70-640 Flashcards
1
Q
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
Only one Active-Directory integrated zone has been configured in the ABC.com domain. ABC.com has requested that you configure DNS zone to automatically remove DNS records that are outdated.
What action should you consider?
A. You should consider running the netsh /Reset DNS command from the Command prompt.
B. You should consider enabling Scavenging in the DNS zone properties page.
C. You should consider reducing the TTL of the SOA record in the DNS zone properties page.
D. You should consider disabling updates in the DNS zone properties page.
A
Answer:
B. You should consider enabling Scavenging in the DNS zone properties page.
Explanation: In the scenario you should enable scavenging through the zone properties because scavenging removes the outdated DNS records from the DNS zone automatically. You should additionally note that patience would be required when enabling scavenging as there are some safety valves built into scavenging which takes long to pop.
2
Q
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a server named ABC-SR15. You install the Active Directory Lightweight Directory Services (AD LDS) on ABC-SR15.
Which of the following options can be used for the creation of new Organizational Units (OU’s) in the application directory partition of the AD LDS?
A. You should run the net start command on ABC-SR15.
B. You should open the ADSI Edit Microsoft Management Console on ABC-SR15.
C. You should run the repadmin /dsaguid command on ABC-SR15.
D. You should open the Active Directory Users and Computers Console on ABC-SR15.
A
Answer:
B. You should open the ADSI Edit Microsoft Management Console on ABC-SR15.
Explanation: You need to use the ADSI Edit snap-in to create new OUs in the AD LDS application directory partition. You also need to add the snap-in in the Microsoft Management Console (MMC).
3
Q
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has two domain controllers named ABC-DC01 and ABC-DC02. ABC-DC01 suffers a catastrophic failure. This failure is causing problems because ABC-DC01 was configured to host Schema Master Operations role. You log on to the ABC.com domain as a domain administrator but your attempts to transfer the Schema Master Operations role to ABC-DC02 are unsuccessful.
What action should you take to transfer the Schema Master Operations role to ABC-DC02?
A. Your best option would be to have the dcpromo /adv command executed on ABC-DC02.
B. Your best option would be to have the Schema Master role seized to ABC-DC02.
C. Your best option would be to have Schmmgmt.dll registered on ABC-DC02.
D. Your best option would be to add your user account to the Schema Administrators group.
A
Answer:
B. Your best option would be to have the Schema Master role seized to ABC-DC02.
Explanation: To ensure that ABC-DC02 holds the Schema Master role you need to seize the Schema Master role on ABC-DC02. Seizing the schema master role is a drastic step that should be considered only if the current operations master will never be available again. So to transfer the schema master operations role, you have to seize it on ABC-DC02.
4
Q
You work as the network administrator at ABC.com. The ABC.com network has a single forest. The forest functional level is set at Windows Server 2008.
The ABC.com network has a Microsoft SQL Server 2005 database server named ABC-DB04 that hosts the Active Directory Rights Management Service (AD RMS).
You try to access the Active Directory Rights Management Services administration website but received an error message stating:
“SQL Server does not exist or access is denied.”
How can you access the AD RMS administration website?
A. You need to restart the Internet Information Server (IIS) service and the MSSQLSVC service on ABC-DB04.
B. You need to install the Active Directory Lightweight Directory Services (AD LDS) on ABC-DB04.
C. You need to reinstall the AD RMS instance on ABC-DB04.
D. You need to reinstall the SQL Server 2005 instance on ABC-DB04. E. You need to run the DCPRO command on ABC-SR04
A
Answer:
A. You need to restart the Internet Information Server (IIS) service and the MSSQLSVC service on ABC-DB04.
Explanation: You need to restart the internet information server (IIS) to correct the problem. The starting of the MSSQULSVC service will allow you to access the database from AD RMS administration website.
5
Q
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. The ABC.com network has a Windows Server 2008 computer named ABC-SR03 that functions as an Enterprise Root certificate authority (CA).
A new ABC.com security policy requires that revoked certificate information should be available for examination at all times.
What action should you take adhere to the new policy?
A. This can be accomplished by having a list of trusted certificate authorities published to the ABC.com domain.
B. This can be accomplished by having the Online Certificate Status Protocol (OCSP) responder implemented.
C. This can be accomplished by having the OCSP Response Signing certificate imported.
D. This can be accomplished by having the Startup Type of the Certificate Propagation service set to Automatic.
E. This can be accomplished by having the computer account of ABC-SR03 added to the ABCCertificates group.
A
Answer:
B. This can be accomplished by having the Online Certificate Status Protocol (OCSP) responder implemented.
Explanation: You should use the network load balancing and publish an OCSP responder. This will ensure that the revoked certificate information will be available at all times. You do not need to download the entire CRL to check for revocation of a certificate; the OCSP is an online responder that can receive a request to check for revocation of a certificate. This will also speed up certificate revocation checking as well as reducing network bandwidth tremendously.
6
Q
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
You are responsible for managing two servers named ABC-SR01 and ABC-SR02. They are setup with the following configuration.
- ABC-SR01 running Enterprise Root certificate authority (CA)
- ABC-SR02 running Online Responder role service
What actions must you perform for the Online Responder to be supported on ABC-SR01?
A. You should enable the Dual Certificate List extension on ABC-SR01.
B. You should ensure that ABC-SR01 is a member of the CertPublishers group.
C. You should import the OCSP Response Signing certificate to ABC-SR01.
D. You should enable the Authority Information Access (AIA) extension on ABC-SR01.
E. You should run the CERTSRV command on ABC-SR01.
A
Answer:
D. You should enable the Authority Information Access (AIA) extension on ABC-SR01.
Explanation: In order to configure the online responder role service on ABC-SR01 you need to configure the AIA extension. The authority information access extension will indicate how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include on-line validation services and CA policy data. This extension may be included in subject or CA certificates, and it MUST be non-critical
7
Q
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista.
The ABC.com network has a client computer named ABC-WS640 that was last used six months ago. During the course of the day you attempt to log on to ABC-WS640 but you are unable to authenticate during the logon process.
What action should you consider in order to log on to ABC-WS640?
A. You should consider opening the command prompt on ABC-WS640 and running the netsh set machine command.
B. You should consider opening the command prompt on ABC-WS640 and running the repadmin command.
C. You should consider removing ABC-WS640 from the domain and then rejoining it.
D. You should consider deleting the computer account for ABC-WS640 in Active Directory Users and Computers, and then recreate the computer account.
A
Answer:
C. You should consider removing ABC-WS640 from the domain and then rejoining it.
Explanation: In the scenario you should have the computer disjoined from the domain and rejoined to the domain whilst having the computer account reset as well. You should additionally note that the long inactivity caused the computer to stop responding to the authentication query using the Active Directory records. You should note by disjoining and rejoining with the account being reset would refresh the computer account passwords.
8
Q
You work as an enterprise administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com.
The ABC.com network has a Windows Server 2008 domain controller named ABC-DC01 that hosts the Directory Services Recovery Mode (DSRM) role.
What would be the best option to take to have the DSRM password reset?
A. The best option is to open the Active Directory Security for Computers snap-in. B. The best option is to run the ntdsutil command.
C. The best option is to run the Netsh command.
D. The best option is to open the Domain Controller security snap-in.
A
Answer:
B. The best option is to run the ntdsutil command.
Explanation: You should use the ntdsutil utility to reset the DSRM password. You can use Ntdsutil.exe to reset this password for the server on which you are working, or for another domain controller in the domain. Type ntdsutil and at the ntdsutil command prompt, type set dsrm password.
9
Q
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. ABC.com has two offices in Chicago and Dallas.
The network has the following setup.
- Chicago Office - Domain Controller named ABC-DC01
- Dallas Office - Read-Only Domain Controller named ABC-DC02
How can you make sure that Dallas Office users use only ABC-DC02 for authentication?
A. You should consider having ABC-DC02 configured as a bridehead server in the Dallas office.
B. You should consider installing and configuring the Password Replication Policy on ABC-DC02.
C. You should consider having ABC-DC01 configured as a bridehead server in the Chicago office.
D. You should consider installing and configuring the Password Replication Policy on ABC-DC01.
E. You should consider having the Global Catalog installed on ABC-DC01.
A
Answer:
D. You should consider installing and configuring the Password Replication Policy on ABC-DC01.
Explanation: When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner.
The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.
10
Q
You work as the network administrator at ABC.com. The ABC.com network has a domain named intl.ABC.com. All servers on the ABC.com network run Windows Server 2008. The domain controllers on the ABC.com domain are configured to function as DNS servers.
What action should you take to ensure that computers that are not part of the intl.ABC.com domain are not able to dynamically register their DNS registration information in the intl.ABC.com zone?
A. You should consider removing the .(root) zone from the intl.ABC.com zone.
B. You should consider running the dnscmd /AgeAllRecords command.
C. You should consider configuring Secure Only dynamic updates.
D. You should consider configuring the intl.ABC.com zone as an Active Directory integrated zone.
A
Answer:
C. You should consider configuring Secure Only dynamic updates.
Explanation: In order to ensure that only domain members are able to register their DNS records dynamically you need to set the option Secure only for Dynamic updates. This will only allow the domain members to register their DNS records dynamically.
11
Q
You work as a network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has two servers named ABC-SR01 and ABC-SR02 that are configured as domain controllers and as DNS servers. Both servers have the following setup for the ABC.com domain.
- ABC-SR01 - Standard Primary zone
- ABC-SR02 - Standard Secondary zone.
You have to perform the following tasks
- Perform the replication of ABC.com Zone Data * Make sure that Zone Data maintains encryption
- Prevent the loss of Zone Data
How can you accomplish these goals. (Each correct answer presents part of the solution. (Choose TWO.)
A. You should consider having the zone transfer settings configured on ABC-SR01 and ABC- SR02.
B. You should consider having the primary zone on ABC-SR02 converted to an Active Directory- integrated stub zone.
C. You should consider having the primary zone on ABC-SR01 converted to an Active Directory- integrated zone.
D. You should consider having the secondary zone on ABC-SR02 deleted.
E. You should consider having the primary zone on ABC-SR01 deleted.
A
Answer: C,D
C. You should consider having the primary zone on ABC-SR01 converted to an Active Directory- integrated zone.
D. You should consider having the secondary zone on ABC-SR02 deleted.
Explanation: In the scenario you should have the ABC.com primary zone converted to an active directory-integrated zone and delete the secondary zone as this would ensure replication of the ABC.com zone is encrypted whilst preventing data loss.
12
Q
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
All master roles in the forest are maintained at a domain controller ABC-DC01. You have another domain controller in the network named ABC-DC02 which contains better hardware and can improve performance. ABC-DC01 is to be removed from the network.
Which option can you select in order to ensure that proper roles are transferred to ABC-DC02 without disrupting the forest wide operations?
A. You should consider transferring the RID Master role and the Schema master role.
B. You should consider transferring the Schema master role and the Domain naming master role.
C. You should consider transferring the Infrastructure master role and the PDC emulator role.
D. You should consider transferring the Infrastructure master role and the Domain naming master role.
E. You should consider transferring the RID Master role and the PDC emulator role.
A
Answer:
B. You should consider transferring the Schema master role and the Domain naming master role.
Explanation: In order to transfer all forest-wide operation master roles to another domain you need to transfer Domain naming master as well as the Schema master. Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest. Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
13
Q
You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. The ABC.com network has a domain controller named ABC-DC01 that has a single hard drive named Drive C. Drive C hosts the ntds.dit database. You have installed an additional hard drive named Drive D on ABC-DC01.
What would be the best option to take to transfer the ntds.dit database to Drive D?
A. The best option is to run the Ntdsutil command with the Files option.
B. The best option is to open the Windows Power Shell and use the Copy and Paste functions. C. The best option is to run the xcopy command.
D. The best option is to open the Windows Explorer and use the Cut and Paste functions.
A
Answer:
A. The best option is to run the Ntdsutil command with the Files option.
Explanation: The way you move the Active Directory database to a new volume, is to move the ntds.dit file to the new volume by opening the Files option in the ntdsutil utility. Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing partition.
14
Q
You work as the network administrator at ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a server named ABC-SR01 that functions as an Enterprise Root certificate authority (CA).
What action should you take to configure ABC-SR01 to support key archival?
A. The Hisecdc security template should be applied to ABC-SR01.
B. The OCSP Response Signing certificate should be imported to ABC-SR01.
C. The private key on ABC-SR01 should be archived.
D. The Startup Type of the Certificate Propagation service on ABC-SR01 should be set to Automatic.
A
Answer:
C. The private key on ABC-SR01 should be archived.
15
Q
You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com that operates at the Windows Server 2008 functional level.
How can you configure the network so that it allows the users of ABC.com to have multiple password policies?
A. You should consider creating multiple class schema objects in the Schema console.
B. You should consider creating multiple Group Policy objects in the Group Policy Management console.
C. You should consider creating multiple Password Setting objects in the ADSI Edit console.
D. You should consider creating multiple passwords in Active Directory Users and Computers.
A
Answer:
C. You should consider creating multiple Password Setting objects in the ADSI Edit console.
16
Q
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com Network contains a server which is configured as:
- Domain Controller
- DNS Server
What option can you use to ensure tracking of all DNS queries received by ABC-SR01?
A. You should consider having automatic logging for recursive queries enabled in the DNS Manager Console on ABC-SR01.
B. You should consider having debug logging enabled in the DNS Manager Console on ABC- SR01.
C. You should consider having event logging configured in the DNS Manager Console on ABC- SR01.
D. You should consider having system event logging configured in the Even Viewer on ABC- SR01.
A
Answer:
B. You should consider having debug logging enabled in the DNS Manager Console on ABC- SR01.
17
Q
You work as an enterprise administrator at ABC.com. All servers on the ABC.com network run Windows Server 2008. ABC.com has its headquarters in Chicago and a branch office in Miami. The two offices are configured as separate sites.
The Miami site contains a domain controller named ABC-DC06. You receive an instruction from the CIO to install a new application at the Miami office. In order for the application to run a Global Catalog server is required.
What action should you consider to add a Global Catalog server to the Miami site?
A. You should consider running the DCPROMO command on ABC-DC06 to install the Global Catalog.
B. You should consider using the Server Manager console to configure ABC-DC06 as a Global Catalog server.
C. You should consider using the Active Directory Domains and Trusts console to configure ABC- DC06 as a Global Catalog server.
D. You should consider using the Active Directory Sites and Services console to configure the ABC-DC06 as a Global Catalog server.
A
Answer:
D. You should consider using the Active Directory Sites and Services console to configure the ABC-DC06 as a Global Catalog server.
18
Q
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The network contains two sites named London and Paris. The following configuration applies to each location.
London
* Single Domain Controller named ABC-DC01 * Separate Active Directory Site.
Paris
* Single Domain Controller named ABC-DC02 * Separate Active Directory Site.
Network Setup
* Both Active Directory Sites are using DEFAULTIPSITELINK object for connectivity.
What action should you take to reduce the delay during replication between ABC-DC01 and ABC- DC02?
A. You should consider having the replication interval for the DEFAULTIPSITELINK object decreased.
B. You should consider having the replication schedule for the DEFAULTIPSITELINK object increased.
C. You should consider having the cost for the DEFAULTIPSITELINK object decreased.
D. You should consider having a site link bridge installed between ABC-DC01 and ABC-DC02.
A
Answer:
A. You should consider having the replication interval for the DEFAULTIPSITELINK object decreased.
19
Q
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has two servers named ABC-SR01 and ABC-SR02.
- ABC-SR01 - Enterprise Root certificate authority (CA).
- ABC-SR02 - Hosts the Online Responder role.
What step you can perform to make sure that ABC-SR02 is issuing the certificate revocation lists (CRL).
A. You should enable the Dual Certificate List extension on ABC-SR02.
B. You should ensure that ABC-SR02 is a member of the CertPublishers group.
C. You should import the enterprise root CA certificate and the OCSP Response Signing certificate.
D. You should enable the Authority Information Access (AIA) extension on ABC-SR02.
E. You should run the CERTSRV command on ABC-SR02.
A
Answer:
C. You should import the enterprise root CA certificate and the OCSP Response Signing certificate.
20
Q
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista.
During the course of the day a ABC.com user named Rory Allen complains that he cannot logon to the ABC.com domain from his client computer. When he attempt to, he receives an error message stating that his account has expired.
What action should you consider to have Rory Allen log on to the ABC.com domain from his client computer?
A. You should consider reducing the account lockout duration in the default domain policy.
B. You should consider resetting Rory Allen’s user account.
C. You should consider setting Rory Allen’s user account to never expire.
D. You should consider resetting the computer account for Rory Allen’s client computer.
A
Answer:
C. You should consider setting Rory Allen’s user account to never expire.
21
Q
You work as the network administrator at ABC.com. ABC.com has its headquarters in London. The ABC.com network has a domain named ABC.com that consists of a single Active Directory site named LondonSite. The LondonSite contains a domain controller named ABC-DC01.
ABC.com opens a branch office in York and you create another Active Directory site named YorkSite.
How can you have Active Directory replication configured between the two sites?
A. You need to consider installing a new domain controller in YorkSite and creating a site link between the two sites. Then you should consider decreasing the site link cost.
B. You need to consider installing a new domain controller in the LondonSite and configuring it as a preferred bridgehead server.
C. You need to consider installing a new domain controller in the LondonSite and configuring a new site link bridge between the two sites.
D. You need to consider installing a new domain controller in the YorkSite and configuring a new IP subnet for the YorkSite.
A
Answer:
D. You need to consider installing a new domain controller in the YorkSite and configuring a new IP subnet for the YorkSite.
22
Q
You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. The ABC.com network has three domain controllers named ABC-DC01, ABC- DC02 and ABC-DC03 that run Windows Server 2003. ABC.com purchases a new Windows Server 2008 computer named ABC-SR04.
What is the first step you should take to install ABC-SR04 as a domain controller on the ABC.com network?
A. You should consider running the dconfig command on ABC-SR04.
B. You should consider running the adprep /forestprep command on ABC-DC01.
C. You should consider raising the domain functional level to Windows Server 2008.
D. You should consider running the adprep /domainprep command on ABC-DC01.
E. You should consider running the dcpromo /remove command on ABC-DB01, ABC-DB02 and ABC-DB03.
A
Answer:
B. You should consider running the adprep /forestprep command on ABC-DC01.
23
Q
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
A new ABC.com domain controller management policy states that replication errors need to be logged to a central server.
How would you implement this policy?
A. You should consider having the RepMonitor configured for central logging.
B. You should consider having the System Performance data collector set is started on each domain controller.
C. You should consider having event log subscriptions created on each domain controller.
D. You should consider having the RepAdmin Diagnostics data collector started on each domain controller.
A
Answer:
C. You should consider having event log subscriptions created on each domain controller.
24
Q
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has six domain controllers named ABC-DC01, ABC-DC02, ABC-DC03, ABC-DC04, ABC-DC05 and ABC-DC06. All six domain controllers function as DNS servers. You are in the process of implementing a new Active Directory-integrated DNS zone.
What action should you take first if you want the new zone replicated only to ABC-DC05 and ABC- DC06?
A. You should consider having the dnscmd /createdirectorypartition command executed on ABC- DC05 and ABC-DC06.
B. You should consider having the dnscmd /config command executed on ABC-DC05 and ABC- DC06.
C. You should consider having the .(root) zone is deleted from ABC-DC01, ABC-DC02, ABC- DC03 and ABC-DC04.
D. You should consider having BIND secondaries enabled on ABC-DC05 and ABC-DC06.
E. You should consider having the dnscmd /unenlistdirectorypartition command executed on ABC- DC01, ABC-DC02, ABC-DC03 and ABC-DC04.
