70-640 Flashcards
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
Only one Active-Directory integrated zone has been configured in the ABC.com domain. ABC.com has requested that you configure DNS zone to automatically remove DNS records that are outdated.
What action should you consider?
A. You should consider running the netsh /Reset DNS command from the Command prompt.
B. You should consider enabling Scavenging in the DNS zone properties page.
C. You should consider reducing the TTL of the SOA record in the DNS zone properties page.
D. You should consider disabling updates in the DNS zone properties page.
Answer:
B. You should consider enabling Scavenging in the DNS zone properties page.
Explanation: In the scenario you should enable scavenging through the zone properties because scavenging removes the outdated DNS records from the DNS zone automatically. You should additionally note that patience would be required when enabling scavenging as there are some safety valves built into scavenging which takes long to pop.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a server named ABC-SR15. You install the Active Directory Lightweight Directory Services (AD LDS) on ABC-SR15.
Which of the following options can be used for the creation of new Organizational Units (OU’s) in the application directory partition of the AD LDS?
A. You should run the net start command on ABC-SR15.
B. You should open the ADSI Edit Microsoft Management Console on ABC-SR15.
C. You should run the repadmin /dsaguid command on ABC-SR15.
D. You should open the Active Directory Users and Computers Console on ABC-SR15.
Answer:
B. You should open the ADSI Edit Microsoft Management Console on ABC-SR15.
Explanation: You need to use the ADSI Edit snap-in to create new OUs in the AD LDS application directory partition. You also need to add the snap-in in the Microsoft Management Console (MMC).
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has two domain controllers named ABC-DC01 and ABC-DC02. ABC-DC01 suffers a catastrophic failure. This failure is causing problems because ABC-DC01 was configured to host Schema Master Operations role. You log on to the ABC.com domain as a domain administrator but your attempts to transfer the Schema Master Operations role to ABC-DC02 are unsuccessful.
What action should you take to transfer the Schema Master Operations role to ABC-DC02?
A. Your best option would be to have the dcpromo /adv command executed on ABC-DC02.
B. Your best option would be to have the Schema Master role seized to ABC-DC02.
C. Your best option would be to have Schmmgmt.dll registered on ABC-DC02.
D. Your best option would be to add your user account to the Schema Administrators group.
Answer:
B. Your best option would be to have the Schema Master role seized to ABC-DC02.
Explanation: To ensure that ABC-DC02 holds the Schema Master role you need to seize the Schema Master role on ABC-DC02. Seizing the schema master role is a drastic step that should be considered only if the current operations master will never be available again. So to transfer the schema master operations role, you have to seize it on ABC-DC02.
You work as the network administrator at ABC.com. The ABC.com network has a single forest. The forest functional level is set at Windows Server 2008.
The ABC.com network has a Microsoft SQL Server 2005 database server named ABC-DB04 that hosts the Active Directory Rights Management Service (AD RMS).
You try to access the Active Directory Rights Management Services administration website but received an error message stating:
“SQL Server does not exist or access is denied.”
How can you access the AD RMS administration website?
A. You need to restart the Internet Information Server (IIS) service and the MSSQLSVC service on ABC-DB04.
B. You need to install the Active Directory Lightweight Directory Services (AD LDS) on ABC-DB04.
C. You need to reinstall the AD RMS instance on ABC-DB04.
D. You need to reinstall the SQL Server 2005 instance on ABC-DB04. E. You need to run the DCPRO command on ABC-SR04
Answer:
A. You need to restart the Internet Information Server (IIS) service and the MSSQLSVC service on ABC-DB04.
Explanation: You need to restart the internet information server (IIS) to correct the problem. The starting of the MSSQULSVC service will allow you to access the database from AD RMS administration website.
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. The ABC.com network has a Windows Server 2008 computer named ABC-SR03 that functions as an Enterprise Root certificate authority (CA).
A new ABC.com security policy requires that revoked certificate information should be available for examination at all times.
What action should you take adhere to the new policy?
A. This can be accomplished by having a list of trusted certificate authorities published to the ABC.com domain.
B. This can be accomplished by having the Online Certificate Status Protocol (OCSP) responder implemented.
C. This can be accomplished by having the OCSP Response Signing certificate imported.
D. This can be accomplished by having the Startup Type of the Certificate Propagation service set to Automatic.
E. This can be accomplished by having the computer account of ABC-SR03 added to the ABCCertificates group.
Answer:
B. This can be accomplished by having the Online Certificate Status Protocol (OCSP) responder implemented.
Explanation: You should use the network load balancing and publish an OCSP responder. This will ensure that the revoked certificate information will be available at all times. You do not need to download the entire CRL to check for revocation of a certificate; the OCSP is an online responder that can receive a request to check for revocation of a certificate. This will also speed up certificate revocation checking as well as reducing network bandwidth tremendously.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
You are responsible for managing two servers named ABC-SR01 and ABC-SR02. They are setup with the following configuration.
- ABC-SR01 running Enterprise Root certificate authority (CA)
- ABC-SR02 running Online Responder role service
What actions must you perform for the Online Responder to be supported on ABC-SR01?
A. You should enable the Dual Certificate List extension on ABC-SR01.
B. You should ensure that ABC-SR01 is a member of the CertPublishers group.
C. You should import the OCSP Response Signing certificate to ABC-SR01.
D. You should enable the Authority Information Access (AIA) extension on ABC-SR01.
E. You should run the CERTSRV command on ABC-SR01.
Answer:
D. You should enable the Authority Information Access (AIA) extension on ABC-SR01.
Explanation: In order to configure the online responder role service on ABC-SR01 you need to configure the AIA extension. The authority information access extension will indicate how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include on-line validation services and CA policy data. This extension may be included in subject or CA certificates, and it MUST be non-critical
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista.
The ABC.com network has a client computer named ABC-WS640 that was last used six months ago. During the course of the day you attempt to log on to ABC-WS640 but you are unable to authenticate during the logon process.
What action should you consider in order to log on to ABC-WS640?
A. You should consider opening the command prompt on ABC-WS640 and running the netsh set machine command.
B. You should consider opening the command prompt on ABC-WS640 and running the repadmin command.
C. You should consider removing ABC-WS640 from the domain and then rejoining it.
D. You should consider deleting the computer account for ABC-WS640 in Active Directory Users and Computers, and then recreate the computer account.
Answer:
C. You should consider removing ABC-WS640 from the domain and then rejoining it.
Explanation: In the scenario you should have the computer disjoined from the domain and rejoined to the domain whilst having the computer account reset as well. You should additionally note that the long inactivity caused the computer to stop responding to the authentication query using the Active Directory records. You should note by disjoining and rejoining with the account being reset would refresh the computer account passwords.
You work as an enterprise administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com.
The ABC.com network has a Windows Server 2008 domain controller named ABC-DC01 that hosts the Directory Services Recovery Mode (DSRM) role.
What would be the best option to take to have the DSRM password reset?
A. The best option is to open the Active Directory Security for Computers snap-in. B. The best option is to run the ntdsutil command.
C. The best option is to run the Netsh command.
D. The best option is to open the Domain Controller security snap-in.
Answer:
B. The best option is to run the ntdsutil command.
Explanation: You should use the ntdsutil utility to reset the DSRM password. You can use Ntdsutil.exe to reset this password for the server on which you are working, or for another domain controller in the domain. Type ntdsutil and at the ntdsutil command prompt, type set dsrm password.
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. ABC.com has two offices in Chicago and Dallas.
The network has the following setup.
- Chicago Office - Domain Controller named ABC-DC01
- Dallas Office - Read-Only Domain Controller named ABC-DC02
How can you make sure that Dallas Office users use only ABC-DC02 for authentication?
