Final Flashcards

1
Q

After a DNS zone has been secured with DNSSEC, what additional data will be returned to a client as a result of a query?

Information about the organization administering the zone
Information about the server providing the DNS zone
Digital signatures of the administrators of the zone
Digital signatures for the returned records

A

Digital signatures for the returned records

2
Q

What is the function of the RRSIG record?

Used to sign the records
Returned to positively deny that the requested A record exists in the zone
Returned to the client in response to a successful query along with the A record
Used to sign the zone

A

Returned to the client in response to a successful query along with the A record
Used to sign the zone

3
Q

What DNS security feature in Windows Server 2012 R2 can be configured to allow source port randomization for DNS queries?

Randomization factor
Initialization vector
Socket pool
Name Resolution Policy Table

A

Socket pool

4
Q

How are values for DNS Cache Locking expressed?

As a percentage of the TTL
As a percentage of the TTL remaining
As a fixed period of time in hours
As a fixed period of time in days

A

As a percentage of the TTL

5
Q

What is the net effect if recursion is disabled on a DNS server and the DNS server does not have any forwarding or root hints configuration present?

The DNS server will be able to provide only answers to queries about internal DNS zones
The DNS server will be able to provide only answers to queries about external DNS zones
The DNS server will be able to provide answers to queries about internal and external DNS zones
None of the above

A

The DNS server will be able to provide only answers to queries about internal DNS zones

6
Q

Which of the following commands would correctly set the DNS socket pool to a value of 7,000?

dnscmd /Config /SocketPoolSize 7000
dnscmd /Set /SocketPoolSize 7000
dnscmd /GetSocketPoolSize | dnscmd /Set /SocketPoolSize 7000
dnscmd /Configure /PoolSize 7000

A

dnscmd /Config /SocketPoolSize 7000
dnscmd /Set /SocketPoolSize 7000

7
Q

What Windows Server 2012 R2 DNS feature prioritizes DNS responses based on the subnet of the requesting client?

Conditional forwarding
Iterative queries
Recursive queries
Netmask ordering

A

Netmask ordering

8
Q

The main page of your company’s Intranet portal is accessible by the FQDN home.na.adatum.corp. How would you configure an entry in the GlobalNames zone for this?

Add a single A record with the IP of one of the web servers hosting the portal
Add a single CNAME record pointing to the A record in another zone
Add multiple CNAME records pointing to all the A records in the other zones
Add multiple A records with all the IPs of the web servers hosting the portal

A

Add a single CNAME record pointing to the A record in another zone

9
Q

DNSSEC uses public key infrastructure (PKI) encryption to provide what assurances to DNS clients? (Choose all that apply)

Proof of identity of DNS records
Confidentiality of information
Availability of services
Verified denial of existence

A

Proof of identity of DNS records
Verified denial of existence

10
Q

How can you best go about delegating administrative access to those employees who need to be able to manage DNS?

Add the users’ Active Directory accounts to the Domain Admins security group
Add the users’ Active Directory accounts to the Enterprise Admins security group
Add the users’ Active Directory accounts to a special universal distribution group created for this purpose (e.g., DNS Service Managers) and then add that group to the DNS Admins local group.
Add the users’ Active Directory accounts to a global security group created for this purpose (e.g., DNS Service Managers) and then add that group to the DNS Admins local group.

A

Add the users’ Active Directory accounts to a global security group created for this purpose (e.g., DNS Service Managers) and then add that group to the DNS Admins local group.

11
Q

In Windows Server 2012 IPAM, what is the highest-level entity within the IP address space?

IP address range
IP address block
IP address container
IP address

A

IP address block

12
Q

Which of the following statements regarding the server requirements for an IPAM server is false?

The server must have a dual-core CPU of at least 2.0 GHz
The server must be running Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2
The server must have at least 4 GB of RAM installed
The server must have at least 80 GB of free disk space available

A

The server must be running Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2

13
Q

Which of the following database types can be used with Windows IPAM? (Choose all that apply)

MySQL
Microsoft SQL
Windows Internal Database
Access

A

Microsoft SQL
Windows Internal Database

14
Q

Which PowerShell cmdlet is the correct one to use to create the IPAM provisioning GPOs?