A
Answer:
A. You should consider having the dnscmd /createdirectorypartition command executed on ABC- DC05 and ABC-DC06.
25
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a domain controller named ABC-SR01 that also functions as a DNS server. You add a new stand alone server named ABC-SR02 and configure it as a DNS server. You then configure a standard secondary zone on ABC-SR02 with ABC-SR01 as the master server.
What action should you take to have zone updates replicated from ABC-SR01 to ABC-SR02?
A. You should consider having ABC-SR02 made a member of the DNSUpdateProxy group.
B. You should consider having the permission of the ABC.com zone modified on ABC-SR01.
C. You should consider having the dnscmd /ZoneUpdateFromDs command run on ABC-SR02.
D. You should consider having the zone transfer settings of the ABC.com zone configured on ABC-SR01.
E. You should consider having ABC-SR02 promoted to a domain controller.
Answer:
D. You should consider having the zone transfer settings of the ABC.com zone configured on ABC-SR01.
26
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a server named ABC-SR03 that functions as an Enterprise Root certification authority (CA). ABC.com issues a new security policy that states that only a ABC.com CEO named Kara Lang must be allowed to sign code.
What action should you take to implement this policy? (Choose all that apply.)
A. You should publish a list of trusted certificate authorities and only grant Kara Lang the necessary permissions to access the Trusted Publishers list.
B. You should apply the code signing template to ABC-SR03 and configure the template only grant Kara Lang the necessary permissions to request code signing certificates.
C. You should import the Online Certificate Status Protocol (OCSP) Response Signing certificate to ABC-SR03 and only grant Kara Lang the necessary permissions to distribute code signing certificates.
D. You should add ABC-SR03 to the CertPublishers group and only grant Kara Lang the necessary permissions to manage ABC-SR03.
Answer:
B. You should apply the code signing template to ABC-SR03 and configure the template only grant Kara Lang the necessary permissions to request code signing certificates.
27
You work as a systems administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
You are responsible for managing a stand-alone server named ABC-SR05. You are in the process of configuring ABC-SR05 as an Enterprise certification authority (CA). You now want to assign the Active Directory Certificate Services (AD CS) role to ABC-SR05. However, you notice that you cannot select the Enterprise CA option.
What action should you take configuring ABC-SR05 as an Enterprise CA?
A. Your best option would be to first configure ABC-SR05 as a Standalone CA.
B. Your best option would be to first have ABC-SR05 joined to the ABC.com domain.
C. Your best option would be to first install Internet Information Services (IIS) on ABC-SR05.
D. Your best option would be to first assign the Active Directory Certificate Services (AD CS) role to ABC-SR05.
Answer:
B. Your best option would be to first have ABC-SR05 joined to the ABC.com domain.
28
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista Enterprise Edition. All client computers are located in an Organizational Unit named ClientPCs.
ABC.com has acquired a new third-party application that you need to install on the client computers. Before you can install the application you need prepare the client computers by applying a file named ABCApp.adm to them. The ABCApp.adm file makes changes to the registry on the client computers.
What action should you take to apply the ABCApp.adm file?
A. Your best option would be to create a transformation package that applies the ABCApp.adm file and assign the package to the client computers.
B. Your best option would be to copy the ABCApp.adm file to a network share and write a Microsoft Windows PowerShell script that applies the file to the client computers.
C. Your best option would be to write that the Microsoft Windows PowerShell script that copies the ABCApp.adm file to the client computers.
D. Your best option would be to create a Group Policy Object (GPO) that imports the ABCApp.adm and link the GPO to the ClientPCs OU.
Answer:
D. Your best option would be to create a Group Policy Object (GPO) that imports the ABCApp.adm and link the GPO to the ClientPCs OU.
29
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista. ABC.com has its headquarters in London and branch offices in Lisbon, Madrid and Paris. Each office is structured as a separate site named London, Lisbon, Madrid and Paris.
Due to company growth, ABC.com has hired 150 additional employees that are distributed among the four sites. You create user accounts for the new ABC.com users. However, the new users complain that when they attempt to logon to the domain they receive an error message stating that their username or password is incorrect.
What action should you take to allow the new ABC.com users to log on to the domain?
A. You should consider resetting the user accounts for the new users.
B. You should consider adding the new users to the Remote Desktop Users group.
C. You should consider running the repadmin /replicate command.
D. You should consider install Global Catalog servers at the Lisbon, Madrid and Paris sites.
Answer:
C. You should consider running the repadmin /replicate command.
30
You work as the network administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com.
The ABC.com network has four Windows Server 2008 domain controllers named ABC-DC01, ABC-DC02, TESKING-DC03 and ABC-DC04. All four domain controllers run the DNS Server role and are part of an Active Directory integrated zone. The ABC.com network also has a UNIX-based DNS server named ABC-SR05.
One of the administrators in your department created an Active Directory-integrated zone for ABC.com. During the course of the day you receive instruction to permit zone transfers of the ABC.com zone to ABC-SR05.
What action should you take to ensure that zone transfers to ABC-SR05 can occur?
A. You should consider installing Active Directory Lightweight Directory Services (AD LDS) on ABC-SR05.
B. You should consider running the dcpromo command on ABC-SR05.
C. You should consider having a stub zone created for ABC-SR05.
D. You should consider configuring BIND secondaries.
Answer:
D. You should consider configuring BIND secondaries.
31
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. The ABC.com has a Windows Server 2008 domain controller named ABC-DC01.
You log on as the Domain Administrator on ABC-DC01 to view the Active Directory Schema console. However, you cannot locate the Active Directory Schema console.
What action should you take to locate the console?
A. You should consider running the net start "Active Directory Services" command on ABC-DC01. B. You should have the Schema Master Operations role assigned to ABC-DC01.
C. You should consider having Schmmgmt.dll registered on ABC-DC01.
D. You should consider logging on to ABC-DC01 as the Local Administrator.
Answer:
C. You should consider having Schmmgmt.dll registered on ABC-DC01.
32
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a server named ABC-SR02 that functions as stand-alone Certificate Authority (CA). You want to track any modifications made to the configuration and security settings of ABC-SR02.
What action should you take?
A. You should configure auditing in the Certification Services console. B. You should add ABC-SR02 to the ABCCertificates group.
C. You should configure the Audit object Access setting on ABC-SR02.
D. You should join ABC-SR02 to the ABC.com domain.
E. You should enable the Authority Information Access (AIA) extension on ABC-SR02.
Answer:
C. You should configure the Audit object Access setting on ABC-SR02.
33
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. The domain functional level is set at Windows Server 2008.
The ABC.com network has a file server named ABC-SR04. You configure a shared folder named KINGDATA on ABC-SR04. You then move users to a new global distribution group named DISTGRP. You grant a domain local group named DLOCGRP access to KINGDATA. You then add DISTGRP to DLOCGRP.
What action should you take to make sure that all users in the DISTGRP group are able to access the KINGDATA share?
A. You should configure DISTGRP to be a universal distribution group.
B. You should configure DISTGRP to be a security group.
C. You should configure DLOCGRP to be a universal security group.
D. You should add the DISTGRP to the Local Administrators group on ABC-SR04.
Answer:
B. You should configure DISTGRP to be a security group.
34
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. ABC.com has its headquarters in Chicago.
ABC.com opens a new branch office in Dallas. You need to allow ABC.com users in the Dallas office to access network resources in the Chicago office. You assign the ABC.com users in the Dallas office the Read and Execute permissions to the network resources in the Chicago office. You then create a VPN connection which the ABC.com users in the Dallas office will use to establish connectivity to the Chicago office. However, the users in the Dallas office report that they cannot connect to the Chicago office by using the VPN connection.
What action should you take to resolve this problem?
A. Your best option would to assign the Allow Access Dial-in permission to the users in the Dallas office.
B. Your best option would to make the users in the Dallas office members of the Remote Desktop Users security group.
C. Your best option would to make the users in the Dallas office members of the Network Configuration Operators security group.
D. Your best option would to delete and recreate the VPN connection.
Answer:
A. Your best option would to assign the Allow Access Dial-in permission to the users in the Dallas office.
35
You work as the network administrator at ABC.com. The network has the following configuration.
* Server named ABC-DC01.
* Setup as a domain controller.
* Running Windows Server 2008.
The client computers are using Lightweight Directory Access (LDAP).
What action should you take to determine which LDAP clients are consuming the most CPU resources on ABC-DC01?
A. You should open System Information and view the Hardware Resources node.
B. You should open Task Manager and view the Processes tab.
C. You should open the Active Directory Diagnostics Data Collector and view of the Active Directory report.
D. You should open the Resource Monitor and view the CPU performance data.
Answer:
C. You should open the Active Directory Diagnostics Data Collector and view of the Active Directory report.
36
You work as an enterprise administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com. All servers on the ABC.com network run Windows Server 2003.
You need to upgrade the domain controllers from Windows Server 2003 to Windows 2008.
What command can be used on the Windows Server 2003 servers to prepare ABC.com for the upgrade?
A. You should execute the dcpromo /adv command.
B. You should execute the adprep /forestprep and the adprep /domainprep commands.
C. You should set the domain functional level to Windows Server 2008.
D. You should execute the dcpromo /createdcaccount command.
Answer:
B. You should execute the adprep /forestprep and the adprep /domainprep commands.
37
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a server named ABC-SR01 configured as a domain controller as well as a DNS server configured with several Active Directory Integrated Zones.
What action should you take if you want to copy the zone files on ABC-SR01 to a network share?
A. You should consider having the dnscmd /ZoneExport command executed on ABC-SR01.
B. You should consider having the dnscmd /WriteBackFiles command executed on ABC-SR01.
C. You should consider having the dnscmd /Info command executed on ABC-SR01.
D. You should consider having the dnscmd /EnumRecords command executed on ABC-SR01.
E. You should consider having the dnscmd /EnumZones command executed on ABC-SR01.
Answer:
A. You should consider having the dnscmd /ZoneExport command executed on ABC-SR01.
38
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. ABC.com has its headquarters in Seattle and branch offices in Dallas, Miami and Chicago. Each office is configured as a separate site named Seattle, Dallas, Miami and Chicago.
The Seattle site as three domain controllers named ABC-DC01, ABC-DC02 and ABC-DC03. The Dallas site has a single domain controller named ABC-DC04, the Miami site has a single domain controller named ABC-DC05 and the Chicago site has a single domain controller named ABC- DC06. ABC-DC01, ABC-DC02 and ABC-DC03 are configured as Global Catalog servers.
Where should you consider deactivating the Universal Group Membership Caching (UGMC) option at the Dallas, Miami and Chicago offices?
A. You should consider deactivating the UGMC in Active Directory Users and Computers.
B. You should consider deactivating the UGMC at the Site level.
C. You should consider deactivating the UGMC through a Group Policy Object linked to the domain.
D. You should consider deactivating the UGMC at the Organizational Unit (OU) level.
Answer:
B. You should consider deactivating the UGMC at the Site level.
39
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2003.
You have just performed the migration of domain controllers from Windows 2003 to Windows 2008.
Which of following commands can be used to configure DFS Replication (DFS-R) to replicate the Sysvol share?
A. This can be accomplished by running the netdom /dfs -r command.
B. This can be accomplished by raising the domain functional level to Windows Server 2008.
C. This can be accomplished by running dfsutil /share:sysvol command.
D. This can be accomplished by running dfsutil /addstdroot command.
Answer:
B. This can be accomplished by raising the domain functional level to Windows Server 2008.
40
You work as an enterprise administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com. The forest functional level is set at Windows Server 2003 Native Mode. ABC.com has its headquarters in Chicago and a branch office in Dallas.
The ABC.com network has three Windows Server 2003 domain controllers named ABC-DC01, ABC-DC02 and ABC-DC03 that are located in the Chicago office. You want to install a read-only domain controller (RODC) named ABC-DC04 in the Dallas office.
What action should you consider?
A. You should consider upgrading ABC-DC01 to Windows Server 2008 and then execute the adprep /rodcprep command on ABC-DC01.
B. You should consider configuring the Dallas network as a separate site and upgrading ABC- DC04 to Windows Server 2008.
C. You should consider upgrading all domain controllers to Windows Server 2008 and having the forest functional level set to Windows Server 2008.
D. You should consider configuring the Dallas network as a child domain with the domain functional level set at Windows Server 2008.
Answer:
A. You should consider upgrading ABC-DC01 to Windows Server 2008 and then execute the adprep /rodcprep command on ABC-DC01.
41
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
You have a workstation called ABC-WS10 and performed the following tasks:
* Install Windows 7 Professional.
You plan to join ABC-WS10 to the domain. You want to ensure that a computer account for ABC- WS10 is created in a specific organizational unit (OU) instead of the default Computers container in Active Directory.
What action should you take to ensure that the ABC-WS10 computer account is created in an organizational unit (OU)?
A. You should consider using the ntdsutil command.
B. You should consider using the csvde command.
C. You should consider using the Idifde command.
D. You should consider using the dsadd command.
Answer:
D. You should consider using the dsadd command.
42
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All server on the ABC.com network run Windows Server 2008. The ABC.com network has two domain controllers named ABC-DC01 and ABC-DC02.
What action should you take to verify the successful replication of Active Directory information from ABC-DC01 to ABC-DC02?
A. You should execute the RepAdmin command on ABC-SR02.
B. You should execute the Dnscmd command on ABC-SR02.
C. You should execute the Dsmod command on ABC-SR02.
D. You should execute the RepMonitor command on ABC-SR02. E. You should execute the Rsdiag command on ABC-SR02.
Answer:
A. You should execute the RepAdmin command on ABC-SR02.
Explanation: RepAdmin is a command line utility which is used to view as well as configure Windows Server 2008 replication amid domain controllers.
43
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2. ABC.com has its headquarters in London and a branch office in Paris.
You are planning to install Windows Server 2008 on a domain controller at each office. IP addresses will be assigned using a Dynamic Host Configuration Protocol (DHCP) server at each office. Your solution must meet the following requirements:
* Administrators in London need to be able to create and modify Active Directory accounts.
* Administrators in Paris need to be able to update drivers on the domain controller in Paris, but should not be able to create or modify user accounts.
* Records in the Domain Name System (DNS) database must be kept up to date.
* Only Active Directory domain members can register with the DNS server.
* Name resolution traffic across the Wide Area Network (WAN) link should be minimized.
How would you plan the DNS configuration? (Each correct answer presents part of the solution. Choose two.)
A. Deploy a standard primary zone in London.
B. Deploy an Active Directory-Integrated zone in Paris.
C. Deploy a primary read-only zone in Paris.
D. Deploy a stub zone in Paris.
E. Deploy an Active Directory-Integrated zone in London.
Answer:
B. Deploy an Active Directory-Integrated zone in Paris.
E. Deploy an Active Directory-Integrated zone in London.
44
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
You have deployed Active Directory Federation Services (AD FS) in your organization. You need to configure another organization as a federated partner. Your organization is the resource partner in this partnership.
You need to exchange partner values with the partner organization.
How would you accomplish this task using as little administrative effort as possible?
A. Add your partner's domain as an Active Directory Domain Services (AD DS) Account store.
B. Export your trust policy files and send the resulting file to the partner administrator.
C. Have the partner send its federation server's validation certificate.
D. Deploy an AD FS Proxy in the partner's perimeter network.
Answer:
B. Export your trust policy files and send the resulting file to the partner administrator.
45
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. A computer running Microsoft Windows Server 2008 is configured as a domain controller. The computer also supports other services, including the Dynamic Host Configuration Protocol (DHCP) service.
You need to move the Active Directory database on the computer. You must minimize the impact on the other services running on the computer.
What could be your first actions? (Each correct answer presents a complete solution. Choose two.)
A. Use Computer Manager to stop the Active Directory service.
B. Run Net stop to stop the Active Directory service.
C. Run Ntdsutil to compact the database.
D. Run Dcpromo to force removal of the Active Directory Domain Services (AD DS) role.
E. Restart the domain controller in Directory Services Restore Mode (DSRM).
Answer:
A. Use Computer Manager to stop the Active Directory service.
B. Run Net stop to stop the Active Directory service.
46
You work as the network administrator at ABC.com. The ABC.com network consists of 10 Microsoft Windows Server 2008 domain controllers. There are also 15 member servers running Windows Server 2008 and 1,000 client computers running Windows XP Professional. All computers are members of a single Active Directory domain. A Public Key Infrastructure (PKI) is also in place using Active Directory Certificate Services. ABC.com users are required to enroll for a User certificate using Web enrollment.
The users complain that the response time is very slow when accessing servers that host financial data. Certificate authentication is required to access these servers. You discover that the network is extremely busy and network bandwidth is reaching capacity.
You need to re-configure the Certificate Authority (CA) infrastructure to help reduce traffic on the network.
What must be done?
A. Open Active Directory Sites and Services. Deny users the Enroll permission on all templates except the User template.
B. Open the Certificate Authority snap-in and configure the CA to use a Delta Certificate Revocation List (CRL).
C. Open the Certificate Templates snap-in and configure auto-enrollment instead of Web-based enrollment.
D. Open the Certificate Authority snap-in and decrease the Certificate Revocation List (CRL) publication interval.
Answer:
B. Open the Certificate Authority snap-in and configure the CA to use a Delta Certificate Revocation List (CRL).
47
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All domain controllers are running Windows Server 2008. The network currently has only a single site. ABC.com has its headquarters in Berlin and is preparing to open a branch office in Paris.
You must ensure that administrators at the Paris office can create, modify, and delete user accounts only for employees at the branch office. Administrators must be able to manage user accounts even if the link to headquarters is unavailable.
How would you accomplish this task?
A. Install a read-only domain controller (RODC) at the Paris office.
Create a global group named BranchAdmins.
Create an organizational unit (OU) named BranchUsers.
Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
B. Install a read-only domain controller (RODC) at the Paris office.
Create a global group named BranchAdmins.
Create domain local group named BranchUsers.
Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
C. Install a standard domain controller at the Paris office.
Create a global group named BranchAdmins.
Create a domain local group named BranchUsers.
Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
D. Install a standard domain controller at the Paris office.
Create a global group named BranchAdmins.
Create an organizational unit (OU) named BranchUsers.
Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
Answer:
D. Install a standard domain controller at the Paris office.
Create a global group named BranchAdmins.
Create an organizational unit (OU) named BranchUsers.
Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
48
You work as a Network Administrator for ABC.com. ABC.com has its headquarters in Los Angeles and branch offices in Denver, San Jose, and San Diego. All locations are connected through 128Kbps leased lines.
ABC.com wants you to configure a Windows 2008 Active Directory-based network. You are supposed to provide a design for the network. The ABC.com management does not want unnecessary traffic over the WAN connection.
Which of the following strategies will you implement to fulfill these requirements?
A. Create a separate site for each location. Move the domain controllers to their respective sites.
B. Create a separate site for each location. Keep all domain controllers at the headquarters site.
C. Create a site for the headquarters and move all domain controllers to this site.
D. Create a single site that covers all locations. Keep all domain controllers at the headquarters.
Answer:
A. Create a separate site for each location. Move the domain controllers to their respective sites.
49
You work as a Network Administrator for ABC.com. ABC.com has a Windows 2008 Active Directory-based network. The ABC.com network consists of two sites, namely San Francisco and San Diego. These sites are connected with a high-speed T1 line as shown in the image below:
The San Francisco site is highly protected and a firewall has been configured for its security.
You create a site link to replicate the Active Directory data between the two sites. You find that the replication is not working properly. You know that the firewall is preventing data from being replicated between the two sites.
