Chapter 9 - Install and Configure Active Directory Domain Services (AD DS) Flashcards

1
Q

You are the administrator for your company network. Your company has one Active Directory Domain Services (AD DS) forest that contains two domains. All servers run Windows Server 2016. The company uses iSCSI storage and Fibre Channel storage. You plan to deploy a single Hyper-V failover cluster that uses Cluster Shared Volumes (CSV). The cluster must include virtual machines from both domains. What should you do if you need to ensure that you can deploy a failover cluster?
A. Deploy clustered storage spaces.
B. Deploy Serial Attached SCSI (SAS).
C. Join each Hyper-V host server to the same AD DS domain.
D. Join each Hyper-V host server to different AD DS domains.

A

C. All servers in the cluster must be in the same Active Directory domain. As a best practice, all clustered servers should have the same domain role (either member server or domain controller). The recommended role is member server.

2
Q
You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a Read-Only Domain Controller (RODC) named RODC1. What should you run if you need to retrieve a list of accounts that have their passwords cached on RODC1?
A. dcdiag.exe 
B. netdom.exe 
C. ntdsutil.exe 
D. repadmin.exe
A

D. repadmin.exe is a command-line tool that can assist administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to retrieve a list of accounts that have their passwords cached on an RODC. Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest.

3
Q

You are the administrator for your company network. Your network contains an Active Directory domain. All users are in an organizational unit (OU) named CorpUsers. You plan to modify the description of all the users who have a string of 603 in their mobile phone numbers. What PowerShell cmdlet should you run if you need to view a list of the users who will be modified?
A. Get-ADUser -Filter “MobilePhone -like ‘603’”
B. Get-ADOrganizationalUnit -Filter “MobilePhone -like ‘603’”
C. Get-ADUser -LDAPFilter “(MobilePhone=’603’)”
D. Get-ADOrganizationalUnit -LDAPFilter “(MobilePhone=’603’)”

A

A. The Get-ADUser cmdlet gets a specified user object or performs a search to get multiple user objects. To search for and retrieve more than one user, use the Filter or LDAPFilter parameters. -Filter specifies a query string that retrieves Active Directory objects.

4
Q
You are the administrator for your company network. Your company is always changing, with new employees coming and going. One of your common tasks requires the deletion of user accounts for employees who are no longer with the company. What command can you use to delete user accounts?
A. dsmod 
B. dspromo 
C. LDIFDE 
D. netsh
A

C. LDAP Data Interchange Format Directory Exchange (LDIFDE.exe) is a powerful utility that can be useful in adding, deleting, and modifying user accounts in Active Directory. This utility enables you to import/export information from/to Active Directory. LDIFDE queries any available domain controller to retrieve or update AD information.

5
Q

You are the administrator for your company network. Your network contains an Active Directory forest. What should you do if you need to identify which server is the schema master?
A. Run Get-ADDomainController -Discover -Service using PowerShell.
B. Run netdom query fsmo using an elevated command prompt.
C. Open Active Directory Users and Computers, right-click the forest in the console tree, and click Operations Master.
D. Open Active Directory Users and Computers, right-click the forest in the console tree, and click RID Master.

A

B. You can open an elevated command prompt and execute the command netdom query fsmo. This lists the server holding each FSMO role. It will show you the five FSMO roles:
■ Schema Master—Forest-wide and one per forest
■ Domain Naming Master—Forest-wide and one per forest
■ RID Master—Domain-specific and one for each domain
■ PDC—Domain-specific and one for each domain
■ Infrastructure Master—Domain-specific and one for each domain

6
Q

You are the administrator for your company network. You have the Active Directory Recycle Bin enabled. You discover that a colleague accidentally removed 100 users from an Active Directory group named Group1 an hour ago. What should you do if you need to restore the membership of Group1?
A. Perform tombstone reanimation.
B. Export and import data by using Dsamain.
C. Perform a nonauthoritative restore.
D. Recover the items by using Active Directory Recycle Bin.

A

B. This is a trick question because a group has been modified but nothing has been deleted. Therefore, options A and D will not work. Option C would work if it was an authoritative restore, but it won’t work for a nonauthoritative restore. The solution is to recover an earlier copy of the group from a backup or Active Directory checkpoint by using Dsamain.

7
Q
You are the administrator for your company network. You have recently implemented Windows Server 2016. You have a few remote sites that are not very secure. You have decided to implement Read-Only Domain Controllers (RODCs). To do the installation of the RODCs, what forest and functional levels does the network need? (Choose all that apply.)
A. Windows Server 2016
B. Windows Server 2008 R2 
C. Windows Server 2012 R2 
D. Windows Server 2008
A

A, B, C, D. To install an RODC, ensure that the forest and functional levels are Windows 2003 or newer.

8
Q
You are the administrator for your company network. What is the maximum number of domains that a Windows Server 2016 computer configured as a domain controller may participate in at one time?
A. Zero
B. One
C. Two
D. Any number of domains
A

B. A domain controller can contain Active Directory information for only one domain. If you want to use a multidomain environment, you must use multiple domain controllers configured in either a tree or a forest setting.

9
Q

You are the administrator for your company network. Your network contains a single Active Directory domain. The domain contains five Windows Server 2008 R2 domain controllers. What should you perform if you plan to install a new Windows Server 2016 domain controller? (Choose two.)
A. Run adprep.exe /rodcprep at the command line.
B. Run adprep.exe /forestprep at the command line.
C. Run adprep.exe /domainprep at the command line.
D. Raise the functional level of the domain from Active Directory Domains and Trusts.
E. Prestage the RODC computer account from Active Directory Users and Computers.

A

B, C. You need to run the adprep command when installing your first Windows Server 2016 domain controller onto a Windows Server 2008 R2 domain. If you are doing an in-place upgrade of an existing domain controller to the Windows Server 2016 operating system, you will need to run adprep /forestprep and adprep /domainprep manually. adprep /forestprep needs to be run only once in the forest. adprep /domainprep needs to be run once in each domain in which you have domain controllers that you are upgrading to Windows Server 2016. adprep /rodcprep gets the network ready to install a read-only domain controller and not a GUI version.

10
Q

You are the administrator for your company network. Your network has a single Active Directory domain. A user who has left the company returns after eight weeks. The user tries to log on to her old computer and receives an error stating that authentication has failed. The user’s account has been enabled. What should you do if you need to ensure that the user is able to log on to the domain using that computer?
A. Re-create the user account and then reconnect the user account to the computer account.
B. Reset the computer account in Active Directory. Disjoin the computer from the domain and then rejoin the computer to the domain.
C. Rejoin the computer account by running the Adadd command.
D. Run the MMC utility on the user’s computer and add the Domain Computers snap-in.

A

B. A computer account and the domain authenticate each other by using a password. The password resets every 30 days. Since the machine has not connected to the domain for eight weeks, the computer needs to be rejoined to the domain.

11
Q

You are the administrator for your company network. Your network contains an Active Directory domain that includes 1,000 desktop computers and 500 laptops. An organizational unit (OU) named OU1 contains the computer accounts for the desktop computers and the laptops. You create a PowerShell script named Script1.ps1 that removes temporary files and cookies. You create a Group Policy Object (GPO) named GPO1 and link GPO1 to OU1. What should you do if you need to run the script once a week on the laptops only?
A. Add Script1.ps1 as a startup script and attach a WMI filter to GPO1.
B. Create a File preference that uses item-level targeting in GPO1.
C. Create a Scheduled Tasks preference that uses item-level targeting in GPO1.
D. Configure the File System security policy and attach a WMI filter to GPO1.

A

C. Item-level targeting is a feature of Group Policy preferences that allows preference settings to be applied to individual users and/or computers within the scope of the GPO that contains the preferences. Item-level targeting allows an administrator to specify a list of conditions that must be met in order for a preference setting to be applied to a user or computer object. The Scheduled Tasks preference items let you create, replace, update, and delete scheduled tasks and their associated properties.

12
Q

You are the administrator for your company network. Your network contains an Active Directory forest. The forest contains a domain named abc.com. The domain contains three domain controllers. A domain controller named DC1 fails and you are unable to repair it. What should you do if you need to prevent the other domain controllers from attempting to replicate to DC1?
A. Remove the object of DC1 from Active Directory Sites and Services.
B. Remove the computer account of DC1 from Active Directory Users and Computers.
C. Transfer the operations master roles from DC1 from Active Directory Domains and Trusts.
D. Perform a metadata cleanup using ntdsutil.exe.

A

D. To prevent replicating data between a broken domain controller and the rest, you will need to perform a metadata cleanup. This can be done using ntdsutil.exe on any workstation/server in a network. Metadata cleanup removes all the references to the domain controller from Active Directory so that tasks like replication continue to work without any errors.

