DWORD value registry entry. This registry entry specifies the time interval (in days) after which the client should update its rights policy templates. By default the registry key is not present on the client computer. In this scenario, the client checks for new, deleted, or modified rights policy templates every 30 days. To configure an interval other than 30 days, create a registry entry at the following location: HKEY_CURRENT_USER\Software\Policies\Microsoft\MSDRM \TemplateManagement. In this registry key, you can also configure the updateiflastupdatedbeforetime, which forces the client computer to update its rights policy templates.

92 Exam E QUESTION 1 Your company has a main office and a branch office. The branch office contains a read-only domain controller named RODC1. You need to ensure that a user named Admin1 can install updates on RODC1. The solution must prevent Admin1 from logging on to other domain controllers. A. Run ntdsutil.exe and use the Roles option. B. Run dsmgmt.exe and use the Local Roles option. C. From Active Directory Sites and Services, modify the NTDS Site Settings. D. From Active Directory Users and Computers, add the user to the Server Operators group. Correct Answer: B / Administrator Role Separation Configuration This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role. To configure Administrator Role Separation for an RODC 1. Click Start, click Run, type cmd, and then press ENTER. 2. At the command prompt, type dsmgmt.exe, and then press ENTER. 3. At the DSMGMT prompt, type local roles, and then press ENTER. 4. (...) QUESTION 2 You install a read-only domain controller (RODC) named RODC1. You need to ensure that a user named User1 can administer RODC1. The solution must minimize the number of permissions assigned to User1. Which tool should you use? A. Active Directory Administrative Center B. Active Directory Users and Computers C. Dsadd D. Dsmgmt Correct Answer: B / Many thanks to Luffy for pointing me in the right direction with this question! There are a couple of ways to achieve this and two of them are mentioned in the listed answers, Active Directory Users and Computers and Dsmgmt.

93 Referenced below are two Technet articles. The first explains the different ways to implement Administrator Role Separation on an RODC, and why the use of Active Directory Users is recommended over Dsmgmt. The second reference is now a kind of bonus, explaining how to use dsmgmt for this task. (In version 1 of this dump I used it to explain why dsmgmt should be the answer.) Reference 1: Delegating local administration of an RODC Administrator Role Separation (ARS) is an RODC feature that you can use to delegate the ability to administer an RODC to a user or a security group. When you delegate the ability to log on to an RODC to a user or a security group, the user or group is not added the Domain Admins group and therefore does not have additional rights to perform directory service operations. Steps and best practices for setting up ARS You can specify a delegated RODC administrator during an RODC installation or after it. To specify the delegated RODC administrator after installation, you can use either of the following options: Modify the Managed By tab of the RODC account properties in the Active Directory Users and Computers snap-in, as shown in the following figure. You can click Change to change which security principal is the delegated RODC administrator. You can choose only one security principal. Specify a security group rather than an individual user so you can control RODC administration permissions most efficiently. This method changes the managedby attribute of the computer object that corresponds to the RODC to the SID of the security principal that you specify. This is the recommended way to specify the delegated RODC administrator account because the information is stored in AD DS, where it can be centrally managed by domain administrators.

94 Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members from the Administrators group and other built-in groups on the RODC. [See also the second reference for more information on how to use dsmgmt.] Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab of the RODC account properties. As a result, using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated administrator. In addition, if you demote an RODC, any security principal that you specified by using ntdsutil local roles remains stored in the registry of the server. This can be a security concern if you demote an RODC in one domain and then promote it to be an RODC again in a different domain. In that case, the original security principal would have administrative rights on the new RODC in the different domain. Reference 2: Administrator Role Separation Configuration This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role. To configure Administrator Role Separation for an RODC 1. Click Start, click Run, type cmd, and then press ENTER.

95 2. At the command prompt, type dsmgmt.exe, and then press ENTER. 3. At the DSMGMT prompt, type local roles, and then press ENTER. 4. For a list of valid parameters, type?, and then press ENTER. By default, no local administrator role is defined on the RODC after AD DS installation. To add the local administrator role, use the Add parameter. 5. Type add <DOMAIN>\<user> <administrative role> For example, type add CONTOSO\testuser administrators QUESTION 3 Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains four domain controllers. Site2 contains a read-only domain controller (RODC). You add a user named User1 to the Allowed RODC Password Replication Group. The WAN link between Site1 and Site2 fails. User1 restarts his computer and reports that he is unable to log on to the domain. The WAN link is restored and User1 reports that he is able to log on to the domain. You need to prevent the problem from reoccurring if the WAN link fails. A. Create a Password Settings object (PSO) and link the PSO to User1's user account. B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group. C. Add the computer account of the RODC to the Allowed RODC Password Replication Group. D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group. Correct Answer: D / QUESTION 4 Your company has a main office and a branch office. The network contains an Active Directory domain. The main office contains a writable domain controller named DC1. The branch office contains a read- only domain controller (RODC) named DC2. You discover that the password of an administrator named Admin1 is cached on DC2. You need to prevent Admin1's password from being cached on DC2. A. Modify the NTDS Site Settings. B. Modify the properties of the domain. C. Create a Password Setting object (PSO). D. Modify the properties of DC2's computer account. Correct Answer: D /

96 QUESTION 5 Your network contains an Active Directory domain named contoso.com. The network has a branch office site that contains a read-only domain controller (RODC) named RODC1. RODC1 runs Windows Server 2008 R2. A user named User1 logs on to a computer in the branch office site. You discover that the password of User1 is not stored on RODC1. You need to ensure that User1's password is stored on RODC1. What should you modify? A. the Member Of properties of RODC1 B. the Member Of properties of User1 C. the Security properties of RODC1 D. the Security properties of User1 Correct Answer: B / QUESTION 6 Your company has a main office and a branch office. The branch office has an Active Directory site that contains a read-only domain controller (RODC). A user from the branch office reports that his account is locked out. From a writable domain controller in the main office, you discover that the user's account is not locked out. You need to ensure that the user can log on to the domain. A. Modify the Password Replication Policy. B. Reset the password of the user account. C. Run the Knowledge Consistency Checker (KCC) on the RODC. D. Restore network communication between the branch office and the main office. Correct Answer: D / QUESTION 7 Your network contains a single Active Directory domain. The domain contains five read-only domain controllers (RODCs) and five writable domain controllers. All servers run Windows Server You plan to install a new RODC that runs Windows Server 2008 R2. You need to ensure that you can add the new RODC to the domain. You want to achieve this goal by using the minimum amount of administrative effort.

97 Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. At the command prompt, run adprep.exe /rodcprep. B. At the command prompt, run adprep.exe /forestprep. C. At the command prompt, run adprep.exe /domainprep. D. From Active Directory Domains and Trusts, raise the functional level of the domain. E. From Active Directory Users and Computers, pre-stage the RODC computer account. Correct Answer: BC / Because the domain has only Windows Server 2008 domain controllers, the current domain and forest functional levels are 2008 at most. Introducing a 2008 R2 domain controller requires adprep /forestprep and adprep /domainprep to be run. There's no other way, it has to be done. On top of that, the current domain already has five Windows Server 2008 RODCs. This means that adprep / rodcprep has already run and doesn't need to be run again in this case. What is Adprep.exe? Adprep.exe is a command-line tool that is included on the installation disk of each version of Windows Server. Adprep.exe performs operations that must be completed in an existing Active Directory environment before you can add a domain controller that runs that version of Windows Server. You must run various Adprep.exe commands on your existing domain controllers to complete these operations in the following cases: Before you add the first domain controller that runs a version of Windows Server that is later than the latest version that is running in your existing domain. (...) Running Adprep.exe To complete the required operations, you must run the Adprep.exe commands that are listed in the following table. You must run adprep /forestprep before you run other commands. adprep /forestprep Must be run on the schema operations master for the forest. Once for the entire forest adprep /domainprep Must be run on the infrastructure operations master for the domain. Once in each domain where you plan to install an additional domain controller that runs a later version of Windows Server than the latest version that is running in the domain. adprep /rodcprep If you already ran this command for Windows Server 2008, you do not have to run it again for Windows Server 2008 R2. QUESTION 8 You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named Server1. You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS. Which inbound TCP port should you allow on Server1?

98 A. 88 B. 135 C. 443 D. 445 Correct Answer: C / QUESTION 9 You deploy a new Active Directory Federation Services (AD FS) federation server. You request new certificates for the AD FS federation server. You need to ensure that the AD FS federation server can use the new certificates. To which certificate store should you import the certificates? A. Computer B. IIS Admin Service service account C. Local Administrator D. World Wide Web Publishing Service service account Correct Answer: A / QUESTION 10 Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 has the Active Directory Federation Services (AD FS) role installed. You have an application named App1 that is configured to use Server1 for AD FS authentication. You deploy a new server named Server2. Server2 is configured as an AD FS 2.0 server. You need to ensure that App1 can use Server2 for authentication. What should you do on Server2? A. Add an attribute store. B. Create a relying party trust. C. Create a claims provider trust. D. Create a relaying provider trust. Correct Answer: B /

99 QUESTION 11 Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. The Active Directory Federation Services (AD FS) role is installed on Server1. Contoso.com is defined as an account store. A partner company has a Web-based application that uses AD FS authentication. The partner company plans to provide users from contoso.com access to the Web application. You need to configure AD FS on contoso.com to allow contoso.com users to be authenticated by the partner company. What should you create on Server1? A. a new application B. a resource partner C. an account partner D. an organization claim Correct Answer: D / Many thanks to Luffy for helping me out with this one! Since the account store has already been configured, what needs to be done is to use the account store to map an AD DS global security group to an organization claim (called group claim extraction). So that's what we need to create for authentication: an organization claim. Creating a resource/account partner is part of setting up the Federation Trust. Reference 1: Configuring the Federation Servers [All the steps for setting up an AD FS environment are listed in an extensive step-by-step guide, too long to post here.] Reference 2: Add an AD DS Account Store If user and computer accounts that require access to a resource that is protected by Active Directory Federation Services (AD FS) are stored in Active Directory Domain Services (AD DS), you must add AD DS as an account store on a federation server in the Federation Service that authenticates the accounts. Reference 3: Map an Organization Group Claim to an AD DS Group (Group Claim Extraction) When you use Active Directory Domain Services (AD DS) as the Active Directory Federation Services (AD FS) account store for an account Federation Service, you map an organization group claim to a security group in AD DS. This mapping is called a group claim extraction. QUESTION 12 Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has the Active Directory Federation Services (AD FS) Federation Service role service installed.

100 You plan to deploy AD FS 2.0 on Server2. You need to export the token-signing certificate from Server1, and then import the certificate to Server2. Which format should you use to export the certificate? A. Base-64 encoded X.509 (.cer) B. Cryptographic Message Syntax Standard PKCS #7 (.p7b) C. DER encoded binary X.509 (.cer) D. Personal Information Exchange PKCS #12 (.pfx) Correct Answer: D / Many thanks to 'confused' from Algeria and Luffy for noting this question needed a correction and for their help! Practically the same question as K/Q32 Reference 1: Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0 If the AD FS 1.x Federation Service has a token-signing certificate that was issued by a trusted certification authority (CA) and you want to reuse it, you will have to export it from AD FS 1.x. [The site provides also a link for instructions on how to export the token-signing certificate. That link point to the site mentioned in reference 2.] Reference 2: Export the private key portion of a token-signing certificate To export the private key of a token-signing certificate 1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services. 2. Right-click Federation Service, and then click Properties. 3. On the General tab, click View. 4. In the Certificate dialog box, click the Details tab. 5. On the Details tab, click Copy to File. 6. On the Welcome to the Certificate Export Wizard page, click Next. 7. On the Export Private Key page, select Yes, export the private key, and then click Next. 8. On the Export File Format page, select Personal Information Exchange = PKCS #12 (.PFX), and then click Next. 9. (...) QUESTION 13 Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has Active Directory Federation Services (AD FS) 2.0 installed. Server1 is a member of an AD FS farm. The AD FS farm is configured to use a configuration database that is stored on a separate Microsoft SQL Server. You install AD FS 2.0 on Server2. You need to add Server2 to the existing AD FS farm.

101 A. On Server1, run fsconfig.exe. B. On Server1, run fsconfigwizard.exe. C. On Server2, run fsconfig.exe. D. On Server2, run fsconfigwizard.exe. Correct Answer: C / Configure a New Federation Server To configure a new federation server using the command line 1. Open a Command Prompt window. 2. Change the directory to the path where AD FS 2.0 was installed. 3. To configure this computer as a federation server, type the applicable syntax using either of the following command parameters, and then press ENTER: fsconfig.exe {StandAlone CreateFarm CreateSQLFarm JoinFarm JoinSQLFarm} [deployment specific parameters] Parameter JoinSQLFarm Joins this computer to an existing federation server farm that is using SQL Server. QUESTION 14 Your network contains an Active Directory forest. You set the Windows PowerShell execution policy to allow unsigned scripts on a domain controller in the network. You create a Windows PowerShell script named new-users.ps1 that contains the following lines: new-aduser user1 new-aduser user2 new-aduser user3 new-aduser user4 new-aduser user5 On the domain controller, you double-click the script and the script runs. You discover that the script fails to create the user accounts. You need to ensure that the script creates the user accounts. Which cmdlet should you add to the script? A. Import-Module B. Register-ObjectEvent C. Set-ADDomain D. Set-ADUser Correct Answer: A /

102 QUESTION 15 Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects. You need to modify the custom attribute value of 500 user accounts. Which tool should you use? A. Csvde B. Dsmod C. Dsrm D. Ldifde Correct Answer: D / We cannot use Dsmod here, because it supports only a subset of commonly used object class attributes. Csvde can only import and export data. Dsrm is used to delete objects from the directory. Ldifde Creates, modifies, and deletes directory objects. QUESTION 16 Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects. You need to give the human resources department a file that contains the last logon time and the custom attribute values for each user in the forest. What should you use? A. the Dsquery tool B. the Export-CSV cmdlet C. the Get-ADUser cmdlet D. the Net.exe user command Correct Answer: C / Practically the same question as K/Q43. I find this one a bit tricky, as both the Get-ADUser cmdlet and the Dsquery tool seem to get the job done, I think. The other two options play no role here: Export-CSV cannot perform queries. It is used to save queries that have been piped through. Net User is too limited for our question.

103 Get-ADUser References: e0f5f3a591d7 Export-Csv Saving Data as a Comma-Separated Values File The Export-Csv cmdlet makes it easy to export data as a comma-separated values (CSV) file; all you need to do is call Export-Csv followed by the path to the CSV file. For example, this command uses Get-Process to grab information about all the processes running on the computer, then uses Export-Csv to write that data to a file named C:\Scripts\Test.txt: Get-Process Export-Csv c:\scripts\test.txt. Net User Adds or modifies user accounts, or displays user account information. DSQUERY Reference 1: Parameters {<StartNode> forestroot domainroot} Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the start node <StartNode>. If you specify forestroot, AD DS searches by using the global catalog. -attr {<AttributeList> *} Specifies that the semicolon separated LDAP display names included in <AttributeList> for each entry in the result set. If you specify the value of this parameter as a wildcard character (*), this parameter displays all attributes that are present on the object in the result set. In addition, if you specify a *, this parameter uses the default output format (a list), regardless of whether you specify the -l parameter. The default <AttributeList> is a distinguished name. Reference 2: Gives an example of how to find a user with certain attributes using Dsquery. Note that it uses domainroot as the startnode, instead of forestroot what we need. Reference 3: e0f787/ List all last login times for all users, regardless of whether they are disabled. dsquery * -filter "(&(objectcategory=user)(objectclass=user))" -limit 0 -attr givenname sn samaccountname lastlogon >>c:\last_logon_for_all.txt QUESTION 17 You have a Windows PowerShell script that contains the following code:

104 import-csv Accounts.csv Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword $_. password} When you run the script, you receive an error message indicating that the format of the password is incorrect. The script fails. You need to run a script that successfully creates the user accounts by using the password contained in accounts.csv. Which script should you run? A. import-csv Accounts.csv Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -force)} B. import-csv Accounts.csv Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force)} C. import-csv Accounts.csv Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword (Read-Host -AsSecureString "Password")} D. import-csv Accounts.csv Foreach {New-ADUser -Name $_.Name -Enabled $true - AccountPassword (Read-Host -AsSecureString $_.Password)} Correct Answer: B / QUESTION 18 Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2. Your company's corporate security policy states that the password for each user account must be changed at least every 45 days. You have a user account named Service1. Service1 is used by a network application named Application1. Every 45 days, Application1 fails. After resetting the password for Service1, Application1 runs properly. You need to resolve the issue that causes Application1 to fail. The solution must adhere to the corporate security policy. A. Run the cmdlet. B. Run the Set-ADServiceAccount cmdlet. C. Create a new password policy. D. Create a new Password Settings object (PSO). Correct Answer: B / QUESTION 19 Your network contains an Active Directory forest.

105 You add an additional user principal name (UPN) suffix to the forest. You need to modify the UPN suffix of all users. You want to achieve this goal by using the minimum amount of administrative effort. What should you use? A. the Active Directory Domains and Trusts console B. the Active Directory Users and Computers console C. the Csvde tool D. the Ldifde tool Correct Answer: D / QUESTION 20 Your network contains a single Active Directory domain. All client computers run Windows Vista Service Pack 2 (SP2). You need to prevent all users from running an application named App1.exe. Which Group Policy settings should you configure? A. Application Compatibility B. AppLocker C. Software Installation D. Software Restriction Policies Correct Answer: D / QUESTION 21 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run either Windows XP Service Pack 3 (SP3) or Windows Vista. You need to ensure that all client computers can apply Group Policy preferences. A. Upgrade all Windows XP client computers to Windows 7. B. Create a central store that contains the Group Policy ADMX files. C. Install the Group Policy client-side extensions (CSEs) on all client computers. D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2). Correct Answer: C

106 / QUESTION 22 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run either Windows 7 or Windows Vista Service Pack 2 (SP2). You need to audit user access to the administrative shares on the client computers. A. Deploy a logon script that runs Icacls.exe. B. Deploy a logon script that runs Auditpol.exe. C. From the Default Domain Policy, modify the Advanced Audit Policy Configuration. D. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration. Correct Answer: B / Administrators can use the procedure that is described in this article to deploy a custom audit policy that applies detailed security auditing settings to Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2003 domain or in a Windows 2000 domain. Use the Auditpol.exe command-line tool to configure the custom audit policy settings that you want. QUESTION 23 Your network contains an Active Directory domain named contoso.com. You need to create a central store for the Group Policy Administrative templates. A. Run dfsrmig.exe /createglobalobjects. B. Run adprep.exe /domainprep /gpprep. C. Copy the %SystemRoot%\PolicyDefinitions folder to the \\contoso.com\sysvol\contoso.com\policies folder. D. Copy the %SystemRoot%\System32\GroupPolicy folder to the \\contoso.com\sysvol\contoso.com \Policies folder. Correct Answer: C / QUESTION 24 You configure and deploy a Group Policy object (GPO) that contains AppLocker settings. You need to identify whether a specific application file is allowed to run on a computer. Which Windows PowerShell cmdlet should you use?

107 A. Get-AppLockerFileInformation B. Get-GPOReport C. Get-GPPermissions D. Test-AppLockerPolicy Correct Answer: D / Test-AppLockerPolicy Tests whether the input files are allowed to run for a given user based on the specified AppLocker policy. QUESTION 25 You create a Password Settings object (PSO). You need to apply the PSO to a domain user named User1. A. Modify the properties of the PSO. B. Modify the account options of the User1 account. C. Modify the security settings of the User1 account. D. Modify the password policy of the Default Domain Policy Group Policy object (GPO). Correct Answer: A / To apply PSOs to users or global security groups using the Windows interface 1. Open Active Directory Users and Computers 2. On the View menu, ensure that Advanced Features is checked. 3. In the console tree, click Password Settings Container. 4. In the details pane, right-click the PSO, and then click Properties. 5. Click the Attribute Editor tab. 6. Select the msds-psoappliesto attribute, and then click Edit. 7. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user or the global security group that you want to apply this PSO to, click Add, and then click OK. QUESTION 26 You need to create a Password Settings object (PSO). Which tool should you use? A. Active Directory Users and Computers B. ADSI Edit C. Group Policy Management Console

108 D. Ntdsutil Correct Answer: B / You can create Password Settings objects (PSOs): using the Active Directory module for Windows PowerShell using ADSI Edit using ldifde QUESTION 27 Your network contains an Active Directory domain. All servers run Windows Server 2008 R2. You need to audit the deletion of registry keys on each server. A. From Audit Policy, modify the Object Access settings and the Process Tracking settings. B. From Audit Policy, modify the System Events settings and the Privilege Use settings. C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking settings. D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object Access Auditing settings. Correct Answer: D / Advanced Security Audit Policy Step-by-Step Guide A global object access audit policy can be used to enforce object access audit policy for a computer, file share, or registry. QUESTION 28 Your network contains a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2. You need to enable the Active Directory Recycle Bin. What should you use? A. the Dsmod tool B. the Enable-ADOptionalFeature cmdlet C. the Ntdsutil tool D. the Set-ADDomainMode cmdlet Correct Answer: B

109 / Similar question to question L/Q5. Enabling Active Directory Recycle Bin After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods: Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.) Ldp.exe QUESTION 29 Your network contains a single Active Directory domain. You need to create an Active Directory Domain Services snapshot. A. Use the Ldp tool. B. Use the NTDSUtil tool. C. Use the Wbadmin tool. D. From Windows Server Backup, perform a full backup. Correct Answer: B / To create an AD DS or AD LDS snapshot 1. Log on to a domain controller as a member of the Enterprise Admins groups or the Domain Admins group. 2. Click Start, right-click Command Prompt, and then click Run as administrator. 3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 4. At the elevated command prompt, type the following command, and then press ENTER: ntdsutil 5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot 6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds 7. At the snapshot prompt, type the following command, and then press ENTER: create QUESTION 30 Your network contains a single Active Directory domain. A domain controller named DC2 fails. You need to remove DC2 from Active Directory. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. At the command prompt, run dcdiag.exe /fix. B. At the command prompt, run netdom.exe remove dc2. C. From Active Directory Sites and Services, delete DC2.

110 D. From Active Directory Users and Computers, delete DC2. Correct Answer: CD / Clean Up Server Metadata Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD DS that identifies a domain controller to the replication system. Clean up server metadata by using GUI tools Clean up server metadata by using Active Directory Users and Computers 1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers. 2. Expand the domain of the domain controller that was forcibly removed, and then click Domain Controllers. 3. In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete. Clean up server metadata by using Active Directory Sites and Services 1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services 2. Expand the site of the domain controller that was forcibly removed, expand Servers, expand the name of the domain controller, right-click the NTDS Settings object, and then click Delete. QUESTION 31 Your network contains a single Active Directory domain. The functional level of the forest is Windows Server The functional level of the domain is Windows Server 2008 R2. All DNS servers run Windows Server All domain controllers run Windows Server 2008 R2. You need to ensure that you can enable the Active Directory Recycle Bin. A. Change the functional level of the forest. B. Change the functional level of the domain. C. Modify the Active Directory schema. D. Modify the Universal Group Membership Caching settings. Correct Answer: A / Active Directory Recycle Bin Step-by-Step Guide By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2, which in turn requires all forest domain controllers or all servers that host instances of AD LDS configuration sets to be running Windows Server 2008 R2.

111 QUESTION 32 Your network contains an Active Directory domain. The domain contains several domain controllers. All domain controllers run Windows Server 2008 R2. You need to restore the Default Domain Controllers Policy Group Policy object (GPO) to the Windows Server 2008 R2 default settings. A. Run dcgpofix.exe /target:dc. B. Run dcgpofix.exe /target:domain. C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync. D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force. Correct Answer: A / Dcgpofix Recreates the default Group Policy Objects (GPOs) for a domain. Syntax DCGPOFix [/ignoreschema] [/target: {Domain DC Both}] [/?] /ignoreschema Ignores the version of the Active Directory schema when you run this command. Otherwise, the command only works on the same schema version as the Windows version in which the command was shipped. /target {Domain DC Both} Specifies which GPO to restore. You can restore the Default Domain Policy GPO, the Default Domain Controllers GPO, or both. Examples Restore the Default Domain Controllers Policy GPO to its original state. You will lose any changes that you have made to this GPO. dcgpofix /ignoreschema /target:dc QUESTION 33 Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controller named DC3 and DC4. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day. At 07:00, an administrator deletes a user account while he is logged on to DC1. You need to restore the deleted user account. You want to achieve this goal by using the minimum amount of administrative effort. A. On DC1, run the Restore-ADObject cmdlet.

112 B. On DC3, run the Restore-ADObject cmdlet. C. On DC1, stop Active Directory Domain Services, restore the System State, and then start Active Directory Domain Services. D. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active Directory Domain Services. Correct Answer: D / Practically the same question as J/Q2 and K/Q28. We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and you can only use Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the question text it says "The functional level of the forest is Windows Server 2003." See Performing an authoritative restore on DC3 updates the Update Sequence Number (USN) on that DC, which causes it to replicate the restored user account to other DC's. Reference 1: MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) page 692 An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers. Reference 2: Authoritative restore of AD DS has the following requirements: (...) You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete. QUESTION 34 Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2. You perform a full backup of the domain controllers every night by using Windows Server Backup. You update a script in the SYSVOL folder. You discover that the new script fails to run properly. You need to restore the previous version of the script in the SYSVOL folder. The solution must minimize the amount of time required to restore the script. What should you do first? A. Run the Restore-ADObject cmdlet. B. Restore the system state to its original location. C. Restore the system state to an alternate location. D. Attach the VHD file created by Windows Server Backup. Correct Answer: D

113 / QUESTION 35 Your network contains an Active Directory domain. You need to restore a deleted computer account from the Active Directory Recycle Bin. A. From the command prompt, run recover.exe. B. From the command prompt, run ntdsutil.exe. C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet. D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet. Correct Answer: D / QUESTION 36 You need to back up all of the group policies in a domain. The solution must minimize the size of the backup. What should you use? A. the Add-WBSystemState cmdlet B. the Group Policy Management console C. the Wbadmin tool D. the Windows Server Backup feature Correct Answer: B / To back up a Group Policy object 1. In the Group Policy Management Console (GPMC) console tree, open Group Policy Objects in the forest and domain containing the Group Policy object (GPO) to back up. 2. To back up a single GPO, right-click the GPO, and then click Back Up. To back up all GPOs in the domain, right-click Group Policy objects and click Back Up All. QUESTION 37 You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2. You need to ensure that you can recover the private key of a certificate issued to a Web server. A. From the CA, run the Get-PfxCertificate cmdlet. B. From the Web server, run the Get-PfxCertificate cmdlet. C. From the CA, run the certutil.exe tool and specify the -exportpfx parameter.

114 D. From the Web server, run the certutil.exe tool and specify the -exportpfx parameter. Correct Answer: D / QUESTION 38 Your company has a main office and a branch office. The network contains a single Active Directory domain. The main office contains a domain controller named DC1. You need to install a domain controller in the branch office by using an offline copy of the Active Directory database. What should you do first? A. From the Ntdsutil tool, create an IFM media set. B. From the command prompt, run djoin.exe /loadfile. C. From Windows Server Backup, perform a system state backup. D. From Windows PowerShell, run the get-addomaincontroller cmdlet. Correct Answer: A / QUESTION 39 Your network contains an Active Directory domain. All domain controllers run Windows Server The functional level of the domain is Windows Server All client computers run Windows 7. You install Windows Server 2008 R2 on a server named Server1. You need to perform an offline domain join of Server1. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. From Server1, run djoin.exe. B. From Server1, run netdom.exe. C. From a Windows 7 computer, run djoin.exe. D. Upgrade one domain controller to Windows Server 2008 R2. E. Raise the functional level of the domain to Windows Server Correct Answer: AC / MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) pages 217, 218

115 Offline Domain Join Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment. When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup. Four major steps are required to join a computer to the domain by using offline domain join: 1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain. 2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file. 3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windows directory. 4. When you start or restart the computer, it will be a member of the domain. QUESTION 40 You have an Active Directory snapshot. You need to view the contents of the organizational units (OUs) in the snapshot. Which tools should you run? A. explorer.exe, netdom.exe, and dsa.msc B. ntdsutil.exe, dsamain.exe, and dsa.msc C. wbadmin.msc, dsamain.exe, and netdom.exe D. wbadmin.msc, ntdsutil.exe, and explorer.exe Correct Answer: B / QUESTION 41 Your network contains a domain controller that runs Windows Server 2008 R2. You run the following command on the domain controller: dsamain.exe dbpath c:\$snap_ _volumec$\windows\ntds\ntds.dit ldapport allownonadminaccess The command fails. You need to ensure that the command completes successfully. How should you modify the command? A. Include the path to Dsamain. B. Change the value of the -dbpath parameter. C. Change the value of the -ldapport parameter. D. Remove the allownonadminaccess Correct Answer: C

116 / MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) page 690 Use the AD DS database mounting tool to load the snapshot as an LDAP server. dsamain -dbpath c:\$snap_datetime_volumec$\windows\ntds\ntds.dit -ldapport portnumber Be sure to use ALL CAPS for the -dbpath value and use any number beyond 40,000 for the -ldapport value to ensure that you do not conflict with AD DS. Also note that you can use the minus ( ) sign or the slash (/) for the options in the command. QUESTION 42 Your network contains an Active Directory domain. The domain contains five domain controllers. A domain controller named DC1 has the DHCP role and the file server role installed. You need to move the Active Directory database on DC1 to an alternate location. The solution must minimize impact on the network during the database move. What should you do first? A. Restart DC1 in Safe Mode. B. Restart DC1 in Directory Services Restore Mode. C. Start DC1 from Windows PE. D. Stop the Active Directory Domain Services service on DC1. Correct Answer: D / QUESTION 43 Your company has a main office and a branch office. The network contains an Active Directory forest. The forest contains three domains. The branch office contains one domain controller named DC5. DC5 is configured as a global catalog server, a DHCP server, and a file server. You remove the global catalog from DC5. You need to reduce the size of the Active Directory database on DC5. The solution must minimize the impact on all users in the branch office. What should you do first? A. Start DC5 in Safe Mode. B. Start DC5 in Directory Services Restore Mode. C. On DC5, start the Protected Storage service. D. On DC5, stop the Active Directory Domain Services service. Correct Answer: D

117 / QUESTION 44 Your network contains a domain controller that runs Windows Server 2008 R2. You need to change the location of the Active Directory log files. Which tool should you use? A. Dsamain B. Dsmgmt C. Dsmove D. Ntdsutil Correct Answer: D / QUESTION 45 Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2. You deploy a new server that runs Windows Server 2008 R2. The server is not connected to the internal network. You need to ensure that the new server is already joined to the domain when it first connects to the internal network. A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, run sysprep.exe and specify the /generalize parameter. B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, run sysprep.exe and specify the /oobe parameter. C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the new server, run djoin.exe and specify the /requestodj parameter. D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the new server, run djoin.exe and specify the /provision parameter. Correct Answer: C / Reference 1: MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) pages 217, 218 Offline Domain Join Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment. When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup.

118 Four major steps are required to join a computer to the domain by using offline domain join: 1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain. 2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file. 3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windows directory. 4. When you start or restart the computer, it will be a member of the domain. Reference 2: Steps for performing an offline domain join The offline domain join process includes the following steps: 1. Run the djoin.exe /provision command to create computer account metadata for the destination computer (the computer that you want to join to the domain). As part of this command, you must specify the name of the domain that you want the computer to join. 2. Run the djoin.exe /requestodj command to insert the computer account metadata into the Windows directory of the destination computer. 3. When you start the destination computer, either as a virtual machine or after a complete operating system installation, the computer will be joined to the domain that you specify. QUESTION 46 Your network contains an Active Directory domain. The domain contains four domain controllers. You modify the Active Directory schema. You need to verify that all the domain controllers received the schema modification. Which command should you run? A. dcdiag.exe /a B. netdom.exe query fsmo C. repadmin.exe /showrepl * D. sc.exe query ntds Correct Answer: C / QUESTION 47 You remotely monitor several domain controllers. You run winrm.exe quickconfig on each domain controller. You need to create a WMI script query to retrieve information from the bios of each domain controller. Which format should you use to write the query? A. XrML B. XML C. WQL D. HTML

119 Correct Answer: C / QUESTION 48 Your network contains an Active Directory domain named contoso.com. The domain contains five domain controllers. You add a logoff script to an existing Group Policy object (GPO). You need to verify that each domain controller successfully replicates the updated group policy. Which two objects should you verify on each domain controller? (Each correct answer presents part of the solution. Choose two.) A. \\servername\sysvol\contoso.com\policies\{guid}\gpt.ini B. \\servername\sysvol\contoso.com\policies\{guid}\machine\registry.pol C. the usnchanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container D. the versionnumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container Correct Answer: AD / QUESTION 49 Your network contains an Active Directory domain that contains five domain controllers. You have a management computer that runs Windows 7. From the Windows 7 computer, you need to view all account logon failures that occur in the domain. The information must be consolidated on one list. Which command should you run on each domain controller? A. Wecutil.exe qc B. Wevtutil.exe gli C. Winrm.exe quickconfig D. Winrshost.exe Correct Answer: C / QUESTION 50 You create a new Active Directory domain. The functional level of the domain is Windows Server 2008 R2. The domain contains five domain controllers.

120 You need to monitor the replication of the group policy template files. Which tool should you use? A. Dfsrdiag B. Fsutil C. Ntdsutil D. Ntfrsutl Correct Answer: A / It's hard to find some info on this. html [Slightly edited to make it more readable:] By Cezar ( Apr ): With domain functional level 2008 you have available dfs-r sysvol replication. So with DFL2008 you can use the DFSRDIAG tool. It is not available with domain functional level With domain functional level 2003 you can only use Ntfrsutl.

121 Exam F QUESTION 1 You create a new Active Directory domain. The functional level of the domain is Windows Server The domain contains five domain controllers that run Windows Server 2008 R2. You need to monitor the replication of the group policy template files. Which tool should you use? A. Dfsrdiag B. Fsutil C. Ntdsutil D. Ntfrsutl Correct Answer: D / It's hard to find some info on this. html [Slightly edited to make it more readable:] By Cezar ( Apr ): With domain functional level 2008 you have available dfs-r sysvol replication. So with DFL2008 you can use the DFSRDIAG tool. It is not available with domain functional level With domain functional level 2003 you can only use Ntfrsutl. QUESTION 2 You have a domain controller named Server1 that runs Windows Server 2008 R2. You need to determine the size of the Active Directory database on Server1. A. Run the Active Directory Sizer tool. B. Run the Active Directory Diagnostics data collector set. C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file. D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder. Correct Answer: C / Nothing fancy, just check the file size in the Windows explorer. QUESTION 3 You need to receive an message whenever a domain user account is locked out. Which tool should you use?