What can you do to resolve this issue?
A. Increase the cost of the site link.
B. Remove the firewall from the San Francisco site.
C. Make the firewall proxy server of the San Francisco site a preferred bridgehead server.
D. Schedule the site link to replicate the Active Directory data twenty-four hours a day.
Answer:
C. Make the firewall proxy server of the San Francisco site a preferred bridgehead server.
50
You work as a Network Administrator for ABC.com. ABC.com has a Windows 2008 Active Directory-based network. All client computers on the network run Windows Vista Ultimate. You have configured a Dynamic DNS (DDNS) on the network.
There are a lot of mobile users who often connect to and disconnect from the network. ABC.com users on the network complain of slow network responses. You suspect that the stale records on the DNS server may be the cause of the issue. You want to remove the stale records.
Which of the following technologies will you use to accomplish this task?
A. Scavenging
B. Aging
C. Forwarding
D. RODC
Answer:
A. Scavenging
51
You work as a Network Administrator for ABC.com. ABC.com has a Windows 2008 Active Directory-based single domain network. The company has organized its OU structure according to its departments. Three organizational units (OUs) named HR, Marketing, and Administration are configured in the domain.
You create a GPO named ADM and configure it to show desktop items that are required by most of the users in the Administration department. You link the GPO with the Administration OU. You find that the users in the Administration OU are not receiving the setting that was applied by the GPO on their computers. You suspect that the issue is due to some conflicting policies that are taking higher precedence on the other policies applied by the GPO.
Which of the following actions can you take to find out the policies applied on the users? (Each correct answer represents a complete solution. Choose two.)
A. Use the HFNETCHK.EXE command.
B. Use the NTDSUTIL utility.
C. Use the GPRESULT /z command.
D. Use the RSoP Wizard in logging mode.
Answer:
C. Use the GPRESULT /z command.
D. Use the RSoP Wizard in logging mode.
52
You work as a Network Administrator for ABC.com. ABC.com currently has a Windows 2000 single domain Active Directory-based network. The company wants to upgrade all its servers to Windows Server 2008 and then its network to a Windows 2008 Active Directory-based network. Before upgrading the network, you want to test the transfer of user and computer accounts from the existing environment to the new environment. You take the following steps:
* Create some test users and a test group in the existing environment. * Make these users members of the group.
* Create a new Windows 2008 forest in a new server.
Which of the following tools will you use to test the successful transfer of user and computer accounts and groups?
A. Windows Easy Transfer
B. ADMT v3
C. CSVDE
D. USMT 3.0
Answer:
B. ADMT v3
53
You work as a Network Administrator for ABC.com. ABC.com has a Windows 2008 Active Directory-based single domain network. ABC.com has its headquarters in Atlanta and a branch office in Denver Both locations have been configured as separate sites. The headquarters contains 500 users, whereas the branch office in Denver contains fifty users.
ABC.com users use an application named REPORT that requires directory access.
The ABC.com management wants to raise the level of security data. The new company policy dictates that Active Directory data must be secure. You know that the physical security in the branch office can be compromised. You need to secure the domain controller in the branch office.
Which of the following steps will you take to accomplish this task?
A. Configure universal group membership caching at the branch office. Remove the domain controller.
B. Install a global catalog server at the branch office. Remove the domain controller.
C. Install an RODC at the branch office. Remove the domain controller.
D. Place the domain controller at the branch in a strong room secured with locks and keys.
Answer:
C. Install an RODC at the branch office. Remove the domain controller.
54
You work as a Network Administrator for ABC.com. ABC.com has an Active Directory-based Windows single forest network.
Organizational units (OUs) are configured separately for each department. All the department's users and computers are placed in their respective OUs. A domain-level OU is also configured on the network to implement domain-wide policies.
A ABC.com user named Rick complains that he is unable to access an application. You suspect that a group policy is preventing Rick from accessing the application. You want to find out the effective group policies on Rick.
Which command-line tool will you use to accomplish this task?
A. GPUPDATE
B. GETRESULT
C. GPRESULT
D. Resultant Set of Policy Wizard
Answer:
C. GPRESULT
55
You work as a Network Administrator for ABC.com. ABC.com has an Active Directory-based network. You have installed Windows Server 2008 on a computer. You want to configure the server as a Certificate Authority (CA).
Which of the following utilities will you use to accomplish this task?
A. Manage Your Server
B. Configure Your Server
C. Security Configuration Wizard
D. Server Manager
Answer:
D. Server Manager
56
You work as a Network Administrator for ABC.com. ABC.com has a Windows Active Directory- based single domain network. The company's offices are located in Los Angeles, Denver, San Jose, and San Diego. All locations have been configured as separates sites. The company' headquarters is located in Los Angeles.
The network is configured as shown in the image below:

You have configured domain controllers at each site. A bridgehead server is configured at the headquarters. Each branch office contains fifty users. ABC.com users make use an Active Directory integrated application. You experience that the bridgehead server at the headquarters is receiving a lot of Active Directory replication traffic from the branch offices. You are required to reduce the Active Directory replication traffic.
Which of the following steps will you take to accomplish this task?
A. Install a global catalog server at the branch offices.
B. Configure universal group membership caching at the branch offices. Remove the domain controllers from the branch offices.
C. Replace the domain controllers at the branch offices with RODCs.
D. Change the 256kbps lines to T1 lines.
Answer:
C. Replace the domain controllers at the branch offices with RODCs.
57
You work as a Network Administrator for ABC.com. ABC.com has an Active Directory-based network.
You install Server Core of Windows Server 2008 on a computer. You want to install an Active Directory Certificate Authority (CA) on the server.
Which of the following steps will you take to accomplish this task?
A. Run the Configure Your Server wizard.
B. Run the Manage Your Server wizard.
C. You cannot install AD CA in a Server Core installation of Windows Server 2008.
D. Run the Server Manager console.
Answer:
C. You cannot install AD CA in a Server Core installation of Windows Server 2008.
58
You work as a Network Administrator for ABC.com. ABC.com has a Windows Active Directory- based single forest network. The functional level of the forest is Windows Server 2008. All client computers on the network run Windows Vista Ultimate.
ABC.com has its headquarters in San Francisco and three branch offices in San Jose, San Diego, and New Orleans. Each office is configured as a different site and each site location is configured as a separate domain. The branch offices are connected to headquarters as shown in the image below:
The location information of the resources is placed in Active Directory. Users in the New Orleans domain regularly search for available resources in Active Directory by using the Entire Directory option. The ABC.com users complain of slow response time while searching Active Directory for resources. You are required to improve the response time for users at the New Orleans office.
Which of the following steps will you take to accomplish this task?
A. Configure a domain controller of the San Francisco domain at the New Orleans site.
B. Configure universal group membership caching at the New Orleans site.
C. Upgrade the 256Kbps WAN link to a 1Mbps WAN link.
D. Configure a global catalog server at the New Orleans office.
Answer:
C. Upgrade the 256Kbps WAN link to a 1Mbps WAN link.
59
You work as a Network Administrator for ABC.com. The ABC.com network is configured as a Windows Active Directory-based single forest with a single domain named ABC.com. The network contains Windows Server 2003 and Windows Server 2008 domain controllers. Client computers on the network either run Windows Vista Ultimate or Windows XP Professional.
A new security policy is to be implemented. It requires multiple password policies to be implemented on the network. You are required to prepare the network for implementing the new security policy. Your solution must involve minimum administrative efforts.
Which of the following steps will you take to accomplish this task? (Each correct answer represents a part of the solution. Choose two.)
A. Upgrade all domain controllers running Windows Server 2003 to Windows Server 2008.
B. Raise the functional level of the forest to Windows Server 2008.
C. Configure different domains for different password policies.
D. Upgrade all computers running Windows XP Professional to Windows Vista.
E. Raise the functional level of the domain to Windows Server 2008.
Answer:
A. Upgrade all domain controllers running Windows Server 2003 to Windows Server 2008.
E. Raise the functional level of the domain to Windows Server 2008.
60
You work as a Network Administrator for ABC.com. ABC.com has a Windows Server 2003- based network.
ABC.com wants to upgrade all its Windows 2003 servers to Windows Server 2008. Before upgrading the servers, you want to test the new operating system and its reliability. You also want to test various different operating systems.
Which of the following features of Windows Server 2008 allows you to install and run different operating systems on a single computer?
A. RODC
B. Hyper-V
C. RSoP
D. Online Responder
Answer:
B. Hyper-V
61
You have been hired by ABC.com to design the company's network. ABC.com has its headquarters is in Denver. The company has many branch offices. All branch offices are connected to the headquarters through dedicated T1 lines. The ABC.com management of the company wants to have a Windows 2008 Active Directory-based network.
ABC.com's policy states that only the administrators of the headquarters are allowed to create and manage user accounts. The local administrators in the branch offices are allowed to control their own resources only. Replication or authentication traffic on the WAN is not an issue here.
Which of the following designs will you use to fulfill these requirements?
A. Create a multi-forest network.
Create a forest for each branch office and one for the main office.
Delegate the authority for the resource administration to the local Administrators for their respective forests.
Delegate the authority to the main office's forest to the Domain Admins group only.
B. Create a single domain network.
Create an organizational unit (OU) for each branch office and an OU for the main office. Delegate the authority for the resource administration to the local Administrators for their own OUs.
Delegate the authority for the main office's OU to the Domain Admins group only.
C. Create a domain for the main office.
Create child domains for the branch offices.
Keep all the user accounts in the main office domain and the resources on each domain of the branch offices.
Give Administrators Full Control access to the domain controllers.
D. Create a single domain network.
Create a site for each branch office and a site for the main office.
Delegate the authority for the resource administration to the local Administrators for their respective sites.
Delegate the authority of the main office's site to the Domain Admins group only.
Answer:
B. Create a single domain network.
Create an organizational unit (OU) for each branch office and an OU for the main office. Delegate the authority for the resource administration to the local Administrators for their own OUs.
Delegate the authority for the main office's OU to the Domain Admins group only.
62
You are the systems administrator for a company named ABC.com. The ABC.com network consists of a single Active Directory forest. The network contains an Internet Information Services (IIS) server that hosts a Web application that allows users to purchase your company's products online.
ABC.com has a partner organization, a graphic design firm that designs your company's products. The partner company has its own Active Directory forest. You are required to enable users in the partner organization to access your Web application without being prompted for secondary credentials.
Which Windows Server 2008 server role should you install in your network to provide Web-based Single-Sign-On (SSO) capabilities to users in the partner organization?
A. Active Directory Rights Management Services (AD RMS)
B. Active Directory Federation Services (AD FS)
C. Active Directory Lightweight Directory Services (AD LDS)
D. Active Directory Domain Services (AD DS)
Answer:
B. Active Directory Federation Services (AD FS)
63
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers run Windows Server 2008, and all client computers run Windows Vista.
ABC.com's written security policy stipulates that employees must use certificates for remote access and secure e-mail. Only designated administrators are authorized to approve users' requests for certificates, issue certificates, and revoke certificates.
You install Certificate Services on several servers and configure them as enterprise certification authorities (CAs).
You must assign the appropriate privileges to the designated administrators in accordance with the company policy. Which of the following actions should you take?
A. Issue an Enrollment Agent certificate to each designated administrator.
B. Assign the designated administrators to the Certificate Manager role on each CA.
C. Assign the Allow - Enroll permission for each certificate template to the designated administrators.
D. Assign the Allow - Write permission for each CA to the designated administrators.
Answer:
B. Assign the designated administrators to the Certificate Manager role on each CA.
64
You are the systems administrator for ABC.com. The ABC.com network consists of a single Active Directory domain named ABC.com. A computer running Windows Server 2008 has both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) roles installed. The AD LDS server contains an instance with the default name that is used by several applications that access data from and write data to the AD LDS database.
Over time, ABC.com users report to you that the AD LDS applications have become slow. To resolve this problem, you want to defragment the AD LDS database.
How would you perform an offline defragmentation of AD LDS database? (Choose all that apply. Each correct answer is part of a single solution.)
A. Restart the domain controller in Directory Services Restore Mode.
B. Run the Net stop Adam_instance1 command.
C. Run the Net stop Ntds command.
D. Use the Ntdsutil command with the appropriate parameters to defrag the database.
E. Run the Net start Adam_instance1 command.
F. Run the Net start Ntds command.
Answer:
B. Run the Net stop Adam_instance1 command.
D. Use the Ntdsutil command with the appropriate parameters to defrag the database.
E. Run the Net start Adam_instance1 command.
65
You are a network administrator for ABC.com. The ABC.com network consists of a single Active Directory domain where all servers run Windows Server 2003 and all client computers run Windows XP Professional.
You use a Group Policy object (GPO) to deploy an application on the network. Later, you receive a different application to work with the files that have the same file name extensions instead of the previously deployed application. You must deploy the new application, but users should not have to install it if they choose to use the original application instead of the new one. However, only one of these applications should be installed on the same computer.
Which actions should you take?
A. Assign the new application to computers; specify in the GPO that the original application be removed before the new one is installed.
B. Publish the new application to computers and remove the GPO that deploys the original application.
C. Assign the new application to users and remove the GPO that deploys the original application.
D. Publish the new application to users; specify in the GPO that the original application be removed before the new one is installed.
Answer:
D. Publish the new application to users; specify in the GPO that the original application be removed before the new one is installed.
66
You are the network administrator for ABC.com. The ABC.com network has a single domain, and all of the domain controllers run Windows Server 2008.
A domain controller in the branch office failed this morning. This domain controller does not hold any other roles. You bring the domain controller back on line, but you need to perform a non- authoritative restore of the domain controller. You do not have a critical volume backup of the domain controller on hand, but you do have a recent full backup.
What should be your first action to perform a non-authoritative restore of the domain controller?
A. Perform a critical backup of another domain controller. Reboot the failed domain controller into Directory Services Restore Mode (DSRM).
B. Perform a full backup of another domain controller. Reboot the failed domain controller into Directory Services Restore Mode (DSRM).
C. At the command prompt, type bcdedit/set safeboot dsrepair and hit Enter. At the next command prompt, type shutdown -t 0 -r and hit Enter.
D. At the command prompt, type bcdedit /set safeboot and hit Enter. At the next command prompt, type shutdown -t 0 -r and hit Enter.
Answer:
C. At the command prompt, type bcdedit/set safeboot dsrepair and hit Enter. At the next command prompt, type shutdown -t 0 -r and hit Enter.
67
You are the network administrator of ABC.com. ABC.com has its headquarters in Atlanta and a branch office in Denver. The Atlanta office network consists of a single Active Directory domain.
You want to create a new domain for the Denver office in the same forest as the domain at the Atlanta office.
Which operations master role must be available in the forest for you to create a new domain for the Denver office?
```
A. Schema master
B. Domain naming master
C. Relative ID (RID) master
D. Primary domain controller (PDC) emulator master
E. Infrastructure master
```
Answer:
B. Domain naming master
68
You are the network administrator of ABC.com. You install Windows Server 2008 on all servers on the network. All client computers are configured to run Windows Vista. You want to be able to use Advanced Encryption Standard (AES) with Kerberos for encryption of Ticket Granting Tickets (TGTs), service tickets, and session keys.
What is the minimum domain functional level that is required to support AES encryption with Kerberos?
A. Windows 2000 Server mixed
B. Windows 2000 Server native
C. Windows Server 2003
D. Windows Server 2008
Answer:
D. Windows Server 2008
69
You are the systems administrator for ABC.com. The ABC.com network consists of a single Active Directory domain. All domain controllers run Windows Server 2008, and all client computers run Windows Vista. You have a public key infrastructure that has a subordinate enterprise Certification Authority (CA), which issues certificates on behalf of the root CA.
You have a certificate template that allows users to autoenroll, and a group policy object that distributes the certificates to users. All users are able to automatically obtain certificates. You now want routers and other network devices are able to obtain certificates from the CA.
How would you accomplish this task?
A. Assign the routers and network devices the Autoenroll permission in a certificate template.
B. Change the Publish Delta CRL to 1 hour so expired certificates for routers and network devices are published in Active Directory.
C. Install the Online Certificate Status Protocol (OCSP) role service for AD CS.
D. Install the Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service for AD CS.
Answer:
D. Install the Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service for AD CS.
70
You are the network administrator for ABC.com. The ABC.com network has a single forest with three domains. All domain controllers in your forest are Windows Server 2008. Each domain is configured to be a separate site.
Recently the telephone company has changed the telephone number of a department in the location of one of ABC.com's domains. There are 55 accounts that are affected by the telephone number change. You need to change the telephone number property in the 55 different accounts.
How would you accomplish this as quickly as possible?
A. Use CSVDE to export the 55 accounts to a CSV file. Change the telephone number and use CSVDE to import the accounts.
B. In Active Directory Users and Computers, select Find from the Action menu and create a saved LDAP query that will return the 55 user accounts. Select all of the user accounts returned by the query and simultaneously modify the telephone number in their accounts' properties.
C. Create a saved LDAP query that will return user accounts of the 55 user accounts. Export the results to a tab-delimited file, modify the expiration date in the file and use the LDIFDE utility to import the file into Active Directory.
D. In Active Directory Users and Computers, select Find from the Action menu and create a LDAP query that will return the 55 user accounts. Export the results to a comma-delimited file, modify the expiration date in the file and use the CSVDE utility to import the file into Active Directory.
Answer:
B. In Active Directory Users and Computers, select Find from the Action menu and create a saved LDAP query that will return the 55 user accounts. Select all of the user accounts returned by the query and simultaneously modify the telephone number in their accounts' properties.
71
You are the administrator for ABC.com. ABC.com has over 5,000 employees. ABC.com's head office has approximately 4,500 employees, while the company’s ten branch offices have 50 users residing in each. You are often unaware of the physical security in place at these offices. However, since there is a fairly sizable amount of users at each office, you must provide them with directory services.
What is the BEST option to use for directory services when security is unknown?
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Director Rights Management Services
Answer:
B. Read-only domain controllers
72
You are the administrator for ABC.com. ABC.com has just signed into a partnership with another organization. You will be responsible for ensuring that authentication can occur between both organizations without the need for additional sign-on accounts. The partner has a variety of Directory Services installed throughout their organizations.
Which of the following can Active Directory Federation Services NOT connect to?
A. Lightweight Directory Services
B. Windows Server 2003 Directory Services
C. Windows Server 2003 R2 Directory Services
D. All of the above
Answer:
B. Windows Server 2003 Directory Services
73
You are the administrator for a nationwide company named ABC.com that currently runs Windows Server 2008 DNS and are reviewing the resource records in your Active Directory–integrated DNS zone.
You notice there are hostnames that do not meet ABC.com's naming convention and verify that the computers are not members of your Active Directory domain.
What must you do to ensure these hosts cannot create records in your DNS zone?
A. Disable DNS and enable DHCP.
B. Configure your zone to enable secure dynamic updates.
C. Disable dynamic updates in your zone.
D. You cannot prevent this from occurring in DNS.
Answer:
B. Configure your zone to enable secure dynamic updates.
74
You are creating a new standard primary zone for the company you work for, ABC.com, using the domain ABC.corp. You create the zone through the DNS management console, and now you want to view the corresponding DNS zone file named ABC.corp.dns.
Where do you need to look in order to find this file?
A. You cannot view the zone file because it is stored in Active Directory.
B. You can look in the %systemroot%\system32\dns folder.
C. You cannot view the DNS file except by using the DNS management console.
D. The DNS zone file is actually just a key in the Windows Registry. You need to use the Registry Editor if you want to view the file.