13
Q

You are the administrator for your company network. You have an offline root certification authority (CA) named CA1. CA1 is hosted on a virtual machine. You only turn on CA1 when the CA must be patched or when you must generate a key for subordinate CAs. You start CA1, and you discover that the filesystem is corrupted. You resolve the filesystem corruption and discover that you must reload the CA root from a backup. When you attempt to run the Restore-CARoleService cmdlet, you receive the following error message: “The process cannot access the file because it is being used by another process.” What should you do first to resolve the issue?
A. Stop the Active Directory Domain Services (AD DS) service.
B. Stop the Active Directory Certificate Services (AD CS) service.
C. Run the Restore-CARoleService cmdlet and specify the path to a valid CA key.
D. Run the Restore-CARoleService cmdlet and specify the Force parameter.

A

B. You will need to stop the Active Directory Certificate Services (AD CS) service prior to running the Restore-CARoleService cmdlet. If you’re using the Restore-CARoleService cmdlet and you receive the error message “The process cannot access the file because it is being used by another process,” you need to stop the Active Directory Certificate Services (AD CS) service first.

14
Q
You are the administrator for your company network. Your network contains an Active Directory domain. What tool should you use if you need to limit the number of Active Directory Domain Services (AD DS) objects that a user can create in the domain?
A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Dsacls
D. dsadd_quota
E. Dsamain
F. Dsmod
G. Group Policy Management Console
H. Ntdsutil
A

D. You can use Active Directory and Active Directory Domain Services (AD DS) to implement limitations on the number of objects that a security principal (a user, computer, and group) can create in a directory node. You can define these limitations through Active Directory quotas. dsadd_quota adds a quota specification to a directory partition. A quota specification determines the maximum number of directory objects a given security principal can own in a specified directory partition.

15
Q

You are the administrator for your company network. Your network contains an Active Directory domain. You have an organizational unit (OU) named OU1 that contains the computer accounts of two servers and the user account of a user named User1. A Group Policy Object (GPO) named GPO1 is linked to OU1. You have an application named App1 that installs by using an application installer named App1.exe. What should you do if you need to publish App1 to OU1 by using Group Policy?
A. Create a Config.zap file and add a file to the File System node to the Computer Configuration node of GPO1.
B. Create a Config.xml file and add a software installation package to the User Configuration node of GPO1.
C. Create a Config.zap file and add a software installation package to the User Configuration node of GPO1.
D. Create a Config.xml file and add a software installation package to the Computer Configuration node of GPO1.

A

C. The Group Policy Software installation extension allows administrators to use the Group Policy Object Editor to centrally manage the installation of software on all client computers in an organization. When Group Policy is used to deploy software and the software is included in the GPO linked to a site, domain, or OU, the software is referred to as being advertised to the user and computer. If you’re assigning the application to a user, use the Software Installation node under the User Configuration node, Software Settings. If you’re assigning the application to a computer, use the Software Installation node under Computer Configuration, Software Settings. A .zap package is a simple text wrapper around a setup command. This information is extracted directly by the Group Policy Software installation extension.

16
Q

You are the administrator for your company network. Your network contains an Active Directory forest named abc.com. The forest contains three domains named abc.com, corp.abc.com, and office.abc.com. The forest contains three Active Directory sites named Site1, Site2, and Site3. You have the three administrators as described in the following table:
Administrator Name | Group Membership  | Domain
Admin1             | Domain Admins     | abc.com
Admin2             | Domain Admins     | corp.abc.com
Admin3             | Enterprise Admins | abc.com

You create a Group Policy Object (GPO) named GPO1. Who can link GPO1 to Site2? 
A. Admin1 and Admin2 only
B. Admin1 and Admin3 only
C. Admin1, Admin2, and Admin3
D. Admin3 only
A

B. By default, only domain administrators and enterprise administrators have this privilege for domains and OUs. Enterprise administrators and domain administrators of the forest root domain have this privilege for sites.

17
Q

You are the administrator for your company network. Your network contains an Active Directory domain that has 5,000 user accounts. You have a Group Policy Object (GPO) named DomainPolicy that is linked to the domain and a GPO named DCPolicy that is linked to the Domain Controllers organizational unit (OU). What should you do if you need to use the application control policy settings to prevent several applications from running on the network?
A. Modify Administrative Templates from the Computer Configuration node of DomainPolicy.
B. Modify Administrative Templates from the User Configuration node of DomainPolicy.
C. Modify Folder Redirection from the User Configuration node of DomainPolicy.
D. Modify Security Settings from the Computer Configuration node of DCPolicy.
E. Modify Security Settings from the Computer Configuration node of DomainPolicy.
F. Modify Security Settings from the User Configuration node of DCPolicy.
G. Modify Windows Settings from Preferences in the User Configuration node of DomainPolicy.
H. Modify Windows Settings from Preferences in the Computer Configuration node of DomainPolicy.

A

E. You would want to modify the security settings from the Computer Configuration node of the GPO named DomainPolicy. Configuring Group Policy settings enables you to customize the configuration of a user’s desktop, environment, and security settings. The actual settings are divided into two subcategories: Computer Configuration and User Configurations. The subcategories are referred to as Group Policy nodes. A node is simply a parent structure that holds all related settings. In this case, the node is specific to Computer Configurations and User Configurations.

18
Q
You are the administrator for your company network. Your network contains an Active Directory forest and the functional level is Windows Server 2016. What tool should you use if you need to ensure that a domain administrator can recover a deleted Active Directory object quickly?
A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Dsacls
D. dsadd_quota
E. Dsamain
F. Dsmod
G. Group Policy Management Console
H. Ntdsutil
A

A. You can restore objects from the Active Directory Recycle Bin by using Active Directory Administrative Center. Starting with Windows Server 2012, the Active Directory Recycle Bin feature was enhanced with a new graphical user interface for users to manage and restore deleted objects. Users can now visually locate a list of deleted objects and restore them to their original or desired locations.

19
Q

You are the administrator for your company network. Your network contains an Active Directory domain. You recently deleted 5,000 objects from the Active Directory database. You need to reduce the amount of disk space used to store the Active Directory database on a domain controller. What tool should you use?
A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Dsacls
D. dsadd_quota
E. Dsamain
F. Dsmod
G. Group Policy Management Console
H. Ntdsutil

A

H. Ntdsutil is the primary method by which system administrators can do offline maintenance. It is a command-line tool that is run at an elevated command prompt. The main utility we use for offline maintenance is Ntdsutil. You can use the defragmentation process to compact the Active Directory database when it’s offline. Offline defragmentation helps return free disk space and check Active Directory database integrity. When you perform a defragmentation of the Active Directory database, a new, compacted version of the database is created. This new database file can be created on the same machine (if space permits) or on a network location. After the new file is created, copy the compacted Ntds.dit file back to the original location.

20
Q

You are the administrator for your company network. Your network contains an Active Directory domain. The domain functional level is Windows Server 2016. Your company hires a new security administrator to manage sensitive user data. You create a user account named Security1 for the security administrator. What tool should you use if you need to ensure that the password for Security1 has at least 12 characters and is modified every 10 days and the solution must apply to Security1 only?
A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Dsacls
D. dsadd_quota
E. Dsamain
F. Dsmod
G. Group Policy Management Console
H. Ntdsutil

A

A. To enable Fine-Grained Password Policies (FGPPs), you need to open the Active Directory Administrative Center. Using FGPPs, you specify multiple password policies in a single domain and apply different restrictions for password and account lockout policies to different sets of users in a domain. You can apply stricter settings to privileged accounts and less strict settings to the accounts of other users.

21
Q

You are the administrator for your company network. You are trying to determine which filesystem to use for a server that will become a Windows Server 2016 file server and domain controller. The company has the following requirements:
■ The filesystem must allow for file-level security from within Windows 2016 Server.
■ The filesystem must make efficient use of space on large partitions.
■ The domain controller Sysvol must be stored on the partition.
Which of the following filesystems meets these requirements?
A. File Allocation Table (FAT)
B. File Allocation Table 32 (FAT32)
C. High Performance File System (HPFS)
D. New Technology File System (NTFS)

A

D. NTFS has file-level security and makes efficient use of disk space. Since this machine is to be configured as a domain controller, the configuration requires at least one NTFS partition to store the SYSVOL information.

22
Q

You are the administrator for your company network. You deploy a new Active Directory forest. You need to ensure that you can create a Group Managed Service Account (gMSA) for multiple member servers. What should you do?
A. Configure Kerberos constrained delegation on the computer account of each member server.
B. Configure Kerberos constrained delegation on the computer account of each domain controller.
C. Run the Set-KdsConfiguration PowerShell cmdlet on a domain controller.
D. Run the Add-KdsRootKey PowerShell cmdlet on a domain controller.