122 A. Active Directory Administrative Center B. Event Viewer C. Resource Monitor D. Security Configuration Wizard Correct Answer: B / MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, 2011) page 525 Automatically Responding to Events One of the most useful ways to use Task Scheduler is to launch a task in response to a specific event type that appears in Event Viewer. You can respond to events in three ways: Start A Program - Launches an application. Often, administrators write a script that carries out a series of tasks that they would otherwise need to manually perform, and automatically run that script when an event appears. Send An - Sends an by using the Simple Mail Transport Protocol (SMTP) server you specify. Often, administrators configure urgent events to be sent to a mobile device. Display A Message - Displays a dialog box showing a message. This is typically useful only when a user needs to be notified of something happening on the computer. To trigger a task when an event occurs, follow one of these three procedures: Find an example of the event in Event Viewer. Then, right-click the event and click Attach Task To This Event. A wizard will guide you through the process. (...) QUESTION 4 Your network contains an Active Directory domain named contoso.com. You have a management computer named Computer1 that runs Windows 7. You need to forward the logon events of all the domain controllers in contoso.com to Computer1. All new domain controllers must be dynamically added to the subscription. A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node. B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node. C. From Computer1, configure source-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU). D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU). Correct Answer: A /

123 Setting up a Source Initiated Subscription Source-initiated subscriptions allow you to define a subscription on an event collector computer without defining the event source computers, and then multiple remote event source computers can be set up (using a group policy setting) to forward events to the event collector computer. This differs from a collector initiated subscription because in the collector initiated subscription model, the event collector must define all the event sources in the event subscription. QUESTION 5 Your network contains an Active Directory domain that has two sites. You need to identify whether logon scripts are replicated to all domain controllers. Which folder should you verify? A. GroupPolicy B. NTDS C. SoftwareDistribution D. SYSVOL Correct Answer: D / SYSVOL is a collection of folders that contain a copy of the domain s public files, including system policies, logon scripts, and important elements of Group Policy objects (GPOs). QUESTION 6 You install a standalone root certification authority (CA) on a server named Server1. You need to ensure that every computer in the forest has a copy of the root CA certificate installed in the local computer's Trusted Root Certification Authorities store. Which command should you run on Server1? A. certreq.exe and specify the -accept parameter B. certreq.exe and specify the -retrieve parameter C. certutil.exe and specify the -dspublish parameter D. certutil.exe and specify the -importcert parameter Correct Answer: C / Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. Syntax

124 Certutil <-parameter> [-parameter] Parameter -dspublish Publish a certificate or certificate revocation list (CRL) to Active Directory QUESTION 7 Your network contains an Active Directory forest. The forest contains two domains. You have a standalone root certification authority (CA). On a server in the child domain, you run the Add Roles Wizard and discover that the option to select an enterprise CA is disabled. You need to install an enterprise subordinate CA on the server. What should you use to log on to the new server? A. an account that is a member of the Certificate Publishers group in the child domain B. an account that is a member of the Certificate Publishers group in the forest root domain C. an account that is a member of the Schema Admins group in the forest root domain D. an account that is a member of the Enterprise Admins group in the forest root domain Correct Answer: D / In order to install Enterprise CA you MUST have Enterprise Admins permissions, because Configuration naming context is replicated between domain controllers in the forest (not only current domain) and are writable for Enterprise Admins (domain admins permissions are insufficient). QUESTION 8 You have an enterprise subordinate certification authority (CA). You have a group named Group1. You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must not be allowed to revoke certificates. A. Add Group1 to the local Administrators group. B. Add Group1 to the Certificate Publishers group. C. Assign the Manage CA permission to Group1. D. Assign the Issue and Manage Certificates permission to Group1. Correct Answer: C /

125 Manage CA is a security permission belonging to the CA Administrator role. The CA Administrator can enable, publish, or configure certificate revocation list (CRL) schedules. Revoking certificates is an activity of the Certificate Manager role. QUESTION 9 You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recovery agent certificates are issued. The CA is configured to use two recovery agents. You need to ensure that all of the recovery agent certificates can be used to recover all new private keys. A. Add a data recovery agent to the Default Domain Policy. B. Modify the value in the Number of recovery agents to use box. C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates. D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates. Correct Answer: B / MS Press - Self-Paced Training Kit (Exams & ) (Microsoft Press, 2009) page 357 You enable key archival on the Recovery Agents tab of the CA Properties in the CA console by selecting the Archive The Key option and specifying a key recovery agent. In the number of recovery agents to use, select the number of key recovery agent (KRA) certificates you have added to the CA. This ensures that each KRA can be used to recover a private key. If you specify a smaller number than the number of KRA certificates installed, the CA will randomly select that number of KRA certificates from the available total and encrypt the private key, using those certificates. This complicates recovery because you then have to figure out which recovery agent certificate was used to encrypt the private key before beginning recovery. QUESTION 10 You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware security module. You need to back up Active Directory Certificate Services on the CA. Which command should you run? A. certutil.exe backup B. certutil.exe backupdb C. certutil.exe backupkey D. certutil.exe store Correct Answer: B / Because a hardware security module (HSM) is used that stores the private keys, the command certutil. exe -backup would fail, since we cannot extract the private keys from the module. The HSM should have a proprietary procedure for that.

126 The given commands are: certutil -backup Backup set includes certificate database, CA certificate an the CA key pair certutil -backupdb Backup set only includes certificate database certutil -backupkey Backup set only includes CA certificate and the CA key pair certutil -store Provides a dump of the certificate store onscreen. Since we cannot extract the keys from the HSM we have to use backupdb. Reference 1: Microsoft Windows Server(TM) 2003 PKI and Certificate Security (Microsoft Press, 2004) page 215 For the commands listed above. Reference 2: Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. Syntax Certutil <-parameter> [-parameter] Parameter -backupdb Backup the Active Directory Certificate Services database Reference 3: Blog with extra info, tips and a post: kids says: Hello, Need your expert view on this question: You have an enterprise subordinate certificate authority (CA). The CA is configured to use a hardware security module. You need to back up Active Directory Certificate Services on the CA - certutil.exe -backupkey - certutil.exe -backup - certutil.exe -store - certutil.exe -backupdb the answer is -backupdb since it using hardware security module(hsm). Am i correct? DXter says: Yes. But I whould have used: certutil.exe -backupdb KeepLog QUESTION 11 You have Active Directory Certificate Services (AD CS) deployed.

127 You create a custom certificate template. You need to ensure that all of the users in the domain automatically enroll for a certificate based on the custom certificate template. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. In a Group Policy object (GPO), configure the autoenrollment settings. B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings. C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group. D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group. Correct Answer: AD / To automatically enroll client computers for certificates in a domain environment, you must: Configure an autoenrollment policy for the domain. (...) In Configuration Model, select Enabled to enable autoenrollment. Configure certificate templates for autoenrollment. (...) In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, and then click OK and Close to finish Configure an enterprise CA. QUESTION 12 You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificate template. Users can enroll for certificates based on the custom certificate template by using the Certificates console. The certificate template is unavailable for Web enrollment. You need to ensure that the certificate template is available on the Web enrollment pages. A. Run certutil.exe pulse. B. Run certutil.exe installcert. C. Change the certificate template to a Version 2 certificate template. D. On the certificate template, assign the Autoenroll permission to the users. Correct Answer: C / Identical to F/Q33.

128 Reference 1: Certificate Web enrollment cannot be used with version 3 certificate templates. Reference 2: The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates. QUESTION 13 You have an enterprise subordinate certification authority (CA). You have a custom certificate template that has a key length of 1,024 bits. The template is enabled for autoenrollment. You increase the template key length to 2,048 bits. You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new template. Which console should you use? A. Active Directory Administrative Center B. Certification Authority C. Certificate Templates D. Group Policy Management Correct Answer: C / Practically the same question as K/Q23. Re-Enroll All Certificate Holders This procedure is used when a critical change is made to the certificate template and you want all subjects that hold a certificate that is based on this template to re-enroll as quickly as possible. The next time the subject verifies the version of the certificate against the version of the template on the certification authority (CA), the subject will re-enroll. Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration. To re-enroll all certificate holders 1. Open the Certificate Templates snap-in. 2. Right-click the template that you want to use, and then click Reenroll All Certificate Holders. QUESTION 14 Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard. The functional level of the domain is Windows Server You have a certification authority (CA). The relevant servers in the domain are configured as shown below:

129 You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate Enrollment Web Service on the network. A. Upgrade Server1 to Windows Server 2008 R2. B. Upgrade Server2 to Windows Server 2008 R2. C. Raise the functional level of the domain to Windows Server D. Install the Windows Server 2008 R2 Active Directory Schema updates. Correct Answer: D / Installation requirements Before installing the certificate enrollment Web services, ensure that your environment meets these requirements: A host computer as a domain member running Windows Server 2008 R2. An Active Directory forest with a Windows Server 2008 R2 schema. An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server QUESTION 15 You have a domain controller that runs the DHCP service. You need to perform an offline defragmentation of the Active Directory database on the domain controller. You must achieve this goal without affecting the availability of the DHCP service. A. Restart the domain controller in Directory Services Restore Mode. Run the Disk Defragmenter utility. B. Restart the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility. C. Stop the Active Directory Domain Services service. Run the Ntdsutil utility. D. Stop the Active Directory Domain Services service. Run the Disk Defragmenter utility. Correct Answer: C / We don't need to restart the server to defragment the AD database. We do need to stop AD DS in order to defragment the database.

130 To perform offline defragmentation of the directory database 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER: net stop ntds 3. Type Y to agree to stop additional services, and then press ENTER. 4. At the command prompt, type ntdsutil, and then press ENTER. 5. (...) QUESTION 16 Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way forest trust exists between contoso.com and nwtraders.com. The forest trust is configured to use selective authentication. Contoso.com contains a server named Server1. Server1 contains a shared folder named Marketing. Nwtraders.com contains a global group named G_Marketing. The Change share permission and the Modify NTFS permission for the Marketing folder are assigned to the G_Marketing group. Members of G_Marketing report that they cannot access the Marketing folder. You need to ensure that the G_Marketing members can access the folder from the network. A. From Windows Explorer, modify the NTFS permissions of the folder. B. From Windows Explorer, modify the share permissions of the folder. C. From Active Directory Users and Computers, modify the computer object for Server1. D. From Active Directory Users and Computers, modify the group object for G_Marketing. Correct Answer: C / MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) page After you have selected Selective Authentication for the trust, no trusted users will be able to access resources in the trusting domain, even if those users have been given permissions. The users must also be assigned the Allowed To Authenticate permission on the computer object in the domain. To assign this permission: 1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is selected on the View menu. 2. Open the properties of the computer to which trusted users should be allowed to authenticate that is, the computer that trusted users will log on to or that contains resources to which trusted users have been given permissions. 3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box for the Allowed To Authenticate permission. QUESTION 17 Your network contains an Active Directory forest. You need to add a new user principal name (UPN) suffix to the forest. Which tool should you use?

131 A. Active Directory Administrative Center B. Active Directory Domains and Trusts C. Active Directory Sites and Services D. Active Directory Users and Computers Correct Answer: B / Demonstration adding a UPN Suffix To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the start menu. Right click Active Directory Domains and Trusts at the top and open the properties. From here you can add and remove additional domain UPN suffixes for the forest. QUESTION 18 Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site 1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2 connect to each other by using a slow WAN link. You discover that the cached password for a user named User1 is compromised on the RODC. On a domain controller in Site1, you change the password for User1. You need to replicate the new password for User1 to the RODC immediately. The solution must not replicate other objects to the RODC. Which tool should you use? A. Active Directory Sites and Services B. Active Directory Users and Computers C. Repadmin D. Replmon Correct Answer: C / Repadmin /rodcpwdrepl Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain controllers (RODCs). Example: The following example triggers replication of the passwords for the user account named JaneOh from the source domain controller named source-dc01 to all RODCs that have the name prefix dest-rodc: repadmin /rodcpwdrepl dest-rodc* source-dc01 cn=janeoh,ou=execs,dc=contoso,dc=com QUESTION 19 Your network contains an Active Directory domain named contoso.com. The properties of the contoso.com DNS zone are configured as shown in the exhibit. (Click the Exhibit button.)

132 You need to update all service location (SRV) records for a domain controller in the domain. What should you do? A. Restart the Netlogon service. B. Restart the DNS Client service. C. Run sc.exe and specify the triggerinfo parameter. D. Run ipconfig.exe and specify the /registerdns parameter. Correct Answer: A / MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62 The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.

133 QUESTION 20 Your network contains an Active Directory domain. A user named User1 takes a leave of absence for one year. You need to restrict access to the User1 user account while User1 is away. A. From the Default Domain Policy, modify the account lockout settings. B. From the Default Domain Controller Policy, modify the account lockout settings. C. From the properties of the user account, modify the Account options. D. From the properties of the user account, modify the Session settings. Correct Answer: C / Account lockout settings deal with logon security, like how many times a wrong password can be entered before an account gets locked out, or after how many minutes a locked out user can try again. To really restrict access to the User1 account it has to be disabled, by modifying the account options. Disabling a user account prevents user access to and Microsoft SharePoint Online data, but retains the user s data. Disabling a user account also keeps the user license associated with that account. This is the best option to utilize when a person leaves an organization temporarily. QUESTION 21 Your network contains an Active Directory domain. The domain contains 1,000 user accounts. You have a list that contains the mobile phone number of each user. You need to add the mobile number of each user to Active Directory. A. Create a file that contains the mobile phone numbers, and then run ldifde.exe. B. Create a file that contains the mobile phone numbers, and then run csvde.exe. C. From Adsiedit, select the CN=Users container, and then modify the properties of the container. D. From Active Directory Users and Computers, select all of the users, and then modify the properties of the users. Correct Answer: A / CSVDE can only import and export data from AD DS. Ldifde

134 Creates, modifies, and deletes directory objects. QUESTION 22 Your network contains an Active Directory domain named contoso.com. All domain controllers and member servers run Windows Server All client computers run Windows 7. From a client computer, you create an audit policy by using the Advanced Audit Policy Configuration settings in the Default Domain Policy Group Policy object (GPO). You discover that the audit policy is not applied to the member servers. The audit policy is applied to the client computers. You need to ensure that the audit policy is applied to all member servers and all client computers. A. Add a WMI filter to the Default Domain Policy GPO. B. Modify the security settings of the Default Domain Policy GPO. C. Configure a startup script that runs auditpol.exe on the member servers. D. Configure a startup script that runs auditpol.exe on the domain controllers. Correct Answer: C / Advanced audit policy settings cannot be applied using group policy to Windows Server 2008 servers. To circumvent that we have to use a logon script to apply the audit policy to the Windows Server 2008 member servers. Reference1: Advanced Security Auditing FAQ The advanced audit policy settings were introduced in Windows Vista and Windows Server The advanced settings can only be used on computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server Note In Windows Vista and Windows Server 2008, advanced audit event settings were not integrated with Group Policy and could only be deployed by using logon scripts generated with the Auditpol.exe command-line tool. In Windows Server 2008 R2 and Windows 7, all auditing capabilities are integrated with Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). QUESTION 23 Your network contains an Active Directory domain. The domain contains a group named Group1. The minimum password length for the domain is set to six characters. You need to ensure that the passwords for all users in Group1 are at least 10 characters long. All other users must be able to use passwords that are six characters long. What should you do first? A. Run the New-ADFineGrainedPasswordPolicy cmdlet. B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet. C. From the Default Domain Policy, modify the password policy. D. From the Default Domain Controller Policy, modify the password policy.

135 Correct Answer: A / First we need to create a new Active Directory fine grained password policy, using New- ADFineGrainedPasswordPolicy. Then we can apply the new policy to Group1, using Add-ADFineGrainedPasswordPolicySubject. New-ADFineGrainedPasswordPolicy Creates a new Active Directory fine grained password policy. QUESTION 24 Your company uses an application that stores data in an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1. You attempt to create a snapshot of Instance1 as shown in the exhibit. (Click the Exhibit button.) You need to ensure that you can take a snapshot of Instance1. A. At the command prompt, run net start VSS. B. At the command prompt, run net start Instance1. C. Set the Startup Type for the Instance1 service to Disabled. D. Set the Startup Type for the Volume Shadow Copy Service (VSS) to Manual. Correct Answer: A

136 / Hard to find references on this, but the solution can be found by eliminating the rest. Instance1 is running, otherwise you'd get a different message at the snaphot: create step. ("AD service must be running in order to perform this operation", on my virtual server.) Disabling Instance1 makes no sense because you need it, nor is setting the Startup Type for the Volume Shadow Copy Service (VSS) to Manual. QUESTION 25 Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains a member server that is configured to collect all of the events that occur on the domain controllers. You need to ensure that administrators are notified when a specific event occurs on any of the domain controllers. You want to achieve this goal by using the minimum amount of administrative effort. A. From Event Viewer on the member server, create a subscription. B. From Event Viewer on each domain controller, create a subscription. C. From Event Viewer on the member server, run the Create Basic Task Wizard. D. From Event Viewer on each domain controller, run the Create Basic Task Wizard. Correct Answer: C / Since the member server is collecting all domain controller events we just need to run the Create Basic Task Wizard on the member server, which enables us to send an when a specific event is logged. Running the wizard on every domain controller would work, but is much more work and we need to use the minimum amount of administrative effort. To Run a Task in Response to a Given Event 1. Start Event Viewer. 2. In the console tree, navigate to the log that contains the event you want to associate with a task. 3. Right-click the event and select Attach Task to This Event. 4. Perform each step presented by the Create Basic Task Wizard. In the Action step in the wizard you can decide to send an . QUESTION 26 Your network contains an Active Directory domain controller named DC1. DC1 runs Windows Server 2008 R2. You need to defragment the Active Directory database on DC1. The solution must minimize downtime on DC1. What should you do first? A. At the command prompt, run net stop ntds. B. At the command prompt, run net stop netlogon. C. Restart DC1 in Safe Mode. D. Restart DC1 in Directory Services Restore Mode (DSRM). Correct Answer: A

137 / We don't need to restart the server to defragment the AD database. We only need to stop AD DS in order to defragment the database, using ntdsutil. To perform offline defragmentation of the directory database 1. Open a Command Prompt as an administrator. 2. At the command prompt, type the following command, and then press ENTER: net stop ntds 3. Type Y to agree to stop additional services, and then press ENTER. 4. At the command prompt, type ntdsutil, and then press ENTER. 5. (...) QUESTION 27 Your network contains a single Active Directory domain named contoso.com. An administrator accidentally deletes the _msdsc.contoso.com zone. You recreate the _msdsc.contoso.com zone. You need to ensure that the _msdsc.contoso.com zone contains all of the required DNS records. What should you do on each domain controller? A. Restart the Netlogon service. B. Restart the DNS Server service. C. Run dcdiag.exe /fix. D. Run ipconfig.exe /registerdns. Correct Answer: A / Reference 1: To register the required records to the single root domain controller, restart the Net Logon service on all the domain controllers. The replication works correctly if the replication window is not less than the default DNS Time to Live (TTL) entry. To restart the Net Logon service, follow these steps: 1. Click Start, click Run, type cmd in the Open box, and then press ENTER. 2. At the command prompt, type the following command, and then press ENTER: net stop netlogon 3. Type net start netlogon, and then press ENTER. Reference 2: Be sure to restart the Netlogon services on all DC's when the zone has been replicated to them. This forces the DC's to register their SRV records in the _msdcs zone. QUESTION 28 Your network contains an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers. You add multiple DNS records to the zone.

138 You need to ensure that the records are replicated to all DNS servers. Which tool should you use? A. Dnslint B. Ldp C. Nslookup D. Repadmin Correct Answer: D / Practically the same question as G/Q8, J/Q24, K/Q8, K/Q31, different set of answers sometimes. To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool. Forcing Replication Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements. Force a replication event with all partners The repadmin /syncall command synchronizes a specified domain controller with all replication partners. Syntax repadmin /syncall <DC> [<NamingContext>] [<Flags>] Parameters <DC> Specifies the host name of the domain controller to synchronize with all replication partners. <NamingContext> Specifies the distinguished name of the directory partition. <Flags> Performs specific actions during the replication. QUESTION 29 Your network contains an Active Directory forest. The forest contains two domains named contoso.com and eu. contoso.com. All domain controllers are DNS servers. The domain controllers in contoso.com host the zone for contoso.com. The domain controllers in eu.contoso. com host the zone for eu.contoso.com. The DNS zone for contoso.com is configured as shown in the exhibit. (Click the Exhibit button.)

139 You need to ensure that all domain controllers in the forest host a writable copy of _msdsc.contoso.com. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Create a zone delegation record in the contoso.com zone. B. Create a zone delegation record in the eu.contoso.com zone. C. Create an Active Directory-integrated zone for _msdsc.contoso.com. D. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com. Correct Answer: AC / Note that the question speaks of _msdsc, instead of _msdcs. Not sure if it means something, probably a typo. QUESTION 30 You need to compact an Active Directory database on a domain controller that runs Windows Server 2008 R2. A. Run defrag.exe /a /c. B. Run defrag.exe /c /u. C. From Ntdsutil, use the Files option. D. From Ntdsutil, use the Metadata cleanup option. Correct Answer: C / Reference 1:

140 Compact the Directory Database File (Offline Defragmentation) You can use this procedure to compact the Active Directory database offline. Offline defragmentation returns free disk space in the Active Directory database to the file system. As part of the offline defragmentation procedure, check directory database integrity. Performing offline defragmentation creates a new, compacted version of the database file in a different location. Reference 2: Mastering Windows Server 2008 R2 (Sybex, 2010) page 805 Performing Offline Defragmentation of Ntds.dit These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder, map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate. 1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator. 2. Type ntdsutil, and then press Enter. 3. Type Activate instance NTDS, and press Enter. 4. At the resulting ntdsutil prompt, type Files (case sensitive), and then press Enter. 5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the defragmentation, and then press Enter. QUESTION 31 Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers. The servers are configured as shown in the following table. You need to ensure that users can manually enroll and renew their certificates by using the Certificate Enrollment Web Service. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Configure the policy module settings. B. Configure the issuance requirements for the certificate templates. C. Configure the Certificate Services Client - Certificate Enrollment Policy Group Policy setting. D. Configure the delegation settings for the Certificate Enrollment Web Service application pool account. Correct Answer: BD / All credit for correcting this one and providing the explanation goes to Luffy! Reference 1: The Certificate Enrollment Web Service can process enrollment requests for new certificates and for certificate renewal. In both cases, the client computer submits the request to the Web service and the Web service

141 submits the request to the certification authority (CA) on behalf of the client computer. For this reason, the Web service account must be trusted for delegation in order to present the client identity to the CA. Reference 2: Delegation is required for the Certificate Enrollment Web Service account when all of the following are true: the CA is not on the same computer as the Certificate Enrollment Web Service Certificate Enrollment Web Service needs to be able to process initial enrollment requests, as opposed to only processing certificate renewal requests the authentication type is set to Windows Integrated Authentication or Client certificate authentication QUESTION 32 Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 Standard. You need to install an enterprise subordinate certification authority (CA) that supports private key archival. You must achieve this goal by using the minimum amount of administrative effort. What should you do first? A. Initialize the Trusted Platform Module (TPM). B. Upgrade the member server to Windows Server 2008 R2 Standard. C. Install the Certificate Enrollment Policy Web Service role service on the member server. D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services - Certification Authority server role template check box. Correct Answer: B / Not sure about this one. See my thoughts below. According to MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) key archival is not available in the Windows Server 2008 R2 Standard edition, so that would leave out answer B.

142 Another dump gives the following for answer B: "Upgrade the menber [sic] server to Windows Server 2008 R2 Enterprise." Should the actual exam mention to upgrade to the Enterprise edition for answer B, I'd go for that. In this VCE it doesn't seem to make sense to go for B as it shouldn't work, I think. Certificate Enrollment Policy Web Service role of answer C was introduced in Windows Server 2008 R2, so that would not be an option on the mentioned Windows Server 2008 machine. Trusted Platform Module is "a secure cryptographic integrated circuit (IC), provides a hardware-based approach to manage user authentication, network access, data protection and more that takes security to higher level than software-based security." ( how_to_use_the_tpm_a_guide_to_hardwarebased_endpoint_security/) Pfff... I'm bothered that answer B speaks of the Standard edition, and not the Enterprise edition. Hope the VCE is wrong. QUESTION 33 You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificate template. Users can enroll for certificates based on the custom certificate template by using the Certificates console. The certificate template is unavailable for Web enrollment. You need to ensure that the certificate template is available on the Web enrollment pages. A. Run certutil.exe Cpulse. B. Run certutil.exe Cinstallcert. C. Change the certificate template to a Version 2 certificate template. D. On the certificate template, assign the Autoenroll permission to the users. Correct Answer: C

143 / Identical to F/Q12. Reference 1: Certificate Web enrollment cannot be used with version 3 certificate templates. Reference 2: The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates. QUESTION 34 Your network contains an Active Directory domain. The domain contains a member server named Server1 that runs Windows Server 2008 R2. You need to configure Server1 as a global catalog server. A. Modify the Active Directory schema. B. From Ntdsutil, use the Roles option. C. Run the Active Directory Domain Services Installation Wizard on Server1. D. Move the Server1 computer object to the Domain Controllers organizational unit (OU). Correct Answer: C / Now it's just a member server, so you'll have to run dcpromo to start the Active Directory Domain Services Installation Wizard in order to promote the server to a domain controller. Only a domain controller can be a global catalog server. The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. QUESTION 35 Your network contains three Active Directory forests named Forest1, Forest2, and Forest3. Each forest contains three domains. A two-way forest trust exists between Forest1 and Forest2. A two-way forest trust exists between Forest2 and Forest3. You need to configure the forests to meet the following requirements: Users in Forest3 must be able to access resources in Forest1

144 Users in Forest1 must be able to access resources in Forest3. The number of trusts must be minimized. A. In Forest2, modify the name suffix routing settings. B. In Forest1 and Forest3, configure selective authentication. C. In Forest1 and Forest3, modify the name suffix routing settings. D. Create a two-way forest trust between Forest1 and Forest3. E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3. Correct Answer: D / MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, December ) page 639: Forest Trusts (...) You can specify whether the forest trust is one-way, incoming or outgoing, or two-way. As mentioned earlier, a forest trust is transitive, allowing all domains in a trusting forest to trust all domains in a trusted forest. However, forest trusts are not themselves transitive. For example, if the tailspintoys.com forest trusts the worldwideimporters.com forest, and the worldwideimporters.com forest trusts the northwindtraders.com forest, those two trust relationships do not allow the tailspintoys.com forest to trust the northwindtraders.com forest. If you want those two forests to trust each other, you must create a specific forest trust between them. QUESTION 36 Your network contains an Active Directory domain. All domain controller run Windows Server You replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise the functional level of the domain to Windows Server 2008 R2. You need to minimize the amount of SYSVOL replication traffic on the network. A. Raise the functional level of the forest to Windows Server 2008 R2. B. Modify the path of the SYSVOL folder on all of the domain controllers. C. On a global catalog server, run repadmin.exe and specify the KCC parameter. D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run dfsrmig. exe. Correct Answer: D / Now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functional level has been upgraded to Windows Server 2008 R2 we can use DFS Replication for replicating SYSVOL, instead of File Replication Service (FRS) of previous Windows Server versions. The migration takes place on a domain controller holding the PDC Emulator role. Reference 1:

145 Using DFS Replication for replicating SYSVOL in Windows Server 2008 DFS Replication technology significantly improves replication of SYSVOL. In Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2, FRS is used to replicate the contents of the SYSVOL share. When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated. Reference 2: Migrating to the Prepared State The following sections provide an overview of the procedures that you perform when you migrate SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS Replication). This migration phase includes the tasks in the following list. (...) Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Prepared state. QUESTION 37 Your network contains an Active Directory forest. The forest contains two domain controllers. The domain controllers are configured as shown in the following table. All client computers run Windows 7. You need to ensure that all client computers in the domain keep the same time as an external time server. A. From DC1, run the time command. B. From DC2, run the time command. C. From DC1, run the w32tm.exe command. D. From DC2, run the w32tm.exe command. Correct Answer: D / Reference 1: Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain The domain controller in the forest root domain that holds the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role is the default time source for the domain hierarchy of time sources in the forest. Reference 2:

146 Windows Time Service Tools and Settings Most domain member computers have a time client type of NT5DS, which means that they synchronize time from the domain hierarchy. The only typical exception to this is the domain controller that functions as the primary domain controller (PDC) emulator operations master of the forest root domain, which is usually configured to synchronize time with an external time source. W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service. W32tm.exe is the preferred command line tool for configuring, monitoring, or troubleshooting the Windows Time service. QUESTION 38 Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domain controllers. The domain controllers are configured as shown in the following table. All client computers have IP addresses in the to range. You need to minimize the number of client authentication requests sent to DC2. A. Create a new site named Site1. Create a new subnet object that has the /24 prefix and assign the subnet to Site1. Move DC1 to Site1. B. Create a new site named Site1. Create a new subnet object that has the /32 prefix and assign the subnet to Site1. Move DC1 to Site1. C. Create a new site named Site1. Create a new subnet object that has the /32 prefix and assign the subnet to Site1. Move DC2 to Site1. D. Create a new site named Site1. Create a new subnet object that has the /24 prefix and assign the subnet to Site1. Move DC2 to Site1. Correct Answer: C / Spider from Switzerland - Apr , 7:13 PM Creating a new site and assigning a subnet of with subnet mask of , it means only ONE ip (the DC2 ip) will be included on the site1 subnet coverage. Therefore all the request will be processed from the DC1 in the default-first-site and dc2 will authenticate only itself. QUESTION 39 Active Directory Rights Management Services (AD RMS) is deployed on your network. You need to configure AD RMS to use Kerberos authentication. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Register a service principal name (SPN) for AD RMS. B. Register a service connection point (SCP) for AD RMS.

147 C. Configure the identity setting of the _DRMSAppPool1 application pool. D. Configure the useapppoolcredentials attribute in the Internet Information Services (IIS) Correct Answer: AD / If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures: Set the Internet Information Services (IIS) useapppoolcredentials variable to True Set the Service Principal Names (SPN) value for the AD RMS service account QUESTION 40 Your network contains an Active Directory forest. The forest contains an Active Directory site for a remote office. The remote site contains a read-only domain controller (RODC). You need to configure the RODC to store only the passwords of users in the remote site. A. Create a Password Settings object (PSO). B. Modify the Partial-Attribute-Set attribute of the forest. C. Add the user accounts of the remote site users to the Allowed RODC Password Replication Group. D. Add the user accounts of users who are not in the remote site to the Denied RODC Password Replication Group. Correct Answer: C / Password Replication Policy Allowed and Denied lists Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group. These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy. By default, the two groups are respectively added to the msds-revealondemandgroup and msds- NeverRevealGroup Active Directory attributes mentioned earlier. QUESTION 41 Your company has four offices. The network contains a single Active Directory domain. Each office has a domain controller. Each office has an organizational unit (OU) that contains the user accounts for the users in that office. In each office, support technicians perform basic troubleshooting for the users in their respective office. You need to ensure that the support technicians can reset the passwords for the user accounts in their respective office only. The solution must prevent the technicians from creating user accounts.