Answer:
B. You can look in the %systemroot%\system32\dns folder.
75
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. You have implemented DNS on a Windows Server 2008 Core Server installation. You want to list the DNS zones on this server.
What command-line utility would you use to accomplish this?
A. ocsetup.
B. netsh.
C. dnscmd.
D. None of the above. You must use the GUI from another Windows Server 2008 host.
Answer:
C. dnscmd.
76
What is the purpose of resetting an account?
A. Helps you reset a computer password stored in Active Directory so the computer can make a trusted connection with Active Directory.
B. Helps you reboot the computer.
C. Helps you restart netlogon services.
D. Helps you change the authentication protocol from NTML to Kerberos.
Answer:
A. Helps you reset a computer password stored in Active Directory so the computer can make a trusted connection with Active Directory.
77
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
ABC.com has recently has acquired a partner where all the computers are installed in a workgroup.
Which of the following actions must you perform in order to create computer accounts for the partner company? (Choose all that apply.)
A. Select Start | Run, and then type in the joinallwks /user:administrator command.
B. Select Start | Programs | Administrative Tools | Active Directory Users and Computers, and then right-click the computer container and create the computer objects.
C. Rename the existing computers in a workgroup.
D. Query for resources.
Answer:
B. Select Start | Programs | Administrative Tools | Active Directory Users and Computers, and then right-click the computer container and create the computer objects.
78
Himma is managing an Active Directory environment of a medium-size company named ABC.com that has a Windows Server 2008 Active Directory-based network. Himma is troubleshooting a problem with Active Directory. One of the administrators made an update to a user object and another reported that he had not seen the changes appear on another Domain Controller (DC). It was more than a week since the change was made. Himma checks the problem by making a change to another Active Directory object. Within a few hours, the change appears on a few DCs, but not on all of them.
Which of the following is a possible cause for this problem?
A. Connection objects are not properly configured.
B. Himma has configured one of the DCs for manual updates.
C. There might be different DCs for different domains.
D. Creation of multiple site links between the sites.
Answer:
A. Connection objects are not properly configured.
79
You work as the network administrator at ABC.com. All servers on the ABC.com network run. The ABC.com network has a Windows Server 2008Active Directory environment that consists of two dozen sites. The physical network environment is not fully routed, and you have disabled automatic site link transitivity. Now you want to set up three site links to be transitive, as they are physically connected to one another.
Which of the following Active Directory objects is responsible for representing a transitive relationship between sites?
A. Additional sites
B. Additional site links
C. Bridgehead servers
D. Site link bridges
Answer:
D. Site link bridges
80
Maria is an administrator of a medium-size organization responsible for managing Active Directory replication traffic. She finds an error in the replication configuration. How can she look for specific error messages related to replication?
A. Use the Active Directory Sites and Services administrative tool
B. Use the Disk Management tool
C. View the System log option in the Event Viewer
D. View the Directory Service log option in the Event Viewer
Answer:
D. View the Directory Service log option in the Event Viewer
81
Martin is going to be migrating his Lotus Notes environment into his newly established Windows Server 2008 forest. He has guidance on what he will require for Group Policy settings for the different teams and departments.
He has not yet created his OU structure. How should Martin proceed in creating the required GPOs?
A. Create stand-alone GPOs
B. Create the GPOs at the Domain level
C. Create the GPOs at the Site level
D. Wait to create the GPOs until the OU structure is in place
Answer:
A. Create stand-alone GPOs
82
You work as the senior administrator at ABC.com. The ABC.com network has a single domain named ABC.com with a single site. You have full access to every computer, and to Active Directory.
The ABC.com CIO has asked you to configure a GPO that will ensure that antivirus software is installed on every computer in the company.
Which of the following actions do you take?
A. You configure a GPO at the domain level, and publish the application to all computers.
B. You configure a GPO at the site level, and assign the application to all computers.
C. You create a GPO with the required settings and link it into all OUs that have user accounts in it. You set the options to assign the application to users.
D. You configure a GPO at the domain level, and publish the application to all users.
Answer:
B. You configure a GPO at the site level, and assign the application to all computers.
83
oe is responsible for administering her ABC.com’s PKI. ABC.com has an offline root CA and four enterprise subordinate CAs, each of which issues certificates to users in a major division of the company.
As a result of corporate downsizing and reorganization, one of the four major divisions is being disbanded. Joe must ensure that resources on the network will not accept certificates from the subordinate CA located in the division that is being disbanded.
Which of the following should he do? (Each correct answer represents part of the solution. Choose three answers.)
A. At the disbanded division’s subordinate CA, revoke all the certificates that it has issued.
B. Uninstall the AD CS role from the disbanded division’s subordinate CA.
C. Bring the offline root CA online, revoke the disbanded division’s subordinate CA’s certificate, and then take the root CA back offline.
D. Publish a new base CRL.
E. Publish a new delta CRL.
F. Copy the new CRL to the network’s CRL distribution point.
G. Add the AIA extension to all URLs where certificates issued by the disbanded division’s subordinate CA can be retrieved.
Answer:
C. Bring the offline root CA online, revoke the disbanded division’s subordinate CA’s certificate, and then take the root CA back offline.
D. Publish a new base CRL.
F. Copy the new CRL to the network’s CRL distribution point.
84
Martin is responsible for administering AD CS within ABC.com’s AD DS domain. He has configured a PKI that consists of a standalone root CA and two enterprise subordinate CAs on servers running Windows Server 2008 Enterprise Edition. He wants to configure the subordinate CAs to support the Online Responder service for keeping track of revoked certificates.
Which of the following tasks must Martin perform? (Each correct answer represents part of the solution. Choose two answers.)
A. Enable the use of the OCSP Response Signing certificate template from the Certificate Templates snap-in.
B. Configure the CA servers to publish delta CRLs.
C. From the Extensions tab of the CA server’s Properties dialog box, configure a CRL distribution point on the CA servers.
D. From the Extensions tab of the CA server’s Properties dialog box, select the URL for the online responder, and select the check box labeled Include in the AIA Extension of Issued Certificates.
E. From the Extensions tab of the CA server’s Properties dialog box, select the URL for the online responder, and select the check boxes labeled Include in the AIA Extension of Issued Certificates and Include in the Online Certificate Status Protocol (OCSP) Extension.
Answer:
A. Enable the use of the OCSP Response Signing certificate template from the Certificate Templates snap-in.
E. From the Extensions tab of the CA server’s Properties dialog box, select the URL for the online responder, and select the check boxes labeled Include in the AIA Extension of Issued Certificates and Include in the Online Certificate Status Protocol (OCSP) Extension.
85
Lee is responsible for maintaining DNS on his company’s AD DS network, which consists of a single domain in which all servers run Windows Server 2008. ABC.com has an office in Denver and a branch office in Littleton.
After upgrading a member server in the Littleton office to a domain controller, users at that office report that logon to the domain is slow. Upon investigating the problem, Lee notices that the service (SRV) resource records for the new domain controller are not registered in the DNS zone for the Littleton office.
What should he do to reregister these SRV resource records as quickly as possible?
A. Restart the DNS Server service.
B. Restart the DNS Client service.
C. Restart the Netlogon service.
D. Reboot the domain controller.
Answer:
C. Restart the Netlogon service.
86
Kevin is responsible for maintaining AD DS replication on ABC.com’s network, which consists of three domains and nine sites. When he uses replmon to check the automatically configured replication topology, he notices that connection paths are not established in what he thinks is the optimum manner.
What can Kevin do to manually change the topology?
A. Edit the Registry to indicate the appropriate paths.
B. Use Active Directory Sites and Services to manually create a site link object connecting the required servers.
C. Force the Knowledge Consistency Checker (KCC) to update the replication topology.
D. Brian cannot modify the replication paths. The KCC does not permit this type of configuration.
Answer:
B. Use Active Directory Sites and Services to manually create a site link object connecting the required servers.
87
Greg is the network administrator for a company named ABC.com that operates an AD DS network consisting of a single domain. ABC.com executives have signed a long-term partnership agreement with another company that also operates an AD DS network. ABC.com users will require access to rights-protected confidential information that is stored on web servers located on the second company’s network. Users in the second company will not require access to documents on the ABC.com network.
Which of the following should Greg configure on the ABC.com network? (Each correct answer represents part of the solution. Choose two answers.)
A. Active Directory Lightweight Directory Services (AD LDS)
B. Active Directory Rights Management Services (AD RMS)
C. Active Directory Federation Services (AD FS)
D. Active Directory Certificate Services (AD CS)
E. A one-way external trust relationship
Answer:
B. Active Directory Rights Management Services (AD RMS)
C. Active Directory Federation Services (AD FS)
88
You are the network administrator for a company named ABC.com that operates an AD DS network consisting of a single domain. Servers run Windows Server 2008, and client computers run Windows Vista Enterprise. The ABC.com domain contains OUs that are structured according to the departmental structure of the company, and all OUs have multiple GPOs linked to them.
As a result of departmental reorganization, the Design OU needs to be moved under the Engineering OU. You need to determine which objects in the Design OU are adversely affected by GPOs linked to the Engineering OU.
What should you do to achieve this goal without disruption to users?
A. Use the Group Policy Modeling Wizard for the Design OU. Choose the Engineering OU to simulate policy settings.
B. Use the Group Policy Modeling Wizard for the Engineering OU. Choose the Design OU to simulate policy settings.
C. Use the Group Policy Results Wizard for the Design OU. Review the policy results for users in the OU.
D. Use the Group Policy Results Wizard for the Engineering OU. Review the policy results for users in the OU.
Answer:
A. Use the Group Policy Modeling Wizard for the Design OU. Choose the Engineering OU to simulate policy settings.
89
ABC.com operates an AD DS forest consisting of a single tree with an empty root domain and five child domains that represent operational divisions.
In total, how many FSMO roles are present in this tree?
A. One schema master, one domain naming master, six RID masters, six PDC emulators, and six infrastructure masters
B. One schema master, one domain naming master, five RID masters, five PDC emulators, and five infrastructure masters
C. Six schema masters, six domain naming masters, six RID masters, six PDC emulators, and six infrastructure masters
D. One schema master, one domain naming master, one RID master, one PDC emulator, and one infrastructure master
Answer:
A. One schema master, one domain naming master, six RID masters, six PDC emulators, and six infrastructure masters
90
You administer the network for a company called ABC.com. ABC.com operates a single domain AD DS network that includes three Windows Server 2008 computers and a mix of Windows XP Professional and Windows Vista Business clients.
ABC.com Management has notified you that a competitor has taken a keen interest in one of the company's prototypes. Two employees of ABC.com have recently resigned and taken up positions with the competitor, and management is afraid that they will attempt to steal proprietary data belonging to ABC.com by breaking into your network. You are tasked with improving logon security on ABC.com’s network by limiting the number of failed logon attempts for all users on the network and by establishing an audit policy for tracking failed logon attempts.
Which of the following tasks should you undertake to complete this task? (Each correct answer represents part of the solution. Choose two answers.)
A. Edit the Default Domain Policy GPO to enable auditing and account lockout.
B. Monitor the security log for failed account management attempts on each domain controller.
C. Monitor the security log for failed logon attempts on each domain controller.
D. Configure a local security policy on each computer in the domain.
Answer:
A. Edit the Default Domain Policy GPO to enable auditing and account lockout.
C. Monitor the security log for failed logon attempts on each domain controller.
91
Kevin is the senior network administrator for ABC.com. The ABC.com CIO has asked him to create an OU structure that enables the Research department to administer its own user accounts. The IT department staff other than Kevin should not have permissions to this OU. Kevin is the only member of the Enterprise Admins group, other than the domain’s default administrator account, whose password is known only by Kevin and the CIO.
Kevin creates a Research Admins security group and Research OU, delegates administrative permissions to the Research Admins group, and removes the IT department security group from the permissions list.
A few days later, Kevin discovers that another administrator has been resetting user accounts for Research employees. What has he missed?
A. Kevin needs to create a separate Research domain to isolate it from the corporate domain.
B. Kevin needs to change the password on the domain administrator account because the other administrator must be using that account.
C. Kevin needs to remove the Enterprise Admins group from the permissions list.
D. Kevin needs to remove the Domain Admins group from the permissions list.
Answer:
D. Kevin needs to remove the Domain Admins group from the permissions list.
92
You work as the network administrator at ABC.com. The ABC.com network has a single domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. You are configuring the properties of several GPOs, one of which is linked to the domain, and the others are linked to various OUs, including child OUs.
At the domain level, you configure a Restricted Desktop GPO that removes the Network and Games folders from the Start menu. On the Scope tab for this policy in Group Policy Management Console (GPMC), you set the Enforced option to Yes. You also configure another GPO that disables the removal of the Network folder, links it to the IT OU, and specifies Block Inheritance so that the IT staff will be able to use this folder. Later, a couple of IT staffers call to complain that they are unable to reach the Network folder.
What is the most likely reason that IT staffers are unable to reach the Network folder?
A. Block Inheritance takes precedence over Enforced.
B. Enforced takes precedence over Block Inheritance.
C. When both these options are set, they cancel each other out.
D. The policies configured at the OU level were ignored because these options can be set only at the site or domain level.
Answer:
B. Enforced takes precedence over Block Inheritance.
93
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2 and all client computers run Windows Vista. ABC.com has its headquarters in London and a branch office in Paris. A WAN link connects the two offices.
ABC.com makes use of a computer in the London office named ABC-SR01 configured as the DNS server hosting a standard primary zone named internal.ABC.com. You install a computer named ABC-SR02 in the Paris office and configure it as a DNS server.
ABC.com wants ABC-SR02 to provide name resolution, even when the WAN connection is down.
What actions should you take?
A. You should consider having ABC.com converted to an Active Directory-integrated zone on ABC-SR01.
B. You should consider having a standard primary zone configured on ABC-SR02.
C. You should consider having DNS on ABC-SR01 configured to forward requests to ABC-SR02.
D. You should consider creating a delegation on ABC-SR02.
Answer:
A. You should consider having ABC.com converted to an Active Directory-integrated zone on ABC-SR01.
Explanation: In the scenario you should ensure that ABC-SR01’s DNS service is able to update and resolve DNS queries if the WAN link fails. In addition you should have the mask converted to an Active Directory-integrated zone on ABC-SR01 as this eliminates the need for primary and secondary name servers as fault tolerance is built into Active Directory which in addition is a bonus when using dynamic DNS.
94
You are employed as an administrator at ABC.com. The ABC.com network contains an Active Directory forest with a domain named ABC.com.
A server named ABC-SR04 is configured to host the Active Directory Federation Services (AD FS) role for the ABC.com network.
You have also included a newly configured account store for AD FS.
Which of the following describes the result of including a new account store?
A. AD FS authentication will occur via port 88.
B. Data from the Active Directory domain will be included in AD FS tokens.
C. SSL will be used for AD FS authentication.
D. A relying party trust will be created.
Answer:
B. Data from the Active Directory domain will be included in AD FS tokens.
Explanation: You need to add and configure a new account store. With this you can configure the AD FS trust policy to populate AD FS tokens with employee’s information from Active directory domain. AD FS allows the secure sharing of identity information between trusted business partners across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions. Because claims originate from an account store, you need to configure account store to configure the AD FS trust policy.
95
You work as a systems administrator at ABC.com. The ABC.com network has a domain named internal.ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
ABC.com has acquired another company named Weyland Industries that contains an Active Directory domain named internal.weyland.com. The transfer of internal DNS zone data is not allowed for zones outside the Weyland Industries network.
During the course of the day you receive an instruction from the CIO to grant employees of ABC.com the necessary name resolution permissions for resolving names from intranet.weyland.com.
How would you accomplish this task?
A. You should consider putting intranet.weyland.com in the Active Directory of ABC.com.
B. You should consider having a subzone established for the intranet.weyland.com domain.
C. You should consider reconfiguring the intranet.weyland.com domain as a standard primary zone.
D. You should consider setting conditional forwarding for the intranet.weyland.com domain.
Answer:
D. You should consider setting conditional forwarding for the intranet.weyland.com domain.
Explanation: In order to permit a ABC.com user to resolve names from intranet.weyland.com domain you need to set the conditional forwarding for the intranet.weyland.com domain. A conditional forwarding is a DNS query setting that allows a DNS server to route a request for a particular name to another DNS server by specifying a name and IP address.
96
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
The Finance department of ABC.com contains an organizational unit named King Finance. In turn, King Finance contains a separate OU for ABCWorkstations, ABCGroups and ABCClients. At present KingFinance is backed up every evening.
During routine monitoring you discover that a newly appointed administrator deleted ABCGroups. You receive an instruction from the CIO to ensure that the organizational unit is reinstated. This process should not impact on ABCClients and ABCWorkstations.
What action should you consider?
A. You should consider executing a non-authoritative restore of ABCGroups.
B. You should consider executing a non-authoritative restore of KingFinance.
C. You should consider executing an authoritative restore of KingFinance.
D. You should consider executing an authoritative restore of ABCGroups.
Answer:
D. You should consider executing an authoritative restore of ABCGroups.
97
You work as the network administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com. ABC.com has its headquarters in London and branch office in Paris. All domain controllers on the ABC.com network run Windows Server 2008 R2 and function as DNS servers.
Two domain controllers named ABC-DC01 and ABC-DC02 are located in the London office while a Read-only Domain Controller (RODC) named ABC-DC03 is located in the Paris office. All three domain controllers are set up as Active Directory-integrated zones that support secure updates only.
What action should you take to allow ABC-DC03 to support dynamic DNS updates?
A. You should consider having ABC-DC03 the Read-only Domain Controller (RODC) reconfigured to allow dynamic updates.
B. You should consider having the dnscmd/ZoneResetType command run at the command prompt on ABC-DC03.
C. You should consider having an active partition created and configured on ABC-DC01 to store the Active Directory-integrated zones.
D. You should consider having Active Directory Domain services uninstalled in ABC-DC03. You should then re-install Active Directory as a writeable domain controller.
Answer:
D. You should consider having Active Directory Domain services uninstalled in ABC-DC03. You should then re-install Active Directory as a writeable domain controller.
Explanation: In order to enable the dynamic DNS updates on ABC-DC03 you need uninstall the Active Directory Domain services on ABC-DC03. Thereafter you can reinstall it as a writeable domain controller. A writeable domain controller performs originating updates and outbound replication.
98
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com with a perimeter network. All domain controllers on the ABC.com network run Windows Server 2008 R2 and function as DNS servers.
There are two domain controllers named ABC-SR01 and ABC-SR02. During the course of the day you deploy an additional DNS server named ABC-SR03 to the perimeter network. You have later decided to configure ABC-SR01 to forward all unresolved requests to ABC-SR03.
During your routine maintenance you discover that DNS forward option is unavailable on ABC- SR02. ABC.com recently requested that you travel to the Paris office and configure DNS forwarding on ABC-SR02 so that unresolved name requests are forward to ABC-SR03.
Which of the following actions should you take? (Choose two)
A. You should consider having the Root zone removed from ABC-SR02.
B. You should consider having zone forwarding added on ABC-SR02.
C. You should consider having the DNS cache cleared on ABC-SR02.
D. You should consider having conditional forwarding configured on ABC-SR02.
Answer:
A. You should consider having the Root zone removed from ABC-SR02.
D. You should consider having conditional forwarding configured on ABC-SR02.
99
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. ABC.com has its headquarters in London and a branch office in Paris. All servers on the ABC.com network run Windows Server 2008 R2 and all client computers run Windows Vista.