A

D. The first step in creating a gMSA is to create the KDS Root Key. Use the Add-KdsRootKey cmdlet to generate a new root key for the Microsoft Group Key Distribution Service (KdsSvc) within Active Directory. The Microsoft Group KdsSvc generates new group keys from the new root key.

23
Q

You are the administrator for your company network. You think you may have an issue with name resolution, and you need to verify that you are using the correct host name. You want to test DNS on the local system and see whether the host name Server1 resolves to the IP address 10.1.1.1. Which of the following provides a solution to the problem?
A. Add an A record to the local WINS server.
B. Add a DNS server to the local subnet.
C. Add the mapping for the host name Server1 to the IP address 10.1.1.1 in the local system’s HOSTS file.
D. Add an MX record to the local DNS server

A

C. The HOSTS file is a text-file-based database of mappings between host names and IP addresses. It works like a file-based version of DNS. DNS resolves a host name to an IP address.

24
Q

You are the administrator for your company network. You have one Active Directory forest in your organization that contains one domain named abc.com. You have two domain controllers configured with the DNS role installed. There are two Active Directory integrated zones named abc.com and abcAD.com. One of your colleagues, who is not an administrator, needs to be able to modify the abc.com DNS server, but you need to prevent this user from modifying the abcAD.com SOA record. What should you do?
A. Modify the permissions of the abc.com zone from the DNS Manager snap-in.
B. Modify the permissions of the abcAD.com zone from the DNS Manager snap-in.
C. Run the Delegation Of Control Wizard in Active Directory.
D. Run the Delegation Of Control Wizard in the DNS snap-in

A

A. You only need to give them rights to the abc.com zone using the DNS snap-in. If they do not have any rights to the abcAD.com zone, they will not be able to configure this zone in any way.

25
Q
You are the administrator for your company network. You and a colleague are discussing Active Directory protocols and services. Which of the following protocols and services are required in order to support Active Directory? (Choose two.)
A. DHCP 
B. DNS
C. IPX/SPX 
D. NetBEUI 
E. TCP/IP
A

B, E. The use of DNS and TCP/IP is required to support Active Directory. TCP/IP is the network protocol favored by Microsoft, which determined that all Active Directory communication would occur on TCP/IP. DNS is required because Active Directory is inherently dependent on the domain model. DHCP is used for automatic address assignment and is not required. Similarly, NetBEUI and IPX/SPX are not available network protocols in Windows Server 2016.

26
Q

You are the administrator for your company network. The network contains an Active Directory forest. The forest contains three domain controllers configured as shown:
Server Name | Active Directory Site
Server1     | Boston
Server2     | Boston
Server3     | New York

The company physically relocates Server2 from the Boston office to the New York office. You discover that both Server1 and Server2 authenticate users who sign in to the client computers in the Boston office. Only Server3 authenticates users who sign in to the computers in the New York office. What should you do if you need to ensure that Server2 authenticates the users in the New York office during normal network operations?
A. Modify the Internet Protocol Version 4 (TCP/IPv4) configuration from Network Connections on Server2.
B. Modify the Location Property of Server2 from Active Directory Users and Computers.
C. Run the Move-ADDirectoryServer cmdlet.
D. Run the Set-ADReplicationSite cmdlet.

A

D. The Set-ADReplicationSite cmdlet is used to set the properties for an Active Directory site that is being used for replication. Sites are used in Active Directory to either enable clients to discover network resources (published shares, domain controllers) close to the physical location of a client computer or to reduce network traffic over wide area network (WAN) links. Sites can also be used to optimize replication between domain controllers.

27
Q
You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a web application that uses Kerberos authentication. You change the domain name of the web application. What tool should you use if you need to ensure that the Service Principal Name (SPN) for the application is registered?
A. Active Directory Users and Computers
B. dnscmd
C. LDIFDE
D. rdspnf
A

A. An SPN is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. To see if the SPNs are registered, you can use Active Directory Users and Computers.

28
Q

You are the administrator for your company network. Your network contains an Active Directory domain. What should you use if you need to create a Central Store for Group Policy administrator templates?
A. dcgpofix.exe
B. File Explorer
C. Group Policy Management Console (GPMC)
D. Server Manager

A

B. Administrative Template files are divided into .admx files and language-specific .adml files for use by Group Policy administrators. To create a central store for .admx and .adml files, create a new folder in File Explorer that is named PolicyDefinitions on the domain controller—for example, \abc.com\SYSVOL\abc.com\policies\PolicyDefinitions.

29
Q

You are the administrator for your company network. Your network contains an Active Directory domain. What should you use if you need to create a Central Store for Group Policy administrator templates?
A. Copy-GPO
B. Copy-Item
C. dcgpofix.exe
D. Group Policy Management Console (GPMC)

A

B. The Copy-Item cmdlet copies an item from one location to another in the same namespace. This cmdlet does not cut or delete the items being copied. Copy-Item can copy files and directories in a filesystem drive and registry keys and entries in the registry drive.

30
Q

You are the administrator for a large hospital. You have dozens of doctors who are affiliated with the hospital but do not have offices within the hospital. You have been asked to install a domain controller in a small doctor’s office that is offsite. The doctor’s office does not have a secure server room. What is the best way to complete this task?
A. Do not install a domain controller at their location. Install a Windows Server 2016 Server Core server and enable Universal Group Membership Caching on that server.
B. Install a domain controller at their office and enable certificates.
C. Make the new server a Windows Server 2016 Server Core system and install the domain controller as a Read-Only Domain Controller (RODC) server.
D. All of the above.

A

C. By making the server a Server Core based server, you prevent users from changing the Windows Server by using the graphical user interface (GUI). Server Core has no GUI installed on it. Then by making the domain controller an RODC, you prevent changes to Active Directory.

31
Q
You are the administrator for your company network. You and a colleague are discussing changing an existing partition’s filesystem to another filesystem. What command-line utility should you use?
A. CHANGE
B. CONVERT 
C. REVERT
D. TRANSFORM
A

B. If you want to convert an existing partition from one filesystem to another, you will need to use the CONVERT command-line utility. For example, to convert the C: partition from FAT to NTFS, you would use the following command: CONVERT c: /fs:ntfs.

32
Q

You are the administrator for your company network. Your network contains an Active Directory domain. All the accounts of the users in the Marketing department are in an organizational unit (OU) named MarketingOU. An application named App1 is deployed to the user accounts in MarketingOU by using a Group Policy Object (GPO) named MarketingGPO. What should you do if you need to set the registry value of \HKEY_CURRENT_USER\Software\App1\Collaboration to 0? (Choose all that apply.)
A. Add a user preference that has an Update action.
B. Add a user preference that has a Replace action.
C. Add a user preference that has a Create action.
D. Add a user preference that has a Delete action.

A

A, B. The Update action will, if a drive mapping exists, update it with the settings specified. The Replace action will remove whatever drive mapping exists for this share and create a new one with these settings.

33
Q
You are the administrator for your company network. You and a colleague are discussing installing additional domain controllers by using the Install from Media (IFM) installation method. What is the name of the utility that allows you to create installation media for the creation of an additional domain controller in the domain?
A. dcdiag.exe 
B. netdom.exe 
C. ntdsutil.exe 
D. repadmin.exe
A

C. Windows Server 2016 allows you to install a domain controller using the IFM method by using the Ntdsutil utility. The Ntdsutil utility allows you to create installation media for an additional domain controller in a domain.

34
Q
You are the administrator for your company network. You and a colleague are discussing trusts. What kind of trust is set up between one domain and another domain in the same forest?
A. Domain trust 
B. External trust 
C. Forest trust 
D. Shortcut trust
A

D. Shortcut trusts are trusts that are set up between two domains in the same forest. Shortcut trusts are one-way or two-way transitive trusts that can be used when administrators need to optimize the authentication process.

35
Q

You are the administrator for your company network. Your network contains an Active Directory domain. You create a domain security group named Group1 and add several users to it. What should you do if you need to force all of the users in Group1 to change their passwords every 35 days while not affecting any other users?
A. Create a Password Settings Object (PSO) from Active Directory Administrative Center.
B. Create a forms authentication provider and then set the forms authentication credentials.
C. Run the Set-ADDomain cmdlet and then run the Set-ADAccountPassword cmdlet using PowerShell.
D. Modify the Password Policy settings in a Group Policy Object (GPO) that is linked to the domain and then filter the GPO to Group1 only.