A. You should consider having ABC-DC02 configured as a bridehead server in the Dallas office.
B. You should consider installing and configuring the Password Replication Policy on ABC-DC02.
C. You should consider having ABC-DC01 configured as a bridehead server in the Chicago office.
D. You should consider installing and configuring the Password Replication Policy on ABC-DC01.
E. You should consider having the Global Catalog installed on ABC-DC01.
Answer:
D. You should consider installing and configuring the Password Replication Policy on ABC-DC01.
Explanation: When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner.
The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.
You work as the network administrator at ABC.com. The ABC.com network has a domain named intl.ABC.com. All servers on the ABC.com network run Windows Server 2008. The domain controllers on the ABC.com domain are configured to function as DNS servers.
What action should you take to ensure that computers that are not part of the intl.ABC.com domain are not able to dynamically register their DNS registration information in the intl.ABC.com zone?
A. You should consider removing the .(root) zone from the intl.ABC.com zone.
B. You should consider running the dnscmd /AgeAllRecords command.
C. You should consider configuring Secure Only dynamic updates.
D. You should consider configuring the intl.ABC.com zone as an Active Directory integrated zone.
Answer:
C. You should consider configuring Secure Only dynamic updates.
Explanation: In order to ensure that only domain members are able to register their DNS records dynamically you need to set the option Secure only for Dynamic updates. This will only allow the domain members to register their DNS records dynamically.
You work as a network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has two servers named ABC-SR01 and ABC-SR02 that are configured as domain controllers and as DNS servers. Both servers have the following setup for the ABC.com domain.
- ABC-SR01 - Standard Primary zone
- ABC-SR02 - Standard Secondary zone.
You have to perform the following tasks
- Perform the replication of ABC.com Zone Data * Make sure that Zone Data maintains encryption
- Prevent the loss of Zone Data
How can you accomplish these goals. (Each correct answer presents part of the solution. (Choose TWO.)
A. You should consider having the zone transfer settings configured on ABC-SR01 and ABC- SR02.
B. You should consider having the primary zone on ABC-SR02 converted to an Active Directory- integrated stub zone.
C. You should consider having the primary zone on ABC-SR01 converted to an Active Directory- integrated zone.
D. You should consider having the secondary zone on ABC-SR02 deleted.
E. You should consider having the primary zone on ABC-SR01 deleted.
Answer: C,D
C. You should consider having the primary zone on ABC-SR01 converted to an Active Directory- integrated zone.
D. You should consider having the secondary zone on ABC-SR02 deleted.
Explanation: In the scenario you should have the ABC.com primary zone converted to an active directory-integrated zone and delete the secondary zone as this would ensure replication of the ABC.com zone is encrypted whilst preventing data loss.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
All master roles in the forest are maintained at a domain controller ABC-DC01. You have another domain controller in the network named ABC-DC02 which contains better hardware and can improve performance. ABC-DC01 is to be removed from the network.
Which option can you select in order to ensure that proper roles are transferred to ABC-DC02 without disrupting the forest wide operations?
A. You should consider transferring the RID Master role and the Schema master role.
B. You should consider transferring the Schema master role and the Domain naming master role.
C. You should consider transferring the Infrastructure master role and the PDC emulator role.
D. You should consider transferring the Infrastructure master role and the Domain naming master role.
E. You should consider transferring the RID Master role and the PDC emulator role.
Answer:
B. You should consider transferring the Schema master role and the Domain naming master role.
Explanation: In order to transfer all forest-wide operation master roles to another domain you need to transfer Domain naming master as well as the Schema master. Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest. Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. The ABC.com network has a domain controller named ABC-DC01 that has a single hard drive named Drive C. Drive C hosts the ntds.dit database. You have installed an additional hard drive named Drive D on ABC-DC01.
What would be the best option to take to transfer the ntds.dit database to Drive D?
A. The best option is to run the Ntdsutil command with the Files option.
B. The best option is to open the Windows Power Shell and use the Copy and Paste functions. C. The best option is to run the xcopy command.
D. The best option is to open the Windows Explorer and use the Cut and Paste functions.
Answer:
A. The best option is to run the Ntdsutil command with the Files option.
Explanation: The way you move the Active Directory database to a new volume, is to move the ntds.dit file to the new volume by opening the Files option in the ntdsutil utility. Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing partition.
You work as the network administrator at ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a server named ABC-SR01 that functions as an Enterprise Root certificate authority (CA).
What action should you take to configure ABC-SR01 to support key archival?
A. The Hisecdc security template should be applied to ABC-SR01.
B. The OCSP Response Signing certificate should be imported to ABC-SR01.
C. The private key on ABC-SR01 should be archived.
D. The Startup Type of the Certificate Propagation service on ABC-SR01 should be set to Automatic.
Answer:
C. The private key on ABC-SR01 should be archived.
You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com that operates at the Windows Server 2008 functional level.
How can you configure the network so that it allows the users of ABC.com to have multiple password policies?
A. You should consider creating multiple class schema objects in the Schema console.
B. You should consider creating multiple Group Policy objects in the Group Policy Management console.
C. You should consider creating multiple Password Setting objects in the ADSI Edit console.
D. You should consider creating multiple passwords in Active Directory Users and Computers.
Answer:
C. You should consider creating multiple Password Setting objects in the ADSI Edit console.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com Network contains a server which is configured as:
- Domain Controller
- DNS Server
What option can you use to ensure tracking of all DNS queries received by ABC-SR01?
A. You should consider having automatic logging for recursive queries enabled in the DNS Manager Console on ABC-SR01.
B. You should consider having debug logging enabled in the DNS Manager Console on ABC- SR01.
C. You should consider having event logging configured in the DNS Manager Console on ABC- SR01.
D. You should consider having system event logging configured in the Even Viewer on ABC- SR01.
Answer:
B. You should consider having debug logging enabled in the DNS Manager Console on ABC- SR01.
You work as an enterprise administrator at ABC.com. All servers on the ABC.com network run Windows Server 2008. ABC.com has its headquarters in Chicago and a branch office in Miami. The two offices are configured as separate sites.
The Miami site contains a domain controller named ABC-DC06. You receive an instruction from the CIO to install a new application at the Miami office. In order for the application to run a Global Catalog server is required.
What action should you consider to add a Global Catalog server to the Miami site?
A. You should consider running the DCPROMO command on ABC-DC06 to install the Global Catalog.
B. You should consider using the Server Manager console to configure ABC-DC06 as a Global Catalog server.
C. You should consider using the Active Directory Domains and Trusts console to configure ABC- DC06 as a Global Catalog server.
D. You should consider using the Active Directory Sites and Services console to configure the ABC-DC06 as a Global Catalog server.
Answer:
D. You should consider using the Active Directory Sites and Services console to configure the ABC-DC06 as a Global Catalog server.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The network contains two sites named London and Paris. The following configuration applies to each location.
London
* Single Domain Controller named ABC-DC01 * Separate Active Directory Site.
Paris
* Single Domain Controller named ABC-DC02 * Separate Active Directory Site.
Network Setup
* Both Active Directory Sites are using DEFAULTIPSITELINK object for connectivity.
What action should you take to reduce the delay during replication between ABC-DC01 and ABC- DC02?
A. You should consider having the replication interval for the DEFAULTIPSITELINK object decreased.
B. You should consider having the replication schedule for the DEFAULTIPSITELINK object increased.
C. You should consider having the cost for the DEFAULTIPSITELINK object decreased.
D. You should consider having a site link bridge installed between ABC-DC01 and ABC-DC02.
Answer:
A. You should consider having the replication interval for the DEFAULTIPSITELINK object decreased.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has two servers named ABC-SR01 and ABC-SR02.