ABC.com has recently created an organizational unit named KingProducts which has a child organizational unit object named KingSales. ABC.com has additionally created a GPO named SalesApplication and linked it to the KingProducts OU. During the course of the day you receive instruction from ABC.com to create a shadow group for the KingSales organizational unit whilst ensuring that the SalesApplication is not deployed to network users in the KingSales OU.
Which actions should you take to accomplish this task? (Choose two)
A. You should consider having the Block Inheritance setting configured on the KingSales organizational unit.
B. You should consider having security filtering configured on the SalesApplication GPO to Deny. You should then have the group policy applied for the KingSales OU.
C. You should consider having the Enforce setting configured on the SalesApplication GPO.
D. You should consider having the Block Inheritance setting configured on the KingProducts organizational unit.
Answer:
A. You should consider having the Block Inheritance setting configured on the KingSales organizational unit.
B. You should consider having security filtering configured on the SalesApplication GPO to Deny. You should then have the group policy applied for the KingSales OU.
100
You work as an enterprise administrator at ABC.com. The ABC.com network has a forest with a single domain named ABC.com.
ABC.com has a subsidiary company named Weyland Industries. The Weyland Industries network has a forest with a single domain named weyland.com. All servers on the ABC.com and Weyland Industries networks run Windows Server 2008 R2.
The functional level of the ABC.com domain is set at Windows Server 2008 while the functional level of the weyland.com domain is set at Windows Server 2003 Native mode. You have created an external trust between ABC.com and weyland.com.
Which of the following is a prerequisite for having the Kerberos AES encryption option enabled?
A. You should consider having the ABC.com domain level lowered to Windows Server 2003.
B. You should consider having the weyland.com domain functional level raised to Windows Server 2008.
C. You should consider having the ABC.com forest functional level lowered to Windows Server 2003 Native Mode.
D. You should consider having forest-wide authentication enabled for the external trust.
Answer:
B. You should consider having the weyland.com domain functional level raised to Windows Server 2008.
101
ABC.com has an Active Directory forest which runs Windows Server 2008 R2. It has branch offices all around the world. The forest includes organizational units (OUs) for offices in New York, London, Amsterdam and Rome, each with a child OU named finance. The users and computers in the finance department are stored in the finance OU.
A high speed broadband link is used to connect the London, Amsterdam and New York offices to the network while a 128-Kbps ISDN connects the Rome office. ABC.com wants you to install a new finance application for the finance department.
How would you accomplish this task? (Choose two answers. Each answer is a part of the complete solution)
A. This can be accomplished by assigning the application to the computers after a Group Policy object was created. Thereafter the GPO should be linked to the finance OU.
B. This can be accomplished by having the slow link detection setting in the GPO disabled.
C. This can be accomplished by assigning the application to the users in the OU after a Group Policy object was created. Thereafter the GPO should be linked to the finance OU.
D. This can be accomplished by having the slow link detection setting modified to 2,544 Kbps (T1) in the GPO.
Answer:
A. This can be accomplished by assigning the application to the computers after a Group Policy object was created. Thereafter the GPO should be linked to the finance OU.
D. This can be accomplished by having the slow link detection setting modified to 2,544 Kbps (T1) in the GPO.
102
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. ABC.com has its headquarters in London and a branch office in Paris. All servers on the ABC.com network run Windows Server 2008 R2 and all client computers run Windows Vista.
ABC.com has recently requested that you take on the responsibilities managing help desk calls and basic user account management. During the course of the day you receive instruction to add a new user named Rory Allen and to grant him permission to reset passwords for all users in an OU named ResOU. ABC.com has recently requested that you make sure Rory Allen cannot alter permission for the objects within other OU in the domain.
What actions should you take?
A. You should consider having the Rory Allen’s login account moved to an OU containing the OU. You should then have the parent OU of the one requiring administering referred.
B. You should consider having the Delegation of Control Wizard used to assign the necessary permissions on the OU that requires being administered.
C. You should consider having a special administration account created within the OU. You should then have full permissions granted to the OU for all objects within Active Directory.
D. You should consider having the Rory Allen login account moved into the OU which requires being administered.
Answer:
B. You should consider having the Delegation of Control Wizard used to assign the necessary permissions on the OU that requires being administered.
Explanation:
The Delegation of Control Wizard is designed to permit administrators the ability to have permissions on specific Active Directory objects organized.
103
You work as the network administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com. ABC.com has its headquarters in London and branch office in Paris. All servers on the ABC.com network run Windows Server 2008 R2.
The ABC.com network has a server named ABC-SR01 in the London office which has the DNS Server role installed with Active Directory-integrated zone configured for two sites containing four domain controllers each.
You have executed the repadmin/syncall command at the command prompt.
Which of the following describes a reason for executing this command?
A. It is used to start the immediate replication of a specified directory partition to a destination domain controller from a source domain controller.
B. It is used to present the replication status when the specified domain controller last attempted to perform inbound replication of Active Directory partitions.
C. It is used to synchronize a particular domain controller with all of its replication partners.
D. It is used to start the replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain controllers (RODCs).
Answer:
C. It is used to synchronize a particular domain controller with all of its replication partners.
104
You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
At present the domain functional level as well as the forest functional level is set to Windows 2000 native mode. To ensure productivity, management wants you to make sure that the UPN suffix for ABC.com is accessible for user accounts within the network. You thus need to determine the first step that should be executed to accomplish this.
A. The ABC.com forest functional level should be raised to Windows Server 2003 or Windows Server 2008.
B. The Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) should be changed to ABC.com.
C. The new UPN suffix should be added to the forest.
D. The ABC.com domain functional level should be raised to Windows Server 2003 or Windows Server 2008.
Answer:
C. The new UPN suffix should be added to the forest.
105
ABC.com has employed you as a network administrator. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2. Half the client computers run Windows XP Professional, and the rest run Windows Vista.
The ABC.com network has a Windows Server 2008 Enterprise Root CA. You have been instructed to make sure that port 443 and port 80 cannot be accessed on the domain controller.
During the course of the week you receive an instruction from the CIO to ensure that all ABC.com users are able to have their certificates requested from the official Web site.
How would you accomplish this task?
A. You should consider having the AD CS role installed.
B. You should consider having the AD FS role installed.
C. You should consider having the Certification Authority Web Enrollment Role Service is configured on a domain controller.
D. Your subsequent step should be to ensure that the Certification Authority Web Enrollment Role Service is configured on a member server.
Answer:
A. You should consider having the AD CS role installed.
D. Your subsequent step should be to ensure that the Certification Authority Web Enrollment Role Service is configured on a member server.
106
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All domain controllers on the ABC.com network run Windows Server 2003. ABC.com has its headquarters in Paris where you are located.
Due to company growth ABC.com opens a branch office in London. Several ABC.com employees will be moved to the London office. You thus need to move the existing user as well as computer objects to another organizational unit in the London office. You need to recommend to management a plan of action that will accomplish this.
Which of the following actions should you take? (Choose all that apply.)
A. You should recommend that the DSmod utility be executed.
B. You should recommend that the Active Directory Domains and Trusts tool be used.
C. You should recommend that the Active Directory Users and Computers utility be run.
D. You should recommend that the RepAdmin utility be executed.
Answer:
A. You should recommend that the DSmod utility be executed.
C. You should recommend that the Active Directory Users and Computers utility be run.
107
You work as the network administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2 and all client computers run Windows Vista.
The current ABC.com DNS zone is stored on the ForestDnsZones Active directory partition.
You have received instruction from ABC.com to include a domain controller named ABC-SR01 with a standard primary zone for uk.ABC.com. ABC.com has additionally requested all company domain controllers be configured appropriately to resolve names for uk.ABC.com.
What actions should you take to meet these requirements?
A. You should consider having a PTR record added in the ABC.com.com zone
B. You should consider having a Host A record added in the ABC.com.com zone
C. You should consider having a delegation created in the ABC.com zone.
D. You should consider having the properties of SOA record changed in the uk.ABC.com zone.
Answer:
C. You should consider having a delegation created in the ABC.com zone.
108
You work as the enterprise administrator at ABC.com. ABC.com has its headquarters in London and branch offices in Paris, Berlin, Milan and Athens. The network at every office is organized into a separate site, each with its own domain controller.
During the course of the day you disable an account that has administrative rights. You receive an instruction from the CIO to replicate the disabled account information to all ABC.com sites.
Which of the following actions should you take? (Choose all that apply.)
A. This can be accomplished by having the domain controllers configured as global catalog servers using Replmon.exe.
B. This can be accomplished by having the existing connection objects selected and replication forced from the Active Directory Federated Services console.
C. This can be accomplished by having the domain controllers configured as global catalog servers from the Active Directory Sites and Services console.
D. This can be accomplished by forcing replication between the site connection objects using Repadmin.exe.
Answer:
C. This can be accomplished by having the domain controllers configured as global catalog servers from the Active Directory Sites and Services console.
D. This can be accomplished by forcing replication between the site connection objects using Repadmin.exe.
109
You work as the network administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2 and all client computers run Windows XP Professional.
You want ABC.com users to only install application updates on their client computers that have been approved by management.
Which of the following actions should you take? (Choose two)
A. You should consider having automatic updates configured in the control panel of the offices client computers.
B. You should consider having a GPO created and linked to the server. You should then have the GPO configured to automatically search for updates on Microsoft update site.
C. You should consider having a GPO created and linked to the domain. You should then have the GPO configured to direct client computers to the Microsoft WSUS server for approved updates.
D. You should consider having the Microsoft WSUS application installed on a server in the environment. You should then have the WSUS server configured to search for new updates on the internet whilst approving all required updates.
Answer:
C. You should consider having a GPO created and linked to the domain. You should then have the GPO configured to direct client computers to the Microsoft WSUS server for approved updates.
D. You should consider having the Microsoft WSUS application installed on a server in the environment. You should then have the WSUS server configured to search for new updates on the internet whilst approving all required updates.
110
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. ABC.com has its headquarters in London and a branch office in Paris. All servers on the ABC.com network run Windows Server 2008 R2 and all client computers run Windows Vista.
During the course of the day you receive instruction from ABC.com to create an organizational unit named Products hosting two global groups named KingSales and KingSecurity. ABC.com has also asked you to apply desktop restrictions to the KingSecurity group whilst ensuring that the KingSales group does not have the desktop restrictions applied. You started by creating a GPO named KingLockdown and linked it to the Products OU.
Which actions should you consider?
A. You should consider having the Allow Apply Group Policy permission set for the Local domain users on KingLockdown GPO.
B. You should consider having the Allow Apply Group Policy permission set for the Authenticated Users on KingLockdown GPO.
C. You should consider having the Deny Apply Group Policy permission set for the KingSales on the KingLockdown GPO.
D. You should consider having the Deny Apply Group Policy permission set for the KingSecurity Executives on the KingLockdown GPO.
Answer:
C. You should consider having the Deny Apply Group Policy permission set for the KingSales on the KingLockdown GPO.
111
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. ABC.com has its headquarters in London and a branch office in Paris. All servers on the ABC.com network run Windows Server 2008 R2 and all client computers run Windows Vista.
ABC.com currently makes use two computers named ABC-SR01 and ABC-SR02 configured as DNS servers with both ABC-SR01 and ABC-SR02 hosting the _msdcs.tesking.com and ABC.com zones while ABC-SR02 also hosts the .(root) zone.
During the course of the day you receive complaints from the network users that they are not able to connect to Internet websites while using ABC-SR02 as their preferred DNS server. ABC.com recently requested that you enable Internet name resolution for all client computers on the network.
How would you accomplish this?
A. You should consider having the list of root hints servers updated on ABC-SR02.
B. You should consider having a copy of the .(root) zone created on ABC-SR01.
C. You should consider having the .(root)zone deleted from ABC-SR02. You should then have conditional forwarding configured on ABC-SR02.
D. You should consider having the Cache.dns file updated on ABC-SR02. You should then have conditional forwarding configured on ABC-SR01.
Answer:
C. You should consider having the .(root)zone deleted from ABC-SR02. You should then have conditional forwarding configured on ABC-SR02.
112
You work as the network administrator at ABC.com. The ABC.com network consists of two Active Directory forests named ABC-north.com and ABC-south.com. All servers on the ABC.com network run Windows Server 2008 R2 and all client computers run Windows Vista.
ABC.com currently makes use of three computers named ABC-SR01, ABC-SR02 and ABC-SR03 which are configured as DNS servers. Both ABC-SR01 and ABC-SR02 host the .(root), _msdcs.tesking-north.com and ABC-north.com zones while ABC-SR03 hosts the _msdcs.tesking- south.com and ABC-south.com zones.
ABC-SR03 is configured as the DNS server for all workstations in the ABC-south.com domain. ABC-SR01 is configured as the DNS server for the other workstations.
During routine monitoring you discover that employees from ABC-south.com are unable to connect to the servers belonging to ABC-north.com. You receive an instruction from the CIO to make sure that all ABC-south.com queries can be resolved by employees at ABC-north.com.
How should you proceed?
A. You should consider creating a Secondary zone on ABC-SR03.
B. You should consider configuring conditional forwarding on ABC-SR03 in order to forward ABC- north.com queries to ABC-SR01.
C. You should consider creating a Primary zone on ABC-SR03.
D. You should consider configuring conditional forwarding on ABC-SR01 and ABC-SR02 in order to forward ABC-south.com queries to ABC-SR03.
Answer:
B. You should consider configuring conditional forwarding on ABC-SR03 in order to forward ABC- north.com queries to ABC-SR01.
113
You work as a systems administrator at ABC.com. The ABC.com network has a forest that contains two domains named us.ABC.com and uk.ABC.com.
ABC.com management wants you to minimize the authentication time for ABC.com users between the us.ABC.com and the uk.ABC.com domains.
How would you accomplish this task?
A. This can be accomplished by creating an intransitive two-way trust from uk.ABC.com to us.ABC.com.
B. This can be accomplished by creating a new forest trust and enabling forest-wide authentication.
C. This can be accomplished by raising the domain functional level to Windows Server 2008.
D. This can be accomplished by creating a one-way shortcut trust from uk.ABC.com to us.ABC.com.
Answer:
D. This can be accomplished by creating a one-way shortcut trust from uk.ABC.com to us.ABC.com.
114
You work as the network administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com. ABC.com has its headquarters in London and a branch office in Paris. All servers on the ABC.com network run Windows Server 2008 R2 and all workstations run Windows Vista.
You have configured two linked GPO’s for ABC.com’s network, which were used to publish the new KingSales application. A network user named Rory Allen has reported that the KingSales application is not available for installation when he logs on.
ABC.com wants you to verify whether the GPO has been applied to Rory Allen.
What is the best course of action you could take?
A. You should consider executing the Group Policy Results utility for Rory Allen’s workstation.
B. You should consider executing the Group Policy Results utility for Rory Allen.
C. You should consider executing the gpresult /u command from the command prompt.
D. You should consider executing the gpresult /r command from the command prompt.
Answer:
B. You should consider executing the Group
115
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2. The ABC.com network has a domain controller named ABC-DC01.
How would you determine if any unsuccessful logon attempts occurred on ABC-DC01?
A. You should open the Netlogon.log file on ABC-DC01.
B. You should open the Event Viewer on ABC-DC01.
C. You should configure auditing of object access on ABC-SR01.
D. You should open the System.log file on ABC-DC01.
Answer:
B. You should open the Event Viewer on ABC-DC01.
116
You work as an administrator at ABC.com. The ABC.com network consists of an Active Directory forest that contains a single domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2 and all workstations run Windows XP.
ABC.com has its headquarters in Dallas, and two branch offices in Miami and Chicago. You have configured an organizational unit (OU) for the Marketing department of each office. The users and computers of the Marketing Department are included in the Marketing OU. Each Marketing OU has a child OU.
ABC.com releases a new policy that requires the computers in the Marketing OU to have a specific application installed. You have to make sure that the application is deployed for the Marketing OU computers only.
How would you accomplish this task? (Choose all that apply.)
A. You should consider creating and configuring a Group Policy Object (GPO) to assign the application to the computer account.
B. You should consider creating and configuring a Group Policy Object (GPO) to assign the application to the user account.
C. You should consider linking the GPO to the Marketing OU in each office.
D. You should consider linking the GPO to ABC.com’s forest.
Answer:
A. You should consider creating and configuring a Group Policy Object (GPO) to assign the application to the computer account.
C. You should consider linking the GPO to the Marketing OU in each office.
117
You work as the network administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com. ABC.com has its headquarters in London and a branch office in Paris. All domain controllers on the ABC.com network run Windows Server 2008 R2 and all workstations run Windows XP Professional.
ABC.com deploys three Windows Server 2008 R2 servers that are configured as DNS servers. ABC.com’s ADMX files of are stored in the ADMX central store.
A ABC.com user named Rory Allen has been given the responsibility of dealing with all domain based group policy objects. You receive an instruction to make sure that Rory Allen’s workstation is able to edit domain-based GPO’s.
What actions should you perform?
A. You should consider having Rory Allen’s workstation upgraded to Windows Vista.
B. You should consider having Rory Allen’s workstation upgraded to Windows XP Professional SP2.
C. You should consider having Rory Allen’s workstation downgraded to Windows 2000.
D. You should consider adding Rory Allen’s account to the Domain Admins group.
Answer:
A. You should consider having Rory Allen’s workstation upgraded to Windows Vista.
118
You work as an administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
When a junior administrator named Rory Allen unintentionally deletes an organizational unit (OU) on a domain controller, you decide to make use of a non-authoritative restore prior to an authoritative restore of the OU.
How would you execute a non-authoritative restore of Active Directory Domain Services (AD DS), while maintaining the integrity the other data stored on the domain controller?
A. The best option is to backup of all the volumes.
B. The best option is to use a Critical volume backup.
C. The best option is to backup of the volume that hosts Operating system.
D. The best option is to backup of AD DS folders.
Answer:
B. The best option is to use a Critical volume backup.
Explanation: If you do not want to disrupt the data stored on domain controller, you need to use a critical volume backup to perform non-authoritative restore of AD DS.
You must first complete a non-authoritative restore before performing an authoritative restore of AD DS. You must ensure that the replication does not occur after non-authoritative restore. You must do a critical-volume backup before you perform a non-authoritative restore. To prevent the replication from occurring after the non-authoritative and to perform the authoritative restore portion of the operation, you must restart the domain controller in Directory Services Restore Mode and perform the authoritative restore at the domain controller that you are restoring. You should start the domain controller normally after performing the authoritative restore of AD DS. You should also synchronize replication with all replication partners.
119
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
You are responsible for managing the Windows Server 2008 environment. You are in the process of deploying a certificate authority server into the network. After deployment you create a global security group named KingUsers. You have assigned the Certificate Manager role to KingUsers.
Which of the following is TRUE with regards to this scenario?
A. Members of the KingUsers global security group will be able to issue, approve, and revoke certificates.
B. Members of the KingUsers global security group will only be able to issue certificates.
C. Members of the KingUsers global security group will only be able to approve certificates.
D. Members of the KingUsers global security group will only be able to revoke certificates.
Answer:
A. Members of the KingUsers global security group will be able to issue, approve, and revoke certificates.
120
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network, including domain controllers, run Windows Server 2008 R2. Workstations on the ABC.com network run either Windows XP SP2 or Windows Vista.
The ABC.com network has a domain controller named ABC-DC01. The ABC.com network also has a server named ABC-SR07. ABC-DC01 and ABC-SR07 are configured as DNS servers. ABC- DC01 is configured to host a standard primary zone, while ABC-SR07 hosts a secondary copy of the zone.
You have been instructed to make sure that host (A) records in the DNS zone are updated by authenticated users only.