A

A. PSOs are created so that you can create fine-grained password policies. You create PSOs using the Active Directory Service Interfaces (ADSI) editor, and then you can use those PSOs to create your fine-grained password policies. Fine-grained password policies allow you to specify multiple password policies in a single domain.

36
Q

You are the administrator for your company network. A technician named Tech1 is assigned the task of joining the laptops to the domain. The computer accounts of each laptop must be in an organizational unit (OU) that is associated with the department of the user who will use that laptop. The laptop names must start with four characters, indicating the department followed by a four-digit number. Tech1 is a member of only the Domain Users group. Tech1 has the administrator logon credentials for all the laptops. You need Tech1 to join the laptops to the domain. The solution must ensure that the laptops are named correctly and that the computer accounts of the laptops are in the correct OUs. What should you do? (Choose all that apply.)
A. Script the creation of files for an offline domain join and then give the files to Tech1. Instruct Tech1 to sign in to each laptop and then to run djoin.exe.
B. Pre-create the computer account of each laptop in Active Directory Users and Computers. Instruct Tech1 to sign in to each laptop and then to run djoin.exe.
C. Instruct Tech1 to sign in to each laptop, rename each laptop by using System in Control Panel, and then to join each laptop to the domain by using the netdom join command.
D. Pre-create the computer account of each laptop in Active Directory Users and Computers. Instruct Tech1 to sign in to each laptop, rename each laptop, and then to join each laptop to the domain by using System in Control Panel.

A

A, D. There are a few ways to join a computer to a domain. You can do it using the System icon in Control Panel or you can do it using the djoin.exe command. If you pre-created all of the computers in Active Directory, this would take a lot of extra time. Option C is incorrect because if you add the computer to the domain using the System icon, you would not need to use the netdom command.

37
Q

You are the administrator for your company network. Your network contains an Active Directory domain that has 5,000 user accounts. You have a Group Policy Object (GPO) named DomainPolicy that is linked to the domain and a GPO named DCPolicy that is linked to the domain controllers organizational unit (OU). What should you do if you need to ensure that all the client computers on the network automatically download and install Windows Updates?
A. Modify Administrative Templates from the Computer Configuration node of DomainPolicy.
B. Modify Administrative Templates from the User Configuration node of DomainPolicy.
C. Modify Folder Redirection from the User Configuration node of DomainPolicy.
D. Modify Security Settings from the Computer Configuration node of DCPolicy.
E. Modify Security Settings from the Computer Configuration node of DomainPolicy.
F. Modify Security Settings from the User Configuration node of DCPolicy.
G. Modify Windows Settings from Preferences in the User Configuration node of DomainPolicy.
H. Modify Windows Settings from Preferences in the Computer Configuration node of DomainPolicy.

A

A. When you configure the Group Policy settings for WSUS, use a GPO linked to an Active Directory container appropriate for your environment. Here are the steps in automatically downloading and installing Windows Updates:

  1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Configure Automatic Updates.
  3. Click Enabled and then select how you would like the updates to be installed.
  4. Click OK.
38
Q

You are the administrator for your company network. You and a colleague are discussing useful Windows Server 2016 command-line utilities. One allows you to back up and restore the operating system, volumes, files, folders, and applications while using the command prompt. Which utility are we discussing?
A. adsiedit.msc
B. ntdsutil.exe
C. repadmin.exe
D. wbadmin

A

D. The wbadmin command allows you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt. You must be a member of the Administrators group to configure a backup schedule. You must be a member of the Backup Operators or the Administrators group (or you must have been delegated the appropriate permissions) to perform all other tasks using the wbadmin command. To use the wbadmin command, you must run it from an elevated command prompt.

39
Q

You are the administrator for your company network. You have multiple Windows Server 2016 servers. You have a server named Server1 that is configured as a domain controller and a DNS server. What should you run if you need to create an Active Directory–integrated zone on Server1?
A. dism.exe
B. dns.exe
C. dnscmd.exe
D. netsh.exe
E. Set-DhcpServerDatabase
F. Set-DhcpServerv4DnsSetting
G. Set-DhcpServerv6DnsSetting
H. Set-DNSServerSetting

A

C. dnscmd.exe is a command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network. Here is an example:
dnscmd []

40
Q
You are the administrator for your company network. You and a colleague are discussing the multiple ways in which you can install Active Directory. What are some of the ways? (Choose all that apply.)
A. Add/Remove Programs 
B. Install from Media (IFM) 
C. Server Manager
D. Windows PowerShell
A


41
Q

You are the administrator for your company network. The network contains an Active Directory domain and has multiple offices. An Active Directory site exists for each of the offices. All of the sites connect to each other by using DEFAULTIPSITELINK. The company plans to open a new office. The new office will have a domain controller and 100 client computers. You install Windows Server 2016 on a member server in the new office, which will become a domain controller. You need to deploy the domain controller to the new office. You must ensure that the client computers in the new office will authenticate by using the local domain controller. What should you perform next in sequence? (Choose all that apply.)
A. Create a new connection object.
B. Create a new site object.
C. Create a new subnet object.
D. Move the server object of the domain controller.
E. Promote a member server to a domain controller.

A

B, C, E. In order, you’d want to create a new site object, create a new subnet object, and then promote the member server to a domain controller.

42
Q

You are the administrator of your company network. You recently deployed a new child domain to an Active Directory forest. You discover that a user modified the Default Domain Policy to configure several Windows components in the child domain. Company policy states that the Default Domain Policy must be used only to configure domain-wide security settings. You create a new Group Policy Object (GPO) and configure the settings for the Windows components in the new GPO. What should you do if you need to restore the Default Domain Policy to the default settings from when the domain was first installed?
A. Click Starter GPOs and then click Manage Backups from Group Policy Management.
B. Run the Copy-GPO cmdlet using PowerShell.
C. Run the dcgpofix.exe command from a command prompt.
D. Run ntdsutil.exe to perform a metadata cleanup and a semantic database analysis.

A

C. Dcgpofix re-creates the default GPOs for a domain. It will restore the Default Domain Controllers Policy GPO to its original state. You will lose any changes that you have made to the GPO.

43
Q

You are the administrator for your company network. Your network has a single Windows Server 2016 Active Directory domain. The domain has OUs for Sales, Marketing, Admin, R&D, and Finance. You need the users in the Finance OU only to get Microsoft Office 2016 installed automatically onto their computers. You create a GPO named OfficeApp. What is the next step in getting all the Finance users Office 2016?
A. Edit the GPO and assign the Office application to the user’s account. Link the GPO to the Finance OU.
B. Edit the GPO and assign the Office application to the user’s account. Link the GPO to the domain.
C. Edit the GPO and assign the Office application to the computer account. Link the GPO to the domain.
D. Edit the GPO and assign the Office application to the computer account. Link the GPO to the Finance OU.

A

D. If you assign an application to a user, the application does not get automatically installed. To have an application automatically installed, you must assign the application to the computer account. Since Finance is the only OU that should receive this application, you would link the GPO to Finance only.

44
Q
You are the administrator for your company network. You are working on creating a new GPO for the Sales OU. You want the GPO to take effect immediately and you need to use PowerShell. What PowerShell cmdlet would you use?
A. Invoke-GPExecute 
B. Invoke-GPForce 
C. Invoke-GPResult 
D. Invoke-GPUpdate
A

D. The Invoke-GPUpdate cmdlet refreshes Group Policy settings, including security settings that are set on remote computers, by scheduling the running of the GPUpdate cmdlet on a remote computer. The refresh can be scheduled to immediately start a refresh of policy settings or wait for a specified period of time.

45
Q
You are the administrator for your company network. You want to run adprep /forestprep to add the first Windows Server 2016 domain controller to an existing forest. In order to do so, you must be a member of what administrator group? (Choose all that apply.)
A. Administrators group
B. Domain Admins group 
C. Enterprise Admins group 
D. Schema Admins group
A

B, C, D. In order to run adprep /forestprep and to add the first Windows Server 2016 domain controller to an existing forest, the command must be run by an administrator who is a member of the Enterprise Admins group, the Schema Admins group, or the Domain Admins group of the domain that hosts the schema master.

46
Q
You are the administrator for your company network. You and a colleague are discussing DNS SRV records. DNS must have service records for which of the following? (Choose all that apply.)
A. Domain Controllers
B. Network Controllers
C. Global Catalogs
D. PDC Emulator
E. Kerberos KDC
F. Information Service
A

A, C, D, E. SRV records show that a machine is running a specific service. There are a few services that are needed for the network to properly function. DNS must have service records for the domain controllers, global catalogs, PDC emulator, and the Kerberos KDC service. The easiest way to configure the SRV records is to have these machines all be DNS clients. DNS clients will send their client information to the DNS server by default.