- ABC-SR01 - Enterprise Root certificate authority (CA).
- ABC-SR02 - Hosts the Online Responder role.
What step you can perform to make sure that ABC-SR02 is issuing the certificate revocation lists (CRL).
A. You should enable the Dual Certificate List extension on ABC-SR02.
B. You should ensure that ABC-SR02 is a member of the CertPublishers group.
C. You should import the enterprise root CA certificate and the OCSP Response Signing certificate.
D. You should enable the Authority Information Access (AIA) extension on ABC-SR02.
E. You should run the CERTSRV command on ABC-SR02.
Answer:
C. You should import the enterprise root CA certificate and the OCSP Response Signing certificate.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista.
During the course of the day a ABC.com user named Rory Allen complains that he cannot logon to the ABC.com domain from his client computer. When he attempt to, he receives an error message stating that his account has expired.
What action should you consider to have Rory Allen log on to the ABC.com domain from his client computer?
A. You should consider reducing the account lockout duration in the default domain policy.
B. You should consider resetting Rory Allen’s user account.
C. You should consider setting Rory Allen’s user account to never expire.
D. You should consider resetting the computer account for Rory Allen’s client computer.
Answer:
C. You should consider setting Rory Allen’s user account to never expire.
You work as the network administrator at ABC.com. ABC.com has its headquarters in London. The ABC.com network has a domain named ABC.com that consists of a single Active Directory site named LondonSite. The LondonSite contains a domain controller named ABC-DC01.
ABC.com opens a branch office in York and you create another Active Directory site named YorkSite.
How can you have Active Directory replication configured between the two sites?
A. You need to consider installing a new domain controller in YorkSite and creating a site link between the two sites. Then you should consider decreasing the site link cost.
B. You need to consider installing a new domain controller in the LondonSite and configuring it as a preferred bridgehead server.
C. You need to consider installing a new domain controller in the LondonSite and configuring a new site link bridge between the two sites.
D. You need to consider installing a new domain controller in the YorkSite and configuring a new IP subnet for the YorkSite.
Answer:
D. You need to consider installing a new domain controller in the YorkSite and configuring a new IP subnet for the YorkSite.
You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. The ABC.com network has three domain controllers named ABC-DC01, ABC- DC02 and ABC-DC03 that run Windows Server 2003. ABC.com purchases a new Windows Server 2008 computer named ABC-SR04.
What is the first step you should take to install ABC-SR04 as a domain controller on the ABC.com network?
A. You should consider running the dconfig command on ABC-SR04.
B. You should consider running the adprep /forestprep command on ABC-DC01.
C. You should consider raising the domain functional level to Windows Server 2008.
D. You should consider running the adprep /domainprep command on ABC-DC01.
E. You should consider running the dcpromo /remove command on ABC-DB01, ABC-DB02 and ABC-DB03.
Answer:
B. You should consider running the adprep /forestprep command on ABC-DC01.
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
A new ABC.com domain controller management policy states that replication errors need to be logged to a central server.
How would you implement this policy?
A. You should consider having the RepMonitor configured for central logging.
B. You should consider having the System Performance data collector set is started on each domain controller.
C. You should consider having event log subscriptions created on each domain controller.
D. You should consider having the RepAdmin Diagnostics data collector started on each domain controller.
Answer:
C. You should consider having event log subscriptions created on each domain controller.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has six domain controllers named ABC-DC01, ABC-DC02, ABC-DC03, ABC-DC04, ABC-DC05 and ABC-DC06. All six domain controllers function as DNS servers. You are in the process of implementing a new Active Directory-integrated DNS zone.
What action should you take first if you want the new zone replicated only to ABC-DC05 and ABC- DC06?
A. You should consider having the dnscmd /createdirectorypartition command executed on ABC- DC05 and ABC-DC06.
B. You should consider having the dnscmd /config command executed on ABC-DC05 and ABC- DC06.
C. You should consider having the .(root) zone is deleted from ABC-DC01, ABC-DC02, ABC- DC03 and ABC-DC04.
D. You should consider having BIND secondaries enabled on ABC-DC05 and ABC-DC06.
E. You should consider having the dnscmd /unenlistdirectorypartition command executed on ABC- DC01, ABC-DC02, ABC-DC03 and ABC-DC04.
Answer:
A. You should consider having the dnscmd /createdirectorypartition command executed on ABC- DC05 and ABC-DC06.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a domain controller named ABC-SR01 that also functions as a DNS server. You add a new stand alone server named ABC-SR02 and configure it as a DNS server. You then configure a standard secondary zone on ABC-SR02 with ABC-SR01 as the master server.
What action should you take to have zone updates replicated from ABC-SR01 to ABC-SR02?
A. You should consider having ABC-SR02 made a member of the DNSUpdateProxy group.
B. You should consider having the permission of the ABC.com zone modified on ABC-SR01.
C. You should consider having the dnscmd /ZoneUpdateFromDs command run on ABC-SR02.
D. You should consider having the zone transfer settings of the ABC.com zone configured on ABC-SR01.
E. You should consider having ABC-SR02 promoted to a domain controller.
Answer:
D. You should consider having the zone transfer settings of the ABC.com zone configured on ABC-SR01.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a server named ABC-SR03 that functions as an Enterprise Root certification authority (CA). ABC.com issues a new security policy that states that only a ABC.com CEO named Kara Lang must be allowed to sign code.
What action should you take to implement this policy? (Choose all that apply.)
A. You should publish a list of trusted certificate authorities and only grant Kara Lang the necessary permissions to access the Trusted Publishers list.
B. You should apply the code signing template to ABC-SR03 and configure the template only grant Kara Lang the necessary permissions to request code signing certificates.
C. You should import the Online Certificate Status Protocol (OCSP) Response Signing certificate to ABC-SR03 and only grant Kara Lang the necessary permissions to distribute code signing certificates.
D. You should add ABC-SR03 to the CertPublishers group and only grant Kara Lang the necessary permissions to manage ABC-SR03.
Answer:
B. You should apply the code signing template to ABC-SR03 and configure the template only grant Kara Lang the necessary permissions to request code signing certificates.
You work as a systems administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
You are responsible for managing a stand-alone server named ABC-SR05. You are in the process of configuring ABC-SR05 as an Enterprise certification authority (CA). You now want to assign the Active Directory Certificate Services (AD CS) role to ABC-SR05. However, you notice that you cannot select the Enterprise CA option.
What action should you take configuring ABC-SR05 as an Enterprise CA?
A. Your best option would be to first configure ABC-SR05 as a Standalone CA.
B. Your best option would be to first have ABC-SR05 joined to the ABC.com domain.
C. Your best option would be to first install Internet Information Services (IIS) on ABC-SR05.
D. Your best option would be to first assign the Active Directory Certificate Services (AD CS) role to ABC-SR05.
Answer:
B. Your best option would be to first have ABC-SR05 joined to the ABC.com domain.
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista Enterprise Edition. All client computers are located in an Organizational Unit named ClientPCs.
ABC.com has acquired a new third-party application that you need to install on the client computers. Before you can install the application you need prepare the client computers by applying a file named ABCApp.adm to them. The ABCApp.adm file makes changes to the registry on the client computers.
What action should you take to apply the ABCApp.adm file?
A. Your best option would be to create a transformation package that applies the ABCApp.adm file and assign the package to the client computers.
B. Your best option would be to copy the ABCApp.adm file to a network share and write a Microsoft Windows PowerShell script that applies the file to the client computers.
C. Your best option would be to write that the Microsoft Windows PowerShell script that copies the ABCApp.adm file to the client computers.
D. Your best option would be to create a Group Policy Object (GPO) that imports the ABCApp.adm and link the GPO to the ClientPCs OU.