Set-IpamGpoProvisioning
Initiate-IpamGpoProvisioning
Perform-IpamGpoProvisioning
Invoke-IpamGpoProvisioning

A

Invoke-IpamGpoProvisioning

15
Q

Which of the following categories will you not find in the Monitor and Manage section of the IPAM console?

DNS and DHCP Servers
DHCP Scopes
DNS Zone Records
DNS Zone Monitoring

A

DNS Zone Records

16
Q

Which of the following can be imported into IPAM using the IPAM console?

IP Addresses
IP Address Block
IP Address Ranges
All of the above

A

All of the above

17
Q

In Windows Server 2012 IPAM, what is the second-highest-level entity within the IP address space?

IP address range
IP address block
IP address container
IP address

A

IP address range

18
Q

Which of the following advantages are provided by using a SQL Server database with IPAM?

Scalability
More secure
Reporting
Additional disaster recovery

A

Scalability
Reporting
Additional disaster recovery

19
Q

As it pertains to IPAM, what is the name of the process of retrieving a list of all domain controllers, DNS servers, and DHCP servers?

Server discovery
IPAM discovery
Provisioning IPAM
Verifying IPAM access

A

IPAM discovery

20
Q

Members of which IPAM security group have the ability to view information in IPAM and can perform server management tasks?

IPAM MSM Administrators
IPAM ASM Administrators
IPAM IP Audit Administrators
IPAM Administrators

A

IPAM MSM Administrators

21
Q

Which of the following items would not be considered a logical component of Active Directory?

Domains
Organizational Units
Domain Controllers
Trust relationships

A

Domain Controllers

22
Q

In an organization that has three Active Directory forests with a total of six Active Directory domains, how many schemas will exist in the organization?

Three
Six
Nine
Eighteen

A

Three

23
Q

What are the requirements to perform an in-place upgrade of a domain controller to Windows Server 2012 R2? (Choose all that apply)

The domain controller must be running Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2
The domain controller must be running Windows Server 2008 or Windows Server 2008 R2
The forest functional level will need to be at Windows Server 2003 or higher
The forest functional level will need to be at Windows Server 2008 or higher

A

The domain controller must be running Windows Server 2008 or Windows Server 2008 R2
The forest functional level will need to be at Windows Server 2008 or higher

24
Q

Which of the following desirable features first became available with the Windows Server 2008 domain functional level?

SYSVOL replication using DFSR instead of NTFRS
Automatic SPN management
Authentication mechanism assurance
UserPassword attribute

A

SYSVOL replication using DFSR instead of NTFRS

25
Q

You want to use the new features of Key Distribution Center (KDC) support for claims, compound authentication, and Kerberos armoring in your domain. What must you do first? (Choose two answers)

Raise the domain functional level to Windows Server 2008 R2
Raise the domain functional level to Windows Server 2012
Install at least one Windows Server 2012 domain controller
Retire all Windows 2000 Server member servers

A

Raise the domain functional level to Windows Server 2012
Install at least one Windows Server 2012 domain controller

26
Q

Which of the following desirable features first became available with the Windows Server 2008 R2 forest functional level?

Active Directory recycle bin
Domain rename
Cross-forest trusts
KCC algorithm improvements

A

Active Directory recycle bin

27
Q

Which of the following accurately represents a User Principal Name?

MYCO\jdoe
jdoe@myco
jdoe.myco.corp
jdoe@myco.corp

A

jdoe@myco.corp

28
Q

Your organization currently has three business units (sales, manufacturing, and service) that function mostly independently. What would be the best approach to take when designing a new Active Directory forest environment for your organization? Be sure to consider the current-day environment and the possibility of future change.