Which of the following describes the initial step to achieving your goal?
A. You should consider having AD FS installed on ABC-DC01.
B. You should consider having AD FS installed on ABC-SR07.
C. You should consider having the standard primary zone converted to a stub zone.
D. You should consider having the standard primary zone converted to an Active Directory- integrated zone.
Answer:
D. You should consider having the standard primary zone converted to an Active Directory- integrated zone.
121
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2 while all workstations run Windows Vista.
The ABC.com network includes two domain controllers named ABC-DC01 and ABC-DC02, both of which have been configured as DNS servers. The DNS zones hosted on ABC-DC01 and ABC- DC02 are configured to be Active Directory-integrated zones that permit dynamic updates. You are instructed to make sure that old records are automatically deleted from the zone.
What course of action should you take?
A. You should consider disabling dynamic updates for the zones.
B. You should consider having aging and scavenging enabled.
C. You should consider converting the Active Directory-integrated zones to standard primary zones.
D. You should consider converting the Active Directory-integrated zones to stub zones.
Answer:
B. You should consider having aging and scavenging enabled.
122
You work as an administrator at ABC.com. The ABC.com network consists of a single domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
You have been instructed to deploy a certification authority (CA) server on the ABC.com network. You then install and configure the Active Directory Certificate Services server role as an Enterprise Root CA.
Which of the following is TRUE with regards to this scenario? (Choose all that apply.)
A. The certification authority can issue certificates automatically.
B. The Certificate Enrollment policy will be modified.
C. The CA server is integrated with Active Directory Domain Services.
D. The Enterprise Trust settings will be modified.
Answer:
A. The certification authority can issue certificates automatically.
C. The CA server is integrated with Active Directory Domain Services.
123
You work as an administrator at ABC.com. The ABC.com network is made up of a single Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2 while all workstations run Windows 7 Enterprise.
The ABC.com network is configured in a two tier public key infrastructure (PKI). This PKI infrastructure configuration hosts an offline Root certification authority (CA), as well as an online Issuing certification authority (CA). ABC.com users need to have the ability to enroll new certificates.
Which actions should you take? (Choose two.)
A. You should have the Certificate Revocation List (CRL) on the Root certification authority (CA) renewed.
B. You should have the Certificate Revocation List (CRL) on the Intermediate CA renewed.
C. You should have the Certificate Revocation List (CRL) on the Issuing CA renewed.
D. The Certificate Revocation List (CRL) should then be copied to the CertEnroll folder on the Issuing certification authority (CA).
E. The Certificate Revocation List (CRL) should then be copied to the SystemCertificates folder in the users' profile.
Answer:
A. You should have the Certificate Revocation List (CRL) on the Root certification authority (CA) renewed.
D. The Certificate Revocation List (CRL) should then be copied to the CertEnroll folder on the Issuing certification authority (CA).
124
You work as an administrator at ABC.com. The ABC.com network has a single Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2 while all workstations run Windows 7 Enterprise.
The ABC.com domain employs an Enterprise Root certification authority (CA), as well as an Enterprise Intermediate certification authority (CA). When the Enterprise Intermediate certification authority certification authority (CA) reaches its expiration date, you are tasked with making sure that a new one is distributed to all workstations in the ABC.com domain.
How would you accomplish this task?
A. You should consider having the new certificate imported into the Trusted Certification Store, which is located in the Default Domain group policy object.
B. You should consider having the new certificate imported into the Issuing Certification Store, which is located in the Default Domain group policy object.
C. You should consider having the new certificate imported into the Intermediate Certification Store, which is located in the Default Domain Controllers group policy object,
D. You should consider having the new certificate imported into the Intermediate Certification Store, which is located in the Default Domain group policy object.
E. You should consider having the new certificate imported into the Issuing Certification Store, which is located in the Default Domain Controllers group policy object,
F. You should consider having the new certificate imported into the Trusted Certification Store, which is located in the Default Domain Controllers group policy object,
Answer:
D. You should consider having the new certificate imported into the Intermediate Certification Store, which is located in the Default Domain group policy object.
125
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network, including domain controllers, run Windows Server 2008 R2 while all workstations run Windows 7 Enterprise.
A domain controller named ABC-DC02 runs the Windows Server Backup feature. When ABC- DC02 experiences problems, you decide to make use of a current backup file to restore ABC- DC02 non-authoritatively.
What actions should you take to accomplish this task?
A. You should start ABC-DC02 in Directory Services Restore Mode.
B. You should start ABC-DC02 in safe mode.
C. You should then carry out a critical volume restore by running the WBADMIN command.
D. You should then carry out a critical volume restore by running the ntbackup command.
E. You should then carry out a critical volume restore from the Windows Server Backup snap-in.
Answer:
A. You should start ABC-DC02 in Directory Services Restore Mode.
C. You should then carry out a critical volume restore by running the WBADMIN command.
126
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2 while all workstations run Windows 7 Enterprise.
You have been tasked with installing a new application on a server named ABC-SR13. Part of the installation process requires the installation of new attributes, as well as adding classes to the Active Directory database.
You are tasked with making sure that you are able to install the application successfully.
Which of the following permissions should the user account have?
A. Domain Administrator rights.
B. Schema User rights.
C. Schema Administrator rights.
D. Enterprise User rights.
Answer:
C. Schema Administrator rights.
127
You work as an administrator at ABC.com. The ABC.com network has an Active Directory forest, which has two domains named eu.ABC.com and us.ABC.com. All servers, including domain controllers, on the ABC.com network run Windows Server 2008 R2 while all workstations run Windows 7 Enterprise. The domain controllers are also configured as DNS servers.
A server named ABC-SR02 is configured to host the standard primary zone for eu.ABC.com. ABC.com has requested that all domain controllers in the forest have the ability to resolve names for the eu.ABC.com zone.
What course of action should you follow? (Choose two.)
A. You should configure a conditional forwarder on one of ABC.com’s domain controllers.
B. You should make sure that conditional forwarder is configured to replicate to all DNS servers in the eu.ABC.com domain only.
C. You should consider having a stub zone created on one of the domain controllers.
D. You should make sure that the conditional forwarder is Configure to replicate to all DNS servers in ABC.com’s forest.
E. You should make sure that conditional forwarder is configured to replicate to all DNS servers in the us.ABC.com domain only.
F. You should consider having a stub zone created on ABC-SR02.
Answer:
A. You should configure a conditional forwarder on one of ABC.com’s domain controllers.
D. You should make sure that the conditional forwarder is Configure to replicate to all DNS servers in ABC.com’s forest.
128
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2 while all workstations run Windows 7 Enterprise.
The ABC.com network has a server named ABC-SR19 which has the Active Directory Certificate Services (AD CS) server role configured.
You have been tasked with making sure that the length of time it takes to download a certificate revocation list (CRL) is kept to a minimum.
Which actions should you take?
A. You should consider installing an Online Responder, and then making the necessary configurations.
B. You should consider modifying the replication schedule.
C. You should consider having the Intermediate CA certificate imported into the Trusted Root Certification Authorities on ABC-SR19.
D. You should consider having ABC-SR19 configured as an Issuing Certification Authority.
Answer:
A. You should consider installing an Online Responder, and then making the necessary configurations.
129
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers, including domain controllers, on the ABC.com network run Windows Server 2008 R2 while all workstations run Windows 7 Enterprise.
ABC.com has an existing security policy that states that auditing must be configured to record any modifications made to the Managed By attribute on group objects located in any organizational unit (OU).
ABC.com then releases an amended security policy that maintains most of the old policy, but states that any modifications made only to the Description attribute on all group objects in an OU named TestOU13, should be logged.
Which actions should you consider to make sure that the amended policy is enforced?
A. You should consider making use of the auditpol.exe from the command line.
B. You should consider having the auditing entry for TestOU13 reconfigured.
C. You should consider having auditing configured for the Authenticated Users group
D. You should consider having the Audit process tracking option activated.
Answer:
B. You should consider having the auditing entry for TestOU13 reconfigured.
130
You work as an administrator at ABC.com. The ABC.com network has an Active Directory forest named ABC.com.
You are informed that ABC.com has acquired a new server, which runs Windows Server 2008 R2 and is configured as a read-only domain controller (RODC). The read-only domain controller (RODC) is named ABC-RODC01.
You have received instructions to deploy ABC-RODC01 to ABC.com’s forest.
Which of the following statements are TRUE with regards to the above scenario?
A. The minimum functional level that can be configured for the forest is Windows Server 2008.
B. The maximum functional level that can be configured for the forest is Windows Server 2003.
C. The maximum functional level that can be configured for the forest is Windows 2000.
D. The minimum functional level that can be configured for the forest is Windows 2003.
Answer:
D. The minimum functional level that can be configured for the forest is Windows 2003.
131
Which of the following is the purpose of the Infrastructure operations master role?
A. It is responsible for updating object references in its domain that point to the object in a different domain.
B. It is provides the most up-to-date password information whenever a logon attempt fails.
C. It assigns an object a unique security identifier (SID) whenever a domain controller creates a new security principal.
D. It deals with the addition and removal of all domains and directory partitions.
Answer:
A. It is responsible for updating object references in its domain that point to the object in a different domain.
132
Which of the following is TRUE with regards to RAID-5 volumes? (Choose two.)
A. The minimum amount of disks required is 3 disks, including the disk hosting the operating system.
B. The minimum amount of disks required is 3 disks, excluding the disk hosting the operating system.
C. You have to make use of basic disks.
D. You have to make use of dynamic disks.
Answer:
B. The minimum amount of disks required is 3 disks, excluding the disk hosting the operating system.
D. You have to make use of dynamic disks.
133
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2, while all workstations run Windows Vista Ultimate.
ABC.com has recently started making use of Windows Cardspace to enable users to provide their digital identity to online services in a simple and trusted way.
You sometimes work from your home PC, which also runs Windows Vista Ultimate, and would like to make use of your Windows Cardspace cards.
How should you proceed?
A. You should consider sending the Windows Cardspace cards to you home PC via e-mail.
B. You should consider running a data backup of your workstation to external media
C. You should consider exporting the required Windows Cardspace cards to external media.
D. You should consider making use of the Windows Cardspace application to backup the data to external media.
Answer:
D. You should consider making use of the Windows Cardspace application to backup the data to external media.
134
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network, including domain controllers, run Windows Server 2008 R2.
A domain controller named ABC-DC01 has been configured to run the Active Directory services. You need to run important updates on ABC-DC01. You would like to complete this task without restarting ABC-DC01.
How would you accomplish this task?
A. You should consider promoting ABC-DC01 to a member server.
B. You should consider running the Ntdsutil command.
C. You should consider deactivating the Active Directory domain services on ABC-DC01 prior to installing the updates.
D. You should consider running the Dnscmd.exe command.
E. You should consider reactivating the Active Directory domain services on ABC-DC01 subsequent to installing the updates.
Answer:
C. You should consider deactivating the Active Directory domain services on ABC-DC01 prior to installing the updates.
E. You should consider reactivating the Active Directory domain services on ABC-DC01 subsequent to installing the updates.
135
You work as an administrator at ABC.com. The ABC.com network is made up of an Active Directory forest that contains a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
You have been instructed to create a custom directory partition application named ABCPartionData. You are required to make sure that ABCPartionData is configured for data replication.
What actions should you take?
A. You should consider making use of Dnscmd and Ntdsutil to satisfy the requirements.
B. You should consider making use of Dfscmd and Dfsutil to satisfy the requirements.
C. You should consider making use of Dnscmd and Fsutil to satisfy the requirements.
D. You should consider making use of Dfscmd and Ntdsutil to satisfy the requirements.
Answer:
A. You should consider making use of Dnscmd and Ntdsutil to satisfy the requirements.
136
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. Half of the servers on the ABC.com network run Windows Server 2003 and the rest run Windows Server 2008 R2.
ABC.com has its headquarters in London, and a branch office in New York. The London office has a Windows Server 2008 R2 computer named ABC-SR05. The New York office has a server named ABC-SR12 which has been configured to run a Windows 2008 Server Core installation.
After installing Active Directory Domain Services (AD DS) on ABC-SR05, you are instructed to make sure that ABC-SR12 is configured to run as a Read-Only Domain Controller (RODC). You want to accomplish this task with as little administrative effort as possible.
How would you accomplish this task?
A. You should consider running an attended installation of AD DS on ABC-SR12 remotely from the London office.
B. You should consider running an unattended installation of AD DS on ABC-SR12 remotely from the London office.
C. You should consider travelling to New York to install AD DS on ABC-SR12.
D. You should consider assigning this task to a user in the New York office.
Answer:
B. You should consider running an unattended installation of AD DS on ABC-SR12 remotely from the London office.
137
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
ABC.com has its headquarters in London and a branch office in Paris. The Paris office has a Read-Only Domain Controller (RODC) named ABC-DC02. The protection services in the Paris office are currently inadequate.
You have been instructed to make sure that ABC-DC02 contains non-administrative accounts passwords. You decide to include the administrative accounts in the Domain RODC Password Replication Denied group.
Which of the following is TRUE with regards to the Domain RODC Password Replication Denied group?
A. User accounts are members of the Domain RODC Password Replication Denied group by default.
B. Enterprise Domain Controllers are members of the Domain RODC Password Replication Denied group by default.
C. The Domain Admins group is not a member of the Domain RODC Password Replication Denied group by default.
D. Cert Publishers are not members of the Domain RODC Password Replication Denied group by default.
Answer:
B. Enterprise Domain Controllers are members of the Domain RODC Password Replication Denied group by default.
138
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2. A server named ABC-SR07 has been configured to run Active Directory Lightweight Directory Services (AD LDS).
You have been instructed to make sure that Secure Sockets Layer (SSL) based connections to ABC-SR07 are enabled.
What is the best course of action you could take?
A. You should consider installing certificates from a trusted Certification Authority (CA) on ABC- SR07 and workstations, and then ABC.com the certificate by running the Ldp GUI tool.
B. You should consider installing certificates from a trusted Certification Authority (CA) on ABC- SR07 and workstations, and then ABC.com the certificate by running the ntdsutil.exe command from the command-line.
C. You should consider installing certificates from a trusted Certification Authority (CA) on ABC- SR07 only, before executing the Ldp GUI tool.
D. You should consider installing certificates from a trusted Certification Authority (CA) on ABC- SR07 only, before executing the ntdsutil.exe command from the command-line.
Answer:
C. You should consider installing certificates from a trusted Certification Authority (CA) on ABC- SR07 only, before executing the Ldp GUI tool.
139
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network, including domain controllers, run Windows Server 2008 R2.
ABC.com has its headquarters in London, and branch offices in Paris, New York, and Milan. Each of these branch offices are configured as a separate Active Directory site. Each of these Active Directory sites has a Read-Only Domain Controller (RODC) deployed and configured.
You have been instructed to make sure that user account cached credentials for each site are hosted by the Read-Only Domain Controller (RODC) for that particular site.
What course of action should you take to accomplish this task?
A. You should consider including a GPO on all Read-Only Domain Controllers (RODCs).
B. You should consider advising users to reconfigure their credentials.
C. You should consider installing a standard domain controller in each site.
D. You should consider including a replication policy on all RODC computer accounts.
Answer:
D. You should consider including a replication policy on all RODC computer accounts.
140
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2 while all workstations run Windows 7 Enterprise.
A server on the ABC.com network named ABC-SR13 has an instance of Active Directory Lightweight Directory Services (AD LDS) installed. The ABC.com network also has a server named ABC-SR01.
You have been tasked with making sure that the Active Directory Lightweight Directory Services (AD LDS) is replicated to ABC-SR01.
What is the best course of action you could take?
A. You should consider executing the repadmin.exe command-line tool with the /kcc parameters on ABC-SR01.
B. You should consider executing the repadmin.exe command-line tool with the /kcc parameters on ABC-SR13.
C. You should consider running Replmon.exe on ABC-SR13.
D. You should consider running Replmon.exe on ABC-SR01.
Answer:
A. You should consider executing the repadmin.exe command-line tool with the /kcc parameters on ABC-SR01.
141
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. The ABC.com network contains three servers named ABC-SR01, ABC-SR02, and ABC-SR03. ABC-SR01 is configured as a domain controller, and has Windows Server 2008 installed. ABC-SR02 is configured as an Enterprise root certification authority (CA), and has Windows Server 2008 R2. ABC-SR03 is configured with the Network Device Enrollment Service (NDES), and has Windows Server 2008 R2 installed.
ABC.com has released a written policy that requires the use of the MD5 hash algorithm for all device certificate requests. You have been tasked with enforcing the policy.
How would you accomplish this task?
A. You should consider executing the Ntdsutil.exe tool from the command-line on ABC-SR02.
B. You should have the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\EncryptionTemplate registry key defined on ABC-SR03.
C. You should have the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\UseSinglePassword\UseSinglePassword registry key defined on ABC-SR03.
D. You should have the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\ HashAlgorithm\HashAlgorithm registry key defined on ABC-SR03.
Answer:
D. You should have the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\ HashAlgorithm\HashAlgorithm registry key defined on ABC-SR03.
142
You work as an administrator at ABC.com. The ABC.com network has two Active Directory forests named euABC.com and usABC.com, of which each has a single domain configured. Windows Server 2008 R2 has been set as the functional level for both forests.
To permit users from both forests to enroll user certificates automatically, you have configured the Active Directory Certificate Services (AD CS) in the euABC.com forest.
ABC.com releases a written policy that requires all users in the usABC.com forest to be in possession of a user certificate from the euABC.com certification authority (CA).
How would you enforce this policy?
A. You should consider reconfiguring the settings of the Issuing Certification Authority.
B. You should consider reconfiguring the settings of the Intermediate Certification Authority.
C. You should reconfigure the Certificate Enrollment policy by accessing the Default Domain Policy.
D. You should reconfigure the Certificate Enrollment policy by accessing the Default Domain Controllers OU.
Answer:
C. You should reconfigure the Certificate Enrollment policy by accessing the Default Domain Policy.
143
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2 while all workstations run Windows 7 Enterprise.
The ABC.com network has a server named ABC-SR13 which is set up to be an enterprise root certification authority (CA). ABC.com has a Web site that authenticates by making use of x.509 certificates, and makes use many-to-one mapping.
After severing ties with an outside company, ABC.com instructs you to revoke the certificate that was supplied to them. After carrying out this task, you are instructed to make sure that the outside company is unable to log on to ABC.com’s Web site.
What actions should you consider?
A. You should consider making us of the certutil.exe command-line tool, with the –crl parameter.
B. You should consider making us of the certutil.exe command-line tool, with the -URLCache parameter.
C. You should consider making us of the certutil.exe command-line tool, with the -delreg parameter.
D. You should consider making us of the certutil.exe command-line tool, with the -verifykeys parameter.
Answer:
A. You should consider making us of the certutil.exe command-line tool, with the –crl parameter.
144
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2 while all workstations run Windows 7 Enterprise.
The ABC.com domain has two domain controllers named ABC-DC01 and ABC-DC02, both of which are also configured as DNS servers. The DNS zone for ABC.com is an Active Directory- integrated zone that is configured for secure dynamic updates only.
You have received instructions to configure the ABC.com zone to only accept updates from either domain controllers, or servers that form part of the domain.
What is the best course of action you could take?
A. You should navigate to the Security tab of the ABC.com DNS zone properties. You should then remove the Authenticated Users account, and enable the Create All Child Objects permission option for ABC.com’s server computer accounts.
B. You should consider modifying the zone replication scope. You should then navigate to the Security tab of the ABC.com DNS zone properties and enable the Create All Child Objects permission option for ABC.com’s server computer accounts.