47
Q
You are the administrator for your company network. You need to enable three of your domain controllers as Global Catalog servers. Where would you configure the domain controllers as Global Catalogs?
A. Forest, NTDS settings 
B. Domain, NTDS settings 
C. Site, NTDS settings
D. Server, NTDS settings
A

D. In the Active Directory Sites and Services console, the Server NTDS settings are where you would activate and deactivate Global Catalogs.

48
Q

You are the administrator for your company network. Your network contains an Active Directory forest. The forest contains two Windows Server 2016 domain controllers named DC1 and DC2. DC1 holds all of the operations master roles. DC1 experiences a hardware failure. You plan to use an automated process that will create 1,000 user accounts. You need to ensure that the automated process can complete successfully. What PowerShell cmdlet should you run?
A. Move-ADDirectoryServerOperationMasterRole -identity "DC2" -OperationMasterRole PDCEmulator -Force
B. ntdsutil -identity "DC2" -OperationMasterRole PDC Emulator Seize PDC
C. ntdsutil -identity "DC2" -OperationMasterRole SchemaMaster -Force
D. Move-ADDirectoryServerOperationMasterRole -identity "DC2" -OperationMasterRole PDCEmulator Seize pdc

A

A. The Move-ADDirectoryServerOperationMasterRole cmdlet moves one or more operation master roles to a directory server. You can move operation master roles to a directory server in a different domain if the credentials are the same in both domains. The -identity parameter specifies the directory server that receives the roles. The -OperationMasterRole parameter is used to specify the roles for transfer. Operation roles include PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, and DomainNamingMaster. In this scenario we are using the PDCEmulator. The -Force parameter indicates that the cmdlet is used for seize operations on domain controllers with the flexible single master operations (FSMO) role.

49
Q
You are the administrator for your company network. You and a colleague are discussing domain controller cloning. What is the tool that you can use to clone domain controllers?
A. sysprep.exe
B. Windows PowerShell
C. ntdsutil.exe
D. Active Directory Users and Computers
A

B. To set up domain controller cloning, you must be a member of the Domain Admins group or have the equivalent permissions. The administrator must then run PowerShell from an elevated command prompt. The following example is used to create a clone domain controller named TestClone with a static IP address of 10.0.0.5 and a subnet mask of 255.255.0.0. This command also configures the DNS Server and WINS server configurations.
New-ADDCCloneConfigFile -CloneComputerName "TestClone" -Static -IPv4Address "10.0.0.5" -IPv4DNSResolver "10.0.0.1" -IPv4SubnetMask "255.255.0.0" -PreferredWinsServer "10.0.0.1" -AlternateWinsServer "10.0.0.2"

50
Q
You are the administrator for your company network. Recently, you have been asked to make changes to some of the permissions related to OUs within the domain. To restrict security for the Texas OU further, you remove some permissions at that level. Later, a junior system administrator mentions that she is no longer able to make changes to objects within the Austin OU (which is located within the Texas OU). Assuming that no other changes have been made to Active Directory permissions, which of the following characteristics of OUs might have caused the change in permissions?
A. Delegation
B. Group Policy
C. Inheritance
D. Object properties
A

C. Inheritance is the process by which permissions placed on parent OUs affect child OUs. In this example, the permissions change for the higher-level OU (Texas) automatically caused a change in permissions for the lower-level OU (Austin).

51
Q

You are the administrator for your company network. A user complains that she continues to have desktop wallpaper that she did not choose. You determine that a former employee created 20 Group Policy Objects (GPOs) and junior technicians have not been able to figure out which GPO is changing the user’s desktop wallpaper. How can you resolve this issue?
A. Run the RSoP utility against all forest computer accounts.
B. Run the RSoP utility against the user’s computer account.
C. Run the RSoP utility against the user’s user account.
D. Run the RSoP utility against all domain computer accounts.

A

C. The Resultant Set of Policy (RSoP) utility displays the exact settings that apply to individuals, users, computers, OUs, domains, and sites after inheritance and filtering have taken effect. Desktop wallpaper settings are under the User section of the GPO, so you would run the RSoP against the user account.

52
Q

You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains 20 domain controllers. You find that some Group Policy Objects (GPOs) are not being applied by all the domain controllers. What should you do if you need to verify whether GPOs replicate successfully to all the domain controllers?
A. From Group Policy Management, view the Status tab for the domain.
B. Run repadmin.exe for each GPO.
C. Set BurFlags in the registry and then restart the File Replication Service (FRS). Run dcdiag.exe for each domain controller.
D. Set BurFlags in the registry and then restart the File Replication Service (FRS). View the Directory Service event log.

A

B. Repadmin is used to troubleshoot replication issues in Active Directory. This command-line tool assists administrators in diagnosing replication problems between domain controllers. Repadmin can be used to manually create the replication topology to force replication events between domain controllers. Repadmin can also be used for monitoring the relative health of an Active Directory forest.

53
Q

You are the administrator for your company network. The network contains an Active Directory domain. The domain contains a Windows Server 2016 domain controller named DC1. You start DC1 in Directory Services Restore Mode (DSRM). You need to compact the Active Directory database on DC1. What three actions should you perform? (Choose three.)
A. Run ntdsutil.exe.
B. Run activate instance ntds.
C. From the Metadata Cleanup context, select an operation target.
D. Run dsamain.exe.
E. From the Files context, run compact.
F. From the Semantic Database Analysis context, run go fixup.

A

A, B, E. In order, you would, from the Files context, run compact. Then, run ntdsutil.exe and then run activate instance ntds. Active Directory servers must be restored offline. The system must be restarted in Directory Services Restore mode. DSRM is a safe mode boot option for Windows Server domain controllers. DSRM allows an administrator to repair or restore an Active Directory database. Performing an offline defragmentation creates a new version of the database file without internal fragmentation. It also re-creates all indexes. Depending on how fragmented the original database file was, the new file may be much smaller.

54
Q

You are the administrator of your company network. You have a server named Server1. A Microsoft Azure Backup of Server1 is created automatically every day. You rename Server1 to Server2. Then you discover that backups are no longer being created in Azure. What should you do if you need to back up the server to Azure?
A. Upload the Server2 certificate as a management certificate from the Azure Management Portal.
B. Run the Start-OBRegistration cmdlet on Server2.
C. Run the Add-WBBackupTarget cmdlet on Server2.
D. Modify the configuration on the backup vault from the Azure Management Portal.

A

B. The Start-OBRegistration cmdlet needs to be run because it registers the server using the vault credentials downloaded during enrollment.

55
Q

You are the administrator for your company network. You have a server named Server1 in a workgroup. What should you do if you need to configure a Group Policy setting on Server1 that will apply to only nonadministrative users?
A. Open Local Group Policy Editor; then from the File menu, modify the Options settings.
B. Run mmc.exe and add the Group Policy Object Editor snap-in and then change the Group Policy Object (GPO).
C. Open Local Group Policy Editor from the View menu and modify the Customize settings.
D. Open Local Users and Groups and create a new group by running the Run New-GPO cmdlet.

A

A. The Local Group Policy Editor (gpedit.msc) is a Microsoft Management Console (MMC) snap-in that provides a single user interface through which all the Computer Configuration and User Configuration settings of Local Group Policy objects can be managed. To modify the Group Policy setting on Server1, use the File menu and then select the Options settings.

56
Q

You are the administrator of your company network. Your network contains an Active Directory domain. Users do not have administrative privileges to their client computer. You modify a computer setting in a Group Policy Object (GPO). What should you do if you need to ensure that the setting is applied to client computers as soon as possible?
A. Run the gpupdate.exe command and specify the -Force parameter from a domain controller.
B. Run the gpresult.exe command and specify the /r parameter from each client computer.
C. Run the Get-Gpo cmdlet and specify the -alt parameter from each client computer.
D. Run the Invoke-GPUpdate cmdlet from a domain controller.

A

D. The Invoke-GPUpdate cmdlet refreshes Group Policy settings, including security settings that are set on remote computers, by scheduling the running of the GPUpdate command on a remote computer.

57
Q

You are the administrator for your company network. Your network contains an Active Directory domain. A Group Policy Object (GPO) named GPO1 is linked to the domain. GPO1 has computer configuration policies, user configuration policies, and user preferences configured. You need to ensure that the user preferences in GPO1 apply only to users who sign in to computers that run Windows Server 2016. All the other settings in GPO1 must be applied, regardless of the computer to which the user signs in. What should you configure?
A. Item-level targeting
B. Security filtering
C. Security settings
D. WMI filtering

A

A. Administrators have the ability to apply individual preference items only to selected users or computers using a GPO feature called item-level targeting. Item-level targeting allows an administrator to select specific items that the GPO will look at and then apply that GPO only to the specific users or computers.