148 A. For each OU, run the Delegation of Control Wizard. B. For the domain, run the Delegation of Control Wizard. C. For each office, create an Active Directory group, and then modify the security settings for each group. D. For each office, create an Active Directory group, and then modify the controlaccessrights attribute for each group. Correct Answer: A / Reference 1: To delegate control of an organizational unit 1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers. 2. To open Active Directory Users and Computers in Windows Server 2012, click Start, type dsa.msc. 3. In the console tree, right-click the organizational unit (OU) for which you want to delegate control. 4. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard. Reference 2: Delegate the following common tasks The following are common tasks that you can select to delegate control of them: (...) Reset user passwords and force password change at next logon QUESTION 42 Your network contains a single Active Directory domain. Client computers run either Windows XP Service Pack 3 (SP3) or Windows 7. All of the computer accounts for the client computers are located in an organizational unit (OU) named OU1. You link a new Group Policy object (GPO) named GPO10 to OU1. You need to ensure that GPO10 is applied only to client computers that run Windows 7. A. Create a new OU in OU1. Move the Windows XP computer accounts to the new OU. B. Enable block inheritance on OU1. C. Create a WMI filter and assign the filter to GPO10. D. Modify the permissions of OU1. Correct Answer: C / To make sure that each GPO associated with a group can only be applied to computers running the correct

149 version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each computer. QUESTION 43 Your network contains an Active Directory domain named contoso.com. You need to audit changes to a service account. The solution must ensure that the audit logs contain the before and after values of all the changes. Which security policy setting should you configure? A. Audit Sensitive Privilege Use B. Audit User Account Management C. Audit Directory Service Changes D. Audit Other Account Management Events Correct Answer: C / Reference 1: Audit Directory Service Changes This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). Reference 2: AD DS Auditing Step-by-Step Guide This guide includes a description of the new Active Directory Domain Services (AD DS) auditing feature in Windows Server With the new auditing feature, you can log events that show old and new values; for example, you can show that Joe's favorite drink changed from single latte to triple-shot latte. QUESTION 44 Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in each forest. You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest. A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain. B. Create an external trust from nwtraders.com to contoso.com. C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain. D. Create an external trust from contoso.com to nwtraders.com. Correct Answer: C /

150 Same question as J/Q30. Using AD RMS trust It is not necessary to create trust or federation relationships between the Active Directory forests of organizations to be able to share rights-protected information between separate organizations. AD RMS provides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust. QUESTION 45 Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is configured as an Active Directory Federation Services (AD FS) 2.0 standalone server. You plan to add a new token-signing certificate to Server1. You import the certificate to the server as shown in the exhibit. (Click the Exhibit button.) When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable. You need to ensure that you can use the new certificate for AD FS. A. From the properties of the certificate, modify the Certificate Policy OIDs setting. B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store. C. From the properties of the certificate, modify the Certificate purposes setting. D. Import the certificate to the local computer personal certificate store. Correct Answer: D

151 / When you deploy the first federation server in a new AD FS 2.0 installation, you must obtain a token-signing certificate and install it in the local computer personal certificate store on that federation server. QUESTION 46 You need to purge the list of user accounts that were authenticated on a read-only domain controller (RODC). A. Run the repadmin.exe command and specify the /prp parameter. B. From Active Directory Sites and Services, modify the properties of the RODC computer object. C. From Active Directory Users and Computers, modify the properties of the RODC computer object. D. Run the dsrm.exe command and specify the -u parameter. Correct Answer: A / Clearing the authenticated accounts list In addition to reviewing the list of authenticated users, you may decide to periodically clean up the list of accounts that are authenticated to the RODC. Cleaning up this list may help you more easily determine the new accounts that have authenticated through the RODC. Membership in the Domain Admins group of the domain in which the RODC is a member, or equivalent, is the minimum required to complete this procedure. To clear all entries from the list, run the command repadmin /prp delete <hostname> auth2 /all. Substitute the actual host name of the RODC that you want to clear. For example, if you want to clear the list of authenticated accounts for RODC2, type repadmin /prp delete rodc2 auth2 /all, and then press ENTER. QUESTION 47 Your company has a main office and four branch offices. An Active Directory site exists for each office. Each site contains one domain controller. Each branch office site has a site link to the main office site. You discover that the domain controllers in the branch offices sometimes replicate directly to each other. You need to ensure that the domain controllers in the branch offices only replicate to the domain controller in the main office. A. Modify the firewall settings for the main office site. B. Disable the Knowledge Consistency Checker (KCC) for each branch office site. C. Disable site link bridging. D. Modify the security settings for the main office site. Correct Answer: C

152 / Configuring site link bridges By default, all site links are bridged, or transitive. This allows any two sites that are not connected by an explicit site link to communicate directly, through a chain of intermediary site links and sites. One advantage to bridging all site links is that your network is easier to maintain because you do not need to create a site link to describe every possible path between pairs of sites. Generally, you can leave automatic site link bridging enabled. However, you might want to disable automatic site link bridging and create site link bridges manually just for specific site links, in the following cases: (...) You have a network routing or security policy in place that prevents every domain controller from being able to directly communicate with every other domain controller. QUESTION 48 Your network contains an Active Directory forest. The forest contains one domain. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 was installed before DC2. DC1 fails. You need to ensure that you can add 1,000 new user accounts to the domain. A. Modify the permissions of the DC2 computer account. B. Seize the schema master FSMO role. C. Configure DC2 as a global catalog server. D. Seize the RID master FSMO role. Correct Answer: D / MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) pages RID master failure A failed RID master eventually prevents domain controllers from creating new SIDs and, therefore, prevents you from creating new accounts for users, groups, or computers. However, domain controllers receive a sizable pool of RIDs from the RID master, so unless you are generating numerous new accounts, you can often go for some time without the RID master online while it is being repaired. Seizing this role to another domain controller is a significant action. After the RID master role has been seized, the domain controller that had been performing the role cannot be brought back online. QUESTION 49 Your network contains an Active Directory domain named contoso.com. You need to identify whether the Active Directory Recycle Bin is enabled.

153 A. From Ldp, search for the Reanimate-Tombstones object. B. From Ldp, search for the LostAndFound container. C. From Windows PowerShell, run the Get-ADObject cmdlet. D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet. Correct Answer: D / How can I check whether the AD Recycle-Bin is enabled in my R2 forest? [He shows how to use the PowerShell cmdlet Get- ADOptionalFeature to determine if the AD Recycle Bin is enabled.] QUESTION 50 Your network contains an Active Directory domain. You create and mount an Active Directory snapshot. You run dsamain.exe as shown in the exhibit. (Click the Exhibit button.) You need to ensure that you can browse the contents of the Active Directory snapshot. What should you? A. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe. B. Change the value of the dbpath parameter, and then rerun dsamain.exe. C. Change the value of the ldapport parameter, and then rerun dsamain.exe. D. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe.

154 Correct Answer: B / The path in the exhibit points to the running Active Directory database, not to the snapshot. For the dbpath parameter, you must specify a mounted snapshot or a backup that you want to view along with the complete path to the Ntds.dit file, for example: /dbpath E:\$SNAP_ _VOLUMED$\WINDOWS\NTDS\ntds.dit

155 Exam G QUESTION 1 Your network contains an Active Directory domain. You need to back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group Policy links for the domain. A. From Group Policy Management Console (GPMC), back up the GPOs. B. From Windows Explorer, copy the content of the %systemroot%\sysvol folder. C. From Windows Server Backup, perform a system state backup. D. From Windows PowerShell, run the Backup-GPO cmdlet. Correct Answer: C / When you backup a GPO using the Group Policy Management Console or the Backup-GPO cmdlet, the links to domains/sites/ous are not included. The link is indicated in an accompanying gpreport.xml, but it's not in the backup itself. If you restore the backup, then the GPO is not linked to anything. Microsoft recommends that you do not modify the Sysvol structure. This recommendation also applies to backup and restore operations of the Sysvol structure. On top of that, the SYSVOL folder only contains the GPT part of a GPO, so it would be an incomplete backup anyway. The link between GPO and for example an OU is an attribute (gplink) of the OU, not of the GPO. So, to backup the GPOs, including the links, we have to perform a system state backup. Reference 1: Planning and Deploying Group Policy (Word-document) Backing up and restoring WMI filter data, IPsec policy settings, and links to OUs Links to WMI filters and IPsec policies are stored in GPOs and are backed up as part of a GPO. When you restore a GPO, these links are preserved if the underlying objects still exist in Active Directory. Links to OUs, however, are not part of the backup data and will not be restored during a restore operation. Reference 2: c957a123a455/ Does backup-gpo cmdlet backup GPO links and permission? "Permissions are backed up but links are not. The links are actually properties of the OU and would be backed up as part of the system state. Please see this article for more information: library/cc aspx. The article refers to the GPMC process which is the same as the PowerShell cmdlet." Reference 3: Information saved in a backup Backing up a GPO saves all information that is stored inside the GPO to the file system. This includes the following information: GPO globally unique identifier (GUID) and domain. GPO settings.

156 Discretionary access control list (DACL) on the GPO. WMI filter link, if there is one, but not the filter itself. Links to IP Security Policies, if any. XML report of the GPO settings, which can be viewed as HTML from within GPMC. Date and time stamp of when the backup was taken. User-supplied description of the backup. Information not saved in a backup Backing up a GPO only saves data that is stored inside the GPO. Data that is stored outside the GPO is not available when the backup is restored to the original GPO or imported into a new one. This data that becomes unavailable includes the following information: Links to a site, domain, or organizational unit. WMI filter. IP Security policy. Reference 4: Check Group Policy Infrastructure Status Each GPO is stored partly in Active Directory and partly in the SYSVOL on the domain controller. The portion of the GPO stored in Active Directory is called the Group Policy container (GPC) while the portion of the GPO stored in the SYSVOL is called the Group Policy template (GPT). GPMC and Group Policy Management Editor manage the GPO as a single unit. For example, when you set permissions on a GPO in GPMC, GPMC is actually setting permissions on objects in both Active Directory and the SYSVOL. It is not recommended that you manipulate these separate objects independently outside of GPMC and the Group Policy Management Editor. It is important to understand that these two separate features of a GPO rely on different replication mechanisms. The file system portion, GPT, is replicated through Distributed File Service Replication (DFS-R) or File Replication Service (FRS), independently of the replication handled by Active Directory, GPC. QUESTION 2 Your network contains a domain controller that runs Windows Server 2008 R2. You need to reset the Directory Services Restore Mode (DSRM) password on the domain controller. Which tool should you use? A. Ntdsutil B. Dsamain C. Active Directory Users and Computers D. Local Users and Groups Correct Answer: A / To Reset the DSRM Administrator Password 1. Click, Start, click Run, type ntdsutil, and then click OK. 2. At the Ntdsutil command prompt, type set dsrm password. 3. (...) QUESTION 3 Your network contains an Active Directory forest. All client computers run Windows 7.

157 The network contains a high-volume enterprise certification authority (CA). You need to minimize the amount of network bandwidth required to validate a certificate. A. Configure an LDAP publishing point for the certificate revocation list (CRL). B. Configure an Online Certification Status Protocol (OCSP) responder. C. Modify the settings of the delta certificate revocation list (CRL). D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS). Correct Answer: B / MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) page 779 Online responder This service is designed to respond to specific certificate validation requests through the Online Certificate Status Protocol (OCSP). Using an online responder (OR), the system relying on PKI does not need to obtain a full CRL and can submit a validation request for a specific certificate. The online responder decodes the validation request and determines whether the certificate is valid. When it determines the status of the requested certificate, it sends back an encrypted response containing the information to the requester. Using online responders is much faster and more efficient than using CRLs. AD CS includes online responders as a new feature in Windows Server 2008 R2. QUESTION 4 Your network contains an Active Directory domain. You have five organizational units (OUs) named Finance, HR, Marketing, Sales, and Dev. You link a Group Policy object named GPO1 to the domain as shown in the exhibit. (Click the Exhibit button.)

158 You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs. The solution must prevent GPO1 from being applied to users in the Dev OU. A. Enforce GPO1. B. Modify the security settings of the Dev OU. C. Link GPO1 to the Finance OU. D. Modify the security settings of the Finance OU. Correct Answer: C / The OUs that are indicated by a blue exclamation mark in the console tree have blocked inheritance. This means that GPO1 will not be applied to those OUs. For the Dev OU that's ok, but not for the Finance OU. So we have to link GPO1 to the Finance OU. Block Inheritance You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. If a domain or OU is set to block inheritance, it will appear with a blue exclamation mark in the console tree. QUESTION 5

159 Your network contains an Active Directory domain. The domain contains an organizational unit (OU) named OU1. OU1 contains all managed service accounts in the domain. You need to prevent the managed service accounts from being deleted accidentally from OU1. Which cmdlet should you use? A. Set-ADUser B. Set-ADOrganizationalUnit C. Set-ADServiceAccount D. Set-ADObject Correct Answer: D / You can use Set-ADOrganizationalUnit and the -ProtectedFromAccidentalDeletion $true parameter to prevent OU1 from being deleted accidentally, but you would still be able to delete the accounts inside it. Use Set- ADObject to protect the accounts. Set-ADObject Modifies an Active Directory object. Parameter -ProtectedFromAccidentalDeletion <Boolean> Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include: $false or 0 $true or 1 The following example shows how to set this parameter to true. -ProtectedFromAccidentalDeletion $true QUESTION 6 Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writable domain controller named DC1 and a read-only domain controller (RODC) named DC2. All domain controllers run Windows Server 2008 R2. You need to install a new writable domain controller named DC3 in a remote site. The solution must minimize the amount of replication traffic that occurs during the installation of Active Directory Domain Services (AD DS) on DC3. What should you do first? A. Run dcpromo.exe /createdcaccount on DC3. B. Run ntdsutil.exe on DC2. C. Run dcpromo.exe /adv on DC3. D. Run ntdsutil.exe on DC1. Correct Answer: D

160 / We can run dcpromo.exe /adv on DC3 to install a new writable domain controller using the Install From Media (IFM) option. That way there is less replication traffic. But before we can do that we have to create the installation media first. I suspect that's what they mean when they say "What should you do first?" So first we create the installation media, then we use the installation media to install DC3. Technet gives us instructions on how to create the installation media. It says: "You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently." "You must use writeable domain controller installation media to install a writeable domain controller. You can create writeable domain controller installation media only on a writeable domain controller." Since DC2 in answer B is a read-only domain controller, that leaves us with answer D ("Run ntdsutil.exe on DC1"). Reference 1: [Used for the information above] [Some extra info on using IFM to install the DC:] Reference 2: dcpromo /adv Performs an install from media (IFM) operation. Reference 3: Installing an Additional Domain Controller by Using IFM When you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, you can reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary to install the additional domain controller. QUESTION 7 Your network contains an Active Directory forest. The forest contains 10 domains. All domain controllers are configured as global catalog servers. You remove the global catalog role from a domain controller named DC5. You need to reclaim the hard disk space used by the global catalog on DC5. A. From Active Directory Sites and Services, run the Knowledge Consistency Checker (KCC). B. From Active Directory Sites and Services, modify the general properties of DC5. C. From Ntdsutil, use the Semantic database analysis option. D. From Ntdsutil, use the Files option. Correct Answer: D

161 / Reference 1: Database defragmentation In cases in which the data decreases significantly, such as when the global catalog is removed from a domain controller, free disk space is not automatically returned to the file system. Although this condition does not affect database operation, it does result in large amounts of free disk space in the database. To decrease the size of the database file by returning free disk space from the database file to the file system, you can perform an offline defragmentation of the database. Whereas online defragmentation occurs automatically while AD DS is running, offline defragmentation requires taking the domain controller offline and using the Ntdsutil.exe command-line tool to perform the procedure. Reference 2: To perform offline defragmentation of the directory database 1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue. 2. At the command prompt, type the following command, and then press ENTER: net stop ntds 3. Type Y to agree to stop additional services, and then press ENTER. 4. At the command prompt, type ntdsutil, and then press ENTER. 5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER. 6. At the ntdsutil prompt, type files, and then press ENTER. 7. (...) QUESTION 8 A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers. You add multiple DNS records to the zone. You need to ensure that the new records are available on all DNS servers as soon as possible. Which tool should you use? A. Ldp B. Repadmin C. Ntdsutil D. Nslookup E. Active Directory Sites And Services console F. Active Directory Domains And Trusts console G. Dnslint H. Dnscmd Correct Answer: B / Practically the same question as F/Q28, J/Q24, K/Q8, K/Q31, different set of answers sometimes.

162 To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool. Forcing Replication Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements. Force a replication event with all partners The repadmin /syncall command synchronizes a specified domain controller with all replication partners. Syntax repadmin /syncall <DC> [<NamingContext>] [<Flags>] Parameters <DC> Specifies the host name of the domain controller to synchronize with all replication partners. <NamingContext> Specifies the distinguished name of the directory partition. <Flags> Performs specific actions during the replication. QUESTION 9 You have a DNS zone that is stored in a custom application partition. You need to add a domain controller to the replication scope of the custom application partition. Which tool should you use? A. DNScmd B. DNS Manager C. Server Manager D. Dsmod Correct Answer: A / After you create a Domain Name System (DNS) application directory partition to store a zone, you must enlist the DNS server that hosts the zone in the application directory partition. To enlist a DNS server in a DNS application directory partition 1. Open a command prompt. 2. Type the following command, and then press ENTER: dnscmd <ServerName> / EnlistDirectoryPartition <FQDN> QUESTION 10 Your network contains a server named Server1 that runs Windows Server 2008 R2 Standard. Server1 has the Active Directory Certificate Services (AD CS) role installed. You configure a certificate template named Template1 for autoenrollment. You discover that certificates are not being issued to any client computers. The event logs on the client computers do not contain any autoenrollment

163 errors. You need to ensure that all of the client computers automatically receive certificates based on Template1. A. Modify the Default Domain Policy Group Policy object (GPO). B. Modify the Default Domain Controllers Policy Group Policy object (GPO). C. Upgrade Server1 to Windows Server 2008 R2 Enterprise. D. Restart Certificate Services on Server1. Correct Answer: A / Configure Certificate Autoenrollment Many certificates can be distributed without the client even being aware that enrollment is taking place. These can include most types of certificates issued to computers and services, as well as many certificates issued to users. To automatically enroll clients for certificates in a domain environment, you must: Configure a certificate template with Autoenroll permissions. Configure an autoenrollment policy for the domain. To configure autoenrollment Group Policy for a domain 1. On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to Administrative Tools, and then click Group Policy Management. 2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit. 3. (...) QUESTION 11 Your network contains a server that has the Active Directory Lightweight Directory Services (AD LDS) role installed. You need to perform an automated installation of an AD LDS instance. Which tool should you use? A. Dism.exe B. Servermanagercmd.exe C. Adaminstall.exe D. Ocsetup.exe Correct Answer: C / To perform an unattended install of an AD LDS instance

164 1. Create a new text file by using any text editor. 2. Specify the installation parameters. 3. At a command prompt (or in a batch or script file), change to the drive and directory that contains the AD LDS setup files. 4. At the command prompt, type the following command, and then press ENTER: %systemroot%\adam \adaminstall.exe /answer:drive:\<pathname>\<filename>.txt" QUESTION 12 Your network contains an Active Directory domain named contoso.com. A partner company has an Active Directory domain named nwtraders.com. The networks for contoso.com and nwtraders.com connect to each other by using a WAN link. You need to ensure that users in contoso.com can access resources in nwtraders.com and resources on the Internet. What should you do first? A. Modify the Trusted Root Certification Authorities store. B. Modify the Intermediate Certification Authorities store. C. Create conditional forwarders. D. Add a root hint to the DNS server. Correct Answer: C / MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages Conditional Forwarders You can configure a DNS server as a conditional forwarder. This is a DNS server that handles name resolution for specified domains only. In other words, the local DNS server will forward all the queries that it receives for names ending with a specific domain name to the conditional forwarder. This is especially useful in situations where users in your company need access to resources in another company with a separate AD DS forest and DNS zones, such as a partner company. In such a case, specify a conditional forwarder that directs such queries to the DNS server in the partner company while other queries are forwarded to the Internet. Doing so reduces the need for adding secondary zones for partner companies on your DNS servers. QUESTION 13 Your network contains an Active Directory forest. The forest contains multiple domains. You need to ensure that users in the human resources department can search for employees by using the employeenumber attribute. A. From Active Directory Sites and Services, modify the properties of each global catalog server. B. From the Active Directory Schema snap-in, modify the properties of the user object class. C. From Active Directory Sites and Services, modify the NTDS Settings objectof each global catalog server. D. From the Active Directory Schema snap-in, modify the properties of the employeenumber attribute. Correct Answer: D

165 / Global Catalog Replication of Additions to the Partial Attribute Set Each global catalog server in an AD DS forest hosts a copy of every existing object in that forest. For the objects of its own domain, a global catalog server has information related to all attributes that are associated with those objects. For the objects in domains other than its own, a global catalog server has only information that is related to the set of attributes that are marked in the AD DS schema to be included in the partial attribute set (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to be used for searches. These attributes are replicated to every global catalog server in an AD DS forest." "The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeschema object as a member of the PAS, which sets the value of the ismemberofpartialattributeset attribute to TRUE. QUESTION 14 Your network contains a single Active Directory domain. The domain contains an enterprise certification authority (CA). You need to ensure that the encryption keys for certificates can be recovered from the CA database. You modify the certificate template to support key archival. What should you do next? A. Issue the key recovery agent certificate template. B. Run certutil.exe -recoverkey. C. Run certreq.exe-policy. D. Modify the location of the Authority Information Access (AIA) distribution point. Correct Answer: A / Identify a Key Recovery Agent A key recovery agent is a person who is authorized to recover a certificate on behalf of an end user. Because the role of key recovery agents can involve sensitive data, only highly trusted individuals should be assigned to this role. To identify a key recovery agent, you must configure the Key Recovery Agent certificate template to allow the person assigned to this role to enroll for a key recovery agent certificate. QUESTION 15 Your network contains an Active Directory-integrated DNS zone named contoso.com. You discover that the zone includes DNS records for computers that were removed from the network. You need to ensure that the DNS records are deleted automatically from the zone.

166 A. From DNS Manager, set the aging properties. B. Create a scheduled task that runs dnslint.exe /v /d contoso.com. C. From DNS Manager, modify the refresh interval of the start of authority (SOA) record. D. Create a scheduled task that runs ipconfig.exe /flushdns. Correct Answer: A / Set Aging and Scavenging Properties for the DNS Server The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the default aging and scavenging properties for the zones on a server. To set aging and scavenging properties for the DNS server using the Windows interface 1. Open DNS Manager. 2. In the console tree, right-click the applicable DNS server, and then click Set Aging/Scavenging for all zones. 3. Select the Scavenge stale resource records check box. 4. Modify other aging and scavenging properties as needed. QUESTION 16 Your network contains a domain controller that runs Windows Server 2008 R2. You run the following command on the domain controller: dsamain.exe C dbpath c:\$snap_ _volumec$\windows\ntds\ntds.dit C ldapport allownonadminaccess The command fails. You need to ensure that the command completes successfully. How should you modify the command? A. Change the value of the -dbpath parameter. B. Include the path to Dsamain. C. Change the value of the -ldapport parameter. D. Remove the CallowNonAdminAccess parameter. Correct Answer: C / MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) page 690 Use the AD DS database mounting tool to load the snapshot as an LDAP server. dsamain -dbpath c:\$snap_datetime_volumec$\windows\ntds\ntds.dit -ldapport portnumber Be sure to use ALL CAPS for the -dbpath value and use any number beyond 40,000 for the -ldapport value to ensure that you do not conflict with AD DS.

167 Also note that you can use the minus ( ) sign or the slash (/) for the options in the command. QUESTION 17 Your network contains an Active Directory domain. The domain contains 10 domain controllers that run Windows Server 2008 R2. You need to monitor the following information on the domain controllers during the next five days: Memory usage Processor usage The number of LDAP queries A. Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template. B. Use the System Performance Data Collector Set (DCS). C. Create a User Defined Data Collector Set (DCS) that uses the System Performance template. D. Use the Active Directory Diagnostics Data Collector Set (DCS). Correct Answer: A / The System Performance Data Collector Set/System Performance template does not monitor Active Directory data (we need the number of LDAP queries). That leaves out answers B ("Use the System Performance Data Collector Set (DCS)") and C ("Create a User Defined Data Collector Set (DCS) that uses the System Performance template"). Because the Active Directory Diagnostics Data Collector Set (DCS) runs only for 5 minutes and we need to monitor for 5 days we have to use a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template. For a User Defined Data Collector Set we can set the monitoring duration in seconds, minutes, hours, days or weeks. So we have to create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template. aspx AD Data Collector Sets in Win2008 and beyond The Active Directory Diagnostics data collector set runs for a default of 5 minutes. This duration period cannot be modified for the built-in collector. However, the collection can be stopped manually by clicking the Stop button or from the command line. If reducing or increasing the time that a data collector set runs is required, and manually stopping the collection is not desirable, then see How to Create a User Defined Data Collection Set. QUESTION 18 Your network contains an Active Directory domain named contoso.com. Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC) named RODC1. You need to view the most recent user accounts authenticated by RODC1. What should you do first?

168 A. From Active Directory Sites and Services, right-click the Connection object for DC1, and then click Replicate Now. B. From Active Directory Sites and Services, right-click the Connection object for DC2, and then click Replicate Now. C. From Active Directory Users and Computers, right-click contoso.com, click Change DomainController, and then connect to DC1. D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to RODC1. Correct Answer: C / aspx#bkmk_auth2 To view authenticated accounts using Active Directory Users and Computers 1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER. 2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively. 3. Click Domain Controllers. 4. In the details pane, right-click the RODC computer account, and then click Properties. 5. Click the Password Replication Policy tab. 6. Click Advanced. 7. In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller, as shown in the following illustration.

169 QUESTION 19 Your network contains an Active Directory domain. The domain contains 3,000 client computers. All of the client computers run Windows 7. Users log on to their client computers by using standard user accounts. You plan to deploy a new application named App1. The vendor of App1 provides a Setup.exe file to install App1. Setup.exe requires administrative rights to run. You need to deploy App1 to all client computers. The solution must meet the following requirements: - App1 must automatically detect and replace corrupt application files. - App1 must be available from the Start menu on each client computer. What should you do first? A. Create a logon script that calls Setup.exe for App1. B. Create a.zap file. C. Create a startup script that calls Setup.exe for App1. D. Repackage App1 as a Windows Installer package. Correct Answer: D

170 / Windows Installer features Diagnoses and repairs corrupted applications--an application can query Windows Installer to determine whether an installed application has missing or corrupted files. If any are detected, Windows Installer repairs the application by recopying only those files found to be missing or corrupted. QUESTION 20 Your network contains an Active Directory domain named contoso.com. Contoso.com contains two sites named Site1 and Site2. Site1 contains a domain controller named DC1. In Site1, you install a new domain controller named DC2. You ship DC2 to Site2. You discover that certain users in Site2 authenticate to DC1. You need to ensure that the users in Site2 always attempt to authenticate to DC2 first. A. From Active Directory Users and Computers, modify the Location settings of the DC2 computer object. B. From Active Directory Sites and Services, modify the Location attribute for Site2. C. From Active Directory Sites and Services, move the DC2 server object. D. From Active Directory Users and Computers, move the DC2 computer object. Correct Answer: C / DC2 may be shipped to Site2, but it's not yet associated properly with Site2 in Active Directory. Reference1: To move a server object to a new site 1. Open Active Directory Sites and Services. 2. In the console tree, expand Sites and the site in which the server object resides. 3. Expand Servers to display the domain controllers that are currently configured for that site. 4. Right-click the server object that you want to move, and then click Move. 5. In Site Name, click the destination site, and then click OK. 6. Expand the site object to which you moved the server, and then expand the Servers container. 7. Verify that an object for the server that you moved exists. 8. Expand the server object, and verify that an NTDS Settings object exists. Reference2: Using sites Sites help facilitate several activities, including: (...) Authentication. Site information helps make authentication faster and more efficient. When a client logs on to a domain, it first requests a domain controller in its local site for authentication. By establishing sites, you can ensure that clients use domain controllers that are nearest to them for authentication, which reduces authentication latency and traffic on wide area network (WAN) connections. QUESTION 21 Your network contains an Active Directory domain named contoso.com.

171 Contoso.com contains a server named Server2. You open the System properties on Server2 as shown in the exhibit. (Click the Exhibit button.) When you attempt to configure Server2 as an enterprise subordinate certification authority (CA), you discover that the enterprise subordinate CA option is unavailable. You need to configure Server2 as an enterprise subordinate CA. What should you do first? A. Upgrade Server2 to Windows Server 2008 R2 Enterprise. B. Log in as an administrator and run Server Manager. C. Import the root CA certificate. D. Join Server2 to the domain. Correct Answer: D / In doubt about this one, whether to go for A ("Upgrade Server2 to Windows Server 2008 R2 Enterprise"), or D ("Join Server2 to the domain"). Left it at D ("Join Server2 to the domain"), because that's undoubtedly a necessary step we have to take here. See below for my (messy) thoughts.

172 [Someone asked this question to Brian Komar:] <begin quote> buffaloyoung Okay, so on this same note, I'm looking at a practice test type question for the exam that shows the server runnning Windows Server 2008 R2 standard, and mentions that when you set up the Enterprise Sub Certificate Authority, the Enterprise Sub CA option is not available. The mulitple choice solutions are: a. upgrade to enterprise; b. run server manager as an admin; c. import the root CA; d. Join the server to the domain. I had thought it was "A" because of the enterprise 2008 issue, but if this is changed in standard R2... looking at the fact that the info shows the Workgroup to be "WORKGROUP," I am inclined to answer D. Is this right? Or should it still be A? Brian: This forum is for helping people with real world PKI and security issues. It is not a study board <G> That being said, D would be my answer. Based on some of the other things I have heard about the exam, that may not be the answer they are looking for ;-) Brian <end quote> "that may not be the answer they are looking for", what does Brian mean by that? Was he deliberately trying to confuse buffaloyoung, or was he hinting at Microsoft advising to use Windows Server 2008 R2 Standard for root CA only? I'm talking about this, from the Training Kit errata page: Page 781, 1st paragraph <begin quote> The book states: Enterprise CAs can run only on Windows Server 2008 R2 Enterprise edition or Windows Server 2008 R2 Datacenter edition. This is not correct. You can use Windows 2008 R2 Standard edition, but you will not have access to all features. Note from the Author or Editor: Yes indeed, you can use the Standard Edition to run an Enterprise CA with limited functionality. Our recommendation would be to use this as a root CA only. <end quote> If that would be the case, then an upgrade to Windows Server 2008 R2 Enterprise might be what Microsoft wants to hear from us, being answer A. Since the question is about an enterprise subordinate CA. QUESTION 22 Your network contains an Active Directory domain. The domain contains an enterprise certification authority (CA). You need to ensure that only members of a group named Admin1 can create certificate templates. Which tool should you use to assign permissions to Admin1? A. the Certification Authority console B. Active Directory Users and Computers

173 C. the Certificates snap-in D. Active Directory Sites and Services Correct Answer: D / We need to use Active Directory Sites and Services to assign permissions to create certificate templates to global or universal groups. The first reference lists what needs to be done, the second reference explains how to do it. Reference 1: Delegating Template Management You can delegate the ability to manage individual certificate templates or to create any certificate templates by defining appropriate permissions to global groups or universal groups that a user belongs to. There are three levels of delegation for certificate template administration: - Modify existing templates - Create new templates (by duplicating existing templates) - Full delegation (including modifying all existing templates and creating new ones) Create New Templates To delegate the ability to create certificate templates to users who are not members of the Domain Admins group in the forest root domain, or members of the Enterprise Admins group, it is necessary to define the appropriate permissions in the Configuration naming context of AD DS. To delegate the ability to duplicate and create new certificate templates, you must make the following permission assignments to a global or universal group of which the user is a member: Grant Create All Child Objects permission on the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot. Grant Full Control permission to every certificate template in the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot. The permissions assigned to the Certificate Templates container are not inherited by the individual certificate templates. Grant Create All Child Objects permission on the following container: CN=OID,CN=Public Key Services, CN=Services,CN=Configuration,DC=ForestRoot container. Reference 2: Windows Server PKI and Certificate Security (Microsoft Press, 2008) page 298 Delegate Permissions for Creation of New Templates You can delegate the permission to create new templates by assigning permissions to a custom universal group for the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration, ForestRootDomain container. 1. Log on as a member of the Enterprise Admins group or the forest root domain Domain Admins group. 2. Open the Active Directory Sites And Services console. 3. From the View menu, ensure that the Show Services Node setting is enabled. 4. In the console tree, expand Services, expand Public Key Services, and then click Certificate Templates. 5. In the console tree, right-click Certificate Templates, and then click Delegate Control. 6. In the Delegation Of Control wizard, click Next. 7. On the Users Or Groups page, click Add. 8. In the Select Users, Computers, Or Groups dialog box, type a user or group name, and then click OK. 9. On the Users Or Groups page, click Next. 10.On the Tasks To Delegate page, click Create A Custom Task To Delegate, and then click Next.

174 11.On the Active Directory Object Type page, click This Folder, Existing Objects In This Folder, and Creation Of New Objects In This Folder, and then click Next. 12.On the Permissions page, in the Permissions list, enable Full Control, and then click Next. 13.On the Completing The Delegation Of Control wizard page, click Finish. QUESTION 23 Your network contains an Active Directory domain. All DNS servers are domain controllers. You view the properties of the DNS zone as shown in the exhibit. (Click the Exhibit button.) You need to ensure that only domain members can register DNS records in the zone. What should you do first? A. Modify the zone type. B. Create a trust anchor. C. Modify the Advanced properties of the DNS server. D. Modify the Dynamic updates setting. Correct Answer: A / To ensure that only domain members are allowed to register DNS records we have to: 1. modify the zone type to Active Directory-Integrated. 2. set the Dynamic updates option to Secure only, which is only available to Active Directory-Integrated zones. Reference 1:

175 MCTS Windows Server 2008 Active Directory Configuration Study Guide (Sybex, 2008) page 53 Secure only This means that only machines with accounts in Active Directory can register with DNS. Before DNS registers any account in its database, it checks Active Directory to make sure that account is an authorized domain computer. Reference 2: Secure dynamic update is supported only for Active Directory-integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for DNS dynamic updates. QUESTION 24 Your company has a single Active Directory forest with a single domain. Consultants in different departments of the company require access to different network resources. The consultants belong to a global group named TempWorkers. Three file servers are placed in a new organizational unit named SecureServers. The file servers contain confidential data in shared folders. You need to prevent the consultants from accessing the confidential data. A. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign the Deny access to this computer from the network user right to the TempWorkers global group. B. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers global group. C. On the three file servers, create a share on the root of each hard disk. Configure the Deny Full control permission for the TempWorkers global group on the share. D. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group. E. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign the Deny log on locally user right to the TempWorkers global group. Correct Answer: A / Same question as D/Q8. Same answer. The other options give the consultants too much or too little rights. QUESTION 25 Your network contains two Active Directory forests named contoso.com and nwtraders.com. The functional level of both forests is Windows Server Contoso.com contains one domain. Nwtraders.com contains two domains. You need to ensure that users in contoso.com can access the resources in all domains. The solution must require the minimum number of trusts. Which type of trust should you create? A. external B. forest C. realm D. shortcut

176 Correct Answer: B / When to create a forest trust You can create a forest trust between forest root domains if the forest functional level is Windows Server 2003 or higher. Creating a forest trust between two root domains with a forest functional level of Windows Server 2003 or higher provides a one-way or two-way, transitive trust relationship between every domain in each forest. Forest trusts are useful for application service providers, organizations undergoing mergers or acquisitions, collaborative business extranets, and organizations seeking a solution for administrative autonomy. QUESTION 26 You install an Active Directory domain in a test environment. You need to reset the passwords of all the user accounts in the domain from a domain controller. Which two Windows PowerShell commands should you run? (Each correct answer presents part of the solution, choose two.) A. $ newpassword = * B. Import-Module ActiveDirectory C. Import-Module WebAdministration D. Get- AdUser -filter * Set- ADAccountPossword - NewPassword $ newpassword - Reset E. Set- ADAccountPossword - NewPassword - Reset F. $ newpassword = (Read-Host - Prompt "New Password" - AsSecureString ) G. Import-Module ServerManager Correct Answer: DF / First we create a variable, $newpassword, and prompt the user for the password to assign it to the variable. Next we use Get-ADUser -filter * to collect all user accounts and pipe it through to Set- ADAccountPassword to assign the $newpassword variable to every account's new password. Note that Set- ADAccountPossword must be a typo. Reference 1: Prompting a User to Enter Information The Read-Host cmdlet enables you to interactively prompt a user for information. For example, this command prompts the user to enter his or her name, then stores that name in the variable $Name (to answer the prompt, type a name and then press ENTER): $Name = Read-Host "Please enter your name" Reference 2: Get-ADUser Gets one or more Active Directory users.