Answer:
D. Your best option would be to create a Group Policy Object (GPO) that imports the ABCApp.adm and link the GPO to the ClientPCs OU.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista. ABC.com has its headquarters in London and branch offices in Lisbon, Madrid and Paris. Each office is structured as a separate site named London, Lisbon, Madrid and Paris.
Due to company growth, ABC.com has hired 150 additional employees that are distributed among the four sites. You create user accounts for the new ABC.com users. However, the new users complain that when they attempt to logon to the domain they receive an error message stating that their username or password is incorrect.
What action should you take to allow the new ABC.com users to log on to the domain?
A. You should consider resetting the user accounts for the new users.
B. You should consider adding the new users to the Remote Desktop Users group.
C. You should consider running the repadmin /replicate command.
D. You should consider install Global Catalog servers at the Lisbon, Madrid and Paris sites.
Answer:
C. You should consider running the repadmin /replicate command.
You work as the network administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com.
The ABC.com network has four Windows Server 2008 domain controllers named ABC-DC01, ABC-DC02, TESKING-DC03 and ABC-DC04. All four domain controllers run the DNS Server role and are part of an Active Directory integrated zone. The ABC.com network also has a UNIX-based DNS server named ABC-SR05.
One of the administrators in your department created an Active Directory-integrated zone for ABC.com. During the course of the day you receive instruction to permit zone transfers of the ABC.com zone to ABC-SR05.
What action should you take to ensure that zone transfers to ABC-SR05 can occur?
A. You should consider installing Active Directory Lightweight Directory Services (AD LDS) on ABC-SR05.
B. You should consider running the dcpromo command on ABC-SR05.
C. You should consider having a stub zone created for ABC-SR05.
D. You should consider configuring BIND secondaries.
Answer:
D. You should consider configuring BIND secondaries.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. The ABC.com has a Windows Server 2008 domain controller named ABC-DC01.
You log on as the Domain Administrator on ABC-DC01 to view the Active Directory Schema console. However, you cannot locate the Active Directory Schema console.
What action should you take to locate the console?
A. You should consider running the net start “Active Directory Services” command on ABC-DC01. B. You should have the Schema Master Operations role assigned to ABC-DC01.
C. You should consider having Schmmgmt.dll registered on ABC-DC01.
D. You should consider logging on to ABC-DC01 as the Local Administrator.
Answer:
C. You should consider having Schmmgmt.dll registered on ABC-DC01.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a server named ABC-SR02 that functions as stand-alone Certificate Authority (CA). You want to track any modifications made to the configuration and security settings of ABC-SR02.
What action should you take?
A. You should configure auditing in the Certification Services console. B. You should add ABC-SR02 to the ABCCertificates group.
C. You should configure the Audit object Access setting on ABC-SR02.
D. You should join ABC-SR02 to the ABC.com domain.
E. You should enable the Authority Information Access (AIA) extension on ABC-SR02.
Answer:
C. You should configure the Audit object Access setting on ABC-SR02.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. The domain functional level is set at Windows Server 2008.
The ABC.com network has a file server named ABC-SR04. You configure a shared folder named KINGDATA on ABC-SR04. You then move users to a new global distribution group named DISTGRP. You grant a domain local group named DLOCGRP access to KINGDATA. You then add DISTGRP to DLOCGRP.
What action should you take to make sure that all users in the DISTGRP group are able to access the KINGDATA share?
A. You should configure DISTGRP to be a universal distribution group.
B. You should configure DISTGRP to be a security group.
C. You should configure DLOCGRP to be a universal security group.
D. You should add the DISTGRP to the Local Administrators group on ABC-SR04.
Answer:
B. You should configure DISTGRP to be a security group.
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. ABC.com has its headquarters in Chicago.
ABC.com opens a new branch office in Dallas. You need to allow ABC.com users in the Dallas office to access network resources in the Chicago office. You assign the ABC.com users in the Dallas office the Read and Execute permissions to the network resources in the Chicago office. You then create a VPN connection which the ABC.com users in the Dallas office will use to establish connectivity to the Chicago office. However, the users in the Dallas office report that they cannot connect to the Chicago office by using the VPN connection.
What action should you take to resolve this problem?
A. Your best option would to assign the Allow Access Dial-in permission to the users in the Dallas office.
B. Your best option would to make the users in the Dallas office members of the Remote Desktop Users security group.
C. Your best option would to make the users in the Dallas office members of the Network Configuration Operators security group.
D. Your best option would to delete and recreate the VPN connection.
Answer:
A. Your best option would to assign the Allow Access Dial-in permission to the users in the Dallas office.
You work as the network administrator at ABC.com. The network has the following configuration.
- Server named ABC-DC01.
- Setup as a domain controller.
- Running Windows Server 2008.
The client computers are using Lightweight Directory Access (LDAP).
What action should you take to determine which LDAP clients are consuming the most CPU resources on ABC-DC01?
A. You should open System Information and view the Hardware Resources node.
B. You should open Task Manager and view the Processes tab.
C. You should open the Active Directory Diagnostics Data Collector and view of the Active Directory report.
D. You should open the Resource Monitor and view the CPU performance data.
Answer:
C. You should open the Active Directory Diagnostics Data Collector and view of the Active Directory report.
You work as an enterprise administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com. All servers on the ABC.com network run Windows Server 2003.
You need to upgrade the domain controllers from Windows Server 2003 to Windows 2008.
What command can be used on the Windows Server 2003 servers to prepare ABC.com for the upgrade?
A. You should execute the dcpromo /adv command.
B. You should execute the adprep /forestprep and the adprep /domainprep commands.
C. You should set the domain functional level to Windows Server 2008.
D. You should execute the dcpromo /createdcaccount command.
Answer:
B. You should execute the adprep /forestprep and the adprep /domainprep commands.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a server named ABC-SR01 configured as a domain controller as well as a DNS server configured with several Active Directory Integrated Zones.
What action should you take if you want to copy the zone files on ABC-SR01 to a network share?
A. You should consider having the dnscmd /ZoneExport command executed on ABC-SR01.
B. You should consider having the dnscmd /WriteBackFiles command executed on ABC-SR01.
C. You should consider having the dnscmd /Info command executed on ABC-SR01.
D. You should consider having the dnscmd /EnumRecords command executed on ABC-SR01.
E. You should consider having the dnscmd /EnumZones command executed on ABC-SR01.
Answer:
A. You should consider having the dnscmd /ZoneExport command executed on ABC-SR01.
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. ABC.com has its headquarters in Seattle and branch offices in Dallas, Miami and Chicago. Each office is configured as a separate site named Seattle, Dallas, Miami and Chicago.
The Seattle site as three domain controllers named ABC-DC01, ABC-DC02 and ABC-DC03. The Dallas site has a single domain controller named ABC-DC04, the Miami site has a single domain controller named ABC-DC05 and the Chicago site has a single domain controller named ABC- DC06. ABC-DC01, ABC-DC02 and ABC-DC03 are configured as Global Catalog servers.
Where should you consider deactivating the Universal Group Membership Caching (UGMC) option at the Dallas, Miami and Chicago offices?
A. You should consider deactivating the UGMC in Active Directory Users and Computers.
B. You should consider deactivating the UGMC at the Site level.
C. You should consider deactivating the UGMC through a Group Policy Object linked to the domain.
D. You should consider deactivating the UGMC at the Organizational Unit (OU) level.
Answer:
B. You should consider deactivating the UGMC at the Site level.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2003.
You have just performed the migration of domain controllers from Windows 2003 to Windows 2008.
Which of following commands can be used to configure DFS Replication (DFS-R) to replicate the Sysvol share?