58
Q
You are the administrator for your company network. Your network contains an Active Directory domain. You have three top-level organizational units (OUs) named OU1, OU2, and OU3. OU1 contains the user accounts. OU2 contains the computer accounts for shared public computers. OU3 contains the computer accounts for laptops. You have two Group Policy Objects (GPOs) named GPO1 and GPO2. GPO1 is linked to OU1. GPO2 is linked to OU2. You need to prevent the user settings in GPO1 from being applied when a user signs in to a shared public computer. What should you configure if a user signs in to a laptop and you want the user settings in GPO1 to be applied?
A. GPO link enforcement
B. Inheritance blocking
C. Loopback processing
D. Security filtering
A

C. Group Policy loopback is a computer configuration setting that enables different Group Policy user settings to apply based on the computer from which logon occurs. This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy. This policy is intended for special-use computers where you must modify the user policy based on the computer that is being used.

59
Q

You are the administrator for your company network. The company has multiple branch offices. The network contains an Active Directory domain. In one of the branch offices, a colleague is asked to add computers to the domain. After successfully joining multiple computers to the domain, she fails to join any more computers to the domain. What should you do if you need to ensure that your colleague can join an unlimited number of computers to the domain?
A. Modify the Security settings of your colleague’s user account.
B. Modify the Security settings of the Computers container.
C. Configure your colleague’s user account as a managed service account.
D. Run the redircmp.exe command.

A

D. Redircmp redirects the default container for newly created computers to a specified target organizational unit (OU) so that newly created computer objects are created in the specific target OU instead of in CN=Computers. You must run the redircmp command from an elevated command prompt.

60
Q

You are the administrator for your company network. Your company has a single Active Directory domain. One of the executives tries to log on to a machine and receives the error “This user account has expired. Ask your administrator to reactivate your account.” What should you do if you need to make sure that this doesn’t happen again to this user?
A. Configure the domain policy to disable account lockouts.
B. Configure the password policy to extend the maximum password age to 0.
C. Modify the user’s properties to set the Account Never Expires setting.
D. Modify the user’s properties to extend the maximum password age to 0.

A

C. By checking the box Account Never Expires, you stop this user’s account from expiring again.

61
Q

You are the administrator for your company network. A colleague, Sue, has created a new Active Directory domain in an environment that already contains two trees. During the promotion of the domain controller, she chose to create a new Active Directory forest. Sue is a member of the Enterprise Administrators group and has full permissions over all domains. During the organization’s migration to Active Directory, many updates were made to the information stored within the domains. Recently, users and other system administrators have complained about not being able to find specific Active Directory objects in one or more domains (although the objects exist in others). To investigate the problem, Sue wants to check for any objects that have not been properly replicated among domain controllers. If possible, she would like to restore these objects to their proper place within the relevant Active Directory domains. Which of the following actions should she perform to be able to view the relevant information? (Choose two.)
A. Change Active Directory permissions to allow object information to be viewed in all domains.
B. Examine the contents of the LostAndFound folder using the Active Directory Users and Computers tool.
C. Promote a member server in each domain to a domain controller.
D. Rebuild all domain controllers from the latest backups.
E. Select the Advanced Features item in the View menu.

A

B, E. Enabling the Advanced Features item in the View menu will allow Sue to see the LostAndFound and System folders. The LostAndFound folder contains information about objects that could not be replicated among domain controllers.

62
Q

You are the administrator for your company network. Your network contains an Active Directory forest named abc.com. A partner company has a forest named xyz.com. Each forest contains one domain. You need to provide access for a group named Sales in xyz.com to resources in abc.com. What should you do so that the solution uses the least amount of administrative privilege?
A. Create an external trust from xyz.com to abc.com. Enable Active Directory split permissions in xyz.com.
B. Create an external trust from abc.com to xyz.com. Enable Active Directory split permissions in abc.com.
C. Create a one-way forest trust from abc.com to xyz.com that uses selective authentication.
D. Create a one-way forest trust from xyz.com to abc.com that uses selective authentication.

A

C. In one-way relationships, the trusting domain allows resources to be shared with the trusted domain but not the other way around. Selective authentication means that users cannot authenticate to a domain controller or resource server in the trusting forest unless they are explicitly allowed to do so.

63
Q

You are the administrator for your company network. Your network contains an Active Directory forest named abc.com. You need to add a new domain named xyz.com to the forest. What command should you run?
A. Install-ADDSForest -DomainType TreeDomain -InstallDNS:$true -NewDomainName xyz.com -ParentDomainName abc.com
B. Install-ADDSForest -DomainType ChildDomain -InstallDNS:$true -NewDomainName xyz.com -ParentDomainName abc.com
C. Install-ADDSDomain -DomainType TreeDomain -InstallDNS:$true -NewDomainName xyz.com -ParentDomainName abc.com
D. Install-ADDSDomain -DomainType ChildDomain -InstallDNS:$true -NewDomainName xyz.com -ParentDomainName abc.com

A

C. The Install-ADDSDomain cmdlet installs a new Active Directory domain configuration. If the value set for -DomainType is TreeDomain, this parameter can be used to specify the fully qualified domain name (FQDN) for the new domain tree (for example, abc.com). -InstallDns:$true indicates that the DNS Server service will be installed and configured for the domain or domain tree. -NewDomainName indicates the name of the new domain to be added, and -ParentDomainName specifies the FQDN of an existing parent domain.

64
Q

You are the administrator for your company network. Your network contains an Active Directory domain. You need to view a list of all the domain user accounts that are enabled. What command should you run to see those users who have not signed in over the last 30 days?
A. Get-LocalUser AccountExpiring -TimeSpan 30 -UsersOnly | Format-Table Name, UserPrincipalName
B. Net User AccountAccountInactive -TimeSpan 30 -UsersOnly | Format-Table Name, UserPrincipalName
C. ldp.exe PasswordExpired -TimeSpan 30 -UsersOnly | Format-Table Name, UserPrincipalName
D. Search-ADAccount AccountDisabled -TimeSpan 30 -UsersOnly | Format-Table Name, UserPrincipalName

A

D. The Search-ADAccount cmdlet retrieves one or more user, computer, or service accounts that meet the criteria specified by the parameters. Search criteria include account and password status. -AccountDisabled specifies a search for accounts that are disabled. An account is disabled when the ADAccount Enabled property is set to false. -TimeSpan specifies a time interval. This parameter is used to specify a time value. -UsersOnly indicates that this cmdlet searches for user accounts only. Format-Table Name, UserPrincipalName is the output format for the results.

65
Q

You are the administrator for your company network. Your network contains one Active Directory forest named abc.com. The forest contains two child domains and six domain controllers. The domain controllers are configured as shown:
Name   Domain                 Site
DC1    abc.com                Main Office
DC2    abc.com                Main Office
DC3    abc.com                Europe Office
DC4    abc.com                Asia Office
DC5    sales.abc.com          Main Office
DC6    manufacturing.abc.com  Main Office

What should you use if you need to prevent administrators from accidentally deleting any of the sites in the forest?
A. Netdom
B. Set-ADDomain
C. Set-ADForest
D. Set-ADGroup
E. Set-ADReplicationSite
F. Set-ADReplicationSiteLink
G. Set-ADSite

A

E. The Set-ADReplicationSite cmdlet is used to set the properties for an Active Directory site that is being used for replication. Sites are used in Active Directory to either enable clients to discover network resources (published shares, domain controllers) close to the physical location of a client computer or to reduce network traffic over wide area network (WAN) links. Sites can also be used to optimize replication between domain controllers. You would want to use the -ProtectedFromAccidentalDeletion parameter, which specifies whether to prevent the object from being deleted. When this property is set to $True, you cannot delete the corresponding object without changing the value of the property. The acceptable values for this parameter are:
■■ $False or 0
■■ $True or 1

66
Q

You are the administrator for your company network. Your network contains one Active Directory domain named abc.com. The domain contains three users named User1, User2, and User3. You need to ensure that the users can log on to the domain by using the User Principal Names (UPNs) shown.
User   User Principal Name (UPN)
User1  User1@cde.com
User2  User2@lmn.com
User3  User3@xyz.com

What should you use?
A. The Add-DNSServerSecondaryZone cmdlet
B. The Set-ADDomain cmdlet
C. The Set-ADUser cmdlet
D. The Setspn command

A

C. The Set-ADUser cmdlet modifies the properties of an Active Directory user. You can modify commonly used property values by using the cmdlet parameters. The parameter -UserPrincipalName specifies a UPN in the format @. The UPN is independent of the user object’s distinguished name, so a user object can be moved or renamed without affecting the user logon name. When logging on using a UPN, users don’t have to choose a domain from a list in the logon dialog box.