177 Reference 3: Set-ADAccountPassword Modifies the password of an Active Directory account. Parameters NewPassword Specifies a new password value. Reset Specifies to reset the password on an account. When you use this parameter, you must set the NewPassword parameter. You do not need to specify the OldPassword parameter. QUESTION 27 Your network contains two forests named adatum.com and litwareinc.com. The functional level of all the domains is Windows Server The functional level of both forests is Windows You need to create a forest trust between adatum.com and litwareinc.com. What should you do first? A. Create an external trust. B. Raise the functional level of both forests. C. Configure SID filtering. D. Raise the functional level of all the domains. Correct Answer: B / When to create a forest trust You can create a forest trust between forest root domains if the forest functional level is Windows Server 2003 or higher. QUESTION 28 Your network contains an Active Directory forest named adatum.com. All client computers used by the marketing department are in an organizational unit (OU) named Marketing Computers. All user accounts for the marketing department are in an OU named Marketing Users. You purchase a new application. You need to ensure that every user in the domain who logs on to a marketing department computer can use the application. The application must only be available from the marketing department computers. A. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to a shared folder on the network. Assign the application. B. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation package to a shared folder on the network. Assign the application. C. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation package to a local drive on each marketing department computer. Publish the application.

178 D. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to a folder on each marketing department computer. Publish the application. Correct Answer: B / The software must only be available on the marketing department computers, so we must link the GPO to the Marketing Computers OU. Next we need to assign the application to the Marketing Computers OU. MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 399 Assigning Software to Computers When you assign software to computers, it is available to all authenticated users of the computer, regardless of their group membership or privileges. The software package is installed when the computer is next restarted after the package has been assigned. For example, suppose that you have a design application that should be available on all computers in the Engineering OU but not to computers elsewhere on your network. You would assign this application to computers in a Group Policy object (GPO) linked to the Engineering OU. QUESTION 29 Your network contains an Active Directory forest named adatum.com. You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster. What should you install before you create the AD RMS root cluster? A. The Failover Cluster feature B. The Active Directory Certificate Services (AD CS) role C. Microsoft Exchange Server 2010 D. Microsoft SharePoint Server 2010 E. Microsoft SQL Server 2008 Correct Answer: E / Before you install AD RMS Before you install Active Directory Rights Management Services (AD RMS) on Windows Server 2008 R2 for the first time, there are several requirements that must be met: (...) In addition to pre-installation requirements for AD RMS, we strongly recommend the following: Install the database server that is used to host the AD RMS databases on a separate computer. (...) QUESTION 30 Your network contains an Active Directory domain named contoso.com. The contoso.com domain contains a domain controller named DC1. You create an Active Directory-integrated GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record is server2.contoso.com.

179 When you ping Server1, you discover that the name fails to resolve. You are able to successfully ping server2. contoso.com. You need to ensure that you can resolve names by using the GlobalNames zone. Which command should you run? A. Dnscmd DCl.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /domain B. Dnscmd DCl.contoso.com /config /Enableglobalnamessupport forest C. Dnscmd DCl.contoso.com /config /Enableglobalnamessupport 1 D. Dnscmd DCl.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /forest Correct Answer: C / Support for Globalnames must be enabled, otherwise the DNS Server service does not resolve single-label names in the GlobalNames zone. dnscmd /config Changes values in the registry for the DNS server and individual zones. Accepts server-level settings and zonelevel settings. Parameter /enableglobalnamessupport {0 1} Enables or disables support for the GlobalNames zone. The GlobalNames zone supports resolution of singlelabel DNS names across a forest. 0 Disables support for the GlobalNames zone. When you set the value of this command to 0, the DNS Server service does not resolve single-label names in the GlobalNames zone. 1 Enables support for the GlobalNames zone. When you set the value of this command to 1, the DNS Server service resolves single-label names in the GlobalNames zone. QUESTION 31 Your network contains an Active Directory domain named contoso.com. The network has a branch office site that contains a read-only domain controller (RODC) named RODC1. RODC1 runs Windows Server 2008 R2. A user logs on to a computer in the branch office site. You discover that the user's password is not stored on RODC1. You need to ensure that the user's password is stored on RODC1 when he logs on to a branch office site computer. A. Modify the RODC s password replication policy by removing the entry for the Allowed RODC Password Replication Group.

180 B. Modify the RODC's password replication policy by adding RODC1's computer account to the list of allowed users, groups, and computers. C. Add the user's user account to the built-in Allowed RODC Password Replication Group on RODC1. D. Add RODC1's computer account to the built-in Allowed RODC Password Replication Group on RODC1. Correct Answer: C / MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) pages Password Replication Policy Password Replication Policy (PRP) determines which users credentials can be cached on a specific RODC. If PRP allows an RODC to cache a user s credentials, authentication and service ticket activities of that user can be processed by the RODC. If a user s credentials cannot be cached on an RODC, authentication and service ticket activities are referred by the RODC to a writable domain controller. An RODC s PRP is determined by two multivalued attributes of the RODC s computer account. These attributes are commonly known as the Allowed List and the Denied List. If a user s account is on the Allowed List, the user s credentials are cached. You can include groups on the Allowed List, in which case all users who belong to the group can have their credentials cached on the RODC. If the user is on both the Allowed List and the Denied List, the user s credentials will not be cached the Denied List takes precedence. Configuring Domain-Wide Password Replication Policy To facilitate the management of PRP, Windows Server 2008 R2 creates two domain local security groups in the Users container of Active Directory. The first group, Allowed RODC Password Replication Group, is added to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new RODC will not cache any user s credentials. If you have users whose credentials you want to be cached by all domain RODCs, add those users to the Allowed RODC Password Replication Group. QUESTION 32 You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named Server1. You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS. Which protocol should you allow on Server1? A. Kerberos B. SSL C. SMB D. RPC Correct Answer: B / MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) page 903 AD FS relies on secure HTTP communications by using SSL authentication certificates to verify the identity of both the server and the client during communications. Because of this, all communications occur through port 443 over HTTPS.

181 QUESTION 33 Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 R2 Standard. You need to create an enterprise subordinate certification authority (CA) that can issue certificates based on version 3 certificate templates. You must achieve this goal by using the minimum amount of administrative effort. What should you do first? A. Run the certutil.exe - addenrollmentserver command. B. Install the Active Directory Certificate Services (AD CS) role on the member server. C. Upgrade the member server to Windows Server 2008 R2 Enterprise. D. Run the certutil.exe - installdefaulttemplates command. Correct Answer: C / At first I changed the answer to B ("Install the Active Directory Certificate Services (AD CS) role on the member server."), and I reasoned like this: Version 3 certificates are supported on Windows Server 2008 R2 Standard, so there's no upgrade to Enterprise necessary. The first thing to do would be to install the Active Directory Certificate Services (AD CS) role. Reference 1: "Version 3 templates are supported by CAs installed on Windows Server 2008 Enterprise and Datacenter Editions. They are also supported by CAs installed on Windows Server 2008 R2 Standard, Enterprise, Datacenter, Foundation and Server Core Editions." Reference 2: To install a subordinate CA 1. Open Server Manager, click Add Roles, click Next,and click Active Directory Certificate Services. Click Next two times. 2. (...) While this still may be true I left it at the original answer C ("Upgrade the member server to Windows Server 2008 R2 Enterprise"). Quite frankly, I'm not sure whether it's right or wrong. Hopefully someone can clear this up once and for all. Some other notes and quotes I collected: MS Press Training Kit nd Edition page 781 "Enterprise CAs can run only on Windows Server 2008 R2 Enterprise edition or Windows Server 2008 R2 Datacenter edition." Errata: "This is not correct. You can use Windows 2008 R2 Standard edition, but you will not have access to all

182 features." Note from the Author or Editor: Yes indeed, you can use the Standard Edition to run an Enterprise CA with limited functionality. Our recommendation would be to use this as a root CA only Version 3 certificate templates In addition to version 2 template features and autoenrollment, version 3 certificate templates provide support for Suite B cryptographic algorithms. Suite B was created by the U.S. National Security Agency to specify cryptographic algorithms that must be used by U.S. government agencies to secure confidential information. Template availability Windows Server 2008 R2, all editions Windows Server 2008, Enterprise and Datacenter editions I am looking for some clarifaction on deploying a Windows Server 2008 R2 Standard CA and version 2 and version 3 certificates. I currently have a Windows Server 2008 Standard CA. Server 2008 Standard can only issue certificates based on V1 certificate templates. Server 2008 R2 Standard is allowed to issue certificate based on V1, V2, and V3 certificate templates Windows Server 2008 does not equal Windows Server 2008 R2 This ability was introduced with the Windows server 2008 R2 sku you will have one of two choices: - Upgrade to Server 2008 Enterprise - Upgrade/Migrate to Server 2008 R2 Standard or Windows Server 2008 R2 Enterprise Brian Komar, thank you for the answer! I have another question. In Training Kit (Exam ) described: "Enterprice CAs can run only on Windows Server 2008 R2 Enterprise edition or Datacenter edition". Is it true? If yes, how we can issue certificate based on V3 certificate templates on Windows Server 2008 R2 Standard? The training kit is incorrect. It probably was updated from Windows Server 2008 (or Windows Server 2003) where the statement was correct Brian QUESTION 34 Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1. An administrator changes the password of the user account that is used by AD RMS. You need to update AD RMS to use the new password. Which console should you use? A. Active Directory Rights Management Services B. Active Directory Users and Computers C. Local Users and Groups D. Services Correct Answer: A

183 / AD RMS How To: Change the RMS Service Account Password The Active Directory Rights Management Services management console provides a wizard to change or update the AD RMS service account. The most common use for this process is to update the service account password when it has been changed. It is important to use this process to update or change the AD RMS service account. This ensures the necessary components are updated properly. QUESTION 35 Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com. The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone. You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails. A. Create a new secondary zone named ad.contoso.com on DC2. B. Create a new stub zone named ad.contoso.com on DC2. C. Configure the DNS server on DC2 to forward requests to DC1. D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone. Correct Answer: D / Three answers don't make sense, leaving us with the one that works. Create a new secondary zone named ad.contoso.com on DC2. This would create a read-only zone, so it couldn't be updated Create a new stub zone named ad.contoso.com on DC2. This stub zone would contain source information about authoritative name servers for its zone only, being DC1, but that one would be unavailable in the WAN link fails. Configure the DNS server on DC2 to forward requests to DC1. This doesn't help if the WAN link fails and DC1 is unavailable. QUESTION 36 Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted File System (EFS) certificates. You need to archive the private key for all new EFS certificates.

184 Which snap-in should you use? A. Active Directory Users and Computers B. Authorization Manager C. Group Policy Management D. Enterprise PKI E. Security Templates F. TPM Management G. Certificates H. Certification Authority I. Certificate Templates Correct Answer: I / Practically the same question as J/Q27. Configure a Certificate Template for Key Archival The key archival process takes place when a certificate is issued. Therefore, a certificate template must be modified to archive keys before any certificates are issued based on this template. Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate template in order to protect users from data loss, but it can also be useful when applied to other types of certificates. To configure a certificate template for key archival and recovery 1. Open the Certificate Templates snap-in. 2. In the details pane, right-click the certificate template that you want to change, and then click Duplicate Template. 3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certification authorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista. 4. In Template, type a new template display name, and then modify any other optional properties as needed. 5. On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to, and then click OK. 6. Under Group or user names, select the user or group names that you just added. Under Permissions, select the Read and Enroll check boxes, and if you want to automatically issue the certificate, also select the Autoenroll check box. 7. On the Request Handling tab, select the Archive subject's encryption private key check box. QUESTION 37 Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You need to ensure that all of the members of a group named Group1 can view the event log entries for Certificate Services. Which snap-in should you use? A. Certificate Templates B. Certification Authority C. Authorization Manager

185 D. Active Directory Users and Computers E. TPM Management F. Security Templates G. Group Policy Management H. Enterprise PKI I. Certificates Correct Answer: G / All credit goes to Luffy for correcting this one! Practically the same as K/Q14. We can make the Group1 group a member of the Event Log Readers Group, giving them read access to all event logs, thus including the Certificate Services events. We can do that by using Group Policy Management. Reference 1: It's a bit hard to find some good, clear reference for this. There's nothing wrong with doing it yourself, so here's what I did in VMWare, using a domain controller and a member server. Click along if you want! In VMWare I have setup a domain controller, DC01 and a member server MEM01, both belonging to the contoso.com domain. I have placed MEM01 in an OU named Events. I have created a global security group, named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM Start the Group Policy Management console on DC Right-click the Events OU and choose "Create a GPO in this domain, and Link it here..." 3. I named the GPO "EventLog_TESTGROUP" 4. Right-click the "EventLog_TESTGROUP" GPO and choose "Edit..." 5. Go to Computer Configuration \ Policies\ Windows Settings \ Security Settings and select "Restricted Groups" 6. Right-click "Restricted Groups" and choose "Add Group..." 7. Now there are two ways to do this. We can select TESTGROUP and make it a member of the Event Log Readers group, or we can select the Event Log Readers group and add TESTGROUP as a member. Let's do the second one. Click the Browse button and go find the Event Log Readers group. Click OK. 8. Click the Browse button next to "Members of this group", search for the TESTGROUP group and add it. It should look like this now:

186 9. Click OK. 10.On MEM01 open a command prompt and run gpupdate /force. 11.Check the Event Log Readers group properties and see that the TESTGROUP group is now a member.

187 Reference 2: Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008 So if you want to give Non-Administrator users access remotely to Event logs if the Servers or Domain Controllers they are accessing are Windows 2003 follow the steps below. (...) Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case just add them to the Built in Event Log Readers group.

188 QUESTION 38 Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You need to ensure that users can enroll for certificates that use the IPSEC (Offline request) certificate template Which snap-in should you use? A. Enterprise PKI B. TPM Management C. Certificates D. Active Directory Users and Computers E. Authorization Manager F. Certification Authority G. Group Policy Management H. Security Templates I. Certificate Templates Correct Answer: I / (...) the user should have proper permission on Certificate Templates. Please follow the steps below for troubleshooting: 1. Open MMC, add Certificate Templates snap-in. 2. Double-click IPSec (Offline Request), switch to Security tab, give the user Read and Enroll rights. 3. Close and restart IE on clients computer to test. QUESTION 39 Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You have a custom certificate template named Template 1. Template1 is published to the CA. You need to ensure that all of the members of a group named Group1 can enroll for certificates that use Template1. Which snap-in should you use? A. Security Templates B. Enterprise PKI C. Certification Authority D. Certificate Templates E. Certificates F. TPM Management G. Authorization Manager H. Group Policy Management I. Active Directory Users and Computers Correct Answer: D

189 / MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 593 Configuring Certificate Templates AD CS provides the Certificate Templates snap-in (Certtmpl.msc), which provides the following capabilities: (...) Configuring access control lists (ACLs) on certificate templates QUESTION 40 Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You need to approve a pending certificate request. Which snap-in should you use? A. Active Directory Users and Computers B. Authorization Manager C. Certification Authority D. Group Policy Management E. Certificate Templates F. TPM Management G. Certificates H. Enterprise PKI I. Security Templates Correct Answer: C / Practically the same question as K/Q15. To issue a pending certificate request: 1. Log on to your root CA by using an account that is a certificate manager. 2. Start the Certification Authority snap-in. 3. In the console tree, expand your root CA, and click Pending Certificates. 4. In the details pane, right-click the pending CA certificate, and click Issue.

190 Exam H QUESTION 1 Your network contains an Active Directory domain named adatum.com. You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs). Under which node in the DNS snap-in should you add a zone? A. Reverse Lookup Zones B. adatum.com C. Forward Lookup Zones D. Conditional Forwarders E. _msdcs.adatum.com Correct Answer: A / Practically the same as I/Q13. Mastering Microsoft Windows Server 2008 R2 (Sybex, 2010) page 193 A forward lookup means the client provides a fully qualified domain name and the DNS server returns an IP address. A reverse lookup does the opposite: the client provides an IP address, and then the DNS server returns an FQDN. QUESTION 2 Your network contains an Active Directory domain named adatum.com. The domain contains a domain controller named DC1. DC1 has an IP address of You need to identify the zone that contains the Pointer (PTR) record for DC1. Which zone should you identify? A. adatum.com B. _msdcs.adatum.com C in-addr.arpa D in-addr.arpa Correct Answer: D / Reference 1: MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 57 Reverse lookup: This occurs when a client computer knows the IP address of another computer and requires its hostname, which can be found in the DNS server s PTR (pointer) resource record. Reference 2: MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)

191 page 45/730 You are configuring a reverse lookup zone for your network, which uses the Class C network address range of /24. Which of the following addresses should you use for the reverse lookup zone? a in-addr.arpa b in-addr.arpa c in-addr.arpa d in-addr.arpa The reverse lookup zone contains octets of the network portion of the IP address in reverse sequence and uses a special domain name ending in in-addr.arpa. Thus the correct address is in-addr.arpa. You do not use the host portion of the IP address, so in-addr.arpa is incorrect. The octets must be specified in reverse sequence, so the other two choices are both incorrect. QUESTION 3 Your network contains an Active Directory forest named adatum.com. The DNS infrastructure fails. You rebuild the DNS infrastructure. You need to force the registration of the Active Directory Service Locator (SRV) records in DNS. Which service should you restart on the domain controllers? A. Netlogon B. DNS Server C. Network Location Awareness D. Network Store Interface Service E. Online Responder Service Correct Answer: A / MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62 The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records. QUESTION 4 Your network contains an Active Directory domain named adatum.com. The password policy of the domain requires that the passwords for all user accounts be changed every 50 days. You need to create several user accounts that will be used by services. The passwords for these accounts must be changed automatically every 50 days. Which tool should you use to create the accounts? A. Active Directory Administrative Center B. Active Directory Users and Computers C. Active Directory Module for Windows PowerShell

192 D. ADSI Edit E. Active Directory Domains and Trusts Correct Answer: C / Use the New-ADServiceAccount cmdlet in PowerShell to create the new accounts as managed service accounts. Managed service accounts offer Automatic password management, making password management easier. Reference 1: What are the benefits of new service accounts? In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts: (...) Unlike with regular domain accounts in which administrators must reset passwords manually, the network passwords for these accounts will be reset automatically. (...) Reference 2: Use the Active Directory module for Windows PowerShell to create a managed service account. Reference 3: To create a new managed service account 1. On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc, and then click OK to open the Active Directory Users and Computers snap-in. Confirm that the Managed Service Account container exists. 2. Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShell icon. 3. Run the following command: New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>]. Reference 4: Use the -ManagedPasswordIntervalInDays parameter with New-ADServiceAccount to specify the number of days for the password change interval. -ManagedPasswordIntervalInDays<Int32> Specifies the number of days for the password change interval. If set to 0 then the default is used. This can only be set on object creation. After that the setting is read only. This value returns the msds- ManagedPasswordInterval of the group managed service account object. The following example shows how to specify a 90 day password changes interval: -ManagedPasswordIntervalInDays 90 QUESTION 5 Your network contains an Active Directory domain. The domain contains several domain controllers. You need to modify the Password Replication Policy on a read-only domain controller (RODC).

193 Which tool should you use? A. Group Policy Management B. Active Directory Domains and Trusts C. Active Directory Users and Computers D. Computer Management E. Security Configuration Wizard Correct Answer: C / Practically the same as I/Q12. Administering the Password Replication Policy This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs). To configure the PRP using Active Directory Users and Computers 1. Open Active Directory Users and Computers as a member of the Domain Admins group. 2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. 3. Click Domain Controllers, and in the details pane, right-click the RODC computer account, and then click Properties. 4. Click the Password Replication Policy tab. 5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed list and the Deny list on the RODC. To add other groups that should be included in either the Allowed list or the Deny list, click Add. To add other accounts that will have credentials cached on the RODC, click Allow passwords for the account to replicate to this RODC. To add other accounts that are not allowed to have credentials cached on the RODC, click Deny passwords for the account from replicating to this RODC. QUESTION 6 Your network contains an Active Directory forest. The forest contains domain controllers that run Windows Server 2008 R2. The functional level of the forest is Windows Server The functional level of the domain is Windows Server From a domain controller, you need to perform an authoritative restore of an organizational unit (OU). What should you do first? A. Raise the functional level of the forest B. Modify the tombstone lifetime of the forest. C. Restore the system state. D. Raise the functional level of the domain. Correct Answer: C /

194 The Recycle Bin feature cannot be applied here, see the reference below. Windows Server 2008 R2 Unleashed (SAMS, 2010) pages 1292 and 1297 Active Directory Recycle Bin Recovery Let s begin this section with a very clear statement: If you need to recover a deleted Active Directory object and the Active Directory Recycle Bin was not enabled before the object was deleted, skip this section and proceed to the Active Directory Authoritative Restore section. Active Directory Authoritative Restore When Active Directory has been modified and needs to be restored to a previous state, and this rollback needs to be replicated to all domain controllers in the domain and possibly the forest, an authoritative restore of Active Directory is required. An authoritative restore of Active Directory can include the entire Active Directory database, a single object, or a container, such as an organizational unit including all objects previously stored within the container. To perform an authoritative restore of Active Directory, perform the System State restore of a domain controller. QUESTION 7 Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com. You have a custom attribute named Attribute 1 in Active Directory. Attribute 1 is associated to User objects. You need to ensure that Attribute1 is included in the global catalog. A. From the Active Directory Schema snap-in, modify the properties of the Attribute 1 attributeschema object. B. In Active Directory Users and Computers, configure the permissions on the Attribute 1 attribute for User objects. C. From the Active Directory Schema snap-in, modify the properties of the User classschema object. D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the forest. Correct Answer: A / Same question as D/Q39 Global Catalog Partial Attribute Set The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeschema object as a member of the PAS, which sets the value of the ismemberofpartialattributeset attribute to TRUE. Global Catalog Replication of Additions to the Partial Attribute Set Each global catalog server in an AD DS forest hosts a copy of every existing object in that forest. For the objects of its own domain, a global catalog server has information related to all attributes that are associated with those objects. For the objects in domains other than its own, a global catalog server has only information that is related to the set of attributes that are marked in the AD DS schema to be included in the partial attribute

195 set (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to be used for searches. These attributes are replicated to every global catalog server in an AD DS forest. If you want to add an attribute to the PAS, you can mark the attribute by using the Active Directory Schema snap-in to edit the ismemberofpartialattributeset value on the respective attributeschema object. You mark the attribute by placing a checkmark next to ismemberofpartialattributeset. If the ismemberofpartialattributeset value is checked (set to TRUE), the attribute is replicated to the global catalog. If the value is not checked (set to FALSE), the attribute is not replicated to the global catalog. QUESTION 8 Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the Active Directory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD LDS instances named Instance1 and Instance2. You need to remove Instance2 from Server1 without affecting Instance1. Which tool should you use? A. NTDSUtil B. Dsdbutil C. Programs and Features in the Control Panel D. Server Manager Correct Answer: C / Reference 1: Administering AD LDS Instances Each AD LDS instance runs as an independent and separately administered service on a computer. Reference 2: technet.microsoft.com/en-us/library/cc aspx To remove an AD LDS instance 1. To open Programs and Features, click Start, click Settings, click Control Panel, and then double-click Programs and Features. 2. Locate and click the AD LDS instance that you want to remove. 3. Click Uninstall. Note It is not necessary to restart the computer after you remove an AD LDS instance. QUESTION 9 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to compact the Active Directory database. A. Run the Get-ADForest cmdlet. B. Configure subscriptions from Event Viewer. C. Run the eventcreate.exe command. D. Configure the Active Directory Diagnostics Data Collector Set (OCS).

196 E. Create a Data Collector Set (DCS). F. Run the repadmin.exe command. G. Run the ntdsutil.exe command. H. Run the dsquery.exe command. I. Run the dsamain.exe command. J. Create custom views from Event Viewer. Correct Answer: G / Reference 1: Compact the Directory Database File (Offline Defragmentation) You can use this procedure to compact the Active Directory database offline. Offline defragmentation returns free disk space in the Active Directory database to the file system. As part of the offline defragmentation procedure, check directory database integrity. Performing offline defragmentation creates a new, compacted version of the database file in a different location. Reference 2: Mastering Windows Server 2008 R2 (Sybex, 2010) page 805 Performing Offline Defragmentation of Ntds.dit These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder, map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate. 1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator. 2. Type ntdsutil, and then press Enter. 3. Type Activate instance NTDS, and press Enter. 4. At the resulting ntdsutil prompt, type Files (case sensitive), and then press Enter. 5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the defragmentation, and then press Enter. QUESTION 10 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to collect all of the Directory Services events from all of the domain controllers and store the events in a single central computer. A. Run the ntdsutil.exe command. B. Run the repodmin.exe command. C. Run the Get-ADForest cmdlet. D. Run the dsamain.exe command. E. Create custom views from Event Viewer. F. Run the dsquery.exe command. G. Configure the Active Directory Diagnostics Data Collector Set (DCS), H. Configure subscriptions from Event Viewer. I. Run the eventcreate.exe command.

197 J. Create a Data Collector Set (DCS). Correct Answer: H / Event Subscriptions Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers. Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events. Using the event collecting feature requires that you configure both the forwarding and the collecting computers. The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process. To learn about the steps required to configure event collecting and forwarding computers, see Configure Computers to Forward and Collect Events ( en-us/library/cc aspx). QUESTION 11 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to receive a notification when more than 100 Active Directory objects are deleted per second. A. Create custom views from Event Viewer. B. Run the Get-ADForest cmdlet. C. Run the ntdsutil.exe command. D. Configure the Active Directory Diagnostics Data Collector Set (DCS). E. Create a Data Collector Set (DCS). F. Run the dsamain.exe command. G. Run the dsquery.exe command. H. Run the repadmin.exe command. I. Configure subscriptions from Event Viewer. J. Run the eventcreate.exe command. Correct Answer: E / Practically the same question as K/Q22. Configure Windows Server 2008 to Notify you when Certain Events Occur You can configure alerts to notify you when certain events occur or when certain performance thresholds are

198 reached. You can send these alerts as network messages and as events that are logged in the application event log. You can also configure alerts to start applications and performance logs. To configure an alert, follow these steps: 1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set. 2. (...) 3. In the Performance Counters panel, select the first counter, and then use the Alert When Value Is text box to set the occasion when an alert for this counter is triggered. Alerts can be triggered when the counter is above or below a specific value. Select Above or Below, and then set the trigger value. The unit of measurement is whatever makes sense for the currently selected counter or counters. For example, to generate an alert if processor time is over 95 percent, select Over, and then type 95. Repeat this process to configure other counters you ve selected. QUESTION 12 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to create a snapshot of Active Directory. A. Run the dsquery.exe command. B. Run the dsamain.exe command. C. Create custom views from Event Viewer. D. Configure subscriptions from Event Viewer. E. Create a Data Collector Set (DCS). F. Configure the Active Directory Diagnostics Data Collector Set (DCS). G. Run the repadmin.exe command. H. Run the ntdsutil.exe command. I. Run the Get-ADForest cmdlet. J. Run the eventcreate.exe command. Correct Answer: H / Practically the same question as E/Q29 To create an AD DS or AD LDS snapshot 1. Log on to a domain controller as a member of the Enterprise Admins groups or the Domain Admins group. 2. Click Start, right-click Command Prompt, and then click Run as administrator. 3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 4. At the elevated command prompt, type the following command, and then press ENTER: ntdsutil 5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot 6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds 7. At the snapshot prompt, type the following command, and then press ENTER: create QUESTION 13 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You mount an Active Directory snapshot.

199 You need to ensure that you can query the snapshot by using LDAP. A. Run the dsamain.exe command. B. Create custom views from Event Viewer. C. Run the ntdsutil.exe command. D. Configure subscriptions from Event Viewer. E. Run the Get-ADForest cmdlet. F. Create a Data Collector Set (DCS). G. Run the eventcreate.exe command. H. Configure the Active Directory Diagnostics Data Collector Set (DCS). I. Run the repadmin.exe command. J. Run the dsquery.exe command. Correct Answer: A / Practically the same question as K/Q25. The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain. Requirements for using the Active Directory database mounting tool You do not need any additional software to use the Active Directory database mounting tool. All the tools that are required to use this feature are built into Windows Server 2008 and are available if you have the AD DS or the AD LDS server role installed. These tools include the following: (...) Dsamain.exe, which you can use to expose the snapshot data as an LDAP server Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers

200 Exam I QUESTION 1 Your network contains an Active Directory forest named adatum.com. The forest contains four child domains named europe.adatum.com, northamerica.adatum.com, asia.adatum. com, and africa.adatum.com. You need to create four new groups in the forest root domain. The groups must be configured as shown in the following table. To answer, drag the appropriate group type to the correct group name in the answer area. Select and Place: Correct Answer:

201 / Windows Server 2008 R2 Unleashed (SAMS, 2010) page 128 Domain local groups Domain local groups are essentially the same thing as local groups in Windows NT, and are used to administer resources located only on their own domain. They can contain users and groups from any other trusted domain. Most typically, these types of groups are used to grant access to resources for groups in different domains. Global groups Global groups are on the opposite side from domain local groups. They can contain users only in the domain in which they exist but are used to grant access to resources in other trusted domains. These types of groups are best used to supply security membership to user accounts that share a similar function, such as the sales global group. Universal groups Universal groups can contain users and groups from any domain in the forest and can grant access to any resource in the forest. Along with this added power come a few caveats. First, universal groups are available only in domains with a functional level of Windows 2000 Native or later. Second, all members of each universal group are stored in the global catalog, increasing the replication load. It is important to note, however, that universal group membership replication has been noticeably streamlined and optimized in Windows Server 2008 R2 because the membership is incrementally replicated. QUESTION 2 Your network contains an Active Directory domain named adatum.com. You need to use Group Policies to deploy the line-of-business applications shown in the following table.

202 To answer, drag the appropriate deployment method to the correct application in the answer area. Select and Place: Correct Answer:

203 / Practically the same question as L/Q10. technet.microsoft.com/en-us/library/cc aspx Software installation You can use the Software Installation extension of Group Policy to centrally manage software distribution in your organization. You can assign and publish software for groups of users and computers using this extension. Assigning Applications When you assign applications to users or computers, the applications are automatically installed on their computers at logon (for user-assigned applications) or startup (for computer-assigned applications.) When assigning applications to users, the default behavior is that the application will be advertised to the computer the next time the user logs on. This means that the application shortcut appears on the Start menu, and the registry is updated with information about the application, including the location of the application package and the location of the source files for the installation. With this advertisement information on the user's computer, the application is installed the first time the user tries to use the application. In addition to this default behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully install the package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored by computers running Windows 2000, which will always advertise user-assigned applications. When assigning applications to computers, the application is installed the next time the computer boots up. Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. Assigning applications through Group Policy requires that the application setup is authored as a Windows Installer (.msi) package. Publishing Applications You can also publish applications to users, making the application available for users to install. To install a published application, users can use Add or Remove Programs in Control Panel, which includes a list of all published applications that are available for them to install. Alternatively, if the administrator has selected the Auto-install this application by file extension activation feature, users can open a document file associated with a published application. For example, double clicking an.xls file will trigger the installation of Microsoft Excel, if

204 it is not already installed. Publishing applications only applies to user policy; you cannot publish applications to computers. QUESTION 3 Your network contains an Active Directory forest. The DNS infrastructure fails. You rebuild the DNS infrastructure. You need to force the registration of the Active Directory Service Locator (SRV) records in DNS. Which service should you restart on the domain controllers? To answer, select the appropriate service in the answer area. Point and Shoot: Correct Answer:

205 / MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62 The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records. QUESTION 4 Your network contains an Active Directory forest named contoso.com. The password policy of the forest requires that the passwords for all of the user accounts be changed every 30 days. You need to create user accounts that will be used by services. The passwords for these accounts must be changed automatically every 30 days. Which tool should you use to create these accounts? To answer, select the appropriate tool in the answer area. Point and Shoot:

206 Correct Answer: / Use the New-ADServiceAccount cmdlet in PowerShell to create the new accounts as managed service accounts. Managed service accounts offer Automatic password management, making password management easier. Reference 1: What are the benefits of new service accounts? In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts: (...) Unlike with regular domain accounts in which administrators must reset passwords manually, the network

207 passwords for these accounts will be reset automatically. (...) Reference 2: Use the Active Directory module for Windows PowerShell to create a managed service account. Reference 3: To create a new managed service account 1. On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc, and then click OK to open the Active Directory Users and Computers snap-in. Confirm that the Managed Service Account container exists. 2. Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShell icon. 3. Run the following command: New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>]. Reference 4: Use the -ManagedPasswordIntervalInDays parameter with New-ADServiceAccount to specify the number of days for the password change interval. -ManagedPasswordIntervalInDays<Int32> Specifies the number of days for the password change interval. If set to 0 then the default is used. This can only be set on object creation. After that the setting is read only. This value returns the msds- ManagedPasswordInterval of the group managed service account object. The following example shows how to specify a 90 day password changes interval: -ManagedPasswordIntervalInDays 90 QUESTION 5 Your network contains an Active Directory forest named contoso.com. All client computers run Windows 7 Enterprise. You need automatically to create a local group named PowerManagers on each client computer that contains a battery. The solution must minimize the amount of administrative effort. Which node in Group Policy Management Editor should you use? To answer, select the appropriate node in the answer area. Point and Shoot:

208 Correct Answer: / Configure a Local Group Item Local Group preference items allow you to centrally create, delete, and rename local groups. Also, you can use these preference items to change local group memberships. Before you create a local group preference item, you should review the behavior of each type of action possible with the extension. Creating a Local Group item 1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit. 2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Control Panel Settings folder. 3. Right-click the Local Users and Groups node, point to New, and select Local Group. 4. In the New Local Group Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.) 5. Enter local group settings for Group Policy to configure or remove. (For more information, see "Local group settings" in this topic.)