A. This can be accomplished by running the netdom /dfs -r command.
B. This can be accomplished by raising the domain functional level to Windows Server 2008.
C. This can be accomplished by running dfsutil /share:sysvol command.
D. This can be accomplished by running dfsutil /addstdroot command.
Answer:
B. This can be accomplished by raising the domain functional level to Windows Server 2008.
You work as an enterprise administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com. The forest functional level is set at Windows Server 2003 Native Mode. ABC.com has its headquarters in Chicago and a branch office in Dallas.
The ABC.com network has three Windows Server 2003 domain controllers named ABC-DC01, ABC-DC02 and ABC-DC03 that are located in the Chicago office. You want to install a read-only domain controller (RODC) named ABC-DC04 in the Dallas office.
What action should you consider?
A. You should consider upgrading ABC-DC01 to Windows Server 2008 and then execute the adprep /rodcprep command on ABC-DC01.
B. You should consider configuring the Dallas network as a separate site and upgrading ABC- DC04 to Windows Server 2008.
C. You should consider upgrading all domain controllers to Windows Server 2008 and having the forest functional level set to Windows Server 2008.
D. You should consider configuring the Dallas network as a child domain with the domain functional level set at Windows Server 2008.
Answer:
A. You should consider upgrading ABC-DC01 to Windows Server 2008 and then execute the adprep /rodcprep command on ABC-DC01.
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
You have a workstation called ABC-WS10 and performed the following tasks:
- Install Windows 7 Professional.
You plan to join ABC-WS10 to the domain. You want to ensure that a computer account for ABC- WS10 is created in a specific organizational unit (OU) instead of the default Computers container in Active Directory.
What action should you take to ensure that the ABC-WS10 computer account is created in an organizational unit (OU)?
A. You should consider using the ntdsutil command.
B. You should consider using the csvde command.
C. You should consider using the Idifde command.
D. You should consider using the dsadd command.
Answer:
D. You should consider using the dsadd command.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All server on the ABC.com network run Windows Server 2008. The ABC.com network has two domain controllers named ABC-DC01 and ABC-DC02.
What action should you take to verify the successful replication of Active Directory information from ABC-DC01 to ABC-DC02?
A. You should execute the RepAdmin command on ABC-SR02.
B. You should execute the Dnscmd command on ABC-SR02.
C. You should execute the Dsmod command on ABC-SR02.
D. You should execute the RepMonitor command on ABC-SR02. E. You should execute the Rsdiag command on ABC-SR02.
Answer:
A. You should execute the RepAdmin command on ABC-SR02.
Explanation: RepAdmin is a command line utility which is used to view as well as configure Windows Server 2008 replication amid domain controllers.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2. ABC.com has its headquarters in London and a branch office in Paris.
You are planning to install Windows Server 2008 on a domain controller at each office. IP addresses will be assigned using a Dynamic Host Configuration Protocol (DHCP) server at each office. Your solution must meet the following requirements:
- Administrators in London need to be able to create and modify Active Directory accounts.
- Administrators in Paris need to be able to update drivers on the domain controller in Paris, but should not be able to create or modify user accounts.
- Records in the Domain Name System (DNS) database must be kept up to date.
- Only Active Directory domain members can register with the DNS server.
- Name resolution traffic across the Wide Area Network (WAN) link should be minimized.
How would you plan the DNS configuration? (Each correct answer presents part of the solution. Choose two.)
A. Deploy a standard primary zone in London.
B. Deploy an Active Directory-Integrated zone in Paris.
C. Deploy a primary read-only zone in Paris.
D. Deploy a stub zone in Paris.
E. Deploy an Active Directory-Integrated zone in London.
Answer:
B. Deploy an Active Directory-Integrated zone in Paris.
E. Deploy an Active Directory-Integrated zone in London.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
You have deployed Active Directory Federation Services (AD FS) in your organization. You need to configure another organization as a federated partner. Your organization is the resource partner in this partnership.
You need to exchange partner values with the partner organization.
How would you accomplish this task using as little administrative effort as possible?
A. Add your partner’s domain as an Active Directory Domain Services (AD DS) Account store.
B. Export your trust policy files and send the resulting file to the partner administrator.
C. Have the partner send its federation server’s validation certificate.
D. Deploy an AD FS Proxy in the partner’s perimeter network.
Answer:
B. Export your trust policy files and send the resulting file to the partner administrator.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. A computer running Microsoft Windows Server 2008 is configured as a domain controller. The computer also supports other services, including the Dynamic Host Configuration Protocol (DHCP) service.
You need to move the Active Directory database on the computer. You must minimize the impact on the other services running on the computer.
What could be your first actions? (Each correct answer presents a complete solution. Choose two.)
A. Use Computer Manager to stop the Active Directory service.
B. Run Net stop to stop the Active Directory service.
C. Run Ntdsutil to compact the database.
D. Run Dcpromo to force removal of the Active Directory Domain Services (AD DS) role.
E. Restart the domain controller in Directory Services Restore Mode (DSRM).
Answer:
A. Use Computer Manager to stop the Active Directory service.
B. Run Net stop to stop the Active Directory service.
You work as the network administrator at ABC.com. The ABC.com network consists of 10 Microsoft Windows Server 2008 domain controllers. There are also 15 member servers running Windows Server 2008 and 1,000 client computers running Windows XP Professional. All computers are members of a single Active Directory domain. A Public Key Infrastructure (PKI) is also in place using Active Directory Certificate Services. ABC.com users are required to enroll for a User certificate using Web enrollment.
The users complain that the response time is very slow when accessing servers that host financial data. Certificate authentication is required to access these servers. You discover that the network is extremely busy and network bandwidth is reaching capacity.
You need to re-configure the Certificate Authority (CA) infrastructure to help reduce traffic on the network.
What must be done?
A. Open Active Directory Sites and Services. Deny users the Enroll permission on all templates except the User template.
B. Open the Certificate Authority snap-in and configure the CA to use a Delta Certificate Revocation List (CRL).
C. Open the Certificate Templates snap-in and configure auto-enrollment instead of Web-based enrollment.
D. Open the Certificate Authority snap-in and decrease the Certificate Revocation List (CRL) publication interval.
Answer:
B. Open the Certificate Authority snap-in and configure the CA to use a Delta Certificate Revocation List (CRL).
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All domain controllers are running Windows Server 2008. The network currently has only a single site. ABC.com has its headquarters in Berlin and is preparing to open a branch office in Paris.
You must ensure that administrators at the Paris office can create, modify, and delete user accounts only for employees at the branch office. Administrators must be able to manage user accounts even if the link to headquarters is unavailable.
How would you accomplish this task?
A. Install a read-only domain controller (RODC) at the Paris office.
Create a global group named BranchAdmins.
Create an organizational unit (OU) named BranchUsers.
Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
B. Install a read-only domain controller (RODC) at the Paris office.
Create a global group named BranchAdmins.
Create domain local group named BranchUsers.
Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
C. Install a standard domain controller at the Paris office.
Create a global group named BranchAdmins.
Create a domain local group named BranchUsers.
Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
D. Install a standard domain controller at the Paris office.
Create a global group named BranchAdmins.
Create an organizational unit (OU) named BranchUsers.
Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
Answer:
D. Install a standard domain controller at the Paris office.
Create a global group named BranchAdmins.
Create an organizational unit (OU) named BranchUsers.
Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
You work as a Network Administrator for ABC.com. ABC.com has its headquarters in Los Angeles and branch offices in Denver, San Jose, and San Diego. All locations are connected through 128Kbps leased lines.
ABC.com wants you to configure a Windows 2008 Active Directory-based network. You are supposed to provide a design for the network. The ABC.com management does not want unnecessary traffic over the WAN connection.
Which of the following strategies will you implement to fulfill these requirements?