67
Q

You are the administrator for your company network. You are evaluating your organization’s Active Directory domain. The domain contains more than 200,000 objects and hundreds of OUs. You begin examining the objects in the domain, but you find that the loading of the contents of a specific OU is taking a long time. Additionally, the list of objects can be large. You want to do the following:
■■ Use the built-in Active Directory administrative tools and avoid the use of third-party tools or utilities.
■■ Limit the list of objects within an OU to only the type of objects that you’re examining (for example, only Computer objects).

Prevent any changes to the Active Directory domain or any of the objects in it. Which of the following actions meets these requirements?
A. Edit the domain Group Policy settings to allow yourself to view only the objects of interest.
B. Implement a new naming convention for objects within an OU and then sort the results using this new naming convention.
C. Use the Active Directory Domains and Trusts tool to view information from only selected domain controllers.
D. Use the Delegation of Control Wizard to give yourself permissions over only a certain type of object.
E. Use the Filter option in the Active Directory Users and Computers tool to restrict the display of objects.

A

E. Through the use of filtering, you can choose which types of objects you want to see using the Active Directory Users and Computers tool. Several of the other choices may work, but they require changes to Active Directory settings or objects.

68
Q

You are the administrator for your company network. Your role is the primary administrator for your large Active Directory domain. Recently, you hired another system administrator to whom you will be passing on some of your current responsibilities. This system administrator will be responsible for handling the help desk calls and for basic user account management. You want to allow the new employee to have permissions to reset passwords for all users within a specific OU. However, for security reasons, it’s important that the user not be able to make permissions changes for objects within other OUs in the domain. What is the best way to do this?
A. Create a special administration account within the OU and grant it full permissions for all objects within Active Directory.
B. Move the user’s login account into the OU that the new employee is to administer.
C. Move the user’s login account to an OU that contains the OU (that is, the parent OU of the one that the new employee is to administer).
D. Use the Delegation of Control Wizard to assign the necessary permissions on the OU that the new employee is to administer.

A

D. The Delegation of Control Wizard is designed to allow administrators to set up permissions on specific Active Directory objects. The Delegation of Control Wizard is a tool for delegating routine tasks without having to learn the complex details of Active Directory object permissions.

69
Q

You are the administrator for your company network. Your network has a single domain forest. Your company has one main office and two branch locations. All locations are configured as Active Directory sites, and all the sites are connected with the DEFAULTIPSITELINK object. Your connections are running slower than the company policy allows. What should you do if you want to decrease the replication latency between all domain controllers in the various sites?
A. Decrease the replication interval for the DEFAULTIPSITELINK object.
B. Decrease the replication interval for the site.
C. Decrease the replication schedule for the site.
D. Decrease the replication schedule for all domain controllers.

A

A. By decreasing the replication interval for the DEFAULTIPSITELINK object, you will decrease the replication latency for all sites using DEFAULTIPSITELINK.

70
Q

You are the administrator for your company network. You are responsible for managing Active Directory replication traffic for your single Active Directory domain. Currently, the environment is configured with two sites and the default settings for replication. Each site consists of 15 domain controllers. Recently, a few junior administrators have complained that Active Directory traffic has been using a large amount of available network bandwidth between the two sites. You have been asked to meet the following requirements:
■■ Reduce the amount of network traffic between the domain controllers in the two sites.
■■ Minimize the amount of change to the current site topology.
■■ Require no changes to the existing physical network infrastructure.

You decide that it would be most efficient to configure specific domain controllers in each site that will receive the majority of the replication traffic from the other site. Which of the following best meets your needs?
A. Create additional sites that are designed only for replication traffic and move the existing domain controllers to those sites.
B. Create multiple site links between the two sites.
C. Create a site link bridge between the two sites.
D. Configure one server at each site to act as a preferred bridgehead server.

A

D. Preferred bridgehead servers receive replication information for a site and transmit this information to other domain controllers within the site. By configuring one server at each site to act as a preferred bridgehead server, you can ensure that all replication traffic between the two sites is routed through the bridgehead servers and that replication traffic will flow properly between the domain controllers.

71
Q

You are the administrator for your company network. The network contains an Active Directory forest. The forest contains a member server named Server1. Server1 has several line-of-business applications. Each application runs as a service that uses the Network Service account. What should you do if you need to configure the line-of-business applications to run by using a virtual account?
A. Create a shim from the Microsoft Application Compatibility Toolkit (ACT).
B. Modify the Log On properties of the services from the Services console.
C. Run the Install-ADServiceAccount cmdlet from PowerShell.
D. Run the New-ADServiceAccount cmdlet from PowerShell.

A

B. A service, like any process, has a primary security identity that determines the granted access rights and privileges for local and network resources. If you want a service to use a different account, you need to go into the service’s properties and change which account starts the service.

72
Q

You are the administrator for your company network. Your network contains an Active Directory forest. The company is planning to hire 300 temporary employees for a project that will last 90 days. You create a new user account for each employee. An organizational unit (OU) named TempEmployees contains the user accounts for these temporary employees. What should you do if you need to prevent the new users from accessing any of the resources in the domain after 90 days?
A. Create a group that contains all of the users in the Temp Employees OU. Create a Password Setting Object (PSO) for the new group.
B. Create a Group Policy Object (GPO) and link the GPO to the TempEmployees OU. Modify the Password Policy settings of the GPO.
C. Run the Get-ADOrganizationalUnit cmdlet and pipe the output to the Set-Date cmdlet.
D. Run the Get-ADUser cmdlet and pipe the output to the Set-ADUser cmdlet.

A

D. The Get-ADUser cmdlet gets a specified user object or performs a search to get multiple user objects. The Set-ADUser cmdlet modifies the properties of an Active Directory user. You can use the Get-ADUser cmdlet to retrieve a user object and then pass the object through the pipeline to the Set-ADUser cmdlet.

73
Q

You are the administrator for your company network. You and a colleague are discussing configuring DNS SRV records. If for some reason the server is not registering with DNS, you may need to manually create a SRV record. To manually configure the SRV record, you go into the DNS under Administrative Tools and then you need to expand which of the following to see your zone name?
A. Reverse Lookup Zone 
B. Forward Lookup Zone 
C. Secondary Zone
D. Stub Zone

A

B. The easiest way to configure the SRV records is to have these machines all be DNS clients. DNS clients will send their client information to the DNS server by default. But if the servers are not DNS clients or for some reason they do not register with DNS, you may need to manually create these SRV records.

  1. Open the DNS management tool by clicking Start ➢ Administrative Tools ➢ DNS.
  2. Expand the Forward Lookup Zone and expand your zone name.
  3. Right-click _TCP and choose Other New Record.
  4. Choose the SRV record.
  5. Enter the SRV record information.

74
Q

You are the administrator for your company network. You and a colleague are discussing creating a new user account using the command prompt. What command would you use?
A. dsadd
B. dscreate
C. dsmodify
D. dsnew

A

A. The dsadd command allows you to add an object (user’s account) to the Active Directory database. To use dsadd, you must run it from an elevated command prompt. dsadd user will add a single user to the directory.

75
Q

You are the administrator for your company network. You and a colleague are discussing the different Active Directory Administrative Tools. What Active Directory Administrative Tool is used to view and change information related to the various domains in an Active Directory environment?
A. Active Directory Administrative Center
B. Active Directory Domains and Trusts
C. Active Directory Sites and Services
D. Active Directory Users and Computers

A

B. The Active Directory Domains and Trusts tool is used to view and change information related to the various domains in an Active Directory environment. This MMC snap-in also allows you to set up shortcut trusts.

76
Q

You are the administrator for your company network. Your network contains an Active Directory forest. The forest contains two domains named abc.com and xyz.com. The xyz.com domain contains two domain controllers named BOS-DC1 and BOS-DC2. The domain controllers are located in a site named Boston that is associated to a subnet of 192.168.10.0/24. You discover that BOS-DC2 is not a Global Catalog server. What should you do if you need to configure BOS-DC2 as a Global Catalog server?
A. Modify the NTDS Settings object of BOS-DC2 from Active Directory Sites and Services.
B. Modify the properties of the 192.168.10.0/24 IP subnet from Active Directory Sites and Services.
C. Run the Set-NetNatGlobal cmdlet from PowerShell.
D. Run the Enable-ADOptionalFeature cmdlet from PowerShell.

A

A. The NTDS settings for the site level are where you would activate and deactivate Global Catalogs. To create a Global Catalog server, simply expand the Server object in the Active Directory Sites and Services tool, right-click NTDS Settings, and select Properties to bring up the NTDS Settings Properties dialog box. To configure a server as a Global Catalog server, simply place a check mark in the Global Catalog box.