209 6. Click the Common tab, configure any options, and then type your comments in the Description box. (For more information, see Configure Common Options.) 7. Click OK. The new preference item appears in the details pane. Actions This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether a group with the same name exists. Create - Create a new local group on the local computer. If the local group exists, then do not modify it. (...) QUESTION 6 Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named Server1. Server1 has an IP address of You need to view the Pointer (PTR) record for Server1. Which zone should you open in the DNS snap-in to view the record? To answer, select the appropriate zone in the answer area. Point and Shoot: Correct Answer:

210 / Practically the same question as H/Q2. Reference 1: MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 57 Reverse lookup: This occurs when a client computer knows the IP address of another computer and requires its hostname, which can be found in the DNS server s PTR (pointer) resource record. Reference 2: MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 45/730 You are configuring a reverse lookup zone for your network, which uses the Class C network address range of /24. Which of the following addresses should you use for the reverse lookup zone? a in-addr.arpa b in-addr.arpa c in-addr.arpa d in-addr.arpa The reverse lookup zone contains octets of the network portion of the IP address in reverse sequence and uses a special domain name ending in in-addr.arpa. Thus the correct address is in-addr.arpa. You do not use the host portion of the IP address, so in-addr.arpa is incorrect. The octets must be specified in reverse sequence, so the other two choices are both incorrect. QUESTION 7 Your network contains an Active Directory domain. You need to create a new site link between two sites named Site1 and Site3. The site link must support the replication of domain objects. Under which node in Active Directory Sites and Services should you create the site link? To answer, select the appropriate node in the answer area Point and Shoot:

211 Correct Answer: / You can use this procedure to create a site link object and add the appropriate sites to it.

212 To create a site link object 8. Open Active Directory Sites and Services. 9. Expand Sites, and then expand Inter-Site Transports. 10.Right-click IP, and then click New Site Link. 11.In Name, type a name for the site link. 12.In Sites not in this site link, click a site that you want to add to the site link. Hold down the SHIFT key to click a second site that is adjacent in the list, or hold down the CTRL key to click a second site that is not adjacent in the list. 13.After you select all the sites that you want to add to the site link, click Add, and then click OK. QUESTION 8 Your company has a main office and a branch office. All servers are located in the main office. The network contains an Active Directory forest named adatum.com. The forest contains a domain controller named MainDC that runs Windows Server 2008 R2 Enterprise and a member server named FileServer that runs Windows Server 2008 R2 Standard. You have a kiosk computer named Public_Computer that runs Windows 7. Public_Computer is not connected to the network. You need to join Public_Computer to the adatum.com domain. To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order. Build List and Reorder: Correct Answer:

213 / Reference 1: MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) pages 217, 218 Offline Domain Join Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment. When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup. Four major steps are required to join a computer to the domain by using offline domain join: 1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain. 2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file. 3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windows directory. 4. When you start or restart the computer, it will be a member of the domain. QUESTION 9 Your network contains two forests named contoso.com and fabrikam.com. The functional level of all the domains is Windows Server The functional level of both forests is Windows You need to create a trust between contoso.com and fabrikam.com. The solution must ensure that users from contoso.com can only access the servers in fabrikam.com that have the Allowed to Authenticate permission set. To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order. Build List and Reorder: Correct Answer:

214 / Still not really sure whether an external trust or forest trust is needed here. Just left it as it is. Selective authentication over an external trust restricts access to only those users in a trusted domain who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the trusting domain. To explicitly give authentication permissions to computer objects in the trusting domain to certain users, administrators must grant those users the Allowed to Authenticate permission in Active Directory. QUESTION 10 Your network contains an Active Directory forest named contoso.com. You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster. To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order. Build List and Reorder: Correct Answer: /

215 During the installation of the AD RMS root cluster we need to select a configuration database, so we need to install SQL Server 2008 first. Next we need to install the AD RMS root cluster, only then can we install the AD RMS licensing-only cluster. The last step is to deploy the AD RMS policy templates. Reference 1: Before you install AD RMS Before you install Active Directory Rights Management Services (AD RMS) on Windows Server 2008 R2 for the first time, there are several requirements that must be met: (...) In addition to pre-installation requirements for AD RMS, we strongly recommend the following: Install the database server that is used to host the AD RMS databases on a separate computer. (...) Reference 2: A root AD RMS cluster must already be present in the AD DS forest before you can install the licensingonly cluster. QUESTION 11 Your network contains an Active Directory forest named contoso.com. The forest contains a domain controller named DC1 that runs Windows Server 2008 R2 Enterprise and a member server named Server1 that runs Windows Server 2008 R2 Standard. You have a computer named Computer1 that runs Windows 7. Computer1 is not connected to the network. You need to join Computer1 to the contoso.com domain. To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order. Build List and Reorder: Correct Answer:

216 / Reference 1: MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) pages 217, 218 Offline Domain Join Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment. When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup. Four major steps are required to join a computer to the domain by using offline domain join: 1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain. 2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file. 3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windows directory. 4. When you start or restart the computer, it will be a member of the domain. Reference 2: Performing an offline domain join using different physical computers To perform an offline domain join using physical computers, you can complete the following steps. The best practice in this case is to have one domain controller, one domain-joined computer to use as a provisioning server, and one client computer that you want to join to the domain. 1. On the provisioning server, open an elevated command prompt. 2. Type the following command to provision the computer account: djoin /provision /domain <domain to be joined> /machine <name of the destination computer> /savefile blob.txt 3. Copy the blob.txt file to the client computer. 4. On the client computer, open an elevated command prompt, and then type the following command to request the domain join: djoin /requestodj /loadfile blob.txt /windowspath %SystemRoot% /localos 5. Reboot the client computer. The computer will be joined to the domain. QUESTION 12 You need to modify the Password Replication Policy on a read-only domain controller (RODC). Which tool should you use? To answer, select the appropriate tool in the answer area. Point and Shoot:

217 Correct Answer: / Practically the same as H/Q5. Administering the Password Replication Policy This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs). To configure the PRP using Active Directory Users and Computers 1. Open Active Directory Users and Computers as a member of the Domain Admins group. 2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct

218 domain. 3. Click Domain Controllers, and in the details pane, right-click the RODC computer account, and then click Properties. 4. Click the Password Replication Policy tab. 5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed list and the Deny list on the RODC. To add other groups that should be included in either the Allowed list or the Deny list, click Add. To add other accounts that will have credentials cached on the RODC, click Allow passwords for the account to replicate to this RODC. To add other accounts that are not allowed to have credentials cached on the RODC, click Deny passwords for the account from replicating to this RODC. QUESTION 13 Your network contains an Active Directory domain named contoso.com. You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs). Under which node in the DNS snap-in should you add a zone? To answer, select the appropriate node in the answer area. Point and Shoot: Correct Answer: /

219 Practically the same as H/Q1. Mastering Microsoft Windows Server 2008 R2 (Sybex, 2010) page 193 A forward lookup means the client provides a fully qualified domain name and the DNS server returns an IP address. A reverse lookup does the opposite: the client provides an IP address, and then the DNS server returns an FQDN. QUESTION 14 Your company has two domain controllers named DC1 and DC2. DC1 hosts all domain and forest operations master roles. DC1 fails. You need to rebuild DC1 by reinstalling the operating system. You also need to rollback all operations master roles to their original state. You perform a metadata cleanup and remove all references of DC1. Which three actions should you perform next? (To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.) Build List and Reorder: Correct Answer: / First we need to seize the operations master roles from DC1 to DC2. They are important and need to be in place. Next we rebuild DC1 (not DC2, we need it) and transfer the operations master roles back to DC1.

220 QUESTION 15 A server named DC1 has the Active Directory Domain Services (AD DS) role and the Active Directory Lightweight Directory Services (AD LDS) role installed. An AD LDS instance named LDS1 stores its data on the C: drive. You need to relocate the LDS1 instance to the D: drive. Which three actions should you perform in sequence? (To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.) Build List and Reorder: Correct Answer: / html NTDSUTIL NTDSUTIL.EXE is a command-line tool that is used to manage Active Directory. Important Usage To relocate AD LDS directory partition, use the NTDSUTIL tool. Take the following steps: Stop the LDS by using the net stop command. Move the Database file through NTDSUTIL tool. Start the directory service using the net start command.

221 QUESTION 16 You need to perform an offline defragmentation of an Active Directory database. Which four actions should you perform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer area and arrange them in the correct order.) Build List and Reorder: Correct Answer: / Compact the database file to a local directory or remote shared folder, as follows: 1. Open a Command Prompt as an administrator. 2. At the command prompt, type the following command, and then press ENTER: net stop ntds 3. Type Y to agree to stop additional services, and then press ENTER. 4. At the command prompt, type ntdsutil, and then press ENTER. 5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER. 6. At the ntdsutil prompt, type files, and then press ENTER. 7. If you are compacting the database to a local drive, at the file maintenance: prompt, type compact to <drive>:\ <LocalDirectoryPath> (where <drive>:\ <LocalDirectoryPath> is the path to a location on the local computer), and then press ENTER. 8. If defragmentation completes successfully, type quit, and then press ENTER to quit the file maintenance: prompt. Type quit again, and then press ENTER to quit Ntdsutil.exe. (...) Note

222 You should make a copy of the existing Ntds.dit file if at all possible, even if you have to store that copy on a secured network drive. If the compaction of the database does not work properly, you can then easily restore the database by copying it back to the original location. Do not delete the copy of the Ntds.dit file until you have at least verified that the domain controller starts properly. If space allows, you can rename the original Ntds.dit file to preserve it. Avoid overwriting the original Ntds.dit file. 9. Manually copy the compacted database file to the original location, as follows: copy <temporarydrive>:\ntds.dit <originaldrive>:\<pathtooriginaldatabasefile> \ntds.dit Ntdsutil provides the correct paths to the temporary and original locations of the Ntds.dit file. (...) 10.Restart AD DS. At the command prompt, type the following command, and then press ENTER: net start ntds QUESTION 17 Your company has an Active Directory forest that contains multiple domain controllers. The domain controllers run Windows Server You need to perform an an authoritative restore of a deleted orgainzational unit and its child objects. Which four actions should you perform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer area, and arrange them in the correct order.) Build List and Reorder: Correct Answer:

223 / References: Performing Authoritative Restore of Active Directory Objects Restart the Domain Controller in Directory Services Restore Mode Locally Restore AD DS from Backup (Nonauthoritative Restore) Mark an Object or Objects as Authoritative Restart the Domain Controller in Directory Services Restore Mode Locally If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account. Restore AD DS from Backup (Nonauthoritative Restore) Nonauthoritative restore from backup restores Active Directory Domain Services (AD DS) from its current state to the previous state of a backup. Use this procedure before you perform an authoritative restore procedure to recover objects that were deleted after the time of the backup. To restore AD DS from backup, use a system state or critical-volumes backup. Mark an Object or Objects as Authoritative In this procedure, you use the ntdsutil command to select objects that are to be marked authoritative when they replicate to other domain controllers. Restart the domain controller [Don't restart the domain controller in Safe Mode, you would have a 'crippled' server without AD DS.] QUESTION 18 ABC.com has an Active Directory forest on a single domain. The domain operates Windows Server A new administrator accidentally deletes the entire organizational unit in the Active Directory database that hosts 6000 objects. You have backed up the system state data using third-party backup software. To restore backup, you start the domain controller in the Directory Services Restore Mode (DSRM). You need to perform an authoritative restore of the organizational unit and restore the domain controller to its original state. Which three actions should you perform? Build List and Reorder:

224 Correct Answer: / References: Performing Authoritative Restore of Active Directory Objects Restart the Domain Controller in Directory Services Restore Mode Locally Restore AD DS from Backup (Nonauthoritative Restore) Mark an Object or Objects as Authoritative Restart the Domain Controller in Directory Services Restore Mode Locally If you have physical access to a domain controller, you can restart the domain controller in Directory Services Restore Mode (DSRM) locally. Restarting in DSRM takes the domain controller offline. In this mode, the server is functioning as a member server, not as a domain controller. During installation of Active Directory Domain Services (AD DS), you set the Administrator password for logging on to the server in DSRM. When you start Windows Server 2008 in DSRM, you must log on by using this DSRM password for the local Administrator account. Restore AD DS from Backup (Nonauthoritative Restore) Nonauthoritative restore from backup restores Active Directory Domain Services (AD DS) from its current state to the previous state of a backup. Use this procedure before you perform an authoritative restore procedure to recover objects that were deleted after the time of the backup. To restore AD DS from backup, use a system state or critical-volumes backup. Mark an Object or Objects as Authoritative In this procedure, you use the ntdsutil command to select objects that are to be marked authoritative when they replicate to other domain controllers.

225 Restart the domain controller [Don't restart the domain controller in Safe Mode, you would have a 'crippled' server without AD DS.]

226 Exam J QUESTION 1 Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 and a domain controller named DC1. On Server1, you configure a collector-initiated subscription for the Application log of DC1. The subscription is configured to collect all events. After several days, you discover that Server1 failed to collect any events from DC1, although there are more than 100 new events in the Application log of DC1. You need to ensure that Server1 collects events from DC1. A. On Server1, run wecutil quick-config. B. On Server1, run winrm quickconfig. C. On DC1, run wecutil quick-config. D. On DC1, run winrm quickconfig. Correct Answer: D / Since the subscription has been created, wecutil quick-config has already run on Server1. Only thing left is to configure DC1 to forward the events, using winrm quickconfig. Reference1 : Mastering Windows Server 2008 R2 (Sybex, 2010) page 773 Windows event Collector Service The first time you select the Subscriptions node of Event Viewer or the Subscription tab of any log, a dialog box will appear stating that the Windows Event Collector Service must be running and configured. It then asks whether you want to start and configure the service. If you click Yes, it starts the service and changes the startup type from Manual to Automatic (Delayed Start), causing it to start each time Windows starts. Reference 2: To configure computers in a domain to forward and collect events 1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges. 2. On each source computer, type the following at an elevated command prompt: winrm quickconfig QUESTION 2 A network contains an Active Directory Domain Services (AD DS) domain. Active Directory is configured as shown in the following table. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2003.

227 Active Directory replication between the Seattle site and the Chicago site occurs from 8:00 P.M. to 1:00 A.M. every day. At 7:00 A.M. an administrator deletes a user account while he is logged on to DC001. You need to restore the deleted user account. You must achieve this goal by using the minimum administrative effort. A. On DC006, stop AD DS, perform an authoritative restore, and then start AD DS. B. On DC001, run the Restore-ADObject cmdlet. C. On DC006, run the Restore-ADObject cmdlet. D. On DC001, stop AD DS, restore the system state, and then start AD DS. Correct Answer: A / Practically the same question as E/Q33 and K/Q28. We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and you can only use Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the question text it says "The functional level of the forest is Windows Server 2003." See Performing an authoritative restore on DC006 updates the Update Sequence Number (USN) on that DC, which causes it to replicate the restored user account to other DC's. Reference 1: MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) page 692 "An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers." Reference 2: Authoritative restore of AD DS has the following requirements: (...) You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete. QUESTION 3 Your network contains an Active Directory domain. The domain is configured as shown in the exhibit.

228 You have a Group Policy Object (GPO) linked to the domain. You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts in the Finance organizational unit (OU). You must achieve this goal by using the minimum amount of administrative effort. A. Modify the Group Policy permissions. B. Configure WMI filtering. C. Enable block inheritance. D. Enable loopback processing in replace mode. E. Configure the link order. F. Configure Group Policy Preferences. G. Link the GPO to the Human Resources OU. H. Configure Restricted Groups. I. Enable loopback processing in merge mode. J. Link the GPO to the Finance OU. Correct Answer: C / Same question as K/Q2, but with the exhibit. Block Inheritance You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy

229 objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. QUESTION 4 Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. You have two Group Policy Objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the Sales OU and contain multiple settings. You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied, the setting in GPO2 takes effect. You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure that all non-conflicting settings in both GPOs are applied. A. Configure Restricted Groups. B. Configure the link order. C. Link the GPO to the Sales OU. D. Link the GPO to the Engineer OU. E. Enable loopback processing in merge mode. F. Modify the Group Policy permissions. G. Configure WMI filtering. H. Configure Group Policy Permissions. I. Enable loopback processing in replace mode. J. Enable block inheritance. Correct Answer: B / Practically the same as J/Q22 and K/Q3. MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) page 283 Precedence of Multiple Linked GPOs An OU, domain, or site can have more than one GPO linked to it. In the event of multiple GPOs, the GPOs link order determines their precedence. In Figure 6-10, two GPOs are linked to the People OU. figure 6-10 GPO link order

230 The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that are enabled or disabled in the Power User Configuration GPO have precedence over these same settings in the Standard User Configuration GPO. To change the precedence of a GPO link: 1. Select the OU, site, or domain in the GPMC console tree. 2. Click the Linked Group Policy Objects tab in the details pane. 3. Select the GPO. 4. Use the Up, Down, Move To Top, and Move To Bottom arrow icons to change the link order of the selected GPO. QUESTION 5 All vendors belong to a global group named vendors. You place three file servers in a new organizational unit (OU) named ConfidentialFileServers. The three file servers contain confidential data located in shared folders. You need to record any failed attempts made by the vendors to access the confidential data. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU. Configure the Audit object access failure audit policy setting. B. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU. Configure the Audit privilege use Failure audit policy setting. C. On each shared folder on the three file servers, add the Vendors global group to the Auditing tab. Configure Failed Full control setting in the AuditingEntry dialog box. D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure Failed Full control setting in the AuditingEntry dialog box. E. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU. Configure the Deny access to this computer from the network user rights setting for the Vendors global group. Correct Answer: AC / Practically the same as A/Q30. Windows Server 2008 R2 Unleashed (SAMS, 2010) page 671 Auditing Resource Access Object access can be audited, although it is not one of the recommended settings. Auditing object access can place a significant load on the servers, so it should only be enabled when it is specifically needed. Auditing object access is a two-step process: Step one is enabling Audit object access and step two is selecting the objects to be audited. When enabling Audit object access, you need to decide if both failure and success events will be logged. The two options are as follows: Audit object access failure enables you to see if users are attempting to access objects to which they have no rights. This shows unauthorized attempts. Audit object access success enables you to see usage patterns. This shows misuse of privilege. After object access auditing is enabled, you can easily monitor access to resources such as folders, files, and printers.

231 Auditing Files and Folders The network administrator can tailor the way Windows Server 2008 R2 audits files and folders through the property pages for those files or folders. Keep in mind that the more files and folders that are audited, the more events that can be generated, which can increase administrative overhead and system resource requirements. Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following: 1. In Windows Explorer, right-click the file or folder to audit and select Properties. 2. Select the Security tab and then click the Advanced button. 3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button. 4. Click the Add button to display the Select User or Group window. 5. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names button to verify the name. QUESTION 6 A corporate network includes a single Active Directory Domain Services (AD DS) domain. The HR department has a dedicated organizational unit (OU) named HR. The HR OU has two sub-ous: HR Users and HR Computers. User accounts for the HR department reside in the HR Users OU. Computer accounts for the HR department reside in the HR Computers OU. All HR department employees belong to a security group named HR Employees. All HR department computers belong to a security group named HR PCs. Company policy requires that passwords are a minimum of 6 characters. You need to ensure that, the next time HR department employees change their passwords, the passwords are required to have at least 8 characters. The password length requirement should not change for employees of any other department. A. Modify the password policy in the GPO that is applied to the domain. B. Create a new GPO, with the necessary password policy, and link it to the HR Users OU. C. Create a fine-grained password policy and apply it to the security group named HR Employees. D. Modify the password policy in the GPO that is applied to the domain controllers OU. Correct Answer: C / Thanks to Camel73 for confirming there was an error in answer C. That's fixed now. What do fine-grained password policies do? You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain. For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources. Are there any special considerations? Fine-grained password policies apply only to user objects (or inetorgperson objects if they are used instead of user objects) and global security groups. By default, only members of the Domain Admins group can set fine-grained password policies. However, you can also delegate the ability to set these policies to other users. The domain functional level must be Windows Server 2008.

232 Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply finegrained password policy to users of an OU, you can use a shadow group. QUESTION 7 A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular user accounts reside in an organisational unit (OU) named Employees. All administrator accounts reside in an OU named Admins. You need to ensure that any time an administrator modifies an employee's name in AD DS, the change is audited. What should you do first? A. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Employees OU. B. Modify the searchflags property for the Name attribute in the Schema. C. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Admins OU. D. Use the Auditpol.exe command-line tool to enable the directory service changes auditing subcategory. Correct Answer: D / Same question as J/Q37, different set of answers. Before we can use the Directory Service Changes audit policy subcategory, we have to enable it first. We can do that by using auditpol.exe. Auditing changes to objects in AD DS In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access, that controlled whether auditing for directory service events was enabled or disabled. In Windows Server 2008, this policy is divided into four subcategories: Directory Service Access Directory Service Changes Directory Service Replication Detailed Directory Service Replication The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory Service Changes. This guide provides instructions for implementing this audit policy subcategory. The types of changes that you can audit include a user (or any security principal) creating, modifying, moving, or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS: When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged. (...) Steps to set up auditing This section includes procedures for each of the primary steps for enabling change auditing: Step 1: Enable audit policy. Step 2: Set up auditing in object SACLs by using Active Directory Users and Computers.

233 Step 1: Enable audit policy. This step includes procedures to enable change auditing with either the Windows interface or a command line: (...) By using the Auditpol command-line tool, you can enable individual subcategories. To enable the change auditing policy using a command line 1. Click Start, right-click Command Prompt, and then click Run as administrator. 2. Type the following command, and then press ENTER: auditpol /set /subcategory:"directory service changes" /success:enable QUESTION 8 Your network contains an Active Directory forest named contoso.com. You need to provide a user named User1 with the ability to create and manage subnet objects. The solution must minimize the number of permissions assigned to User1. A. From Active Directory Users and Computers, run the Delegation of Control wizard. B. From Active Directory Administrative Centre, add User1 to the Schema Admins group. C. From Active Directory Sites and Services, run the Delegation of Control wizard. D. From Active Directory Administrative Centre, add User1 to the Network Configuration Operators group. Correct Answer: C / Adding the user to the Schema Admins group, or to the Network Configuration Operators group would give User1 too much rights. Since we have to delegate an administrative task concerning subnets, we have to run the Delegation of Control wizard from Active Directory Sites and Services. Reference below is for Windows Server 2003 R2, but is still valid for 2008 R2. Delegate control of a site To delegate control of a site 1. Open Active Directory Sites and Services. 2. Right-click the container whose control you want to delegate, and then click Delegate Control to start the Delegation of Control Wizard. 3. Follow the instructions in the Delegation of Control Wizard. Notes (...) In Active Directory Sites and Services, you can delegate control for the subnets, intersite transports, sites, and server containers. QUESTION 9 A corporate network contains a Windows Server 2008 R2 Active Directory forest. You need to add a User Principle Name (UPN) suffix to the forest. What tool should you use? A. Dsmgmt.

234 B. Active Directory Domains and Trusts console. C. Active Directory Users and Computers console. D. Active Directory Sites and Services console. Correct Answer: B / Practically the same as F/Q17 Demonstration adding a UPN Suffix To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the start menu. Right click Active Directory Domains and Trusts at the top and open the properties. From here you can add and remove additional domain UPN suffixes for the forest. QUESTION 10 Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has two domain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4. DC3 fails. You discover that replication no longer occurs between the sites. You verify the connectivity between DC4 and the domain controllers in Site1. On DC4, you run repadmin.exe /kcc. Replication between the sites continues to fail. You need to ensure that Active Directory data replicates between the sites. A. From Active Directory Sites and Services, configure the NTDS Site Settings of Site2. B. From Active Directory Sites and Services, configure DC3 so it is not a preferred bridgehead server. C. From Active Directory Users and Computers, configure the NTDS settings of DC4. D. From Active Directory Users and Computers, configure the location settings of DC4. Correct Answer: B / Same question as D/Q37. By modifying the properties of DC3 we can remove the preferred bridgehead status of DC3. Reference 1: MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 193, 194 Bridgehead Servers A bridgehead server is the domain controller designated by each site s KCC to take control of intersite replication. The bridgehead server receives information replicated from other sites and replicates it to its site s

235 other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than between them. In most cases, the KCC automatically decides which domain controller acts as the bridgehead server. However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps: 1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server. 2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties. 3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead server and then click Add. Reference 2: MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, December ) pages 589, 590 Preferred Bridgehead Servers (...) It s important to understand that if you have specified one or more bridgehead servers and none of the bridgeheads is available, no other server is automatically selected, and replication does not occur for the site even if there are servers that could act as bridgehead servers. QUESTION 11 Your network contains an Active Directory domain named contoso.com. All domain controllers were upgraded from Windows Server 2003 to Windows Server 2008 R2 Service Pack 1 (SP1). The functional level of the domain is Windows Server You need to configure SYSVOL to use DFS Replication. Which tools should you use? (Each correct answer presents part of the solution. Choose two.) A. Dfsrmig B. Frsdiag C. Ntdsutil D. Set-ADForest E. Repadmin F. Set-ADDomainMode G. DFS Management Correct Answer: AF / First we need to upgrade the domain functional level, using Set-ADDomainMode. Then, now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functional level has been upgraded (to Windows Server 2008 (R2)), we can migrate to DFS Replication for replicating SYSVOL, instead of File Replication Service (FRS) of previous Windows Server versions. We can use Dfsrmig for that migration. Reference 1: MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) page 543 In versions of Windows Server prior to Windows Server 2008, the FRS was used to replicate the contents of SYSVOL between domain controllers. FRS has limitations in both capacity and performance that cause it to break occasionally. Unfortunately, troubleshooting and configuring FRS is quite difficult. In Windows Server 2008 and Windows Server 2008 R2 domains, you have the option to use DFS-R to replicate the contents

236 of SYSVOL. Reference 2: Set-ADDomainMode The Set-ADDomainMode cmdlet sets the domain mode for a domain. You specify the domain mode by setting the DomainMode parameter. The domain mode can be set to the following values that are listed in order of functionality from lowest to highest. Windows2000Domain Windows2003InterimDomain Windows2003Domain Windows2008Domain Windows2008R2Domain Reference 3: Migrating to the Prepared State The following sections provide an overview of the procedures that you perform when you migrate SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS Replication). This migration phase includes the tasks in the following list. (...) Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Prepared state. QUESTION 12 You manage an Active Directory forest named contoso.com. The forest contains an empty root domain named contoso.com and a child domain named child.contoso.com. All domain controllers run Windows Server The functional level of the forest is Windows Server You need to raise the functional level of the forest to Windows Server 2008 R2. You must achieve this goal by using the minimum amount of administrative effort. To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Build List and Reorder:

237 Correct Answer: / To upgrade the forest level to Windows Server 2008 R2 we need to upgrade the servers first. And before we upgrade the servers we need to prepare the domain and forest using adprep. Reference 1: Caution Do not raise the forest functional level to Windows Server 2008 R2 if you have or will have any domain controllers running Windows Server 2008 or earlier. Reference 2: MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 96 The Adprep Utility Microsoft provides the Adprep utility to prepare a down-level Active Directory domain for receiving Windows Server 2008 and Windows Server 2008 R2 domain controllers. Found in the \sources\adprep folder of the installation DVD-ROM, this tool prepares the forest and domain by extending the Active Directory schema and

238 updating several required permissions. Running the Adprep /forestprep Command You must run the Adprep /forestprep command on the schema master of the forest first. It extends the schema to receive the new Windows Server 2008 enhancements, including the addition of directory descriptors for certain objects including granular password policies. You have to run this command and let its changes replicate throughout the forest before you run the Adprep /domainprep command. Reference 3: Not really relevant, but some info on why using an empty root domain is no longer preferable: aspx#adempty QUESTION 13 Your network contains an Active Directory forest. The forest contains one domain named contoso.com. You attempt to run adprep /domainprep and the operation fails. You discover that the first domain controller deployed to the forest failed. You need to run adprep /domainprep successfully. A. Move the domain naming master role. B. Install a read-only domain controller (RODC). C. Move the PDC emulator role. D. Move the RID master role. E. Move the infrastructure master role. F. Deploy an additional global catalog server. G. Move the bridgehead server. H. Move the schema master role. I. Restart the Active Directory Domain Services (AD DS) service. J. Move the global catalog server. Correct Answer: E / Adprep /domainprep must be run on the server holding the Infrastructure Master role. The role was originally installed on the first domain controller in the forest. Now it's down and another domain controller must get the Infrastructure Master role. Reference 1: Planning Operations Master Role Placement Operations master role holders are assigned automatically when the first domain controller in a given domain is created. The two forest-level roles (schema master and domain naming master) are assigned to the first domain controller created in a forest. In addition, the three domain-level roles (RID master, infrastructure master, and PDC emulator) are assigned to the first domain controller created in a domain. Reference 2: adprep /domainprep

239 Must be run on the infrastructure operations master for the domain. QUESTION 14 Your network contains an Active Directory forest. The forest contains one domain named contoso.com. You discover the following event in the Event log of client computers: "The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in %1 minutes." You need to ensure that the client computers can synchronize their clocks properly. A. Move the domain naming master role. B. Restart Active Directory Domain Services (AD DS) service. C. Move the PDC emulator role. D. Move the infrastructure master role. E. Move the global catalog server. F. Move the RID master role. G. Move the bridgehead server. H. Move the schema master role. I. Deploy an additional global catalog server. J. Install a read-only domain controller (RODC). Correct Answer: C / It could be that the server holding the PDC Emulator role has failed. Whatever the cause, we need to move the PDC Emulator role to another domain controller to restore time synchronization in the domain. Reference 1: +System&ProdVer=5.2&EvtID=14&EvtSrc=w32time&LCID=1033 Event ID 14 Message The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in %1 minutes. Windows Time Service is configured to use the domain hierarchy to locate its time source. It could not locate a domain controller that is a suitable time source. The time service will continue to search for an acceptable domain controller. If the time service cannot locate a time source after the maximum number of attempts, the Win32Time 49 message will be logged. Reference 2: MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) page 531 PDC Emulator Role The PDC Emulator role performs multiple, crucial functions for a domain: (...) Provides a master time source for the domain - Active Directory, Kerberos, File Replication Service (FRS), and Distributed File System Replication (DFS-R) each rely on timestamps, so synchronizing the time

240 across all systems in a domain is crucial. The PDC emulator in the forest root domain is the time master for the entire forest, by default. The PDC emulator in each domain synchronizes its time with the forest root PDC emulator. Other domain controllers in the domain synchronize their clocks against that domain s PDC emulator. All other domain members synchronize their time with their preferred domain controller. This hierarchical structure of time synchronization, all implemented through the Win32Time service, ensures consistency of time. Coordinated Universal Time (UTC) is synchronized, and the time displayed to users is adjusted based on the time zone setting of the computer. QUESTION 15 Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2. The DNS zone for contoso.com is Active Directory-integrated. You deploy a read-only domain controller (RODC) named RODC1. You install the DNS Server server role on RODC1. You discover that RODC1 does not have any application directory partitions. You need to ensure that RODC1 has a directory partition of contoso.com. A. From DNS Manager, create secondary zones. B. Run Dnscmd.exe, and specify the /enlistdirectorypartition parameter. C. From DNS Manager, right-click RODC1 and click Update Server Data Files. D. Run Dnscmd.exe and specify the /createbuiltindirectorypartitions parameter. Correct Answer: B / RODC Post-Installation Configuration If you install DNS server after the AD DS installation, you must also enlist the RODC in the DNS application directory partitions. The RODC is not enlisted automatically in the DNS application directory partitions by design because it is a privileged operation. If the RODC were allowed to enlist itself, it would have permissions to add or remove other DNS servers that are enlisted in the application directory partitions. To enlist a DNS server in a DNS application directory partition 1. Open an elevated command prompt. 2. At the command prompt, type the following command, and then press ENTER: dnscmd <ServerName> /EnlistDirectoryPartition <FQDN> For example, to enlist RODC01 in the domain-wide DNS application directory partition in a domain named child. contoso.com, type the following command: dnscmd RODC01 /EnlistDirectoryPartition DomainDNSZones.child.contoso.com QUESTION 16 Your network contains an Active Directory forest named contoso.com. You need to identify whether a fine-grained password policy is applied to a specific group. Which tool should you use?