Create a multi-domain forest, with one domain per business unit
Create multiple forests, with one forest per business unit, with no trusts
Create multiple organizational units as needed to organize each business unit’s objects
Create multiple forests, with one forest per business unit, with trusts between each forest root domain

A

Create multiple organizational units as needed to organize each business unit’s objects

29
Q

Which Active Directory upgrade method presents the lowest overall cost and risk to an organization, assuming that required physical or virtual servers are available and on hand?

In-place upgrade
Add new domain controllers
Migrate to a new domain
None of the above

A

Add new domain controllers

30
Q

Which partition contains definitions of all objects and attributes that can be created in the directory?

Schema partition
Configuration partition
Domain partition
Application partition

A

Schema partition

31
Q

Which of the following attributes are true of the automatically generated trusts created when a domain is added to the forest? (Choose all that apply)

The trust is two-way between the child domain and the root domain
The trust can be configured to be one-way or two-way
The trust can be configured to be incoming or outgoing, or both
The trust is always transitive

A

The trust is two-way between the child domain and the root domain
The trust is always transitive

32
Q

You have just created a one-way incoming trust in your domain for an external domain used by a partner company to allow your domain’s users to access a resource in the partner’s domain. What is the next step that will need to be performed to complete the trust?

You will need to create a one-way outgoing trust in the external domain
The partner will need to create a one-way outgoing trust in the external domain
You will need to create a one-way outgoing trust in your domain
The partner will need to create a one-way outgoing trust in your domain

A

The partner will need to create a one-way outgoing trust in the external domain

33
Q

Which of the following commands correctly illustrates how to create a one-way external trust from the adatum.local domain to the contoso.local domain?

netdom trust adatum.local /Domain:contoso.local /add
netdom -addtrust /Local:adatum.local /External:contoso.local
netdom trust –add adatum.local /Domain:contoso.local

A

netdom trust adatum.local /Domain:contoso.local /add

34
Q

Which of the following scenarios would allow the creation of a shortcut trust? (Choose all that apply)

Between a third-level child domain and a second-level child domain in a different domain tree of the same forest
Between two third-level child domains in the same forest
Between two second-level child domains in different forests
Between a third-level child domain and a forest root domain in different forests

A

Between a third-level child domain and a second-level child domain in a different domain tree of the same forest
Between two third-level child domains in the same forest

35
Q

When disabling SID filtering on a forest trust, what netdom switch should be used?

/disenablesidhistory:Yes
/enablesidhistory:No
/quarantine:No
/sidhistory:Disable

A

/enablesidhistory:No

36
Q

In which scenario would you want to disable SID filtering?

There is no trust between all Domain Admins and Enterprise Admins within both trusts
Forests have been renamed
Domains have been authoritatively restored
User accounts have been involved in a domain migration

A

User accounts have been involved in a domain migration

37
Q

What is the disadvantage of configuring selective authentication for a trust?

The inability to definitively control who is accessing what resources
The administrative overhead involved to configure and maintain user access to resources
The SIDs of the foreign security principals will need to be manually obtained
Security groups from the external domain must be used for the foreign security principals

A

The administrative overhead involved to configure and maintain user access to resources

38
Q

Which of the following attributes are true when discussing manually created trusts?

The trust is two-way between the child domain and the root domain
The trust can be configured to be one-way or two-way
The trust can be configured to be incoming or outgoing, or both
The trust is always transitive

A

The trust can be configured to be one-way or two-way
The trust can be configured to be incoming or outgoing, or both

39
Q

Which of the following scenarios represents the best reason for creating a forest trust between two Active Directory forests?

Company A has purchased Company B
Company A wants to use an application developed by Company B
Company B wants to access data on a Company A web server
Company B wants to send email to recipients in Company A

A

Company A has purchased Company B

40
Q

What type of trust allows users of an internal forest to authenticate to and/or gain access to all resources of an external forest?

Realm trusts
Shortcut trusts
Forest trusts
External trusts

A

Forest trusts

41
Q

Your organization has six offices spread over three cities in North America. At a minimum, how many Active Directory sites should you plan to have?

One
Three
Six
Eighteen

A

Three

42
Q

What management console is used to manage Active Directory Sites?