A. Create a separate site for each location. Move the domain controllers to their respective sites.
B. Create a separate site for each location. Keep all domain controllers at the headquarters site.
C. Create a site for the headquarters and move all domain controllers to this site.
D. Create a single site that covers all locations. Keep all domain controllers at the headquarters.
Answer:
A. Create a separate site for each location. Move the domain controllers to their respective sites.
You work as a Network Administrator for ABC.com. ABC.com has a Windows 2008 Active Directory-based network. The ABC.com network consists of two sites, namely San Francisco and San Diego. These sites are connected with a high-speed T1 line as shown in the image below:
The San Francisco site is highly protected and a firewall has been configured for its security.
You create a site link to replicate the Active Directory data between the two sites. You find that the replication is not working properly. You know that the firewall is preventing data from being replicated between the two sites.
What can you do to resolve this issue?
A. Increase the cost of the site link.
B. Remove the firewall from the San Francisco site.
C. Make the firewall proxy server of the San Francisco site a preferred bridgehead server.
D. Schedule the site link to replicate the Active Directory data twenty-four hours a day.
Answer:
C. Make the firewall proxy server of the San Francisco site a preferred bridgehead server.
You work as a Network Administrator for ABC.com. ABC.com has a Windows 2008 Active Directory-based network. All client computers on the network run Windows Vista Ultimate. You have configured a Dynamic DNS (DDNS) on the network.
There are a lot of mobile users who often connect to and disconnect from the network. ABC.com users on the network complain of slow network responses. You suspect that the stale records on the DNS server may be the cause of the issue. You want to remove the stale records.
Which of the following technologies will you use to accomplish this task?
A. Scavenging
B. Aging
C. Forwarding
D. RODC
Answer:
A. Scavenging
You work as a Network Administrator for ABC.com. ABC.com has a Windows 2008 Active Directory-based single domain network. The company has organized its OU structure according to its departments. Three organizational units (OUs) named HR, Marketing, and Administration are configured in the domain.
You create a GPO named ADM and configure it to show desktop items that are required by most of the users in the Administration department. You link the GPO with the Administration OU. You find that the users in the Administration OU are not receiving the setting that was applied by the GPO on their computers. You suspect that the issue is due to some conflicting policies that are taking higher precedence on the other policies applied by the GPO.
Which of the following actions can you take to find out the policies applied on the users? (Each correct answer represents a complete solution. Choose two.)
A. Use the HFNETCHK.EXE command.
B. Use the NTDSUTIL utility.
C. Use the GPRESULT /z command.
D. Use the RSoP Wizard in logging mode.
Answer:
C. Use the GPRESULT /z command.
D. Use the RSoP Wizard in logging mode.
You work as a Network Administrator for ABC.com. ABC.com currently has a Windows 2000 single domain Active Directory-based network. The company wants to upgrade all its servers to Windows Server 2008 and then its network to a Windows 2008 Active Directory-based network. Before upgrading the network, you want to test the transfer of user and computer accounts from the existing environment to the new environment. You take the following steps:
- Create some test users and a test group in the existing environment. * Make these users members of the group.
- Create a new Windows 2008 forest in a new server.
Which of the following tools will you use to test the successful transfer of user and computer accounts and groups?
A. Windows Easy Transfer
B. ADMT v3
C. CSVDE
D. USMT 3.0
Answer:
B. ADMT v3
You work as a Network Administrator for ABC.com. ABC.com has a Windows 2008 Active Directory-based single domain network. ABC.com has its headquarters in Atlanta and a branch office in Denver Both locations have been configured as separate sites. The headquarters contains 500 users, whereas the branch office in Denver contains fifty users.
ABC.com users use an application named REPORT that requires directory access.
The ABC.com management wants to raise the level of security data. The new company policy dictates that Active Directory data must be secure. You know that the physical security in the branch office can be compromised. You need to secure the domain controller in the branch office.
Which of the following steps will you take to accomplish this task?
A. Configure universal group membership caching at the branch office. Remove the domain controller.
B. Install a global catalog server at the branch office. Remove the domain controller.
C. Install an RODC at the branch office. Remove the domain controller.
D. Place the domain controller at the branch in a strong room secured with locks and keys.
Answer:
C. Install an RODC at the branch office. Remove the domain controller.
You work as a Network Administrator for ABC.com. ABC.com has an Active Directory-based Windows single forest network.
Organizational units (OUs) are configured separately for each department. All the department’s users and computers are placed in their respective OUs. A domain-level OU is also configured on the network to implement domain-wide policies.
A ABC.com user named Rick complains that he is unable to access an application. You suspect that a group policy is preventing Rick from accessing the application. You want to find out the effective group policies on Rick.
Which command-line tool will you use to accomplish this task?
A. GPUPDATE
B. GETRESULT
C. GPRESULT
D. Resultant Set of Policy Wizard
Answer:
C. GPRESULT
You work as a Network Administrator for ABC.com. ABC.com has an Active Directory-based network. You have installed Windows Server 2008 on a computer. You want to configure the server as a Certificate Authority (CA).
Which of the following utilities will you use to accomplish this task?
A. Manage Your Server
B. Configure Your Server
C. Security Configuration Wizard
D. Server Manager
Answer:
D. Server Manager
You work as a Network Administrator for ABC.com. ABC.com has a Windows Active Directory- based single domain network. The company’s offices are located in Los Angeles, Denver, San Jose, and San Diego. All locations have been configured as separates sites. The company’ headquarters is located in Los Angeles.
The network is configured as shown in the image below:

You have configured domain controllers at each site. A bridgehead server is configured at the headquarters. Each branch office contains fifty users. ABC.com users make use an Active Directory integrated application. You experience that the bridgehead server at the headquarters is receiving a lot of Active Directory replication traffic from the branch offices. You are required to reduce the Active Directory replication traffic.
Which of the following steps will you take to accomplish this task?
A. Install a global catalog server at the branch offices.
B. Configure universal group membership caching at the branch offices. Remove the domain controllers from the branch offices.
C. Replace the domain controllers at the branch offices with RODCs.
D. Change the 256kbps lines to T1 lines.
Answer:
C. Replace the domain controllers at the branch offices with RODCs.
You work as a Network Administrator for ABC.com. ABC.com has an Active Directory-based network.
You install Server Core of Windows Server 2008 on a computer. You want to install an Active Directory Certificate Authority (CA) on the server.
Which of the following steps will you take to accomplish this task?
A. Run the Configure Your Server wizard.
B. Run the Manage Your Server wizard.
C. You cannot install AD CA in a Server Core installation of Windows Server 2008.
D. Run the Server Manager console.
Answer:
C. You cannot install AD CA in a Server Core installation of Windows Server 2008.
You work as a Network Administrator for ABC.com. ABC.com has a Windows Active Directory- based single forest network. The functional level of the forest is Windows Server 2008. All client computers on the network run Windows Vista Ultimate.
ABC.com has its headquarters in San Francisco and three branch offices in San Jose, San Diego, and New Orleans. Each office is configured as a different site and each site location is configured as a separate domain. The branch offices are connected to headquarters as shown in the image below:
The location information of the resources is placed in Active Directory. Users in the New Orleans domain regularly search for available resources in Active Directory by using the Entire Directory option. The ABC.com users complain of slow response time while searching Active Directory for resources. You are required to improve the response time for users at the New Orleans office.
Which of the following steps will you take to accomplish this task?