241 A. Credential Manager B. Group Policy Management Editor C. Active Directory Users and Computers D. Active Directory Sites and Services Correct Answer: C / Practically the same question as K/Q7, different set of answers. Use Active Directory Users and Computers to determine the value of the msds-psoapplied attribute of the specific group: 1. Open the Properties windows for the group in Active Directory Users and Computers 2. Click the Attribute Editor tab, and then click Filter 3. Ensure that the Show attributes/optional check box is selected. 4. Ensure that the Show read-only attributes/backlinks check box is selected. 5. Locate the value of msds-psoapplied in the Attributes list. Defining the scope of fine-grained password policies A PSO can be linked to a user (or inetorgperson) or a group object that is in the same domain as the PSO: (...) A new attribute named msds-psoapplied has been added to the user and group objects in Windows Server The msds-psoapplied attribute contains a back-link to the PSO. Because the msds- PSOApplied attribute has a back-link, a user or group can have multiple PSOs applied to it. As stated previously, in Windows Server 2008, a user or group can have multiple PSOs applied to it since the msds-psoapplied attribute of the user and group objects has a back-link to the PSO. QUESTION 17 Your network contains an Active Directory domain named contoso.com. You need to create one password policy for administrators and another password policy for all other users. Which tool should you use? A. Group Policy Management Editor B. Group Policy Management Console (GPMC) C. Authorization Manager D. Ldifde Correct Answer: D / Same question as K/Q6, different set of answers. Creating a PSO using ldifde

242 You can use the ldifde command as a scriptable alternative for creating PSOs. To create a PSO using ldifde 1. Define the settings of a new PSO by saving the following sample code as a file, for example, pso.ldf: dn: CN=PSO1, CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com changetype: add objectclass: msds-passwordsettings msds-maximumpasswordage: msds-minimumpasswordage: msds-minimumpasswordlength:8 msds-passwordhistorylength:24 msds-passwordcomplexityenabled:true msds-passwordreversibleencryptionenabled:false msds-lockoutobservationwindow: msds-lockoutduration: msds-lockoutthreshold:0 msds-passwordsettingsprecedence:20 msds-psoappliesto:cn=user1,cn=users,dc=dc1,dc=contoso,dc=com 2. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK. 3. Type the following command, and then press ENTER: ldifde i f pso.ldf QUESTION 18 Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forest contains one domain. A two-way forest trust exists between the forests. You plan to add users from fabrikam.com to groups in contoso.com. You need to identify which group you must use to assign users in fabrikam.com access to the shared folders in contoso.com. To which group should you add the users? A. Group 1: Security Group - Domain Local. B. Group 2: Distribution Group - Domain Local. C. Group 3: Security Group - Global. D. Group 4: Distribution Group - Global. E. Group 5: Security Group - Universal. F. Group 6: Distribution Group - Univeral. Correct Answer: C / This one is a bit tricky. According to Microsoft's advice we should put Users Accounts into a Global Group, then add the Global Group to a Universal Group, and then add the Universal Group to a Domain Local group which is used to assigned permissions to. Microsoft calls this AGUDLP. See the reference below. So, the users need to be put in a Global Group (answer C ("Group 3: Security Group - Global")), but it's the Universal Group that travels across the forest trust (answer E ("Group 5: Security Group - Universal")). Another way of looking at the question might be that they're asking what kind of group actually is assigned access to the shared folders. That would be a Domain Local security group, being answer A ("Group 1: Security Group - Domain Local"). Because of Microsoft's advice I choose answer C ("Group 3: Security Group - Global"). But it could just

243 as well be A or E. Again, it's tricky one. Best practices for using security groups across forests By carefully using domain local, global, and universal groups, administrators can more effectively control access to resources located in other forests. Consider the following best practices: To represent the sets of users who need access to the same types of resources, create role-based global groups in every domain and forest that contains these users. For example, users in the Sales Department in ForestA require access to an order-entry application that is a resource in ForestB. Account Department users in ForestA require access to the same application, but these users are in a different domain. In ForestA, create the global group SalesOrder and add users in the Sales Department to the group. Create the global group AccountsOrder and add users in the Accounting Department to that group. To group the users from one forest who require similar access to the same resources in a different forest, create universal groups that correspond to the global group roles. For example, in ForestA, create a universal group called SalesAccountsOrders and add the global groups SalesOrder and AccountsOrder to the group. To assign permissions to resources that are to be accessed by users from a different forest, create resource-based domain local groups in every domain and use these groups to assign permissions on the resources in that domain. For example, in ForestB, create a domain local group called OrderEntryApp. Add this group to the access control list (ACL) that allows access to the order entry application, and assign appropriate permissions. To implement access to a resource across a forest, add universal groups from trusted forests to the domain local groups in the trusting forests. For example, add the SalesAccountsOrders universal group from ForestA to the OrderEntryApp domain local group in ForestB. QUESTION 19 Your network contains an Active Directory domain. The domain contains 5,000 user accounts. You need to disable all of the user accounts that have a description of Temp. You must achieve this goal by using the minimum amount of administrative effort. Which tools should you use? (Each correct answer presents part of the solution. Choose two.) A. Find B. Dsget C. Dsmod D. Dsadd E. Net accounts F. Dsquery Correct Answer: CF / Here we can use Dsquery to find the accounts that have "Temp" as their description and pipe it through to Dsmod to disable them. Should look like this: dsquery user domainroot -desc "Temp" dsmod user -disabled yes Reference 1: Dsquery user

244 Finds users in the directory who match the search criteria that you specify. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *. Syntax dsmod user Parameters domainroot Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the start node (<StartNode>). If you specify forestroot, dsquery searches by using the global catalog. The default value is domainroot. -desc <Description> Specifies the descriptions of the user objects you want to modify. Remarks The results from a dsquery search can be piped as input to one of the other directory service command-line tools, such as Dsget, Dsmod, Dsmove, or Dsrm. Reference 2: Dsmod user Modifies attributes of one or more existing users in the directory. Syntax dsmod user Parameter -disabled {yes no} Specifies whether AD DS disables user accounts for logon. The available values are yes and no. Yes indicates that AD DS disables user accounts for logon and no indicates that AD DS does not disable user accounts for logon. QUESTION 20 Your network contains an Active Directory domain. The domain contains two file servers. The file servers are configured as shown in the following table. You create a Group Policy object (GPO) named GPO1 and you link GPO1 to OU1. You configure the advanced audit policy. You discover that the settings are not applied to Server1. The settings are applied to Server2. You need to ensure that access to the file shares on Server1 is audited. A. From Active Directory Users and Computers, modify the permissions of the computer account for Server1. B. From GPO1, configure the Security Options. C. From Active Directory Users and Computers, add Server1 to the Event Log Readers group.

245 D. On Server1, run seceditexe and specify the /configure parameter. E. On Server1, run auditpol.exe and specify the /set parameter. Correct Answer: E / Reference 1: What are the differences in auditing functionality between versions of Windows? Basic audit policy settings are available in all versions of Windows since Windows 2000 and can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts. In Windows 7 and Windows Server 2008 R2, advanced audit policy settings can be configured and applied by using local and domain Group Policy settings. Reference 2: Auditpol set Sets the per-user audit policy, system audit policy, or auditing options. QUESTION 21 Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. Each OU contains over 200 user accounts. The Sales OU and the Engineering OU contain several user accounts that are members of a universal group named Group1. You have a Group Policy object (GPO) linked to the domain. You need to prevent the GPO from being applied to the members of Group1 only. A. Modify the Group Policy permissions. B. Configure Restricted Groups. C. Configure WMI filtering. D. Configure the link order. E. Enable loopback processing in merge mode. F. Link the GPO to the Sales OU. G. Configure Group Policy Preferences. H. Link the GPO to the Engineering OU. I. Enable block inheritance. J. Enable loopback processing in replace mode. Correct Answer: A / Practically the same question as K/Q50.

246 Best way to handle this is how graimer from Norway desribed it in html "GPOs are linked to OUs, not groups. Block inhertance blocks all inherited GPOs from being applied to the OU. The security filter will only help you specify groups. So you have two choices. You could remove authenticated users in the secuirty filter and add groups containing everyone except group1 members(messy solution) or you could leave authenticated users there, and specify group1 with deny apply gpo permission for the gpo(since deny will alwys win over allow)." The reference below explains a situation where the GPO only needs to be applied to one group, it's the other way around so to speak. MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) page 285, 286 Using Security Filtering to Modify GPO Scope By now, you ve learned that you can link a GPO to a site, domain, or OU. However, you might need to apply GPOs only to certain groups of users or computers rather than to all users or computers within the scope of the GPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specific security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group Policy permissions to the GPO. Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to a computer (for example, by its link to the computer s OU), but the computer does not have Read and Apply Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate permissions for security groups, you can filter a GPO so that its settings apply only to the computers and users you specify. Filtering a GPO to Apply to Specific Groups To apply a GPO to a specific security group, perform the following steps: 4. Select the GPO in the Group Policy Objects container in the console tree. 5. In the Security Filtering section, select the Authenticated Users group and click Remove. 6. Click OK to confirm the change. 7. Click Add. 8. Select the group to which you want the policy to apply and click OK. QUESTION 22 Your network contains an Active Directory domain. You have two Group Policy objects (GPOS) named GPO1 and GPO2. GPO1 and GPO2 are linked to the Finance organizational unit (OU) and contain multiple settings. You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied, the setting in GPO2 takes effect. You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure that all non-conflicting settings in both GPOs are applied. A. Configure the link order. B. Configure Restricted Groups. C. Enable block inheritance. D. Link the GPO to the Finance OU. E. Enable Ioopback processing in merge mode.

247 F. Enable Ioopback processing in replace mode. G. Link the GPO to the Human Resources OU. H. Configure Group Policy Preferences. I. Configure WMI filtering. J. Modify the Group Policy permissions. Correct Answer: A / Practically the same as J/Q4 and K/Q3. MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) page 283 Precedence of Multiple Linked GPOs An OU, domain, or site can have more than one GPO linked to it. In the event of multiple GPOs, the GPOs link order determines their precedence. In Figure 6-10, two GPOs are linked to the People OU. figure 6-10 GPO link order The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that are enabled or disabled in the Power User Configuration GPO have precedence over these same settings in the Standard User Configuration GPO. To change the precedence of a GPO link: 1. Select the OU, site, or domain in the GPMC console tree. 2. Click the Linked Group Policy Objects tab in the details pane. 3. Select the GPO. 4. Use the Up, Down, Move To Top, and Move To Bottom arrow icons to change the link order of the selected GPO. QUESTION 23 You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNS server for contoso.com. You install the DNS server server role on a member server named server1 and then you create a standard secondary zone for contoso.com. You configure DC1 as the master server for the zone. You need to ensure that Server1 receives zone updates from DC1. What should you do A. On DC1, modify the permissions of contoso.com zone. B. On Server1, add a conditional forwarder.

248 C. Add the Server1 computer account to the DNsUpdateProxy group. D. On DC1, modify the zone transfer settings for the contoso.com zone. Correct Answer: D / Practically the same question as B/Q1 and K/Q45. Modify Zone Transfer Settings You can use the following procedure to control whether a zone will be transferred to other servers and which servers can receive the zone transfer. To modify zone transfer settings using the Windows interface 1. Open DNS Manager. 2. Right-click a DNS zone, and then click Properties. 3. On the Zone Transfers tab, do one of the following: To disable zone transfers, clear the Allow zone transfers check box. To allow zone transfers, select the Allow zone transfers check box. 4. If you allowed zone transfers, do one of the following: To allow zone transfers to any server, click To any server. To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab. To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers. QUESTION 24 A corporate network includes an Active Directory-integrated zone. AIl DNS servers that host the zone are domain controllers. You add multiple DNS records to the zone. You need to ensure that the new records are available on all DNS servers as soon as possible. Which tool should you use? A. Active Directory Sites And Services console B. Ntdsutil C. Dnslint D. Nslookup Correct Answer: A / Practically the same question as F/Q28, G/Q8, K/Q8, K/Q31, different set of answers sometimes.

249 Forcing Replication When you need updates to be replicated sooner than the intersite replication schedule allows, or when replication between sites is impossible because of configuration errors, you can force replication to and from domain controllers. Forcing replication of all directory updates over a connection If you want to replicate certain updates, such as a significant addition of new passwords or user accounts, to another domain controller in the domain, you can use the Replicate now option in the Active Directory Sites and Services snap-in to force replication of all directory partitions over a connection object that represents inbound replication from a specific domain controller. A connection object for a server object that represents a domain controller identifies the replication partner from which the domain controller receives replication. If the changes are made on one domain controller, you can select the connection from that domain controller and force replication to its replication partner. You can also use the Repadmin.exe command-line tool to replication changes from a server to one or more other servers or to all servers. QUESTION 25 Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domain controllers named DC1 and DC2. DC1 and DC2 are configured as DNS servers and host the Active Directoryintegrated zone for contoso.com. From DNS Manager on DC1, you enable scavenging for the contoso.com zone. You discover stale DNS records in the zone. You need to ensure that the stale DNS records are deleted from contoso.com. A. From DNS Manager, enable scavenging on DC1. B. From DNS Manager, reload the zone. C. Run dnscmd.exe and specify the ageallrecords parameter. D. Run dnscmd.exe and specify the startscavenging parameter. Correct Answer: A / According to Technet the answer should be A ("From DNS Manager, enable scavenging on DC1"). Scavenging has been enabled for the zone, but it also needs te be enabled on the server. Prerequisites for aging and scavenging Before you can use the aging and scavenging features of DNS, several conditions must be met: Scavenging and aging must be enabled, both at the DNS server and on the zone. (...) QUESTION 26 Your network contains an Active Directory forest. The forest contains one domain named contoso.com. You discover the following event in the Event log of domain controllers: The request for a new accountidentifier pool failed. The operation will be retried until the request succeeds. The error is " %1 "" You need to ensure that the domain controllers can acquire new account-identifier pools successfully.

250 A. Move the domain naming master role. B. Move the global catalog server. C. Restart the Active Directory Domain Services (AD DS) service. D. Deploy an additional global catalog server. E. Move the infrastructure master role. F. Move the PDC emulator role. G. Install a read-only domain controller (RODC). H. Move the RID master role. I. Move the bridgehead server. J. Move the schema master role. Correct Answer: H / Practically the same question as K/Q5. This error can occur when the server holding the RID master role is not available to provide a new RID pool. Moving the RID master role to another domain controller will resolve this. Event ID RID Pool Request Users, computers, and groups stored in Active Directory are collectively known as security principals. Each security principal is assigned a unique alphanumeric string called a SID. The SID includes a domain prefix identifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the security principal within the domain. The RID is a monotonically increasing number at the end of the SID. Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master role (also known as flexible single master operations or FSMO) in each Active Directory domain. The RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each domain controller in its domain. By default, RID pools are obtained in increments of 500. (...) Newly promoted domain controllers must acquire a RID pool before they can advertise their availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID allocations in order to continue creating security principals when their current RID pool becomes depleted. Event Details Message The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is " %1 " Resolve Check connectivity to the RID master, and check its replication status A relative ID (RID) pool was not allocated to the local domain controller. Ensure that the local domain controller can communicate with the domain controller that is identified as the RID operations master. Ensure that the RID master is online and replicating to other domain controllers. QUESTION 27 Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2 Enterprise. All client computers run Windows 7 Professional. The network contains an enterprise certification authority (CA).

251 You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted File System (EFS) certificates. All users plan to encrypt files by using EFS. You need to ensure that the private keys for all new EFS certificates are archived. Which snap-in should you use? A. Share and Storage Management B. Security Configuration wizard C. Enterprise PKI D. Active Directory Administrative Center E. Certification Authority F. Group Policy Management G. Certificate Templates H. Authorization Manager I. Certificates Correct Answer: G / Practically the same question as G/Q36. Configure a Certificate Template for Key Archival The key archival process takes place when a certificate is issued. Therefore, a certificate template must be modified to archive keys before any certificates are issued based on this template. Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate template in order to protect users from data loss, but it can also be useful when applied to other types of certificates. To configure a certificate template for key archival and recovery 1. Open the Certificate Templates snap-in. 2. In the details pane, right-click the certificate template that you want to change, and then click Duplicate Template. 3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certification authorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista. 4. In Template, type a new template display name, and then modify any other optional properties as needed. 5. On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to, and then click OK. 6. Under Group or user names, select the user or group names that you just added. Under Permissions, select the Read and Enroll check boxes, and if you want to automatically issue the certificate, also select the Autoenroll check box. 7. On the Request Handling tab, select the Archive subject's encryption private key check box. QUESTION 28 Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2 Enterprise. All client computers run Windows 7 Professional.

252 The network contains an enterprise certification authority (CA). You have a custom certificate template named Sales_Temp. Sales_Temp is published to the CA. You need to ensure that all of the members of a group named Sales can enroll for certificates that use Sales_Temp. Which snap-in should you use? A. Enterprise PKI B. Certification Authority C. Share and storage Management D. Certificate Templates E. Security Configuration Wizard F. Authorization Manager G. Group Policy Management H. Certificates I. Active Directory Administrative Center Correct Answer: D / Deploying Certificate Templates After creating a new certificate template, the next step is to deploy the certificate template so that a certification authority (CA) can issue certificates based on it. Deployment includes publishing the certificate template to one or more CAs, defining which security principals have Enroll permissions for the certificate template, and deciding whether to configure autoenrollment for the certificate template. To define permissions to allow a specific security principal to enroll for certificates based on a certificate template 1. Open the Certificate Templates snap-in (Certtmpl.msc). 2. In the details pane, right-click the certificate template you want to change, and then click Properties. 3. On the Security tab, ensure that Authenticated users is assigned Read permissions. This ensures that all authenticated users on the network can see the certificate templates. 4. On the Security tab, click Add. Add a global group or universal group that contains all security principals requiring Enroll permissions for the certificate template, and then click OK. 5. On the Security tab, select the newly added security group, and then assign Allow for the Read and Enroll permissions. 6. Click OK. Permission Design Use the following recommendations for permissions assignments: Assign permissions only to global groups or to universal groups. It is not recommended to assign permissions to domain local groups. Domain local groups are only recognized in the domain where they exist, and assigning permissions to them can result in inconsistent application of permissions. You should not assign permissions directly to an individual user or computer account. (...) QUESTION 29 Your network contains an Active Directory forest named adatum.com. All domain controllers currently run Windows Server 2003 Service Pack 2 (SP2). The functional level of the forest and the domain is Windows Server 2003.

253 You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2. What should you do first? A. Deploy a writable domain controller that runs Windows Server 2008 R2. B. Raise the functional level of the forest to Windows Server C. Run adprep.exe. D. Raise the functional level of the domain to Windows Server Correct Answer: C / An RODC requires a writable domain controller running Windows Server 2008 or Windows Server 2008 R2. So, whether you install the writable domain controller first or the Windows Server 2008 R2 server (your future RODC), you have to run adprep.exe first to prepare the domain/forest for either domain controller. Prerequisites for Deploying an RODC Complete the following prerequisites before you deploy a read-only domain controller (RODC): Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available. This provides a higher level of replication consistency. The domain functional level must be Windows Server 2003 or higher, so that Kerberos constrained delegation is available. If the forest functional level is Windows Server 2003, the domain functional level of all domains in the forest is Windows Server 2003 or higher. Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008 or Windows Server 2008 R2. The adprep commands extend the Active Directory schema and update security descriptors so that you can add the new domain controllers. Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the same domain as the RODC and ensure that the writable domain controller is also a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2. QUESTION 30 Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in each forest. You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest. A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain. B. Add a trusted user domain to the AD RMS cluster in the contoso.com domain. C. Create an external trust from nwtraders.com to contoso.com. D. Create an external trust from contoso.com to nwtraders.corn. Correct Answer: B / Same question as F/Q44.

254 Using AD RMS trust It is not necessary to create trust or federation relationships between the Active Directory forests of organizations to be able to share rights-protected information between separate organizations. AD RMS provides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust. QUESTION 31 Your company plans to open a new branch office. The new office will have a Iow-speed connection to the Internet. You plan to deploy a read-only domain controller (RODC) in the branch office. You need to create an offline copy of the Active Directory database that can be used to install Active Directory on the new RODC. Which commands should you run from Ntdsutil? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Build List and Reorder: Correct Answer: / Same question as L/Q9, same answers. Installing AD DS from Media

255 You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently. To create installation media 1. Click Start, right-click Command Prompt, and then click Run as administrator to open an elevated command prompt. 2. At the command prompt, type the following command, and then press ENTER: ntdsutil 3. At the ntdsutil prompt, type the following command, and then press ENTER: activate instance ntds 4. At the ntdsutil prompt, type the following command, and then press ENTER: ifm 5. At the ifm: prompt, type the command for the type of installation media that you want to create (as listed in the table earlier in this topic), and then press ENTER. For example, to create RODC installation media, type the following command, and then press ENTER: create rodc C:\InstallationMedia Where C:\InstallationMedia is the path to the folder where you want the installation media to be created. You can save the installation media to a network shared folder or to any other type of removable media. QUESTION 32 Your network contains an Active Directory forest. All users have a value set for the Department attribute. From Active Directory Users and computers, you search a domain for all users who have a Department attribute value of Marketing. The search returns 50 users. From Active Directory Users and Computers, you search the entire directory for all users who have a Department attribute value of Marketing. The search does not return any users. You need to ensure that a search of the entire directory for users in the marketing department returns all of the users who have the Marketing Department attribute. A. Install the Windows Search Service role service on a global catalog server. B. From the Active Directory Schema snap-in, modify the properties of the Department attribute. C. Install the Indexing Service role service on a global catalog server. D. From the Active Directory Schema snap-in, modify the properties of the user class. Correct Answer: B / Same question as K/Q4. Global Catalog Partial Attribute Set The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeschema object as a member of the PAS, which sets the value of the ismemberofpartialattributeset attribute to TRUE.

256 QUESTION 33 A corporate network includes a single Active Directory Domain Services (AD DS) domain. The AD DS infrastructure is shown in the following graphic. When the Montreal site domain controller is offline, authentication requests for Montreal branch office users are sent to the Toronto site domain controller. You need to ensure that when the Montreal Site domain controller is offline, authentication requests for Montreal branch office users are sent to the Quebec City site domain controller. A. Create a site link bndge between the Montreal site and the Quebec City site. B. Enable the global catalog role on the Montreal site domain controller. C. Modify the Default Domain Policy Group Policy Object. D. Delete the Toronto-Montreal Site Link Correct Answer: C / Reference 1:

257 Enable Clients to Locate a Domain Controller in the Next Closest Site You can modify the Default Domain Policy to enable Windows Vista and Windows Server 2008 clients in the domain to locate domain controllers in the next closest site if no domain controller in their own site or the closest site is available. To enable clients to locate a domain controller in the next closest site 1. Click Start, click Administrative Tools, and then click Group Policy Management. 2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 3. Double-click Forest:forest_name, double-click Domains, and then double-click domain_name. 4. Right-click Default Domain Policy, and then click Edit. 5. In Group Policy Management Editor, in the console tree, go to Computer Configuration/Policies/ Administrative Templates/System/Netlogon/DC Locator DNS Records. 6. In the details pane, double-click Try Next Closest Site, click Enabled, and then click OK. Reference 2: Enabling Clients to Locate the Next Closest Domain Controller If you have a domain controller that runs Windows Server 2008 or Windows Server 2008 R2, you can make it possible for client computers that run Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 to locate domain controllers more efficiently by enabling the Try Next Closest Site Group Policy setting. This setting improves the Domain Controller Locator (DC Locator) by helping to streamline network traffic, especially in large enterprises that have many branch offices and sites. By default, the Try Next Closest Site setting is not enabled. When the setting is not enabled, DC Locator uses the following algorithm to locate a domain controller: Try to find a domain controller in the same site. If no domain controller is available in the same site, try to find any domain controller in the domain. If you enable the Try Next Closest Site setting, DC Locator uses the following algorithm to locate a domain controller: Try to find a domain controller in the same site. If no domain controller is available in the same site, try to find a domain controller in the next closest site. A site is closer if it has a lower site-link cost than another site with a higher site-link cost. If no domain controller is available in the next closest site, try to find any domain controller in the domain. QUESTION 34 A corporate environment includes two Active Directory Domain Services (AD DS) forests, as shown in the following table. You need to ensure that users in the contoso.com domain can access resources in the eng.fabrikam.com domain. A. Enable selective authentication. B. Enable forest-wide authentication. C. Create an external trust between contoso.com and eng.fabrikam.com. D. Enable domain-wide authentication. Correct Answer: C

258 / Creating External Trusts You can create an external trust to form a one-way or two-way, nontransitive trust with domains that are outside your forest. External trusts are sometimes necessary when users need access to resources that are located in a Windows NT 4.0 domain or in a domain that is in a separate Active Directory Domain Services (AD DS) forest that is not joined by a forest trust. QUESTION 35 Your network contains an Active Directory domain. You need to activate the Active Directory Recycle Bin in the domain. Which tool should you use? A. Dsamain B. Set-ADDomain C. Add-WindowsFeature D. Ldp Correct Answer: D / Enabling Active Directory Recycle Bin After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods: Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.) Ldp.exe QUESTION 36 Your network contains an Active Directory domain named contoso.com. You need to create a script that runs the Best Practices Analyzer (BPA) each week for all of the server roles that BPA supports on each domain controller. You must achieve this goal by using the minimum amount of administrative effort. Which tools should you use? (Each correct answer presents part of the solution. Choose three.) A. Get-Troubleshooting Pack / Invoke-Troubleshooting Pack. B. Import-Module Best Practices. C. Get-BPA Model / Invoke-BPA Model. D. Import-Module Troubleshooting Pack. E. Get- BPA Result. Correct Answer: BCE

259 / Reference 1: To scan all roles by using Windows PowerShell cmdlets 1. Open a Windows PowerShell session with elevated user rights. 2. Import the Server Manager module into your Windows PowerShell session. To import the Server Manager module, type the following, and then press ENTER. Import-Module ServerManager 3. Import the BPA module. Type the following, and then press Enter. Import-Module BestPractices 4. Pipe all roles for which BPA scans can be performed into the Invoke-BPAModel cmdlet to start scans. Get-BPAModel Invoke-BPAModel Reference 2: Get-BpaResult The Get-BPAResult cmdlet allows you to retrieve and view the results of the most recent Best Practices Analyzer (BPA) scan for a specific model. QUESTION 37 A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular user accounts reside in an organizational unit (OU) named Employees. All administrator accounts reside in an OU named Admins. You need to ensure that any time an administrator modifies an employee's name in AD DS, the change is audited. What should you do first? A. Enable the Audit directory service access setting in the Default Domain Controllers Policy Group Policy Object. B. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Employees OU. C. Enable the Audit directory service access setting in the Default Domain Policy Group Policy Object. D. Modify the searchflags property for the User class in the schema. Correct Answer: A / Same question as J/Q7, different set of answers. To audit changes made to objects in AD DS we have to use Directory Service Changes auditing, which indicates the old and new values of the changed properties of the objects that were changed. Directory Service Changes auditing is a subcategory of Audit directory service access, and is not enabled by default. To use it we have to enable it first, and we can do that specifically for Directory Service Changes by using auditpol.exe, or we can use Group Policy Management to enable Audit directory service access, which enables all subcategories, including Directory Service Changes. You do this by modifying the Default Domain Controllers Policy.

260 In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access, that controlled whether auditing for directory service events was enabled or disabled. In Windows Server 2008, this policy is divided into four subcategories: Directory Service Access Directory Service Changes Directory Service Replication Detailed Directory Service Replication This step includes procedures to enable change auditing with either the Windows interface or a command line: By using Group Policy Management, you can turn on the global audit policy, Audit directory service access, which enables all the subcategories for AD DS auditing. To enable the global audit policy using the Windows interface 1. Click Start, point to Administrative Tools, and then Group Policy Management. 2. In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit. 3. Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy. 4. In the details pane, right-click Audit directory service access, and then click Properties. 5. Select the Define these policy settings check box. 6. Under Audit these attempts, select the Success, check box, and then click OK.

261 Exam K QUESTION 1 Your network contains an Active Directory domain named contoso.com. The Administrator deletes an OU named OU1 accidentally. You need to restore OU1. Which cmdlet should you use? A. Set-ADObject cmdlet. B. Set-ADOrganizationalUnit cmdlet. C. Set-ADUser cmdlet. D. Set-ADGroup cmdlet. Correct Answer: A / I suspect that "Set-ADObject cmdlet" is a typo, because the Set-ADObject cmdlet modifies the properties of an Active Directory object. It think it should say Get-ADObject. Restoring a deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets You can also restore a deleted Active Directory object by using the Get-ADObject and Restore-ADObject Active Directory module for Windows PowerShell cmdlets. The recommended approach is to use the Get- ADObject cmdlet to retrieve the deleted object and then pass that object through the pipeline to the Restore- ADObject cmdlet. QUESTION 2 Your network contains an Active Directory domain. The domain is configured as shown in the exhibit.

262 You have a Group Policy Object (GPO) linked to the domain. You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts in the Finance organizational unit (OU). You must achieve this goal by using the minimum amount of administrative effort. A. Modify the Group Policy Permission. B. Configure WMI filtering. C. Enable block inheritance. D. Enable loopback processing in replace mode. E. Configure the link order. F. Configure Group Policy Preferences. G. Link the GPO to the Human Resources OU. H. Configure Restricted Groups. I. Enable loopback processing in merge mode. J. Link the GPO to the Finance OU. Correct Answer: C / Thanks to Wesley for pointing out the exhibit was missing! Same question as J/Q3, slightly different answers. Block Inheritance You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. QUESTION 3 Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. You have two Group Policy objects (GPOs) named GP01 and GPO2. GP01 and GP02 are linked to the Sales OU and contain multiple settings. You discover that GPO2 has a setting that conflicts with a setting in GP01. When the policies are applied, the setting in GPO2 takes effect. You need to ensure that the settings in GP01 supersede the settings in GP02. The solution must ensure that all non-conflicting settings in both GPOs are applied. A. Configure Restricted Groups. B. Configure the link order. C. Link the GPO to the Sales OU. D. Link the GPO to the Engineering OU. E. Enable loopback processing in merge mode.

263 F. Modify the Group Policy permissions. G. Configure WMI Filtering. H. Configure Group Policy Preferences. I. Enable loopback processing in replace mode. J. Enable block inheritance. Correct Answer: B / Practically the same as J/Q4 and J/Q22. MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) page 283 Precedence of Multiple Linked GPOs An OU, domain, or site can have more than one GPO linked to it. In the event of multiple GPOs, the GPOs link order determines their precedence. In Figure 6-10, two GPOs are linked to the People OU. figure 6-10 GPO link order The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that are enabled or disabled in the Power User Configuration GPO have precedence over these same settings in the Standard User Configuration GPO. To change the precedence of a GPO link: 1. Select the OU, site, or domain in the GPMC console tree. 2. Click the Linked Group Policy Objects tab in the details pane. 3. Select the GPO. 4. Use the Up, Down, Move To Top, and Move To Bottom arrow icons to change the link order of the selected GPO. QUESTION 4 Your network contains an Active Directory forest. All users have a value set for the Department attribute. From Active Directory Users and Computers, you search a domain for all users who have a Department attribute value of Marketing. The search returns 50 users. From Active Directory Users and Computers, you search the entire directory for all users who have a Department attribute value of Marketing. The search does not return any users.

264 You need to ensure that a search of the entire directory for users in the marketing department returns all of the users who have the Marketing Department attribute. A. Install the Windows Search Service role service on a global catalog server. B. From the Active Directory Schema snap-in modify the properties of the Department attribute. C. Install the Indexing Service role service on a global catalog server. D. From the Active Directory Schema snap-in modify the properties of the user class. Correct Answer: B / Same question as J/Q32. Global Catalog Partial Attribute Set The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeschema object as a member of the PAS, which sets the value of the ismemberofpartialattributeset attribute to TRUE. QUESTION 5 Your network contains an Active Directory forest. The forest contains one domain named contoso.com. You discover the following event in the Event log of domain controllers: "The request for a new accountidentifier pool failed. The operation will be retried until the request succeeds. The error is " %1 "" You need to ensure that the domain controllers can acquire new account-identifier pools successfully. A. Move the PDC emulator role. B. Move the schema master role. C. Move the global catalog server. D. Move the domain naming master role. E. Move the infrastructure master role. F. Move the RID master role. G. Restart the Active Directory Domain Services (AD DS) service. H. Deploy an additional global catalog server. I. Move the bridgehead server. J. Install a read-only domain controller (RODC). Correct Answer: F / Practically the same question as J/Q26.

265 This error can occur when the server holding the RID master role is not available to provide a new RID pool. Moving the RID master role to another domain controller will resolve this. Event ID RID Pool Request Users, computers, and groups stored in Active Directory are collectively known as security principals. Each security principal is assigned a unique alphanumeric string called a SID. The SID includes a domain prefix identifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the security principal within the domain. The RID is a monotonically increasing number at the end of the SID. Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master role (also known as flexible single master operations or FSMO) in each Active Directory domain. The RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each domain controller in its domain. By default, RID pools are obtained in increments of 500. (...) Newly promoted domain controllers must acquire a RID pool before they can advertise their availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID allocations in order to continue creating security principals when their current RID pool becomes depleted. Event Details Message The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is " %1 " Resolve Check connectivity to the RID master, and check its replication status A relative ID (RID) pool was not allocated to the local domain controller. Ensure that the local domain controller can communicate with the domain controller that is identified as the RID operations master. Ensure that the RID master is online and replicating to other domain controllers. QUESTION 6 Your network contains an Active Directory domain named contoso.com. You need to create one password policy for administrators and another password policy for all other users. Which tool should you use? A. Ntdsutil B. Active Directory Users and Computers C. ADSI Edit D. Group Policy Management Console (GPMC) Correct Answer: C / Same question as J/Q17, different set of answers. Creating a PSO using ADSI Edit Active Directory Service Interfaces Editor (ADSI Edit) provides a view of every object and attribute in an Active Directory Domain Services (AD DS) forest. You can use ADSI Edit to query, view, and edit AD DS objects and attributes.

266 To create a PSO using ADSI Edit 1. Click Start, click Run, type adsiedit.msc, and then click OK. 2. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to. 3. In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO, and then click OK. 4. Double-click the domain. 5. Double-click DC=<domain_name>. 6. Double-click CN=System. 7. Click CN=Password Settings Container. All the PSO objects that have been created in the selected domain appear. 8. Right-click CN=Password Settings Container, click New, and then click Object. 9. In the Create Object dialog box, under Select a class, click msds-passwordsettings, and then click Next. 10.In Value, type the name of the new PSO, and then click Next. 11.Continue with the wizard, and enter appropriate values for all musthave attributes. QUESTION 7 Your network contains an Active Directory forest named contoso.com. You need to identify whether a fine-grained password policy is applied to a specific group. Which tool should you use? A. Active Directory Sites and Services B. Authorization Manager C. Local Security Policy D. ADSI Edit Correct Answer: D / Practically the same question as J/Q16, different set of answers. Use ADSI Edit to determine the value of the msds-psoapplied attribute of the specific group: 1. Open the Properties windows for the group in ADSI Edit 2. On the Attribute Editor tab click Filter 3. Ensure that the Show attributes/optional check box is selected. 4. Ensure that the Show read-only attributes/backlinks check box is selected. 5. Locate the value of msds-psoapplied in the Attributes list. Defining the scope of fine-grained password policies A PSO can be linked to a user (or inetorgperson) or a group object that is in the same domain as the PSO: (...) A new attribute named msds-psoapplied has been added to the user and group objects in Windows Server The msds-psoapplied attribute contains a back-link to the PSO. Because the msds- PSOApplied attribute has a back-link, a user or group can have multiple PSOs applied to it. As stated previously, in Windows Server 2008, a user or group can have multiple PSOs applied to it since the msds-psoapplied attribute of the user and group objects has a back-link to the PSO. QUESTION 8 A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers.

267 You add multiple DNS records to the zone. You need to ensure that the new records are available on all DNS servers as soon as possible. Which tool should you use? A. Repadmin B. Active Directory Domains and Trusts console C. Ldp D. Ntdsutil Correct Answer: A / Practically the same question as F/Q28, G/Q8, J/Q24, K/Q31, different set of answers sometimes. To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool. Forcing Replication Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements. Force a replication event with all partners The repadmin /syncall command synchronizes a specified domain controller with all replication partners. Syntax repadmin /syncall <DC> [<NamingContext>] [<Flags>] Parameters <DC> Specifies the host name of the domain controller to synchronize with all replication partners. <NamingContext> Specifies the distinguished name of the directory partition. <Flags> Performs specific actions during the replication. QUESTION 9 Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and child.contoso.com. The forest contains two sites named Seattle and Denver. Both sites contain users, client computers, and domain controllers from both domains. The Seattle site contains the first domain controller deployed to the forest. The Seattle site also contains the primary domain controller (PDC) emulator for both domains. All of the domain controllers are configured as DNS servers. All DNS zones are replicated to all of the domain controllers in the forest. The users in the Denver site report that is takes a long time to log on to their client computer when they use their user principal name (UPN). The users in the Seattle site do not experience the same issue. You need to reduce the amount of time it takes for the Denver users to log on to their client computer by using their UPN.