77
Q

You are the administrator for your company network. Your network contains an Active Directory forest. The forest contains two sites named Site1 and Site2. Site1 contains 10 domain controllers. Site1 and Site2 connect to each other by using a WAN link. You run the Active Directory Domain Services Configuration Wizard and it shows:
Delegated administrator account: ABC\Site2 Admins
Accounts that are allowed to replicate passwords to the RODC: ABC\Allowed RODC Password Replication Group
Accounts that are denied from replicating passwords to the RODC:
BUILTIN\Administrators
BUILTIN\Server Operators
BUILTIN\Backup Operators
Server3 is the only server in Site2.
What will members of the Site2 Admins group be able to do given the current settings?
A. Make updates to SYSVOL content.
B. Manage the password replication policy.
C. Stop and start the Active Directory Domain Services (AD DS).
D. Log on with reduced security rights.

A

C. When you delegate the ability to log on to an RODC to a user or a security group, the user or group is not added to the Domain Admins group and therefore does not have additional rights to perform directory service operations. A delegated RODC administrator can do the following on the RODC:
■■ Install hardware devices, such as network adapters and disk drives
■■ Manage disk drives and other devices
■■ Install software updates and drivers
■■ Stop and start Active Directory Domain Services (AD DS)
■■ Install and remove other server roles and features
■■ View logs in Event Viewer
■■ Manage shares and other applications and services
By default, a delegated RODC administrator cannot make updates to SYSVOL contents. In addition, any updates that are made to the SYSVOL contents on an RODC are not replicated to other domain controllers because RODCs do not perform outbound replication.

78
Q

You are the administrator for your company network. Sue is a user who belongs to the Marketing distribution global group. She is unable to access the laser printer that is shared on the network. The Marketing global group has full access to the laser printer. How do you resolve the issue?
A. Add the Marketing global group to the Administrators group.
B. Add the Marketing global group to the Printer Operators group.
C. Change the group type to a security group.
D. Change the Marketing group to a local group.

A

C. Distribution groups are for emails only and cannot be assigned rights and permissions to objects. Security groups allow you to manage user and computer access to shared resources. You can also control who receives group policy settings. Security groups allow you to set permissions once on multiple computers, then to change the membership of the group as needed. The change in group membership automatically takes effect everywhere.

79
Q

You are the administrator for your company network. Your network contains an Active Directory forest. The forest contains one domain. The domain contains two domain controllers named DC1 and DC2. DC1 holds all of the operations master roles. During normal network operations, you run the following commands on DC2:
Move-ADDirectoryServerOperationMasterRole -Identity "DC2" -OperationMasterRole PDCEmulator
Move-ADDirectoryServerOperationMasterRole -Identity "DC2" -OperationMasterRole RIDMaster
DC1 fails. You remove DC1 from the network, and then you run the following command:
Move-ADDirectoryServerOperationMasterRole -Identity "DC2" -OperationMasterRole SchemaMaster
Which of the following statements is true?
A. DC2 holds the schema master operations role.
B. DC2 holds the PDC emulator master operations role.
C. Currently you can add additional domains to the forest.
D. DC2 holds the RID master operations role.

A

B. DC1 successfully transfers the PDC emulator role to DC2. So, that is correct. DC1 fails before transferring the schema master and RID master roles to DC2. So those are incorrect. You cannot add other domains to the forest, because DC1 is offline.

80
Q

You are the administrator for your company network. The company has a main office and three branch offices. The network contains an Active Directory domain named abc.com. The main office contains three domain controllers. Each branch office contains one domain controller. You discover that new settings in the Default Domain Policy are not applied in one of the branch offices, but all other Group Policy Objects (GPOs) are applied. What should you do from a domain controller in the main office if you need to check the replication of the Default Domain Policy for the branch office?
A. Run dcdiag.exe from a command prompt.
B. From Group Policy Management, click Default Domain Policy under abc.com, and then open the Details tab.
C. From Group Policy Management, click Default Domain Policy under abc.com, and then open the Scope tab.
D. Run repadmin.exe from a command prompt.

A

D. repadmin.exe is a command-line tool used to assist administrators in diagnosing replication problems between domain controllers. Administrators can use repadmin to view the replication topology. Repadmin can be used to manually create the replication topology to force replication events between domain controllers and to view the replication metadata. Repadmin can also be used for monitoring the relative health of an Active Directory forest. The operations replsummary, showrepl, showrepl /csv, and showvector /latency can be used to check for replication problems.

81
Q

You are the administrator for your company network. You and a colleague are discussing replication. Which of the following does not need to be created manually when you are setting up a replication scenario involving three domains and three sites?
A. Connection objects
B. Sites
C. Site links
D. Subnets

A

A. By default, connection objects are automatically created by the Active Directory replication engine. You can choose to override the default behavior of Active Directory replication topology by manually creating connection objects, but this step is not required.

82
Q

You are the administrator for your company network. Your network contains an Active Directory forest. The forest contains two domains named abc.com and xyz.com. You have a global group named Group1 in the abc.com domain. Group1 contains the user accounts in abc.com. You need to ensure that you can add the user accounts in the xyz.com domain to Group1. What should you do?
A. Assign the Domain Controllers group in xyz.com permissions to Group1.
B. Change Group1 to a distribution group.
C. Modify the scope of Group1 to Domain local.
D. Run the Set-LocalGroup cmdlet.

A

C. Domain local groups are used to authorize permission for access to resources. You can assign these permissions only in the same domain in which you create the domain local group. Members from any domain may be added to a domain local group.

83
Q

You are the administrator for your company network. You and a colleague are discussing replication. Which of the following services of Active Directory is responsible for maintaining the replication topology?
A. File Replication Service
B. Knowledge Consistency Checker 
C. Windows Internet Name Service
D. Domain Name System

A

B. The Knowledge Consistency Checker (KCC) is responsible for establishing the replication topology and ensuring that all domain controllers are kept up to date. Replication is the process by which replicas are kept up to date. Application data can be stored and updated on designated servers in the same way basic Active Directory information (such as users and groups) is synchronized between domain controllers. Application data partition replicas are managed using the KCC, which ensures that the designated domain controllers receive updated replica information.

84
Q

You are the administrator for your company network. Your Active Directory environment consists of three sites. You want to configure site links to be transitive. Which of the following Active Directory objects are responsible for representing a transitive relationship between sites?
A. Additional sites
B. Additional site links
C. Bridgehead servers
D. Site link bridges

A

D. Site link bridges are designed to allow site links to be transitive. That is, they allow site links to use other site links to transfer replication information between sites. By default, all site links are bridged. However, you can turn off transitivity if you want to override this behavior. A site link is created to define the types of connections that are available between the components of a site. Site links can reflect a relative cost for a network connection and can also reflect the bandwidth that is available for communications.

85
Q

You are the administrator for your company network. You have configured your Active Directory environment with multiple sites and have placed the appropriate resources in each of the sites. You are now trying to choose a protocol for the transfer of replication information between two sites. The connection between the two sites has the following characteristics:
■■ The link is generally unavailable during certain parts of the day because of an unreliable network provider.
■■ The replication transmission must be attempted whether or not the link is available. If the link was unavailable during a scheduled replication, the information should automatically be received after the link becomes available again.
■■ Replication traffic must be able to travel over a standard Internet connection.
Which of the following protocols meets these requirements?
A. Dynamic Host Configuration Protocol (DHCP)
B. Static Host Configuration Protocol (SHCP)
C. Complex Mail Transfer Protocol (CMTP)
D. Simple Mail Transfer Protocol (SMTP)

A

D. SMTP was designed for environments in which persistent connections may not always be available. SMTP uses the store-and-forward method to ensure that information is not lost if a connection cannot be made. SMTP is perhaps best known as the protocol that is used to send and receive email messages on the Internet. SMTP was designed to use a store-and-forward mechanism through which a server receives a copy of a message, records it to disk, and then attempts to forward it to another email server. If the destination server is unavailable, it holds the message and attempts to resend it at periodic intervals. DHCP is a protocol used to provide quick, automatic, and central management for the distribution of IP addresses within a network. Options B and C do not exist.

86
Q

You are the administrator for your company network. You and a colleague are discussing the multiple ways in which you can install Active Directory. What are some of the ways? (Choose all that apply.)
A. Add/Remove Programs
B. Install from Media (IFM)
C. Server Manager
D. Windows PowerShell

A

B, C, D. You can install Active Directory by using the Windows Server 2016 installation disk (Install from Media [IFM]), or by using Server Manager or Windows PowerShell.