C. You should consider modifying the zone replication scope. You should then navigate to the Security tab of the ABC.com DNS zone properties and enable the Write All Properties permission option for the computer accounts of ABC.com’s servers.
D. You should navigate to the Security tab of the ABC.com DNS zone properties. You should then navigate to the Security tab of the ABC.com DNS zone properties and enable the Write All Properties permission option for the computer accounts of ABC.com’s servers.
Answer:
A. You should navigate to the Security tab of the ABC.com DNS zone properties. You should then remove the Authenticated Users account, and enable the Create All Child Objects permission option for ABC.com’s server computer accounts.
145
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers, including domain controllers, on the ABC.com network run Windows Server 2008 R2.
ABC.com has its headquarters in Rome and a branch office in Milan. A writable domain controller named ABC-DC01 is located in Rome, and a read only domain controller (RODC) named ABC- DC02 is located in Milan.
All domain controllers in the ABC.com domain are configured as DNS servers. The DNS zone for the ABC.com zone is Active Directory-integrated, and configured to replicate to all domain controllers.
You have received instructions from the CIO to make sure that the DNS server role is removed from ABC-DC02, and that no DNS records are replicated to it.
How would you accomplish this task?
A. You should consider changing the ABC.com zone’s replication scope.
B. You should consider running the repadmin.exe /syncall /force command.
C. You should consider running the dnslint.exe /ql command.
D. You should consider altering the ABC.com zone’s zone transfer settings.
Answer:
A. You should consider changing the ABC.com zone’s replication scope.
146
You work as an administrator at ABC.com. The ABC.com network has a single Active Directory domain named ABC.com. The ABC.com domain has two domain controllers named ABC-DC01 and ABC-DC02. The ABC.com domain also has two DNS servers named ABC-SR01 and ABC- SR02. ABC-DC01 and ABC-SR01 has Windows Server 2008 installed, while ABC-DC02 and ABC-SR02 has Windows Server 2008 R2 installed. The ABC.com zone is hosted by both ABC- SR01 and ABC-SR02. The functional level of both the domain and the forest is set at Windows Server 2003.
You have been instructed to configure the use of DNSSEC to secure all names in the ABC.com zone.
How should you proceed?
A. You should start by setting Windows Server 2008 as the functional level of ABC.com’s forest.
B. You should start by setting Windows Server 2008 as the functional level of the ABC.com domain.
C. You should start by configuring all domain controllers to run Windows Server 2008.
D. You should start by configuring ABC-SR01 to run Windows Server 2008 R2.
Answer:
D. You should start by configuring ABC-SR01 to run Windows Server 2008 R2.
147
You work as an administrator at ABC.com. ABC.com has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
You have configured a child domain named us.ABC.com which has two domain controllers named ABC-DC05 and ABC-DC06. ABC-DC05 and ABC-DC06 are configured as DNS servers.
You then create a DNS delegation.
Which of the following describes a reason for doing this?
A. It makes sure that users in the ABC.com domain are able to access servers in the us.ABC.com child domain via their User Principal Name (UPN).
B. It makes sure that users in the ABC.com domain are able to access servers in the us.ABC.com child domain via their fully qualified domain names (FQDNs).
C. It makes sure that users in the ABC.com domain are prevented from accessing servers in the us.ABC.com child domain via their User Principal Name (UPN).
D. It makes sure that users in the ABC.com domain are prevented from accessing servers in the us.ABC.com child domain via their fully qualified domain names (FQDNs).
Answer:
B. It makes sure that users in the ABC.com domain are able to access servers in the us.ABC.com child domain via their fully qualified domain names (FQDNs).
148
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers, including domain controllers, on the ABC.com network run Windows Server 2008 R2.
The ABC.com domain has two domain controllers named ABC-DC01 and ABC-DC02. ABC-DC01 is configured to contain a primary zone for ABC.com, while ABC-DC02 is configured to contain the secondary zone.
After modifying the zone to an Active Directory-integrated zone on ABC-DC01, you change the settings of the zone to only allow dynamic updates that are secure.
You have been instructed to make sure that secure dynamic updates to the ABC.com zone are allowed on ABC-DC02.
What course of action should you take?
A. You should consider creating an additional DNS application directory partition on ABC-DC02.
B. You should consider reconfiguring the zone hosted on ABC-DC02 as an Active Directory- integrated zone.
C. You should consider resetting the forwarders on ABC-DC01.
D. You should consider refreshing the zone hosted by ABC-DC02.
Answer:
B. You should consider reconfiguring the zone hosted on ABC-DC02 as an Active Directory- integrated zone.
149
You work as an administrator at ABC.com. The ABC.com network has a single Active Directory domain named ABC.com. All servers, including domain controllers, on the ABC.com network run Windows Server 2008 R2.
The ABC.com domain’s DNS zone is configured as an Active Directory-integrated zone.
You have been tasked with verifying that DNS records used Active Directory replication is registered accurately.
What actions should you consider?
A. You should consider executing the netsh.exe command-line tool.
B. You should consider executing the dnslint.exe command-line tool.
C. You should consider executing the dnscmd.exe command-line tool.
D. You should consider executing the dfsutil command-line tool.
Answer:
B. You should consider executing the dnslint.exe command-line tool.
150
You work as an administrator at ABC.com. The ABC.com network has an Active Directory forest with two domains named eu.ABC.com and us.ABC.com.
Each domain has two domain controllers running Windows Server 2008 R2. The domain controllers in the eu.ABC.com domain are named ABC-DC01 and ABC-DC02, and are each configured to host the eu.ABC.com DNS zone. The domain controllers in the us.ABC.com domain are named ABC-DC03 and ABC-DC04, and are each configured to host the us.ABC.com DNS zone. The zones have been configured as Active Directory-integrated zones.
You have received instructions to make sure that data from the eu.ABC.com domain is accessible on ABC-DC03.
What is the best course of action you could take?
A. You should consider creating an additional DNS application directory partition on ABC-DC01.
B. You should configure the eu.ABC.com zone hosted by ABC-DC01 to be moved to the built-in forest directory partition of eu.ABC.com.
C. You should configure the eu.ABC.com zone hosted by ABC-DC03 to be moved to the built-in forest directory partition of eu.ABC.com.
D. You should consider refreshing the zone hosted by ABC-DC03.
Answer:
B. You should configure the eu.ABC.com zone hosted by ABC-DC01 to be moved to the built-in forest directory partition of eu.ABC.com.
151
You work as an administrator at ABC.com. ABC.com has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
You have recently created a custom application directory partition to host a DNS zone. You have also deployed a new domain controller named ABC-DC02 on the ABC.com network.
You have been instructed to make sure that the DNS zone is replicated to ABC-DC02.
Which of the following actions should you take?
A. You should consider making use of the Ntdsutil command from the command-line.
B. You should consider making use of the Dsamain from the command-line.
C. You should consider making use of the Repadmin from the command-line.
D. You should consider making use of the Dnscmd tool from the command-line.
Answer:
D. You should consider making use of the Dnscmd tool from the command-line.
152
You work as an administrator at ABC.com. The ABC.com network has a single Active Directory domain named ABC.com. The domain controllers on the ABC.com network have been configured to run Windows Server 2008 R2. You have also configured ABC.com to have Windows Server 2003 as its functional level.
You have been instructed to configure a Windows Server 2008 R2 computer named ABC-SR01 as a domain controller in the ABC.com domain.
How would you accomplish this task?
A. You should consider running dcpromo.exe with the /unattend parameter.
B. You should consider running dcpromo.exe with the /adv parameter.
C. You should raise the functional level of the ABC.com domain to Windows Server 2008.
D. You should raise the functional level of ABC.com’s forest to Windows Server 2008 R2.
Answer:
B. You should consider running dcpromo.exe with the /adv parameter.
153
You work as an administrator at ABC.com. ABC.com has an Active Directory forest that includes a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
You have been instructed to configure an incoming external trust relationship between the ABC.com domain and a domain in a different forest.
Which of the following is TRUE with regards to creating an incoming external trust?
A. It allows users in the ABC.com domain to access resources in the Active Directory domain outside of your forest.
B. It allows users in the ABC.com domain to more quickly access resources in another domain in your forest.
C. It allows users in ABC.com’s forest to access resources in all domains in the other forest.
D. It allows users in the ABC.com domain to access resources in a Kerberos realm.
Answer:
A. It allows users in the ABC.com domain to access resources in the Active Directory domain outside of your forest.
154
You work as an administrator at ABC.com. ABC.com has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
ABC.com has its headquarters in London and several branch offices across the world. The various offices have been configured to host numerous subnets.
You have been instructed to make sure that Active Directory subnet objects can be generated with as little administrative effort as possible.
What action should you consider taking?
A. You should consider making use of Set-ADObject cmdlet.
B. You should consider making use of Rename-ADObject cmdlet.
C. You should consider making use of New-ADObject cmdlet.
D. You should consider making use of Move-ADObject cmdlet.
Answer:
C. You should consider making use of New-ADObject cmdlet.
155
You work as an administrator at ABC.com. ABC.com has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
ABC.com has its headquarters in London and several branch offices across the world. All offices are configured as separate sites.
You have accessed Active Directory Sites and Services and plan to make changes to the NTDS Settings.
Which of the following is available for modification?
A. Global group caching.
B. Universal group membership caching.
C. Domain group membership caching.
D. Local group membership caching.
Answer:
B. Universal group membership caching.
156
You work as an administrator at ABC.com. ABC.com has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
ABC.com’s network comprises multiple sites. You have been accessed Active Directory Sites and Services, and modified the IP properties to have site link bridging disabled.
Which of the following describes a reason for doing this?
A. Disables replication for the entire network.
B. Forces the domain controllers in each site to only replicate to domain controllers in contiguous sites.
C. Allows domain controllers to replicate to any domain controllers on the network.
D. Prevents the domain controllers in each site from replicating to domain controllers in contiguous sites.
Answer:
B. Forces the domain controllers in each site to only replicate to domain controllers in contiguous sites.
157
You work as an administrator at ABC.com. ABC.com has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
ABC.com has its headquarters in New York, and branch offices in London, Paris, and Milan. The Paris office contains workstations that are configured to make use of IPv6 only.
You have been instructed to make sure that the workstations in the Paris branch authenticate via the domain controller in the Paris office.
How should you proceed?
A. You should consider creating an extranet topology.
B. You should consider having Active Directory subnet objects created.
C. You should consider disabling the site links.
D. You should consider disabling replication.
Answer:
B. You should consider having Active Directory subnet objects created.
158
You work as an administrator at ABC.com. ABC.com has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
ABC.com has its headquarters in Atlanta and a branch office in Miami. The two offices are configured as separate Active Directory sites. Both sites host two domain controllers each. ABC- DC01 and ABC-DC02 in the Atlanta site, and ABC-DC03 and ABC-DC04 in the Miami site.
What action should you take to create a site link between the two sites?
A. You should consider accessing the Active Directory Sites and Services Snap-In.
B. You should consider accessing the Active Directory Federated Services Snap-In.
C. You should consider accessing the Active Directory Schema Snap-In.
D. You should consider accessing the Users and Computers MMC Snap-In.
Answer:
A. You should consider accessing the Active Directory Sites and Services Snap-In.
159
You work as an administrator at ABC.com. The ABC.com network has a single Active Directory domain named ABC.com. You have configured ABC.com to have Windows Server 2003 as its functional level.
The ABC.com network has numerous domain controllers configured. Fifty percent of the domain controllers run Windows Server 2008 standard while the rest run Windows Server 2008 R2.
You would like to make use of Distributed File System Replication (DFSR) to guarantee SYSVOL replication.
What actions should you consider?
A. You should consider executing dsamain.exe
B. You should consider executing dcdiag.exe.exe
C. You should consider executing dsamain.exe
D. You should consider having the functional level of the ABC.com domain raised to Windows Server 2008.
Answer:
D. You should consider having the functional level of the ABC.com domain raised to Windows Server 2008.
160
You work as an administrator at ABC.com. ABC.com has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
You have been instructed to create a custom attribute that should be linked to ABC.com’s User objects. Subsequent to completing this task, you are required to configure the custom attribute to replicate to ABC.com’s global catalog. To accomplish this task, you want to modify the properties of the custom attribute’s class schema attribute.
What course of action should you take?
A. You should consider accessing the AD FS snap-in.
B. You should consider accessing the Active Directory Users and Computers MMC Snap-In.
C. You should consider accessing the Active Directory Sites and Services snap-in.
D. You should consider accessing the Active Directory Schema snap-in
Answer:
D. You should consider accessing the Active Directory Schema snap-in
161
You work as an administrator at ABC.com. ABC.com has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
The ABC.com network has two servers named ABC-SR13 and ABC-SR14. Both of these servers are running Active Directory Lightweight Directory Services (AD LDS).
You have been instructed to make sure that an instance of AD LDS is replicated from ABC-SR13 to ABC-SR14.
What actions should you perform?
A. You should consider making use of the Dsmod command-line tool.
B. You should consider making use of the netdom command-line tool.
C. You should consider creating an AD LDS service user account.
D. You should consider making use of the Ldp.exe command.
Answer:
C. You should consider creating an AD LDS service user account.
162
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
The ABC.com network has a server named ABC-SR01. After generating an Active Directory Lightweight Directory Services (AD LDS) instance named ABCInstance, you receive instructions to generate an extra AD LDS application directory partition in ABCInstance using a command-line tool.
What is the best course of action you could take?
A. You should execute the dsdbutil command-line tool.
B. You should execute the Fsutil command-line tool.
C. You should execute the Dsmod command-line tool.
D. You should execute the Ldp.exe command-line tool.
Answer:
D. You should execute the Ldp.exe command-line tool.
163
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
The ABC.com network has a server named ABC-SR01. After generating an Active Directory Lightweight Directory Services (AD LDS) instance named ABCInstance, you make use of ADSI Edit to link up to ABCInstance.
You are tasked with creating user objects in ABCInstance. When you open the Create Object wizard to carry out this task, however, you find that the User object class is not present.
It is imperative that you are able to create user objects in ABCInstance
How would you accomplish this task?
A. You should consider creating a new instance.
B. You should consider reconfiguring ABCInstance’s schema.
C. You should execute the Set-ADServiceAccount cmdlet.
D. You should execute the Restore-ADObject cmdlet.
Answer:
B. You should consider reconfiguring ABCInstance’s schema.
164
You work as an administrator at ABC.com. The ABC.com network has a single Active Directory domain named ABC.com. All servers, including domain controllers, on the ABC.com network run Windows Server 2008 R2.
ABC.com has its headquarters in London, and a branch office in Paris. The two offices are configured as separate Active Directory sites. The Paris site hosts a read-only domain controller (RODC) named ABC-DC04.
You have been given the responsibility of administering ABC-DC04. As soon as ABC.com employee named Mia Hamm accesses her workstation, you notice that her password has not been saved on ABC-DC04.
Which of the following actions should you take to rectify this?
A. You should consider assigning Mia Hamm elevated permissions.
B. You should consider verifying whether Mia Hamm’s user account has been added to the correct group.
C. You should consider verifying whether the computer account for ABC-DC04 has been configured properly.
D. You should verify whether Mia Hamm’s user account has been locked out.
Answer:
B. You should consider verifying whether Mia Hamm’s user account has been added to the correct group.
165
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has multiple domain controllers that can be written to, as well as multiple read-only domain controllers (RODCs).
When you are instructed to configure a new Windows Server 2008 R2 server as a RODC, you are also instructed to use as little administrative effort as possible. You must be able to join the new RODC to the ABC.com domain.
Which of the following commands should you execute FIRST?
A. adprep.exe /rodcprep
B. adprep.exe /forestprep
C. Dcpromo.exe
D. adprep.exe /domainprep
Answer:
B. adprep.exe /forestprep
166
You work as an administrator at ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
The ABC.com network contains two servers named ABC-SR01, and ABC-SR02. ABC-SR01 runs Active Directory Federation Services (AD FS) 2.0. You have been tasked with the deployment of AD FS 2.0 to ABC-SR02. Your deployment solution requires the token-signing certificate to be exported from ABC-SR01. The certificate should then be imported to ABC-SR02.
You choose to export the certificate using the Personal Information Exchange PKCS #12 (.pfx) file format.
Which of the following statements are TRUE with regards to this certificate file format? (Choose all that apply.)
A. It allows the secure storage of certificates, private keys, and all certificates in a certification path.
B. It is unable to export a certificate’s private key.
C. It only allows the storage of a single certificate.
D. It is the only format that can be used to export a certificate and its private key.
Answer:
A. It allows the secure storage of certificates, private keys, and all certificates in a certification path.
D. It is the only format that can be used to export a certificate and its private key.
167
You work as an administrator at ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
The ABC.com network contains two servers named ABC-SR01, and ABC-SR02. ABC-SR01 runs Active Directory Federation Services (AD FS) 2.0, and forms part of ABC.com’s AD FS farm. You have just completed the installation of Active Directory Federation Services (AD FS) 2.0 on ABC- SR02, and would like to make it a member of the AD FS farm.
How would you accomplish this task?
A. You should execute the fsconfig command-line tool from ABC-SR01.
B. You should execute the fsconfig command-line tool from ABC-SR02.
C. You should execute the Dfsrmig command-line tool from ABC-SR01.
D. You should execute the Dfsrmig command-line tool from ABC-SR02.
Answer:
B. You should execute the fsconfig command-line tool from ABC-SR02.
168
You work as an administrator at ABC.com. The ABC.com network has a single Active Directory forest named ABC.com. You have previously configured Windows Server 2008 R2 as the functional level of the ABC.com forest.
ABC.com has a network application named ABCApp13, which is configured to make use of a user account named ABCService. All user account passwords are configured to be renewed every sixty days.
You receive a report stating that ABCApp13 stops running when sixty days have passed. After refreshing the password, ABCApp13 executes normally.
You want to prevent ABCApp13 from failing in the future, without having to change the password renewal settings.
Which of the following actions should you take?
A. You should execute the Set-ADForestMode cmdlet.
B. You should execute the Set-ADServiceAccount cmdlet.
C. You should execute the New-Object cmdlet.
D. You should execute the Restore-ADObject cmdlet.
Answer:
B. You should execute the Set-ADServiceAccount cmdlet.
169
You work as an administrator at ABC.com. The ABC.com network consists of a single Active Directory domain named ABC.com.
All servers on the ABC.com network run Windows Server 2008 R2 and all workstations run either Windows XP Professional or Microsoft Windows Vista.
The CIO has requested that the deletion of registry keys be audited for every ABC.com server. You therefore decide to navigate to the Advanced Audit Policy Configuration settings.
Which of the following settings should be altered? (Choose all that apply.)
```
A. The Process Tracking settings.
B. The Object Access settings.
C. The System Events settings.
D. The Global Object Access Auditing settings.
E. The Detailed Tracking settings.
```
Answer:
B. The Object Access settings.
D. The Global Object Access Auditing settings.
170
You work as an administrator at ABC.com. The ABC.com network has an Active Directory domain named ABC.com.
After configuring Windows Server 2008 R2 as ABC.com’s forest functional level, you are instructed to activate the Active Directory Recycle Bin.
How should you proceed?
A. You should execute the Restore-ADObject cmdlet.
B. You should execute the Enable-ADOptionalFeature cmdlet.
C. You should execute the New-Object cmdlet.
D. You should execute the Set-ADForestMode cmdlet.
Answer:
B. You should execute the Enable-ADOptionalFeature cmdlet.
171
You work as an administrator at ABC.com. The ABC.com network consists of a single Active Directory domain named ABC.com. You have installed Windows Server 2008 R2 on all domain controllers on the ABC.com network.