268 A. Reduce the cost of the site link between the Denver site and the Seattle site. B. Enable the global catalog on a domain controller in the Denver site. C. Enable universal group membership caching in the Denver site. D. Move a PDC emulator to the Denver site. E. Reduce the replication interval of the site link between the Denver site and the Seattle site. F. Add an additional domain controller to the Denver site. Correct Answer: B / Quite similar to K/Q39. Common Global Catalog Scenarios The following events require a global catalog server: (...) User logon. In a forest that has more than one domain, two conditions require the global catalog during user authentication: 1. When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name. 2. (...) QUESTION 10 Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forest contains a single domain. A two-way forest trust exists between the forests. Selective authentication is enabled on the trust. Contoso.com contains a group named Group 1. Fabrikam.com contains a server named Server1. You need to ensure that users in Group1 can access resources on Server1. What should you modify? A. the permissions of the Group1 group B. the UPN suffixes of the contoso.com forest C. the UPN suffixes of the fabrikam.com forest D. the permissions of the Server1 computer account Correct Answer: A / Group1 must get the 'Allowed To Authenticate' permission on Server1, so I'd go for A, as given. Answer D may sound tempting, but it speaks of permissions of the Server1 computer account. MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) pages 643, 644

269 After you have selected Selective Authentication for the trust, no trusted users will be able to access resources in the trusting domain, even if those users have been given permissions. The users must also be assigned the Allowed To Authenticate permission on the computer object in the domain. 1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is selected on the View menu. 2. Open the properties of the computer to which trusted users should be allowed to authenticate that is, the computer that trusted users will log on to or that contains resources to which trusted users have been given permissions. 3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box for the Allowed To Authenticate permission. QUESTION 11 Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. Users in the Sates OU frequently log on to client computers in the Engineering OU. You need to meet the following requirements: - All of the user settings in the Group Policy objects (GPOs) linked to both the Sales OU and the Engineering OU must be applied to sales users when they log on to client computers in the Engineering OU. - Only the policy settings in the GPOs linked to the Sales OU must be applied to sales users when they log on to client computers in the Sales OU. - Policy settings in the GPOs linked to the Sales OU must not be applied to users in the Engineering OU. A. Modify the Group Policy permissions. B. Enable block inheritance. C. Configure the link order. D. Enable loopback processing in merge mode. E. Enable loopback processing in replace mode. F. Configure WMI filtering. G. Configure Restricted Groups. H. Configure Group Policy Preferences. I. Link the GPO to the Sales OU. J. Link the GPO to the Engineering OU. Correct Answer: D / Very similar question to L/Q6. We have to use loopback processing in merge mode if we want all User Configuration settings from the GPO's that are linked to the Sales OU and the Engineering OU to be applied. Reference 1: Loopback processing with merge or replace Setting loopback causes the User Configuration settings in GPOs that apply to the computer to be applied to every user logging on to that computer, instead of (in replace mode) or in addition to (in merge mode) the User

270 Configuration settings of the user. This allows you to ensure that a consistent set of policies is applied to any user logging on to a particular computer, regardless of their location in Active Directory. Loopback can be set to Not Configured, Enabled, or Disabled. In the Enabled state, loopback can be set to Merge or Replace. In either case the user only receives user-related policy settings. Loopback with Replace In the case of Loopback with Replace, the GPO list for the user is replaced in its entirety by the GPO list that is already obtained for the computer at computer startup (during step 2 in Group Policy processing and precedence). The User Configuration settings from this list are applied to the user. Loopback with Merge In the case of Loopback with Merge, the Group Policy object list is a concatenation. The default list of GPOs for the user object is obtained, as normal, but then the list of GPOs for the computer (obtained during computer startup) is appended to this list. Because the computer's GPOs are processed after the user's GPOs, they have precedence if any of the settings conflict. Reference 2: For a clear and easy explanation of Loopback Processing. Recommended! Reference 3: Windows Server 2008 R2 Unleashed (SAMS, 2010) page 1028 Loopback Processing When a user is processing domain policies, the policies that apply to that user are based on the location of the user object in the Active Directory hierarchy. The same goes for domain policy application for computers. There are situations, however, when administrators or organizations want to ensure that all users get the same policy when logging on to a particular computer or server. For example, on a computer that is used for training or on a Remote Desktop Session Host, also known as a Terminal Server, when the user desktop environment must be the same for each user, this can be controlled by enabling loopback processing in Replace mode on a policy that is applied to the computer objects. To explain a bit further, if a domain policy has the loopback settings enabled and set to Replace mode, any settings defined within that policy in the User Configuration node are applied to all users who log on to the computer this particular policy is applied to. When loopback processing is enabled and configured in Merge mode on a policy applied to a computer object and a user logs on, all of the user policies are applied and then all of the user settings within the policy applied to the computer object are also applied to the user. This ensures that in either Replace or Merge mode, loopback processing applies the settings contained in the computerlinked policies last. QUESTION 12 You have an Active Directory domain named contoso.com. You need to view the account lockout threshold and duration for the domain. Which tool should you use? A. Computer Management B. Net Config C. Active Directory Users and Computers D. Gpresult Correct Answer: C / Same question as K/Q44. Hard to find references for this one. I checked the steps below on a virtual lab.

271 You can see the required settings when you: 1. Open Active Directory Users and Computers 2. Go to View in the menubar and make sure "Advanced Features"is checked. 3. Right click on the domain and choose Properties 4. On the Attribute Editor tab click on Filter 5. Ensure that the Show attributes/optional check box is selected. 6. In the Attributes list locate lockoutthreshold and lockoutduration. Played with the settings in the Group Policy Management Editor and the settings were reflected in the steps above every time. QUESTION 13 Your network contains an Active Directory forest. The forest contains two domains named contoso.com and east.contoso.com. The contoso.com domain contains a domain controller named DC1. The east.contoso.com domain contains a domain controller named DC2. DC1 and DC2 have the DNS Server server role installed. You need to create a DNS zone that is available on DC1 and DC2. The solution must ensure that zone transfers are encrypted. A. Create a primary zone on DC1 and store the zone in a zone file. On DC1 and DC2, configure inbound rules and outbound rules by using Windows Firewall with Advanced Security. Create a secondary zone on DC2 and select DC1 as the master. B. Create a primary zone on DC1 and store the zone in a DC=ForestDNSZones, DC=Contoso, DC=com naming context. C. Create a primary zone on DC2 and store the zone in a DC= DC=East, DC=Contoso/DC=com naming context. Create a secondary zone on DC1 and select DC2 as the master. D. Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for the zone. Create a secondary zone on DC2 and select DC1 as the master. Correct Answer: B / This one looks a bit like question A/Q15, in which we had two domain controllers, one having a primary zone, and the second with the secondary zone. We needed to ensure that the replication of the zone was encrypted. The solution was to use an Active Directory-integrated zone, and it makes sense to apply that here too. IPsec could be a valid option too, but is not listed. DNSSEC is used to sign DNS responses between servers and clients, not to encrypt zone transfers. Reference 1: Securing DNS Zone Replication Using Active Directory Replication Replicating zones as part of Active Directory replication provides the following security benefits: Active Directory replication traffic is encrypted; therefore zone replication traffic is encrypted automatically. (...) Reference 2:

272 DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted. Reference 3: It is important to note that DNSSEC does not supply a solution for data confidentiality but only a validation of DNS data authenticity and integrity. All information exchanged is not encrypted; it is only the signature which is encrypted. Reference 4: Zone transfers Zone transfers of a DNSSEC-signed zone function in the same way they do for an unsigned zone. All of the resource records, including DNSSEC resource records, are transferred from the primary server to the secondary servers with no additional setup requirements. Reference 5: Overview of DNSSEC Domain Name System Security Extensions (DNSSEC) is a suite of extensions that adds security to the DNS protocol by providing the ability for DNS servers to validate DNS responses. With DNSSEC, resource records are accompanied by digital signatures. These digital signatures are generated when DNSSEC is applied to a DNS zone using a process called zone signing. When a resolver issues a DNS query for resource record in a signed zone, a digital signature is returned with the response so that validation can be performed. If validation is successful, this proves that the data has not been modified or tampered with in any way. QUESTION 14 Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2. The network contains an enterprise certification authority (CA). You need to ensure that all of the members of a group named Managers can view the event log entries for Certificate Services. Which snap-in should you use? A. Active Directory Administrative Center B. Authorization Manager C. Certificate Templates D. Certificates E. Certification Authority F. Enterprise PKI G. Group Policy Management H. Security Configuration Wizard I. Share and Storage Management Correct Answer: G

273 / All credit goes to Luffy for correcting this one! Practically the same as G/Q37. We can make the Group1 group a member of the Event Log Readers Group, giving them read access to all event logs, thus including the Certificate Services events. We can do that by using Group Policy Management. Reference 1: It's a bit hard to find some good, clear reference for this. There's nothing wrong with doing it yourself, so here's what I did in VMWare, using a domain controller and a member server. Click along if you want! In VMWare I have setup a domain controller, DC01 and a member server MEM01, both belonging to the contoso.com domain. I have placed MEM01 in an OU named Events. I have created a global security group, named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM Start the Group Policy Management console on DC Right-click the Events OU and choose "Create a GPO in this domain, and Link it here..." 3. I named the GPO "EventLog_TESTGROUP" 4. Right-click the "EventLog_TESTGROUP" GPO and choose "Edit..." 5. Go to Computer Configuration \ Policies\ Windows Settings \ Security Settings and select "Restricted Groups" 6. Right-click "Restricted Groups" and choose "Add Group..." 7. Now there are two ways to do this. We can select TESTGROUP and make it a member of the Event Log Readers group, or we can select the Event Log Readers group and add TESTGROUP as a member. Let's do the second one. Click the Browse button and go find the Event Log Readers group. Click OK. 8. Click the Browse button next to "Members of this group", search for the TESTGROUP group and add it. It should look like this now:

274 9. Click OK. 10.On MEM01 open a command prompt and run gpupdate /force. 11.Check the Event Log Readers group properties and see that the TESTGROUP group is now a member.

275 Reference 2: Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008 So if you want to give Non-Administrator users access remotely to Event logs if the Servers or Domain Controllers they are accessing are Windows 2003 follow the steps below. (...) Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case just add them to the Built in Event Log Readers group.

276 QUESTION 15 Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2 Enterprise. All client computers run Windows 7 Professional. The network contains an enterprise certification authority (CA). You need to approve a pending certificate request. Which snap-in should you use? A. Active Directory Administrative Center B. Authorization Manager C. Certificate Templates D. Certificates E. Certification Authority F. Enterprise PKI G. Group Policy Management H. Security Configuration Wizard I. Share and Storage Management Correct Answer: E / Practically the same question as G/Q40. Reference 1: To issue a pending certificate request: 1. Log on to your root CA by using an account that is a certificate manager. 2. Start the Certification Authority snap-in. 3. In the console tree, expand your root CA, and click Pending Certificates. 4. In the details pane, right-click the pending CA certificate, and click Issue. QUESTION 16 Your network contains an Active Directory domain named contoso.com. You have an organizational unit (OU) named Sales and an OU named Engineering. You have a Group Policy object (GPO) linked to the domain. You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts in the Sales OU. You must achieve this goal by using the minimum amount of administrative effort. A. Modify the Group Policy permissions. B. Enable block inheritance. C. Configure the link order. D. Enable loopback processing in merge mode. E. Enable loopback processing in replace mode. F. Configure WMI filtering. G. Configure Restricted Groups.

277 H. Configure Group Policy Preferences. I. Link the GPO to the Sales OU. J. Link the GPO to the Engineering OU. Correct Answer: B / Block Inheritance You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. QUESTION 17 A corporate network includes a single Active Directory Domain Services (AD DS) domain. The domain contains 10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You plan to create an Active Directory-integrated zone. You need to ensure that the new zone is replicated to only four of the domain controllers. What should you do first? A. Use the ntdsutil tool to modify the DS behavior for the domain. B. Use the ntdsutil tool to add a naming context. C. Create a new delegation in the ForestDnsZones application directory partition. D. Use the dnscmd tool with the /zoneadd parameter. Correct Answer: B / Practically the same question as A/Q50 and D/Q25, different set of answers. To control which servers get a copy of the zone we have to store the zone in an application directory partition. That application directory partition must be created before we create the zone, otherwise it won't work. So that's what we have to do first. Directory partitions are also called naming contexts and we can create one using ntdsutil. Here I tried to create a zone with dnscmd /zoneadd. It failed because the directory partition I wanted to use did not exist yet. To fix that I used ntdsutil to create the directory partition dc=venomous,dc=contoso,dc=com. Note that after creating it a new naming context had been added. Then, after a minute or two, I tried to create the new zone again, and this time it worked.

278 Reference 1: Store Data in an AD DS Application Partition You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). An application directory partition is a data structure in AD DS that distinguishes data for different replication purposes. When you store a DNS zone in an application directory partition, you can control the zone replication scope by controlling the replication scope of the

279 application directory partition. Reference 2: partition management Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). This is a subcommand of Ntdsutil and Dsmgmt. Examples To create an application directory partition named AppPartition in the contoso.com domain, complete the following steps: 1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, rightclick Command Prompt, and then click Run as administrator. 2. Type: ntdsutil 3. Type: Ac in ntds 4. Type: partition management 5. Type: connections 6. Type: Connect to server DC_Name 7. Type: quit 8. Type: list The following partitions will be listed: 0 CN=Configuration,DC=Contoso,DC=com 1 DC=Contoso,DC=com 2 CN=Schema,CN=Configuration,DC=Contoso,DC=com 3 DC=DomainDnsZones,DC=Contoso,DC=com 4 DC=ForestDnsZones,DC=Contoso,DC=com 9. At the partition management prompt, type: create nc dc=apppartition,dc=contoso,dc=com ConDc1.contoso.com 10.Run the list command again to refresh the list of partitions. QUESTION 18 Your network contains an Active Directory forest named fabrikam.com. The forest contains the following domains: - Fabrikam.com - Eu.fabrikam.com - Na.fabrikam.com - Eu.contoso.com - Na.contoso.com You need to configure the forest to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix of contoso.com when they create user accounts from Active Directory Users and Computers. Which tool should you use? A. Active Directory Sites and Services B. Set-ADDomain C. Set-ADForest D. Active Directory Administrative Center Correct Answer: C

280 / Quite similar to K/Q41. We would use the following command to achieve this: Set-ADForest Reference 1: Creating a UPN Suffix for a Forest This topic explains how to use the Active Directory module for Windows PowerShell to create a new user principal name (UPN) suffix for the users in a forest. Creating an additional UPN suffix helps simplify the names that are used to log on to another domain in the forest. Example The following example demonstrates how to create a new UPN suffix for the users in the Fabrikam.com forest: Set-ADForest Reference 2 Set-ADForest Modifies an Active Directory forest. Parameter UPNSuffixes Modifies the list of user principal name (UPN) suffixes of the forest. This parameter sets the multi-valued msds-upnsuffixes property of the cross-reference container. This parameter uses the following syntax to add remove, replace, or clear UPN suffix values. Syntax: To add values: QUESTION 19 A corporate network includes a single Active Directory Domain Services (AD DS) domain and two AD DS sites. The AD DS sites are named Toronto and Montreal. Each site has multiple domain controllers. You need to determine which domain controller holds the Inter-Site Topology Generator role for the Toronto site. A. Use the Active Directory Sites and Services console to view the NTDS Site Settings for the Toronto site. B. Use the Ntdsutil tool with the roles parameter. C. Use the Ntdsutil tool with the LDAP policies parameter. D. Use the Active Directory Sites and Services console to view the properties of each domain controller in the Toronto site. Correct Answer: A /

281 Determine the ISTG Role Owner for a Site The Intersite Topology Generator (ISTG) is the domain controller in each site that is responsible for generating the intersite topology. If you want to regenerate the intersite topology, you must determine the identity of the ISTG role owner in a site. You can use this procedure to view the NTDS Site Settings object properties and determine the ISTG role owner for the site. To determine the ISTG role owner for a site 1. Open Active Directory Sites and Services. 2. In the console tree, click the site object whose ISTG role owner you want to determine. 3. In the details pane, right-click the NTDS Site Settings object, and then click Properties. The current role owner appears in the Server box under Inter-Site Topology Generator. QUESTION 20 Your network contains an Active Directory domain. The domain contains five sites. One of the sites contains a read-only domain controller (RODC) named RODC1. You need to identify which user accounts can have their password cached on RODC1. Which tool should you use? A. Repadmin B. Dcdiag C. Get-ADDomainControllerPasswordReplicationPolicyUsage D. Adtest Correct Answer: A / "The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that are authenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC. The list of accounts that are stored on a RODC is known as the revealed list." So, this revealed list has a list of accounts whose passwords are cached on RODC's. But we don't need the accounts that are cached on RODC1, but the ones that can be cached on RODC1. Those are in the allowed list, and we can get it using repadmin. Repadmin /prp Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs). Syntax repadmin /prp view <RODC> {<List_Name> <User>} Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user. Parameters <RODC> Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain. <List_Name>

282 Specifies all the security principals that are in the list that you want to view. The valid list names are as follows: auth2: The list of security principals that the RODC has authenticated. reveal: The list of security principals for which the RODC has cached passwords. allow: The list of security principals in the msds-revealondemandgroup attribute. The RODC can cache passwords for this list of security principals only. deny: The list of security principals in the msds-neverrevealgroup attribute. The RODC cannot cache passwords for any security principals in this list. QUESTION 21 A network contains an Active Directory forest. The forest contains three domains and two sites. You remove the global catalog from a domain controller named DC2. DC2 is located in Site1. You need to reduce the size of the Active Directory database on DC2. The solution must minimize the impact on all users in Site1. What should you do first? A. On DC2, start the Protected Storage service. B. On DC2, stop the Active Directory Domain Services service. C. Start DC2 in Safe Mode. D. Start DC2 in Directory Services Restore Mode. Correct Answer: B / Returning Unused Disk Space from the Active Directory Database to the File System During ordinary operation, the free disk space in the Active Directory database file becomes fragmented. Each time garbage collection runs (every 12 hours, by default), free disk space is automatically defragmented online to optimize its use within the database file. The unused disk space is maintained for the database; it is not returned to the file system. Only offline defragmentation can return unused disk space from the directory database to the file system. When database contents have decreased considerably through a bulk deletion (for example, when you remove the global catalog from a domain controller), or if the size of the database backup is significantly increased as a result of the amount of free disk space, use offline defragmentation to reduce the size of the Ntds.dit file. On domain controllers that are running Windows Server 2008, offline defragmentation does not require restarting the domain controller in Directory Services Restore Mode (DSRM), as is required on domain controllers that are running versions of Windows Server 2000 and Windows Server You can use a new feature in Windows Server 2008, restartable Active Directory Domain Services (AD DS), to stop the AD DS service. When the service is stopped, services that depend on AD DS shut down automatically. However, any other services that are running on the domain controller, such as Dynamic Host Configuration Protocol (DHCP), continue to run and respond to clients. QUESTION 22 Your network contains an Active Directory domain named adatum.com. The functional level of the domain is Windows Server All domain controllers run Windows Server 2008 R2. All client computers run Windows 7 Enterprise. You need to receive a notification when more than 50 Active Directory objects are deleted per second.

283 A. Run the Get-ADDomain cmdlet. B. Run the dsget.exe command. C. Run the ntdsutil.exe command. D. Run the ocsetup.exe command. E. Run the dsamain.exe command. F. Run the eventcreate.exe command. G. Create a Data Collector Set (DCS). H. Create custom views from Event Viewer. I. Configure subscriptions from Event Viewer. J. Import the Active Directory module for Windows PowerShell. Correct Answer: G / Practically the same question as H/Q11. Configure Windows Server 2008 to Notify you when Certain Events Occur You can configure alerts to notify you when certain events occur or when certain performance thresholds are reached. You can send these alerts as network messages and as events that are logged in the application event log. You can also configure alerts to start applications and performance logs. To configure an alert, follow these steps: 1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set. 2. (...) 3. In the Performance Counters panel, select the first counter, and then use the Alert When Value Is text box to set the occasion when an alert for this counter is triggered. Alerts can be triggered when the counter is above or below a specific value. Select Above or Below, and then set the trigger value. The unit of measurement is whatever makes sense for the currently selected counter or counters. For example, to generate an alert if processor time is over 95 percent, select Over, and then type 95. Repeat this process to configure other counters you ve selected. QUESTION 23 You have an enterprise subordinate certification authority (CA). You have a custom certificate template that has a key length of 1,024 bits. The template is enabled for autoenrollment. You increase the template key length to 2,048 bits. You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new template. Which console should you use? A. Group Policy Management MMC Snap-In B. Certificates MMC Snap-In on the Certificate Authority C. Certificate Templates MMC Snap-In D. Certification Authority MMC Snap-In

284 Correct Answer: C / Practically the same question as F/Q13. Re-Enroll All Certificate Holders This procedure is used when a critical change is made to the certificate template and you want all subjects that hold a certificate that is based on this template to re-enroll as quickly as possible. The next time the subject verifies the version of the certificate against the version of the template on the certification authority (CA), the subject will re-enroll. Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration. To re-enroll all certificate holders 1. Open the Certificate Templates snap-in. 2. Right-click the template that you want to use, and then click Reenroll All Certificate Holders. QUESTION 24 Your network contains an Active Directory forest. The forest contains one domain named contoso.com. You attempt to create a new child domain and you receive the following error message: "An LDAP read of operational attributes failed." You need to ensure that you can add a new child domain to the forest. A. Move the PDC emulator role. B. Move the RID master role. C. Move the infrastructure master role. D. Move the schema master role. E. Move the domain naming master role. F. Move the global catalog server. G. Move the bridgehead server. H. Install a read-only domain controller (RODC). I. Deploy an additional global catalog server. J. Restart the Active Directory Domain Services (AD DS) service. Correct Answer: E / This message appears when the domain naming master is unavailable. It needs to be moved to another domain controller to resolve this. Troubleshooting Active Directory Installation Wizard Problems

285 Symptom or Error An LDAP read of operational attributes failed. Root Cause The domain naming master for the forest is offline or cannot be contacted. Solution Make the current domain naming master accessible. If necessary, see "Seizing Operations Master Roles" in this guide. QUESTION 25 Your network contains an Active Directory domain named adatum.com. The functional level of the domain is Windows Server All domain controllers run Windows Server 2008 R2. You mount an Active Directory snapshot. You need to ensure that you can connect to the snapshot by using LDAP. A. Run the Get-ADDomain cmdlet. B. Run the dsget.exe command. C. Run the ntdsutil.exe command. D. Run the ocsetup.exe command. E. Run the dsamain.exe command. F. Run the eventcreate.exe command, G. Create a Data Collector Set (DCS). H. Create custom views from Event Viewer. I. Configure subscriptions from Event Viewer. J. Import the Active Directory module for Windows PowerShell. Correct Answer: E / Practically the same question as H/Q13. The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain. Requirements for using the Active Directory database mounting tool You do not need any additional software to use the Active Directory database mounting tool. All the tools that are required to use this feature are built into Windows Server 2008 and are available if you have the AD DS or the AD LDS server role installed. These tools include the following: (...) Dsamain.exe, which you can use to expose the snapshot data as an LDAP server Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers QUESTION 26 Your network contains an Active Directory domain named contoso.com.

286 You have an organizational unit (OU) named Sales and an OU named Engineering. You need to ensure that when users log on to client computers, they are added automatically to the local Administrators group. The users must be removed from the group when they log off of the client computers. A. Modify the Group Policy permissions. B. Enable block inheritance. C. Configure the link order. D. Enable loopback processing in merge mode. E. Enable loopback processing in replace mode. F. Configure WMI filtering. G. Configure Restricted Groups. H. Configure Group Policy Preferences. I. Link the Group Policy object (GPO) to the Sales OU. J. Link the Group Policy object (GPO) to the Engineering OU. Correct Answer: H / Practically the same question as L/Q QUESTION 27 Your network contains an Active Directory forest named contoso.com. The forest contains two member servers named Server1 and Server2. Server1 and Server2 have the DNS Server server role installed. Server1 hosts a standard primary zone for contoso.com. Server2 is configured as a secondary name server for contoso.com. You experience issues with the copy of the zone on Server2, You verify that both copies of the zone have the same serial number. You need to transfer a complete copy of the zone from Server1 to Server2. What should you do on Server2? A. From DNS Manager, right-click contoso.com and click Transfer from Master. B. From Services, right-click DNS Server and click Refresh. C. From Services, right-click DNS Server and click Restart. D. From DNS Manager, right-click contoso.com and click Reload. E. From DNS Manager, right-click contoso.com and click Transfer a new copy of zone from Master. Correct Answer: E /

287 Must be a typo in E, because it's actually Transfer new copy of zone from Master. Restarting the DNS service does initiate a zone transfer request, but because the serial/version numbers are the same no zone transfer will take place. Only if the Master had a higher number would there be a zone transfer. MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, 2011) page 212 Manually Updating a Secondary Zone By right-clicking a secondary zone in the DNS Manager console tree, you can use the shortcut menu to perform the following secondary zone update operations: Reload - This operation reloads the secondary zone from the local storage. Transfer From Master - The server hosting the local secondary zone determines whether the serial number in the secondary zone s SOA resource record has expired and then pulls a zone transfer from the master server. Transfer New Copy Of Zone From Master - This operation performs a zone transfer from the secondary zone s master server regardless of the serial number in the secondary zone s SOA resource record. QUESTION 28 Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controller named DC3 and DC4, The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day. At 07:00, an administrator deletes a user account while he is logged on to DC1. "A Composite Solution With Just One Click" - Certification Guaranteed 266 Microsoft Exam You need to restore the deleted user account. You want to achieve this goal by using the minimum amount of administrative effort. A. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active Directory Domain Services. B. On DC3, run the Restore-ADObject cmdlet. C. On DC1, run the Restore-ADObject cmdlet. D. On DC1, stop Active Directory Domain Services, restore the SystemState, and then start Active Directory Domain Services. Correct Answer: A / Practically the same question as E/Q33 and J/Q2. We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and you can only use Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the question text it says "The functional level of the forest is Windows Server 2003." See Performing an authoritative restore on DC3 updates the Update Sequence Number (USN) on that DC, which causes it to replicate the restored user account to other DC's.

288 Reference 1: MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) page 692 "An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers." Reference 2: Authoritative restore of AD DS has the following requirements: (...) You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete. QUESTION 29 You create a standard primary zone for contoso.com. You need to specify a user named Admin1 as the person responsible for managing the zone. (Each correct answer presents a complete solution. Choose two.) A. Open the %Systemroot\System32\DNS\Contoso.com.dns file by using Notepad and change all instances of "hostmaster.contoso.com" to "admin1.contoso.com". B. From DNS Manager, open the properties of the Start of Authority (SOA) record ofcontoso.com, Specify admin1.contoso.com as the responsible person. C. Open the %Systemroot\System32\DNS\Contoso.com.dns file by using Notepad and change all instances of "[email protected]" to "[email protected]". D. From DNS Manager, open the properties of the Start of Authority (SOA) record ofcontoso.com. Specify [email protected] as the responsible person. Correct Answer: AB / You can use Notepad to edit the dns file, but the address of the person responsible for this zone must be listed with a ".", instead of a "@". That's why C is wrong here. Reference 1: To modify the start of authority (SOA) resource record for a zone using the Windows interface 1. Open DNS Manager. 2. In the console tree, right-click the applicable zone, and then click Properties. 3. Click the Start of Authority (SOA) tab. 4. As needed, modify properties for the start of authority (SOA) resource record. 5. Click OK to save the modified properties. Reference 2: The SOA resource record contains the following information: SOA resource record fields Responsible person The address of the person responsible for administering the zone. A period (.) is used instead of an at

289 sign in this name. (...) QUESTION 30 Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2 The DNS zone for contoso.com is Active Directory-integrated. You deploy a read-only domain controller (RODC) named RODC1. You install the DNS Server server role on RODC1. You discover that RODC1 does not have any DNS application directory partitions. You need to ensure that RODC1 has a copy of the DNS application directory partition of contoso.com. (Each correct answer presents a complete solution. Choose two.) A. From DNS Manager, right-click RODC1 and click Create Default Application Directory Partitions. B. Run ntdsutil.exe. From the Partition Management context, run the create nc command. C. Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter. D. Run ntdsutil.exe. From the Partition Management context, run the add nc replica command. E. Run dnscmd.exe and specify the /enlistdirectorypartition parameter. Correct Answer: DE / Practically the same question as J/Q15, different set of answers. RODC Post-Installation Configuration If you install DNS server after the AD DS installation, you must also enlist the RODC in the DNS application directory partitions. The RODC is not enlisted automatically in the DNS application directory partitions by design because it is a privileged operation. If the RODC were allowed to enlist itself, it would have permissions to add or remove other DNS servers that are enlisted in the application directory partitions. To enlist a DNS server in a DNS application directory partition 1. Open an elevated command prompt. 2. At the command prompt, type the following command, and then press ENTER: dnscmd <ServerName> /EnlistDirectoryPartition <FQDN> For example, to enlist RODC01 in the domain-wide DNS application directory partition in a domain named child. contoso.com, type the following command: dnscmd RODC01 /EnlistDirectoryPartition DomainDNSZones.child.contoso.com You might encounter the following error when you run this command: Command failed: ERROR_DS_COULDNT_CONTACT_FSMO x20AF If this error appears, use NTDSUTIL to add the RODC for the partition to be replicated: 1. ntdsutil 2. partition management

290 3. connections 4. Connect to a writeable domain controller (not an RODC): connect to server <WriteableDC>.Child.contoso.com 5. quit 6. To enlist this server in the replication scope for this zone, run the following command: add NC Replica DC=DomainDNSZones,DC=Child,DC=Contoso,DC=Com <rodc Server>. Child.contoso.com QUESTION 31 A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers. You add multiple DNS records to the zone. You need to ensure that the new records are available on all DNS servers as soon as possible. Which tool should you use? A. Ntdsutil B. Dnscmd C. Repadmin D. Nslookup Correct Answer: C / Practically the same question as F/Q28, G/Q8, J/Q24, K/Q8, different set of answers sometimes. To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool. Forcing Replication Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements. Force a replication event with all partners The repadmin /syncall command synchronizes a specified domain controller with all replication partners. Syntax repadmin /syncall <DC> [<NamingContext>] [<Flags>] Parameters <DC> Specifies the host name of the domain controller to synchronize with all replication partners. <NamingContext> Specifies the distinguished name of the directory partition. <Flags> Performs specific actions during the replication. QUESTION 32 Your network contains three servers named ADFS1, ADFS2, and ADFS3 that run Windows Server 2008 R2. ADFS1 has the Active Directory Federation Services (AD FS) Federation Service role service installed.

291 You plan to deploy AD FS 2.0 on ADFS2 and ADFS3. You need to export the token-signing certificate from ADFS1, and then import the certificate to ADFS2 and ADFS3. A. Personal Information Exchange PKCS #12 (.pfx) B. DER encoded binary X.509 (.cer) C. Cryptographic Message Syntax Standard PKCS #7 (.p7b) D. Base-64 encoded X.S09 (.cer) Correct Answer: A / Many thanks to 'confused' from Algeria and Luffy for noting this question needed a correction and for their help! Practically the same question as E/Q12. Reference 1: Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0 If the AD FS 1.x Federation Service has a token-signing certificate that was issued by a trusted certification authority (CA) and you want to reuse it, you will have to export it from AD FS 1.x. [The site provides also a link for instructions on how to export the token-signing certificate. That link point to the site mentioned in reference 2.] Reference 2: Export the private key portion of a token-signing certificate To export the private key of a token-signing certificate 1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services. 2. Right-click Federation Service, and then click Properties. 3. On the General tab, click View. 4. In the Certificate dialog box, click the Details tab. 5. On the Details tab, click Copy to File. 6. On the Welcome to the Certificate Export Wizard page, click Next. 7. On the Export Private Key page, select Yes, export the private key, and then click Next. 8. On the Export File Format page, select Personal Information Exchange = PKCS #12 (.PFX), and then click Next. 9. (...) QUESTION 33 You create a user account template for the marketing department. When you copy the user account template, you discover that the Web page attribute is not copied. You need to preserve the Web page attribute when you copy the user account template. A. From Active Directory Administrative Center, modify the value of the wwwhomepage attribute for the user account template. B. From the Active Directory Schema snap-in, modify the properties of the user class.

292 C. From Active Directory Users and Computers, modify the value of the wwwhomepage attribute for the user account template. D. From ADSI Edit, modify the properties of the wwwhomepage attribute. Correct Answer: B / You can modify which default attributes are carried over to a newly copied user or specify additional attributes that will be copied to the new user. To do this, open the Active Directory Schema snap-in, view the desired attribute properties, and select (or clear) the Attribute is copied when duplicating user check box. You can modify or add only the attributes that are instances of the user class. QUESTION 34 Your network contains an Active Directory domain named contoso.com. The functional level of the forest is Windows Server 2008 R2. The Default Domain Controller Policy Group Policy object (GPO) contains audit policy settings. On a domain controller named DC1, an administrator configures the Advanced Audit Policy Configuration settings by using a local GPO. You need to identify what will be audited on DC1. Which tool should you use? A. Get-ADObject B. Secedit C. Security Configuration and Analysis D. Auditpol Correct Answer: D / Reference 1: Auditpol get Retrieves the system policy, per-user policy, auditing options, and audit security descriptor object. Reference 2: Windows Server 2008 R2 Unleashed (SAMS, 2010) page 670 You can use the AUDITPOL command to get and set the audit categories and subcategories. To retrieve a list of all the settings for the audit categories and subcategories, use the following command: auditpol /get /category:* QUESTION 35 A network contains an Active Directory forest. The forest schema contains a custom attribute for user objects. You need to view the custom attribute value of 500 user accounts in a Microsoft Excel table.

293 Which tool should you use? A. Dsmod B. Csvde C. Ldifde D. Dsrm Correct Answer: B / We can achieve this by using csvde: CSVDE -f onlyusers.csv -r "objectcategory=person" -l "CN,<CustomAttributeName>" The exported CSV file can be viewed in Excel. Csvde Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard. Syntax Csvde [-i] [-f <FileName>] [-r <LDAPFilter>] [-l <LDAPAttributeList>] (...) Parameters -i Specifies import mode. If not specified, the default mode is export. -f <FileName> Identifies the import or export file name. -r <LDAPFilter> Creates an LDAP search filter for data export. -l <LDAPAttributeList> Sets the list of attributes to return in the results of an export query. LDAP can return attributes in any order, and csvde does not attempt to impose any order on the columns. If you omit this parameter, AD DS returns all attributes. QUESTION 36 Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and child.contoso.com. All domain controllers run Windows Server All forest-wide operations master roles are in child.contoso.com. An administrator successfully runs adprep.exe /forestprep from the Windows Server 2008 R2 Service Pack 1 (SP1) installation media. You plan to run adprep.exe /domainprep in each domain. You need to ensure that you have the required user rights to run the command successfully in each domain. Of which groups should you be a member? (Each correct answer presents part of the solution. Choose two.)