A. Configure a domain controller of the San Francisco domain at the New Orleans site.
B. Configure universal group membership caching at the New Orleans site.
C. Upgrade the 256Kbps WAN link to a 1Mbps WAN link.
D. Configure a global catalog server at the New Orleans office.
Answer:
C. Upgrade the 256Kbps WAN link to a 1Mbps WAN link.
You work as a Network Administrator for ABC.com. The ABC.com network is configured as a Windows Active Directory-based single forest with a single domain named ABC.com. The network contains Windows Server 2003 and Windows Server 2008 domain controllers. Client computers on the network either run Windows Vista Ultimate or Windows XP Professional.
A new security policy is to be implemented. It requires multiple password policies to be implemented on the network. You are required to prepare the network for implementing the new security policy. Your solution must involve minimum administrative efforts.
Which of the following steps will you take to accomplish this task? (Each correct answer represents a part of the solution. Choose two.)
A. Upgrade all domain controllers running Windows Server 2003 to Windows Server 2008.
B. Raise the functional level of the forest to Windows Server 2008.
C. Configure different domains for different password policies.
D. Upgrade all computers running Windows XP Professional to Windows Vista.
E. Raise the functional level of the domain to Windows Server 2008.
Answer:
A. Upgrade all domain controllers running Windows Server 2003 to Windows Server 2008.
E. Raise the functional level of the domain to Windows Server 2008.
You work as a Network Administrator for ABC.com. ABC.com has a Windows Server 2003- based network.
ABC.com wants to upgrade all its Windows 2003 servers to Windows Server 2008. Before upgrading the servers, you want to test the new operating system and its reliability. You also want to test various different operating systems.
Which of the following features of Windows Server 2008 allows you to install and run different operating systems on a single computer?
A. RODC
B. Hyper-V
C. RSoP
D. Online Responder
Answer:
B. Hyper-V
You have been hired by ABC.com to design the company’s network. ABC.com has its headquarters is in Denver. The company has many branch offices. All branch offices are connected to the headquarters through dedicated T1 lines. The ABC.com management of the company wants to have a Windows 2008 Active Directory-based network.
ABC.com’s policy states that only the administrators of the headquarters are allowed to create and manage user accounts. The local administrators in the branch offices are allowed to control their own resources only. Replication or authentication traffic on the WAN is not an issue here.
Which of the following designs will you use to fulfill these requirements?
A. Create a multi-forest network.
Create a forest for each branch office and one for the main office.
Delegate the authority for the resource administration to the local Administrators for their respective forests.
Delegate the authority to the main office’s forest to the Domain Admins group only.
B. Create a single domain network.
Create an organizational unit (OU) for each branch office and an OU for the main office. Delegate the authority for the resource administration to the local Administrators for their own OUs.
Delegate the authority for the main office’s OU to the Domain Admins group only.
C. Create a domain for the main office.
Create child domains for the branch offices.
Keep all the user accounts in the main office domain and the resources on each domain of the branch offices.
Give Administrators Full Control access to the domain controllers.
D. Create a single domain network.
Create a site for each branch office and a site for the main office.
Delegate the authority for the resource administration to the local Administrators for their respective sites.
Delegate the authority of the main office’s site to the Domain Admins group only.
Answer:
B. Create a single domain network.
Create an organizational unit (OU) for each branch office and an OU for the main office. Delegate the authority for the resource administration to the local Administrators for their own OUs.
Delegate the authority for the main office’s OU to the Domain Admins group only.
You are the systems administrator for a company named ABC.com. The ABC.com network consists of a single Active Directory forest. The network contains an Internet Information Services (IIS) server that hosts a Web application that allows users to purchase your company’s products online.
ABC.com has a partner organization, a graphic design firm that designs your company’s products. The partner company has its own Active Directory forest. You are required to enable users in the partner organization to access your Web application without being prompted for secondary credentials.
Which Windows Server 2008 server role should you install in your network to provide Web-based Single-Sign-On (SSO) capabilities to users in the partner organization?
A. Active Directory Rights Management Services (AD RMS)
B. Active Directory Federation Services (AD FS)
C. Active Directory Lightweight Directory Services (AD LDS)
D. Active Directory Domain Services (AD DS)
Answer:
B. Active Directory Federation Services (AD FS)
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers run Windows Server 2008, and all client computers run Windows Vista.
ABC.com’s written security policy stipulates that employees must use certificates for remote access and secure e-mail. Only designated administrators are authorized to approve users’ requests for certificates, issue certificates, and revoke certificates.
You install Certificate Services on several servers and configure them as enterprise certification authorities (CAs).
You must assign the appropriate privileges to the designated administrators in accordance with the company policy. Which of the following actions should you take?
A. Issue an Enrollment Agent certificate to each designated administrator.
B. Assign the designated administrators to the Certificate Manager role on each CA.
C. Assign the Allow - Enroll permission for each certificate template to the designated administrators.
D. Assign the Allow - Write permission for each CA to the designated administrators.
Answer:
B. Assign the designated administrators to the Certificate Manager role on each CA.
You are the systems administrator for ABC.com. The ABC.com network consists of a single Active Directory domain named ABC.com. A computer running Windows Server 2008 has both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) roles installed. The AD LDS server contains an instance with the default name that is used by several applications that access data from and write data to the AD LDS database.
Over time, ABC.com users report to you that the AD LDS applications have become slow. To resolve this problem, you want to defragment the AD LDS database.
How would you perform an offline defragmentation of AD LDS database? (Choose all that apply. Each correct answer is part of a single solution.)
A. Restart the domain controller in Directory Services Restore Mode.
B. Run the Net stop Adam_instance1 command.
C. Run the Net stop Ntds command.
D. Use the Ntdsutil command with the appropriate parameters to defrag the database.
E. Run the Net start Adam_instance1 command.
F. Run the Net start Ntds command.
Answer:
B. Run the Net stop Adam_instance1 command.
D. Use the Ntdsutil command with the appropriate parameters to defrag the database.
E. Run the Net start Adam_instance1 command.
You are a network administrator for ABC.com. The ABC.com network consists of a single Active Directory domain where all servers run Windows Server 2003 and all client computers run Windows XP Professional.
You use a Group Policy object (GPO) to deploy an application on the network. Later, you receive a different application to work with the files that have the same file name extensions instead of the previously deployed application. You must deploy the new application, but users should not have to install it if they choose to use the original application instead of the new one. However, only one of these applications should be installed on the same computer.
Which actions should you take?
A. Assign the new application to computers; specify in the GPO that the original application be removed before the new one is installed.
B. Publish the new application to computers and remove the GPO that deploys the original application.
C. Assign the new application to users and remove the GPO that deploys the original application.
D. Publish the new application to users; specify in the GPO that the original application be removed before the new one is installed.
Answer:
D. Publish the new application to users; specify in the GPO that the original application be removed before the new one is installed.
You are the network administrator for ABC.com. The ABC.com network has a single domain, and all of the domain controllers run Windows Server 2008.
A domain controller in the branch office failed this morning. This domain controller does not hold any other roles. You bring the domain controller back on line, but you need to perform a non- authoritative restore of the domain controller. You do not have a critical volume backup of the domain controller on hand, but you do have a recent full backup.
What should be your first action to perform a non-authoritative restore of the domain controller?
A. Perform a critical backup of another domain controller. Reboot the failed domain controller into Directory Services Restore Mode (DSRM).
B. Perform a full backup of another domain controller. Reboot the failed domain controller into Directory Services Restore Mode (DSRM).
C. At the command prompt, type bcdedit/set safeboot dsrepair and hit Enter. At the next command prompt, type shutdown -t 0 -r and hit Enter.
D. At the command prompt, type bcdedit /set safeboot and hit Enter. At the next command prompt, type shutdown -t 0 -r and hit Enter.
Answer:
C. At the command prompt, type bcdedit/set safeboot dsrepair and hit Enter. At the next command prompt, type shutdown -t 0 -r and hit Enter.