Active Directory Topology Manager
Active Directory Sites and Services
Active Directory Domains and Trusts
Active Directory Sites and Subnets

A

Active Directory Sites and Services

43
Q

__________ define the logical replication path between sites to perform _________ replication, allowing for faster and optimized replication between sites based on configured costs and frequencies.

Site links, Intrasite
Replication links, Intersite
Site links, Intersite
Connection objects, Intrasite

A

Site links, Intersite

44
Q

Why is it generally not recommended to configure bridgehead servers manually?

You might pick a server that is not a domain controller
You might overload the server if its performance is below other domain controllers
You could pick a server in the wrong site
You could disrupt the flow of replication traffic between sites

A

You could disrupt the flow of replication traffic between sites

45
Q

What default cost value is assigned to all site links in Active Directory?

1
10
100
1000

A

100

46
Q

What is defined by the replication schedule?

How often replication occurs
Which site links are the preferred paths
When specific directory partitions are replicated
When replication is allowed to occur

A

When replication is allowed to occur

47
Q

When examining the netlogon.log file, what will be your indicator that you have a problem with your Active Directory sites or subnets configuration?

A NO_CLIENT_SUBNET entry
A NO_CLIENT_DC entry
A NO_CLIENT_LINK entry
A NO_CLIENT_SITE entry

A

A NO_CLIENT_SITE entry

48
Q

What undesirable side effect may result from having the “Bridge All Site Links” option disabled?

You will need to manually create site link bridges between spoke sites
Sites will only replicate among themselves directly if you configure this to occur
Replication time and traffic between spokes will increase due to needing to go through the hub location
Replication will not occur other than to the hub site

A

Replication time and traffic between spokes will increase due to needing to go through the hub location

49
Q

Which of the following represents the best reason why you need to take care when creating site links within your organization?

So you can create connection objects between domain controllers
So you can map the logical layout of site links to the physical layout of WAN links
So you can optimize replication traffic between sites by using the highest quality, or lowest cost, routes
So you can ensure all domain controllers within all sites always stay consistent within 5 minutes

A

So you can optimize replication traffic between sites by using the highest quality, or lowest cost, routes

50
Q

What Active Directory component is automatically configured to take changes made during Intrasite replication and then replicate that to a domain controller in another site?

Bridgehead servers
Knowledge Consistency Checker
Site links
Intersite Topology Generator

A

Bridgehead servers

51
Q

Regarding Intersite and Intrasite replication, which of the following statements is false?

Replication data between sites is compressed
Intrasite replication utilizes Remote Procedure Call over Internet Protocol (RPC over IP) connectivity
Intrasite replication topology is generated by the Knowledge Consistency Checker (KCC)
Replication data within a site is compressed and encrypted

A

Replication data within a site is compressed and encrypted

52
Q

When a user changes his or her password, to what domain controller is the password change notification sent?

The Domain Naming master
The Schema master
A Global Catalog
The PDC Emulator

A

The PDC Emulator

53
Q

Which of the following repadmin commands would cause updates outward to replication partners and trigger replication across the enterprise as a whole?

REPADMIN /SyncAll /AjQ
REPADMIN /SyncAll /PQ
REPADMIN /SyncAll /APd
REPADMIN /SyncAll /APed

A

REPADMIN /SyncAll /APed

54
Q

Why must an RODC be able to connect to at least one Windows Server 2008 or higher domain controller? (Choose all that apply)

To replicate the domain partition
To replicate the global catalog partition
So that the Password Replication Policy (PRP) applied to the RODC can be configured and enforced
So that the SYSVOL folder can be replicated using Distributed File System Replication (DFSR)

A

To replicate the domain partition
So that the Password Replication Policy (PRP) applied to the RODC can be configured and enforced

55
Q

What requirements must be met in order to perform the configuration of the Filtered Attribute Set? (Choose all that apply)

The Schema Master must be on a domain controller running Windows Server 2008, Windows Server 2012, or Windows Server 2012 R2
The Schema Master must be on a domain controller running Windows Server 2012 R2
You must perform the change directly on the Schema Master
You must perform the change at the command line using the netdom command

A

The Schema Master must be on a domain controller running Windows Server 2008, Windows Server 2012, or Windows Server 2012 R2
You must perform the change directly on the Schema Master

56
Q

What is the net result of deleting an RODC and leaving the “Reset all passwords for user accounts that were cached on this Read-Only Domain Controller” option selected?