294 A. Administrators in child.contoso.com B. Enterprise Admins in contoso.com C. Domain Admins in child.contoso.com D. Domain Admins in contoso.com E. Administrators in contoso.com F. Schema Admins in contoso.com Correct Answer: CD / adprep /domainprep Prepares a domain for the introduction of a domain controller that runs Windows Server You run this command after the forestprep command finishes and after the changes replicate to all the domain controllers in the forest. Run this command in each domain where you plan to add a domain controller that runs Windows Server You must run this command on the domain controller that holds the infrastructure operations master role for the domain. You must be a member of the Domain Admins group to run this command. QUESTION 37 Your network contains an Active Directory forest named contoso.com. The forest contains a single domain and 10 domain controllers. All of the domain controllers run Windows Server 2008 R2 Service Pack 1 (SP1). The forest contains an application directory partition named dc=app1, dc=contoso,dc=com. A domain controller named DC1 has a copy of the application directory partition. You need to configure a domain controller named DC2 to receive a copy of dc=app1, dc=contoso,dc=corn. Which tool should you use? A. Active Directory Sites and Services B. Dsmod C. Dcpromo D. Dsmgmt Correct Answer: C / Dcpromo Installs and removes Active Directory Domain Services (AD DS). Parameter ApplicationPartitionsToReplicate:"" Specifies the application directory partitions that dcpromo will replicate. Use the following format: "partition1" "partition2" "partitionn" Use * to replicate all application directory partitions.

295 QUESTION 38 A corporate environment includes a Windows Server 2008 R2 Active Directory Domain Services (AD DS) domain. You need to enable Universal Group Membership Caching on several domain controllers in the domain. Which tool should you use? A. Dsmod B. Dscmd C. Ntdsutil D. Active Directory Sites and Services console Correct Answer: D / Enable Universal Group Membership Caching in a Site In a branch site that has no global catalog server and in a forest that has multiple domains, you can use this procedure to enable Universal Group Membership Caching on a domain controller in the site so that a global catalog server does not have to be contacted across a wide area network (WAN) link for every initial user logon. To enable Universal Group Membership Caching in a site 1. Open Active Directory Sites and Services. 2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching. 3. In the details pane, right-click the NTDS Site Settings object, and then click Properties. 4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching. 5. In the Refresh cache from list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK. QUESTION 39 Your network contains an Active Directory forest. The forest contains three domains. All domain controllers have the DNS Server server role installed. The forest contains three sites named Site1, Site2, and Site3. Each site contains the users, client computers, and domain controllers of each domain. Site1 contains the first domain controller deployed to the forest. The sites connect to each other by using unreliable WAN links. The users in Site2 and Site3 report that is takes a long time to log on to their client computer when they use their user principal name (UPN). The users in Site1 do not experience the same issue. You need to reduce the amount of time it takes for the Site2 users and the Site3 users to log on to their client computer by using their UPN. A. Configure a global catalog server in Site2 and a global catalog server in Site3. B. Reduce the replication interval of the site links. C. Move a primary domain controller (PDC) emulator to Site2 and to Site3. D. Add additional domain controllers to Site2 and to Site3. E. Reduce the cost of the site links.

296 F. Enable universal group membership caching in Site2 and in Site3. Correct Answer: A / Quite similar to K/Q9. Common Global Catalog Scenarios The following events require a global catalog server: (...) User logon. In a forest that has more than one domain, two conditions require the global catalog during user authentication: 1. When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name. 2. (...) QUESTION 40 You have a client computer named Computer1 that runs Windows 7. On Computer1, you configure a source-initiated subscription. You configure the subscription to retrieve all events from the Windows logs of a domain controller named DC1. The subscription is configured to use the HTTP protocol. You discover that events from the Security log of DC1 are not collected on Computer1. Events from the Application log of DC1 and the System log of DC1 are collected on Computer1. You need to ensure that events from the Security log of DC1 are collected on Computer1. A. Add the computer account of Computer1 to the Event Log Readers group on the domain controller. B. Add the Network Service security principal to the Event Log Readers group on the domain. C. Configure the subscription to use custom Event Delivery Optimization settings. D. Configure the subscription to use the HTTPS protocol. Correct Answer: B / Reference 1: Preparing Windows Server 2008 and Windows Server 2008 R2 You have to prepare your Windows Server 2008/2008 R2 machines for collection of security events. To do this, simply add the Network Service account to the Built-in Event Log Readers group. Reference 2: 66d88b215886/ How to collect security logs using event forwarding?

297 For Windows Vista, Windows Server 2008 and later version of clients, please follow the steps below to configure it. 1. Click start->run, type CompMgmt.msc to open Computer Management Console. 2. Under Local Users and Groups, click Groups->Event Log Readers to open Event Log Readers Properties. 3. Click Add, then click Location button, select your computer and click OK. 4. Click Object Types button, check the checkbox of Build-in security principals and click OK. 5. Add Network Service build-in account to Event Log Readers group. 6. Reboot the client computer. After these steps have been taken, you will see the security event logs in the Forwarded Events on your event collector. QUESTION 41 Your network contains an Active Directory forest named contoso.com. The forest contains six domains. You need to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix oflitwareinc.com when they create user accounts by using Active Directory Users and Computers. Which tool should you use? A. Active Directory Administrative Center B. Set-ADDomain C. Active Directory Sites and Services D. Set-ADForest Correct Answer: D / Quite similar to K/Q18. We would use the following command to achieve this: Set-ADForest Reference 1: Creating a UPN Suffix for a Forest This topic explains how to use the Active Directory module for Windows PowerShell to create a new user principal name (UPN) suffix for the users in a forest. Creating an additional UPN suffix helps simplify the names that are used to log on to another domain in the forest. Example The following example demonstrates how to create a new UPN suffix for the users in the Fabrikam.com forest: Set-ADForest Reference 2 Set-ADForest Modifies an Active Directory forest. Parameter UPNSuffixes Modifies the list of user principal name (UPN) suffixes of the forest. This parameter sets the multi-valued

298 msds-upnsuffixes property of the cross-reference container. This parameter uses the following syntax to add remove, replace, or clear UPN suffix values. Syntax: To add values: QUESTION 42 Your network contains an Active Directory domain named litwareinc.com. The domain contains two sites named Sitel and Site2. Site2 contains a read-only domain controller (RODC). You need to identify which user accounts attempted to authenticate to the RODC. Which tool should you use? A. Active Directory Users and Computers B. Ntdsutil C. Get-ADAccountResultantPasswordReplicationPolicy D. Adtest Correct Answer: A / Ntdsutil cannot be used for this. Get-ADAccountResultantPasswordReplicationPolicy is used to get the members of the allowed list or denied list of a read-only domain controller's password replication policy. Get- ADDomainControllerPasswordReplicationPolicyUsage could be used, but is not listed. Adtest is used for perfomance testing. Reference 1: Review whose accounts have been authenticated to an RODC Periodically, you should review whose accounts have been authenticated to an RODC. (...) You can use Active Directory Users and Computers or repadmin /prp to review whose accounts have been authenticated to an RODC. Reference 2: [Gives a step by step explanation on using Active Directory Users and Computers for this.] QUESTION 43 Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects. You need to generate a file that contains the last logon time and the custom attribute values for each user in the forest. What should you use? A. the Get-ADUser cmdlet

299 B. the Export-CSV cmdlet C. the Net User command D. the Dsquery User tool Correct Answer: A / Practically the same question as E/Q16. I find this one a bit tricky, as both the Get-ADUser cmdlet and the Dsquery tool seem to get the job done, I think. The other two options play no role here: Export-CSV cannot perform queries. It is used to save queries that have been piped through. Net User is too limited for our question. Get-ADUser References: e0f5f3a591d7 Export-Csv Saving Data as a Comma-Separated Values File The Export-Csv cmdlet makes it easy to export data as a comma-separated values (CSV) file; all you need to do is call Export-Csv followed by the path to the CSV file. For example, this command uses Get-Process to grab information about all the processes running on the computer, then uses Export-Csv to write that data to a file named C:\Scripts\Test.txt: Get-Process Export-Csv c:\scripts\test.txt. Net User Adds or modifies user accounts, or displays user account information. DSQUERY Reference 1: Parameters {<StartNode> forestroot domainroot} Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the start node <StartNode>. If you specify forestroot, AD DS searches by using the global catalog. -attr {<AttributeList> *} Specifies that the semicolon separated LDAP display names included in <AttributeList> for each entry in the result set. If you specify the value of this parameter as a wildcard character (*), this parameter displays all attributes that are present on the object in the result set. In addition, if you specify a *, this parameter uses the default output format (a list), regardless of whether you specify the -l parameter. The default <AttributeList> is a

300 distinguished name. Reference 2: Gives an example of how to find a user with certain attributes using Dsquery. Note that it uses domainroot as the startnode, instead of forestroot what we need. Reference 3: e0f787/ List all last login times for all users, regardless of whether they are disabled. dsquery * -filter "(&(objectcategory=user)(objectclass=user))" -limit 0 -attr givenname sn samaccountname lastlogon >>c:\last_logon_for_all.txt QUESTION 44 You have an Active Directory domain named contoso.com. You need to view the account lockout threshold and duration for the domain. Which tool should you use? A. Net User B. Active Directory Users and Computers C. Group Policy Management Console (GPMC) D. Computer Management Correct Answer: C / Same question as K/Q12. For K/Q12 I thought there was only one option, but here there are two correct answers: B ("Active Directory Users and Computers") C ("Group Policy Management Console (GPMC)")

301 Am I missing something? Which is the "right" one? You tell me. QUESTION 45 A domain controller named DC4 runs Windows Server 2008 R2. DC4 is configured as a DNS server for fabrikam.com. You install the DNS Server server role on a member server named DNS1 and then you create a standard secondary zone for fabrikam.com. You configure DC4 as the master server for the zone.

302 You need to ensure that DNS1 receives zone updates from DC4. A. Add the DNS1 computer account to the DNSUpdateProxy group. B. On DC4, modify the permissions offabrikam.com zone. C. On DNS1, add a conditional forwarder. D. On DC4, modify the zone transfer settings for the fabrikam.com zone. Correct Answer: D / Practically the same question as B/Q1 and J/Q23. Modify Zone Transfer Settings You can use the following procedure to control whether a zone will be transferred to other servers and which servers can receive the zone transfer. To modify zone transfer settings using the Windows interface 1. Open DNS Manager. 2. Right-click a DNS zone, and then click Properties. 3. On the Zone Transfers tab, do one of the following: To disable zone transfers, clear the Allow zone transfers check box. To allow zone transfers, select the Allow zone transfers check box. 4. If you allowed zone transfers, do one of the following: To allow zone transfers to any server, click To any server. To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab. To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers. QUESTION 46 A company has an Active Directory forest. You plan to install an offline Enterprise root certification authority (CA) on a server named CA1. CA1 is a member of the PerimeterNetwork workgroup and is attached to a hardware security module for private key storage. You attempt to add the Active Directory Certificate Services (AD CS) server role to CA1. The Enterprise CA option is not available. You need to install the AD CS server role as an Enterprise CA on CA1. What should you do first? A. Add the DNS Server server role to CA1. B. Add the Web Server (IIS) server role and the AD CS server role to CA1. C. Add the Active Directory Lightweight Directory Services (AD LDS) server role to CA1. D. Join CA1 to the domain. Correct Answer: D

303 / Reference 1: Many times, administrators ask me what to do when installing Active Directory Certificate Services they cannot choose to install Enterprise Certification Authority, because it s unavailable. Well, you need to fulfill basic requirements: 1. Server machine has to be a member server (domain joined). 2. (...) Reference 2: I am trying to install a new enterprise root CA on my windows server 2008 r2 system, but the enterprise option is always greyed out. The server was originally setup and put on the domain, but has since been removed from the domain and left in a workgroup. its greyed out because it's not in a domain; that's one of the requirements for Enterprise CA. QUESTION 47 Your company has an Active Directory forest. Each regional office has an organizational unit (OU) named Marketing. The Marketing OU contains all users and computers in the region's Marketing department. You need to install a Microsoft Office 2007 application only on the computers in the Marketing OUs. You create a GPO named MarketingApps. What should you do next? A. Configure the GPO to assign the application to the computer account. Link the GPO to the domain. B. Configure the GPO to assign the application to the user account. Link the GPO to each Marketing OU. C. Configure the GPO to assign the application to the computer account. Link the GPO to each Marketing OU. D. Configure the GPO to publish the application to the user account. Link the GPO to each Marketing OU. Correct Answer: C / Practically the same question as A/Q38. We need to assign the software to the computers, and link the GPO to each Marketing OU. We do not link it to the domain, then every computer would have the software. You can use Group Policy to distribute computer programs by using the following methods: Assigning Software You can assign a program distribution to users or computers. If you assign the program to a user, it is installed when the user logs on to the computer. When the user first runs the program, the installation is completed. If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is completed. Publishing Software

304 You can publish a program distribution to users. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there. QUESTION 48 Your network contains an Active Directory domain named contoso.com. The Active Directory sites are configured as shown in the Sites exhibit. (Click the Exhibit button.) You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes between the sites. Exhibit: A. Configure DC1 as a preferred bridgehead server for IP transport. B. Configure DC4 as a preferred bridgehead server for IP transport. C. From the DC4 server object, create a Connection object for DC1. D. From the DC1 server object, create a Connection object for DC4. Correct Answer: B / Same question as L/Q4, with a different Exhibit, so with a different answer. MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 193, 194 Bridgehead Servers A bridgehead server is the domain controller designated by each site s KCC to take control of intersite replication. The bridgehead server receives information replicated from other sites and replicates it to its site s other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than

305 between them. In most cases, the KCC automatically decides which domain controller acts as the bridgehead server. However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps: 1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server. 2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties. 3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead server and then click Add. QUESTION 49 Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 has the DNS Server server role installed and hosts an Active Directory-integrated zone for contoso.com. The no-refresh interval and the refresh interval are both set to three days. The Advanced DNS settings of DC1 are shown in the Advanced DNS Settings exhibit. (Click the Exhibit button.) You open the properties of a static record named Server1 as shown in the Server1 Record exhibit. (Click the Exhibit button.)

306 You discover that the scavenging process ran today, but the record for Server1 was not deleted. You run dnscmd.exe and specify the ageallrecords parameter. You need to identify when the record for Server1 will be deleted from the zone. In how many days will the record be deleted? A. 13 B. 10 C. 23 D. 7 Correct Answer: D / The blank Record time stamp field indicates a static record. That's the reason it wasn't deleted. The timestamp has been set using dnscmd /ageallrecords. The Time to live setting means that the server will hold a cached record for 10 days, so it has nothing to do with this question. The record will become stale in six days (no-refresh interval + refresh interval, that's days), so now that the timestamp has been set it will be deleted when the next scavenging operation occurs, in seven days.

307 Reference 1: dnscmd /ageallrecords Sets the current time on all time stamps in a zone or node. Record scavenging does not occur unless the records are time stamped. Name server (NS) resource records, start of authority (SOA) resource records, and Windows Internet Name Service (WINS) resource records are not included in the scavenging process, and they are not time stamped even when the ageallrecords command runs. Reference 2: When a record is older than the sum of the no-refresh interval and the refresh interval, the scavenging feature considers the record stale and deletes it. So, when you set No-refresh interval to 3 days and Refresh interval to 5 days, scavenging will delete records that are more than 8 days old. QUESTION 50 Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click the Exhibit button.) Each organizational unit (OU) contains over 500 user accounts. The Finance OU and the Human Resources OU contain several user accounts that are members of a universal group named Group1. You have a Group Policy object (GPO) linked to the domain. You need to prevent the GPO from being applied to the members of Group1 only. Exhibit:

308 A. Modify the Group Policy permissions. B. Enable block inheritance. C. Configure the link order. D. Enable loopback processing in merge mode. E. Enable loopback processing in replace mode. F. Configure WMI filtering. G. Configure Restricted Groups. H. Configure Group Policy Preferences. I. Link the GPO to the Finance OU. J. Link the GPO to the Human Resources OU. Correct Answer: A / Practically the same question as J/Q21. Best way to handle this is how graimer from Norway desribed it in html "GPOs are linked to OUs, not groups. Block inhertance blocks all inherited GPOs from being applied to the OU. The security filter will only help you specify groups. So you have two choices. You could remove authenticated users in the secuirty filter and add groups containing everyone except group1 members(messy solution) or you could leave authenticated users there, and specify group1 with deny apply gpo permission for the gpo(since deny will alwys win over allow)." The reference below explains a situation where the GPO only needs to be applied to one group, it's the other

309 way around so to speak. MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) page 285, 286 Using Security Filtering to Modify GPO Scope By now, you ve learned that you can link a GPO to a site, domain, or OU. However, you might need to apply GPOs only to certain groups of users or computers rather than to all users or computers within the scope of the GPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specific security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group Policy permissions to the GPO. Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to a computer (for example, by its link to the computer s OU), but the computer does not have Read and Apply Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate permissions for security groups, you can filter a GPO so that its settings apply only to the computers and users you specify. Filtering a GPO to Apply to Specific Groups To apply a GPO to a specific security group, perform the following steps: 4. Select the GPO in the Group Policy Objects container in the console tree. 5. In the Security Filtering section, select the Authenticated Users group and click Remove. 6. Click OK to confirm the change. 7. Click Add. 8. Select the group to which you want the policy to apply and click OK.

310 Exam L QUESTION 1 Your network contains an Active Directory domain. The domain contains a domain controller named DC1 that runs windows Server 2008 R2 Service Pack 1 (SP1). You need to implement a central store for domain policy templates. To answer, select the source content that should be copied to the destination folder in the answer area. Hot Area: Correct Answer: / In the reference below the entire PolicyDefinitions folder gets copied. In the question we copy the contents of that PolicyDefinitions folder, which has the same result of course. Creating a Central Store Creating a central store is actually a rather simple process. The first thing that you will have to do is to log onto a computer that is running either Windows Vista or Windows Server If you have one particular machine that has all of your group policy template files installed on it, then that machine is a good candidate. The next thing that you must do is to open Windows Explorer, and then go into the C:\Windows folder. Locate the PolicyDefinitions folder, right click on it, and then choose the Copy command from the shortcut menu. This will copy the folder and its contents to the Windows clipboard.

311 The next step in the process is to map a network drive letter to the sysvol folder on a domain controller. The full path that you will need to access on the domain controller is c:\windows\sysvol\domain\policies. Finally, copy the PolicyDefinitions folder to the \Windows\SYSVOL\domain\Policies folder on the domain controller. You can see what this looks like in Figure A. Figure A Copy the PolicyDefinitions folder to the domain controller s \Windows\Sysvol\Domain\Policies folder. QUESTION 2 Your network contains an Active Directory forest named contoso.com. You plan to migrate all user accounts to a new forest named litwareinc.com. The functional level of the contoso.com forest is Windows Server Contoso.com contains four servers. The servers are configured as shown in the following table.

312 The functional level of the litwareinc.com forest is Windows Server Litwareinc.com contains four servers. The servers are configured as shown in the following table. You need to identify on which server in the litwareinc.com forest you must install Active Directory Migration Tool version 3.2 (ADMT v3.2). Which server should you identify? A. Litw_Srv4 B. Litw_Srv1 C. Litw_Srv2 D. Litw_Srv3 Correct Answer: D / Prerequisites for installing ADMT v3.2 Although you can use ADMT v3.2 to migrate accounts and resources from Active Directory environments that have a domain functional level of Windows Server 2003 or later, you can install ADMT v3.2 only on a server running Windows Server 2008 R2. In addition to running Windows Server 2008 R2, the server computer that you use to install ADMT v3.2 must not be installed under the Server Core installation option or be running as a read-only domain controller (RODC). QUESTION 3 Your network contains an Active Directory domain. The password policy for the domain is configured as shown in the Current Policy exhibit, (Click the Exhibit

313 button.) You change the password policy for the domain as shown in the New Policy exhibit. (Click the Exhibit button.) You need to provide users with examples of a valid password. Which password examples should you provide to the users? (Each correct answer presents a complete solution. Choose three.) A !@#$%^ B.!@#$1234ABCD C. passwordl234 D a-b-c-e E. %%PASS1234%% F aaaaaaa Correct Answer: BDE /

314 Passwords must meet complexity requirements This security setting determines whether passwords must meet complexity requirements. Complexity requirements are enforced when passwords are changed or created. If this policy is enabled, passwords must meet the following minimum requirements when they are changed or created: 1. Passwords must not contain the user's entire samaccountname (Account Name) value or entire displayname (Full Name) value. 2. Passwords must contain characters from three of the following five categories : Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters) Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters) Base 10 digits (0 through 9) Nonalphanumeric characters: ~!@#$%^&*_-+=` \(){}[]:;"'<>,.?/ Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. QUESTION 4 Your network contains an Active Directory domain named contoso.com. The Active Directory sites are configured as shown in the Sites exhibit. (Click the Exhibit button.) You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes between the sites. Exhibit: A. Configure DC1 as a preferred bridgehead server for IP transport. B. Configure DC4 as a preferred bridgehead server for IP transport. C. From the DC4 server object, create a Connection object for DC1.

315 D. From the DC1 server object, create a Connection object for DC4. Correct Answer: A / Same question as K/Q48, with a different Exhibit, so with a different answer. MCTS Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 193, 194 Bridgehead Servers A bridgehead server is the domain controller designated by each site s KCC to take control of intersite replication. The bridgehead server receives information replicated from other sites and replicates it to its site s other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than between them. In most cases, the KCC automatically decides which domain controller acts as the bridgehead server. However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps: 1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server. 2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties. 3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead server and then click Add. QUESTION 5 Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2. The forest contains a single domain. You need to ensure that objects can be restored from the Active Directory Recycle Bin. Which tool should you use? A. Ntdsutil B. Set-ADDomain C. Dsamain D. Enable-ADOptionalFeature Correct Answer: D / Similar question to question E/Q28. Enabling Active Directory Recycle Bin After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods: Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.) Ldp.exe

316 QUESTION 6 Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click the Exhibit button.) Users in the Finance organizational unit (OU) frequently log on to client computers in the Human Resources OU. You need to meet the following requirements: - All of the user settings in the Group Policy objects (GPOs) linked to both the Finance OU and the Human Resources OU must be applied to finance users when they log on to client computers in the Engineering OU. - Only the policy settings in the GPOs linked to the Finance OU must be applied to finance users when they log on to client computers in the Finance OU. - Policy settings in the GPOs linked to the Finance OU must not be applied to users in the Human Resources OU. Exhibit: A. Modify the Group Policy permissions. B. Enable block inheritance. C. Configure the link order. D. Enable loopback processing in merge mode. E. Enable loopback processing in replace mode. F. Configure WMI filtering. G. Configure Restricted Groups. H. Configure Group Policy Preferences. I. Link the GPO to the Finance OU.

317 J. Link the GPO to the Human Resources OU. Correct Answer: D / Very similar question to K/Q11. We have to use loopback processing in merge mode if we want all User Configuration settings from the GPO's that are linked to the Sales OU and the Engineering OU to be applied. Reference 1: Loopback processing with merge or replace Setting loopback causes the User Configuration settings in GPOs that apply to the computer to be applied to every user logging on to that computer, instead of (in replace mode) or in addition to (in merge mode) the User Configuration settings of the user. This allows you to ensure that a consistent set of policies is applied to any user logging on to a particular computer, regardless of their location in Active Directory. Loopback can be set to Not Configured, Enabled, or Disabled. In the Enabled state, loopback can be set to Merge or Replace. In either case the user only receives user-related policy settings. Loopback with Replace In the case of Loopback with Replace, the GPO list for the user is replaced in its entirety by the GPO list that is already obtained for the computer at computer startup (during step 2 in Group Policy processing and precedence). The User Configuration settings from this list are applied to the user. Loopback with Merge In the case of Loopback with Merge, the Group Policy object list is a concatenation. The default list of GPOs for the user object is obtained, as normal, but then the list of GPOs for the computer (obtained during computer startup) is appended to this list. Because the computer's GPOs are processed after the user's GPOs, they have precedence if any of the settings conflict. Reference 2: For a clear and easy explanation of Loopback Processing. Recommended! Reference 3: Windows Server 2008 R2 Unleashed (SAMS, 2010) page 1028 Loopback Processing When a user is processing domain policies, the policies that apply to that user are based on the location of the user object in the Active Directory hierarchy. The same goes for domain policy application for computers. There are situations, however, when administrators or organizations want to ensure that all users get the same policy when logging on to a particular computer or server. For example, on a computer that is used for training or on a Remote Desktop Session Host, also known as a Terminal Server, when the user desktop environment must be the same for each user, this can be controlled by enabling loopback processing in Replace mode on a policy that is applied to the computer objects. To explain a bit further, if a domain policy has the loopback settings enabled and set to Replace mode, any settings defined within that policy in the User Configuration node are applied to all users who log on to the computer this particular policy is applied to. When loopback processing is enabled and configured in Merge mode on a policy applied to a computer object and a user logs on, all of the user policies are applied and then all of the user settings within the policy applied to the computer object are also applied to the user. This ensures that in either Replace or Merge mode, loopback processing applies the settings contained in the computerlinked policies last. QUESTION 7 Your network contains an Active Directory forest named contoso.com. The forest contains four computers. The

318 computers are configured as shown in the following table. An administrator creates a script that contains the following commands: You need to identity which computers can successfully run all of the commands in the script. Which two computers should you identify? (Each correct answer presents part of the solution. Choose two.) A. Computer1 B. Server1 C. Computer2 D. Server2 Correct Answer: CD / According to Technet the "Auditpol /resourcesacl" command applies only to Windows 7 and Windows Server 2008 R2 (and I suppose Windows 8 and Windows Server 2012), so the answer should be Computer2 and Server2 Auditpol resourcesacl Applies only to Windows 7 and Windows Server 2008 R2. QUESTION 8 Your network contains an Active Directory domain. The domain is configured as shown in the exhibit, (Click the Exhibit button.) You need to ensure that when users log on to client computers, they are added automatically to the local Administrators group. The users must be removed from the group when they log off of the client computers. Exhibit:

319 A. Modify the Group Policy permissions. B. Enable block inheritance. C. Configure the link order. D. Enable loopback processing in merge mode. E. Enable loopback processing in replace mode. F. Configure WMI filtering. G. Configure Restricted Groups. H. Configure Group Policy Preferences. I. Link the Group Policy object (GPO) to the Finance organizational unit (OU). J. Link the Group Policy object (GPO) to the Human Resources organizational unit (OU). Correct Answer: H / Practically the same question as K/Q QUESTION 9 Your company plans to open a new branch office. The new office will have a low-speed connection to the Internet. You plan to deploy a read-only domain controller (RODC) in the branch office.

320 You need to create an offline copy of the Active Directory database that can be used to install the Active Directory on the new RODC. Which commands should you run from Ntdsutil? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place: Correct Answer: / Same question as J/Q31, same answers. Installing AD DS from Media You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently.

321 To create installation media 1. Click Start, right-click Command Prompt, and then click Run as administrator to open an elevated command prompt. 2. At the command prompt, type the following command, and then press ENTER: ntdsutil 3. At the ntdsutil prompt, type the following command, and then press ENTER: activate instance ntds 4. At the ntdsutil prompt, type the following command, and then press ENTER: ifm 5. At the ifm: prompt, type the command for the type of installation media that you want to create (as listed in the table earlier in this topic), and then press ENTER. For example, to create RODC installation media, type the following command, and then press ENTER: create rodc C:\InstallationMedia 6. Where C:\InstallationMedia is the path to the folder where you want the installation media to be created. 7. You can save the installation media to a network shared folder or to any other type of removable media. QUESTION 10 Your network contains an Active Directory forest named contoso.com. You need to use Group Policies to deploy the applications shown in the following table. To answer, drag the appropriate deployment method to the correct application in the answer area. Select and Place: Correct Answer:

322 / Practically the same question as I/Q2. technet.microsoft.com/en-us/library/cc aspx Software installation You can use the Software Installation extension of Group Policy to centrally manage software distribution in your organization. You can assign and publish software for groups of users and computers using this extension. Assigning Applications When you assign applications to users or computers, the applications are automatically installed on their computers at logon (for user-assigned applications) or startup (for computer-assigned applications.) When assigning applications to users, the default behavior is that the application will be advertised to the computer the next time the user logs on. This means that the application shortcut appears on the Start menu, and the registry is updated with information about the application, including the location of the application package and the location of the source files for the installation. With this advertisement information on the user's computer, the application is installed the first time the user tries to use the application. In addition to this default behavior, Windows XP Professional and Windows Server 2003 clients support an option to fully install the package at logon, as an alternative to installation upon first use. Note that if this option is set, it is ignored by computers running Windows 2000, which will always advertise user-assigned applications. When assigning applications to computers, the application is installed the next time the computer boots up. Applications assigned to computers are not advertised, but are installed with the default set of features configured for the package. Assigning applications through Group Policy requires that the application setup is authored as a Windows Installer (.msi) package. Publishing Applications You can also publish applications to users, making the application available for users to install. To install a published application, users can use Add or Remove Programs in Control Panel, which includes a list of all published applications that are available for them to install. Alternatively, if the administrator has selected the Auto-install this application by file extension activation feature, users can open a document file associated with a published application. For example, double clicking an.xls file will trigger the installation of Microsoft Excel, if it is not already installed. Publishing applications only applies to user policy; you cannot publish applications to computers. QUESTION 11 Your network contains an Active Directory domain named contoso.com. You need to view which password setting object is applied to a user. Which filter option in Attribute Editor should you enable? To answer, select the appropriate filter option in the answer area.

323 Hot Area: Correct Answer: / View a Resultant PSO for a User or a Global Security Group You can view the resultant Password Settings object (PSO) for a user object: Viewing the resultant PSO for users using the Active Directory module for Windows PowerShell Viewing the resultant PSO for users using the Windows interface Viewing the resultant PSO for users from the command line using dsget To view the resultant PSO for a user using Windows interface 1. Open Active Directory Users and Computers. 2. On the View menu, ensure that Advanced Features is checked. 3. In the console tree, click Users. 4. In the details pane, right-click the user account for which you want to view the resultant PSO, and then click Properties. 5. Click the Attribute Editor tab, and then click Filter. 6. Ensure that the Show attributes/optional check box is selected. 7. Ensure that the Show read-only attributes/constructed check box is selected.

324 8. Locate the value of the msds-resultantpso attribute in the Attributes list. QUESTION 12 Your network contains two Active Directory forests named contoso.com and fabrikam.com. A two-way forest trust exists between the forests. Selective authentication is enabled on the trust. Fabrikam.com contains a server named Server1. You assign Contoso\Domain Users the Manage documents permission and the Print permission to a shared printer on Server1. You discover that users from contoso.com cannot access the shared printer on Server1. You need to ensure that the contoso.com users can access the shared printer on Server1. Which permission should you assign to Contoso\Domain Users. To answer, select the appropriate permission in the answer area. Hot Area: Correct Answer:

325 / Grant the Allowed to Authenticate Permission on Computers in the Trusting Domain or Forest For users in a trusted Windows Server 2008 or Windows Server 2003 domain or forest to be able to access resources in a trusting Windows Server 2008 or Windows Server 2003 domain or forest where the trust authentication setting has been set to selective authentication, each user must be explicitly granted the Allowed to Authenticate permission on the security descriptor of the computer objects (resource computers) that reside in the trusting domain or forest. QUESTION 13 Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configured as shown in the following table.

326 The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server in the forest. You need to configure DC2 as a global catalog server. Which object's properties should you modify? To answer, select the appropriate object in the answer area. Hot Area: Correct Answer:

327 / To designate a domain controller to be a global catalog server 1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services. 2. In the console tree, expand the Sites container, and then expand the site in which you are designating a global catalog server. 3. Expand the Servers container, and then expand the Server object for the domain controller that you want to designate as a global catalog server. 4. Right-click the NTDS Settings object for the target server, and then click Properties. 5. Select the Global Catalog check box, and then click OK. QUESTION 14 Your network contains an Active Directory forest named contoso.com. The forest contains two Active Directory sites named Seattle and Montreal. The Montreal site is a branch office that contains only a single read-only domain controller (RODC). You accidentally delete the site link between the two sites. You recreate the site link while you are connected to a domain controller in Seattle. You need to replicate the change to the RODC in Montreal. Which node in Active Directory Sites and Services should you use? To answer, select the appropriate node in the answer area. Hot Area: Correct Answer:

328 / Reference 1: Site links are stored in the Configuration partition of the AD database. Reference 2: To use Active Directory Sites and Services to force replication of the configuration partition to an RODC 1. Open the Active Directory Sites and Services snap-in (Dssite.msc). 2. Double-click Sites, double-click the name of the site that has the RODC, double-click Servers, double-click the name of the RODC, right-click NTDS Settings, and then click Replicate configuration to the selected DC. 3. Click OK to close the message indicating that AD DS has replicated the connections. QUESTION 15 Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configured as shown in the following table. You need to enable universal group membership caching in the Seattle site. Which object's properties should you modify? To answer, select the appropriate object in the answer area.

329 Hot Area: Correct Answer: / Configure Universal Group Membership Caching in Active Directory You can enable or disable universal group membership caching by following these steps: 1. In Active Directory Sites And Services, expand and then select the site you want to work with.

330 2. In the details pane, right-click NTDS Site Settings, and then click Properties. 3. To enable universal group membership caching, select the Enable Universal Group Membership Caching check box on the Site Settings tab. Then, in the Refresh Cache From list, choose a site from which to cache universal group memberships. The selected site must have a working global catalog server. 4. To disable universal group membership caching, clear the Enable Universal Group Membership Caching check box on the Site Settings tab. 5. Click OK. QUESTION 16 Your network contains an Active Directory forest named contoso.com. The forest contains six domains. You need to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix of litwareinc.com when they create user accounts by using Active Directory Users and Computers. Which tool should you use? A. Active Directory Domains and Trusts B. Set-ADDomain C. Active Directory Sites and Services D. Active Directory Users and Computers Correct Answer: A / Many thanks to Camel73 for supplying this new question! To add UPN suffixes 1. Open Active Directory Domains and Trusts. 2. In the console tree, right-click Active Directory Domains and Trusts, and then click Properties. 3. On the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add. 4. Repeat step 3 to add additional alternative UPN suffixes.