You have received instruction to have the Default Domain Controllers Policy Group Policy object (GPO) restored to the Windows Server 2008 R2 default configuration. You decide to make use of the dcgpofix.exe command-line tool.
What is the best course of action you could take?
A. You should specify the /target:dc parameter.
B. You should specify the /target:domain parameter.
C. You should specify the /target:both parameter.
D. You should not specify the /target parameter.
Answer:
A. You should specify the /target:dc parameter.
172
You work as an administrator at ABC.com. The ABC.com network consists of a single Active Directory domain named ABC.com. The ABC.com network contains a Windows Server 2008 R2 server named ABC-SR35. ABC-SR35 is configured as an enterprise root certification authority (CA).
You are informed that the private key of one of the certificates that was published to a Web server has to be retrieved. You want to make sure that you are able to accomplish this task.
What is the best course of action you could take?
A. You should log on to the Web server, and update the CEP Encryption certificate template.
B. You should log on to ABC-SR35, and update the CEP Encryption certificate template.
C. You should log on to ABC-SR35, and export the private key using the certutil command-line utility.
D. You should log on to the Web server, and export the private key using the certutil command- line utility.
Answer:
D. You should log on to the Web server, and export the private key using the certutil command- line utility.
173
You work as an administrator at ABC.com. The ABC.com network consists of a single Active Directory domain named ABC.com. All servers on the ABC.com network, including domain controllers, run Windows Server 2008 and all workstations run Windows 7 Ultimate. You have set Windows Server 2003 as the functional level of the ABC.com domain.
You have been tasked with joining a new Windows Server 2008 R2 server named ABC-SR21 to the ABC.com domain. You are also instructed to perform this task while ABC-SR21 is offline.
How would you accomplish this task?
A. You should execute the djoin command-line tool from ABC-SR21, and then also execute the djoin command-line tool from a ABC.com workstation.
B. You should execute the netdom command-line tool from ABC-SR21, and then also execute the djoin command-line tool from a ABC.com workstation.
C. You should consider upgrading ABC.com’s domain controllers to Windows Server 2008 R2, and then also executing the djoin command-line tool from a ABC.com workstation.
D. You should consider upgrading ABC.com’s domain controllers to Windows Server 2008 R2, and then also execute the netdom command-line tool from ABC-SR21.
Answer:
A. You should execute the djoin command-line tool from ABC-SR21, and then also execute the djoin command-line tool from a ABC.com workstation.
174
You work as an administrator at ABC.com. The ABC.com network consists of a single Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2. The ABC.com network has a Windows Server 2008 R2 domain controller named ABC- DC01.
When you receive instructions to relocate ABC.com’s Active Directory log files, you decide to perform this task from the command line.
What actions should you perform?
A. You should run the dfsrmig tool from the command-line.
B. You should run the netdom tool from the command-line.
C. You should run the Fsutil tool from the command-line.
D. You should run the Ntdsutil tool from the command-line.
Answer:
D. You should run the Ntdsutil tool from the command-line.
175
You work as an administrator at ABC.com. The ABC.com network co of an Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
ABC.com acquires a new server named ABC-SR35. After installing Windows Server 2008 R2 on ABC-SR35, you deploy it. You have not, however, linked ABC-SR35 to ABC.com’s internal network.
You receive instructions to configure ABC-SR35 to join the ABC.com domain prior to linking it to ABC.com’s internal network.
How would you accomplish this task? (Choose two.)
A. You should execute the djoin command-line utility, with /provision parameter from a computer that is joined to the ABC.com domain.
B. You should execute the djoin command-line utility, with /requestodj parameter from a computer that is joined to the ABC.com domain.
C. You should execute the djoin command-line utility, with /requestodj parameter from ABC-SR35.
D. You should execute the djoin command-line utility, with /provision parameter from ABC-SR35.
Answer:
A. You should execute the djoin command-line utility, with /provision parameter from a computer that is joined to the ABC.com domain.
C. You should execute the djoin command-line utility, with /requestodj parameter from ABC-SR35.
176
You work as an administrator at ABC.com. The ABC.com network consists of a single Active Directory domain named ABC.com. All servers on the ABC.com network, including domain controllers, run Windows Server 2008 R2. The ABC.com network contains multiple domain controllers.
Subsequent to making changes to the Active Directory schema, you execute the repadmin command with the /showrepl parameter.
Which of the following describes the reason for executing this command?
A. To force replication of the schema changes between the domain controllers.
B. To prevent replication of the schema changes between the domain controllers.
C. To check whether the schema changes has been replicated to all domain controllers.
D. To schedule replication of the schema changes between the domain controllers
Answer:
C. To check whether the schema changes has been replicated to all domain controllers.
177
You work as an administrator at ABC.com. The ABC.com network consists of a single Active Directory domain named ABC.com. All servers on the ABC.com network, including domain controllers, run Windows Server 2008 R2 while all workstations run Windows 7.
The ABC.com network contains several domain controllers. You have run the Winrm quickconfig command from the command prompt on each of the domain controllers.
Which of the following describes the reason for running this command?
A. It compiles a list of account logon failures that take place in the ABC.com domain for each domain controller.
B. It compiles a list of account logon failures that take place in the ABC.com domain for each workstation.
C. It compiles a single consolidated list of all account logon failures that take place in the ABC.com domain.
D. It compiles a single consolidated list of all account logon failures that take place on your workstation.
Answer:
C. It compiles a single consolidated list of all account logon failures that take place in the ABC.com domain.
178
You work as an administrator at ABC.com. The ABC.com network consists of a single Active Directory domain named ABC.com. All servers on the ABC.com network, including domain controllers, run Windows Server 2008 R2.
ABC.com has an existing policy that requires the replication of the group policy template files to be checked regularly.
What actions should you perform?
A. You should run the dfsutil command-line tool periodically. B. You should run the Fsutil command-line tool periodically. C. You should run the netdom command-line tool periodically.
D. You should run the Ntfrsutl command-line tool periodically.
Answer:
D. You should run the Ntfrsutl command-line tool periodically.
179
You work as an administrator at ABC.com. The ABC.com network consists of a single Active Directory domain named ABC.com. All servers on the ABC.com network, including domain controllers, run Windows Server 2008 R2. The ABC.com network contains a domain controller named ABC-DC01.
While performing routine maintenance ABC-DC01, you decide to see to what size the Active Directory database has grown.
What actions should you consider?
A. You should consider accessing the Network Monitor to generate a new capture.
B. You should consider creating and configuring event log subscriptions
C. You should navigate to the ntds.dit file in the ntds sub folder of the systemroot folder and analyze the file’s properties.
D. You should consider making use of the Active Directory Diagnostics data collector set.
Answer:
C. You should navigate to the ntds.dit file in the ntds sub folder of the systemroot folder and analyze the file’s properties.
180
You work as an administrator at ABC.com. The ABC.com network consists of a single Active Directory domain named ABC.com. All servers on the ABC.com network, including domain controllers, run Windows Server 2008 R2.
You have been instructed to configure the logon events of all ABC.com domain controllers to be forwarded to your Windows 7 workstation named ABC-WS07. ABC.com has also informed you that they are planning to deploy more domain controllers the following week.
To minimize administrative effort, you want to make sure that any domain controllers deployed in the future is added to the subscription dynamically.
Which of the following actions should you take? (Choose all that apply.)
A. You should consider configuring source-initiated event subscriptions from ABC-WS07.
B. You should consider configuring collector-initiated event subscriptions from ABC-WS07.
C. You should consider configuring the Event Forwarding node via a Group Policy object (GPO) connected to the Domain Controllers organizational unit (OU).
D. You should consider configure the Event Forwarding node via a Group Policy object (GPO) connected to the Domain Users organizational unit (OU).
Answer:
A. You should consider configuring source-initiated event subscriptions from ABC-WS07.
C. You should consider configuring the Event Forwarding node via a Group Policy object (GPO) connected to the Domain Controllers organizational unit (OU).
181
You work as an administrator at ABC.com. The ABC.com network consists of an Active Directory domain named ABC.com.
You have installed Windows Server 2008 Standard on all domain controllers in the ABC.com domain. You also configured Windows Server 2003 as the functional level of the domain. You then acquired and configured a certification authority (CA).
The ABC.com network contains three servers named ABC-SR01, ABC-SR02, and ABC-SR03. ABC-SR01 runs Windows Server 2003, and is configured as the Enterprise root CA. ABC-SR02 runs Windows Server 2008, and is configured as the Enterprise subordinate CA. ABC-SR03 runs Windows Server 2008 R2 Web Server, and is configured as a Web Server.
You have received instruction from the CIO to install the Active Directory Certificate Services (AD CS) Certificate Enrollment Web Service on the ABC.com network.
Which actions should you take?
A. You should consider executing the netdom utility from the command prompt.
B. You should consider executing the dfsutil utility from the command prompt.
C. You should consider executing the dfsrmig.exe file.
D. You should consider having the updates for the Windows Server 2008 R2 Active Directory Schema installed.
Answer:
D. You should consider having the updates for the Windows Server 2008 R2 Active Directory Schema installed.
182
You work as an administrator at ABC.com. ABC.com has a single Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
ABC.com has a server named ABC-SR07 which is running the Active Directory Lightweight Directory Services (AD LDS) role. You have been instructed to install an instance of AD LDS.
You would like the installation to be automated.
What is the best course of action you could take?
A. You should consider running the repadmin.exe tool.
B. You should consider running the replmon.exe tool.
C. You should consider running the adaminstall.exe tool.
D. You should consider running the dsamain.exe tool.
Answer:
C. You should consider running the adaminstall.exe tool.
183
You work as an administrator at ABC.com. ABC.com has a single Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
You have previously configured an Active Directory integrated DNS zone named ABC.com. You want to make sure that DNS records for workstations that are decommissioned are automatically removed from the ABC.com zone.
How would you accomplish this task?
A. You should consider setting the aging properties for the zone via the DNS Manager console.
B. You should consider running the ntdsutil command.
C. You should consider setting the aging properties for the zone via the DHCP Management console.
D. You should consider setting the aging properties for the zone via the Active Directory Sites and Services snap-in.
Answer:
A. You should consider setting the aging properties for the zone via the DNS Manager console.
184
You work as an administrator at ABC.com. ABC.com has a single Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
ABC.com has a group named ABCAdmin. ABC.com has released a policy stating that only users belonging to the ABCAdmin group should be allowed to create certificate templates.
How would you implement this policy?
A. You should consider granting the ABCAdmin group the required permissions via the Active Directory Users and Computers snap-in.
B. You should consider granting the ABCAdmin group the required permissions via the Certificate Templates snap-in.
C. You should consider granting the ABCAdmin group the required permissions via the Authorization Manager snap-in.
D. You should consider granting the ABCAdmin group the required permissions via the Active Directory Sites and Services snap-in.
Answer:
B. You should consider granting the ABCAdmin group the required permissions via the Certificate Templates snap-in.
185
You work as an administrator at ABC.com. ABC.com has an Active Directory forest named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
You have received instructions to configure a new Active Directory Rights Management Services (AD RMS) licensing-only cluster for ABC.com.
Which of the following actions should you take FIRST?
A. You should consider having the AD FS role installed.
B. You should consider configuring a load balancing luster.
C. You should consider installing Microsoft SQL Server 2008.
D. You should consider installing Microsoft Office 2010.
Answer:
C. You should consider installing Microsoft SQL Server 2008.
186
You work as an administrator at ABC.com. ABC.com has a single Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
ABC.com has a server named ABC-SR03 which runs the Active Directory Federation Services (AD FS) Federation Service Proxy. You configured the use of the SSL authentication protocol for the Windows Firewall.
Which of the following is TRUE with regards to configuring SSL authentication protocol?
A. It allows users to authenticate via AD FS.
B. It allows users to authenticate via Kerberos.
C. It allows users to authenticate via DNS.
D. It allows users to authenticate via WINS.
Answer:
A. It allows users to authenticate via AD FS.
187
You work as an administrator at ABC.com. ABC.com has a single Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
ABC.com has a server named ABC-SR15 which has Windows Server 2008 R2 Enterprise installed and has been configured as an enterprise certification authority (CA).
ABC.com has released a policy requiring users belonging to a group named ABCUsers to have the ability to view the Certificate Services event log entries.
What actions should you consider?
A. You should consider making use of the Authorization Manager snap-in.
B. You should consider making use of the Network Policy Server snap-in.
C. You should consider making use of the Active Directory Sites and Services snap-in.
D. You should consider making use of the Active Directory Users and Computers snap-in.
Answer:
A. You should consider making use of the Authorization Manager snap-in.
188
You work as an administrator at ABC.com. ABC.com has a single Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2 Enterprise. ABC.com has a server named ABC-SR15 which has been configured as an enterprise certification authority (CA).
ABC.com has released a policy requiring all ABC.com users to have the ability to enroll for certificates that make use of the IPSEC (Offline request) certificate template.
What actions should you perform?
A. You should consider making use of the Active Directory Users and Computers snap-in.
B. You should consider making use of the Certificate Templates snap-in.
C. You should consider making use of the IP Security Policy Management snap-in.
D. You should consider making use of the Active Directory Sites and Services snap-in.
Answer:
B. You should consider making use of the Certificate Templates snap-in.
189
You work as an administrator at ABC.com. ABC.com has a single Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2 Enterprise. ABC.com has a server named ABC-SR15 which has been configured as an enterprise certification authority (CA).
You are required to perform management tasks regarding certification.
How should you proceed?
A. You should consider making use of the Active Directory Users and Computers snap-in.
B. You should consider making use of the Authorization Manager snap-in.
C. You should consider making use of the Certification Authority snap-in.
D. You should consider making use of the Active Directory Sites and Services snap-in.
Answer:
C. You should consider making use of the Certification Authority snap-in.
190
You work as an administrator at ABC.com. ABC.com has a single Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
ABC.com makes use of DNS for name resolution. You have added a reverse lookup zone via the DNS snap-in.
Which of the following is TRUE with regards to reverse lookup zones?
A. Reverse lookup zones are required for clients to be able to resolve FQDNs from IP addresses.
B. You have to include reverse lookup zones for Active Directory to work properly.
C. Reverse lookup zones are required for clients to be able to resolve UPNs from IP addresses.
D. Reverse lookup zones are required for clients to be able to resolve UPNs from FQDNs.
Answer:
A. Reverse lookup zones are required for clients to be able to resolve FQDNs from IP addresses.
191
You work as an administrator at ABC.com. ABC.com has a single Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
The ABC.com network contains a read-only domain controller (RODC) named ABC-DC03. You have been instructed to make changes to the Password Replication Policy on ABC-DC03.
How would you accomplish this task?
A. You should consider accessing the Active Directory Users and Computers snap-in to complete this task.
B. You should consider accessing the Active Directory Federated Services snap-in to complete this task.
C. You should consider making use of the repadmin.exe command to complete this task.
D. You should consider making use of the ntdsutil.exe command to complete this task.
Answer:
A. You should consider accessing the Active Directory Users and Computers snap-in to complete this task.
192
Which of the following is TRUE with regards to a Data Collector Set (DCS) in Windows Server 2008 R2?
A. Data Collector Sets can contain Performance counters, Event trace data, and system configuration data.
B. Data Collector Sets cannot contain Performance counters.
C. Data Collector Sets cannot contain Event trace data.
D. Data Collector Sets cannot contain System configuration data.
Answer:
A. Data Collector Sets can contain Performance counters, Event trace data, and system configuration data.
193
You work as an administrator at ABC.com. ABC.com has a single Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
You are preparing to execute the ntdsutil.exe command with the create parameter.
Which of the following describes the result of executing this command?
A. An Active Directory snapshot will be created.
B. Operations master roles will be transferred and seized.
C. Popups will be enabled.
D. Objects of decommissioned servers will be cleaned up.
Answer:
A. An Active Directory snapshot will be created.
194
You work as an administrator at ABC.com. ABC.com has a single Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
You have recently mounted an Active Directory snapshot. A few days after mounting the snapshot, you execute the dsamain command-line tool.
Which of the following describes the result of executing this command?
A. Active Directory data stored in a snapshot will be exposed as a Lightweight Directory Access Protocol (LDAP) server.
B. Displays a list of installed device drivers and their properties.
C. A specific type of object or any general object will be deleted from Active Directory.
D. A specific type of object in Active Directory will be altered.
Answer:
A. Active Directory data stored in a snapshot will be exposed as a Lightweight Directory Access Protocol (LDAP) server.
195
You work as an administrator at ABC.com. ABC.com has a single Active Directory domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
The ABC.com network has a server named ABC-SR01. You have been tasked with mounting an Active Directory Lightweight Directory Services (AD LDS) snapshot from ABC-SR01.
What course of action should you take?
A. You should execute the netdom command-line tool.
B. You should execute the dsmgmt command-line tool.
C. You should execute the dsdbutil command-line utility.
D. You should execute the ntdsutil command-line utility.
Answer:
C. You should execute the dsdbutil command-line utility.
196
You work as a network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has organizational units (OU's) named Sales, Marketing and Admin. The Sales OU contains a file server named ABC-SR04 that hosts a shared folder named SalesDocs that contains sensitive customer information.
What action should you take to track access to the SalesDocs folder? (To answer, drag the appropriate action to the appropriate location in the work area.)
Answer:
1. Create a new GPO.
2. Enable the Audit object access option.
3. Link the GPO to the Sales OU.
4. Configure Auditing for the Everyone group on in SalesDocs on TESTKING-SR04.
197
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has four file servers named ABC-SR01, ABC-SR02, ABC-SR03 and ABC- SR04 that are placed in an Organizational Unit (OU) named ABCServers.
ABC has several contractual workers who are members of a global group named PartTimeUsers.
A new ABC.com security policy requires that any attempts by contractual workers to access the folders and files on the file servers in the ABCServers OU needs to be tracked.
To implement this policy you create a new GPO that has the Audit object access Failure audit policy setting configured. You link the GPO to the ABCServers OU.
What other action should you take? (To answer, drag the appropriate action to the appropriate location in the work area.)
Answer:
1. Add PartTimeUsers to the Auditing tab on all the shared folders of the file servers.
2. Configure Failed Full control setting in the Auditing Entry dialog box.
198
You work as a network administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com and a child domain named intl.ABC.com. All domain controllers and servers on the ABC.com network run Windows Serer 2008.
The ABC.com domain has two domain controllers named ABC-DC01 and ABC-DC02 and the intl.ABC.com domain has two domain controllers named ABC-DC03 and ABC-DC04.
ABC.com decides to reorganize the forest structure by removing the intl.ABC.com child domain.
What actions should you take to remove the intl.ABC.com child domain? (To answer, drag the appropriate action to the appropriate location in the work area.)
Answer:
1. Migrate the user accounts in the intl.testking.com domain to the testking.com domain.
2. Remove the Active Directory domain services role from TESTKING-DC03 and TESTKING-DC04.
3. Stop the Domain Controller service on TESTKING-DC03 and TESTKING-DC04.
199
You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a member server named ABC-SR05. You assign the Active Directory Certificate Service (AD CS) role to ABC-SR05. You create a security group named SMCGRP. You want to grant the SMCGRP group the necessary permissions to issue smartcard credentials. However, the SMCGRP must not be granted the permissions to revoke certificates.
Which actions should you take? (To answer, drag the appropriate action to the appropriate location in the work area.)
Answer:
1. Configure TESTKING-SR05 as an Enterprise Root CA.
2. Configure a Smartcard logon certificate.
3. Limit certificate managers for the Smartcard logon certificate to the SMCGRP group.