Users will be forced to use their previous password to log in the next time
Users will be forced to request a password reset before they can log in the next time
Users will be forced to request an account unlock before they can log in the next time
Users will need to have their accounts rejoined to the domain before they can log in the next time

A

Users will be forced to request a password reset before they can log in the next time

57
Q

From which domain controller should the DFSR SYSVOL migration process be performed?

Any writable domain controller in the domain
Any global catalog server in the domain
The PDC Emulator of the domain
The Infrastructure Master of the domain

A

The PDC Emulator of the domain

58
Q

Which of the following scenarios best represents an urgent replication-inducing event?

A change in the domain account lockout policies
The creation of a new user account in the domain
The changing of a user account password
Replication performed to correct a replication conflict

A

A change in the domain account lockout policies

59
Q

Which of the following represents the best reason why you might want to prepopulate passwords on an RODC?

To speed up the initial login for the user at that site
To speed up every login for the user at that site
To reduce replication traffic to that site
To prevent security principals from needing to be added to the “Allowed RODC Password Replication Group” security group

A

To speed up the initial login for the user at that site

60
Q

Which SYSVOL replication migration state is done entirely using DFSR?

Start (State 0)
Prepared (State 1)
Redirected (State 2)
Eliminated (State 3)

A

Eliminated (State 3)

61
Q

What benefit does Single Sign-On provide for application users?

Prohibits users from being able to register multiple accounts within an application
Prevents users from needing to remember multiple usernames and passwords.
Provides users an easy way to remember the login information for the application
Provides for faster account lockout remediation

A

Prevents users from needing to remember multiple usernames and passwords.

62
Q

In order to utilize AD FS, what is the oldest version of Windows Server that any domain controller can be using?

Windows Server 2003 SP1
Windows Server 2008 SP1
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2

A

Windows Server 2003 SP1

63
Q

What PowerShell cmdlet would you use to list the attribute stores currently configured for AD FS?

List-ADFSAttributeStore
Show-ADFSAttributeStore
Display-ADFSAttributeStore
Get-ADFSAttributeStore

A

Get-ADFSAttributeStore

64
Q

While testing AD FS claims-based authentication with a sample application, you encounter an error due to the self-signed certificate you opted to use. What can you do to eliminate this error? (Choose all that apply)

Add the self-signed certificate to your computer’s Trusted Root Certification Authorities store
Add the self-signed certificate to the application server’s Trusted Root Certification Authorities store
Issue a valid certificate from your internal CA
Configure AD FS to ignore self-signed certificate errors

A

Add the self-signed certificate to your computer’s Trusted Root Certification Authorities store
Issue a valid certificate from your internal CA

65
Q

What step(s) will you need to perform while configuring a claims provider trust that you will not need to perform while configuring a relying party trust? (Choose all that apply)

Map attributes
Specify the application
Edit claims rules
Provide a URL for the partner federation server

A

Map attributes
Edit claims rules

66
Q

In AD FS, which of the following allows you to create issuance authorization rules for relying party applications and allows you to use a custom ‘Access Denied’ message?

Relying party permission policy
Multifactor access control
Usage policy
Federation Service proxy

A

Multifactor access control

67
Q

Which of the following services is used to provision a device object in AD DS and issue a certificate for the Workplace-Joined Device?

Domain Join Service
AD FS Authentication Service
Device Registration Service
Device Emulation Service

A

Device Registration Service

68
Q

Which of the following components of Active Directory Federation Services is a statement made by a trusted entity and includes information identifying the entity?