You are the network administrator of ABC.com. ABC.com has its headquarters in Atlanta and a branch office in Denver. The Atlanta office network consists of a single Active Directory domain.
You want to create a new domain for the Denver office in the same forest as the domain at the Atlanta office.
Which operations master role must be available in the forest for you to create a new domain for the Denver office?
A. Schema master B. Domain naming master C. Relative ID (RID) master D. Primary domain controller (PDC) emulator master E. Infrastructure master
Answer:
B. Domain naming master
You are the network administrator of ABC.com. You install Windows Server 2008 on all servers on the network. All client computers are configured to run Windows Vista. You want to be able to use Advanced Encryption Standard (AES) with Kerberos for encryption of Ticket Granting Tickets (TGTs), service tickets, and session keys.
What is the minimum domain functional level that is required to support AES encryption with Kerberos?
A. Windows 2000 Server mixed
B. Windows 2000 Server native
C. Windows Server 2003
D. Windows Server 2008
Answer:
D. Windows Server 2008
You are the systems administrator for ABC.com. The ABC.com network consists of a single Active Directory domain. All domain controllers run Windows Server 2008, and all client computers run Windows Vista. You have a public key infrastructure that has a subordinate enterprise Certification Authority (CA), which issues certificates on behalf of the root CA.
You have a certificate template that allows users to autoenroll, and a group policy object that distributes the certificates to users. All users are able to automatically obtain certificates. You now want routers and other network devices are able to obtain certificates from the CA.
How would you accomplish this task?
A. Assign the routers and network devices the Autoenroll permission in a certificate template.
B. Change the Publish Delta CRL to 1 hour so expired certificates for routers and network devices are published in Active Directory.
C. Install the Online Certificate Status Protocol (OCSP) role service for AD CS.
D. Install the Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service for AD CS.
Answer:
D. Install the Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service for AD CS.
You are the network administrator for ABC.com. The ABC.com network has a single forest with three domains. All domain controllers in your forest are Windows Server 2008. Each domain is configured to be a separate site.
Recently the telephone company has changed the telephone number of a department in the location of one of ABC.com’s domains. There are 55 accounts that are affected by the telephone number change. You need to change the telephone number property in the 55 different accounts.
How would you accomplish this as quickly as possible?
A. Use CSVDE to export the 55 accounts to a CSV file. Change the telephone number and use CSVDE to import the accounts.
B. In Active Directory Users and Computers, select Find from the Action menu and create a saved LDAP query that will return the 55 user accounts. Select all of the user accounts returned by the query and simultaneously modify the telephone number in their accounts’ properties.
C. Create a saved LDAP query that will return user accounts of the 55 user accounts. Export the results to a tab-delimited file, modify the expiration date in the file and use the LDIFDE utility to import the file into Active Directory.
D. In Active Directory Users and Computers, select Find from the Action menu and create a LDAP query that will return the 55 user accounts. Export the results to a comma-delimited file, modify the expiration date in the file and use the CSVDE utility to import the file into Active Directory.
Answer:
B. In Active Directory Users and Computers, select Find from the Action menu and create a saved LDAP query that will return the 55 user accounts. Select all of the user accounts returned by the query and simultaneously modify the telephone number in their accounts’ properties.
You are the administrator for ABC.com. ABC.com has over 5,000 employees. ABC.com’s head office has approximately 4,500 employees, while the company’s ten branch offices have 50 users residing in each. You are often unaware of the physical security in place at these offices. However, since there is a fairly sizable amount of users at each office, you must provide them with directory services.
What is the BEST option to use for directory services when security is unknown?
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Director Rights Management Services
Answer:
B. Read-only domain controllers
You are the administrator for ABC.com. ABC.com has just signed into a partnership with another organization. You will be responsible for ensuring that authentication can occur between both organizations without the need for additional sign-on accounts. The partner has a variety of Directory Services installed throughout their organizations.
Which of the following can Active Directory Federation Services NOT connect to?
A. Lightweight Directory Services
B. Windows Server 2003 Directory Services
C. Windows Server 2003 R2 Directory Services
D. All of the above
Answer:
B. Windows Server 2003 Directory Services
You are the administrator for a nationwide company named ABC.com that currently runs Windows Server 2008 DNS and are reviewing the resource records in your Active Directory–integrated DNS zone.
You notice there are hostnames that do not meet ABC.com’s naming convention and verify that the computers are not members of your Active Directory domain.
What must you do to ensure these hosts cannot create records in your DNS zone?
A. Disable DNS and enable DHCP.
B. Configure your zone to enable secure dynamic updates.
C. Disable dynamic updates in your zone.
D. You cannot prevent this from occurring in DNS.
Answer:
B. Configure your zone to enable secure dynamic updates.
You are creating a new standard primary zone for the company you work for, ABC.com, using the domain ABC.corp. You create the zone through the DNS management console, and now you want to view the corresponding DNS zone file named ABC.corp.dns.
Where do you need to look in order to find this file?
A. You cannot view the zone file because it is stored in Active Directory.
B. You can look in the %systemroot%\system32\dns folder.
C. You cannot view the DNS file except by using the DNS management console.
D. The DNS zone file is actually just a key in the Windows Registry. You need to use the Registry Editor if you want to view the file.
Answer:
B. You can look in the %systemroot%\system32\dns folder.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. You have implemented DNS on a Windows Server 2008 Core Server installation. You want to list the DNS zones on this server.
What command-line utility would you use to accomplish this?
A. ocsetup.
B. netsh.
C. dnscmd.
D. None of the above. You must use the GUI from another Windows Server 2008 host.
Answer:
C. dnscmd.
What is the purpose of resetting an account?
A. Helps you reset a computer password stored in Active Directory so the computer can make a trusted connection with Active Directory.
B. Helps you reboot the computer.
C. Helps you restart netlogon services.
D. Helps you change the authentication protocol from NTML to Kerberos.
Answer:
A. Helps you reset a computer password stored in Active Directory so the computer can make a trusted connection with Active Directory.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 R2.
ABC.com has recently has acquired a partner where all the computers are installed in a workgroup.
Which of the following actions must you perform in order to create computer accounts for the partner company? (Choose all that apply.)
A. Select Start | Run, and then type in the joinallwks /user:administrator command.
B. Select Start | Programs | Administrative Tools | Active Directory Users and Computers, and then right-click the computer container and create the computer objects.
C. Rename the existing computers in a workgroup.
D. Query for resources.
Answer:
B. Select Start | Programs | Administrative Tools | Active Directory Users and Computers, and then right-click the computer container and create the computer objects.
Himma is managing an Active Directory environment of a medium-size company named ABC.com that has a Windows Server 2008 Active Directory-based network. Himma is troubleshooting a problem with Active Directory. One of the administrators made an update to a user object and another reported that he had not seen the changes appear on another Domain Controller (DC). It was more than a week since the change was made. Himma checks the problem by making a change to another Active Directory object. Within a few hours, the change appears on a few DCs, but not on all of them.
Which of the following is a possible cause for this problem?
A. Connection objects are not properly configured.
B. Himma has configured one of the DCs for manual updates.
C. There might be different DCs for different domains.
D. Creation of multiple site links between the sites.
Answer:
A. Connection objects are not properly configured.
You work as the network administrator at ABC.com. All servers on the ABC.com network run. The ABC.com network has a Windows Server 2008Active Directory environment that consists of two dozen sites. The physical network environment is not fully routed, and you have disabled automatic site link transitivity. Now you want to set up three site links to be transitive, as they are physically connected to one another.
Which of the following Active Directory objects is responsible for representing a transitive relationship between sites?
A. Additional sites
B. Additional site links
C. Bridgehead servers
D. Site link bridges
Answer:
D. Site link bridges