Federation server proxy
Claims provider
Relying party
Claim

A

Claim

69
Q

Which of the following components of Active Directory Federation Services is the server that issues claims and authenticates users?

Federation server proxy
Claims provider
Relying party
Claim

A

Claims provider

70
Q

Which of the following components of Active Directory Federation Services is the server that issues claims and authenticates users?

Federation server proxy
Claims provider
Relying party
Claim

A

Claims provider

71
Q

What is another name for Asymmetric encryption?

Public key infrastructure
Public key cryptography
Digital certificate
Certificate authority

A

Public key cryptography

72
Q

What is the name of the role in the PKI that is responsible for the distribution of keys and the validation of identities?

Certificate authority
Registration authority
Registration agent
Key recovery agent

A

Registration authority

73
Q

In Windows Server 2012 R2 AD CS, how many Root CAs can you install in a single certificate hierarchy?

One
Two
Three
Unlimited

A

One

74
Q

By default, if you install a CA server on January 1, 2014, when will the CA certificate expire?

January 1, 2019
January 1, 2024
January 1, 2029
January 1, 2034

A

January 1, 2019

75
Q

What is the function of the AIA?

It specifies where to find up-to-date CRLs that are signed by the CA
It specifies where to find up-to-date CRLs that are signed by the RA
It specifies where to find up-to-date certificates for the CA
It specifies which CAs are available to issue certificates to clients

A

It specifies where to find up-to-date certificates for the CA

76
Q

Your network has a mix of Windows, Macintosh, Linux and AIX computers. All of your internal web applications use Web Server certificates issued by your PKI. How will you need to configure your AIA and CDP?

As LDAP paths
As file server paths
As URLs (HTTP paths)
As CIFS paths

A

As URLs (HTTP paths)

77
Q

Which Windows client operating systems are capable of using the Online Responder to check certificate revocation status? (Choose all that apply)

Windows XP Professional
Windows 7
Windows 2000
Windows 8

A

Windows 7
Windows 8

78
Q

What two values would be required in a CAPolicy.inf file to set the CRL period to 4 hours?

CRLPeriod=Hours
CRLPeriodUnits=4
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=4

A

CRLPeriod=Hours
CRLPeriodUnits=4

79
Q

Why would you want to consider making the Root CA an offline CA?

This improves certificate issuing speed
This improves security of the root CA and its private keys
This reduces the number of CAs you actively need to manage
This prevents requests from inadvertently being sent to the Root CA

A

This improves security of the root CA and its private keys

80
Q

Which PKI role in AD CS is used to validate certificates?

CA
Online Responder
Network Device Enrollment Service
CA Web Enrollment

A

Online Responder

81
Q

What are the contents of the certificate chain?

It is a list of all trusted root certificates
It is a list of certificate authorities that can be used to authenticate an entity certificate
It is a list of all trusted root certificate authorities
It is a list of certificates that can be used to authenticate an entity certificate

A

It is a list of certificates that can be used to authenticate an entity certificate

82
Q

What usages does the User certificate allow by default? (Choose all that apply)

Secure Email
Encrypting File System
Client Authentication
Document Signing

A

Secure Email
Encrypting File System
Client Authentication

83
Q

Which of the following URLs would be the correct one to visit to get to the Web Enrollment pages?

https:///certificates
https:///ca
https:///certsrv
https:///certsrvcs

A

https:///certsrv

84
Q
What minimum certificate version is required to enable key archival and recovery?

Version 1
Version 2
Version 3
Version 4

A

Version 2

85
Q

What must you do immediately after issuing the first KRA certificate to a trusted user to enable key archival and recovery on the CA? (Choose all that apply)

Restart the CA
Configure key archival on the CA properties
Archive the keys for the issued KRA certificate
Perform a backup of the CA database

A

Configure key archival on the CA properties
Archive the keys for the issued KRA certificate

86
Q

To recover a key from the CA database using the certutil utility, what information will you need to know about the certificate?

The password for the private keys
The certificate serial number
The certificate subject name
The certificate key length

A

The certificate serial number

87
Q

You work at a government agency and have been tasked to implement a PKI built on Windows Server 2012 R2. What certificate template version will you need to use to meet the requirements imposed on your agency?

Version 1
Version 2
Version 3
Version 4

A

Version 3

88
Q

What is the advantage of configuring credential roaming? (Select all that apply)

The user’s certificates are securely stored in Active Directory
The user’s certificates follow the user to each computer he or she logs in to
The user’s certificates are automatically enrolled and issued upon first login
The user’s certificates can be easily placed on a USB storage device

A

The user’s certificates are securely stored in Active Directory
The user’s certificates follow the user to each computer he or she logs in to

89
Q

Which certificate format supports the export of a certificate and its private key?

Base64-encoded X.509
DER-encoded binary X.509
Personal Information Exchange (PKCS #12)
Cryptographic Message Syntax Standard (PKCS #7)

A

Personal Information Exchange (PKCS #12)

90
Q

Which certificate format supports storage of a single certificate, does not support storage of the private key or certification path, has contents that are of an ASCII format, and is generally used for importing into applications that require a “text blob”?

Base64-encoded X.509
DER-encoded binary X.509
Personal Information Exchange (PKCS #12)
Cryptographic Message Syntax Standard (PKCS #7)

A

Base64-encoded X.509

91
Q

How does AD RMS protect a Microsoft Office file that has been transferred out of the organization to an external recipient?

The external recipient will not be able to open the file because they cannot contact the AD RMS server
The external recipient will not be able to open the file because they will not know the unlock password
The external recipient will not be able to open the file because they do not have an account on the AD RMS server
The external recipient will not be able to open the file because they do not have the AD RMS integrated version of Office installed

A

The external recipient will not be able to open the file because they cannot contact the AD RMS server

92
Q

What issue should you be aware of if you perform the installation of AD RMS onto a Domain Controller?

AD RMS will only work for that domain
The AD RMS service account will be a domain administrator
The AD RMS service account will not support Kerberos authentication
AD RMS will not be able to automatically create a Service Connection Point

A

The AD RMS service account will be a domain administrator

93
Q

To enable Kerberos authentication with AD RMS, you will need to be a member of which groups? (Choose all that apply)

AD RMS Enterprise Administrators
Enterprise Admins
Domain Admins
Schema Admins

A

AD RMS Enterprise Administrators
Enterprise Admins

94
Q

What tools provided in Windows Server 2012 R2 allow you to view the SCP configuration in Active Directory? (Choose all that apply)

Active Directory Users and Computers
ADSI Edit
LDP
SCP Edit

A

ADSI Edit
LDP

95
Q

What is the name of the objects that are used to enforce the rights a user or group has on rights-protected content?

Protections policy templates
Rights policy templates
Restrictions policy templates
Rights protection templates

A

Rights policy templates

96
Q

Generally speaking, what could be considered the absolute minimum rights that a user could be granted via AD RMS that would allow the user to still consume the document?

View
Edit
Save
Extract

A

View

97
Q

A Temporary Rights Account Certificate has a validity period of how long?

15 minutes
1 hour
4 hours
1 day

A

15 minutes

98
Q

Which of the following must be deleted when you have to recreate a new AD RMS cluster within an Active Directory domain?

AD RMS SID
Publishing license
Client Licensor Certificate
Service Connection Point

A

Service Connection Point

99
Q

What is the best reason you might choose to use RMS templates when configuring RMS policies across your organization?

They allow you to standardize the implementation of AD RMS policies across the organization.
They allow you to speed up the implementation of AD RMS policies across the organization.
They allow you to delegate the implementation of AD RMS policies across the organization.
They allow you to visualize the implementation of AD RMS policies across the organization.

A

They allow you to standardize the implementation of AD RMS policies across the organization.

100
Q

The AD RMS certificate issued the first time a user attempts to access AD RMS-protected content is known as what?

Server licensor certificate
Rights account certificate
Client licensor certificate
Temporary rights account certificate

A

Rights account certificate