
Simulado-70-640-Português (70-640 practice exam, Portuguese translation)

Number: 70-640
Passing Score: 700
Time Limit: 240 min
File Version: 1.0

70-640 Exam TS: Windows Server 2008 Active Directory, Configuring
Translation: Wiler Carlos Pereira

Source: RedaXium

Sections
1. AD Sites & Services
2. Configuring Additional AD Server Roles
3. Configuring AD Backup-Restore
4. Configuring AD Infrastructure
5. Configuring AD DNS
6. Configuring AD Certificate Services
7. Configuring AD Rights Mgmt Services
8. Configuring AD Federated Services
9. Configuring AD LDS
10. Configuring AD FSMO Roles
11. Configuring Domains and Trusts
12. Configuring Group Policy
13. Creating & Maintaining AD Objects
14. Maintaining the AD Environment
15. Powershell & Command line cmds
16. Cooper Exam D

Exam A

QUESTION 1

Your network contains an Active Directory domain. The relevant servers in the domain are configured as shown in the following table:

Server name   Operating system   Server role
Server1       Windows 2008       Domain controller
Server2       Windows 2008 R2    Enterprise root certification authority (CA)
Server3       Windows 2008 R2    Network Device Enrollment Service (NDES)

You need to ensure that all device certificate requests use the MD5 hash algorithm. What should you do?
A. On Server2, run the Certutil tool.
B. On Server1, update the CEP Encryption certificate template.
C. On Server1, update the Exchange Enrollment Agent (Offline Request) template.
D. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm\HashAlgorithm registry key.

Answer: D
Section: Configuring AD DNS
Explanation/Reference:

Configuring the Network Device Enrollment Service

Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP
Subkey\Value:  HashAlgorithm\HashAlgorithm
Type:          String
Default:       SHA1
Description:   Specifies the hash algorithm the service will use when constructing the request to the CA.

http://technet.microsoft.com/en-us/library/cc787544%28WS.10%29.aspx
--------------------------------------------------------------------------------
Edit the registry to enable the hash algorithm

HKEY_Current_User\Software\Microsoft
HKEY_Current_User\Software\Microsoft contains registry settings for user certificates that have been distributed by means other than Group Policy. These settings are stored in the following subkeys:
HKEY_Current_User\Software\Microsoft\Cryptography
HKEY_Current_User\Software\Microsoft\SystemCertificates
The following registry entries are located under HKEY_Current_User\Software\Microsoft\Cryptography.

Autoenrollment
Registry path: HKEY_Current_User\Software\Microsoft\Cryptography\
Version: Windows Server 2003, Windows 2000, and Windows XP
This setting is used to manage event logging and cached directory service data when user certificate autoenrollment has been enabled.

AEExpress
Registry path: HKEY_Current_User\Software\Microsoft\Cryptography\Autoenrollment
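An added audit script (not part of the original exam dump or of Microsoft's NDES documentation) that reads the registry value described in the table above on the NDES server and flags a weak request hash. It assumes it is run locally on the NDES host (Server3 in the question) with rights to read HKLM.

```powershell
# Added example: audit the hash algorithm NDES uses when it builds requests to the CA.
# Path and value name come from the TechNet table quoted above; the default is SHA1.
$KeyPath   = 'HKLM:\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm'
$ValueName = 'HashAlgorithm'

function Get-NdesRequestHashAlgorithm {
    # Returns the configured algorithm string. If the value is absent the service
    # falls back to the documented default, so report SHA1 in that case.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'SHA1' }
    return [string]$item.$ValueName
}

$algo = Get-NdesRequestHashAlgorithm
Write-Output ("NDES request hash algorithm on {0}: {1}" -f $env:COMPUTERNAME, $algo)

# MD5 is collision-broken and SHA1 is deprecated for signatures; flag both so the
# setting can be reviewed against what the CA and the enrolling devices support.
if ($algo -match '^(MD5|SHA1)$') {
    Write-Warning "NDES builds CA requests with ${algo}; review whether the CA and devices support a stronger algorithm."
}
```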

QUESTION 2
Your network contains an Active Directory domain. You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA). You have a client computer named Computer1 that runs Windows 7. You enable automatic certificate enrollment for all client computers that run Windows 7. You need to verify that the Windows 7 client computers can automatically enroll for certificates. Which command should you run on Computer1?
A. certreq.exe -retrieve
B. certreq.exe -submit
C. certutil.exe -getkey
D. certutil.exe -pulse

Answer: D
Section: Configuring AD Certificate Services
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc732443%28WS.10%29.aspx

--------------------------------------------------------------------------------
Applies To: Windows Server 2008/R2

Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

-pulse     Pulse auto enrollment events
-getkey    Retrieve an archived private key recovery blob
-resubmit  Resubmit a pending certificate request

The other options are not defined.

QUESTION 3
Your network contains two Active Directory forests named contoso.com and adatum.com. The functional level of both forests is Windows Server 2008 R2. Each forest contains one domain. Active Directory Certificate Services (AD CS) is configured in the contoso.com forest to allow users from both forests to automatically enroll user certificates. You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.com certification authority (CA). What should you configure in the adatum.com domain?
A. From the Default Domain Controllers Policy, modify the enterprise security settings.
B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.
C. From the Default Domain Policy, modify the certificate enrollment policy.
D. From the Default Domain Policy, modify the Trusted Root Certification Authorities settings.

Answer: C
Section: Configuring AD Certificate Services
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dd851772.aspx
Configuring certificate enrollment policy settings by using Group Policy

Properties: Opens the Certificate Enrollment Policy Server Properties dialog box, which displays the policy details and list of enrollment policy servers for the selected enrollment policy.

Enable for automatic enrollment and renewal: Specifies that the enrollment policy is used for autoenrollment when autoenrollment is enabled. On computers running Windows 7 that are not members of a domain, autoenrollment is enabled by default. On computers that are members of a domain, autoenrollment must be enabled in Group Policy.
--------------------------------------------------------------------------------
Domain Admins is the minimum group membership required to complete this procedure.

To configure certificate enrollment policy settings in Group Policy:
1. Click Start, type gpmc.msc in the Search programs and files box, and press ENTER.
2. In the console tree, expand the forest and domain that contain the policy that you want to edit, and click Group Policy Objects.
3. Right-click the policy that you want to edit, and then click Edit.
4. In the console tree under Computer Configuration\Policies\Windows Settings\Security Settings, click Public Key Policies.
5. Double-click Certificate Services Client - Certificate Enrollment Policy. For more information about the settings in this dialog box, see the "Certificate Services Client - Certificate Enrollment Policy Properties dialog box" table later in this topic.
6. Click Add to open the Certificate Enrollment Policy Server dialog box. For more information about the settings in this dialog box, see the "Certificate Enrollment Policy Server dialog box" table later in this topic.
7. Do one of the following:
   - To add the enrollment policy provided by Active Directory Domain Services (AD DS), select the Use default Active Directory domain controller URI check box.
   - In the Enter enrollment policy server URI box, type a certificate enrollment policy server URI. In the Authentication type list, select the authentication type required by the enrollment policy server. Click Validate, and review the messages in the Certificate enrollment policy server properties area. The Add button is available only when the enrollment policy server URI and authentication type are valid.
8. Click Add.

QUESTION 4
You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) role services installed:
- Enterprise root certification authority (CA)
- Certificate Enrollment Web Service
- Certificate Enrollment Policy Web Service
You create a new certificate template. External users report that the new template is not available when they request a new certificate. You verify that all other templates are available to the external users. You need to ensure that the external users can request certificates by using the new template. What should you do on Server1?
A. Run iisreset.exe /restart.
B. Run gpupdate.exe /force.
C. Run certutil.exe -dspublish.
D. Restart the Active Directory Certificate Services service.

Answer: A
Section: Configuring AD Certificate Services
Explanation/Reference:
Q - Normally you can use gpupdate /force and/or certutil -pulse on the user's computer to refresh their local certificate store for issued certificates or templates. But the question states what you should do on Server1.
http://technet.microsoft.com/en-us/library/gg398409.aspx
http://www.tech-faq.com/the-certificate-enrollment-process.html

http://support.microsoft.com/kb/317584
--------------------------------------------------------------------------------
Restart IIS service to republish sites

Overview of iisreset.exe
Iisreset.exe uses the following syntax:
iisreset [computername]
NOTE: Items in [] are optional. While iisreset will run without arguments, you may wish to perform other functions. You can use the following parameters with Iisreset.exe:
- computername: Use this parameter to specify the computer that you want to manage. If you omit this parameter, the local computer is specified.
- /restart: Use this parameter to stop and restart all of the running Internet services.
- /start: Use this parameter to start all of the Internet services that are stopped.
- /stop: Use this parameter to stop all of the running Internet services.
- /reboot: Use this parameter to restart the computer.
- /rebootonerror: Use this parameter to restart the computer if an error occurs after the Internet services attempt to start, stop, or restart.
- /noforce: Use this parameter so that the Internet services do not shut down forcefully if you cannot stop the services gracefully.
- /timeout:value: Use this parameter (where value is a timeout value in seconds) to specify the time the computer waits for the Internet services to stop. After the computer stops, it restarts if you use the /rebootonerror parameter. The following list describes the default values:
  - The default value is 20 seconds if you use this parameter with /restart.
  - The default value is 60 seconds if you use this parameter with /stop.
  - The default value is 0 seconds if you use this parameter with /reboot.
- /status: Use this parameter to display the status of all of the Internet services.
- /enable: Use this parameter to enable the Internet services to restart.
- /disable: Use this parameter to disable the Internet services restart process.

QUESTION 5
Your network contains an enterprise root certification authority (CA). You need to ensure that a certificate issued by the CA is valid. What should you do?
A. Run syskey.exe and use the Update option.
B. Run sigverif.exe and use the Advanced option.
C. Run certutil.exe and specify the -verify parameter.
D. Run certreq.exe and specify the -retrieve parameter.

Answer: C
Section: Configuring AD Certificate Services
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc962081.aspx
--------------------------------------------------------------------------------
certutil.exe -verify - Verify a certificate, CRL, or chain

QUESTION 6
You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates.

Users are required to log on to the domain by using a smart card. Your company's corporate security policy states that when an employee resigns, his or her ability to log on to the network must be immediately revoked. An employee resigns. You need to immediately prevent the employee from logging on to the domain. What should you do?
A. Revoke the employee's smart card certificate.
B. Disable the employee's Active Directory account.
C. Publish a new delta certificate revocation list (CRL).
D. Reset the password of the employee's Active Directory account.

Answer: B
Section: Configuring AD Certificate Services
Explanation/Reference:
For most of these options, there appears to be a lag time or possible ways around the solution. Simply disabling the user's account seems to be the fastest and most fool-proof solution.
http://technet.microsoft.com/en-us/library/cc781527%28WS.10%29.aspx
--------------------------------------------------------------------------------
Disable an AD account
ADUC > right-click > Disable/Enable
Command line: dsmod user UserDN -disabled {yes|no}

QUESTION 7
You add an Online Responder to an Online Responder Array. You need to ensure that the new Online Responder resolves synchronization conflicts for all members of the Array. What should you do?
A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1.
B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32.
C. From the Online Responder Management Console, select the new Online Responder and select Set as Array Controller.
D. From the Online Responder Management Console, select the new Online Responder and select Synchronize Members with Array Controller.
Answer: C
Section: Configuring AD Certificate Services
Explanation/Reference:
Although each Online Responder in an Array can be configured and managed independently, in case of conflicts the configuration information for the Array controller will override configuration options set on other Array members.
http://technet.microsoft.com/en-us/library/cc731175.aspx
--------------------------------------------------------------------------------
Online Responder

QUESTION 8
Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterprise root certification authority (CA). You have a Web site that uses X.509 certificates for authentication. The Web site is configured to use a many-to-one mapping. You revoke a certificate issued to an external partner. You need to prevent the external partner from accessing the Web site. What should you do?
A. Run certutil.exe -crl.
B. Run certutil.exe -delkey.
C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.
D. From Active Directory Users and Computers, modify the contact object for the external partner.

Answer: A
Section: Configuring AD Certificate Services
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc732443%28WS.10%29.aspx
--------------------------------------------------------------------------------
certutil -CRL     Publish new certificate revocation lists (CRLs) [or only delta CRLs]
certutil -revoke  Revoke a certificate

QUESTION 9
Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com. The ad.contoso.com domain contains a domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone. You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails. What should you do?
A. Create a new stub zone named ad.contoso.com on DC2.
B. Configure the DNS server on DC2 to forward requests to DC1.
C. Create a new secondary zone named ad.contoso.com on DC2.
D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

Answer: D
Section: Configuring AD DNS
Explanation/Reference:

support.microsoft.com/kb/816101
--------------------------------------------------------------------------------
Convert Primary DNS Server to Active Directory Integrated Primary
1. On the current DNS server, start DNS Manager.
2. Right-click a DNS zone, click Properties, click the General tab, and then note the Type value. This will be Primary zone, Secondary zone or Stub zone.
3. Click Change.
4. In the Change Zone Type box, click to select the Store the zone in Active Directory (available only if DNS server is a domain controller) check box.
5. When you are prompted to answer whether you want this zone to become Active Directory integrated, click Yes, and then click OK.
In the Domain properties, the type now shows "Active Directory-Integrated".

QUESTION 10
Your company has two domain controllers that are configured as internal DNS servers. All zones on the DNS servers are Active Directory-integrated zones. The zones allow all dynamic updates. You discover that the contoso.com zone has multiple entries for the host names of computers that do not exist. You need to configure the contoso.com zone to automatically remove expired records. What should you do?
A. Enable only secure updates on the contoso.com zone.
B. Enable scavenging and configure the refresh interval on the contoso.com zone.
C. From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone.
D. From the Start of Authority tab, increase the default expire interval on the contoso.com zone.

Answer: B
Section: Configuring AD DNS
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc759204%28WS.10%29.aspx
--------------------------------------------------------------------------------
Enable scavenging and configure the refresh interval - DNS
If left unmanaged, the presence of stale RRs in zone data might cause some problems. The following are examples:
- If a large number of stale RRs remain in server zones, they can eventually take up server disk space and cause unnecessarily long zone transfers.
- DNS servers loading zones with stale RRs might use outdated information to answer client queries, potentially causing the clients to experience name resolution problems on the network.
- The accumulation of stale RRs at the DNS server can degrade its performance and responsiveness.
- In some cases, the presence of a stale RR in a zone could prevent a DNS domain name from being used by another computer or host device.
To solve these problems, the DNS Server service has the following features:
- Time stamping, based on the current date and time set at the server computer, for any RRs added dynamically to primary-type zones. In addition, time stamps are recorded in standard primary zones where aging/scavenging is enabled. For RRs that you add manually, a time stamp value of zero is used, indicating that they are not affected by the aging process and can remain without limitation in zone data unless you otherwise change their time stamp or delete them.
- Aging of RRs in local data, based on a specified refresh time period, for any eligible zones. Only primary type zones that are loaded by the DNS Server service are eligible to participate in this process.
- Scavenging for any RRs that persist beyond the specified refresh period. When a DNS server performs a scavenging operation, it can determine that RRs have aged to the point of becoming stale and remove them from zone data. Servers can be configured to perform recurring scavenging operations automatically, or you can initiate an immediate scavenging operation at the server.
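An added example (not from the original exam dump or from Microsoft's documentation) showing the scavenging configuration the answer describes, applied with dnscmd.exe, the command-line tool this page's other explanations use. It assumes a DNS server named DC1 and the contoso.com zone from the question; the interval values are the documented defaults, chosen here for illustration.

```powershell
# Added example: enable aging on contoso.com and turn on automatic scavenging
# with dnscmd.exe (Windows Server 2008 R2). Run as a DNS administrator.
$DnsServer = 'DC1'          # assumed server name
$Zone      = 'contoso.com'  # zone from the question

# dnscmd takes these intervals in hours; 168 hours = 7 days.
$NoRefreshHours = 168   # period during which a fresh timestamp is not rewritten
$RefreshHours   = 168   # period after which a record may be refreshed or aged
$ScavengeHours  = 168   # how often the server runs automatic scavenging

# Zone-level settings: enable aging, then set the two intervals.
dnscmd $DnsServer /Config $Zone /Aging 1
dnscmd $DnsServer /Config $Zone /NoRefreshInterval $NoRefreshHours
dnscmd $DnsServer /Config $Zone /RefreshInterval   $RefreshHours

# Server-level setting: automatic scavenging every $ScavengeHours (0 disables it).
dnscmd $DnsServer /Config /ScavengingInterval $ScavengeHours

# Review what was applied. Records with a zero timestamp (added manually) are
# never scavenged, as the explanation above notes, so only dynamic stale records go.
dnscmd $DnsServer /ZoneInfo $Zone | Select-String -Pattern 'aging|refresh'
```

A record is only eligible for removal after NoRefresh + Refresh hours have passed since its timestamp, so the first automatic pass after enabling aging will not remove anything.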

QUESTION 11
Your company has a main office and a branch office. The company has a single-domain Active Directory forest. The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3. All domain controllers hold the DNS Server server role and are configured with Active Directory-integrated zones. The DNS zones only allow secure updates. You need to enable dynamic DNS updates on DC3. What should you do?
A. Run the Ntdsutil.exe DS Behavior commands on DC3.
B. Run the Dnscmd.exe /ZoneResetType command on DC3.
C. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.
D. Create a custom application directory partition on DC1. Configure the partition to store Active Directory-integrated zones.

Answer: C
Section: Configuring Additional AD Server Roles
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc732801%28WS.10%29.aspx
An RODC vs. a writable DC

QUESTION 12
Your company has a main office and five branch offices that are connected by WAN links. The company has an Active Directory domain named contoso.com. Each branch office has a member server configured as a DNS server. All branch office DNS servers host a secondary zone for contoso.com. You need to configure the contoso.com zone to resolve client queries for at least four days in the event that a WAN link fails. What should you do?
A. Configure the Expires after option for the contoso.com zone to 4 days.
B. Configure the Retry interval option for the contoso.com zone to 4 days.
C. Configure the Refresh interval option for the contoso.com zone to 4 days.
D. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.

Answer: A
Section: AD Sites & Services
Explanation/Reference:

http://technet.microsoft.com/en-us/library/bb727018.aspx
--------------------------------------------------------------------------------
DNS Config - Expires After
The period of time for which zone information is valid on the secondary server. If the secondary server can't download data from a primary server within this period, the secondary server lets the data in its cache expire and stops responding to DNS queries. Setting Expires After to seven days allows the data on a secondary server to be valid for seven days.

QUESTION 13
Your company has an Active Directory domain named contoso.com. The company network has two DNS servers named DNS1 and DNS2. The DNS servers are configured as shown in the following table:

Server   Zones hosted
DNS1     _msdcs.contoso.com, contoso.com
DNS2     .(root), _msdcs.contoso.com, contoso.com

Domain users who are configured to use DNS2 as their preferred DNS server are unable to connect to Internet Web sites. You need to enable name resolution for all client computers. What should you do?
A. Create a copy of the .(root) zone on DNS1.
B. Update the list of root hint servers on DNS2.
C. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.
D. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.

Answer: D
Section: Configuring AD DNS
Explanation/Reference:
http://support.microsoft.com/kb/298148
--------------------------------------------------------------------------------
DNS Root zone
When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone for the domain is created and a root zone, also known as a dot zone, is also created. This root zone may prevent access to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones other than those that are listed with DNS, and you cannot configure forwarders or root hint servers. For these reasons, you may have to remove the root zone.

QUESTION 14
Your company has an Active Directory domain named contoso.com. FS1 is a member server in contoso.com. You add a second network interface card, NIC2, to FS1 and connect NIC2 to a subnet that contains computers in a DNS domain named fabrikam.com. Fabrikam.com has a DHCP server and a DNS server. Users in fabrikam.com are unable to resolve FS1 by using DNS. You need to ensure that FS1 has a record in the fabrikam.com DNS zone. Which two actions should you perform? (Each correct answer presents a complete solution. Choose two.)

A. Configure the DHCP server in fabrikam.com with the 044 WINS/NBNS Servers scope option.
B. Configure the DHCP server in fabrikam.com by setting the 015 DNS Domain Name scope option to the fabrikam.com domain name.
C. Configure NIC2 by configuring the Append these DNS suffixes (in order): option.
D. Configure NIC2 by configuring the Use this connection's DNS suffix in DNS registration option.
E. Configure the DHCP server in contoso.com by setting the 015 DNS Domain Name scope option to the fabrikam.com domain name.
Answer: BD
Section: AD Sites & Services
Explanation/Reference:
OPT1) http://technet.microsoft.com/en-us/library/cc779282%28WS.10%29.aspx
--------------------------------------------------------------------------------
To resolve an unqualified name by appending the primary DNS suffix and the DNS suffix of each connection (if configured), click Append primary and connection specific DNS suffixes. If you also want to search the parent suffixes of the primary DNS suffix up to the second level domain, select the Append parent suffixes of the primary DNS suffix check box.

OPT2) http://technet.microsoft.com/en-us/library/ee941136%28WS.10%29.aspx
--------------------------------------------------------------------------------
Configure a DNS domain option as a server or scope option using the DHCP MMC.
Dynamic Host Configuration Protocol (DHCP) uses options to pass additional Internet Protocol (IP) settings to DHCP clients on a network. Examples of DHCP options include:
- The default gateway IP address
- The Domain Name System (DNS) server IP address
- The DNS domain name

QUESTION 15
Your network consists of an Active Directory forest that contains two domains. All servers run Windows Server 2008 R2. All domain controllers are configured as DNS servers. You have a standard primary zone for dev.contoso.com that is stored on a member server. You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone. What should you do?
A. On the member server, create a stub zone.
B. On the member server, create an NS record for each domain controller.
C. On a domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the forest.
D. On a domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the domain.

Answer: C
Section: Configuring AD DNS
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc754941.aspx
--------------------------------------------------------------------------------
Conditional Forwarder
When you specify a conditional forwarder, select a DNS domain name before you enter an IP address.

QUESTION 16
You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server. You need to record all inbound DNS queries to the server. What should you configure in the DNS Manager console?
A. Enable debug logging.
B. Enable automatic testing for simple queries.
C. Enable automatic testing for recursive queries.
D. Configure event logging to log errors and warnings.

Answer: A
Section: Configuring AD DNS
Explanation/Reference:
Using server debug logging options
The following DNS debug logging options are available:
Direction of packets
- Send: Packets sent by the DNS server are logged in the DNS server log file.
- Receive: Packets received by the DNS server are logged in the log file.
Content of packets
- Standard queries: Specifies that packets containing standard queries (per RFC 1034) are logged in the DNS server log file.
- Updates: Specifies that packets containing dynamic updates (per RFC 2136) are logged in the DNS server log file.
- Notifies: Specifies that packets containing notifications (per RFC 1996) are logged in the DNS server log file.
Type of packet
- Request: Specifies that request packets are logged in the DNS server log file (a request packet is characterized by a QR bit set to 0 in the DNS message header).
- Response: Specifies that response packets are logged in the DNS server log file (a response packet is characterized by a QR bit set to 1 in the DNS message header).

http://technet.microsoft.com/en-us/library/cc776361%28WS.10%29.aspx
--------------------------------------------------------------------------------
DNS Logging
Dns.log contains debug logging activity. By default, it is located in the windir\System32\Dns folder. To enable and use file-based logging, see Select and enable debug logging options on the DNS server.

QUESTION 17
Your network consists of an Active Directory forest named contoso.com. All servers run Windows Server 2008 R2. All domain controllers are configured as DNS servers. The contoso.com DNS zone is stored in the ForestDnsZones Active Directory application partition. You have a member server that contains a standard primary DNS zone for dev.contoso.com. You need to ensure that all domain controllers can resolve names for dev.contoso.com. What should you do?
A. Create an NS record in the contoso.com zone.
B. Create a delegation in the contoso.com zone.
C. Create a standard secondary zone on a global catalog server.
D. Modify the properties of the SOA record in the contoso.com zone.

Answer: B
Section: Configuring AD Backup-Restore
Explanation/Reference:
When delegating zones within your namespace, be aware that for each new zone you create, you will need delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers being made authoritative for the new zone.

http://technet.microsoft.com/en-us/library/cc785881%28WS.10%29.aspx
--------------------------------------------------------------------------------
Create a DNS Delegation
Using the Windows interface:
1. Open the DNS console.
2. In the console tree, right-click the applicable subdomain, and then click New Delegation.
3. Follow the instructions provided in the New Delegation Wizard to finish creating the new delegated domain.
Using a command line:
dnscmd ServerName /RecordAdd ZoneName NodeName [/Aging] [/OpenAcl] [Ttl] NS {HostName|FQDN}

QUESTION 18
Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have an Active Directory-integrated zone for contoso.com. You have a UNIX-based DNS server. You need to configure the Windows Server 2008 R2 environment to allow zone transfers of the contoso.com zone to the UNIX-based DNS server. What should you do in the DNS Manager console?
A. Disable recursion.
B. Create a stub zone.
C. Create a secondary zone.
D. Enable BIND secondaries.

Answer: D
Section: Configuring AD DNS
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc786538%28WS.10%29.aspx
--------------------------------------------------------------------------------
Enable BIND - DNS
To enable or disable fast DNS zone transfers using the Windows interface:
1. Open the DNS snap-in.
2. In the console tree, click the applicable DNS server. Where? DNS/applicable DNS server
3. On the Action menu, click Properties.
4. Click the Advanced tab.
5. In Server options, select the BIND secondaries check box, and then click OK.

QUESTION 19
The network consists of an Active Directory forest that contains a domain named contoso.com. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have two Active Directory-integrated zones: contoso.com and nwtraders.com. You need to ensure that a user is able to modify records in the contoso.com zone. You must prevent the user from modifying the SOA record in the nwtraders.com zone. What should you do?
A. From the DNS Manager console, modify the permissions of the contoso.com zone.
B. From the DNS Manager console, modify the permissions of the nwtraders.com zone.
C. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.
D. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers organizational unit (OU).
Answer: A
Section: Configuring AD DNS
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc780538%28WS.10%29.aspx
----------------------------------------------------------------------
DNS Security

QUESTION 20
Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directory domain named intranet.fabrikam.com. Fabrikam's security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network. You need to ensure that Contoso users are able to resolve names in the intranet.fabrikam.com domain. What should you do?
A. Create a new stub zone for the intranet.fabrikam.com domain.
B. Configure forwarding for the intranet.fabrikam.com domain.
C. Create a standard secondary zone for the intranet.fabrikam.com domain.
D. Create an Active Directory-integrated zone for the intranet.fabrikam.com domain.

Answer: B
Section: Configuring AD DNS
Explanation/Reference:
http://msmvps.com/blogs/ad/archive/2008/09/05/how-to-configure-conditional-forwarders-in-windowsserver-2008.aspx
----------------------------------------------------------------------
Configure Conditional Forwarding

Exam B
QUESTION 1
Your company has an Active Directory domain named ad.contoso.com. The domain has two domain controllers named DC1 and DC2. Both domain controllers have the DNS Server server role installed. You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure DC1 to forward all unresolved name requests to DNS1.contoso.com. You discover that the DNS forwarding option is not available on DC2. You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com server. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Clear the DNS cache on DC2.
B. Delete the root zone on DC2.
C. Configure conditional forwarding on DC2.
D. Configure the Listen On addresses on DC2.

Answer: BC
Section: Configuring AD DNS
Explanation/Reference:
http://support.microsoft.com/kb/298148
----------------------------------------------------------------------
DNS Root zone
When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone for the domain is created and a root zone, also known as a dot zone, is also created. This root zone may prevent access to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones other than those that are listed with DNS, and you cannot configure forwarders or root hint servers. For these reasons, you may have to remove the root zone.

QUESTION 2
The network consists of an Active Directory forest that contains one domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have an Active Directory-integrated zone. You have two Active Directory sites. Each site contains five domain controllers. You add a new NS record to the zone. You need to ensure that all domain controllers immediately receive the new NS record. What should you do?
A. From the DNS Manager console, reload the zone.
B. From the Services snap-in, restart the DNS Server service.
C. From the command prompt, run repadmin /syncall.
D. From the DNS Manager console, increase the version number of the SOA record.

Answer: C
Section: Configuring AD DNS
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc835086%28WS.10%29.aspx
----------------------------------------------------------------------
Sync Replication
repadmin /syncall
Synchronizes a specified domain controller with all of its replication partners.

QUESTION 3
You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNS server for contoso.com. You install the DNS Server server role on a member server named Server1 and then create a standard secondary zone for contoso.com. You configure DC1 as the master server for the zone. You need to ensure that Server1 receives zone updates from DC1. What should you do?
A. On Server1, add a conditional forwarder.
B. On DC1, modify the permissions of the contoso.com zone.
C. On DC1, modify the zone transfer settings for the contoso.com zone.
D. Add the Server1 computer account to the DnsUpdateProxy group.

Answer: C
Section: Configuring AD DNS
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc739056%28WS.10%29.aspx
----------------------------------------------------------------------
Modify zone transfer settings
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To modify DNS zone transfer settings
Using the Windows interface
Open DNS.
Right-click a DNS zone, and then click Properties.
On the Zone Transfers tab, do one of the following:
To disable zone transfers, clear the Allow zone transfers check box.
To allow zone transfers, select the Allow zone transfers check box.
If you allowed zone transfers, do one of the following:
To allow zone transfers to any server, click To any server.
To allow zone transfers only to the DNS servers listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.
To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.
Using a command line
dnscmd ServerName /ZoneResetSecondaries ZoneName {/NoXfr | /NonSecure | /SecureNs | /SecureList [SecondaryIPAddress...]}

QUESTION 4
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller named DC2 has a standard secondary zone for contoso.com. You need to ensure that replication of the contoso.com zone is encrypted. You must not lose any zone data. What should you do?
A. On both servers, modify the interface that the DNS server listens on.
B. Convert the primary zone to an Active Directory-integrated zone. Delete the secondary zone.
C. Convert the primary zone to an Active Directory-integrated stub zone. Delete the secondary zone.
D. Configure the zone transfer settings of the standard primary zone. Modify the master servers list on the secondary zone.
Answer: B
Section: Configuring AD DNS
Explanation/Reference:
support.microsoft.com/kb/816101
----------------------------------------------------------------------
Convert Primary DNS Server to Active Directory Integrated Primary
On the current DNS server, start DNS Manager.
Right-click a DNS zone, click Properties, click the General tab, and then note the Type value. This will be Primary zone, Secondary zone or Stub zone.
Click Change.
In the Change Zone Type box, click to select the Store the zone in Active Directory (available only if DNS server is a domain controller) check box.
When you are prompted to answer whether you want this zone to become Active Directory integrated, click Yes, and then click OK.
In the Domain properties, the type now shows "Active Directory-Integrated".

QUESTION 5
Your network consists of a single Active Directory domain. The domain contains 10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You plan to create a new Active Directory-integrated zone. You need to ensure that the new zone is replicated to only four of the domain controllers. What should you do first?
A. Create a new delegation in the ForestDnsZones application directory partition.
B. Create a new delegation in the DomainDnsZones application directory partition.
C. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter.
D. From the command prompt, run dnscmd and specify the /createdirectorypartition parameter.
Answer: D
Section: Configuring AD DNS
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc756116%28WS.10%29.aspx#BKMK_5
----------------------------------------------------------------------
Dnscmd createdirectorypartition
Creates a DNS application directory partition. When DNS is installed, an application directory partition for the service is created at the forest and domain levels. This operation creates additional DNS application directory partitions.
Syntax
dnscmd [ServerName] /createdirectorypartition PartitionFQDN
Parameters
ServerName: Specifies the DNS server the administrator plans to manage, represented by IP address, FQDN, or Host name. If omitted, the local server is used.
PartitionFQDN: The fully qualified domain name of the DNS application directory partition that will be created.
Dnscmd deletedirectorypartition
Removes an existing DNS application directory partition.
Syntax
dnscmd [ServerName] /deletedirectorypartition PartitionFQDN
Parameters
ServerName: Specifies the DNS server the administrator plans to manage, represented by IP address, FQDN, or Host name. If omitted, the local server is used.
PartitionFQDN: The fully qualified domain name of the DNS application directory partition that will be removed.
Dnscmd directorypartitioninfo
Lists information about a specified DNS application directory partition.
Syntax
dnscmd [ServerName] /directorypartitioninfo PartitionFQDN [/detail]

QUESTION 6
Your network consists of a single Active Directory domain. You have a domain controller and a member server that run Windows Server 2008 R2. Both servers are configured as DNS servers. The client computers run Windows XP Service Pack 3 or Windows 7. You have a standard primary zone on the domain controller. The member server hosts a secondary copy of the zone. You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone. What should you do first?
A. On the member server, add a conditional forwarder.
B. On the member server, install Active Directory Domain Services.
C. Add all computer accounts to the DnsUpdateProxy group.
D. Convert the standard primary zone to an Active Directory-integrated zone.
Answer: D
Section: Configuring AD DNS
Explanation/Reference:
support.microsoft.com/kb/816101
----------------------------------------------------------------------
Convert Primary DNS Server to Active Directory Integrated Primary
On the current DNS server, start DNS Manager.
Right-click a DNS zone, click Properties, click the General tab, and then note the Type value. This will be Primary zone, Secondary zone or Stub zone.
Click Change.
In the Change Zone Type box, click to select the Store the zone in Active Directory (available only if DNS server is a domain controller) check box.
When you are prompted to answer whether you want this zone to become Active Directory integrated, click Yes, and then click OK.
In the Domain properties, the type now shows "Active Directory-Integrated".

QUESTION 7
Your company has an Active Directory domain. The head office has a DNS server named DNS1 that is configured with an Active Directory-integrated DNS zone. The branch office has a DNS server named DNS2 that contains a secondary copy of the zone from DNS1. The two offices are connected by an unreliable WAN link. You add a new server to the head office. Five minutes after adding the server, a user from the branch office reports that he is unable to connect to the new server. You need to ensure that the user is able to connect to the new server. What should you do?
A. Clear the cache on DNS2.
B. Refresh the zone on DNS1.
C. Refresh the zone on DNS2.
D. Export the zone from DNS1 and import the zone to DNS2.

Answer: C
Section: Configuring AD DNS
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc784052%28WS.10%29.aspx
----------------------------------------------------------------------
DNS Dynamic update
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Dynamic update
Dynamic update enables DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use DHCP to obtain an IP address.

The DNS Client and Server services support the use of dynamic updates, as described in Request for Comments (RFC) 2136, "Dynamic Updates in the Domain Name System." The DNS Server service allows dynamic update to be enabled or disabled on a per-zone basis at each server configured to load either a standard primary or directory-integrated zone. By default, the DNS Client service will dynamically update host (A) resource records (RRs) in DNS when configured for TCP/IP. For more information about RFCs, see DNS RFCs.
How client and server computers update their DNS names
By default, computers that are statically configured for TCP/IP attempt to dynamically register host (A) and pointer (PTR) resource records (RRs) for IP addresses configured and used by their installed network connections. By default, all computers register records based on their fully qualified domain name (FQDN). The primary full computer name, a FQDN, is based on the primary DNS suffix of a computer appended to its Computer name. Both of these settings are displayed or configured from the Computer Name tab in System properties. For more information, see View system properties.

QUESTION 8
You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2. What is the minimum forest functional level that you should use?
A. Windows Server 2008 R2
B. Windows Server 2008
C. Windows Server 2003
D. Windows 2000

Answer: C
Section: Configuring Additional AD Server Roles
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc731243%28WS.10%29.aspx
----------------------------------------------------------------------
Prerequisites for Deploying an RODC
Applies To: Windows Server 2008, Windows Server 2008 R2
Complete the following prerequisites before you deploy a read-only domain controller (RODC):
Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available. This provides a higher level of replication consistency.
The domain functional level must be Windows Server 2003 or higher, so that Kerberos constrained delegation is available. If the forest functional level is Windows Server 2003, the domain functional level of all domains in the forest is Windows Server 2003 or higher.

QUESTION 9
Your company has a single Active Directory domain named intranet.contoso.com. All domain controllers run Windows Server 2008 R2. The domain functional level is Windows 2000 native and the forest functional level is Windows 2000. You need to ensure that the UPN suffix for contoso.com is available for user accounts. What should you do first?
A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.
B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.
C. Add the new UPN suffix to the forest.
D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to contoso.com.
Answer: C
Section: Configuring Domains and Trusts
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc772007.aspx
----------------------------------------------------------------------
Add User Principal Name Suffixes
To add UPN suffixes
Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
In the console tree, right-click Active Directory Domains and Trusts, and then click Properties.
On the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.
Repeat step 3 to add additional alternative UPN suffixes.
Additional considerations
To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support.
UPN suffixes should conform to DNS conventions for valid characters and syntax.
You can also perform the task in this procedure by using the Active Directory module for Windows PowerShell. To open the Active Directory module, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell. For more information, see Add User Principal Name Suffixes (http://go.microsoft.com/fwlink/?LinkId=137827). For more information about Windows PowerShell, see Windows PowerShell (http://go.microsoft.com/fwlink/?LinkID=102372).

QUESTION 10
Your company, A. Datum Corporation, has a single Active Directory domain named intranet.adatum.com. The domain has two domain controllers that run the Windows Server 2008 R2 operating system. The domain controllers also run DNS servers. The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the Dynamic updates setting configured to Secure only. A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated only by domain controllers or member servers. You need to configure the intranet.adatum.com zone to meet the requirement of the new security policy. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zone properties.
B. Assign the SELF account the Deny on Write permission on the Security tab of the intranet.adatum.com DNS zone properties.
C. Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of the intranet.adatum.com DNS zone properties.
D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tab of the intranet.adatum.com DNS zone properties.
Answer: AD
Section: Configuring AD DNS
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc780538%28WS.10%29.aspx
----------------------------------------------------------------------
DNS Security
C is incorrect because there is no "Allow on Write All" permission.

QUESTION 11
Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers. You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the adprep /forestprep command.
B. Run the adprep /domainprep command.
C. Raise the forest functional level to Windows Server 2008.
D. Raise the domain functional level to Windows Server 2008.

Answer: AB
Section: Powershell & Command line cmds
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc731728%28WS.10%29.aspx
----------------------------------------------------------------------
Adprep
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008
Extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 operating system.
Adprep.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the \sources\adprep folder, and it is available on the Windows Server 2008 R2 installation disk in the \support\adprep folder. You must run adprep from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
In Windows Server 2008 R2, Adprep is available in a 32-bit version and a 64-bit version. The 64-bit version runs by default. If you need to run Adprep on a 32-bit computer, run the 32-bit version (Adprep32.exe).
For more information about running Adprep.exe and how to resolve errors that can occur when you run it, see Running Adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597). For examples of how this command can be used, see Examples.
For more information about running adprep /forestprep, see Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=93242).
For more information about running adprep /domainprep /gpprep, see Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=93243).
For more information about running adprep /rodcprep, see Prepare a Forest for a Read-Only Domain Controller (http://go.microsoft.com/fwlink/?LinkID=93244).

QUESTION 12
Your company has a single Active Directory domain. All domain controllers run Windows Server 2003. You install Windows Server 2008 R2 on a server. You need to add the new server as a domain controller in your domain. What should you do first?
A. On the new server, run dcpromo /adv.
B. On the new server, run dcpromo /CreateDCAccount.
C. On a domain controller, run adprep /rodcprep.
D. On a domain controller, run adprep /forestprep.
Answer: D
Section: Creating & Maintaining AD Objects
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc731728%28WS.10%29.aspx
----------------------------------------------------------------------
Adprep
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008
Extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 operating system.
Adprep.exe is a command-line tool that is available on the Windows Server 2008 installation disc in the \sources\adprep folder, and it is available on the Windows Server 2008 R2 installation disk in the \support\adprep folder. You must run adprep from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
In Windows Server 2008 R2, Adprep is available in a 32-bit version and a 64-bit version. The 64-bit version runs by default. If you need to run Adprep on a 32-bit computer, run the 32-bit version (Adprep32.exe).
For more information about running Adprep.exe and how to resolve errors that can occur when you run it, see Running Adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597). For examples of how this command can be used, see Examples.
For more information about running adprep /forestprep, see Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=93242).
For more information about running adprep /domainprep /gpprep, see Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=93243).
For more information about running adprep /rodcprep, see Prepare a Forest for a Read-Only Domain Controller (http://go.microsoft.com/fwlink/?LinkID=93244).

QUESTION 13
Your company has two Active Directory forests, as shown in the following table:

Forest name    Forest functional level    Domain(s)
contoso.com    Windows Server 2008        contoso.com
fabrikam.com   Windows Server 2008        fabrikam.com, eng.fabrikam.com

The forests are connected through a two-way forest trust. Each trust direction is configured with forest-wide authentication. The new company security policy prohibits users from the eng.fabrikam.com domain from accessing resources in the contoso.com domain. You need to configure the forest trust to meet the requirement of the new security policy. What should you do?
A. Delete the outgoing forest trust in the contoso.com domain.
B. Delete the incoming forest trust in the contoso.com domain.
C. Change the properties of the existing incoming forest trust in the contoso.com domain from forest-wide authentication to selective authentication.
D. Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude *.eng.fabrikam.com from the Name Suffix Routing trust properties.
Answer: D
Section: Maintaining the AD Environment
Explanation/Reference:
Name Suffix Routing controls the routing of authentication traffic. When an account attempts to authenticate and that account does not exist in the local domain, the name suffix route is used to direct authentication requests to the trusted forest root domain. When you exclude a name suffix, all children of that DNS name will also be excluded, so this also means all users from fabrikam.com.
Exclude name suffixes from routing to a local forest
http://technet.microsoft.com/en-us/library/cc758388(WS.10).aspx
-Q- answer C
http://technet.microsoft.com/en-us/library/cc778851%28WS.10%29.aspx
----------------------------------------------------------------------
Create a two-way, forest trust for both sides of the trust
To create a two-way, forest trust for both sides of the trust
Open Active Directory Domains and Trusts.
In the console tree, right-click the domain node for the domain that you want to establish a trust with, and then click Properties.
On the Trusts tab, click New Trust, and then click Next.
On the Trust Name page, type the Domain Name System (DNS) name (or network basic input/output system (NetBIOS) name) of the domain, and then click Next.
On the Trust Type page, click Forest trust, and then click Next.
On the Direction of Trust page, click Two-way, and then click Next. For more information about the selections that are available on the Direction of Trust page, see the section "Direction of Trust" in Appendix: New Trust Wizard Pages.
On the Sides of Trust page, click Both this domain and the specified domain, and then click Next. For more information about the selections that are available on the Sides of Trust page, see the section "Sides of Trust" in Appendix: New Trust Wizard Pages.
On the User Name and Password page, type the user name and password for the appropriate administrator in the specified domain.
On the Outgoing Trust Authentication Level--Local Forest page, do one of the following, and then click Next:
Click Forest-wide authentication.
Click Selective authentication.
On the Outgoing Trust Authentication Level--Specified Forest page, do one of the following, and then click Next:
Click Forest-wide authentication.
Click Selective authentication.
On the Trust Selections Complete page, review the results, and then click Next.
On the Trust Creation Complete page, review the results, and then click Next.
On the Confirm Outgoing Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the outgoing trust. Note that if you do not confirm the trust at this stage, the secure channel will not be established until the first time the trust is used by users.
If you want to confirm this trust, click Yes, confirm the outgoing trust, and then supply the appropriate administrative credentials from the specified domain.
On the Confirm Incoming Trust page, do one of the following:
If you do not want to confirm this trust, click No, do not confirm the incoming trust.
If you want to confirm this trust, click Yes, confirm the incoming trust, and then supply the appropriate administrative credentials from the specified domain.
On the Completing the New Trust Wizard page, click Finish.

QUESTION 14
You have an existing Active Directory site named Site1. You create a new Active Directory site and name it Site2. You need to configure Active Directory replication between Site1 and Site2. You install a new domain controller. You create the site link between Site1 and Site2. What should you do next?
A. Use the Active Directory Sites and Services console to configure a new site link bridge object.
B. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2.
C. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new domain controller object to Site2.
D. Use the Active Directory Sites and Services console to configure the new domain controller as a preferred bridgehead server for Site1.
Answer: C
Section: AD Sites & Services
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc730718.aspx
----------------------------------------------------------------------
AD Sites & Services - Configure an Additional Site
The tasks for configuring a new site include the following:
Creating the site
Mapping the correct IP addresses to the site by creating a subnet
Linking the site to another site or sites by creating a site link and adding the new site to it

QUESTION 15
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003. You upgrade all domain controllers to Windows Server 2008 R2. You need to ensure that the Sysvol share replicates by using DFS Replication (DFSR). What should you do?
A. From the command prompt, run netdom /reset.
B. From the command prompt, run dfsutil /addroot:sysvol.
C. Raise the domain functional level to Windows Server 2008 R2.
D. From the command prompt, run dcpromo /unattend:unattendfile.xml.

Answer: C
Section: Maintaining the AD Environment
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc731728%28WS.10%29.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
Windows Server 2008 uses the newer DFS Replication service in domains that use the Windows Server 2008 domain functional level, and FRS for domains that run older domain functional levels.

QUESTION 16
Your company has a branch office that is configured as a separate Active Directory site and has an Active Directory domain controller. The Active Directory site requires a local global catalog server to support a new application. You need to configure the domain controller as a global catalog server. Which tool should you use?

A. The Dcpromo.exe utility
B. The Server Manager console
C. The Computer Management console
D. The Active Directory Sites and Services console
E. The Active Directory Domains and Trusts console

Answer: D
Section: AD Sites & Services
Explanation/Reference:
To add or remove the global catalog
Open Active Directory Sites and Services. To open Active Directory Sites and Services, click Start, click Administrative Tools, and then click Active Directory Sites and Services.
http://technet.microsoft.com/en-us/library/cc733162.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
Adding the Global Catalog to a Site
Applies To: Windows Server 2008, Windows Server 2008 R2
A global catalog server makes it possible to search the entire Active Directory Domain Services (AD DS) forest without referrals to a domain controller in the domain that stores the target of the search. When you

add the global catalog to a domain controller, a partial, read-only replica of every domain in the forest (other than the domain that the new global catalog server stores) is replicated to the domain controller. Global catalog servers are required for searching and for processing domain logons in forests where universal groups are available.

Global catalog servers and domains
Global catalog servers respond to forest-wide Lightweight Directory Access Protocol (LDAP) queries over port 3268. The global catalog eliminates the need for a query to be sent to multiple domain controllers until the query locates the domain that contains the requested object. When a forest contains only one domain, all domain controllers have the full complement of objects that can be searched, and a global catalog server is not required to eliminate referrals to other domains. However, because the global catalog port is different from the default LDAP port (389), global catalog queries must locate a global catalog server. In a single-domain forest, by configuring all domain controllers as global catalog servers you ensure that global catalog queries are load-balanced evenly among all domain controllers in the domain. Because no additional replication or processing of other domain data is required, the single-domain global catalog server requires no special hardware advantages over other domain controllers. If a forest contains more than one domain, however, a global catalog server must store and replicate domain data for all domains in the forest. In this case, determine the placement of global catalog servers in your forest according to site needs, as described in the following section.

Global catalog servers and sites
To optimize network performance in a multiple-site environment, consider adding global catalog servers in sites according to the needs in the sites for fast search responses and domain logons. In a single-site, multiple-domain environment, a single global catalog server is usually sufficient to cover common Active Directory queries and logons. Use the information in the following table to determine whether your multiple-domain, multiple-site environment can benefit from additional global catalog servers.

QUESTION 17
Your company has a main office and 10 branch offices. Each branch office has an Active Directory site that contains a domain controller. Only the domain controllers in the main office are configured as global catalog servers. You need to disable the Universal Group Membership Caching option on the domain controllers in the branch offices. At which level should you disable the Universal Group Membership Caching option?

A. Site
B. Server
C. Domain
D. Connection object

Answer: A
Section: AD Sites & Services
Explanation/Reference:
http://technet.microsoft.com/en-us/magazine/ff797984.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
Enable/disable Universal Group Membership Caching option
You can enable or disable universal group membership caching by following these steps:
1. In Active Directory Sites And Services, expand and then select the site you want to work with.
2. In the details pane, right-click NTDS Site Settings, and then click Properties.
3. To enable universal group membership caching, select the Enable Universal Group Membership Caching check box on the Site Settings tab. Then, in the Refresh Cache From list, choose a site from which to cache universal group memberships. The selected site must have a working global catalog server.

4. To disable universal group membership caching, clear the Enable Universal Group Membership Caching check box on the Site Settings tab.
5. Click OK.

QUESTION 18
Your company has an Active Directory forest. Not all domain controllers in the forest are configured as global catalog servers. Your domain structure contains one root domain and one child domain. You modify the folder permissions on a file server that is in the child domain. You discover that some access control entries start with S-1-5-21... and that no account name is listed. You need to list the account names. What should you do?

A. Move the RID master role in the child domain to a domain controller that holds the global catalog.
B. Modify the schema to enable replication of the friendlynames attribute to the global catalog.
C. Move the RID master role in the child domain to a domain controller that does not hold the global catalog.
D. Move the infrastructure master role in the child domain to a domain controller that does not hold the global catalog.

Answer: D
Section: Configuring AD FSMO Roles
Explanation/Reference:
http://support.microsoft.com/kb/22334
---------------------------------------------------------------------------------------------------------------------------------------------
Infrastructure master role and the Global Catalog
As a general rule, the infrastructure master should be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold.
Two exceptions to the "do not place the infrastructure master on a global catalog server" rule are:
o Single domain forest: In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.
o Multidomain forest where every domain controller in a domain holds the global catalog: If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain.

QUESTION 19
Your company has an Active Directory domain. You log on to the domain controller. The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC).

You need to access the Active Directory Schema snap-in. What should you do?

A. Register Schmmgmt.dll.
B. Log off and log on again by using an account that is a member of the Schema Admins group.
C. Use the Ntdsutil.exe command to connect to the schema master operations master and open the schema for writing.
D. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by using Server Manager.

Answer: A
Section: Configuring AD FSMO Roles
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc732110.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
Install the Active Directory Schema Snap-In
Open an elevated command prompt. Click Start, type command prompt, and then right-click Command Prompt when it appears in the Start menu. Next, click Run as administrator.
When the command prompt opens, type the command below, and then press ENTER:
regsvr32 schmmgmt.dll
The snap-in can now be opened from Administrative Tools, like Active Directory Users and Computers (ADUC).

QUESTION 20
Your company has two domain controllers named DC1 and DC2. DC1 hosts all domain and forest operations master roles. DC1 fails. You need to rebuild DC1 by reinstalling the operating system. You also need to roll back all operations master roles to their original state. You perform a metadata cleanup and remove all references to DC1. Which three actions should you perform next? (To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.)

Answer:

Section: Configuring AD FSMO Roles
Explanation/Reference:

Exam C
QUESTION 1
You are decommissioning one of the domain controllers in a child domain. You need to transfer all domain operations master roles in the child domain to a newly installed domain controller in the same child domain. Which three domain operations master roles should you transfer? (Each correct answer presents part of the solution. Choose three.)

A. RID master
B. PDC emulator
C. Schema master
D. Infrastructure master
E. Domain naming master

Answer: ABD
Section: Configuring AD FSMO Roles
Explanation/Reference:
Each domain in a forest has its own RID master, PDC emulator, and infrastructure master.
http://technet.microsoft.com/en-us/library/cc779716%28WS.10%29.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
Operations Master Roles
The five operations master roles are assigned automatically when the first domain controller in a given domain is created. Two forest-level roles are assigned to the first domain controller created in a forest and three domain-level roles are assigned to the first domain controller created in a domain.

Forestwide Operations Master Roles
The schema master and domain naming master are forestwide roles, meaning that there is only one schema master and one domain naming master in the entire forest.
---------------------------------------------------------------------------------------------------------------------------------------------
Domainwide Operations Master Roles
The other operations master roles are domainwide roles, meaning that each domain in a forest has its own RID master, PDC emulator, and infrastructure master.

RID Master
The relative identifier (RID) operations master allocates blocks of RIDs to each domain controller in the domain. Whenever a domain controller creates a new security principal, such as a user, group, or computer object, it assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which uniquely identifies each security principal created in the domain.

PDC Emulator
The PDC emulator operations master acts as a Windows NT PDC in domains that contain client computers operating without AD DS client software or Windows NT backup domain controllers (BDCs). In addition, the PDC emulator processes password changes from clients and replicates the updates to the Windows NT BDCs. Even after all Windows NT domain controllers are upgraded to AD DS, the PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. If a logon authentication fails at another domain controller due to a bad password, that domain controller forwards the authentication request to the PDC emulator before rejecting the logon attempt.

Infrastructure Master
The infrastructure operations master is responsible for updating object references in its domain that point to objects in another domain. The infrastructure master updates object references locally and uses replication to bring all other replicas of the domain up to date. The object reference contains the object's globally unique identifier (GUID), distinguished name and possibly a SID. The distinguished name and SID on the object reference are periodically updated to reflect changes made to the actual object. These changes include moves within and between domains as well as the deletion of the object. If the infrastructure master is unavailable, updates to object references are delayed until it comes back online.

QUESTION 2
Your company has an Active Directory domain. The company has two domain controllers named DC1 and DC2. DC1 holds the schema master role. DC1 fails. You log on to Active Directory by using the administrator account. You are not able to transfer the schema master role. You need to ensure that DC2 holds the schema master role. What should you do?

A. Register Schmmgmt.dll. Start the Active Directory Schema snap-in.
B. Configure DC2 as a bridgehead server.
C. On DC2, seize the schema master role.
D. Log off and log on again to Active Directory by using an account that is a member of the Schema Admins group. Start the Active Directory Schema snap-in.

Answer: C
Section: Configuring AD FSMO Roles
Explanation/Reference:
Only a schema admin can perform this task, but you are already logged on with the administrator account, which is a member of the Schema Admins group. Because DC1 has failed, the role cannot be transferred and must be seized.
http://support.microsoft.com/kb/255504
---------------------------------------------------------------------------------------------------------------------------------------------
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
We recommend that you seize FSMO roles in the following scenarios:
The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.
A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.

QUESTION 3
You are decommissioning the domain controller that holds all forest-wide operations master roles. You need to transfer all forest-wide operations master roles to another domain controller. Which two roles should you transfer? (Each correct answer presents part of the solution. Choose two.)

A. RID master
B. PDC emulator
C. Schema master
D. Infrastructure master
E. Domain naming master

Answer: CE
Section: Configuring AD FSMO Roles
Explanation/Reference:
The schema master and domain naming master are forestwide roles, meaning that there is only one schema master and one domain naming master in the entire forest.
http://support.microsoft.com/kb/255504
---------------------------------------------------------------------------------------------------------------------------------------------
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
We recommend that you transfer FSMO roles in the following scenarios:
The current role holder is operational and can be accessed on the network by the new FSMO owner.
You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a live domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master role.
We recommend that you seize FSMO roles in the following scenarios:
The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.
A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.

QUESTION 4
Your company has a server that runs an instance of Active Directory Lightweight Directory Services (AD LDS). You need to create new organizational units in the AD LDS application directory partition. What should you do?

A. Use the Active Directory Users and Computers snap-in to create the organizational units in the AD LDS application directory partition.
B. Use the ADSI Edit snap-in to create the organizational units in the AD LDS application directory partition.
C. Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units.
D. Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units.

Answer: B
Section: Configuring AD LDS
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc794959%28WS.10%29.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
Manage an AD LDS Instance Using ADSI Edit
Explanation: You can use the Adsiedit.msc tool to create a new OU in the AD LDS application directory partition.

AD LDS is usually used to store information about users, organizations, and the groups that they belong to. Lightweight Directory Access Protocol (LDAP)-based directories, such as Active Directory Domain Services (AD DS) and AD LDS, most commonly use OUs to keep users and groups organized. To create a new OU in AD LDS, you can use Adsiedit.msc tool. Active Directory Services Interfaces Editor (ADSI Edit) is a low-level editor for AD DS and AD LDS. ADSI Edit can be used to view, modify, create, and delete any object in AD DS and AD LDS.

QUESTION 5
Your company has a server that runs Windows Server 2008 R2. The server runs an instance of Active Directory Lightweight Directory Services (AD LDS). You need to replicate the AD LDS instance to a test computer that is located on the network. What should you do?

A. Run the repadmin /kcc <servername> command on the test computer.
B. Create a naming context by running the Dsmgmt command on the test computer.
C. Create a new directory partition by running the Dsmgmt command on the test computer.
D. Create and install a replica by running the AD LDS Setup Wizard on the test computer.

Answer: D
Section: Configuring AD LDS
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc771458(v=WS.10).aspx
Install a replica AD LDS instance from media
When you install an AD LDS replica from media, you use a restored backup of an AD LDS instance as the data source, rather than another AD LDS instance. When you restore an AD LDS instance for use in a replica installation from media, you must restore the files to an alternate location, rather than to the original location from which they were backed up. After you restore AD LDS files from a backup to an alternate location, the Adamntds.dit file and Edb*.log files will be nested in the specified alternate location. For example, if you specify C:\restore_dir as the restore location for the AD LDS files, Adamntds.dit and the Edb*.log files will be located at C:\restore_dir\Program Files\Microsoft ADAM\instancename\data, where instancename represents the AD LDS instance that was restored.
To install an AD LDS replica from media
Restore a backup copy of the AD LDS instance from which you want to install to an alternate location. (Do not restore the backup to the original location of the AD LDS instance.)
Click Start, right-click Command Prompt, and then click Run as administrator.
Type the following command, and then press ENTER:
%windir%\adam\adaminstall /adv
Follow the steps in the Active Directory Lightweight Directory Services Setup Wizard.

http://technet.microsoft.com/en-us/library/cc771458%28WS.10%29.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
Managing Replica AD LDS Instances
To create a replica AD LDS instance by using the Active Directory Lightweight Directory Services Setup Wizard
Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services Setup Wizard.
On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next.

On the Setup Options page, click A replica of an existing instance, and then click Next.
On the Instance Name page, accept the default name instance2 (or instance1, if you are installing AD LDS on a second computer), and then click Next.
Note: AD LDS instance names have to be unique only on a given computer.
On the Ports page, accept the default values of 50000 and 50001 (if you are installing onto the first computer) or 389 and 636 (if you are installing onto a second computer), and then click Next.
On the Joining a Configuration Set page, in Server, type the host name or DNS name of the computer where the first AD LDS instance is installed. Then, type the LDAP port number in use by the first AD LDS instance (which is 389 by default), and then click Next.
Note: You must use a valid host name or DNS name, rather than an IP address or localhost, when you specify a server on the Joining a Configuration Set page of the Active Directory Lightweight Directory Services Setup Wizard.
On the Administrative Credentials for the Configuration Set page, click the account that is used as the AD LDS administrator for your first AD LDS instance.
On the Copy Application Partition page, select the application directory partitions that you want to replicate to the new AD LDS instance. (The schema and configuration partitions will be replicated automatically.)
Accept the default values on the remaining Active Directory Lightweight Directory Services Setup Wizard pages by clicking Next on each page, and then click Finish on the Completing the Active Directory Application Mode Setup Wizard page.
After the installation is complete, use the ADSI Edit snap-in to confirm that the selected directory partition has been replicated to your second AD LDS instance.

QUESTION 6
Your company has Active Directory Rights Management Services (AD RMS). Users have Windows Vista computers. An Active Directory domain is configured at the Windows Server 2003 functional level. You need to configure AD RMS so that users are able to protect their documents. What should you do?

A. Install the AD RMS client 2.0 on each client computer.
B. Add the RMS service account to the local Administrators group on the AD RMS server.
C. Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user.
D. Upgrade the Active Directory domain to the Windows Server 2008 functional level.

Answer: C
Section: Configuring AD Rights Mgmt Services
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dd772659%28WS.10%29.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
AD RMS Prerequisites
All users and groups who use AD RMS to acquire licenses and publish content must have an e-mail address configured in Active Directory.
Active Directory Forest Functional Level - Any

Active Directory Domain Functional Level - Any
AD RMS must be installed in an Active Directory domain in which the domain controllers are running one of the following:
Windows Server 2000 with Service Pack 5 (SP5) *
Windows Server 2003 with Service Pack 2 (SP2)
Windows Server 2003 R2 with Service Pack 2 (SP2)
Windows Server 2008 Standard
Windows Server 2008 Enterprise
Windows Server 2008 Datacenter
Windows Small Business Server 2008 Premium
Windows Small Business Server 2008 Standard
Windows Essential Business Server 2008 Premium
Windows Essential Business Server 2008 Standard
Windows Server 2008 R2 Enterprise
Windows Server 2008 R2 Datacenter
Windows Server 2008 R2 Standard
Windows Server 2008 R2 Foundation

QUESTION 7
Your company has an Active Directory forest that runs at the Windows Server 2008 functional level. You implement Active Directory Rights Management Services (AD RMS). You install Microsoft SQL Server 2005. When you attempt to open the AD RMS administration Web site, you receive the following error message: "SQL Server does not exist or access denied." You need to open the AD RMS administration Web site. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Restart IIS.
B. Install Message Queuing.
C. Start the MSSQLSvc service.
D. Manually delete the Service Connection Point in Active Directory Domain Services (AD DS) and restart AD RMS.

Answer: AC
Section: Configuring AD Rights Mgmt Services
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc747605%28WS.10%29.aspx#BKMK_1
---------------------------------------------------------------------------------------------------------------------------------------------
RMS Administration Issues
"SQL Server does not exist or access denied" message received when attempting to open the RMS Administration Web site
If you have installed RMS by using a new installation of SQL Server 2005 as your database server, the SQL Server service might not be started. In SQL Server 2005, the MSSQLSERVER service is not configured to automatically start when the server is started. If you have restarted your SQL Server since installing RMS and have not configured this service to automatically restart, RMS will not be able to function and only the RMS Global Administration page will be accessible. After you have started the MSSQLSERVER service, you must restart IIS on each RMS server in the cluster to restore RMS functionality.

QUESTION 8
Your company has a main office and 40 branch offices. Each branch office is configured as a separate Active Directory site that has a dedicated read-only domain controller (RODC). An RODC server is stolen from one of the branch offices. You need to identify the user accounts that were cached on the stolen RODC server. Which utility should you use?

A. Dsmod.exe
B. Ntdsutil.exe
C. Active Directory Sites and Services
D. Active Directory Users and Computers

Answer: D
Section: Configuring Additional AD Server Roles
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc835486%28WS.10%29.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
Deleting the RODC computer account using Active Directory Users and Computers
An efficient tool for removing the RODC computer account and resetting all the passwords for the accounts that were authenticated to it is the Active Directory Users and Computers snap-in.
To delete the RODC computer account using Active Directory Users and Computers
Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively.
In the console tree, expand the domain object, and then select the Domain Controllers organizational unit (OU).
In the details pane, right-click the RODC computer account, and then click Delete.
When the Active Directory Domain Services dialog box appears, click Yes to confirm the deletion.
In the Deleting Domain Controller dialog box (shown below), select the appropriate options to indicate whether you want to reset all user account passwords or all computer account passwords and to specify the location (file system path) where you want to export a list of accounts whose current passwords were cached on the RODC. You can clear or select any of the check boxes at this point. By default, the Reset all passwords for user accounts that were cached on this Read-only Domain Controller and the Export the list of accounts that were cached on this Read-only Domain Controller to this file: check boxes are selected, as shown in the following illustration. If you want to also reset the passwords for the computer accounts that were cached on the RODC, you must select the Reset all passwords for computer accounts that were cached on this Read-only Domain Controller check box. Although computer account passwords are reset every 30 days by default, you can choose to reset those account passwords immediately, which may reduce the chance that the computer accounts that were cached on the RODC can be used by an attacker in an attempt to compromise the domain before the accounts are reset automatically.
When you are ready to proceed, click Delete.
Note: If you reset the computer account passwords, you will have to rejoin the computers to the domain. If you automatically reset the user account passwords, users will not be able to log on to the domain until they can contact an account administrator to have their passwords reset to a mutually agreed-on password.

Delete RODC computer account
The Deleting Domain Controller dialog box then asks you to confirm your deletion request. Verify that the request is accurate, and then click OK to continue with the deletion, as shown in the following illustration.

QUESTION 9
Your company has an Active Directory forest that contains a single domain. A domain member server has the Active Directory Federation Services (AD FS) server role installed. You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain. What should you do?

A. Add and configure a new account store.
B. Add and configure a new account partner.
C. Add and configure a new resource partner.
D. Add and configure a claims-aware application.

Answer: A
Section: Configuring AD Federated Services
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc732095.aspx
Active Directory Federation Services (AD FS) uses account stores to log on users and extract security claims for those users. You can configure multiple account stores for a single Federation Service. You can also define their priority. The Federation Service uses Lightweight Directory Access Protocol (LDAP) to communicate with account stores. AD FS supports the following two account stores:
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)

http://technet.microsoft.com/en-us/library/cc772309%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc734905%28WS.10%29.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
See the articles above for more information on AD FS installation and troubleshooting.

QUESTION 10
A user in a branch office of your company attempts to join a computer to the domain, but the attempt fails. You need to enable the user to join a single computer to the domain. You must ensure that the user is denied any additional rights beyond those required to complete the task. What should you do?

A. Prestage the computer account in the Active Directory domain.
B. Add the user to the Domain Administrators group for one day.
C. Add the user to the Server Operators group in the Active Directory domain.
D. Grant the user the right to log on locally by using a Group Policy object (GPO).

Answer: A Section: Creating & Maintaining AD Objects

Explanation/Reference:
Prestaged clients are computer account objects that are created within Active Directory Domain Services (AD DS) before the operating system is installed. There is an additional benefit if the domain is using WDS to deploy images over the network: the prestaged accounts correspond to physical devices that will boot from the network by using Windows Deployment Services.
Prestage client computers - http://technet.microsoft.com/en-us/library/cc759196%28WS.10%29.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
Set permissions for users who use prestaged client computers - http://technet.microsoft.com/en-us/library/cc779006%28WS.10%29.aspx

QUESTION 11
Your company's security policy requires complex passwords. You have a comma-delimited file named import.csv that contains user account information. You need to create user accounts in the domain by using the import.csv file. You also need to ensure that the new user accounts are set to use standard passwords and are disabled. What should you do?

A. Modify the userAccountControl attribute to disabled. Run the csvde -i -k -f import.csv command. Run the DSMOD utility to set standard passwords for the user accounts.
B. Modify the userAccountControl attribute to accounts disabled. Run the csvde -f import.csv command. Run the DSMOD utility to set standard passwords for the user accounts.
C. Modify the userAccountControl attribute to disabled. Run the wscript import.csv command. Run the DSADD utility to set standard passwords for the imported user accounts.
D. Modify the userAccountControl attribute to disabled. Run the ldifde -i -f import.csv command. Run the DSADD utility to set passwords for the imported user accounts.

Answer: A Section: Powershell & Command line cmds
Explanation/Reference: http://technet.microsoft.com/en-us/library/cc732101(v=WS.10).aspx

Csvde is a command-line tool that is built into Windows Server 2008 in the %windir%/system32 folder. It is available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use csvde, you must run the csvde command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator. For examples of how to use this command, see the Example section below.

Syntax
Csvde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> {<Password> | *}] [-b <UserName> <Domain> {<Password> | *}]

Parameters

Parameter  Description
-i  Specifies import mode. If not specified, the default mode is export.
-f <FileName>  Identifies the import or export file name.
-s <ServerName>  Specifies the domain controller to perform the import or export operation.
-c <String1> <String2>  Replaces all occurrences of String1 with String2. You use this parameter when you import data from one domain to another and you want to replace the distinguished name of the export domain (String1) with the distinguished name of the import domain (String2).
-v  Sets verbose mode.
-j <Path>  Sets the log file location. The default is the current path.
-t <PortNumber>  Specifies an LDAP port. The default LDAP port is 389. The global catalog port is 3268.
-u  Specifies Unicode format.
-d <BaseDN>  Sets the distinguished name of the search base for data export.
-r <LDAPFilter>  Creates an LDAP search filter for data export.
-p <Scope>  Sets the search scope. Search scope options are Base, OneLevel, or SubTree.
-l <LDAPAttributeList>  Sets the list of attributes to return in the results of an export query. LDAP can return attributes in any order, and csvde does not attempt to impose any order on the columns. If you omit this parameter, AD DS returns all attributes.
-o <LDAPAttributeList>  Specifies the list of attributes to omit from the results of an export query. You use this parameter if you need to export objects from AD DS, and then import them into another LDAP-compliant directory. If the other directory does not support certain attributes, you can use this parameter to omit those attributes from the result set.
-g  Omits paged searches.
-m  Omits attributes that apply only to Active Directory objects, such as the ObjectGUID, objectSID, pwdLastSet, and samAccountType attributes.
-n  Omits the export of binary values.
-k  Ignores errors during an import operation and continues processing. The following is a complete list of ignored errors: Object already exists; Constraint violation; Attribute or value already exists.
-a [<UserDistinguishedName> {<Password> | *}]  Performs a simple LDAP bind with the user name and password. Sets the command to run using the supplied UserDistinguishedName and Password. By default, the command runs using the credentials of the user who is currently logged on to the network.
-b [<UserName> <Domain> {<Password> | *}]  Performs a secure LDAP bind with the NEGOTIATE authentication method. Sets the command to run using the supplied Username, Domain, and Password. By default, the command will run using the credentials of the user who is currently logged on to the network.
/?  Displays Help at the command prompt.

Remarks
You cannot import user passwords by using csvde because passwords must be sent over an encrypted channel. Csvde does not support Secure Sockets Layer (SSL) or encrypted LDAP communication. The previous references to passwords relate to the credentials of the user who is running csvde. They are not related to setting passwords for users.

Example
The following sample file contents are for a domain named Cpandl.com that has organizational units (OUs) named SW Dev, Acct, and AP. The AP OU is subordinate to the Acct OU. The first line of the file defines the Active Directory object properties for user accounts to be created by the entries in the rest of the file. The remaining lines are used to create the user accounts. The first user account is created in the default Users container, and the rest of the user accounts are created in the SW Dev, Acct, and AP OUs, respectively:

objectClass,dn,sAMAccountName,userPrincipalName,userAccountControl
user,"CN=KMyer,CN=Users,DC=cpandl,DC=com",KenM,KenM@cpandl.com,514
user,"CN=WYu,OU=SW Dev,DC=cpandl,DC=com",WeiY,WeiY@cpandl.com,514
user,"CN=JMorris,OU=Acct,DC=cpandl,DC=com",JonM,JonM@cpandl.com,514
user,"CN=YXu,OU=AP,OU=Acct,DC=cpandl,DC=com",YeX,YeX@cpandl.com,514

Note: Setting userAccountControl to 514 disables the user account. This is recommended because csvde cannot set passwords.

csvde - advanced configurations - http://www.computerperformance.co.uk/Logon/Logon_CSVDE_import.htm
dsmod - http://technet.microsoft.com/en-us/library/cc732954%28WS.10%29.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
Reason: C is wrong because Windows scripts are files with the following file name extensions: .wsf, .vbs, .js.
DSMOD user to change passwords: to reset multiple user passwords to a common password and force users to change their passwords when they next log on to the network, type:

dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" "CN=Denise Smith,CN=Users,DC=Contoso,DC=Com" -pwd A1b2C3d4 -mustchpwd yes
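The import-then-dsmod procedure above only works safely if every row arrives disabled, because csvde cannot set passwords. The following Python script is an added example (not part of the exam dump or of Microsoft's documentation): it parses a csvde-style file (the sample rows are constructed), flags user rows that would be created enabled or with PASSWD_NOTREQD set, and rewrites the file with both corrected before it is handed to csvde -i -k -f.

```python
"""Pre-import check for a csvde user import file (added example)."""
import csv
import io

# Well-known userAccountControl bit flags (AD schema constants).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
UAC_FLAGS = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# Constructed sample file in the csvde layout shown above. The first two rows
# use 514 (NORMAL_ACCOUNT | ACCOUNTDISABLE) as TechNet recommends; the third
# row uses 512 and would be created enabled with no password; the fourth has
# PASSWD_NOTREQD set (546 = 512 | 32 | 2).
SAMPLE_CSV = """objectClass,dn,sAMAccountName,userPrincipalName,userAccountControl
user,"CN=KMyer,CN=Users,DC=cpandl,DC=com",KenM,KenM@cpandl.com,514
user,"CN=WYu,OU=SW Dev,DC=cpandl,DC=com",WeiY,WeiY@cpandl.com,514
user,"CN=JMorris,OU=Acct,DC=cpandl,DC=com",JonM,JonM@cpandl.com,512
user,"CN=YXu,OU=AP,OU=Acct,DC=cpandl,DC=com",YeX,YeX@cpandl.com,546
"""


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def check_import_file(text):
    """Return (sAMAccountName, problems) for every user row that would not
    arrive disabled, or that waives the password requirement."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("objectClass") != "user":
            continue
        uac = int(row["userAccountControl"])
        problems = []
        if not uac & ACCOUNTDISABLE:
            problems.append("account would be created enabled")
        if uac & PASSWD_NOTREQD:
            problems.append("PASSWD_NOTREQD is set")
        if problems:
            findings.append((row["sAMAccountName"], problems))
    return findings


def harden_import_file(text):
    """Rewrite the file so every user row is disabled (ACCOUNTDISABLE set) and
    requires a password (PASSWD_NOTREQD cleared); other columns are untouched.
    The csv module re-quotes DNs that contain commas, as csvde expects."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        if row.get("objectClass") == "user":
            uac = int(row["userAccountControl"])
            uac = (uac | ACCOUNTDISABLE) & ~PASSWD_NOTREQD
            row["userAccountControl"] = str(uac)
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    for name, problems in check_import_file(SAMPLE_CSV):
        print(f"{name}: {'; '.join(problems)}")
    print(harden_import_file(SAMPLE_CSV))
```

After the hardened file has been imported, dsmod user ... -pwd ... -mustchpwd yes sets the passwords and the accounts can then be enabled.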

QUESTION 12
Your company hires 10 new employees. You want the new employees to connect to the main office through a VPN connection. You create new user accounts and grant the new employees the Allow Read and Allow Execute permissions to shared resources in the main office. The new employees are unable to access the shared resources in the main office. You need to ensure that the users are able to establish a VPN connection to the main office. What should you do?

A. Grant the new employees the Allow Full Control permission.
B. Grant the new employees the Allow Access Dial-in permission.
C. Add the new employees to the Remote Desktop Users security group.
D. Add the new employees to the Windows Authorization Access security group.

Answer: B Section: Maintaining the AD Environment Explanation/Reference: http://technet.microsoft.com/en-us/library/dd469674.aspx

Permissions for Remote Access Users


Applies To: Windows Server 2008 R2

After the Routing and Remote Access service (RRAS) is installed, you must specify the users who are allowed to connect to the RRAS server. RRAS authorization is determined by the dial-in properties on the user account, the network policies, or both. You do not need to create user accounts just for remote access users. RRAS servers can use existing user accounts in the user accounts databases. In both Local Users and Groups and Active Directory Users and Computers, user accounts have a Dial-in tab on which you can configure remote access permissions. For a large number of users, we recommend that you configure network policies on a server running Network Policy Server (NPS).
http://technet.microsoft.com/en-us/library/cc786285%28WS.10%29.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
Best practices for assigning permissions on Active Directory objects

QUESTION 13
You need to move the existing user and computer objects in your company to different organizational units. What are two ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Run the Dsmove utility.
B. Run the Active Directory Migration Tool (ADMT).
C. Run the Active Directory Users and Computers utility.
D. Run the move-item command in the Microsoft Windows PowerShell utility.

Answer: AC Section: Creating & Maintaining AD Objects
Explanation/Reference:
dsmove - http://technet.microsoft.com/en-us/library/cc731094%28WS.10%29.aspx
ADUC - AD DS GUI under Administrative Tools / RSAT on clients - http://technet.microsoft.com/en-us/library/cc786675%28WS.10%29.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
Reason: D is incorrect because move-item can move files and folders only - http://technet.microsoft.com/en-us/library/dd315310.aspx
B is incorrect because ADMT is used to restructure AD between forests and between domains within the same forest.

QUESTION 14
You want users to log on to Active Directory by using a new user principal name (UPN). You need to modify the UPN suffix for all user accounts. Which tool should you use?

A. Dsmod
B. Netdom
C. Redirusr
D. Active Directory Domains and Trusts

Answer: A Section: Powershell & Command line cmds
Explanation/Reference:
dsmod - http://technet.microsoft.com/en-us/library/cc732954%28WS.10%29.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
Reason: You configure the alternate UPN suffix in Active Directory Domains and Trusts, but you still have to modify the user accounts with dsmod or Active Directory Users and Computers.

http://technet.microsoft.com/en-us/library/bb742437.aspx#EEAA
The User Principal Name (UPN) provides an easy-to-use naming style for users to log on to Active Directory. The style of the UPN is based on Internet standard RFC 822, which is sometimes referred to as a mail address. The default UPN suffix is the forest DNS name, which is the DNS name of the first domain in the first tree of the forest. In this and the other step-by-step guides on this site, the default UPN suffix is your FQDN for the first domain in the forest.

You can add alternate User Principal Name suffixes, which increase logon security. And you can simplify user logon names by providing a single UPN suffix for all users. The UPN suffix is only used within the Windows 2000 domain and is not required to be a valid DNS domain name.

Select Active Directory Domains and Trusts in the upper left pane, right-click it, and then click Properties. Enter any preferred alternate UPN suffixes in the Alternate UPN Suffixes box and click Add. Click OK to close the window.

QUESTION 15
You are installing an application on a computer that runs Windows Server 2008 R2. During installation, the application will need to add new attributes and classes to the Active Directory database. You need to ensure that you can install the application. What should you do?

A. Change the forest functional level to Windows Server 2008 R2.
B. Log on by using an account that has Server Operator rights.
C. Log on by using an account that has Schema Administrator rights and the appropriate rights to install the application.
D. Log on by using an account that has Enterprise Administrator rights and the appropriate rights to install the application.

Answer: C Section: Configuring AD FSMO Roles
Explanation/Reference: http://technet.microsoft.com/en-us/library/cc756898%28WS.10%29.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
Schema Admin permissions
Schema Admins (only appears in the forest root domain): members of this group can modify the Active Directory schema. By default, the Administrator account is a member of this group. Because this group has significant power in the forest, add users with caution. No default user rights.

QUESTION 16
Your company has an organizational unit named Production. The Production organizational unit has a child organizational unit named R&D. You create a GPO named Software Deployment and link it to the Production organizational unit. You create a shadow group for the R&D organizational unit. You need to deploy an application to the users in the Production organizational unit. You also need to ensure that the application is not deployed to the users in the R&D organizational unit. What are two ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Configure the Enforced setting on the Software Deployment GPO.
B. Configure the Block Inheritance setting on the R&D organizational unit.
C. Configure the Block Inheritance setting on the Production organizational unit.
D. Configure security filtering on the Software Deployment GPO to deny Apply Group Policy to the R&D security group.

Answer: BD Section: Configuring Group Policy Explanation/Reference: Block inheritance GPO - http://technet.microsoft.com/en-us/library/cc757050%28WS.10%29.aspx --------------------------------------------------------------------------------------------------------------------------------------------Security filter GPO - http://technet.microsoft.com/en-us/library/cc779291%28WS.10%29.aspx

QUESTION 17
Your company has an Active Directory domain that has an organizational unit named Sales. The Sales organizational unit contains two global security groups named Sales Managers and Sales Executives. You need to apply desktop restrictions to the Sales Executives group. You must not apply these desktop restrictions to the Sales Managers group. You create a GPO named DesktopLockdown and link it to the Sales organizational unit. What should you do next?

A. Configure the Deny Apply Group Policy permission for Sales Managers on the DesktopLockdown GPO.
B. Configure the Deny Apply Group Policy permission for Sales Executives on the DesktopLockdown GPO.
C. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.
D. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.

Answer: A Section: Configuring Group Policy
Explanation/Reference:

Security filtering
Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO. In order for the GPO to apply to a given user or computer, that user or computer must have both Read and Apply Group Policy (AGP) permissions on the GPO, either explicitly, or effectively through group membership.
http://technet.microsoft.com/en-us/library/cc786636(v=WS.10).aspx

To filter the scope of Group Policy according to security group membership:
1. Open the Group Policy object whose scope you want to filter.
2. In the console tree, right-click the icon or name of the Group Policy object, and then click Properties.
3. Click the Security tab, and then click the security group through which you want to filter this Group Policy object. If you want to change the list of security groups through which to filter this Group Policy object, use the Add and Remove buttons to add or remove security groups.
4. In the Permissions box for the selected security group, select or clear the appropriate check boxes to set permissions as shown in the following table, and then click OK.

Your intention: Members of this security group have this Group Policy object applied to them.
Permissions: Set Apply Group Policy to Allow. Set Read to Allow.
Result: This Group Policy object applies to members of this security group, unless they are members of at least one other security group that has Apply Group Policy set to Deny, or Read set to Deny, or both.

Your intention: Members of this security group are exempt from this Group Policy object.
Permissions: Set Apply Group Policy to Deny. Set Read to Deny.
Result: This Group Policy object never applies to members of this security group, regardless of the permissions these members have in other security groups.

Your intention: Membership in this security group is irrelevant to whether the Group Policy object should be applied.
Permissions: Set Apply Group Policy to neither Allow nor Deny. Set Read to neither Allow nor Deny.
Result: This Group Policy object applies to members of this security group if and only if they have both Apply Group Policy and Read set to Allow as members of at least one other security group. They also must not have Apply Group Policy or Read set to Deny as members of any other security group.

http://technet.microsoft.com/en-us/library/cc757050%28WS.10%29.aspx --------------------------------------------------------------------------------------------------------------------------------------------Managing inheritance of Group Policy

QUESTION 18
Your company has an Active Directory forest. The company has branch offices in three locations. Each location has an organizational unit. You need to ensure that the branch office administrators are able to create and apply GPOs only to their respective organizational units. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Add the user accounts of the branch office administrators to the Group Policy Creator Owners group.
B. Modify the Managed By tab on each organizational unit to add the branch office administrators to their respective organizational units.
C. Run the Delegation of Control Wizard and delegate the right to link GPOs for the domain to the branch office administrators.
D. Run the Delegation of Control Wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators.

Answer: BD Section: Configuring Group Policy
Explanation/Reference: http://technet.microsoft.com/en-us/library/cc782678%28WS.10%29.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
Creating and Working with GPOs

QUESTION 19
Your company recently acquired a new subsidiary company in Quebec. The Active Directory administrators of the subsidiary company must use the French-language version of the administrative templates. You create a folder on the PDC emulator for the subsidiary domain at the path %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\FR. You need to ensure that the French version of the templates is available. What should you do?

A. Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm files from the Microsoft website. Copy the ADM files to the FR folder.
B. Copy the ADML files from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator.
C. Copy the Install.wim file from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator.
D. Copy the ADMX files from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator.

Answer: B Section: Configuring Group Policy
Explanation/Reference: http://technet.microsoft.com/en-us/library/cc772507%28WS.10%29.aspx
---------------------------------------------------------------------------------------------------------------------------------------------
.admx and .adml File Structure
In order to support the multilingual display of policy settings, the ADMX file structure must be broken into two types of files:
A language-neutral file, .admx, describing the structure of the categories and Administrative template policy settings displayed in the Group Policy Object Editor.
A set of language-dependent files, .adml, providing the localized portions displayed in the Group Policy Object Editor. Each .adml file represents a single language you wish to support.
See the above URL for more information.

QUESTION 20
A server named DC1 has the Active Directory Domain Services (AD DS) role and the Active Directory Lightweight Directory Services (AD LDS) role installed. An AD LDS instance named LDS1 stores its data on drive C:. You need to move the LDS1 instance to drive D:. Which three actions should you perform in sequence? (To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.)

Answer:

Section: Configuring AD LDS Explanation/Reference:

Exam D

QUESTION 1
Your company has an Active Directory forest. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7. The domain uses a set of GPO administrative templates that have been approved to support regulatory compliance requirements. Your partner company has an Active Directory forest that contains a single domain. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7. You need to configure your partner company's domain to use the approved set of administrative templates. What should you do?

A. Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In each site, import the GPO into the Default Domain Policy.
B. Copy the ADMX files from your company's PDC emulator to the PolicyDefinitions folder on the partner company's PDC emulator.
C. Copy the ADML files from your company's PDC emulator to the PolicyDefinitions folder on the partner company's PDC emulator.
D. Download the Conf.adm, system.adm, wuau.adm, and Inetres.adm files from the Microsoft Update website. Copy the ADM files to the PolicyDefinitions folder on the partner company's PDC emulator.

Answer: B Section: Configuring Group Policy
Explanation/Reference:
In Group Policy for versions of Windows earlier than Windows Vista, if you modify Administrative template policy settings on local computers, the Sysvol share on a domain controller within the domain is automatically updated with the new ADM files. In Group Policy for Windows Server 2008 and Windows Vista, if you modify Administrative template policy settings on local computers, Sysvol will not be automatically updated with the new ADMX or ADML files (ADML files are XML-based ADM files that contain language-specific settings). This change in behavior is implemented to reduce network load and disk storage requirements, and to prevent conflicts from occurring between ADMX files and ADML files when edits to Administrative template policy settings are made across different locales. To ensure that any local updates are reflected in Sysvol as well, you must manually copy the updated ADMX or ADML files from the PolicyDefinitions folder on the local computer to the Sysvol\PolicyDefinitions folder on the appropriate domain controller.
---------------------------------------------------------------------------------------------------------------------------------------------
Reason: The requirement is administrative templates. A is wrong because a GPO is not a template file; ADMX is.

QUESTION 2
Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers and DNS servers. All client computers run Windows XP SP3. You need to use your client computers to edit domain-based GPOs by using the ADMX files that are stored in the ADMX central store. What should you do?

A. Add your account to the Domain Administrators group.
B. Upgrade your client computers to Windows 7.
C. Install .NET Framework 3.0 on your client computers.
D. Create a folder on the PDC emulator for the domain at the PolicyDefinitions path. Copy the ADMX files to the PolicyDefinitions folder.

Answer: B Section: Configuring Group Policy Explanation/Reference:

Prerequisites for Administering Domain-Based GPOs with ADMX Files


To complete the tasks in this section, you should have at least:
A Windows Server 2008, Windows Server 2003, or Windows 2000 domain that uses a DNS name server.
A Windows Vista-based computer to use as an administrative workstation.
Since the client machine must be running at least Windows Vista, "B" is the best answer.
---------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 3
Your company purchases a new application to deploy on 200 computers. The application requires that you modify the registry on each target computer before installing the application. The registry modifications are in a file that has an .adm extension. You need to prepare the target computers for the application. What should you do?

A. Import the .adm file into a new Group Policy object (GPO). Edit the GPO and link it to an organizational unit that contains the target computers.
B. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each target computer.
C. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each target computer.
D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRCmp CONTAINER-DN command on each target computer.

Answer: A Section: Configuring Group Policy
Explanation/Reference:
---------------------------------------------------------------------------------------------------------------------------------------------
Reason: An ADM template is a file that is designed to be used within Group Policy to define a registry setting and its value.

QUESTION 4
Your company has an Active Directory domain. All consultants belong to a global group named TempWorkers. The TempWorkers group is not nested in any other groups. You move the computer objects of three file servers to a new organizational unit named SecureServers. These file servers contain only confidential data in shared folders. You need to prevent the members of the TempWorkers group from accessing the confidential data on the file servers. You must achieve this goal without affecting access to domain resources. What should you do?

A. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to this computer from the network user right to the TempWorkers global group.
B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers global group.
C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group.
D. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on locally user right to the TempWorkers global group.

Answer: A Section: Configuring Group Policy
Explanation/Reference:
The strategy is to move the servers with confidential data into their own OU, then deny network access to those servers only for the global group. This should not be done at the domain level, since other resources in the domain may still be needed. Denying the log on locally user right does not affect network access.
---------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 5
All consultants belong to a global group named TempWorkers. You place three file servers in a new organizational unit named SecureServers. The three file servers contain confidential data located in shared folders. You need to record all failed attempts made by the consultants to access the confidential data. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege use - No auditing audit policy setting.
B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object access - Failure audit policy setting.
C. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to this computer from the network user rights setting for the TempWorkers global group.
D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure the Full Control Failure audit setting in the Auditing Entry dialog box.
E. On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab. Configure the Full Control Failure audit setting in the Auditing Entry dialog box.

Answer: BE Section: Configuring Group Policy
Explanation/Reference:

Audit privilege use
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Description
Determines whether to audit each instance of a user exercising a user right. By default, this value is set to No auditing in the Default Domain Controller Group Policy object (GPO) and in the local policies of workstations and servers. If you define this policy setting, you can specify whether to audit successes, audit failures, or not to audit the event type at all. Success audits generate an audit entry when a user right is successfully exercised. Failure audits generate an audit entry when the exercise of a user right fails. You can select No auditing by defining the policy setting and unchecking Success and Failure.
---------------------------------------------------------------------------------------------------------------------------------------------
Auditing Files and Folders
If you configure a group policy to enable the Audit Object Access option, you can set the level of auditing for individual folders and files. This allows you to control precisely how folder and file usage is tracked. Auditing of this type is only available on NTFS volumes. You can configure file and folder auditing by completing the following steps:
1. In Windows Explorer, right-click the file or folder to be audited, and then from the pop-up menu select Properties.
2. Choose the Security tab, and then click Advanced.
3. In the Access Control Settings dialog box, select the Auditing tab, shown in Figure 13-15. If you want to inherit auditing settings from a parent object, ensure that Allow Inheritable Auditing Entries From Parent To Propagate To This Object is selected. If you want child objects of the current object to inherit the settings, select Reset Auditing Entries On All Child Objects And Enable Propagation Of Inheritable Auditing Entries.
4. Use the Auditing Entries list box to select the users, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list box, and then click Remove. To add specific accounts, click Add, and then use the Select Users, Contacts, Computers, Or Groups dialog box to select an account name to add. When you click OK, you'll see the Auditing Entry For New Folder dialog box, shown in Figure 13-16.
   Note: If you want to audit actions for all users, use the special group Everyone. Otherwise, select the specific user groups or users, or both, that you want to audit.
5. As necessary, use the Apply Onto drop-down list box to specify where objects are audited.
6. Select the Successful or Failed check boxes, or both, for each of the events you want to audit. Successful logs successful events, such as successful file reads. Failed logs failed events, such as failed file deletions. The events you can audit are the same as the special permissions listed in Table 13-5, except that you can't audit synchronizing of offline files and folders.
7. Choose OK when you're finished. Repeat this process to audit other users, groups, or computers.

QUESTION 6
Your company has an Active Directory domain and an organizational unit. The organizational unit is named Web. You configure and test new security settings for Internet Information Services (IIS) on a server named IISServerA. You need to deploy the new security settings only on the IIS servers that are members of the Web organizational unit. What should you do?
A. Run secedit /configure /db iis.inf from the command prompt on IISServerA, and then run secedit /configure /db webou.inf from the command prompt.
B. Export the settings on IISServerA to create a security template. Import the security template into a GPO and link the GPO to the Web organizational unit.
C. Export the settings on IISServerA to create a security template. Run secedit /configure /db webou.inf from the command prompt.
D. Import the Hisecws.inf template file into a GPO and link the GPO to the Web organizational unit.

Answer: B
Section: Maintaining the AD Environment
Explanation/Reference:
---------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 7
Your company has an Active Directory forest that contains client computers that run Windows Vista and Windows XP. You need to ensure that users are able to install approved application updates on their computers. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure Automatic Updates in Control Panel on the client computers.
B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically search for updates on the Microsoft Update site.
C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Windows Server Update Services (WSUS) server for approved updates.
D. Install Windows Server Update Services (WSUS). Configure the server to search for new updates on the Internet. Approve all required updates.

Answer: CD
Section: Configuring Group Policy
Explanation/Reference:
---------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 8
Your company has an Active Directory forest. Each branch office has an organizational unit and a child organizational unit named Sales. The Sales organizational unit contains all users and computers of the sales department. You need to install a Microsoft Office 2007 application only on the computers in the Sales organizational unit. You create a GPO named SalesApp GPO. What should you do next?
A. Configure the GPO to assign the application to the computer account. Link the SalesApp GPO to the domain.
B. Configure the GPO to assign the application to the user account. Link the SalesApp GPO to the Sales organizational unit in each location.
C. Configure the GPO to publish the application to the user account. Link the SalesApp GPO to the Sales organizational unit in each location.
D. Configure the GPO to assign the application to the computer account. Link the SalesApp GPO to the Sales organizational unit in each location.

Answer: D
Section: Configuring Group Policy
Explanation/Reference:
Assign the application to the computer account to prevent Sales users from accessing the application when logging on to a computer outside ou=Sales. This GPO needs to be applied at the OU level, not the domain level.
---------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 9
Your company has an Active Directory forest. The forest includes organizational units corresponding to the following four locations:
- London
- Chicago
- New York
- Madrid
Each location has a child organizational unit named Sales. The Sales organizational unit contains all users and computers of the sales department. The offices in London, Chicago and New York are connected by T1 connections. The office in Madrid is connected by a 256 Kbps ISDN connection. You need to install an application on all computers in the sales department. Which two actions should you perform?
A. Disable the slow link detection setting in the Group Policy Object (GPO).
B. Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy Object (GPO).
C. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users. Link the GPO to each Sales organizational unit.
D. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to computers. Link the GPO to each Sales organizational unit.

Answer: AD
Section: Configuring Group Policy
Explanation/Reference:
Need to create a GPO that assigns the software to computers.
---------------------------------------------------------------------------------------------------------------------------------------------
Since the Madrid office is connected via a slow link, the slow link detection setting would stop software distribution to that site unless it is disabled.

QUESTION 10
Your company has an Active Directory forest. The company has three locations. Each location has an organizational unit and a child organizational unit named Sales. The Sales organizational unit contains all users and computers of the sales department. The company plans to deploy a Microsoft Office 2007 application on all computers within the three Sales organizational units. You need to ensure that the Office 2007 application is installed only on the computers in the Sales organizational units. What should you do?
A. Create a Group Policy Object (GPO) named SalesApp GPO. Configure the GPO to assign the application to the computer account. Link the SalesApp GPO to the domain.
B. Create a Group Policy Object (GPO) named SalesApp GPO. Configure the GPO to assign the application to the user account. Link the SalesApp GPO to the Sales organizational unit in each location.
C. Create a Group Policy Object (GPO) named SalesApp GPO. Configure the GPO to publish the application to the user account. Link the SalesApp GPO to the Sales organizational unit in each location.
D. Create a Group Policy Object (GPO) named SalesApp GPO. Configure the GPO to assign the application to the computer account. Link the SalesApp GPO to the Sales organizational unit in each location.

Answer: D
Section: Configuring AD LDS
Explanation/Reference:
Need to apply this GPO to the computers in the Sales OU, not to the users and not at the domain level.
---------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 11
The Default Domain GPO in your company is configured with the following account policy settings:
- Minimum password length: 8 characters
- Maximum password age: 30 days
- Enforce password history: 12 passwords remembered
- Account lockout threshold: 3 invalid logon attempts
- Account lockout duration: 30 minutes
You install Microsoft SQL Server on a computer named Server1 that runs Windows Server 2008 R2. The SQL Server application uses a service account named SQLSrv. The SQLSrv account has domain user rights. The SQL Server computer fails after running successfully for several weeks. The SQLSrv user account is not locked out. You need to resolve the server failure and prevent the failure from recurring. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Reset the password of the SQLSrv user account.
B. Configure the local security policy on Server1 to grant the Log on as a service right to the SQLSrv user account.
C. Configure the properties of the SQLSrv account so that the password never expires.
D. Configure the properties of the SQLSrv account so that the user cannot change the password.
E. Configure the local security policy on Server1 to grant the SQLSrv user account the Allow log on locally right.

Answer: AC
Section: Configuring Group Policy
Explanation/Reference:
Because of the default password policy, the password reached its maximum age. The password needs to be reset, and the account should be set so that the password never expires, to prevent this from happening again.
---------------------------------------------------------------------------------------------------------------------------------------------
Reason: B and E are not correct because the account was able to log on and perform its tasks before the password expired.

D is not correct, as it will not fix this problem or prevent it from happening again.

QUESTION 12
You need to ensure that users who enter three successive invalid passwords within 5 minutes are locked out for 5 minutes. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Set the Minimum password age setting to one day.
B. Set the Maximum password age setting to one day.
C. Set the Account lockout duration setting to 5 minutes.
D. Set the Reset account lockout counter after setting to 5 minutes.
E. Set the Account lockout threshold setting to 3 invalid logon attempts.
F. Set the Enforce password history setting to 3 passwords remembered.

Answer: CDE
Section: Maintaining the AD Environment
Explanation/Reference:
Password age settings would not address the scenario requirements, nor would Enforce password history.
---------------------------------------------------------------------------------------------------------------------------------------------
Lockout settings and lockout thresholds directly apply.

QUESTION 13
Your company has an Active Directory domain. A user attempts to log on to the domain from a client computer and receives the following message: "This user account has expired. Ask your administrator to reactivate the account." You need to ensure that the user is able to log on to the domain. What should you do?
A. Modify the properties of the user account to set the account to never expire.
B. Modify the properties of the user account to extend the Logon Hours setting.
C. Modify the properties of the user account to set the password to never expire.
D. Modify the Default Domain Policy to decrease the account lockout duration.

Answer: A
Section: Maintaining the AD Environment
Explanation/Reference:
---------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 14
Your network consists of a single Active Directory domain. The user accounts for the engineering department are located in an OU named Engineering. You need to create a password policy for the engineering department that is different from your domain password policy. What should you do?
A. Create a new GPO. Link the GPO to the Engineering OU.
B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all organizational units except the Engineering OU.
C. Create a global security group and add all user accounts for the engineering department to the group. Create a new Password Settings Object (PSO) and apply it to the group.
D. Create a domain local security group and add all user accounts for the engineering department to the group. From the Active Directory Users and Computers console, select the group and run the Delegation of Control Wizard.

Answer: C
Section: Maintaining the AD Environment
Explanation/Reference:
In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain. For example, to increase the security of privileged accounts, you can apply stricter settings to the privileged accounts and then apply less strict settings to the accounts of other users. Or in some cases, you may want to apply a special password policy for accounts whose passwords are synchronized with other data sources.
To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory Domain Services (AD DS) schema:
- Password Settings Container
- Password Settings
The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container.
PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these OUs and then applying the newly defined fine-grained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups.
---------------------------------------------------------------------------------------------------------------------------------------------
Windows 2008 Fine-Grained Passwords [password policies per OU, group or user]
ADSI Edit: CN=System, CN=Password Settings Container, right-click, New, Object, msDS-PasswordSettings, enter the name PasswordSettings, enter the values.
ADUC: enable Advanced Features, create the group, go to System, PasswordSettings, msDS-PSOAppliesTo, Edit, enter the group.
---------------------------------------------------------------------------------------------------------------------------------------------
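The same PSO built with the Active Directory module cmdlets that ship with Windows Server 2008 R2, as an added example that is not part of the exam dump: it collects the Engineering users into a global security group (PSOs apply only to users and global groups, never to OUs), creates the PSO with the lockout values question 12 asks for, links it to the group, and then checks which policy a member actually receives. The group name, PSO name, precedence and OU distinguished name are assumptions.

```powershell
# Added example: fine-grained password policy (PSO) for one department.
# Group name, PSO name, precedence and the OU DN are assumptions, not values from the exam.
Import-Module ActiveDirectory

$groupName = 'Engineering-Users'                     # assumed global security group
$psoName   = 'PSO-Engineering'                       # assumed PSO name
$ouDN      = 'OU=Engineering,DC=contoso,DC=com'      # assumed OU that holds the users

# A PSO cannot be linked to an OU, so the OU's users are gathered into a global group first.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -PassThru
}
Get-ADUser -SearchBase $ouDN -Filter * |
    ForEach-Object { Add-ADGroupMember -Identity $group -Members $_ }

# Lowest precedence number wins when several PSOs apply to the same user.
# Lockout values: 3 bad passwords inside a 5-minute window lock the account for 5 minutes.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 12 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 30) -MinPasswordAge (New-TimeSpan -Days 1) `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 5) `
    -LockoutDuration (New-TimeSpan -Minutes 5)

# msDS-PSOAppliesTo is written for you by this cmdlet.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verification: the resultant PSO of a user overrides the Default Domain Policy for that user;
# a user with no PSO shows "Default Domain Policy" here.
Get-ADUser -SearchBase $ouDN -Filter * |
    Select-Object -First 3 |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_
        '{0,-20} {1}' -f $_.SamAccountName, $(if ($pso) { $pso.Name } else { 'Default Domain Policy' })
    }
```

Because membership in the global group is what applies the policy, a user moved out of the Engineering OU keeps the PSO until the group membership is updated, which is the maintenance point the explanation above makes.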

QUESTION 15
Your company has file servers located in an organizational unit named Payroll. The file servers contain payroll files located in a folder named Payroll. You create a GPO. You need to track which employees access the payroll files on the file servers. What should you do?
A. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure auditing for the Everyone group on the Payroll folder.
B. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configure auditing for the Authenticated Users group on the Payroll folder.
C. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. On the file servers, configure auditing for the Authenticated Users group on the Payroll folder.
D. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the file servers, configure auditing for the Everyone group on the Payroll folder.

Answer: A
Section: Configuring Group Policy
Explanation/Reference:
Must be configured both in the GPO and on the Auditing tab of the shared folder. The main question is which groups or users are affected, and what the trigger is that writes the access event to the log.
---------------------------------------------------------------------------------------------------------------------------------------------
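The two halves that questions 5 and 15 describe (the audit policy, and the SACL entry on the folder) done from PowerShell on a file server, as an added example that is not part of the exam dump. The folder path and the domain\group name are assumptions; question 5 needs only the Failure flag, question 15 the Success flag, so the entry below carries both.

```powershell
# Added example: object-access auditing on one shared folder.
# Folder path and principal are assumptions, not values from the exam.
$folder    = 'D:\Shares\Confidential'   # assumed shared-folder path (NTFS volume)
$principal = 'CONTOSO\TempWorkers'      # assumed domain\group to audit

# Step 1: the audit policy. Without it the SACL is never evaluated. The GPO setting
# "Audit object access" linked to the servers' OU does the same for every server in it.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: the SACL entry. Full Control, Success and Failure, inherited by subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $principal,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $folder -Audit          # -Audit reads the SACL (needs SeSecurityPrivilege)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verification: list the explicit and inherited audit entries now on the folder.
$acl = Get-Acl -Path $folder -Audit
$acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# What the log then shows: 4656 (handle requested, logged as Audit Failure on a denied
# request) and 4663 (object accessed). Property index 1 is the subject account name.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -match [regex]::Escape($folder) } |
    Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.Properties[1].Value } }
```

Auditing Everyone rather than a specific group (question 15) trades a larger Security log for not missing an employee who is outside the group; either way the policy half has to be enabled on the file servers themselves, which is why the GPO is linked to their OU and not to the domain controllers.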

QUESTION 16
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The Audit account management policy setting and the Audit directory service access setting are enabled for the entire domain. You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of all attributes. What should you do?
A. Enable the Audit account management policy in the Default Domain Controllers Policy.
B. Run auditpol.exe and set the security settings of the Domain Controllers OU.
C. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain Policy.
D. From the Default Domain Controllers Policy, enable the Audit directory service access setting and enable directory service changes.

Answer: B
Section: Maintaining the AD Environment
Explanation/Reference:
The original answer was B - wondering if C was enabled in the scenario before this answer.
http://technet.microsoft.com/en-us/library/cc731607(v=WS.10).aspx
Step 1: Enable audit policy.
This step includes procedures to enable change auditing with either the Windows interface or a command line:
- By using Group Policy Management, you can turn on the global audit policy, Audit directory service access, which enables all the subcategories for AD DS auditing. If you need to install Group Policy Management, click Add Features in Server Manager. Select Group Policy Management and then click Install.
- By using the Auditpol command-line tool, you can enable individual subcategories.
To enable the global audit policy using the Windows interface
1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
3. Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.
4. In the details pane, right-click Audit directory service access, and then click Properties.
5. Select the Define these policy settings check box.
6. Under Audit these attempts, select the Success check box, and then click OK.
To enable the change auditing policy using a command line
1. Click Start, right-click Command Prompt, and then click Run as administrator.
2. Type the following command, and then press ENTER:
   auditpol /set /subcategory:"directory service changes" /success:enable
Step 2: Set up auditing in object SACLs.
The following procedure presents an example of just one of many different types of SACLs that you can set based on the operations that you want to audit.
To set up auditing in object SACLs
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties.
3. Click the Security tab, click Advanced, and then click the Auditing tab.
4. Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal), and then click OK.
5. In Apply onto, click Descendant User objects (or any other objects).
6. Under Access, select the Successful check box for Write all properties.
7. Click OK until you exit the property sheet for the OU or other object.
---------------------------------------------------------------------------------------------------------------------------------------------
Reason: after applying the policy, you need to configure Properties > Security > Advanced > Auditing on the OU.

QUESTION 17
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. Auditing is configured to log changes made to the Managed By attribute on group objects in an organizational unit named OU1. You need to log changes made to the Description attribute on all group objects in OU1 only. What should you do?
A. Run auditpol.exe.
B. Modify the auditing entry for OU1.
C. Modify the auditing entry for the domain.
D. Create a new Group Policy Object (GPO). Enable the Audit account management policy setting. Link the GPO to OU1.

Answer: B
Section: Maintaining the AD Environment
Explanation/Reference:
---------------------------------------------------------------------------------------------------------------------------------------------
Reason: after applying the policy, you need to configure Properties > Security > Advanced > Auditing on the OU. The question states that "auditing is configured", which means the policy setting is already in place. Therefore you do not need to modify the GPO anymore; only the SACL entry on OU1 changes.
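Both steps of the TechNet procedure quoted under question 16, plus the narrower SACL entry question 17 asks for (writes to the description attribute of group objects under OU1 only), from PowerShell on a Windows Server 2008 R2 domain controller. This is an added example, not code from the exam dump or from the TechNet article; the OU distinguished name is a placeholder, and the attribute and class GUIDs are read from the schema instead of being typed in.

```powershell
# Added example: Directory Service Changes auditing scoped to one attribute of one class
# under one OU. The OU DN is a placeholder; GUIDs are resolved from the schema at run time.
Import-Module ActiveDirectory

$ouDN = 'OU=OU1,DC=contoso,DC=com'   # placeholder: replace with the real OU

# Step 1: the subcategory that yields event 5136 ("A directory service object was modified")
# with the attribute's old and new value. Audit directory service access alone would not.
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /get /subcategory:"Directory Service Changes"

# Step 2: schemaIDGUIDs for the attribute and the class. Looking them up avoids typing a
# 36-character GUID from memory and works in any forest.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$ldapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}
$descriptionGuid = Get-SchemaGuid 'description'   # attribute to watch
$groupClassGuid  = Get-SchemaGuid 'group'         # class the entry is inherited by

# Step 3: the SACL entry. Everyone, WriteProperty on description, Success, applied to
# descendant group objects only. Other classes and other attributes stay unaudited.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.NTAccount]'Everyone',
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    $descriptionGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClassGuid)

$acl = Get-Acl -Path "AD:\$ouDN" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: explicit audit entries on the OU, then the change events themselves.
$acl = Get-Acl -Path "AD:\$ouDN" -Audit
$acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, ObjectType, InheritedObjectType -AutoSize

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Object'; e = { $_.Properties[8].Value } },
                               @{ n = 'Attribute'; e = { $_.Properties[10].Value } },
                               @{ n = 'Value'; e = { $_.Properties[13].Value } }
```

Every directory change produces one 5136 event per attribute value, flagged as a delete of the old value and an add of the new one, so a single description edit appears as two events; the audit entry on the OU only decides which objects and attributes get that treatment, the policy subcategory decides whether any of it is logged at all.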

QUESTION 18
You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup feature is installed on the domain controller. You need to perform a nonauthoritative restore of the domain controller using an existing backup file. What should you do?

A. Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN command to perform a critical volume restore.
B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-in to perform a critical volume restore.
C. Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to perform a critical volume restore.
D. Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical volume restore.

Answer: A
Section: Configuring AD Federated Services
Explanation/Reference:

Performing a Nonauthoritative Restore of AD DS
Applies To: Windows Server 2008
To perform a nonauthoritative restore of Active Directory Domain Services (AD DS), you need at least a system state backup. For more information about the specific components that are included in a system state backup, see What's New in AD DS Backup and Recovery?. To restore a system state backup, use the wbadmin start systemstaterecovery command. The procedure in this topic uses the wbadmin start systemstaterecovery command.
You can also use a critical-volume backup to perform a nonauthoritative restore, or a full server backup if you do not have a system state or critical-volume backup. A full server backup is generally larger than a critical-volume backup or system state backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS. To restore a critical-volume backup or full server backup, use the wbadmin start recovery command.

Requirements for performing nonauthoritative restore of AD DS
To perform a nonauthoritative restore, you must start the domain controller in Directory Services Restore Mode (DSRM). When the domain controller starts in DSRM, you must supply the administrator password for DSRM.
---------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 19
Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains an OU for computers, an OU for groups, and an OU for users. You perform nightly backups. An administrator deletes the Groups OU. You need to restore the Groups OU without affecting the users and computers in the Sales OU. What should you do?
A. Perform an authoritative restore of the Sales OU.
B. Perform an authoritative restore of the Groups OU.
C. Perform a nonauthoritative restore of the Groups OU.
D. Perform a nonauthoritative restore of the Sales OU.

Answer: B
Section: Configuring AD Federated Services
Explanation/Reference:
The authoritative restore is needed to make certain that replication does not cause the Groups OU to be deleted again: after a plain nonauthoritative restore, the replication partners still hold the deletion as the newer change and would replicate it back.

You want to restore only the Groups OU, not the Sales OU, which contains the other sub-OUs; there is no need to change those OUs.
---------------------------------------------------------------------------------------------------------------------------------------------
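The command sequence behind questions 18 and 19, as an added example that is not part of the exam dump or the TechNet text: boot into DSRM, restore system state nonauthoritatively with wbadmin, and, for the deleted-OU case only, mark that one subtree authoritative with ntdsutil before rebooting. The OU distinguished name and the backup version identifier are placeholders; the commands are run one step at a time from an elevated PowerShell prompt, not as a single script, because of the reboots in between.

```powershell
# Added example: nonauthoritative system state restore of a DC, then an authoritative
# restore of one OU. DN and backup version are placeholders, not values from the exam.
$ouDN = 'OU=Groups,OU=Sales,DC=contoso,DC=com'   # placeholder: the deleted OU

# 1. Make the next boot a Directory Services Restore Mode boot (safe mode with AD DS offline)
bcdedit /set safeboot dsrepair
Restart-Computer -Force

# --- after the reboot, log on as .\Administrator with the DSRM password ---

# 2. Pick the backup to restore from and run the nonauthoritative system state restore.
#    The version identifier below is constructed; take it from "wbadmin get versions".
wbadmin get versions
wbadmin start systemstaterecovery -version:01/15/2012-23:00 -quiet

# 3. Question 19 only: before AD DS is started again, mark the restored subtree
#    authoritative so its version numbers outrank the deletion held by the other DCs.
#    Each quoted argument is one ntdsutil command; "restore subtree" asks for confirmation.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $ouDN" quit quit

# 4. Remove the DSRM boot switch and return to normal operation; AD DS then replicates
#    normally and the other DCs accept the authoritative objects instead of re-deleting them.
bcdedit /deletevalue safeboot
Restart-Computer -Force

# 5. Verification after the reboot: the OU exists again and replication is healthy.
Import-Module ActiveDirectory
Get-ADObject -Identity $ouDN -Properties whenChanged | Select-Object DistinguishedName, whenChanged
repadmin /replsummary
```

Restoring the whole Sales OU authoritatively (answer A) would also roll the users and computers under it back to the backup's state, which is exactly the side effect the question says to avoid; restoring only the Groups subtree bounds the rollback to the objects that were actually lost.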

QUESTION 20
Your company has a domain controller server that runs the Windows Server 2008 R2 operating system. The server is a backup server. The server has a single 500 GB hard disk that has three partitions for the operating system, applications, and data. You perform daily backups of the server. The hard disk fails. You replace the hard disk with a new hard disk of the same capacity. You restart the computer from the installation media. You select the Repair your computer option. You need to restore the operating system and all files. What should you do?
A. Select the System Image Recovery option.
B. Run the Imagex utility at the command prompt.
C. Run the Wbadmin utility at the command prompt.
D. Run the Rollback utility at the command prompt.

Answer: C
Section: Configuring AD Federated Services
Explanation/Reference:
Wbadmin is the correct utility for this job.
---------------------------------------------------------------------------------------------------------------------------------------------

Exam E
QUESTION 1
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller. Which tool should you use?
A. dsmod
B. ntdsutil
C. Local Users and Groups snap-in
D. Active Directory Users and Computers snap-in

Answer: B
Section: Powershell & Command line cmds
Explanation/Reference:
ntdsutil
set dsrm password
---------------------------------------------------------------------------------------------------------------------------------------------

To Reset the DSRM Administrator Password
1. Click Start, click Run, type ntdsutil, and then click OK.
2. At the Ntdsutil command prompt, type set dsrm password.
3. At the DSRM command prompt, type one of the following lines:
   - To reset the password on the server on which you are working, type reset password on server null. The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when you are prompted. Note that no characters appear while you type the password.
   -or-
   - To reset the password for another server, type reset password on server servername, where servername is the DNS name for the server on which you are resetting the DSRM password. Type the new password when you are prompted. Note that no characters appear while you type the password.
4. At the DSRM command prompt, type q.
5. At the Ntdsutil command prompt, type q to exit.

QUESTION 2
A domain controller named DC12 runs critical services. Restructuring of the organizational unit hierarchy for the domain has been completed, and unnecessary objects have been deleted. You need to perform an offline defragmentation of the Active Directory database on DC12. You also need to ensure that the critical services remain online. What should you do?
A. Start the domain controller in Directory Services Restore Mode. Run the Defrag utility.
B. Start the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility.
C. Stop the Domain Controller service in the Services (Local) Microsoft Management Console (MMC). Run the Defrag utility.
D. Stop the Domain Controller service in the Services (Local) Microsoft Management Console (MMC). Run the Ntdsutil utility.

Answer: D
Section: Powershell & Command line cmds
Explanation/Reference:
Restartable AD DS (Windows Server 2008 and later) lets the directory service be stopped on its own, so the other services on DC12 stay online; a DSRM boot would take the whole server out of service.

To perform offline defragmentation of the directory database


Compact the database file to a local directory or remote shared folder, as follows: Local directory: Go to step 2.

Remote directory: If you are compacting the database file to a shared folder on a remote computer,
before you stop AD DS, prepare a shared directory on a remote server in the domain. For example, create the share \\ServerName\NTDS. Allow access to only the Builtin Administrators group. On the domain controller, map a network drive to this shared folder.

Important
You should make a copy of the existing Ntds.dit file if at all possible, even if you have to store that copy on a network drive. If the compaction of the database does not work properly, you can then easily restore the database by copying back the copy of the Ntds.dit file that you made. Do not delete this copy of the Ntds.dit file until you have verified that the domain controller starts properly.

1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER:
   net stop ntds
3. Type Y to agree to stop additional services, and then press ENTER.
4. At the command prompt, type ntdsutil, and then press ENTER.
5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
6. At the ntdsutil prompt, type files, and then press ENTER.
7. If you are compacting the database to a local drive, at the file maintenance: prompt, type compact to <drive>:\<LocalDirectoryPath> (where <drive>:\<LocalDirectoryPath> is the path to a location on the local computer), and then press ENTER. If you mapped a drive to a shared folder on a remote computer, type the drive letter only, for example, compact to K:\.

   Note
   When you compact the database to a local drive, you must provide a path. If the path contains any spaces, enclose the entire path in quotation marks (for example, compact to "c:\new folder"). If the directory does not exist, Ntdsutil.exe creates the directory and then creates the file named Ntds.dit in that location.

8. If defragmentation completes successfully, type quit, and then press ENTER to quit the file maintenance: prompt. Type quit again, and then press ENTER to quit Ntdsutil.exe. Go to step 9. If defragmentation completes with errors, go to step 12.

   Caution
   Do not overwrite the original Ntds.dit file or delete any log files.

9. If defragmentation succeeds with no errors, follow the Ntdsutil.exe onscreen instructions to:
   a. Delete all the log files in the log directory by typing the following command, and then pressing ENTER:
      del <drive>:\<pathToLogFiles>\*.log
      Ntdsutil provides the correct path to the log files in the onscreen instructions.

      Note
      You do not have to delete the Edb.chk file.

   b. Make a copy of the existing Ntds.dit file if at all possible, even if you have to store that copy on a secured network drive. If the compaction of the database does not work properly, you can then easily restore the database by copying it back to the original location. Do not delete the copy of the Ntds.dit file until you have at least verified that the domain controller starts properly. If space allows, you can rename the original Ntds.dit file to preserve it. Avoid overwriting the original Ntds.dit file.
   c. Manually copy the compacted database file to the original location, as follows:
      copy <temporaryDrive>:\ntds.dit <originalDrive>:\<pathToOriginalDatabaseFile>\ntds.dit
      Ntdsutil provides the correct paths to the temporary and original locations of the Ntds.dit file.
10. At the command prompt, type ntdsutil, and then press ENTER.
11. At the ntdsutil: prompt, type files, and then press ENTER.
12. At the file maintenance: prompt, type integrity, and then press ENTER.
13. If the integrity check fails, the likely cause is that an error occurred during the copy operation in step 9.c. Repeat steps 9.c through 12. If the integrity check fails again, either contact Microsoft Customer Service and Support, or copy the original version of the Ntds.dit file that you preserved in step 9.b to the original database location and repeat the offline defragmentation procedure.
14. If the integrity check succeeds, proceed as follows: If the initial compact to command failed, go back to step 7 and perform steps 7 through 12. If the initial compact to command succeeded, type quit and press ENTER to quit the file maintenance: prompt, and then type quit and press ENTER again to quit Ntdsutil.exe.
15. Restart AD DS. At the command prompt, type the following command, and then press ENTER:
    net start ntds
16. If errors appear when you restart AD DS:
    a. Stop AD DS. At the command prompt, type the following command, and then press ENTER:
       net stop ntds
       Type Y to agree to stop additional services, and then press ENTER.
    b. Check the errors in Event Viewer. If the following events are logged in the Directory Service log in Event Viewer when you restart AD DS, respond to the events as follows:
       Event ID 1046: The Active Directory database engine caused an exception with the following parameters. In this case, AD DS cannot recover from this error and you must restore from backup media.
       Event ID 1168: Internal error: An Active Directory error has occurred. In this case, information is missing from the registry and you must restore from backup media.
    c. Check database integrity, and then proceed as follows: If the integrity check fails, try repeating steps 9.c through 12 above, and then repeat the integrity check. If the integrity check fails again, either contact Microsoft Customer Service and Support, or copy the original version of the Ntds.dit file that you preserved in step 9.b to the original database location and repeat the offline defragmentation procedure. If the integrity check succeeds, follow the steps in the procedure "If the Database Integrity Check Fails, Perform Semantic Database Analysis with Fixup".
17. If semantic database analysis with fixup succeeds, quit Ntdsutil.exe, and then restart AD DS. At the command prompt, type the following command, and then press ENTER:
    net start ntds

Compacting or defragging the AD database (ntds.dit), in short: stop Active Directory Domain Services, then
  ntdsutil: files
  file maintenance: compact to c:\temp
---------------------------------------------------------------------------------------------------------------------------------------------
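The procedure above as one script, added here as an example and not taken from the page or from Microsoft's documentation. It assumes the database is in the default %SystemRoot%\NTDS folder, that C:\NTDS-compact and C:\NTDS-backup are on a local drive with enough free space, and that ntdsutil prints its English success messages.

```powershell
# Added example: offline defragmentation of Ntds.dit, run in an elevated PowerShell
# session on the domain controller. Paths below are assumptions; adjust them.
$ntdsDir    = Join-Path $env:SystemRoot 'NTDS'
$compactDir = 'C:\NTDS-compact'   # destination for the compacted Ntds.dit
$backupDir  = 'C:\NTDS-backup'    # preserved copy of the original Ntds.dit (step 9.b)
New-Item -ItemType Directory -Path $compactDir, $backupDir -Force | Out-Null

# Remember which dependent services (KDC, DNS, ...) were running so they can be restarted.
$ntds       = Get-Service -Name NTDS
$dependents = $ntds.DependentServices | Where-Object { $_.Status -eq 'Running' }

# Steps 2-3: the equivalent of "net stop ntds" and answering Y for dependent services.
Stop-Service -Name NTDS -Force

try {
    # Step 9.b first: preserve the original before anything is changed.
    Copy-Item -Path (Join-Path $ntdsDir 'ntds.dit') -Destination $backupDir -Force

    # Steps 4-8: each argument is one line typed at the ntdsutil prompts.
    $compact = & ntdsutil.exe 'activate instance ntds' 'files' "compact to $compactDir" 'quit' 'quit'
    $compact | Write-Host
    if (($compact -join "`n") -notmatch 'Compaction is successful') {
        throw 'Compaction failed; the original Ntds.dit and log files are untouched.'
    }

    # Steps 9.a and 9.c: delete the old log files, copy the compacted database into place.
    Remove-Item -Path (Join-Path $ntdsDir '*.log') -Force
    Copy-Item -Path (Join-Path $compactDir 'ntds.dit') -Destination $ntdsDir -Force

    # Steps 10-12: integrity check of the file now sitting in the original location.
    $integrity = & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit'
    $integrity | Write-Host
    if (($integrity -join "`n") -notmatch 'Integrity check successful') {
        # Step 13 fallback: put the preserved original back before giving up.
        Copy-Item -Path (Join-Path $backupDir 'ntds.dit') -Destination $ntdsDir -Force
        throw 'Integrity check failed; the preserved original Ntds.dit was restored.'
    }
}
finally {
    # Step 15: "net start ntds", plus the services that were stopped along with it.
    Start-Service -Name NTDS
    $dependents | ForEach-Object { Start-Service -Name $_.Name }
}
```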

QUESTION 3
You need to identify all failed logon attempts on the domain controllers. What should you do?
A. Run Event Viewer.
B. View the Netlogon.log file.
C. Run the Security Configuration Wizard.
D. View the Security tab on the domain controller's computer object.

Answer: A
Section: Maintaining the AD Environment
Explanation/Reference:
---------------------------------------------------------------------------------------------------------------------------------------------
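The Security log data the answer points at, read from every domain controller with PowerShell and summarised per account and source; this is an added example, not part of the original page. It assumes the Active Directory module (RSAT on 2008 R2), permission to read remote event logs on the DCs, and that C:\Temp is writable.

```powershell
# Added example: failed logon attempts across all DCs in the last 24 hours.
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-24)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# What a DC records for a failed logon depends on the protocol used:
#   4771 Kerberos pre-authentication failed (client in the IpAddress field)
#   4776 NTLM credential validation failed (client in the Workstation field)
#   4625 a logon to the DC itself failed (client in the IpAddress field)
$failures = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $since
    }
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($e.Id -eq 4776) { $source = $data['Workstation'] } else { $source = $data['IpAddress'] }
        if ($e.Id -eq 4625) { $status = $data['SubStatus'] }  else { $status = $data['Status'] }
        # Status: 0xC000006A wrong password, 0xC0000234 locked out, 0xC0000064 no such
        # account; for 4771 it is a Kerberos code (0x18 = pre-authentication failed).
        New-Object PSObject -Property @{
            DomainController = $dc
            TimeCreated      = $e.TimeCreated
            EventId          = $e.Id
            Account          = $data['TargetUserName']
            Source           = $source
            Status           = $status
        }
    }
}

# Many failures for one account from one source is the pattern worth a look: a stale
# credential on a service, a script with an old password, or a guessing attempt.
$summary = $failures | Group-Object Account, Source | ForEach-Object {
    New-Object PSObject -Property @{
        Account = $_.Group[0].Account
        Source  = $_.Group[0].Source
        Count   = $_.Count
        Codes   = ($_.Group | Select-Object -ExpandProperty Status -Unique) -join ','
        DCs     = ($_.Group | Select-Object -ExpandProperty DomainController -Unique) -join ','
    }
} | Sort-Object Count -Descending

$summary | Format-Table Account, Source, Count, Codes, DCs -AutoSize
$summary | Where-Object { $_.Count -ge 10 } |
    Export-Csv -NoTypeInformation -Path 'C:\Temp\failed-logons.csv'
```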

QUESTION 4
You create 200 new user accounts. The users are located in six different locations. New users report that they receive the following error message when they attempt to log on: "The user name or password is incorrect." You confirm that the user accounts exist and are enabled. You also confirm that the user name and password supplied are correct. You need to identify the cause of the failure. You also need to ensure that the new users are able to log on. Which utility should you run?
A. Rsdiag
B. Rstools
C. Repadmin
D. Active Directory Domains and Trusts

Answer: C
Section: Powershell & Command line cmds
Explanation/Reference:

Repadmin
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008, Windows Server 2008 R2

Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems. Repadmin.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).

To use Repadmin.exe, you must run the repadmin command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

You can use Repadmin.exe to view the replication topology, as seen from the perspective of each domain controller. In addition, you can use Repadmin.exe to manually create the replication topology, to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors (UTDVECs). You can also use Repadmin.exe to monitor the relative health of an Active Directory Domain Services (AD DS) forest.
---------------------------------------------------------------------------------------------------------------------------------------------
http://technet.microsoft.com/en-us/library/cc770963(v=WS.10).aspx

QUESTION 5
You need to validate whether Active Directory replicated successfully between two domain controllers. What should you do?
A. Run the dsget command.
B. Run the Dsquery command.
C. Run the repadmin command.
D. Run Windows System Resource Manager.

Answer: C
Section: Powershell & Command line cmds
Explanation/Reference:

Repadmin
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008, Windows Server 2008 R2

Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems. Repadmin.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).

To use Repadmin.exe, you must run the repadmin command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

You can use Repadmin.exe to view the replication topology, as seen from the perspective of each domain controller. In addition, you can use Repadmin.exe to manually create the replication topology, to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors (UTDVECs). You can also use Repadmin.exe to monitor the relative health of an Active Directory Domain Services (AD DS) forest.
---------------------------------------------------------------------------------------------------------------------------------------------
http://technet.microsoft.com/en-us/library/cc770963(v=WS.10).aspx
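The repadmin check behind both Question 4 (new accounts not yet replicated to the DC a user authenticates against) and Question 5 (validating replication between DCs), written as an added example that is not from the page or from the repadmin documentation. It assumes repadmin.exe is available (AD DS role or RSAT), Domain Admins rights, and the column names of repadmin's CSV header.

```powershell
# Added example: parse "repadmin /showrepl * /csv" and flag failing or stale links.
$staleAfter = (Get-Date).AddHours(-24)

# One row per (destination DC, naming context, source DC) across the forest.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

$links = foreach ($r in $rows) {
    $lastSuccess = $null
    # The time columns are blank when a link has never succeeded or never failed.
    if ($r.'Last Success Time') {
        try { $lastSuccess = [datetime]$r.'Last Success Time' } catch { }
    }
    New-Object PSObject -Property @{
        Destination   = $r.'Destination DSA'
        Source        = $r.'Source DSA'
        NamingContext = $r.'Naming Context'
        Failures      = [int]$r.'Number of Failures'
        LastStatus    = $r.'Last Failure Status'
        LastSuccess   = $lastSuccess
        Stale         = ($lastSuccess -eq $null) -or ($lastSuccess -lt $staleAfter)
    }
}

$problems = $links | Where-Object { $_.Failures -gt 0 -or $_.Stale }
if ($problems) {
    "Replication problems found:"
    $problems | Sort-Object Destination, NamingContext |
        Format-Table Destination, Source, NamingContext, Failures, LastStatus, LastSuccess -AutoSize
} else {
    "All $($links.Count) replication links succeeded within the last 24 hours."
}

# For Question 4 symptoms, push the domain partition to every DC and re-run the check:
#   repadmin /syncall /AdeP
# "repadmin /replsummary" gives the same picture as a per-DC summary.
```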

QUESTION 6
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amount of CPU resources on a domain controller. What should you do?
A. Review the performance data in Resource Monitor.
B. Review the Hardware Events log in Event Viewer.
C. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.
D. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report.

Answer: D
Section: Configuring AD LDS
Explanation/Reference:
Server Manager > Diagnostics > Reliability and Performance > Data Collector Sets > System > Active Directory Diagnostics
---------------------------------------------------------------------------------------------------------------------------------------------
To run the Active Directory Data Collector, follow these steps:
1. Open Server Manager on a Full version of Windows Server 2008 or later, or go to Start > Run > Perfmon.msc and then press ENTER.
2. Expand Diagnostics > Reliability and Performance > Data Collector Sets > System.
3. Right-click Active Directory Diagnostics and then click Start in the menu that appears. The default setting gathers data for the report for 300 seconds (5 minutes), after which it takes an additional period to compile the report. The time needed to compile the report is proportional to how much data was gathered during the period.
4. Once the report has compiled, look under Diagnostics > Reliability and Performance > Reports > System > Active Directory Diagnostics to view the report or reports that have been completed.

The report contains eight broad categories under Diagnostic Results that hold the information and conclusions in the report. These will not always tell the exact cause of the problem but can be used to determine where to investigate in order to find the exact cause. Items to look at when facing high CPU utilization by Lsass.exe are the Diagnostic Results portion of the report, which shows general performance concerns, and the Active Directory category, which details what the domain controller is busy doing at that time, such as which LDAP queries are affecting performance. Domain controllers are often most affected by remote computers in the environment issuing "expensive" queries, or subjecting them to a higher volume of queries. The Network portion of the report can be useful in determining the remote clients that are communicating most with the domain controller while the diagnostic was gathering data.

QUESTION 7
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to capture all replication errors from all domain controllers to a central location. What should you do?
A. Configure event log subscriptions.
B. Start the System Performance Data Collector Set.
C. Start the Active Directory Diagnostics Data Collector Set.
D. Install Network Monitor and create a new capture.

Answer: A
Section: Maintaining the AD Environment
Explanation/Reference:
Server Manager > Diagnostics > Event Viewer > Subscriptions. With subscriptions you can configure event logs to be forwarded to a central computer.
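The collector side of such a subscription, added here as an example that is not from the page or from Microsoft's documentation: a source-initiated subscription that forwards error- and critical-level entries of the Directory Service log (where replication errors are written) from every domain controller into the collector's ForwardedEvents log. It assumes an elevated session on the collector, WinRM enabled on the DCs, and that the collector name in the Group Policy setting at the end is replaced.

```powershell
# Added example: register a source-initiated event subscription for DC replication errors.

# One-time collector setup: Windows Event Collector service plus its WinRM listener.
wecutil qc /q

# AllowedSourceDomainComputers is an SDDL string; DD = Domain Controllers, NS = Network Service.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DC-DirectoryService-Errors</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Directory Service log errors from all domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Directory Service">
        <Select Path="Directory Service">*[System[(Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@

$path = Join-Path $env:TEMP 'dc-ds-errors.xml'
Set-Content -Path $path -Value $subscription
wecutil cs $path                           # create the subscription from the XML
wecutil gs DC-DirectoryService-Errors      # show the stored configuration
# Later, "wecutil gr DC-DirectoryService-Errors" lists which DCs have connected.

# Source side, applied to the Domain Controllers OU by Group Policy:
#   Computer Configuration > Policies > Administrative Templates > Windows Components >
#   Event Forwarding > Configure target Subscription Manager:
#   Server=http://COLLECTOR-FQDN-PLACEHOLDER:5985/wsman/SubscriptionManager/WEC,Refresh=60
# The DCs forward as NETWORK SERVICE, which must be able to read the Directory Service log.
```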

QUESTION 8
You have an Active Directory domain that runs Windows Server 2008 R2. You need to implement a certification authority (CA) server that meets the following requirements:
- Allows the certification authority to automatically issue certificates
- Integrates with Active Directory Domain Services
What should you do?
A. Install and configure the Active Directory Certificate Services server role as a standalone root CA.
B. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA.
C. Purchase a certificate from a third-party certification authority. Install and configure the Active Directory Certificate Services server role as a standalone subordinate CA.
D. Purchase a certificate from a third-party certification authority. Import the certificate into the computer store of the schema master.

Answer: B
Section: Configuring AD Certificate Services
Explanation/Reference:
If you are using templates you need Windows 2008 Enterprise.
---------------------------------------------------------------------------------------------------------------------------------------------
Automatically issuing certificates requires AD CS.

QUESTION 9
Your company has an Active Directory forest. You plan to install an Enterprise certification authority (CA) on a dedicated standalone server. When you attempt to add the Active Directory Certificate Services (AD CS) server role, you find that the Enterprise CA option is not available. You need to install the AD CS server role as an Enterprise CA. What should you do first?
A. Add the DNS Server server role.
B. Join the server to the domain.
C. Add the Web Server (IIS) server role and the AD CS server role.
D. Add the Active Directory Lightweight Directory Services (AD LDS) server role.

Answer: B
Section: Configuring AD Certificate Services
Explanation/Reference:
Root CAs and sub-CAs are normally NOT members of the domain (pre-R2?) because those servers are offline and locked up in a vault. The issuing CAs are members of the domain, because they are online.
---------------------------------------------------------------------------------------------------------------------------------------------
In this case, however, this Server 2008 R2 server must be a member server in the domain to get the Enterprise CA option, but should not be a DC.

QUESTION 10
You have a Windows Server 2008 R2 server that has the Active Directory Certificate Services server role installed. You need to minimize the amount of time it takes for client computers to download a certificate revocation list (CRL). What should you do?
A. Install and configure an Online Responder.
B. Install and configure an additional domain controller.
C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.
D. Import the issuing CA certificate into the Trusted Root Certification Authorities store on all client workstations.

Answer: A
Section: Configuring AD Certificate Services
Explanation/Reference:
An Online Responder is a trusted server that receives and responds to individual client requests for information about the status of a certificate. The use of Online Responders is one of two common methods for conveying information about the validity of certificates. Unlike certificate revocation lists (CRLs), which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to individual requests from clients for information about the status of a certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than CRLs.
---------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 11
You have a Windows Server 2008 R2 Enterprise Root CA. The security policy prevents port 443 and port 80 from being opened on domain controllers and on the issuing CA. You need to allow users to request certificates from a web interface. You install the Active Directory Certificate Services (AD CS) server role. What should you do next?
A. Configure the Online Responder role service on a member server.
B. Configure the Online Responder role service on a domain controller.
C. Configure the Certificate Enrollment Web Service role service on a member server.
D. Configure the Certificate Enrollment Web Service role service on a domain controller.

Answer: C
Section: Configuring AD Certificate Services
Explanation/Reference:
The Certificate Enrollment Policy Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to obtain certificate enrollment policy information. Together with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain. The Certificate Enrollment Policy Web Service uses the HTTPS protocol to communicate certificate policy information to network client computers. The Web service uses the LDAP protocol to retrieve certificate policy from Active Directory Domain Services (AD DS) and caches the policy information to service client requests. In previous versions of AD CS, certificate policy information can be accessed only by domain client computers that are using the LDAP protocol. This limits policy-based certificate issuance to the trust boundaries established by AD DS forests.
---------------------------------------------------------------------------------------------------------------------------------------------
Since the CEWS role uses HTTPS, which the scenario says cannot be opened on a DC, the answer is limited to C.

QUESTION 12
Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD CS) is configured as a standalone certification authority (CA) on the server. You need to audit changes to the CA configuration settings and the CA security settings. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure auditing in the Certification Authority snap-in.
B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%\CertSrv directory.
C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.
D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate Services (AD CS) server.

Answer: AD
Section: Configuring AD Certificate Services
Explanation/Reference:

To configure CA event auditing
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. On the Auditing tab, click the events that you want to audit, and then click OK.
5. On the Action menu, point to All Tasks, and then click Stop Service.
6. On the Action menu, point to All Tasks, and then click Start Service.
---------------------------------------------------------------------------------------------------------------------------------------------
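The two tasks of the answer from the command line, as an added example that is not from the page or from Microsoft's documentation, run elevated on the CA. The AuditFilter bit values follow the documented CA\AuditFilter registry value; the event IDs used in the final check are those of the Certification Services audit subcategory.

```powershell
# Added example: enable CA auditing for configuration and security-setting changes.

# AuditFilter is a bit mask: 1 start/stop service, 2 backup/restore database,
# 4 issue and manage requests, 8 change CA configuration, 16 change CA security
# settings, 32 store/retrieve archived keys, 64 revoke certificates and publish CRLs.
# The question asks for configuration and security changes only; 127 would enable all.
$auditBits = 8 + 16

# Task A: the same registry value the Auditing tab of the CA snap-in writes.
certutil -setreg CA\AuditFilter $auditBits
Restart-Service -Name CertSvc      # the CA reads the filter only at service start

# Task D: the Object Access category, in which the CA logs its events under the
# "Certification Services" subcategory, for both success and failure.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Verify both settings took effect.
certutil -getreg CA\AuditFilter
auditpol /get /subcategory:"Certification Services"

# From now on changes show up in the Security log, e.g. 4885 (audit filter changed),
# 4882 (CA security permissions changed) and 4891 (a configuration entry changed).
Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents 20 -FilterHashtable @{
    LogName = 'Security'; Id = 4882, 4885, 4891
} | Select-Object TimeCreated, Id, Message
```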

QUESTION 13
Your company has an Active Directory domain. You install an Enterprise Root certification authority (CA) on a member server named Server1. You need to ensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1. What should you do?
A. Remove the Request Certificates permission from the Domain Users group.
B. Remove the Request Certificates permission from the Authenticated Users group.
C. Assign the Allow - Manage CA permission to only the Security Manager user account.
D. Assign the Allow - Issue and Manage Certificates permission to only the security administrator user account.

Answer: D
Section: Configuring AD Certificate Services
Explanation/Reference:
A certificate manager can approve certificate enrollment and revocation requests, issue certificates, and manage certificates. This role can be configured by assigning a user or group the Issue and Manage Certificates permission. When you assign this permission to a user or group, you can further refine their ability to manage certificates by group and by certificate template. For example, you might want to implement a restriction that they can only approve requests or revoke smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group. This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA. You must be a CA administrator or a member of Enterprise Admins, or equivalent, to complete this procedure. For more information, see Implement Role-Based Administration.

To configure certificate manager restrictions for a CA
1. Open the Certification Authority snap-in, and right-click the name of the CA.
2. Click Properties, and then click the Security tab.
3. Verify that the user or group that you have selected has Issue and Manage Certificates permission. If they do not yet have this permission, select the Allow check box, and then click Apply.
4. Click the Certificate Managers tab.
5. Click Restrict certificate managers, and verify that the name of the group or user is displayed.
6. Under Certificate Templates, click Add, select the template for the certificates that you want this user or group to manage, and then click OK. Repeat this step until you have selected all certificate templates that you want to allow this certificate manager to manage.
7. Under Permissions, click Add, type the name of the client for whom you want the certificate manager to manage the defined certificate types, and then click OK.
8. If you want to block the certificate manager from managing certificates for a specific user, computer, or group, under Permissions, select this user, computer, or group, and click Deny.
9. When you are finished configuring certificate manager restrictions, click OK or Apply.
---------------------------------------------------------------------------------------------------------------------------------------------
Reason: A certificate manager can approve certificate enrollment and revocation requests; he can also issue certificates and manage certificates.

QUESTION 14
You have a Windows Server 2008 R2 Enterprise Root certification authority (CA). You need to grant members of the Account Operators group the ability to manage only basic EFS certificates. You grant the Account Operators group the Issue and Manage Certificates permission on the CA. Which three tasks should you perform next? (Each correct answer presents part of the solution. Choose three.)
A. Enable the Restrict Enrollment Agents option on the certification authority.
B. Enable the Restrict Certificate Managers option on the CA.
C. Add the Basic EFS certificate template to the Account Operators group.
D. Grant the Account Operators group the Manage CA permission on the CA.
E. Remove all unnecessary certificate templates that are assigned to the Account Operators group.

Answer: BCE
Section: Configuring AD Certificate Services
Explanation/Reference:
A certificate manager can approve certificate enrollment and revocation requests, issue certificates, and manage certificates. This role can be configured by assigning a user or group the Issue and Manage Certificates permission.
http://technet.microsoft.com/en-us/library/cc753372.aspx
---------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 15
You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an enterprise root certification authority (CA). You install the Online Responder role service on Server2. You need to configure Server1 to support the Online Responder. What should you do?
A. Import the enterprise root CA certificate.
B. Configure the Certificate Revocation List Distribution Point extension.
C. Configure the Authority Information Access (AIA) extension.
D. Add the Server2 computer account to the CertPublishers group.

Answer: C
Section: Configuring AD Certificate Services
Explanation/Reference:
To function properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP) Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a non-Microsoft OCSP responder. Configuring a certification authority (CA) to support OCSP responder services includes the following steps:
1. Configure certificate templates and issuance properties for OCSP Response Signing certificates.
2. Configure enrollment permissions for any computers that will be hosting Online Responders.
3. If this is a Windows Server 2003-based CA, enable the OCSP extension in issued certificates.
4. Add the location of the Online Responder or OCSP responder to the authority information access extension on the CA.
5. Enable the OCSP Response Signing certificate template for the CA.
---------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 16
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runs an Enterprise Root certification authority (CA). You need to ensure that only administrators can sign code. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Publish the Code Signing template.
B. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only administrators to apply the policy.
C. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted Publishers.
D. Modify the security settings on the template to allow only administrators to request code signing certificates.

Answer: AD
Section: Configuring AD Certificate Services
Explanation/Reference:

Default templates in Windows Server 2008

Name                  | Description                                                                                                                                                    | Subject type | Key usage                | Application policies or enhanced key usage                                                              | Version
Administrator         | Allows trust list signing and user authentication                                                                                                              | User         | Signature and encryption | Microsoft trust list signing, Encrypting File System (EFS), Secure e-mail, Client authentication        | 4.1
Authenticated Session | Allows subjects to authenticate to a Web server                                                                                                                | User         | Signature                | Client authentication                                                                                   | 3.1
Basic EFS             | Used by EFS to encrypt data                                                                                                                                    | User         | Encryption               | EFS                                                                                                     | 3.1
CA Exchange           | Used to protect private keys as they are sent to the CA for private key archival                                                                               | Computer     | Encryption               | Private key archival                                                                                    | 106.0
CEP Encryption        | Allows the holder to act as a registration authority for Simple Certificate Enrollment Protocol (SCEP) requests; used by the Network Device Enrollment Service for its key exchange certificate | Computer | Encryption | Certificate request agent                                                                        | 4.1
Code Signing          | Used to digitally sign software                                                                                                                                | User         | Signature                | Code signing                                                                                            | 3.1

---------------------------------------------------------------------------------------------------------------------------------------------
Reason: Code Signing is a template.

QUESTION 17
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA. The Enterprise Intermediate CA certificate expires. You need to deploy a new Enterprise Intermediate certificate to all computers in the domain. What should you do?
A. Import the new certificate into the Intermediate Certification store on the Enterprise Root CA server.
B. Import the new certificate into the Intermediate Certification store on the Enterprise Intermediate CA server.
C. Import the new certificate into the Intermediate Certification store in the Default Domain Controllers Group Policy object.
D. Import the new certificate into the Intermediate Certification store in the Default Domain Group Policy object.

Answer: B
Section: Configuring AD Certificate Services
Explanation/Reference:
You bring the Root CA online and make a cert request from the Intermediate CA, send it to the Root CA for signing and then import the signed certificate into the Intermediate CA. So I think "B" instead of "D".
---------------------------------------------------------------------------------------------------------------------------------------------

QUESTION 18
Your company has an Active Directory domain. You plan to install the Active Directory Certificate Services (AD CS) server role on a member server that runs Windows Server 2008 R2. You need to ensure that members of the Account Operators group are able to issue smart card credentials. They should not be able to revoke certificates. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Install the AD CS server role and configure it as an Enterprise Root CA.
B. Install the AD CS server role and configure it as a standalone CA.
C. Restrict enrollment agents for the smart card logon certificate to the Account Operators group.
D. Restrict certificate managers for the smart card logon certificate to the Account Operators group.
E. Create a smart card logon certificate.
F. Create an enrollment agent certificate.

Answer: ACE
Section: Configuring AD Certificate Services
Explanation/Reference:
---------------------------------------------------------------------------------------------------------------------------------------------
To configure enrollment agents, right-click the issuing CA and select Properties (see screenshot below).

QUESTION 19
Your network consists of a single Active Directory domain. The forest functional level is Windows Server 2008 R2. You need to create multiple password policies for the users in your domain. What should you do?
A. From the Active Directory Schema snap-in, create multiple class schema objects.
B. From the ADSI Edit snap-in, create multiple Password Settings objects.
C. From the Security Configuration Wizard, create multiple security policies.
D. From the Group Policy Management snap-in, create multiple Group Policy objects.

Answer: B
Section: Maintaining the AD Environment
Explanation/Reference:
Fine-Grained Passwords [Password policies per OU, Group or user]
ADSI Edit: CN=System > CN=Password Settings Container; right-click, New > Object, msDS-PasswordSettings; enter the name PasswordSettings and enter the values.
ADUC (Advanced Features): create the group, go to System > Password Settings Container > PasswordSettings, edit msDS-PSOAppliesTo and enter the group.
---------------------------------------------------------------------------------------------------------------------------------------------
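The PowerShell equivalent of the ADSI Edit steps above, added as an example that is not part of the original page: it creates a Password Settings object with stricter settings than the domain default and links it to a group, which is what editing msDS-PSOAppliesTo does. It assumes the Active Directory module (RSAT on 2008 R2), a domain functional level of Windows Server 2008 or higher, and placeholder names for the PSO and the group.

```powershell
# Added example: create a fine-grained password policy and apply it to a group.
Import-Module ActiveDirectory

$psoName   = 'PSO-PrivilegedAccounts'   # placeholder name for the new PSO
$groupName = 'Tier0-Admins'             # placeholder: an existing global security group

# Precedence: when several PSOs apply to one user, the lowest value wins.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# Same effect as editing msDS-PSOAppliesTo, which accepts users and global security groups.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verify the resultant policy (msDS-ResultantPSO) for every user member of the group.
Get-ADGroupMember -Identity $groupName | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
    if ($pso) { $effective = $pso.Name; $minLength = $pso.MinPasswordLength }
    else      { $effective = '(domain default)'; $minLength = $null }
    New-Object PSObject -Property @{
        User         = $_.SamAccountName
        EffectivePSO = $effective
        MinLength    = $minLength
    }
} | Format-Table User, EffectivePSO, MinLength -AutoSize
```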

QUESTION 20
You need to perform an offline defragmentation of an Active Directory database. Which four actions should you perform in sequence? (To answer, move the four appropriate actions from the list of actions to the answer area and arrange them in the correct order.)

Answer:

Section: Configuring AD Federated Services
Explanation/Reference:

Exam F
QUESTION 1
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an enterprise root certification authority (CA). You need to ensure that revoked certificate information is highly available. What should you do?
A. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.
B. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and Acceleration Server array.
C. Publish the trusted certificate authorities list to the domain by using a Group Policy object (GPO).
D. Create a Group Policy object (GPO) that enables users to trust peer certificates. Link the GPO to the domain.
Answer: A
Section: Configuring AD Certificate Services
Explanation/Reference:
There are two major pieces in implementing the High Availability Configuration. The first step is to add the OCSP Responders to what is called an Array. When OCSP Responders are configured in an Array, the configuration of the OCSP responders can be easily maintained, so that all Responders in the Array have the same configuration. The configuration of the Array Controller is used as the baseline configuration that is then applied to other members of the Array. The second piece is to load balance the OCSP Responders. Load balancing of the OCSP responders is what actually provides fault tolerance. I am going to demonstrate using the built in Windows Network Load Balancing feature of Windows Server 2008. You can of course use a third party hardware load balancer if you wish. In this example, we are going to deploy two OCSP Servers in a highly available configuration.
http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-part-v-high-availability.aspx

QUESTION 2
Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offline root CA and an online issuing CA. The enterprise CA is running Windows Server 2008 R2. You need to ensure that users are able to enroll new certificates. What should you do?
A. Renew the Certificate Revocation List (CRL) on the root CA. Copy the CRL to the CertEnroll folder on the issuing CA.
B. Renew the Certificate Revocation List (CRL) on the issuing CA. Copy the CRL to the SystemCertificates folder in the users' profile.
C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.
D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client workstations.
Answer: A
Section: Configuring AD Certificate Services
Explanation/Reference:

QUESTION 3
You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an enterprise root certification authority (CA). You install the Online Responder role service on Server2. You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root CA. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Import the enterprise root CA certificate.
B. Import the OCSP Response Signing certificate.
C. Add the Server1 computer account to the CertPublishers group.
D. Set the startup type of the Certificate Propagation service to Automatic.

Answer: AB Section: Configuring AD Certificate Services Explanation/Reference: The signature on OCSP responses must follow the following rules to be considered valid by a Windows Vista or Windows Server 2008 client: For Windows Vista, either the OCSP signing certificate must be issued by the same CA as the certificate being verified or the OCSP response must be signed by the issuing CA. For Windows Vista with Service Pack 1 and Windows Server 2008, the OCSP signing certificate may chain up to any trusted root CA as long as the certificate chain includes the OCSP Signing EKU extension. CryptoAPI will not support independent OCSP signer during revocation checking on this OCSP signing certificate chain to avoid circular dependency. CryptoAPI will support CRL and delegated OCSP signer only.

QUESTION 4
Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2. DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the zone. DC2 hosts a standard secondary DNS zone for the domain. You need to configure DNS to allow only secure dynamic updates. What should you do first?
A. On DC1 and DC2, configure a trust anchor.
B. On DC1 and DC2, configure a connection security rule.
C. On DC1 and DC2, configure a connection security rule.
D. On DC1, configure the zone to be stored in Active Directory.

Answer: D
Section: Configuring AD DNS
Explanation/Reference:
To allow only secure dynamic updates using the Windows interface
1. Open DNS Manager.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone type is Active Directory-integrated.
4. In Dynamic Updates, click Secure only.
http://technet.microsoft.com/en-us/library/cc753751.aspx

QUESTION 5
Your network contains a domain controller that has two network connections named Internal and Private. Internal has an IP address of 192.168.0.20. Private has an IP address of 10.10.10.5. You need to prevent the domain controller from registering Host (A) records for the IP address 10.10.10.5. What should you do?
A. Modify the netlogon.dns file on the domain controller.
B. Modify the Name Servers settings of the DNS zone for the domain.
C. Modify the properties of the Private network connection on the domain controller.
D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.

Answer: C
Section: Configuring AD DNS
Explanation/Reference:
To avoid this problem, perform the following three steps (it is important that you follow all the steps to avoid the issue):
1. Under Network Connections Properties: on the unwanted NIC, TCP/IP Properties -> Advanced -> DNS -> uncheck "Register this connection's addresses in DNS".
2. Open the DNS server console: highlight the server in the left pane, Action -> Properties, and on the "Interfaces" tab select "Listen on only the following IP addresses". Remove the unwanted IP address from the list.
3. On the zone properties, select the Name Servers tab. Along with the FQDN of the DC, you will see the IP address associated with the DC. Remove the unwanted IP address if it is listed.
After performing this, delete the existing unwanted Host (A) record of the DC.
http://support.microsoft.com/kb/2023004#appliesto

QUESTION 6
Your network contains an Active Directory forest named contoso.com. You plan to add a new domain named nwtraders.com to the forest. All DNS servers are domain controllers. You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNS servers in the forest. What should you do?
A. Add the computer accounts of all the domain controllers to the DnsAdmins group.
B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group.
C. Create a standard primary zone on a domain controller in the forest root domain.
D. Create an Active Directory-integrated zone on a domain controller in the forest root domain.
Answer: D

Section: Configuring AD DNS Explanation/Reference: When you use standard zone storage, the default for the DNS Server service is to not allow dynamic updates on its zones. For zones that are either directory-integrated or that use standard file-based storage, you can change the zone to allow all dynamic updates, which permits all updates to be accepted. http://technet.microsoft.com/en-us/library/cc771255.aspx

Reason : Standard primary zone is local to the DC. The requirement here is to allow clients to register their host from any DC/DNS servers.

QUESTION 7
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 hosts a standard primary zone for contoso.com. You discover that non-domain member computers register records in the contoso.com zone. You need to prevent non-domain member computers from registering records in the contoso.com zone. All domain member computers must be allowed to register records in the contoso.com zone. What should you do first?
A. Configure a trust anchor.
B. Run the Security Configuration Wizard (SCW).
C. Change the contoso.com zone to an Active Directory-integrated zone.
D. Modify the security settings of %SystemRoot%\System32\Dns.

Answer: C Section: Configuring AD DNS Explanation/Reference: When you use standard zone storage, the default for the DNS Server service is to not allow dynamic updates on its zones. For zones that are either directory-integrated or that use standard file-based storage, you can change the zone to allow all dynamic updates, which permits all updates to be accepted. http://technet.microsoft.com/en-us/library/cc771255.aspx

Trust anchors are required on all non-authoritative DNS servers that will perform DNSSEC validation of data from a signed zone. http://technet.microsoft.com/en-us/library/ee649280%28WS.10%29.aspx

QUESTION 8
Your network contains an Active Directory domain named contoso.com. You create a GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record is server2.contoso.com. When you ping Server1, you discover that the name fails to resolve. You successfully resolve server2.contoso.com. You need to ensure that you can resolve names by using the GlobalNames zone. What should you do?
A. From the command prompt, use the netsh tool.
B. From the command prompt, use the dnscmd tool.
C. From DNS Manager, modify the properties of the GlobalNames zone.
D. From DNS Manager, modify the advanced settings of the DNS server.
Answer: B
Section: Powershell & Command line cmds
Explanation/Reference:

Deploying a GlobalNames zone


The specific steps for deploying a GlobalNames zone can vary somewhat, depending on the AD DS topology of your network.

Step 1: Create the GlobalNames zone


The first step in deploying a GlobalNames zone is to create the zone on a DNS server that is a domain controller running Windows Server 2008. The GlobalNames zone is not a special zone type; rather, it is simply an AD DS-integrated forward lookup zone that is called GlobalNames. For information about creating a primary forward lookup zone, see Add a Forward Lookup Zone.

Step 2: Enable GlobalNames zone support


The GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitly enabled by using the following command on every authoritative DNS server in the forest:

dnscmd <ServerName> /config /enableglobalnamessupport 1


where ServerName is the DNS name or IP address of the DNS server that hosts the GlobalNames zone. To specify the local computer, replace ServerName with a period (.), for example, dnscmd . /config /enableglobalnamessupport 1.

Step 3: Replicate the GlobalNames zone


To make the GlobalNames zone available to all DNS servers and clients in a forest, replicate the zone to all domain controllers in the forest, that is, add the GlobalNames zone to the forest-wide DNS application partition. For more information, see Change the Zone Replication Scope. If you want to limit the servers that will be authoritative for the GlobalNames zone, you can create a custom DNS application partition for replicating the GlobalNames zone. For more information, see Understanding DNS Zone Replication in Active Directory Domain Services.

Step 4: Populate the GlobalNames zone


For each server that you want to be able to provide single-label name resolution for, add an alias (CNAME) resource record to the GlobalNames zone. For more information, see Add an Alias (CNAME) Resource Record to a Zone.

Step 5: Publish the location of the GlobalNames zone in other forests


If you want DNS clients in other forests to use the GlobalNames zone for resolving names, add service location (SRV) resource records to the forest-wide DNS application partition, using the service name _globalnames._msdcs and specifying the FQDN of the DNS server that hosts the GlobalNames zone. For more information, see Add a Resource Record to a Zone and Service Location (SRV) Resource Record Dialog Box. In addition, you must run the dnscmd ServerName /config /enableglobalnamessupport 1 command on every authoritative DNS server in the forests that do not host the GlobalNames zone.
http://technet.microsoft.com/en-us/library/cc731744.aspx
Reason: dnscmd. The GlobalNames zone (GNZ) is intended to aid the retirement of WINS. To enable GNZ support: dnscmd ServerName /config /enableglobalnamessupport 1. You can use the GUI to create the GlobalNames zone, or the command: dnscmd ServerName /ZoneAdd GlobalNames /DsPrimary /DP /forest

QUESTION 9
Your company has a main office and a branch office. The network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com is configured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain.
The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You uninstall the DNS Server role from RODC1. You need to prevent DNS records from replicating to RODC1. What should you do?
A. Modify the replication scope for the contoso.com zone.
B. Flush the DNS cache and enable cache locking on RODC1.
C. Configure conditional forwarding for the contoso.com zone.
D. Modify the zone transfer settings for the contoso.com zone.

Answer: A
Section: Configuring Additional AD Server Roles
Explanation/Reference:
Change the Zone Replication Scope
Applies To: Windows Server 2008, Windows Server 2008 R2
You can use the following procedure to change the replication scope for a zone. Only Active Directory Domain Services (AD DS)-integrated primary and stub forward lookup zones can change their replication scope. Secondary forward lookup zones cannot change their replication scope.
Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To change zone replication scope using the Windows interface
1. Open DNS Manager.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, note the current zone replication type, and then click Change.
4. Select a replication scope for the zone.
Additional considerations: To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
To change zone replication scope using the command line
At a command prompt, type the following command, and then press ENTER:
dnscmd <ServerName> /ZoneChangeDirectoryPartition <ZoneName> <NewPartitionName>
Parameters:
dnscmd: Specifies the name of the command-line tool for managing DNS servers.
<ServerName>: Required. Specifies the Domain Name System (DNS) host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/ZoneChangeDirectoryPartition: Required. Changes a zone's replication scope.
<ZoneName>: Required. Specifies the fully qualified domain name (FQDN) of the zone.
<NewPartitionName>: Required. The FQDN of the DNS application directory partition where the zone will be stored.
http://technet.microsoft.com/en-us/library/cc754916.aspx

QUESTION 10
Your network contains an Active Directory domain named contoso.com. The domain contains the servers shown in the following table:
Server name   Operating system          Role
DC1           Windows Server 2008       Domain controller
DC2           Windows Server 2008 R2    Domain controller
DNS1          Windows Server 2008       DNS server
DNS2          Windows Server 2008 R2    DNS server
The forest functional level is Windows Server 2003. The domain functional level is Windows Server 2003. DNS1 and DNS2 host the contoso.com zone. All client computers run Windows 7 Enterprise. You need to ensure that all the names in the contoso.com zone are secured by using DNSSEC. What should you do first?
A. Change the forest functional level.
B. Change the domain functional level.
C. Upgrade DC1 to Windows Server 2008 R2.
D. Upgrade DNS1 to Windows Server 2008 R2.

Answer: D Section: Configuring AD DNS Explanation/Reference: Note In Windows Server 2003 and Windows Server 2008, DNSSEC is implemented on secondary zones as described in RFC 2535. Because RFC 2535 has been made obsolete by the previously mentioned RFCs, the Windows Server 2003 and Windows Server 2008 implementations are not interoperable with the Windows Server 2008 R2 or Windows 7 implementation. http://technet.microsoft.com/en-us/library/ee649205(v=WS.10).aspx

QUESTION 11
Your network contains a domain controller that is configured as a DNS server. The server hosts an Active Directory-integrated zone for the domain. You need to reduce the time it takes until stale records are deleted from the zone. What should you do?
A. From the configuration directory partition of the forest, modify the tombstone lifetime.
B. From the configuration directory partition of the forest, modify the garbage collection interval.
C. From the aging properties of the zone, modify the no-refresh interval and the refresh interval.
D. From the start of authority (SOA) record of the zone, modify the refresh interval and the expire interval.
Answer: C
Section: Configuring AD DNS
Explanation/Reference:

QUESTION 12
You have an Active Directory domain named contoso.com. You have a domain controller named Server1 that is configured as a DNS server. Server1 hosts a standard primary zone for contoso.com. The DNS configuration of Server1 is shown in the exhibit. (Click the Exhibit button.)
You discover that stale resource records are not automatically removed from the contoso.com zone. You need to ensure that the stale resource records are automatically removed from the contoso.com zone. What should you do?
A. Set the scavenging period of Server1 to 0 days.
B. Modify the server aging/scavenging properties.
C. Configure the aging properties for the contoso.com zone.
D. Convert the contoso.com zone to an Active Directory-integrated zone.
Answer: C
Section: Configuring AD DNS
Explanation/Reference:

Scavenging is set in three places on a Windows Server:
1. On the individual resource record to be scavenged.
2. On a zone to be scavenged.
3. At one or more servers performing scavenging.
It must be set in all three places or nothing happens.
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx?PageIndex=3

QUESTION 13
Your network contains an Active Directory domain named contoso.com. You remove several computers from the network. You need to ensure that the Host (A) records for the computers are automatically deleted from the contoso.com DNS zone. What should you do?
A. Configure dynamic updates.
B. Configure aging and scavenging.
C. Create a scheduled task that runs the Dnscmd /ClearCache command.
D. Create a scheduled task that runs the Dnscmd /ZoneReload contoso.com command.

Answer: B Section: Configuring AD DNS Explanation/Reference:

Scavenging is set in three places on a Windows Server:
1. On the individual resource record to be scavenged.
2. On a zone to be scavenged.
3. At one or more servers performing scavenging.
It must be set in all three places or nothing happens.
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx?PageIndex=3
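The "three places" rule from Questions 11 to 13 is easier to see as concrete commands. The script below is an added example, not part of the exam or of Microsoft's documentation; it uses dnscmd.exe because Windows Server 2008 R2 has no DnsServer PowerShell module. The server name, zone name and interval values are assumptions for illustration.

```powershell
# Added example (not from the exam or from Microsoft): set up DNS aging/scavenging
# at the server, the zone and the record level with dnscmd.exe, then verify it.
$Server = 'server1.contoso.com'   # assumption: the DNS server that hosts the zone
$Zone   = 'contoso.com'           # assumption: the zone to age

# 1) Server level: how often this server runs a scavenging pass, in hours.
#    0 disables scavenging; a server with 0 never deletes anything, whatever the zone says.
dnscmd $Server /Config /ScavengingInterval 168

# 2) Zone level: enable aging and set the no-refresh and refresh intervals, in hours.
#    A record is eligible for deletion only once NoRefresh + Refresh has passed since its
#    timestamp, so shortening these two intervals is what makes stale records go sooner.
dnscmd $Server /Config $Zone /Aging 1
dnscmd $Server /Config $Zone /NoRefreshInterval 168
dnscmd $Server /Config $Zone /RefreshInterval 168

# 3) Record level: dynamically registered records get a timestamp automatically.
#    Records created by hand are static (timestamp 0) and are never scavenged.
#    AgeAllRecords stamps every record under the zone, so run it only if you really
#    want those manual entries to age out as well (it is commented out for that reason).
# dnscmd $Server /AgeAllRecords $Zone /f

# Verify: the zone report shows Aging, NoRefresh and Refresh; the server report shows the interval.
dnscmd $Server /ZoneInfo $Zone
dnscmd $Server /Info /ScavengingInterval
```

When a zone still does not shrink after all three settings are in place, check the timestamps on the records themselves (DNS Manager, View, Advanced shows them): records without a timestamp were created statically and will never be scavenged, which is the usual reason the explanation's "nothing happens" occurs.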

QUESTION 14
You need to force a domain controller to register all of its service location (SRV) resource records in DNS. Which command should you run?
A. ipconfig.exe /registerdns
B. net.exe stop dnscache & net.exe start dnscache
C. net.exe stop netlogon & net.exe start netlogon
D. regsvr32.exe dnsrslvr.dll

Answer: C
Section: Powershell & Command line cmds
Explanation/Reference:
To make sure that all your A and SRV records are updated correctly, proceed as follows:
1. Make sure that each DC/DNS server is pointing to its private IP address as primary DNS server.
2. Make sure that each DC without DNS is pointing to the correct internal DNS server as primary DNS server.
3. Check that you don't have connectivity problems.
4. Run the net.exe stop netlogon & net.exe start netlogon command on all your DCs.
5. Make sure that all your client computers/member servers are using the correct internal DNS server as primary one.

QUESTION 15
Your network contains an Active Directory domain named contoso.com. You plan to deploy a child domain named sales.contoso.com. The domain controllers in sales.contoso.com will be DNS servers for sales.contoso.com. You need to ensure that users in contoso.com can connect to servers in sales.contoso.com by using fully qualified domain names (FQDNs). What should you do?
A. Create a DNS forwarder.
B. Create a DNS delegation.
C. Configure the root hints servers.
D. Configure an alternate DNS server on all client computers.

Answer: B
Section: Configuring AD DNS
Explanation/Reference:
Create a Zone Delegation
Applies To: Windows Server 2008, Windows Server 2008 R2
You can divide your Domain Name System (DNS) namespace into one or more zones. You can delegate management of part of your namespace to another location or department in your organization by delegating the management of the corresponding zone. For more information, see Understanding Zone Delegation.
When you delegate a zone, remember that for each new zone that you create, you will need delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers that are being made authoritative for the new zone.
Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To create a zone delegation using the Windows interface
1. Open DNS Manager.
2. In the console tree, right-click the applicable subdomain, and then click New Delegation.
3. Follow the instructions in the New Delegation Wizard to finish creating the new delegated domain.
Additional considerations
To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
All domains (or subdomains) that appear as part of the applicable zone delegation must be created in the current zone before delegation is performed as described here. As necessary, use DNS Manager to first add domains to the zone before you complete this procedure.
To create a zone delegation using a command line
1. Open a command prompt.
2. Type the following command, and then press ENTER:
dnscmd <ServerName> /RecordAdd <ZoneName> <NodeName> [/Aging] [/OpenAcl] [<Ttl>] NS {<HostName>|<FQDN>}
Parameters:
dnscmd: Specifies the name of the command-line tool for managing DNS servers.
<ServerName>: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).
/RecordAdd: Required. Specifies the command to add a resource record.
<ZoneName>: Required. Specifies the fully qualified domain name (FQDN) of the zone.
<NodeName>: Required. Specifies the FQDN of the node in the DNS namespace for which the start of authority (SOA) resource record is added. You can also type the node name relative to the ZoneName or @, which specifies the zone's root node.
/Aging: If this command is used, this resource record is able to be aged and scavenged. If this command is not used, the resource record remains in the DNS database unless it is manually updated or removed.
/OpenAcl: Specifies that new records are open to modification by any user. Without this parameter, only administrators may modify the new record.
<Ttl>: Specifies the Time To Live (TTL) setting for the resource record. (The default TTL is defined in the start of authority (SOA) resource record.)
NS: Required. Specifies that you are adding a name server (NS) resource record to the zone that is specified in ZoneName.
<HostName>|<FQDN>: Required. Specifies the host name or FQDN of the new authoritative server.
To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:
dnscmd /RecordAdd /help

QUESTION 16
Your network contains a single Active Directory domain named contoso.com. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 hosts a primary zone for contoso.com. DC2 hosts a secondary zone for contoso.com. On DC1, you change the zone to an Active Directory-integrated zone and configure the zone to accept secure dynamic updates only. You need to ensure that DC2 can accept secure dynamic updates for the contoso.com zone.
Which command should you run?
A. DNSCmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.com
B. DNSCmd.exe dc2.contoso.com /zoneresettype contoso.com /DsPrimary
C. dnslint.exe /ql
D. repadmin.exe /syncall /force

Answer: B Section: Powershell & Command line cmds Explanation/Reference:

Dnscmd /zoneresettype
Changes the type of the zone.
Syntax
dnscmd [ServerName] /zoneresettype ZoneName ZoneType [/overwrite_mem | /overwrite_ds]
Parameters
ServerName: Specifies the DNS server the administrator is planning to manage, represented by local computer syntax, IP address, FQDN, or host name. If omitted, the local server is used.
ZoneName: Identifies the zone on which the type will be changed.
ZoneType: Specifies the type of zone to create. Each type has different required parameters:
  /dsprimary: Creates an Active Directory-integrated zone.
  /primary /file FileName: Creates a standard primary zone.
  /secondary MasterIPAddress [,MasterIPAddress...]: Creates a standard secondary zone.
  /stub MasterIPAddress [,MasterIPAddress...] /file FileName: Creates a file-backed stub zone.
  /dsstub MasterIPAddress [,MasterIPAddress...]: Creates an Active Directory-integrated stub zone.
  /forwarder MasterIPAddress [,MasterIPAddress]... /file FileName: Specifies that the created zone forwards unresolved queries to another DNS server.
  /dsforwarder: Specifies that the created Active Directory-integrated zone forwards unresolved queries to another DNS server.
/overwrite_mem | /overwrite_ds: Specifies how to overwrite existing data.
  /overwrite_mem: Overwrites DNS data from data in Active Directory.
  /overwrite_ds: Overwrites existing data in Active Directory.
Remarks
Setting the zone type as /dsforwarder creates a zone that performs conditional forwarding.
Sample Usage
dnscmd dnssvr1.contoso.com /zoneresettype test.contoso.com /primary /file test.contoso.com.dns
dnscmd dnssvr1.contoso.com /zoneresettype second.contoso.com /secondary 10.0.0.2
http://technet.microsoft.com/en-us/library/cc756116(v=WS.10).aspx#BKMK_29

Reason: /dsprimary makes the zone Active Directory-integrated, and an AD-integrated zone is required for secure dynamic updates. DNSLint is a Microsoft Windows utility that helps you diagnose common DNS name resolution issues; you need to download it from Microsoft.

QUESTION 17
Your network contains an Active Directory domain named contoso.com. You run Nslookup.exe as shown in the following command prompt window. You need to ensure that you can use Nslookup to list all the service location (SRV) resource records for contoso.com. What should you modify?
A. the root hints of the DNS server
B. the security settings of the zone
C. the Windows Firewall settings on the DNS server
D. the zone transfer settings of the zone

Answer: D Section: Configuring AD DNS Explanation/Reference:

To modify zone transfer settings using the Windows interface
1. Open DNS Manager.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
   To disable zone transfers, clear the Allow zone transfers check box.
   To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
   To allow zone transfers to any server, click To any server.
   To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.
   To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.

QUESTION 18
Your network contains an Active Directory domain named contoso.com. The contoso.com DNS zone is stored in Active Directory. All domain controllers run Windows Server 2008 R2. You need to identify whether all the DNS records used for Active Directory replication are correctly registered. What should you do?
A. From the command prompt, use netsh.exe.
B. From the command prompt, use dnslint.exe.
C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.
D. From the Active Directory Module for Windows PowerShell, run the Get-ADDomainController cmdlet.

Answer: B
Section: Powershell & Command line cmds
Explanation/Reference:
DNSLint is a Microsoft Windows utility that runs on Windows 2000 and later operating systems. Among other uses, it can help you troubleshoot Active Directory replication issues. Specifically, it can help you determine two things:
1. Whether all DNS servers that are supposed to be authoritative for the root of an Active Directory forest actually have the necessary DNS records to successfully synchronize partition replicas among domain controllers in an Active Directory forest. DNSLint identifies which DNS records are missing from each authoritative DNS server.
2. Whether a particular Active Directory domain controller can resolve all of the necessary DNS records to successfully synchronize partition replicas among domain controllers in an Active Directory forest. DNSLint identifies which DNS records cannot be resolved by the domain controller being tested.
http://support.microsoft.com/kb/321046

Reason : DNSLint is a Microsoft Windows utility that helps you to diagnose common DNS name resolution issues. You need to download it from Microsoft.
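DNSLint queries the live DNS servers. A cheaper first check, useful both here and for Question 14 (where the netlogon service re-registers the records listed in netlogon.dns), is to read the DC's own netlogon.dns file and confirm the expected SRV names are present before blaming DNS. The script below is an added example, not part of the exam, of DNSLint or of Microsoft's documentation; the netlogon.dns contents are constructed sample data for contoso.com, the expected-record list is a deliberately minimal assumption (it presumes the DC is also a global catalog), and the file path in the last comment is the default location, assumed rather than taken from the page.

```powershell
# Added example (not from the exam or from Microsoft): parse a netlogon.dns-style file and
# report which of a minimal expected set of SRV records for a domain are missing.
# The sample below is CONSTRUCTED data; _kpasswd._tcp is left out on purpose.
$sampleNetlogonDns = @"
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
_kerberos._tcp.contoso.com. 600 IN SRV 0 100 88 dc1.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
_kerberos._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 88 dc1.contoso.com.
_ldap._tcp.pdc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
_gc._tcp.contoso.com. 600 IN SRV 0 100 3268 dc1.contoso.com.
"@

function Get-SrvRecords {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # netlogon.dns line layout: <name> <ttl> IN SRV <priority> <weight> <port> <target>
        if ($line -match '^(?<name>\S+)\s+(?<ttl>\d+)\s+IN\s+SRV\s+(?<prio>\d+)\s+(?<weight>\d+)\s+(?<port>\d+)\s+(?<target>\S+)\s*$') {
            # New-Object keeps this runnable on the PowerShell 2.0 that ships with Server 2008 R2
            New-Object PSObject -Property @{
                Name   = $matches['name'].TrimEnd('.').ToLowerInvariant()
                Port   = [int]$matches['port']
                Target = $matches['target'].TrimEnd('.')
            }
        }
    }
}

function Test-DcSrvRecords {
    param([string]$Domain, [string[]]$Lines)
    # Minimal set the locator relies on (assumption: the DC is also a global catalog).
    $expected = @(
        "_ldap._tcp.$Domain",
        "_kerberos._tcp.$Domain",
        "_kpasswd._tcp.$Domain",
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.pdc._msdcs.$Domain",
        "_gc._tcp.$Domain"
    )
    $found = Get-SrvRecords -Lines $Lines | Select-Object -ExpandProperty Name -Unique
    foreach ($name in $expected) {
        New-Object PSObject -Property @{
            Record  = $name
            Present = ($found -contains $name.ToLowerInvariant())
        }
    }
}

# Run against the constructed sample: every row is Present = True except _kpasswd._tcp.contoso.com.
Test-DcSrvRecords -Domain 'contoso.com' -Lines ($sampleNetlogonDns -split "`r?`n") |
    Format-Table Record, Present -AutoSize

# On a real DC (assumption: default file location) read the file instead of the sample:
# Test-DcSrvRecords -Domain 'contoso.com' -Lines (Get-Content "$env:SystemRoot\System32\config\netlogon.dns")
```

A record that is present in netlogon.dns but absent from the zone points at registration (the Question 14 netlogon restart, or the zone's dynamic update setting); a record missing from netlogon.dns itself points at the DC's own configuration, which no amount of re-registration will fix.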

QUESTION 19
Your network contains an Active Directory forest. The forest contains one domain and three sites. Each site contains two domain controllers. All domain controllers are DNS servers. You create a new Active Directory-integrated zone. You need to ensure that the new zone is replicated to the domain controllers in only one of the sites. What should you do first?
A. Modify the NTDS Site Settings object for the site.
B. Modify the replication settings of the default site link.
C. Create an Active Directory connection object.
D. Create an Active Directory application directory partition.

Answer: D
Section: Configuring AD Infrastructure
Explanation/Reference:

Application directory partitions


An application directory partition is a directory partition that is replicated only to specific domain controllers.

QUESTION 20
Your network contains a single Active Directory forest. The forest contains two domains named contoso.com and sales.contoso.com. The domain controllers are configured as shown in the following table:

Server name   Domain               DNS zones hosted
DC1           contoso.com          contoso.com
DC2           contoso.com          contoso.com
DC3           sales.contoso.com    sales.contoso.com
DC4           sales.contoso.com    sales.contoso.com

All domain controllers run Windows Server 2008 R2. All zones are configured as Active Directory-integrated zones. You need to ensure that the contoso.com records are available on DC3. Which command should you run?
A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain
B. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest
C. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain
D. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest

Answer: B
Section: Powershell & Command line cmds
Explanation/Reference:
You can use these procedures to change the replication scope for a zone using either the DNS Manager snap-in or the dnscmd command-line tool. Only Active Directory-integrated primary and stub forward lookup zones can change their replication scope. Because they are not integrated with Active Directory, secondary forward lookup zones cannot change their replication scope.

Caution
Improperly configuring the replication scope of a zone can cause replication to fail or produce unexpected results, interfering with name resolution for the zone. You should not change the replication scope of a zone unless you fully understand how Active Directory replication works. The following table describes the available zone replication scopes for Active Directory-integrated Domain Name System (DNS) zone data.

Zone replication scope: Description

All DNS servers in the Active Directory forest: Replicates zone data to all DNS servers that are running on domain controllers in the Active Directory forest. Usually, this is the broadest scope of replication.

All DNS servers in the Active Directory domain: Replicates zone data to all DNS servers that are running on domain controllers in the Active Directory domain. This option is the default setting for Active Directory-integrated DNS zone replication in Windows Server 2003 and Windows Server 2008.

All domain controllers in the Active Directory domain: Replicates zone data to all domain controllers in the Active Directory domain.

All domain controllers in a specified application directory partition: Replicates zone data according to the replication scope of the specified application directory partition. For a zone to be stored in the specified application directory partition, the DNS server that is hosting the zone must be enlisted in the specified application directory partition.

To change zone replication scope using the command line

1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. At a command prompt, type the following command, and then press ENTER:
   dnscmd <ServerName> /ZoneChangeDirectoryPartition <ZoneName> <NewPartitionName>

Exam G

QUESTION 1
You have a DNS zone that is stored in a custom application directory partition. You install a new domain controller. You need to ensure that the custom application directory partition is replicated to the new domain controller. What should you use?
A. the Active Directory Administrative Center console
B. the Active Directory Sites and Services console
C. the DNS Manager console
D. the Dnscmd tool

Answer: D
Section: Configuring AD DNS
Explanation/Reference:

Create a DNS Application Directory Partition


Applies To: Windows Server 2008, Windows Server 2008 R2
You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). A partition is a data structure in AD DS that distinguishes data for different replication purposes. When you create an application directory partition for DNS, you can control the scope of replication for the zone that is stored in that partition. For more information, see Understanding Active Directory Domain Services Integration.
Membership in the Enterprise Admins group is required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To create a DNS application directory partition


1. Open a command prompt.
2. Type the following command, and then press ENTER:
   dnscmd <ServerName> /CreateDirectoryPartition <FQDN>

Parameter: Description

dnscmd: Specifies the name of the command-line tool for managing DNS servers.

<ServerName>: Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

/CreateDirectoryPartition: Required. Creates a DNS application directory partition.

<FQDN>: Required. Specifies the name of the new DNS application directory partition. You must use a DNS fully qualified domain name (FQDN).

To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:
dnscmd /CreateDirectoryPartition /?
http://technet.microsoft.com/en-us/library/cc754292.aspx
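The Question 20 and Exam G Question 1 scenarios carried through with a custom partition instead of the built-in /forest scope: the PowerShell below wraps the dnscmd steps described above to create a partition on DC1, enlist DC3 in it (so the partition reaches a DC in the other domain) and move the contoso.com zone into it. This is an added example, not code from the exam dump or from Microsoft; the partition name dnsreplica.contoso.com and the Invoke-DnsCmd helper are constructed for it.

```powershell
# Added example. Assumptions: DC1.contoso.com hosts contoso.com and
# DC3.sales.contoso.com hosts sales.contoso.com (Question 20); the partition
# name dnsreplica.contoso.com is a constructed placeholder. Run as Enterprise Admin.

# Run dnscmd.exe and turn a non-zero exit code into a terminating error, so a
# failed step never lets the next one run against a half-configured partition.
function Invoke-DnsCmd {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string[]]$Arguments
    )
    $output = & dnscmd.exe $Server @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $Server $($Arguments -join ' ') failed (exit $LASTEXITCODE): $output"
    }
    $output
}

$partition = 'dnsreplica.contoso.com'

# 1. Create the custom application directory partition (Enterprise Admins required).
Invoke-DnsCmd -Server 'DC1.contoso.com' -Arguments '/CreateDirectoryPartition', $partition

# 2. Enlist DC3, a DNS server in the child domain, in that partition. A newly
#    installed DC (Exam G, Question 1) is added the same way: custom partitions
#    replicate only to the DCs that are enlisted in them.
Invoke-DnsCmd -Server 'DC3.sales.contoso.com' -Arguments '/EnlistDirectoryPartition', $partition

# 3. Move the contoso.com zone into the custom partition. The last argument is the
#    replication scope: /domain, /forest or, as here, the FQDN of a custom partition.
Invoke-DnsCmd -Server 'DC1.contoso.com' -Arguments '/ZoneChangeDirectoryPartition', 'contoso.com', $partition

# 4. Check: DC3 must list the partition, otherwise the zone will not appear there.
$partitions = Invoke-DnsCmd -Server 'DC3.sales.contoso.com' -Arguments '/EnumDirectoryPartitions'
if (($partitions -join "`n") -notmatch [regex]::Escape($partition)) {
    Write-Warning "DC3 is not enlisted in $partition; verify AD replication before relying on it."
} else {
    "DC3 is enlisted in $partition; contoso.com will replicate to it."
}
```

The zone move only changes which partition stores the zone; the records become visible on DC3 once normal AD replication of that partition has completed.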

QUESTION 2
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2. The domain functional level is Windows Server 2008 R2. The forest functional level is Windows Server 2008. You have a member server named Server1 that runs Windows Server 2008. You need to ensure that you can add Server1 to contoso.com as a domain controller. What should you run before you promote Server1?
A. dcpromo.exe /CreateDCAccount
B. dcpromo.exe /ReplicaOrNewDomain:replica
C. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008Domain
D. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest

Answer: C
Section: Powershell & Command line cmds
Explanation/Reference:
Since the domain functional level is set to Windows Server 2008 R2, you cannot add Server1 running Windows Server 2008 as a DC until you upgrade the server or lower the domain functional level.

After you set the domain functional level to a certain value in Windows Server 2008 R2, you cannot roll back or lower the domain functional level, with one exception: when you raise the domain functional level to Windows Server 2008 R2 and if the forest functional level is Windows Server 2008 or lower, you have the option of rolling the domain functional level back to Windows Server 2008. You can lower the domain functional level only from Windows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003. http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(WS.10).aspx

The Set-ADDomainMode cmdlet sets the domain mode for a domain. You specify the domain mode by setting the DomainMode parameter. The domain mode can be set to the following values, which are listed in order of functionality from lowest to highest:
- Windows2000Domain
- Windows2003InterimDomain
- Windows2003Domain
- Windows2008Domain
- Windows2008R2Domain
You can change the domain mode to a mode with higher functionality only. For example, if the domain mode for a domain is set to Windows 2003, you can use this cmdlet to change the mode to Windows 2008. However, in the same situation, you cannot use this cmdlet to change the domain mode from Windows 2003 to Windows 2000. (This must be read together with the exception above: Windows Server 2008 R2 can be lowered to Windows Server 2008 when the forest functional level is Windows Server 2008 or lower.)
http://technet.microsoft.com/en-us/library/ee617230.aspx

/CreateDCAccount: Creates a read-only domain controller (RODC) account. Only a member of the Domain Admins group or the Enterprise Admins group can run this command.
/ReplicaOrNewDomain:{Replica | ReadOnlyReplica | Domain}: Specifies whether to install an additional domain controller (a writable domain controller or an RODC) or to create a new domain. The default is to install an additional writable domain controller.

QUESTION 3
Your network contains an Active Directory forest. The forest contains a single domain. You want to access resources in a domain that is located in another forest. You need to configure a trust relationship between the domain in your forest and the domain in the other forest. What should you create?
A. an incoming external trust
B. an incoming realm trust
C. an outgoing external trust
D. an outgoing realm trust

Answer: A
Section: Configuring Domains and Trusts
Explanation/Reference:
A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest) or in a Windows NT 4.0 domain. For example, if you are the administrator of sales.wingtiptoys.com and users in that domain need to access resources in the marketing.tailspintoys.com domain (which is located in another forest), you can use this procedure (in conjunction with another procedure, which is executed by the administrator in the other forest) to establish one side of the relationship so that users in your domain can access resources in the marketing.tailspintoys.com domain.
http://technet.microsoft.com/en-us/library/cc816736(v=WS.10).aspx

QUESTION 4
Your network contains two Active Directory forests. One forest contains two domains named contoso.com and na.contoso.com. The other forest contains a domain named nwtraders.com. A forest trust is configured between the two forests. You have a user named User1 in the na.contoso.com domain. User1 reports that he cannot log on to a computer in the nwtraders.com domain by using the user name NA\User1. Other users from na.contoso.com report that they can log on to computers in the nwtraders.com domain. You need to ensure that User1 can log on to the computer in the nwtraders.com domain. What should you do?
A. Enable selective authentication on the forest trust.
B. Create a one-way external trust from na.contoso.com to nwtraders.com.
C. Instruct User1 to log on to the computer by using his user principal name (UPN).
D. Instruct User1 to log on to the computer by using the user name nwtraders\User1.

Answer: C
Section: Configuring Domains and Trusts
Explanation/Reference:
UPN: user1@na.contoso.com

QUESTION 5
Your company has a main office and a branch office. The main office contains two domain controllers. You create an Active Directory site named BranchOfficeSite. You deploy a domain controller in the branch office, and then add the domain controller to the BranchOfficeSite site.

You discover that users in the branch office are randomly authenticated by either the domain controller in the branch office or the domain controllers in the main office. You need to ensure that the branch office users always attempt to authenticate to the domain controller in the branch office first. What should you do?
A. Create organizational units (OUs).
B. Create Active Directory subnet objects.
C. Modify the slow link detection threshold.
D. Modify the Location attribute of the computer objects.

Answer: B
Section: AD Sites & Services
Explanation/Reference:
If you create a new site or if you enlarge an existing site, you can use this procedure to create a subnet object or objects and associate them with the site in Active Directory Domain Services (AD DS). You can assign the appropriate network address to the subnet object so that it represents a range of TCP/IP addresses. To accomplish this procedure, you must have the following information:
- The site with which the subnet is to be associated.
- The IP version 4 (IPv4) or IP version 6 (IPv6) subnet prefix.

You can modify the Default Domain Policy to enable Windows Vista and Windows Server 2008 clients in the domain to locate domain controllers in the next closest site if no domain controller in their own site or the closest site is available.

QUESTION 6
Your company has a main office and 50 branch offices. Each office contains several subnets. You need to automate the creation of Active Directory subnet objects. What should you use?
A. the Dsadd tool
B. the Netsh tool
C. the New-ADObject cmdlet
D. the New-Object cmdlet

Answer: C
Section: Powershell & Command line cmds
Explanation/Reference:
The New-ADObject cmdlet creates a new Active Directory object such as a new organizational unit or new user account. You can use this cmdlet to create any type of Active Directory object. Many object properties are defined by setting cmdlet parameters. Properties that are not set by cmdlet parameters can be set by using the OtherAttributes parameter. You must set the Name and Type parameters to create a new Active Directory object. The Name specifies the name of the new object. The Type parameter specifies the LDAP display name of the Active Directory Schema Class that represents the type of object you want to create. Examples of Type values include computer, group, organizational unit, and user. The Path parameter specifies the container where the object will be created. When you do not specify the Path parameter, the cmdlet creates an object in the default naming context container for Active Directory objects in the domain.

Examples

EXAMPLE 1
C:\PS> New-ADObject -Name '192.168.1.0/26' -Type subnet -Description '192.168.1.0/255.255.255.192' -OtherAttributes @{location="Building A"; siteObject="CN=HQ,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM"} -Path "CN=Subnets,CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM"

Creates a subnet object in the HQ site with the described attributes.

The Dsadd tool is used only for creating objects such as users and OUs; it has no subcommand for subnet objects.

QUESTION 7
Your network contains an Active Directory forest. The forest contains multiple sites. You need to enable universal group membership caching for a site. What should you do?
A. From Active Directory Sites and Services, modify the NTDS Settings.
B. From Active Directory Sites and Services, modify the NTDS Site Settings.
C. From Active Directory Users and Computers, modify the properties of all universal groups used in the site.
D. From Active Directory Users and Computers, modify the computer objects for the domain controllers in the site.

Answer: B
Section: Maintaining the AD Environment
Explanation/Reference:
Enable Universal Group Membership Caching in a Site
Updated: January 9, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
In a branch site that has no global catalog server and in a forest that has multiple domains, you can use this procedure to enable Universal Group Membership Caching on a domain controller in the site so that a global catalog server does not have to be contacted across a wide area network (WAN) link for every initial user logon. You enable this setting on the NTDS Site Settings object for the site in Active Directory Domain Services (AD DS), and you can specify the site of a global catalog server to contact when the cache must be updated. In most cases, the closest global catalog server is located in the hub site. You can use this procedure to enable Universal Group Membership Caching in a site.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To enable Universal Group Membership Caching in a site
1. Open Active Directory Sites and Services: on the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching.
3. In the details pane, right-click the NTDS Site Settings object, and then click Properties.
4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.
5. In the Refresh cache from list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK.
http://technet.microsoft.com/en-us/library/cc816928(v=ws.10).aspx

QUESTION 8
You need to ensure that domain controllers replicate only between domain controllers in adjacent sites. What should you configure from Active Directory Sites and Services?
A. From the IP properties, select Ignore all schedules.
B. From the IP properties, select Disable site link bridging.
C. From the NTDS Settings object, manually configure the Active Directory Domain Services connection objects.
D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology Generator for each site.

Answer: B
Section: AD Sites & Services
Explanation/Reference:

Creating a Site Link Bridge Design


Updated: April 11, 2008
Applies To: Windows Server 2008, Windows Server 2008 R2
A site link bridge connects two or more site links and enables transitivity between site links. Each site link in a bridge must have a site in common with another site link in the bridge. The Knowledge Consistency Checker (KCC) uses the information on each site link to compute the cost of replication between sites in one site link and sites in the other site links of the bridge. Without the presence of a common site between site links, the KCC also cannot establish direct connections between domain controllers in the sites that are connected by the same site link bridge.
By default, all site links are transitive. We recommend that you keep transitivity enabled by not changing the default value of Bridge all site links (enabled by default). However, you will need to disable Bridge all site links and complete a site link bridge design if:
- Your IP network is not fully routed. When you disable Bridge all site links, all site links are considered nontransitive, and you can create and configure site link bridge objects to model the actual routing behavior of your network.
- You need to control the replication flow of the changes made in Active Directory Domain Services (AD DS). By disabling Bridge all site links for the site link IP transport and configuring a site link bridge, the site link bridge becomes the equivalent of a disjointed network. All site links within the site link bridge can route transitively, but they do not route outside of the site link bridge.
For more information about how to use the Active Directory Sites and Services snap-in to disable the Bridge all site links setting, see Enable or disable site link bridges (http://go.microsoft.com/fwlink/?LinkId=107073).

http://technet.microsoft.com/en-us/library/cc753638(v=WS.10).aspx

QUESTION 9
Your company has a main office and a branch office. You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates by using a domain controller in the main office. You need to ensure that IPv6-only computers authenticate to domain controllers in the same site. What should you do?
A. Configure the NTDS Site Settings object.
B. Create Active Directory subnet objects.
C. Create Active Directory Domain Services connection objects.
D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.

Answer: B
Section: AD Sites & Services
Explanation/Reference:
If you create a new site or if you enlarge an existing site, you can use this procedure to create a subnet object or objects and associate them with the site in Active Directory Domain Services (AD DS). You can assign the appropriate network address to the subnet object so that it represents a range of TCP/IP addresses. To accomplish this procedure, you must have the following information:
- The site with which the subnet is to be associated.
- The IP version 4 (IPv4) or IP version 6 (IPv6) subnet prefix.
http://technet.microsoft.com/nl-nl/library/cc816870%28WS.10%29.aspx

For enterprise networks, an incremental upgrade to IPv6 is possible using the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) (RFC 4214). ISATAP allows IPv6-only hosts and subnets to fully coexist and interoperate with IPv4 hosts and subnets in an intranet. In partnership with 6to4 technology, a comprehensive incremental migration solution is available to businesses transitioning their corporate networks. http://technet.microsoft.com/en-us/library/bb726949.aspx
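Questions 5, 6 and 9 all come down to the same object: a subnet (IPv4 or IPv6 prefix) bound to a site, without which clients on that prefix get no site affinity. The PowerShell below, an added example rather than code from the exam dump, automates that with New-ADObject from a constructed subnet list; it assumes the Active Directory module is available and that the sites named HQ, Branch1 and Branch2 already exist.

```powershell
# Added example (not from the exam dump). Assumptions: the ActiveDirectory module
# is installed, the sites HQ, Branch1 and Branch2 exist, and $subnets is a
# constructed sample standing in for a CSV exported from network documentation.
Import-Module ActiveDirectory

# Constructed sample input: IPv4 and IPv6 prefixes side by side (Question 9 is
# the IPv6-only case, which needs its own subnet object just like IPv4 does).
$subnets = @'
Prefix,Site,Location
10.10.0.0/24,HQ,Building A
10.20.0.0/24,Branch1,Branch office 1
10.30.0.0/24,Branch2,Branch office 2
2001:db8:30::/64,Branch2,Branch office 2
'@ | ConvertFrom-Csv

# Subnets live in the forest-wide Configuration partition; resolve its DN once.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$sitesDN   = "CN=Sites,$configNC"
$subnetsDN = "CN=Subnets,$sitesDN"

function New-SiteSubnet {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Prefix,
        [Parameter(Mandatory)][string]$Site,
        [string]$Location
    )
    # Fail early if the site does not exist: a subnet pointing at nothing leaves
    # clients on that prefix without site awareness, which is the Question 5 symptom.
    $siteObj = Get-ADObject -Filter "objectClass -eq 'site' -and name -eq '$Site'" -SearchBase $sitesDN
    if (-not $siteObj) { throw "Site '$Site' does not exist under $sitesDN" }

    # Idempotent: an existing prefix only gets its site association corrected.
    $existing = Get-ADObject -Filter "objectClass -eq 'subnet' -and name -eq '$Prefix'" -SearchBase $subnetsDN
    if ($existing) {
        Write-Verbose "Subnet $Prefix already exists; re-pointing it at site $Site."
        Set-ADObject -Identity $existing -Replace @{ siteObject = $siteObj.DistinguishedName }
        return $existing
    }

    # siteObject is the attribute that ties the subnet to the site; location is optional.
    $attrs = @{ siteObject = $siteObj.DistinguishedName }
    if ($Location) { $attrs['location'] = $Location }

    New-ADObject -Name $Prefix -Type subnet -Path $subnetsDN -OtherAttributes $attrs -PassThru
}

foreach ($row in $subnets) {
    New-SiteSubnet -Prefix $row.Prefix -Site $row.Site -Location $row.Location -Verbose
}

# Check: list any subnet that is not bound to a site (empty output is the goal).
Get-ADObject -Filter "objectClass -eq 'subnet'" -SearchBase $subnetsDN -Properties siteObject |
    Where-Object { -not $_.siteObject } |
    Select-Object Name
```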

QUESTION 10
Your network contains an Active Directory domain. The domain is configured as shown in the following table:

Active Directory site   Domain controllers
Main                    DC1 and DC2
Branch1                 DC3
Branch2                 None

Users in Branch2 sometimes authenticate to a domain controller in Branch1. You need to ensure that users in Branch2 authenticate only to the domain controllers in Main. What should you do?
A. On DC3, set the AutoSiteCoverage value to 0.
B. On DC3, set the AutoSiteCoverage value to 1.
C. On DC1 and DC2, set the AutoSiteCoverage value to 0.
D. On DC1 and DC2, set the AutoSiteCoverage value to 1.

Answer: A Section: AD Sites & Services Explanation/Reference: Usually domain controllers (DCs) register site-specific records for their local site in DNS, enabling clients to easily find DCs and other services that are closest to them. If a site contains no DCs, then DCs in the sites closest to that site (calculated by site-link costs) will register site-specific records for that site as well, to help clients find a DC as close as possible. This is known as automatic site coverage.

1. Start the registry editor (regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry subkey.
3. From the Edit menu, select New, DWORD value.
4. Enter a name of AutoSiteCoverage and press Enter.
5. Double-click the new value and set it to 0 to disable it (1 enables it).
6. Click OK.
http://www.windowsitpro.com/article/dns/learning-about-automatic-site-coverage
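The same change made on DC3 from PowerShell, followed by the check that matters for Question 10: which domain controllers actually advertise the site-specific SRV record for Branch2. This is an added example, not part of the exam dump; it assumes the names from the question (DC1, DC2, DC3, Branch2, contoso.com) and that Resolve-DnsName from the DnsClient module (Windows Server 2012 and later) is available.

```powershell
# Added example (not from the exam dump). Assumptions: run on DC3 as an
# administrator; domain contoso.com and site Branch2 are taken from Question 10.
# Resolve-DnsName needs the DnsClient module (Windows Server 2012 or later);
# on Windows Server 2008 R2 use "nslookup -type=SRV <record>" for the same check.

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-AutoSiteCoverage {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled)
    # Netlogon reads this REG_DWORD when it starts; 0 stops this DC from
    # registering site-specific records for sites that have no DC of their own.
    New-ItemProperty -Path $netlogonKey -Name 'AutoSiteCoverage' -PropertyType DWord `
        -Value $Enabled -Force | Out-Null
    Restart-Service -Name Netlogon -Force
    # Re-register this DC's DNS records now instead of at the next refresh interval.
    & nltest.exe /dsregdns | Out-Null
}

function Get-SiteCoveringDCs {
    param(
        [Parameter(Mandatory)][string]$Site,
        [Parameter(Mandatory)][string]$Domain
    )
    # Site-specific LDAP SRV record: the targets listed here are the DCs that
    # clients located in $Site will try first.
    $record = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
    Resolve-DnsName -Name $record -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget
}

Set-AutoSiteCoverage -Enabled 0

# Records DC3 registered earlier may linger until they are removed or scavenged,
# so verify rather than assume: Branch2 should be covered only by DC1 and DC2.
$coveringDCs = Get-SiteCoveringDCs -Site 'Branch2' -Domain 'contoso.com'
$unexpected  = $coveringDCs | Where-Object { $_ -notmatch '^(DC1|DC2)\.' }
if ($unexpected) {
    Write-Warning "Branch2 is still covered by: $($unexpected -join ', ')"
} else {
    "Branch2 is covered only by: $($coveringDCs -join ', ')"
}
```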

QUESTION 11
Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has two domain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4. DC3 fails. You discover that replication no longer occurs between the sites. You verify connectivity between DC4 and the domain controllers in Site1. On DC4, you run Repadmin.exe /kcc. Replication between the sites continues to fail. You need to ensure that Active Directory data replicates between the sites. What should you do?
A. From Active Directory Sites and Services, modify the properties of DC3.
B. From Active Directory Sites and Services, modify the NTDS Site Settings of Site2.
C. From Active Directory Users and Computers, modify the location settings of DC4.
D. From Active Directory Users and Computers, modify the delegation settings of DC4.

Answer: A
Section: Maintaining the AD Environment
Explanation/Reference:
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008, Windows Server 2008 R2
Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems. Repadmin.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).
To use Repadmin.exe, you must run the repadmin command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
You can use Repadmin.exe to view the replication topology, as seen from the perspective of each domain controller. In addition, you can use Repadmin.exe to manually create the replication topology, to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors (UTDVECs). You can also use Repadmin.exe to monitor the relative health of an Active Directory Domain Services (AD DS) forest.

Repadmin /kcc
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2 Forces the Knowledge Consistency Checker (KCC) on each targeted domain controller to immediately recalculate the inbound replication topology.

By default, each domain controller performs this recalculation every 15 minutes. Run this command to troubleshoot KCC errors after you remove suspected fault conditions or to re-evaluate whether new connection objects must be created on behalf of the targeted domain controllers.
Reason: Since repadmin /kcc does not find issues with DC4, the issue is most likely with DC3 (the failed DC that still appears as a replication partner).

QUESTION 12
Your network contains an Active Directory domain. The domain functional level is Windows Server 2003. The domain contains five domain controllers that run Windows Server 2008 and five domain controllers that run Windows Server 2008 R2. You need to ensure that SYSVOL is replicated by using Distributed File System Replication (DFSR). What should you do first?
A. Run dfsrdiag.exe PollAD.
B. Run dfsrmig.exe /setGlobalState 0.
C. Upgrade all domain controllers to Windows Server 2008 R2.
D. Raise the domain functional level to Windows Server 2008.

Answer: D
Section: Maintaining the AD Environment
Explanation/Reference:
Reason: Distributed File System (DFS) Replication is a replication service that is available for replicating SYSVOL to all domain controllers in domains that have the Windows Server 2008 domain functional level. DFS Replication was introduced in Windows Server 2003 R2. However, on domain controllers that are running Windows Server 2003 R2, SYSVOL replication is performed by the File Replication Service (FRS).

QUESTION 13
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com. You have a custom attribute named Attribute1 in Active Directory. Attribute1 is associated with user objects. You need to ensure that Attribute1 is replicated to the global catalog. What should you do?
A. From Active Directory Sites and Services, configure the NTDS Settings.
B. From Active Directory Sites and Services, configure universal group membership caching.
C. From the Active Directory Schema snap-in, modify the properties of the User class schema object.
D. From the Active Directory Schema snap-in, modify the properties of the Attribute1 schema attribute.

Answer: D
Section: Maintaining the AD Environment
Explanation/Reference:
You can also follow these steps to set the registry key discussed in the article mentioned above by way of the Schema MMC snap-in:
1. Highlight Active Directory Schema.
2. Choose Action | Operations Master....
3. Click to select the box titled The Schema may be modified on this Domain Controller.
4. Click OK.

At this point, a Schema Administrator can add additional attributes to the GC. There are several methods to add additional attributes to the GC including the Schema MMC snap-in and ADSI scripts.

To Make Modifications Using Active Directory Schema MMC Snap-In


1. Click the Attributes folder in the snap-in.
2. In the right pane, scroll down to the desired attribute, right-click it, and then click Properties.
3. Click to select the Replicate this attribute to the Global Catalog check box.
4. Click OK.

QUESTION 14
Your network contains an Active Directory domain. The domain contains three domain controllers. One of the domain controllers fails. Seven days later, the help desk reports that it can no longer create user accounts. You need to ensure that the help desk can create new user accounts. Which operations master role should you seize?
A. domain naming master
B. infrastructure master
C. primary domain controller (PDC) emulator
D. RID master
E. schema master

Answer: D
Section: Configuring AD FSMO Roles
Explanation/Reference:

RID Master
The relative identifier (RID) operations master allocates blocks of RIDs to each domain controller in the domain. Whenever a domain controller creates a new security principal, such as a user, group, or computer object, it assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which uniquely identifies each security principal created in the domain. If the RID role is unavailable, eventually security principals cannot be created because there are no more RIDs available.

QUESTION 15
Your network contains two standalone servers named Server1 and Server2 that have Active Directory Lightweight Directory Services (AD LDS) installed. Server1 has an AD LDS instance. You need to ensure that you can replicate the instance from Server1 to Server2. What should you do on both servers?
A. Obtain a server certificate.
B. Import the MS-User.ldf file.
C. Create a service user account for AD LDS.
D. Register the service location (SRV) resource records.

Answer: C
Section: Configuring AD LDS
Explanation/Reference:

If you run AD LDS on a domain controller in an AD DS environment, do not use the Network Service account as the AD LDS service account. Instead, use a domain user account that does not have administrative privileges.

Create a replica AD LDS instance
You can use the Active Directory Lightweight Directory Services Setup Wizard to create AD LDS service instances. In AD LDS, a "service instance" (or, simply, "instance") refers to a single running copy of AD LDS. To provide fault tolerance and load balancing, AD LDS instances can be part of a configuration set. All AD LDS instances in a configuration set replicate a common configuration directory partition and a common schema directory partition, plus any number of application directory partitions. To create an AD LDS instance and join it to an existing configuration set, use the Active Directory Lightweight Directory Services Setup Wizard to create a replica AD LDS instance. You need to know the Domain Name System (DNS) name of the server running an AD LDS instance that belongs to the configuration set, as well as the Lightweight Directory Access Protocol (LDAP) port that was specified when the instance was created. You can also supply the distinguished names (also known as DNs) of specific application directory partitions that you want to copy from the configuration set to the AD LDS instance that you are creating.
Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To create a replica AD LDS instance by using the Active Directory Lightweight Directory Services Setup Wizard
1. Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services Setup Wizard.
2. On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next.
3. On the Setup Options page, click A replica of an existing instance, and then click Next.
4. On the Instance Name page, accept the default name instance2 (or instance1, if you are installing AD LDS on a second computer), and then click Next.
   Note: AD LDS instance names have to be unique only on a given computer.
5. On the Ports page, accept the default values of 50000 and 50001 (if you are installing onto the first computer) or 389 and 636 (if you are installing onto a second computer), and then click Next.
6. On the Joining a Configuration Set page, in Server, type the host name or DNS name of the computer where the first AD LDS instance is installed. Then, type the LDAP port number in use by the first AD LDS instance (which is 389 by default), and then click Next.
   Note: You must use a valid host name or DNS name, rather than an IP address or localhost, when you specify a server on the Joining a Configuration Set page of the Active Directory Lightweight Directory Services Setup Wizard.
7. On the Administrative Credentials for the Configuration Set page, click the account that is used as the AD LDS administrator for your first AD LDS instance.
8. On the Copy Application Partition page, select the application directory partitions that you want to replicate to the new AD LDS instance. (The schema and configuration partitions will be replicated automatically.)
9. Accept the default values on the remaining Active Directory Lightweight Directory Services Setup Wizard pages by clicking Next on each page, and then click Finish on the Completing the Active Directory Application Mode Setup Wizard page.
After the installation is complete, use the ADSI Edit snap-in to confirm that the selected directory partition has been replicated to your second AD LDS instance.

QUESTION 16
Your network contains a server named Server1 that runs Windows Server 2008 R2. You create an Active Directory Lightweight Directory Services (AD LDS) instance on Server1. You need to create an additional AD LDS application directory partition in the existing instance. Which tool should you use?

A. Adaminstall
B. Dsadd
C. Dsmod
D. Ldp

Answer: D Section: Powershell & Command line cmds Explanation/Reference:

Create an Application Directory Partition
Applies To: Windows Server 2008, Windows Server 2008 R2
You use Ldp.exe to add a new application directory partition to an existing instance of Active Directory Lightweight Directory Services (AD LDS).
Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition. For more information about AD LDS groups, see Understanding AD LDS Users and Groups.
To add an application directory partition to an existing AD LDS instance
1. Open LDP, and then connect and bind to an AD LDS instance. For more information, see Use Ldp.exe to Manage an AD LDS Instance.
2. On the Browse menu, click Add child.
3. In Dn, type a distinguished name for the application partition.
4. Under Edit entry, type ObjectClass in the Attribute box and container in the Values box, and then click Enter.
5. Under Edit entry, type instanceType in the Attribute box and 5 in the Values box, and then click Enter.
6. Click Run. After the new application directory partition is added, the following information appears in the details pane: Added {distinguished name}, where distinguished name is the distinguished name that you typed in step 3.
7. Click Close.
http://technet.microsoft.com/en-us/library/cc755251.aspx
LDP is a GUI with which you can administer an AD LDS instance.
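The Ldp.exe procedure above is a plain LDAP Add of an object with objectClass=container and instanceType=5. The following PowerShell script, added here as an example and not taken from the page or from Microsoft's documentation, performs the same Add through System.DirectoryServices.Protocols and then checks RootDSE to confirm the new partition was published. The host name, port and partition DN are made-up values; replace them with those of your instance.

```powershell
# Added example: create an AD LDS application directory partition with an LDAP Add,
# the operation Ldp.exe performs in "Browse > Add child" with objectClass=container
# and instanceType=5. All names below are assumptions for illustration.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server    = 'server1.contoso.com:50000'   # assumed host:port of the AD LDS instance
$partition = 'CN=App1,DC=contoso,DC=com'   # assumed DN for the new application partition

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()   # binds with the current user's credentials; that user must hold the instance's Administrators role

# instanceType 5 = 1 (naming context head) + 4 (writable on this DSA). That flag
# combination tells the DSA to create a new directory partition, not a plain container.
$add = New-Object System.DirectoryServices.Protocols.AddRequest
$add.DistinguishedName = $partition
[void]$add.Attributes.Add((New-Object System.DirectoryServices.Protocols.DirectoryAttribute('objectClass', 'container')))
[void]$add.Attributes.Add((New-Object System.DirectoryServices.Protocols.DirectoryAttribute('instanceType', '5')))

$result = $conn.SendRequest($add)
if ($result.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
    throw "Add failed: $($result.ResultCode) $($result.ErrorMessage)"
}

# Verify: a real partition shows up in the namingContexts attribute of RootDSE,
# which is what Ldp's "Added {distinguished name}" message alone does not prove.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', 'namingContexts')
$root   = $conn.SendRequest($search)
$ncs    = $root.Entries[0].Attributes['namingContexts'].GetValues([string])
if ($ncs -contains $partition) {
    "Partition $partition created and listed in namingContexts"
} else {
    "Partition $partition missing from namingContexts: $($ncs -join ', ')"
}
$conn.Dispose()
```

Run it from a console whose user is a member of the instance's Administrators role; an anonymous or unprivileged bind will return insufficientAccessRights on the Add.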

QUESTION 17
Your network contains a server named Server1 that runs Windows Server 2008 R2. On Server1, you create an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1. You connect to Instance1 by using ADSI Edit. You run the Create Object wizard and discover that there is no User object class. You need to ensure that you can create user objects in Instance1. What should you do?

A. Run the AD LDS Setup Wizard.
B. Modify the schema of Instance1.
C. Modify the properties of the Instance1 service.
D. Install the Remote Server Administration Tools (RSAT).

Answer: A Section: Maintaining the AD Environment Explanation/Reference:

Note As an alternative to using ldifde, you can import the optional AD LDS user classes during AD LDS setup. If you do not specify user credentials using the -b parameter, ldifde uses the credentials of the currently logged on user.
QUESTION 18
Your network contains an Active Directory domain. The domain contains a server named Server1. Server1 runs Windows Server 2008 R2. You need to mount an Active Directory Lightweight Directory Services (AD LDS) snapshot from Server1. What should you do?

A. Run ldp.exe and use the Bind option.
B. Run diskpart.exe and use the Attach option.
C. Run Dsdbutil.exe and use the snapshot option.
D. Run imagex.exe and specify the /mount parameter.

Answer: C Section: Configuring AD LDS Explanation/Reference:

snapshot
Applies To: Windows Server 2008
Manages snapshots of the volumes that contain the Active Directory database and log files, which you can view on a domain controller without starting in Directory Services Restore Mode (DSRM). You can also run the snapshot subcommand on an Active Directory Lightweight Directory Services (AD LDS) server.
In the command-line tool Ntdsutil.exe, you can use the snapshot subcommand to manage the snapshots, but you must use Dsamain.exe to expose the snapshot as a Lightweight Directory Access Protocol (LDAP) server. For more information about using Dsamain, see Dsamain.
This is a subcommand of Ntdsutil and Dsdbutil. Ntdsutil and Dsdbutil are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or AD LDS server role installed. Dsdbutil is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).
To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Reason: Dsdbutil is the AD LDS tool for managing AD LDS instances.

http://technet.microsoft.com/en-us/library/cc753151%28WS.10%29.aspx
The Bind option in ldp.exe only authenticates to an AD LDS instance.
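The snapshot subcommand described above is normally used in three steps: create, mount, and expose the mounted copy with Dsamain so that it can be read over LDAP. The script below is an added example, not from the page or from Microsoft, showing those steps against an AD LDS instance. The instance name Instance1, the alternate LDAP port 51389, the snapshot index, the mount path and the location of adamntds.dit under the instance's data folder are all assumptions; substitute the values dsdbutil prints on your server.

```powershell
# Added example: snapshot an AD LDS instance with dsdbutil, mount it, and expose
# the read-only copy over LDAP with dsamain for offline inspection. Run from an
# elevated prompt on the server that hosts the instance. Values are assumptions.
$instance = 'Instance1'   # assumed AD LDS instance name
$port     = 51389         # assumed free port for the temporary LDAP listener

# 1. Create a snapshot and list all snapshots; note the index printed by "list all".
#    Commands are passed as quoted arguments, exactly as they would be typed at
#    the interactive dsdbutil prompt.
dsdbutil "activate instance $instance" snapshot create "list all" quit quit

# 2. Mount the snapshot by index (1 here is an assumption; use the index listed above).
#    dsdbutil prints the mount point, which looks like C:\$SNAP_<timestamp>_VOLUMEC$\
$index = 1
dsdbutil "activate instance $instance" snapshot "mount $index" quit quit

# 3. Point dsamain at the adamntds.dit inside the mounted snapshot. The path is an
#    assumption: the mount point printed in step 2 plus the instance's data folder.
$mountPoint = 'C:\$SNAP_201201010000_VOLUMEC$'
$dbPath = Join-Path $mountPoint "Program Files\Microsoft ADAM\$instance\data\adamntds.dit"
$dsamain = Start-Process dsamain -ArgumentList "-dbpath `"$dbPath`" -ldapport $port" -NoNewWindow -PassThru

# 4. Inspect the exposed copy with any LDAP client, for example ldp.exe connected to
#    localhost:$port, or export it (partition DN is an assumption):
#    ldifde -f snapshot.ldf -s localhost -t $port -d "DC=contoso,DC=com"
Read-Host "dsamain is listening on port $port; press Enter to stop it and unmount"

# 5. Clean up: stop the listener and unmount the snapshot by the same index.
Stop-Process -Id $dsamain.Id
dsdbutil "activate instance $instance" snapshot "unmount $index" quit quit
```

Because dsamain serves the snapshot read-only, this is a safe way to compare a past directory state with the live instance (for example, to confirm when an object or permission changed) without restoring anything.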

QUESTION 19
Your network contains a single Active Directory domain. Active Directory Rights Management Services (AD RMS) is deployed on the network. A user named User1 is a member of only the AD RMS Enterprise Administrators group. You need to ensure that User1 can change the service connection point (SCP) for the AD RMS installation. The solution must minimize the administrative rights of User1. To which group should you add User1?

A. AD RMS Auditors
B. AD RMS Service Group
C. Domain Admins
D. Schema Admins

Answer: C Section: Configuring AD Rights Mgmt Services Explanation/Reference:

Registering or changing the service connection point (SCP)
Performing this task requires that the logged-on user account be a member of the AD RMS Enterprise Administrators group and have permission to change and create objects in Active Directory Domain Services (AD DS). For example, a user who is a member of the AD RMS Enterprise Administrators group and the AD DS Enterprise Admins group would have the proper credentials to perform this task.

To administer AD RMS you must have been granted an Administration role on each server in the AD RMS cluster. For day-to-day operations there are three administration groups identified for AD RMS:
AD RMS Enterprise Administrators: Members of this group have access to all features in the AD RMS console. During installation of AD RMS, the installing user account is automatically added to this group.
AD RMS Template Administrators: Members of this group can only access rights policy template administration features in the AD RMS console.
AD RMS Auditors: Members of this group can only access the reports feature in the AD RMS console.
http://technet.microsoft.com/en-us/library/cc731135.aspx

So according to this, domain admins may not be the correct answer, but is the closest to the correct answer.

QUESTION 20
Your network contains two Active Directory forests named contoso.com and adatum.com. Active Directory Rights Management Services (AD RMS) is deployed in contoso.com. An AD RMS trusted user domain (TUD) exists between contoso.com and adatum.com. From the AD RMS logs, you discover that some clients that have IP addresses in the adatum.com forest are authenticating as users from contoso.com. You need to prevent users from impersonating contoso.com users. What should you do?

A. Configure trusted e-mail domains.
B. Enable lockbox exclusion in AD RMS.
C. Create a forest trust between adatum.com and contoso.com.
D. Add a certificate from a trusted third-party certification authority (CA).

Answer: A Section: Configuring AD Rights Mgmt Services Explanation/Reference:
To specify properties of the trusted user domain
If the trusted user domain is based on another AD RMS cluster's server licensor certificate, you can specify which e-mail domains within the trusted user domain are trusted.
1. Select the certificate name in the results pane and then, in the Actions pane, click Properties.
2. Click the Trusted E-mail Domains tab, and then choose one of the following trust options:
   Select the Trust all e-mail domains option to trust all of the user accounts that are members of that domain.
   Select the Trust only specified e-mail domains option and then type the domain name to trust, such as example.com, and then click Add. This adds the domain to the Trusted e-mail domains list. To remove a name from the list, select the name, and then click Remove. Adding a domain includes all of its child domains.
3. Select the Trust AD RMS licensing to security identifiers (SIDs) for this user domain check box, if necessary.
4. When finished, click OK.
http://technet.microsoft.com/en-us/library/cc753930.aspx

Exam H
QUESTION 1
Your network contains an Active Directory domain named contoso.com. The network contains client computers that run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) is deployed on the network. You create a new AD RMS template that is distributed by using the AD RMS pipeline. The template is updated every month. You need to ensure that all of the computers can use the most up-to-date version of the AD RMS template. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

A. Upgrade all of the Windows Vista computers to Windows 7.
B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).
C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users by using a Software Installation extension of Group Policy.
D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all computers by using a Software Installation extension of Group Policy.

Answer: B Section: Configuring AD Rights Mgmt Services Explanation/Reference:

When you modify a rights policy template on the AD RMS server, the server updates the template in both the configuration database and the shared folder (if the AD RMS cluster is configured to specify a file location for storing copies of rights policy templates). When using AD RMS clients other than Windows Vista with SP1, Windows Server 2008, Windows 7, and Windows Server 2008 R2, you should redeploy each rights policy template to client computers when they have been modified so that users have the most current version available. AD RMS clients running Windows Vista with SP1, Windows Server 2008, Windows 7, and Windows Server 2008 R2 will automatically detect this change and update the rights policy templates accordingly. Templates can be redeployed several ways including login scripts and using group policies. For more information about deploying rights policy templates see AD RMS Client Deployment and Usage Considerations (http://go.microsoft.com/fwlink/?LinkID=153481). http://technet.microsoft.com/en-us/library/dd996658(v=WS.10).aspx
QUESTION 2
Active Directory Rights Management Services (AD RMS) is deployed on your network. Users who have Windows Mobile 6 devices report that they cannot access documents that are protected by AD RMS. You need to ensure that all users can access AD RMS-protected content by using Windows Mobile 6. What should you do?

A. Modify the security of the ServerCertification.asmx file.
B. Modify the security of the MobileDeviceCertification.asmx file.
C. Enable anonymous authentication for the _wmcs virtual directory.
D. Enable anonymous authentication for the certification virtual directory.

Answer: B Section: Configuring AD Rights Mgmt Services Explanation/Reference:

Enable Certification of Mobile Devices
Applies To: Windows Server 2008 R2
AD RMS can provide rights account certificates (RACs) and use licenses to AD RMS-enabled applications that are running Windows Mobile 6. There are a few things that you should be aware of when configuring mobile services:
Discretionary access control lists (DACLs) on the AD RMS pipelines use the most secure settings by default. You must modify the DACL when using AD RMS mobile services.
Many mobile services use advanced Active Directory Domain Services (AD DS) functionality that is available only if all AD DS domain controllers are running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. If you are using any mobile services, we recommend that all domain controllers are running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2, and that both the domain and forest Active Directory functional levels are at least at Windows Server 2003.
In a default AD RMS installation, the DACL of the AD RMS mobile certification pipeline is restricted, which means an application cannot obtain certificates and licenses for its users. However, if you have an AD RMS-enabled application for these computers, you can enable them to participate in your AD RMS system by configuring the DACLs on the AD RMS mobile certification pipeline. AD RMS-enabled mobile applications connect to the AD RMS mobile certification server by using the MobileDeviceCertification.asmx file.
Note
If there is more than one AD RMS server in the AD RMS cluster, the DACL on the mobile certification service must be changed on each server in the cluster.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
To enable certification of mobile devices
1. Open Windows Explorer and navigate to the folder where Internet Information Services was installed. By default, the folder path is %systemdrive%\Inetpub\wwwroot\_wmcs\Certification.
2. To enable mobile devices to receive RACs, right-click the MobileDeviceCertification.asmx file, and then click Properties.
3. On the Security tab, click Add, and then add the user account object of the AD RMS-enabled mobile application and the AD RMS Service Group.
4. In the Permissions list for the groups, select the Allow check box for both Read and Read & Execute permissions, and then click OK.
Note
If several servers are hosting AD RMS-enabled mobile applications, consider creating a group, adding all of the user objects to this group, and then adding the group to the ACL of the certification pipeline instead.
5. Restart Internet Information Services by running IISRESET at a command prompt to implement the changes on the DACLs on the Web services. Do this on each server in the AD RMS cluster.

QUESTION 3
Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1. An administrator changes the password of the user account that is used by AD RMS. You need to update AD RMS to use the new password. Which console should you use?

A. Active Directory Rights Management Services
B. Active Directory Users and Computers
C. Component Services
D. Services

Answer: A Section: Configuring AD Rights Mgmt Services Explanation/Reference:

Change the AD RMS Service Account
Applies To: Windows Server 2008 R2
During installation, Active Directory Rights Management Services (AD RMS) creates the AD RMS Service Group on the local computer and grants it appropriate permissions on all of the resources that are required for AD RMS to operate. When you provision AD RMS on a server, you must define a domain account for use as the AD RMS service account. That account is made a member of the AD RMS Service Group, and it is granted the permissions that are associated with this group. During routine operations, AD RMS runs under the AD RMS service account.
You can change the AD RMS service account at any time. When you do so, the previously specified account is automatically removed from the AD RMS Service Group, and the new account is made a member of it. If there is more than one server in the AD RMS cluster where you are changing the AD RMS service account, you must change the service account on all servers in the cluster.
To run the Change Service Account wizard, you must be logged on locally on the AD RMS server with a user account that has administrative privileges to the configuration database.
Important
For security reasons, we highly recommend that you create a special user account to use as the AD RMS service account, and that you use this account only as the AD RMS service account and for no other purpose. In addition, you should not grant this account any additional permissions.
Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.
To change the AD RMS Service Account
1. Open the Active Directory Rights Management Services console and select the AD RMS cluster.
2. In the Actions pane, click Change Service Account.
3. In the Change Service Account wizard, read the text on the Before Changing the AD RMS Service Account page, and then click Next.
4. In the User name box, specify the name of the account under which AD RMS will run for most operations. The user name should use the format domain_name\user_name. In the Password box, type the password for the associated user account.
5. Click Next, and then click Finish.
6. Repeat steps 1-5 for each server in the AD RMS cluster.
http://technet.microsoft.com/en-us/library/cc754418.aspx
QUESTION 4
Your network contains an Active Directory Rights Management Services (AD RMS) cluster. You have several custom policy templates. The custom policy templates are updated frequently. Some users report that it takes up to 30 days to receive the updated policy templates. You need to ensure that users receive the updated custom policy templates within seven days. What should you do?

A. Modify the registry on the AD RMS servers.
B. Modify the registry on the users' computers.
C. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task.
D. Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task.

Answer: B Section: Configuring AD Rights Mgmt Services Explanation/Reference:

The automated scheduled task will not query the AD RMS template distribution pipeline each time that this scheduled task runs. Instead, it checks the updateFrequency DWORD value registry entry. This registry entry specifies the time interval (in days) after which the client should update its rights policy templates. By default the registry key is not present on the client computer. In this scenario, the client checks for new, deleted, or modified rights policy templates every 30 days. To configure an interval other than 30 days, create a registry entry at the following location: HKEY_CURRENT_USER\Software\Microsoft\MSDRM\TemplateManagement. In this registry key, you can also configure the updateIfLastUpdatedBeforeTime value, which forces the client computer to update its rights policy templates.

AD RMS Policy Template Considerations
Applies To: Windows Server 2008, Windows Server 2008 R2
Rights policy templates are used to control the rights that a user or group has on a particular piece of rights-protected content. Active Directory Rights Management Services (AD RMS) stores rights policy templates in the configuration database. Optionally, it may maintain a copy of all rights policy templates in a shared folder that you specify.
When publishing protected content, the author selects the rights policy template to apply from the templates that are available on the local computer. To make rights policy templates available for offline publishing, the administrator must deploy them to client computers from a shared folder.
In Windows Vista with Service Pack 1 (SP1), Windows Server 2008, Windows 7, and Windows Server 2008 R2, rights policy templates are automatically managed by the AD RMS client. A new template distribution pipeline has been created that the AD RMS client can poll for updates. If a rights policy template has been added, changed, or deleted, the client detects these changes and updates the local rights policy templates during its next refresh. The rights policy templates are stored locally on the AD RMS client running Windows Vista with SP1, Windows Server 2008, Windows 7, and Windows Server 2008 R2 in the %localappdata%\Microsoft\DRM\templates folder. For Windows XP, Windows 2000, and Windows Server 2003, the path is %appdata%\Microsoft\DRM\templates.
http://technet.microsoft.com/en-us/library/dd996658%28WS.10%29.aspx
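The registry value named in the explanation above (updateFrequency under HKEY_CURRENT_USER\Software\Microsoft\MSDRM\TemplateManagement) is per user, so it must be set in each user's hive. The script below is an added example, not from the page or from Microsoft, that sets the interval to seven days for the current user, reads it back, and lists the local template cache so you can see whether the automated task has refreshed yet. Deploying it through a logon script or a Group Policy Preferences registry item is an assumption about how you would roll it out; the key, value name, type and folder path are the ones the text gives.

```powershell
# Added example: shorten the AD RMS client's rights policy template refresh interval
# from the 30-day default to 7 days (current user), then verify. The registry path,
# DWORD name and template folder come from the TechNet text; the rollout method
# (logon script / GPP) is an assumption.
$key  = 'HKCU:\Software\Microsoft\MSDRM\TemplateManagement'
$days = 7

# The key does not exist by default, which is what gives the 30-day behaviour.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# updateFrequency is a DWORD holding the interval in days.
New-ItemProperty -Path $key -Name 'updateFrequency' -PropertyType DWord -Value $days -Force | Out-Null

# Read it back instead of trusting the write; a GPO or another script could have
# overwritten it, and a REG_SZ "7" would be ignored by the client.
$prop = Get-ItemProperty -Path $key -Name 'updateFrequency'
if ($prop.updateFrequency -ne $days) {
    throw "updateFrequency is $($prop.updateFrequency), expected $days"
}
"updateFrequency for $env:USERNAME is now $($prop.updateFrequency) day(s)"

# Show what the automated template task has already pulled down for this user
# (Vista SP1 / Windows 7 location named in the text).
$templateDir = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\templates'
if (Test-Path $templateDir) {
    Get-ChildItem -Path $templateDir | Select-Object Name, LastWriteTime
} else {
    "No local template cache at $templateDir yet; the scheduled task has not run for this user."
}
```

Because the value is read by the Automated scheduled task when it runs, changing it does not by itself trigger a download; the next run of that task picks up the new interval.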

QUESTION 5
Your company has a main office and a branch office. The branch office contains a read-only domain controller (RODC) named RODC1. You need to ensure that a user named Admin1 can install updates on RODC1. The solution must prevent Admin1 from logging on to other domain controllers. What should you do?

A. Run ntdsutil.exe and use the Roles option.
B. Run dsmgmt.exe and use the Local Roles option.
C. From Active Directory Sites and Services, modify the NTDS Site Settings.
D. From Active Directory Users and Computers, add the user to the Server Operators group.

Answer: B Section: Configuring Additional AD Server Roles Explanation/Reference:

Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members from the Administrators group and other built-in groups on the RODC. For more information about syntax and examples for using this command, see local roles (http://go.microsoft.com/fwlink/?LinkId=120147). http://technet.microsoft.com/en-us/library/cc755310(v=WS.10).aspx
-Q Read-only domain controllers
Administrator Role Separation: delegate the admin role to any user, either in the dcpromo answer file or with Dsmgmt.exe. Applies only to an RODC. The delegated admin user can install updates and drivers and perform admin tasks on that RODC.

QUESTION 6
You install a read-only domain controller (RODC) named RODC1. You need to ensure that a user named User1 can administer RODC1. The solution must minimize the number of permissions assigned to User1. Which tool should you use?

A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Dsadd
D. Dsmgmt

Answer: D Section: Configuring Additional AD Server Roles Explanation/Reference:

Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members from the Administrators group and other built-in groups on the RODC. For more information about syntax and examples for using this command, see local roles (http://go.microsoft.com/fwlink/?LinkId=120147). http://technet.microsoft.com/en-us/library/cc755310(v=WS.10).aspx
-Q Read-only domain controllers
Administrator Role Separation: delegate the admin role to any user, either in the dcpromo answer file or with Dsmgmt.exe. Applies only to an RODC. The delegated admin user can install updates and drivers and perform admin tasks on that RODC.
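Questions 5 and 6 both come down to the dsmgmt local roles command. The script below is an added example, not from the page or from Microsoft, that delegates the RODC's local Administrators role to one account, verifies it on the RODC, and then checks that the same account does not also sit in a domain-wide admin group (which would defeat the "minimal permissions" requirement). RODC1 and CONTOSO\Admin1 are made-up names; the commands are passed to dsmgmt as quoted arguments in the same form they would be typed at its interactive prompt.

```powershell
# Added example: Administrator Role Separation on an RODC with dsmgmt "local roles",
# plus a check that the delegated account has no domain-wide admin rights.
# Run on the RODC from an elevated prompt. Names are assumptions.
$rodc = 'RODC1'
$user = 'CONTOSO\Admin1'

# Add the account to the RODC's local Administrators role only. This grants nothing
# on any other domain controller, which is the point of role separation.
dsmgmt "local roles" "add $user administrators" quit quit

# Verify on the RODC itself.
dsmgmt "local roles" "show role administrators" quit quit

# Confirm the account is not also a member of domain-wide privileged groups; if it
# is, the delegation is pointless because those groups already reach every DC.
# Requires the ActiveDirectory module (RSAT / Windows Server 2008 R2).
Import-Module ActiveDirectory
$sam      = $user.Split('\')[1]
$memberOf = (Get-ADUser -Identity $sam -Properties MemberOf).MemberOf
$privileged = $memberOf | Where-Object {
    $_ -match '^CN=(Domain Admins|Administrators|Enterprise Admins|Schema Admins|Server Operators),'
}
if ($privileged) {
    "WARNING: $user also holds domain-wide admin rights: $($privileged -join '; ')"
} else {
    "$user is limited to the local Administrators role on $rodc"
}
```

To reverse the delegation later, the corresponding dsmgmt command is "remove <account> administrators" in the same local roles menu.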

QUESTION 7
Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains four domain controllers. Site2 contains a read-only domain controller (RODC). You add a user named User1 to the Allowed RODC Password Replication Group. The WAN link between Site1 and Site2 fails. User1 restarts his computer and reports that he is unable to log on to the domain. The WAN link is restored and User1 reports that he is able to log on to the domain. You need to prevent the problem from occurring again if the WAN link fails. What should you do?

A. Create a Password Settings object (PSO) and link the PSO to User1's user account.
B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.
C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.
D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.

Answer: D Section: Configuring Additional AD Server Roles Explanation/Reference:

User/Machine authentication
User and machine authentication work pretty much identically. From DNS and the DCLocator process, the client figures out that the RODC is the authoritative authentication source for its site (1). It requests to be authenticated by the RODC. The RODC checks its database to see whether it has already stored the user's/computer's credentials (2). Since this isn't the case, it'll use the WAN connection (3) and forward the auth request to a writable DC. Since the writable DC knows about the credentials in question, it'll check them (4) and, if the password provided was correct, it'll send back the response to the RODC (5), which will happily provide the successful auth (6) to the user/computer.
By that time, the client's request is serviced, but the RODC isn't happy about not being able to process the auth request on its own. In order to do better, it'll request the user's/computer's credentials from the writable DC, to be able to perform the authentication on its own. The writable DC checks the Password Replication Policy to find out whether the RODC is allowed to cache that password. If so, the DC replicates the credentials to the RODC, which happily stores them in its local database. Now the RODC is able to authenticate the user/computer if there is a WAN outage. Before the special password replication (which doesn't take place during normal replication), the RODC wouldn't be able to service the client's request if the WAN link was down.
http://www.frickelsoft.net/blog/?p=232
QUESTION 8
Your company has a main office and a branch office. The network contains an Active Directory domain. The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named DC2. You discover that the password of an administrator named Admin1 is cached on DC2. You need to prevent Admin1's password from being cached on DC2. What should you do?

A. Modify the NTDS Site Settings.
B. Modify the properties of the domain.
C. Create a Password Settings object (PSO).
D. Modify the properties of the DC2 computer account.

Answer: D Section: Maintaining the AD Environment Explanation/Reference:

Not certain on this one. This is all I can find on the topic.
Managing passwords and the PRP
Depending on your security and service availability requirements for your RODC site, you may want to change the default PRP. The PRP acts as an access control list (ACL). It determines whether an RODC is permitted to cache a password. After the RODC receives an authenticated user or computer logon request, if it does not have the credentials cached locally, it forwards the logon request to a writable Windows Server 2008 domain controller. The writable domain controller refers to the PRP to determine whether the password for the account should be cached on the RODC. For more information about how the PRP works, see Credential caching. You can change the PRP by modifying attributes of an RODC. For more information about changing the PRP, see Administering the Password Replication Policy.
Default PRP
By default, all RODCs have the same Password Replication Policy (PRP). The default PRP specifies that no account passwords can be cached on any RODC, and certain accounts are explicitly denied from being cached on any RODC. The RODC PRP is determined by two multivalued Active Directory attributes that contain security principals (users, computers, and groups):
msDS-Reveal-OnDemandGroup, also commonly known as the Allowed List
msDS-NeverRevealGroup, also commonly known as the Denied List
The msDS-Reveal-OnDemandGroup attribute specifies what security principals can have passwords cached on an RODC. By default, this attribute has one value, which is the Allowed RODC Password Replication Group. Because this domain local group has no members by default, no account passwords can be cached on any RODC by default.
The msDS-NeverRevealGroup attribute specifies what security principals are explicitly denied from having their passwords cached on an RODC. By default, this attribute has the following values:
Account Operators
Server Operators
Backup Operators
Administrators
Denied RODC Password Replication Group, which is a domain local group that includes the following:
  Enterprise Domain Controllers
  Enterprise Read-Only Domain Controllers
  Group Policy Creator Owners
  Domain Admins
  Cert Publishers
  Enterprise Admins
  Schema Admins
  Domain-wide krbtgt account
Modifying the PRP
By using a combination of the Allowed List and the Denied List for each RODC with the domain-wide password replication groups, you have great flexibility to decide precisely which accounts can be cached on specific RODCs. The following table describes three examples of ways that you might administer the PRP to manage how passwords are cached on the RODCs that you deploy. You can customize any of these examples to best suit your needs.
QUESTION 9
Your network contains an Active Directory domain named contoso.com. The network has a branch office site that contains a read-only domain controller (RODC) named RODC1. RODC1 runs Windows Server 2008 R2. A user named User1 logs on to a computer in the branch office site. You discover that User1's password is not stored on RODC1. You need to ensure that User1's password is stored on RODC1. What should you modify?

A. the Member Of properties of RODC1
B. the Member Of properties of User1
C. the security properties of RODC1
D. the security properties of User1

Answer: B Section: Configuring Additional AD Server Roles Explanation/Reference:

QUESTION 10
Your company has a main office and a branch office. The branch office has an Active Directory site that contains a read-only domain controller (RODC). A user from the branch office reports that his account is locked out. From a writable domain controller in the main office, you discover that the user's account is not locked out. You need to ensure that the user can log on to the domain. What should you do?

A. Modify the Password Replication Policy.
B. Reset the password of the user account.
C. Run the Knowledge Consistency Checker (KCC) on the RODC.
D. Restore network communication between the branch office and the main office.

Answer: D Section: Configuring Additional AD Server Roles Explanation/Reference: If the credentials are not cached previously to the RODC, a writable DC needs to be contacted to verify the authentication attempt.

QUESTION 11
Your network contains a single Active Directory domain. The domain contains five read-only domain controllers (RODCs) and five writable domain controllers. All servers run Windows Server 2008. You plan to install a new RODC that runs Windows Server 2008 R2. You need to ensure that you can add the new RODC to the domain. You want to achieve this goal by using the minimum amount of administrative effort. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. At the command prompt, run adprep.exe /rodcprep.
B. At the command prompt, run adprep.exe /forestprep.
C. At the command prompt, run adprep.exe /domainprep.
D. From Active Directory Domains and Trusts, raise the functional level of the domain.
E. From Active Directory Users and Computers, prestage the computer account of the RODC.

Answer: BC
Section: Configuring Additional AD Server Roles

Explanation/Reference:

Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008 or Windows Server 2008 R2. The adprep commands extend the Active Directory schema and update security descriptors so that you can add the new domain controllers. There are different versions of Adprep.exe for Windows Server 2008 and Windows Server 2008 R2. For more information, see Running Adprep.exe (http://go.microsoft.com/fwlink/?LinkID=142597).

Prepare the forest and domains. There are three adprep commands to complete and have the changes replicate throughout the forest. Run the three commands as follows:
1. Prepare the forest by running adprep /forestprep on the server that holds the schema master operations master (also known as flexible single master operations or FSMO) role to update the schema. For more information, see Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2.
2. Prepare the domain by running adprep /domainprep /gpprep on the server that holds the infrastructure operations master role. For more information, see Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2.
3. If you are installing an RODC in an existing Windows Server 2003 domain, you must also run adprep /rodcprep. For more information, see Prepare a Forest for a Read-Only Domain Controller. For more information about how to resolve possible errors when you run adprep /rodcprep, see Adprep /rodcprep can have an error if the infrastructure master for an application directory partition is not available.

Install Active Directory Domain Services (AD DS). You can install AD DS by using a wizard, the command line, or an answer file. For more information, see Installing an Additional Domain Controller (http://go.microsoft.com/fwlink/?LinkID=93254).

Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the same domain as the RODC and ensure that the writable domain controller is also a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.
http://technet.microsoft.com/en-us/library/cc731243(v=ws.10).aspx
QUESTION 12
You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named Server1. You need to configure Windows Firewall on Server1 to allow external users to authenticate by using AD FS. Which inbound TCP port should you allow on Server1?
A. 88
B. 135
C. 443
D. 445

Answer: C
Section: Configuring AD Federated Services
Explanation/Reference:

Firewalls:
- Internal and external users will need to access the application over SSL (typically port 443).
- The AD FS 2.0 Proxy Server will need to access the internal AD FS server over SSL (default port 443).
- Internal users will need to access the internal Federation Service on its SSL port (TCP/443 by default).
- External users will need to access the Federation Service Proxy on its SSL port (TCP/443 by default).
QUESTION 13
You deploy a new Active Directory Federation Services (AD FS) federation server. You request new certificates for the AD FS federation server. You need to ensure that the AD FS federation server can use the new certificates. To which certificate store should you import the certificates?
A. Computer
B. IIS Admin Service service account
C. Local Administrator
D. World Wide Web Publishing Service service account

Answer: A
Section: Configuring AD Federated Services
Explanation/Reference:

Before you install the AD FS 2.0 software on the computer that will become the federation server, make sure that both certificates are in the Local Computer personal certificate store and that the service communication certificate is assigned to the Default Web Site. For more information about the order of the tasks that are required to set up a federation server, see Checklist: Setting Up a Federation Server.
QUESTION 14
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 has the Active Directory Federation Services (AD FS) role installed. You have an application named App1 that is configured to use Server1 for AD FS authentication. You deploy a new server named Server2. Server2 is configured as an AD FS 2.0 server. You need to ensure that App1 can use Server2 for authentication. What should you do on Server2?
A. Add an attribute store.
B. Create a relying party trust.
C. Create a claims provider trust.
D. Create a relying provider trust.

Answer: B
Section: Configuring AD Federated Services
Explanation/Reference:

Add a Relying Party Trust
Applies To: Active Directory Federation Services (AD FS) 2.0
You can use the Add Relying Party Trust Wizard in Active Directory Federation Services (AD FS) 2.0 to add a new relying party trust and configure a new relying party.

To add a new relying party trust:
1. Click Start, point to Administrative Tools, and then click AD FS 2.0.
2. Under AD FS 2.0\Trust Relationships, right-click the Relying Party Trusts folder, and then click Add Relying Party Trust to open the Add Relying Party Trust Wizard.
3. On the Welcome page, click Start.
4. On the Select Data Source page, click Enter data about the relying party manually, and then click Next.
   Note: The Select Data Source page provides three options for entering the data about the relying party. If the relying party publishes its federation metadata or can provide a file copy of it for you to use, the automatic retrieval method is recommended. It can save time, and it allows you to skip most of the remaining steps in this procedure. The third option is to enter all the configuration data for the new relying party trust manually, as described in steps 5 through 9.
5. On the Specify Display Name page, type a name in Display name. Click Next after you enter the description details. You have the option, but you are not required, to enter details in the Notes text box.
6. On the Choose Profile page, select the appropriate profile for your needs, and then click Next. If you know you will require interoperability with federation servers running an earlier version of AD FS, such as provided in Windows Server 2003 R2, click AD FS 1.0 and 1.1 profile. Otherwise, click AD FS 2.0 profile.
7. On the Configure Certificate page, click Browse to browse to and locate a certificate file and add it to the list of certificates, and then click Next.
8. On the Configure URL page, select the appropriate check boxes and specify any corresponding URLs as appropriate for the WS-Federation Passive protocol-based or Security Assertion Markup Language (SAML) 2.0 WebSSO protocol-based endpoint, and then click Next.
9. On the Configure Identifiers page, you must specify at least one identifier for this relying party trust. Type the URI you want to use here, click Add to add it to the list, and then click Next.
10. On the Choose Issuance Authorization Rules page, select whether you want to permit all users or restrict them, based on configuring authorization rules, and then click Next.
11. On the Ready to Add Trust page, review your settings. When you are ready to save your settings, click Next.
12. On the Finish page, click Close.
http://technet.microsoft.com/en-us/library/adfs2-help-how-to-add-a-relying-party-trust(v=WS.10).aspx
QUESTION 15
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. The Active Directory Federation Services (AD FS) role is installed on Server1. Contoso.com is defined as an account store. A partner company has a Web-based application that uses AD FS authentication. The partner company plans to provide contoso.com users with access to the Web application. You need to configure AD FS on contoso.com to allow contoso.com users to be authenticated by the partner company. What should you create on Server1?
A. a new application
B. a resource partner
C. an account partner
D. an organization claim

Answer: C
Section: Configuring AD Federated Services
Explanation/Reference:

Account partner
An account partner represents the organization in the federation trust relationship that physically stores user accounts in either an Active Directory Domain Services (AD DS) store or an Active Directory Lightweight Directory Services (AD LDS) store. The account partner is responsible for collecting and authenticating a user's credentials, building up claims for that user, and packaging the claims into security tokens. These tokens can then be presented across a federation trust for access to Web-based resources that are located in the resource partner organization. In other words, an account partner represents the organization for whose users the account-side Federation Service issues security tokens. The Federation Service in the account partner organization authenticates local users and creates security tokens that are used by the resource partner in making authorization decisions.

In relation to AD DS, the account partner in AD FS is conceptually equivalent to a single AD DS forest whose accounts need access to resources that are physically located in another forest. Accounts in this example forest can access resources in the resource forest only when an external trust or forest trust relationship exists between the two forests and the resources to which the users are trying to gain access have been set with the proper authorization permissions.

Resource partner
A resource partner is the second organizational partner in the federation trust relationship. A resource partner is the organization where the AD FS-enabled Web servers that host one or more Web-based applications (the resources) reside. The resource partner trusts the account partner to authenticate users. Therefore, to make authorization decisions, the resource partner consumes the claims that are packaged in security tokens coming from users in the account partner. In other words, a resource partner represents the organization whose AD FS-enabled Web servers are protected by the resource-side Federation Service. The Federation Service at the resource partner uses the security tokens that are produced by the account partner to make authorization decisions for AD FS-enabled Web servers that are located in the resource partner.

To function as an AD FS resource, an AD FS-enabled Web server in the resource partner organization must have the AD FS Web Agent component of AD FS installed. Web servers that function as an AD FS resource can host either claims-aware applications or Windows NT token-based applications.
http://technet.microsoft.com/en-us/library/cc731141.aspx
QUESTION 16
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has the Active Directory Federation Services (AD FS) Federation Service role service installed. You plan to deploy AD FS 2.0 on Server2. You need to export the token authentication certificate from Server1, and then import the certificate to Server2. Which format should you use to export the certificate?
A. Base-64 encoded X.509 (.cer)
B. Cryptographic Message Syntax Standard PKCS #7 (.p7b)
C. DER encoded binary X.509 (.cer)
D. Personal Information Exchange PKCS #12 (.pfx)

Answer: C
Section: Configuring AD Federated Services
Explanation/Reference:

Export the token signing certificate
Use the procedure in this section to export the token signing certificate of the AD FS Server with which you want to establish a trust relationship, and then copy the certificate to a location that SharePoint Server 2010 can access.

To export a token signing certificate:
1. Verify that the user account that is performing this procedure is a member of the Administrators group on the local computer. For additional information about accounts and group memberships, see Local and Domain Default Groups.
2. Open the Active Directory Federation Services (AD FS) 2.0 Management console.
3. In the left pane, click to expand Service, and then click the Certificates folder.
4. Under Token signing, click the primary token certificate as indicated in the Primary column.
5. In the right pane, click the View Certificate link. This displays the properties of the certificate.
6. Click the Details tab.
7. Click Copy to File. This starts the Certificate Export Wizard.
8. On the Welcome to the Certificate Export Wizard page, click Next.
9. On the Export Private Key page, click No, do not export the private key, and then click Next.
10. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.
11. On the File to Export page, type the name and location of the file you want to export, and then click Next. For example, enter C:\ADFS.cer.
12. On the Completing the Certificate Export Wizard page, click Finish.
http://technet.microsoft.com/en-us/library/hh305235.aspx

QUESTION 17
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has Active Directory Federation Services (AD FS) 2.0 installed. Server1 is a member of an AD FS farm. The AD FS farm is configured to use a configuration database that is stored on a separate Microsoft SQL Server server. You install AD FS 2.0 on Server2. You need to add Server2 to the existing AD FS farm. What should you do?
A. On Server1, run fsconfig.exe.
B. On Server1, run fsconfigwizard.exe.
C. On Server2, run fsconfig.exe.
D. On Server2, run fsconfigwizard.exe.

Answer: C
Section: Configuring AD Federated Services
Explanation/Reference:
To configure a new federation server using the command line:
fsconfig.exe {StandAlone|CreateFarm|CreateSQLFarm|JoinFarm|JoinSQLFarm} [deployment specific parameters]
http://technet.microsoft.com/en-us/library/adfs2-help-how-to-configure-a-new-federation-server%28WS.10%29.aspx

The AD FS configuration database stores all the configuration data that represents a single instance of Active Directory Federation Services (AD FS) 2.0 (that is, the Federation Service). The AD FS configuration database defines the set of parameters that a Federation Service requires to identify partners, certificates, attribute stores, claims, and various data about these associated entities. You can store this configuration data in either a Microsoft SQL Server database or the Windows Internal Database (WID) feature that is included with Windows Server 2008 and Windows Server 2008 R2.
QUESTION 18
Your network contains an Active Directory forest. You set the Windows PowerShell execution policy to allow unsigned scripts on a domain controller in the network. You create a Windows PowerShell script named new-users.ps1 that contains the following lines:
new-aduser user1
new-aduser user2
new-aduser user3
new-aduser user4
new-aduser user5
On the domain controller, you double-click the script and the script runs. You discover that the script fails to create the user accounts. You need to ensure that the script creates the user accounts. Which cmdlet should you add to the script?
A. Import-Module
B. Register-ObjectEvent
C. Set-ADDomain
D. Set-ADUser

Answer: A
Section: Powershell & Command line cmds
Explanation/Reference:

The Import-Module cmdlet adds one or more modules to the current session. A module is a package that contains members (such as cmdlets, providers, scripts, functions, variables, and other tools and files) that can be used in Windows PowerShell. After a module is imported, you can use the module members in your session. To import a module, use the Name, Assembly, or ModuleInfo parameter to identify the module to import. By default, Import-Module imports all members that the module exports, but you can use the Alias, Function, Cmdlet, and Variable parameters to restrict the members that are imported. Import-Module imports a module only into the current session. To import the module into all sessions, add an Import-Module command to your Windows PowerShell profile. For more information about profiles, see about_Profiles. For more information about modules, see about_Modules.
QUESTION 19
Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects. You need to modify the value of the custom attribute for 500 user accounts. Which tool should you use?
A. Csvde
B. Dsmod
C. Dsrm
D. Ldifde

Answer: D
Section: Powershell & Command line cmds
Explanation/Reference:
LDIFDE: CAN move or modify objects
CSVDE: CANNOT move or modify an object

Microsoft recommends that you use the Ldifde utility for Modify or Delete operations.
QUESTION 20
Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects. You need to give the human resources department a file that contains the last logon time and the custom attribute values for each user in the forest. What should you use?
A. the Dsquery tool
B. the Export-CSV cmdlet
C. the Get-ADUser cmdlet
D. the Net.exe user command

Answer: C
Section: Powershell & Command line cmds
Explanation/Reference:

The Get-ADUser cmdlet gets a user object or performs a search to retrieve multiple user objects. The Identity parameter specifies the Active Directory user to get. You can identify a user by its distinguished name (DN), GUID, security identifier (SID), Security Accounts Manager (SAM) account name or name. You can also set the parameter to a user object variable, such as $<localUserObject> or pass a user object through the pipeline to the Identity parameter. To search for and retrieve more than one user, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter. This cmdlet retrieves a default set of user object properties. To retrieve additional properties use the Properties parameter. http://technet.microsoft.com/en-us/library/ee617241.aspx

Exam I
QUESTION 1
You have a Windows PowerShell script that contains the following code:
Import-CSV Accounts.csv | foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword $_.password}
When you run the script, you receive an error message indicating that the format of the password is incorrect. The script fails. You need to run a script that successfully creates the user accounts by using the password contained in Accounts.csv. Which script should you run?
A. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -force)}
B. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force)}
C. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (Read-Host -AsSecureString "Password")}
D. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (Read-Host -AsSecureString $_.Password)}

Answer: B
Section: Powershell & Command line cmds
Explanation/Reference:

I believe the "Password" parameter in "A" is when you specify the actual password in the command, whereas the $_.Password parameter in "B" is a variable that would use the password in the CSV file. Need to check that, though.

ConvertTo-SecureString
Applies To: Windows PowerShell 2.0
Converts encrypted standard strings to secure strings. It can also convert plain text to secure strings. It is used with ConvertFrom-SecureString and Read-Host.

Syntax
ConvertTo-SecureString [-Key <Byte[]>] [-String] <string> [<CommonParameters>]
ConvertTo-SecureString [-AsPlainText] [-Force] [-String] <string> [<CommonParameters>]
ConvertTo-SecureString [[-SecureKey] <SecureString>] [-String] <string> [<CommonParameters>]

Description
The ConvertTo-SecureString cmdlet converts encrypted standard strings into secure strings. It can also convert plain text to secure strings. It is used with ConvertFrom-SecureString and Read-Host. The secure string created by the cmdlet can be used with cmdlets or functions that require a parameter of type SecureString. The secure string can be converted back to an encrypted, standard string using the ConvertFrom-SecureString cmdlet. This enables it to be stored in a file for later use. If the standard string being converted was encrypted with ConvertFrom-SecureString using a specified key, that same key must be provided as the value of the Key or SecureKey parameter of the ConvertTo-SecureString cmdlet.

Parameters

-AsPlainText
Specifies a plain text string to convert to a secure string. The secure string cmdlets help protect confidential text. The text is encrypted for privacy and is deleted from computer memory after it is used. If you use this parameter to provide plain text as input, the system cannot protect that input in this manner. To use this parameter, you must also specify the Force parameter.
Required? false
Position? 2
Default Value none
Accept Pipeline Input? false
Accept Wildcard Characters? false

-Force
Confirms that you understand the implications of using the AsPlainText parameter and still want to use it.
Required? false
Position? 3
Default Value none
Accept Pipeline Input? false
Accept Wildcard Characters? false

-Key <Byte[]>
Specifies the encryption key to use when converting a secure string into an encrypted standard string. Valid key lengths are 16, 24, and 32 bytes.
Required? false
Position? named
Default Value none
Accept Pipeline Input? false
Accept Wildcard Characters? false

-SecureKey <SecureString>
Specifies the encryption key to use when converting a secure string into an encrypted standard string. The key must be provided in the format of a secure string. The secure string is converted to a byte array before being used as the key. Valid key lengths are 16, 24, and 32 bytes.
Required? false
Position? 2
Default Value none
Accept Pipeline Input? false
Accept Wildcard Characters? false

-String <string>
Specifies the string to convert to a secure string.
Required? true
Position? 1
Default Value none
Accept Pipeline Input? true (ByValue)
Accept Wildcard Characters? false

<CommonParameters>
This command supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, OutBuffer, OutVariable, WarningAction, and WarningVariable. For more information, see about_CommonParameters.

Inputs and Outputs
The input type is the type of the objects that you can pipe to the cmdlet. The return type is the type of the objects that the cmdlet returns.

Inputs
System.String
You can pipe a standard encrypted string to ConvertTo-SecureString.

Outputs
System.Security.SecureString
ConvertTo-SecureString returns a SecureString object.

Example 1
C:\PS>$secure = read-host -assecurestring
C:\PS> $secure
System.Security.SecureString
C:\PS> $encrypted = convertfrom-securestring -securestring $secure
C:\PS> $encrypted
01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a114d45b8dd3f4aa11ad7c0abdae9800000000002000000000003660000a8000000100000005df63cea84bfb7d70bd6842e7efa79820000000004800000a000000010000000f10cd0f4a99a8d5814d94e0687d7430b100000008bf11f1960158405b2779613e9352c6d14000000e6b7bf46a9d485ff211b9b2a2df3bd6eb67aae41
C:\PS> $secure2 = convertto-securestring -string $encrypted
C:\PS> $secure2
System.Security.SecureString

Description
This example shows how to create a secure string from user input, convert the secure string to an encrypted standard string, and then convert the encrypted standard string back to a secure string.
The first command uses the AsSecureString parameter of the Read-Host cmdlet to create a secure string. After you enter the command, any characters that you type are converted into a secure string and then saved in the $secure variable.
The second command displays the contents of the $secure variable. Because the $secure variable contains a secure string, Windows PowerShell displays only the System.Security.SecureString type.
The third command uses the ConvertFrom-SecureString cmdlet to convert the secure string in the $secure variable into an encrypted standard string. It saves the result in the $encrypted variable.
The fourth command displays the encrypted string in the value of the $encrypted variable.
The fifth command uses the ConvertTo-SecureString cmdlet to convert the encrypted standard string in the $encrypted variable back into a secure string. It saves the result in the $secure2 variable.
The sixth command displays the value of the $secure2 variable. The SecureString type indicates that the command was successful.

Example 2
C:\PS>$secure = read-host -assecurestring
C:\PS> $encrypted = convertfrom-securestring -secureString $secure -key (1..16)
C:\PS> $encrypted | set-content encrypted.txt
C:\PS> $secure2 = get-content encrypted.txt | convertto-securestring -key (1..16)

Description
This example shows how to create a secure string from an encrypted standard string that is saved in a file.
The first command uses the AsSecureString parameter of the Read-Host cmdlet to create a secure string. After you enter the command, any characters that you type are converted into a secure string and then saved in the $secure variable.
The second command uses the ConvertFrom-SecureString cmdlet to convert the secure string in the $secure variable into an encrypted standard string by using the specified key. The contents are saved in the $encrypted variable.
The third command uses a pipeline operator (|) to send the value of the $encrypted variable to the Set-Content cmdlet, which saves the value in the Encrypted.txt file.
The fourth command uses the Get-Content cmdlet to get the encrypted standard string in the Encrypted.txt file. The command uses a pipeline operator to send the encrypted string to the ConvertTo-SecureString cmdlet, which converts it to a secure string by using the specified key. The results are saved in the $secure2 variable.

Example 3
C:\PS>$secure_string_pwd = convertto-securestring "P@ssW0rD!" -asplaintext -force

Description
This command converts the plain text string "P@ssW0rD!" into a secure string and stores the result in the $secure_string_pwd variable. To use the AsPlainText parameter, the Force parameter must also be included in the command.
http://technet.microsoft.com/en-us/library/dd347656.aspx
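The following script is an added example, not code from the exam dump or from Microsoft's documentation. It joins the two points made in Question 18 and in this question: the ActiveDirectory module is imported first, and each plain-text Password column value is converted with ConvertTo-SecureString as in answer B. It goes one step further than the answer by using -ErrorAction Stop so a row that fails is reported rather than silently skipped. The CSV content, its path and the OU distinguished name are constructed placeholders.

```powershell
# Added example (not from the exam or from Microsoft): bulk-create AD users from a CSV
# whose Password column holds plain text. Needs the ActiveDirectory module (RSAT or a DC).
Import-Module ActiveDirectory   # the cmdlet Question 18 says the failing script lacked

# Constructed sample input standing in for Accounts.csv; the path is a placeholder.
$csvPath = Join-Path -Path $env:TEMP -ChildPath 'Accounts.csv'
@'
Name,SamAccountName,Password
User1,user1,P@ssW0rD!1
User2,user2,P@ssW0rD!2
'@ | Set-Content -Path $csvPath

$targetOu = 'OU=Staff,DC=contoso,DC=com'   # placeholder OU distinguished name
$created  = @()

Import-Csv -Path $csvPath | ForEach-Object {
    $row = $_   # keep the CSV row: inside catch, $_ is the error record, not the row

    # New-ADUser -AccountPassword requires a SecureString, so the plain-text column is
    # converted here. -Force must accompany -AsPlainText (see the cmdlet help above).
    $securePwd = ConvertTo-SecureString -String $row.Password -AsPlainText -Force

    try {
        New-ADUser -Name $row.Name `
                   -SamAccountName $row.SamAccountName `
                   -AccountPassword $securePwd `
                   -Enabled $true `
                   -Path $targetOu `
                   -ChangePasswordAtLogon $true `
                   -ErrorAction Stop   # make a failed creation a terminating, catchable error
        $created += $row.SamAccountName
    }
    catch {
        Write-Warning "Could not create $($row.SamAccountName): $($_.Exception.Message)"
    }
}

# The CSV held the passwords in clear text, so remove it once the accounts exist;
# -ChangePasswordAtLogon above makes each user replace that initial password anyway.
Remove-Item -Path $csvPath -Force
Write-Output "Created $($created.Count) account(s): $($created -join ', ')"
```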
QUESTION 2
Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2. Your company's corporate security policy states that the password for each user account must be changed at least every 45 days. You have a user account named Service1. Service1 is used by a network application named Application1. Every 45 days, Application1 fails. After you reset the password for Service1, Application1 runs properly. You need to resolve the issue that causes Application1 to fail. The solution must adhere to the corporate security policy. What should you do?
A. Run the Set-ADAccountControl cmdlet.
B. Run the Set-ADServiceAccount cmdlet.
C. Create a new password policy.
D. Create a new Password Settings object (PSO).

Answer: B
Section: Powershell & Command line cmds
Explanation/Reference:

Set-ADServiceAccount
Modifies an Active Directory service account.

Detailed Description
The Set-ADServiceAccount cmdlet modifies the properties of an Active Directory service account. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters.
The Identity parameter specifies the Active Directory service account to modify. You can identify a service account by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localServiceAccountObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount cmdlet to retrieve a service account object and then pass the object through the pipeline to the Set-ADServiceAccount cmdlet.
The Instance parameter provides a way to update a service account object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an Active Directory service account object that has been modified, the Set-ADServiceAccount cmdlet makes the same changes to the original service account object. To get a copy of the object to modify, use the Get-ADServiceAccount object. When you specify the Instance parameter you should not pass the Identity parameter. For more information about the Instance parameter, see the Instance parameter description. For more information about how the Instance concept is used in Active Directory cmdlets, see about_ActiveDirectory_Instance.

Instance
Specifies a modified copy of a service account object to use to update the actual Active Directory service account object. When this parameter is used, any modifications made to the modified copy of the object are also made to the corresponding Active Directory object. The cmdlet only updates the object properties that have changed.
The Instance parameter can only update service account objects that have been retrieved by using the Get-ADServiceAccount cmdlet. When you specify the Instance parameter, you cannot specify other parameters that set properties on the object.
The following is an example of how to use the Get-ADServiceAccount cmdlet to retrieve an instance of the ADServiceAccount object. The object is modified by using the Windows PowerShell command line. Then the Set-ADServiceAccount cmdlet saves the changes to the Active Directory object.
Step 1: Retrieve a local instance of the object.
$serviceAccountInstance = Get-ADServiceAccount -Identity ADServiceAdmin
Step 2: Modify one or more properties of the object instance.
$serviceAccountInstance.Description = "default"
Step 3: Save your changes to ADServiceAdmin.
Set-ADServiceAccount -Instance $serviceAccountInstance
http://technet.microsoft.com/en-us/library/ee617252.aspx

http://technet.microsoft.com/en-us/library/ee617249.aspx

QUESTION 3
Your network contains an Active Directory forest. You add additional user principal name (UPN) suffixes to the forest. You need to modify the UPN suffix of all users. You want to achieve this goal by using the minimum amount of administrative effort.

What should you use?
A. the Active Directory Domains and Trusts console
B. the Active Directory Users and Computers console
C. the Csvde tool
D. the Ldifde tool

Answer: D
Section: Configuring Domains and Trusts
Explanation/Reference:
In TechNet they talk about using PowerShell scripts to do this, but of the answers here, Ldifde is the one most likely to be used to modify AD attributes for multiple users. It is not ADDT, because it would only affect the UPN for new users:

QUESTION 4
Your network contains a single Active Directory domain. All client computers run Windows Vista Service Pack 2 (SP2). You need to prevent users from running an application named App1.exe. Which Group Policy settings should you configure?
A. Application Compatibility
B. AppLocker
C. Software Installation
D. Software Restriction Policies

Answer: D Section: Maintaining the AD Environment Explanation/Reference: Reason : applocker is a Windows 2008 R2 and Windows 7 feature. Software Restriction Policies applied to

vista and earlier. http://technet.microsoft.com/en-us/library/dd759117.aspx

QUESTION 5
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run Windows XP Service Pack 3 (SP3) or Windows Vista. You need to ensure that all client computers can apply Group Policy preferences. What should you do?
A. Upgrade all Windows XP client computers to Windows 7.
B. Create a central store that contains the Group Policy ADMX files.
C. Install the Group Policy client-side extensions (CSEs) on all client computers.
D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).

Answer: C
Section: Configuring Group Policy
Explanation/Reference:
Reason: Group Policy preferences / Group Policy client-side extensions (CSEs) enable information technology professionals to configure, deploy, and manage operating system (XP, for example) and application settings they previously were not able to manage using Group Policy. After you install this update, your computer will be able to process the new Group Policy preference extensions.

This article discusses the Group Policy preferences that are new in Windows Server 2008 and how to enable down-level computers to process these new items. Group Policy preferences are made up of more than 20 new Group Policy client-side extensions (CSEs) that expand the range of configurable settings in a Group Policy object (GPO). These new preference extensions are included in the Group Policy Management Editor window of the Group Policy Management Console (GPMC). The kinds of preference items that can be created by using each extension are listed when New is selected for the extension. Examples of the new Group Policy preference extensions include the following:
Folder Options
Drive Maps
Printers
Scheduled Tasks
Services
Start Menu
Updated versions of the new Windows Server 2008 Group Policy preferences client-side extensions for Windows Server 2003 and Windows XP can be downloaded by using Windows Update.
http://support.microsoft.com/kb/943729
QUESTION 6
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run Windows 7 or Windows Vista Service Pack 2 (SP2).

You need to audit user access to administrative actions on the client computers. What should you do?
A. Deploy a logon script that runs Icacls.exe.
B. Deploy a logon script that runs Auditpol.exe.
C. Deploy a logon script that runs Auditpol.exe.
D. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration setting.

Answer: B
Section: Powershell & Command line cmds
Explanation/Reference:
Auditpol
Displays information about and performs functions to manipulate audit policies. For examples of how this command can be used, see the Examples section in each topic.
http://technet.microsoft.com/en-us/library/cc731451(v=WS.10).aspx
Reason: Not C or D: Advanced audit policy is a Windows Server 2008 R2 and Windows 7 feature.
Which Versions of Windows Support Advanced Audit Policy Configuration?
All versions of Windows Server 2008 R2 and Windows 7 that can process Group Policy can be configured to use the new advanced security auditing enhancements. Versions of Windows Server 2008 R2 and Windows 7 that cannot join a domain do not have access to these features. There is no difference in security auditing support between 32-bit and 64-bit versions of Windows 7.
http://technet.microsoft.com/en-us/library/dd692792(v=WS.10).aspx

QUESTION 7
Your network contains an Active Directory domain named contoso.com. You need to create a central store for Group Policy Administrative Templates. What should you do?
A. Run dfsrmig.exe /createglobalobjects.
B. Run adprep.exe /domainprep /gpprep.
C. Copy the %SystemRoot%\PolicyDefinitions folder to the \\contoso.com\SYSVOL\contoso.com\Policies folder.
D. Copy the %SystemRoot%\System32\GroupPolicy folder to the \\contoso.com\SYSVOL\contoso.com\Policies folder.

Answer: C
Section: Configuring Group Policy
Explanation/Reference:
The Central Store
To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a domain controller. The Central Store is a file location that is checked by the Group Policy tools. The Group Policy tools use any .admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain. To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location:
\\FQDN\SYSVOL\FQDN\policies

Note
FQDN is a fully qualified domain name.

For example, to create a Central Store for the Test.Microsoft.com domain, create a PolicyDefinitions folder in the following location:
\\Test.Microsoft.Com\SYSVOL\Test.Microsoft.Com\Policies
Copy all files from the PolicyDefinitions folder on a Windows Vista-based client computer to the PolicyDefinitions folder on the domain controller. The PolicyDefinitions folder on a Windows Vista-based computer resides in the same folder as Windows Vista. The PolicyDefinitions folder on the Windows Vista-based computer stores all .admx files and .adml files for all languages that are enabled on the client computer.
http://support.microsoft.com/kb/929841
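The Central Store procedure above, as an added PowerShell example (not from the exam dump or the KB article): it creates the PolicyDefinitions folder in SYSVOL, copies the .admx files plus every language subfolder of .adml files, and reports what it copied. The domain name contoso.com comes from the question; the workstation it runs on is assumed to hold the templates you want to publish.

```powershell
# Added example: populate the Group Policy Central Store for contoso.com from
# this computer's %SystemRoot%\PolicyDefinitions. Assumed: run on a domain-joined
# admin workstation by an account that can write to SYSVOL.
$domain  = 'contoso.com'
$source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $central)) {
    New-Item -ItemType Directory -Path $central | Out-Null
}

# The .admx files sit at the top level; each language (en-US, pt-BR, ...) has
# its own subfolder of .adml files. /XO skips files that are already newer in
# the Central Store, so the script is safe to re-run after a client is updated.
robocopy $source $central *.admx /XO /R:1 /W:1 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed copying .admx files (exit code $LASTEXITCODE)" }

foreach ($lang in (Get-ChildItem $source | Where-Object { $_.PSIsContainer })) {
    robocopy (Join-Path $source $lang.Name) (Join-Path $central $lang.Name) *.adml /XO /R:1 /W:1 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed copying $($lang.Name) .adml files" }
}

# Verify: from now on GPMC on any machine reads templates from SYSVOL, and the
# file counts should match the source; SYSVOL replication carries them to the
# other domain controllers.
$admxCount = @(Get-ChildItem $central -Filter *.admx).Count
$admlCount = @(Get-ChildItem $central -Recurse -Filter *.adml).Count
"Central Store $central now holds $admxCount .admx and $admlCount .adml files"
```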

QUESTION 8
You configure and deploy a Group Policy object (GPO) that contains AppLocker settings. You need to identify whether a specific application file is allowed to run on a computer. Which Windows PowerShell cmdlet should you use?
A. Get-AppLockerFileInformation
B. Get-GPOReport
C. Get-GPPermissions
D. Test-AppLockerPolicy

Answer: D
Section: Powershell & Command line cmds
Explanation/Reference:
The Test-AppLockerPolicy cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run on the local computer for a specific user.
http://technet.microsoft.com/en-us/library/ee460960.aspx
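An added PowerShell example (not from the exam dump) showing the difference between the two AppLocker cmdlets in the answers: Get-AppLockerFileInformation only collects the attributes rules match on, while Test-AppLockerPolicy returns the allow/deny decision against the effective (GPO-delivered) policy. The file paths and the account contoso\user1 are placeholders.

```powershell
# Added example: evaluate files against the AppLocker policy in effect on this
# computer. Assumed: AppLocker module available (Windows 7 / Server 2008 R2),
# and the paths and user below are placeholders to replace.
Import-Module AppLocker

$filesToCheck = @('C:\Apps\App1.exe', 'C:\Windows\System32\notepad.exe')
$user         = 'contoso\user1'

# Option A from the question: this only reports publisher, hash and path data,
# i.e. what a rule would be built from, not whether the file may run.
Get-AppLockerFileInformation -Path $filesToCheck |
    Select-Object Path, Publisher, Hash |
    Format-List

# The effective policy merges the local policy with every AppLocker GPO
# applied to this computer, which is what the question asks about.
$policy = Get-AppLockerPolicy -Effective

# Option D: PolicyDecision is Allowed, Denied, AllowedByDefault or
# DeniedByDefault, and MatchingRule names the rule that decided it.
Test-AppLockerPolicy -PolicyObject $policy -Path $filesToCheck -User $user |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# Broader check for rollout planning: every executable under a folder that
# this user would be blocked from running (pattern follows the TechNet docs).
Get-ChildItem 'C:\Apps' -Filter *.exe -Recurse |
    Convert-Path |
    Test-AppLockerPolicy -PolicyObject $policy -User $user -Filter Denied, DeniedByDefault |
    Select-Object FilePath, PolicyDecision
```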

QUESTION 9
You create a Password Settings object (PSO). You need to apply the PSO to a domain user named User1. What should you do?
A. Modify the properties of the PSO.
B. Modify the account options of the User1 account.
C. Modify the security settings of the User1 account.
D. Modify the password policy of the Default Domain Policy Group Policy object (GPO).

Answer: A
Section: Maintaining the AD Environment
Explanation/Reference:
To apply PSOs to users or global security groups using the Windows interface
Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
On the View menu, ensure that Advanced Features is checked.
In the console tree, click Password Settings Container. Where? Active Directory Users and Computers\domain node\System\Password Settings Container.
In the details pane, right-click the PSO, and then click Properties.
Click the Attribute Editor tab.
Select the msDS-PsoAppliesTo attribute, and then click Edit.
Note: If you do not see the msDS-PsoAppliesTo attribute in the Attributes list, click Filter, and then click Show attributes/Optional. Also, clear the Show only attributes that have values check box.
In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user or the global security group that you want to apply this PSO to, click Add, and then click OK.
http://technet.microsoft.com/en-us/library/cc731589(v=WS.10).aspx
You can also use the ldifde command to apply a PSO to multiple users or global security groups quickly.

QUESTION 10
You need to create a Password Settings object (PSO). Which tool should you use?
A. Active Directory Users and Computers
B. ADSI Edit
C. Group Policy Management Console
D. Ntdsutil

Answer: B
Section: Powershell & Command line cmds
Explanation/Reference:
Fine-Grained Passwords [password policies per OU, group or user]
ADSI Edit: CN=System, CN=Password Settings Container, right mouse button, New, Object, msDS-PasswordSettings, enter the name PasswordSettings, enter the values.
ADUC (Advanced Features): create the group, go to System, PasswordSettings, msDS-PSOAppliesTo, Edit, enter the group.
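Questions 9 and 10 can both be done without ADSI Edit or ldifde: the Active Directory module for Windows PowerShell has cmdlets for creating a PSO and for editing its msDS-PSOAppliesTo attribute. This is an added example, not from the exam dump or TechNet; the PSO name ServiceAdmins-PSO and the values are placeholders, and the domain functional level is assumed to be Windows Server 2008 or later.

```powershell
# Added example: create a Password Settings object and apply it to User1.
# Assumed: AD module installed; 'ServiceAdmins-PSO' and the values are placeholders.
Import-Module ActiveDirectory

$psoName = 'ServiceAdmins-PSO'

# Question 10: the PSO is an msDS-PasswordSettings object under
# CN=Password Settings Container,CN=System; this cmdlet creates it there.
# A lower Precedence wins when several PSOs apply to the same user.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# Question 9: applying a PSO means editing the PSO's own msDS-PSOAppliesTo
# attribute (answer A); nothing on the User1 account itself changes.
# Subjects can be users or global security groups.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'User1'

# Verify the PSO the directory actually applies to User1 (the resultant PSO),
# which matters when more than one PSO targets the user through groups.
Get-ADUserResultantPasswordPolicy -Identity 'User1' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```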

QUESTION 11
Your network contains an Active Directory domain. All servers run Windows Server 2008 R2. You need to audit the deletion of registry keys on each server. What should you do?
A. From Audit Policy, modify the Object Access settings and the Process Tracking settings.
B. From Audit Policy, modify the System Events settings and the Privilege Use settings.
C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking settings.
D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object Access Auditing settings.

Answer: D
Section: Configuring AD Infrastructure
Explanation/Reference:
Reason: Advanced Audit Policy Configuration is a Windows Server 2008 R2 feature (see screenshot below).

Global Object Access Auditing
Updated: July 15, 2010
Applies To: Windows 7, Windows Server 2008 R2
Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for either the file system or registry. The specified SACL is then automatically applied to every object of that type. Auditors will be able to prove that every resource in the system is protected by an audit policy by just viewing the contents of the Global Object Access Auditing policy settings. For example, a policy setting "track all changes made by group administrators" shows that this policy is in effect. Resource SACLs are also useful for diagnostic scenarios. For example, setting a Global Object Access Auditing policy setting to log all the activity for a specific user and enabling the Object Access audit policy for a resource (file system, registry) to track "access denied" events can help administrators quickly identify which object in a system is denying a user access.
This category includes the following subcategories:
File System (Global Object Access Auditing)
Registry (Global Object Access Auditing)

Registry (Global Object Access Auditing)
Applies To: Windows 7, Windows Server 2008 R2
This security policy setting allows you to configure a global system access control list (SACL) on the registry for a computer. If you select the Configure security check box, you can add a user or group to the global SACL.
QUESTION 12
Your network contains a single Active Directory domain. The forest functional level is Windows Server 2008 R2. You need to enable the Active Directory Recycle Bin. What should you use?
A. the Dsmod tool
B. the Enable-ADOptionalFeature cmdlet
C. the Ntdsutil tool
D. the Set-ADDomainMode cmdlet

Answer: B
Section: Powershell & Command line cmds
Explanation/Reference:
Enabling Active Directory Recycle Bin
After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods:
Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)
Ldp.exe
http://technet.microsoft.com/en-us/library/dd379481(v=WS.10).aspx

QUESTION 13
Your network contains a single Active Directory domain. You need to create an Active Directory Domain Services snapshot. What should you do?
A. Use the LDP tool.
B. Use the Ntdsutil tool.
C. Use the Wbadmin tool.
D. From Windows Server Backup, perform a full backup.

Answer: B
Section: Powershell & Command line cmds
Explanation/Reference:
Requirements for using the Active Directory database mounting tool
You do not need any additional software to use the Active Directory database mounting tool. All the tools that are required to use this feature are built into Windows Server 2008 and are available if you have the AD DS or the AD LDS server role installed. These tools include the following:
A new ntdsutil snapshot operation that you can use to create, list, mount, and unmount snapshots of AD DS or AD LDS data
Note: You are not required to run the ntdsutil snapshot operation to use Dsamain.exe. You can instead use a backup of the AD DS or AD LDS database or another domain controller or AD LDS server. The ntdsutil snapshot operation simply provides a convenient data input for Dsamain.exe.
Dsamain.exe, which you can use to expose the snapshot data as an LDAP server
Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers
http://technet.microsoft.com/en-us/library/cc753609(v=WS.10).aspx

QUESTION 14
Your network contains a single Active Directory domain. A domain controller named DC2 fails. You need to remove DC2 from Active Directory. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. At the command prompt, run dcdiag.exe /fix.
B. At the command prompt, run netdom.exe remove dc2.
C. From Active Directory Sites and Services, delete DC2.
D. From Active Directory Users and Computers, delete DC2.

Answer: CD
Section: Creating & Maintaining AD Objects
Explanation/Reference:
TechNet wants you to do this from the server containing the DC, using dcpromo. Have not found the procedure mentioned above.

QUESTION 15
Your network contains a single Active Directory domain. The forest functional level is Windows Server 2008. The domain functional level is Windows Server 2008 R2. All DNS servers run Windows Server 2008. All domain controllers run Windows Server 2008 R2. You need to ensure that you can enable the Active Directory Recycle Bin. What should you do?
A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Modify the Active Directory schema.
D. Modify the Universal Group Membership Caching settings.

Answer: A
Section: Configuring AD Backup-Restore
Explanation/Reference:
Reason: Active Directory Recycle Bin is a Windows Server 2008 R2 feature.

Raising the forest functional level
You can enable Active Directory Recycle Bin only if the forest functional level of your environment is set to Windows Server 2008 R2.
http://technet.microsoft.com/en-us/library/dd379481(v=WS.10).aspx
QUESTION 16
Your network contains an Active Directory domain. The domain contains several domain controllers. All domain controllers run Windows Server 2008 R2. You need to restore the Default Domain Controllers Policy Group Policy object (GPO) to the Windows Server 2008 R2 default settings. What should you do?
A. Run dcgpofix.exe /target:dc.
B. Run dcgpofix.exe /target:domain.
C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.
D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.

Answer: A
Section: Configuring Group Policy
Explanation/Reference:
Dcgpofix restores the default Group Policy objects to their original default state after initial installation of a domain controller. The Dcgpofix tool recreates the two default Group Policy objects and creates the settings based on the operations that are performed only during Dcpromo. The Dcgpofix tool is intended for use only as a last-resort disaster-recovery tool.
To run Dcgpofix
Type the following at the command prompt:
dcgpofix [/ignoreschema] [/target: {domain | dc | both}]
Where:
/ignoreschema is an optional parameter. If you set this parameter, the Active Directory schema version number is ignored.
/target: {domain | dc | both} is an optional parameter that specifies the target domain, domain controller, or both. If you do not specify /target, dcgpofix uses both by default.
QUESTION 17
Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllers named DC3 and DC4. The domain functional level is Windows Server 2008 R2. The forest functional level is Windows Server 2003. Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day. At 07:00, an administrator deletes a user account while connected to DC1. You need to restore the deleted user account. You want to achieve this goal by using the minimum amount of administrative effort. What should you do?
A. On DC1, run the Restore-ADObject cmdlet.
B. On DC3, run the Restore-ADObject cmdlet.
C. On DC1, stop Active Directory Domain Services, restore the system state, and then start Active Directory Domain Services.
D. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active Directory Domain Services.

Answer: D
Section: AD Sites & Services
Explanation/Reference:
Authoritative restore allows the administrator to recover a domain controller, restore it to a specific point in time, and mark objects in Active Directory as being authoritative with respect to their replication partners. For example, you might need to perform an authoritative restore if an administrator inadvertently deletes an organizational unit containing a large number of users. If you restore the server from tape, the normal replication process would not restore the inadvertently deleted organizational unit. Authoritative restore allows you to mark the organizational unit as authoritative and force the replication process to restore it to all of the other domain controllers in the domain.
Reason: A and B are incorrect because the forest functional level must be Windows Server 2008 R2 to use the Restore-ADObject cmdlet (it is an AD Recycle Bin feature).

QUESTION 18
Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2. You perform a full backup of the domain controllers every night by using Windows Server Backup. You update a script in the SYSVOL folder. You discover that the new script does not work correctly. You need to restore the previous version of the script in the SYSVOL folder. The solution must minimize the amount of time required to restore the script. What should you do first?
A. Run the Restore-ADObject cmdlet.
B. Restore the system state to its original location.
C. Restore the system state to an alternate location.
D. Attach the VHD file created by Windows Server Backup.

Answer: D
Section: Configuring AD Backup-Restore
Explanation/Reference:
Windows Server Backup creates VHD files. Simply mount the VHD in a compatible operating system (Disk Management) and copy the needed file.

QUESTION 19
Your network contains an Active Directory domain. You need to restore a deleted computer account from the Active Directory Recycle Bin. What should you do?
A. At the command prompt, run recover.exe.
B. At the command prompt, run ntdsutil.exe.
C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.
D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.

Answer: D
Section: Configuring AD Backup-Restore
Explanation/Reference:
Restoring a deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets
You can also restore a deleted Active Directory object by using the Get-ADObject and Restore-ADObject Active Directory module for Windows PowerShell cmdlets. The recommended approach is to use the Get-ADObject cmdlet to retrieve the deleted object and then pass that object through the pipeline to the Restore-ADObject cmdlet.
To restore a single, deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets
Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:
Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject
For example, if you want to restore an accidentally deleted user object with the display name Mary, type the following command, and then press ENTER:
Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject

http://technet.microsoft.com/en-us/library/dd379509(v=WS.10).aspx#BKMK_3

It is not the Restore-Computer cmdlet, because that only starts a system restore on the local computer.
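The Recycle Bin workflow behind questions 12, 15 and 19 (check the forest functional level, enable the feature once, restore a deleted computer account by name) as one added PowerShell example; it is not from the exam dump or TechNet. The forest is whatever the machine is joined to, and the computer name PC01 is a placeholder.

```powershell
# Added example: forest-level check, Recycle Bin enablement, and restore of a
# deleted computer account. Assumed: AD module installed, run by an Enterprise
# Admin; 'PC01' is a placeholder computer name.
Import-Module ActiveDirectory

$deletedName = 'PC01'

# Question 15: the prerequisite is the forest functional level, not a schema
# change; abort with a clear message if the forest is below 2008 R2.
$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $required) {
    throw "Forest mode is $($forest.ForestMode); raise it to Windows Server 2008 R2 first."
}

# Question 12: enabling the optional feature is forest-wide and irreversible,
# so only do it when no scope has it enabled yet.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# Question 19: a deleted object keeps its old RDN in msDS-LastKnownRDN and its
# former container in lastKnownParent. Match on the RDN rather than on Name,
# because the Name of a tombstone is rewritten to 'PC01\0ADEL:<guid>'.
$candidates = @(Get-ADObject -IncludeDeletedObjects `
    -LDAPFilter "(&(objectClass=computer)(isDeleted=TRUE)(msDS-LastKnownRDN=$deletedName))" `
    -Properties msDS-LastKnownRDN, lastKnownParent, whenChanged)

if ($candidates.Count -ne 1) {
    # Several tombstones with the same RDN (deleted more than once) need a
    # manual choice by whenChanged; refuse to guess.
    throw "Expected exactly one deleted computer named $deletedName, found $($candidates.Count)."
}

# Restore-ADObject puts the object back under lastKnownParent with its SID,
# group memberships and attributes intact. If that parent OU was deleted as
# well, restore the parent first, otherwise this call fails.
Restore-ADObject -Identity $candidates[0].ObjectGUID

Get-ADComputer -Identity $deletedName | Select-Object Name, DistinguishedName, SID
```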

QUESTION 20
You need to back up all the Group Policies in a domain. The solution must minimize the size of the backup. What should you use?
A. the Add-WBSystemState cmdlet
B. the Group Policy Management console
C. the Wbadmin tool
D. the Windows Server Backup feature

Answer: B
Section: Configuring Group Policy
Explanation/Reference:
Back Up a Group Policy Object
Applies To: Windows Server 2008 R2
To back up a Group Policy object
In the Group Policy Management Console (GPMC) console tree, open Group Policy Objects in the forest and domain containing the Group Policy object (GPO) to back up.
To back up a single GPO, right-click the GPO, and then click Back Up. To back up all GPOs in the domain, right-click Group Policy objects and click Back Up All.
In the Backup Group Policy object dialog box, in the Location box, enter the path for the location in which you want to store the GPO backups, or click Browse, locate the folder in which you want to store the GPO backups, and then click OK.
In the Description box, type a description for the GPOs that you want to back up, and then click Back Up. If you are backing up multiple GPOs, the description will apply to all GPOs you back up.
After the operation completes, click OK.
http://technet.microsoft.com/en-us/library/cc770536.aspx

Exam J

QUESTION 1
You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2. You need to ensure that you can recover the private key of a certificate issued to a Web server. What should you do?
A. From the CA, run the Get-PfxCertificate cmdlet.
B. From the Web server, run the Get-PfxCertificate cmdlet.
C. From the CA, run the certutil.exe tool and specify the -exportpfx parameter.
D. From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.

Answer: D
Section: Configuring AD Certificate Services
Explanation/Reference:
A .pfx file includes the public and private key. The correct notation is:
certutil.exe -privatekey -exportpfx "MyCert" MyCert.pfx
http://blogs.microsoft.co.il/blogs/applisec/archive/2008/04/08/creating-x-509-certificates-using-makecertexe.aspx
The Get-PfxCertificate cmdlet gets an object representing each specified .pfx certificate file. This command gets information about the .pfx certificate on the system and does NOT export it!
http://technet.microsoft.com/en-us/library/dd347671.aspx

QUESTION 2
Your company has a main office and a branch office. The network contains a single Active Directory domain. The main office contains a domain controller named DC1. You need to install a domain controller in the branch office by using an offline copy of the Active Directory database. What should you do first?
A. From the Ntdsutil tool, create an IFM media set.
B. At the command prompt, run djoin.exe /loadfile.
C. From Windows Server Backup, perform a system state backup.
D. From Windows PowerShell, run the Get-ADDomainController cmdlet.

Answer: A
Section: Maintaining the AD Environment
Explanation/Reference:
Create Installation Media by Using Ntdsutil
This task uses the Install from Media (IFM) option. Create the media on a domain controller in the domain where you are installing one or more new domain controllers.
http://technet.microsoft.com/en-us/library/cc816574%28WS.10%29.aspx

QUESTION 3
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008. The domain functional level is Windows Server 2003. All client computers run Windows 7. You install Windows Server 2008 R2 on a server named Server1. You need to perform an offline domain join of Server1. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From Server1, run djoin.exe.
B. From Server1, run netdom.exe.
C. From a Windows 7 computer, run djoin.exe.
D. Upgrade a domain controller to Windows Server 2008 R2.
E. Raise the domain functional level to Windows Server 2008.

Answer: AC
Section: Maintaining the AD Environment
Explanation/Reference:
Reason: the requirement is a 2K8 R2 DC and Windows 7 to use djoin.exe.
Operating system requirements
You can run Djoin.exe only on computers that run Windows 7 or Windows Server 2008 R2. The computer on which you run Djoin.exe to provision computer account data into AD DS must be running Windows 7 or Windows Server 2008 R2. The computer that you want to join to the domain must also be running Windows 7 or Windows Server 2008 R2. By default, the Djoin.exe commands target a domain controller that runs Windows Server 2008 R2. However, you can specify an optional /downlevel parameter if you want to target a domain controller that is running a version of Windows Server that is earlier than Windows Server 2008 R2.
1. On the provisioning server (Windows 7 client), open an elevated command prompt. Type the following command to provision the computer account:
djoin /provision /downlevel /domain <domain to be joined> /machine <name of the destination computer> /savefile blob.txt
Copy the blob.txt file to the client computer.
2. Command to insert the computer account metadata into the Windows directory of the destination computer. On the client computer (the new W2K8 DC), open an elevated command prompt, and then type the following command to request the domain join:
djoin /requestODJ /loadfile blob.txt /windowspath %SystemRoot% /localos

http://technet.microsoft.com/nl-nl/library/offline-domain-join-djoin-step-by-step%28WS.10%29.aspx#BKMK_ODJRequirements

QUESTION 4
You have an Active Directory snapshot. You need to view the contents of the organizational units (OUs) in the snapshot. Which tools should you run?
A. explorer.exe, netdom.exe, and dsa.msc
B. ntdsutil.exe, dsamain.exe, and dsa.msc
C. wbadmin.msc, dsamain.exe, and netdom.exe
D. wbadmin.msc, ntdsutil.exe, and explorer.exe

Answer: B
Section: Powershell & Command line cmds
Explanation/Reference:
In the command-line tool Ntdsutil.exe, you can use the snapshot subcommand to manage the snapshots, but you must use Dsamain.exe to expose the snapshot as a Lightweight Directory Access Protocol (LDAP) server.
To start Active Directory Users and Computers focused on domain1, type:
dsa.msc /domain=domain1
To start Active Directory Users and Computers focused on server1, type:
dsa.msc /server=server1.domain1

QUESTION 5
Your network contains a domain controller that runs Windows Server 2008 R2. You run the following command on the domain controller:
dsamain.exe -dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit -ldapport 389 -allowNonAdminAccess
The command fails. You need to ensure that the command completes successfully. How should you modify the command?
A. Include the path to dsamain.exe.
B. Change the value of the -dbpath parameter.
C. Change the value of the -ldapport parameter.
D. Remove the -allowNonAdminAccess parameter.

Answer: C
Section: Powershell & Command line cmds
Explanation/Reference:
Normally, when you use ntdsutil and dsamain.exe to connect to a snapshot, you use a different port, because AD DS is already running on the default port 389.
The LDAPPort property specifies the TCP/IP port on which the domain controller listens for LDAP requests. The LDAPPort property is read-write.
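The snapshot workflow behind questions 13, 4 and 5 of this exam (create and mount with ntdsutil, expose with dsamain on a spare port because the live directory already owns 389, browse with dsa.msc) as one added PowerShell example; it is not from the exam dump or TechNet. It assumes an elevated prompt on the domain controller, the default NTDS location under \Windows\NTDS inside the snapshot, that TCP port 10389 is free, and the ntdsutil "list all" output layout documented by Microsoft (the regexes are written against that layout).

```powershell
# Added example: take an AD DS snapshot, mount it read-only on port 10389,
# open it in Active Directory Users and Computers, then clean up.
# Assumed: run elevated on the DC; database at <mount>\Windows\NTDS\ntds.dit.
$ldapPort = 10389

# Each argument is one ntdsutil command; they run in order, then ntdsutil exits.
ntdsutil 'activate instance ntds' snapshot create quit quit | Out-Null

# 'list all' prints one line per snapshot and one per captured volume, e.g.
#   1: 2010/06/17:03:26 {snapshot-guid}
#   2: C: {volume-guid}
# The volume entry is the one that gets mounted (output layout assumed from the
# ntdsutil documentation; adjust the pattern if your build prints differently).
$listing = ntdsutil snapshot 'list all' quit quit
$match = $listing | Select-String -Pattern '^\s*\d+:\s+C:\s+(\{[0-9a-fA-F-]+\})' | Select-Object -Last 1
if (-not $match) { throw 'No snapshot of the C: volume found in the ntdsutil listing.' }
$volumeGuid = $match.Matches[0].Groups[1].Value

# Mounting exposes the snapshot as a folder such as C:\$SNAP_201006170326_VOLUMEC$\
$mountOutput = ntdsutil snapshot "mount $volumeGuid" quit quit
$mounted = $mountOutput | Select-String -Pattern 'mounted as (.+?)\s*$'
if (-not $mounted) { throw "Mount of $volumeGuid failed: $mountOutput" }
$mountPath = $mounted.Matches[0].Groups[1].Value
$dbPath    = Join-Path $mountPath 'Windows\NTDS\ntds.dit'

# Question 5: port 389 is already in use by the live AD DS instance, so dsamain
# needs another LDAP port. -allowNonAdminAccess is deliberately left out so
# that only Domain Admins / Enterprise Admins can read the snapshot data.
$dsamain = Start-Process -FilePath dsamain.exe `
    -ArgumentList "-dbpath `"$dbPath`" -ldapport $ldapPort" -PassThru
Start-Sleep -Seconds 5
if ($dsamain.HasExited) { throw 'dsamain.exe exited early; check the Directory Service event log.' }

# Question 4: point Active Directory Users and Computers at the snapshot;
# the OUs and their objects appear read-only.
Start-Process -FilePath mmc.exe -ArgumentList "dsa.msc /server=localhost:$ldapPort"
Read-Host 'Press ENTER when finished browsing the snapshot'

# Cleanup: stop the LDAP listener, unmount, and delete the snapshot so the
# copy of the database does not linger on disk.
Stop-Process -Id $dsamain.Id
ntdsutil snapshot "unmount $volumeGuid" quit quit | Out-Null
ntdsutil snapshot "delete $volumeGuid" quit quit | Out-Null
```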

QUESTION 6
Your network contains an Active Directory domain. The domain contains five domain controllers. A domain controller named DC1 has the DHCP role and the file server role installed. You need to move the Active Directory database on DC1 to an alternate location. The solution must minimize the impact on the network during the database move. What should you do first?
A. Restart DC1 in Safe Mode.
B. Restart DC1 in Directory Services Restore Mode.
C. Start DC1 from Windows PE.
D. Stop Active Directory Domain Services on DC1.

Answer: D
Section: Maintaining the AD Environment
Explanation/Reference:
To move the directory database and log files to a local drive
Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
At the command prompt, type the following command, and then press ENTER:
net stop ntds
Type Y to agree to stop additional services, and then press ENTER.
Continue with the procedure...
http://technet.microsoft.com/en-us/library/cc816720(v=WS.10).aspx

QUESTION 7
Your company has a main office and a branch office. The network contains an Active Directory forest. The forest contains three domains. The branch office contains a domain controller named DC5. DC5 is configured as a global catalog server, a DHCP server, and a file server. You remove the global catalog from DC5. You need to reduce the size of the Active Directory database on DC5. The solution must minimize the impact on all users in the branch office. What should you do first?
A. Start DC5 in Safe Mode.
B. Start DC5 in Directory Services Restore Mode.
C. On DC5, start the Protected Storage service.
D. On DC5, stop Active Directory Domain Services.

Answer: D
Section: Configuring AD Backup-Restore
Explanation/Reference:
Only offline defragmentation can return unused disk space from the directory database to the file system. When database contents have decreased considerably through a bulk deletion (for example, you remove the global catalog from a domain controller), or if the size of the database backup is significantly increased due to the white space, use offline defragmentation to reduce the size of the Ntds.dit file.

QUESTION 8
Your network contains a domain controller that runs Windows Server 2008 R2. You need to change the location of the Active Directory log files. Which tool should you use?
A. Dsamain
B. Dsmgmt
C. Dsmove
D. Ntdsutil

Answer: D
Section: Powershell & Command line cmds
Explanation/Reference:
Start a command prompt, and then type ntdsutil.exe.
NOTE: To get a list of commands that you can use at the Ntdsutil prompt, type ?.
At the Ntdsutil prompt, type files.
At the File Maintenance prompt, use one or both of the following procedures:
To move a database, type move db to %s, where %s is the drive and folder where you want the database moved.
To move log files, type move logs to %s, where %s is the drive and folder where you want the log files moved.
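The procedure behind questions 6, 7 and 8 (stop AD DS in place rather than rebooting into DSRM, move the database and log files with ntdsutil, then compact the database offline after a bulk deletion such as removing the global catalog) as one added PowerShell example; it is not from the exam dump or TechNet. The target folders D:\NTDS, D:\NTDSLogs and E:\NTDSCompact are placeholders, and the script assumes ntdsutil returns a non-zero exit code on failure (read its output as well).

```powershell
# Added example: move ntds.dit and its logs, then offline-defragment the
# database, with AD DS stopped but the DC (DHCP, file shares) still running.
# Assumed placeholders: D:\NTDS (database), D:\NTDSLogs (logs), E:\NTDSCompact (scratch).
$dbDir  = 'D:\NTDS'
$logDir = 'D:\NTDSLogs'
$tmpDir = 'E:\NTDSCompact'
foreach ($dir in $dbDir, $logDir, $tmpDir) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# Stopping NTDS also stops the services that depend on it (KDC, DNS, DFSR, ...).
# Remember which ones were running so they can be started again at the end.
$dependents = (Get-Service NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service NTDS -Force            # same effect as 'net stop ntds' followed by Y

# Each quoted argument is one ntdsutil command, run in order. 'move db' and
# 'move logs' also update the registry paths and set the folder permissions.
ntdsutil 'activate instance ntds' files "move db to $dbDir" "move logs to $logDir" quit quit
if ($LASTEXITCODE -ne 0) { throw 'ntdsutil move failed; AD DS left stopped for inspection.' }

# Offline defragmentation writes a compacted copy to the scratch folder; the
# live file is untouched until it is swapped in below.
ntdsutil 'activate instance ntds' files "compact to $tmpDir" quit quit
if ($LASTEXITCODE -ne 0) { throw 'ntdsutil compact failed; original database still in place.' }

# Keep the original as a fallback, swap in the compacted file, discard the old
# transaction logs (they no longer match the new file) and verify the file
# before bringing AD DS back online.
Move-Item "$dbDir\ntds.dit" "$dbDir\ntds.dit.bak" -Force
Copy-Item "$tmpDir\ntds.dit" "$dbDir\ntds.dit"
Remove-Item "$logDir\*.log"
ntdsutil 'activate instance ntds' files integrity quit quit
if ($LASTEXITCODE -ne 0) { throw 'Integrity check failed; put ntds.dit.bak back before starting NTDS.' }

Start-Service NTDS
$dependents | ForEach-Object { Start-Service $_.Name }

"Before: {0:N0} bytes  After: {1:N0} bytes" -f (Get-Item "$dbDir\ntds.dit.bak").Length, (Get-Item "$dbDir\ntds.dit").Length
```

Delete ntds.dit.bak once the DC has replicated normally for a while.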

QUESTION 9
Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2. You deploy a new server that runs Windows Server 2008 R2. The server is not connected to the internal network. You need to ensure that the new server is already joined to the domain when it first connects to the internal network. What should you do?
A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, run sysprep.exe and specify the /generalize parameter.
B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, run sysprep.exe and specify the /oobe parameter.
C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the new server, run djoin.exe and specify the /requestodj parameter.
D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the new server, run djoin.exe and specify the /provision parameter.

Answer: C
Section: Maintaining the AD Environment
Explanation/Reference:
Offline domain join is a new process that computers that run Windows 7 or Windows Server 2008 R2 can use to join a domain without contacting a domain controller. This makes it possible to join computers to a domain in locations where there is no connectivity to a corporate network.
Run Djoin.exe at an elevated command prompt to provision the computer account metadata. When you run the provisioning command, the computer account metadata is created in a .txt file that you specify as part of the command. After you run the provisioning command, you can either run Djoin.exe again to request the computer account metadata and insert it into the Windows directory of the destination computer or you can save the computer account metadata in an Unattend.xml file and then specify the Unattend.xml file during an unattended operating system installation of the destination computer.
djoin /provision /domain <domain_name> /machine <destination computer> /savefile <filename.txt> [/machineou <OU name>] [/dcname <name of domain controller>] [/reuse] [/downlevel] [/defpwd] [/nosearch] [/printblob] [/rootcacerts] [/certtemplate <name>] [/policynames <name(s)>] [/policypaths <Path(s)>]
djoin /requestodj /loadfile <filename.txt> /windowspath <path to the Windows directory of the offline image> /localos
http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(v=WS.10).aspx

QUESTION 10
Your network contains an Active Directory domain. The domain contains four domain controllers. You modify the Active Directory schema. You need to verify that all the domain controllers received the schema modification. Which command should you run?

A. dcdiag.exe /a
B. netdom.exe query fsmo
C. repadmin.exe /showrepl *
D. sc.exe query ntds

Answer: C
Section: Powershell & Command line cmds
Explanation/Reference:
Repadmin /showrepl displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions.
http://technet.microsoft.com/en-us/library/cc770963(v=WS.10).aspx
Reason: * means all domain controllers.

QUESTION 11
You remotely monitor several domain controllers. You run winrm.exe quickconfig on each domain controller. You need to create a WMI query script to retrieve BIOS information from each domain controller. Which format should you use to write the query?

A. XrML
B. XML
C. WQL
D. HTML

Answer: C
Section: Powershell & Command line cmds
Explanation/Reference:
Reason: the WMI Query Language (WQL) is a subset of the American National Standards Institute Structured Query Language (ANSI SQL) with minor semantic changes. Queries built using WQL are used to control the WMI service.
WMI Query Language
WMI Query Language (WQL) isn't so much a dialect as it is a language within a language. You use a scripting language such as VBScript to access and manipulate WMI objects, but you use WQL to retrieve the exact object or objects you want to work with.

QUESTION 12
Your network contains an Active Directory domain named contoso.com. The domain contains five domain controllers. You add a logoff script to an existing Group Policy object (GPO). You need to verify that each domain controller successfully replicates the updated group policy. Which two objects should you verify on each domain controller? (Each correct answer presents part of the solution. Choose two.)

A. \\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.ini
B. \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.pol
C. the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container
D. the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container

Answer: AD
Section: Configuring Group Policy
Explanation/Reference:
Group Policy has two configurations: the computer configuration and the user configuration. In order to track changes to each configuration, the GPO must track a version number for each configuration. With only one version number, the way two versions are tracked is to split the version number into two numbers. The top 16 bits of the version number correspond to the user configuration version. The lower 16 bits of the version number correspond to the computer configuration version. When looking at the version entry in the gpt.ini file, what you are seeing is:
Version = [user version number, top 16 bits] [computer version number, lower 16 bits]
This number can be found in the editor and in the gpt.ini file.

QUESTION 13
Your network contains an Active Directory domain that contains five domain controllers. You have a management computer that runs Windows 7. From the Windows 7 computer, you need to view all the account logon failures that occur in the domain. The information must be consolidated in a single list. Which command should you run on each domain controller?

A. Wecutil.exe qc
B. Wevtutil.exe gli
C. Winrm.exe quickconfig
D. Winrshost.exe

Answer: C
Section: Powershell & Command line cmds
Explanation/Reference:
Winrm.exe quickconfig must be run on the remote computers to enable the collection of events.

QUESTION 14
You create a new Active Directory domain. The functional level of the domain is Windows Server 2008 R2. The domain contains five domain controllers. You need to monitor the replication of the group policy template files. Which tool should you use?

A. Dfsrdiag
B. Fsutil
C. Ntdsutil
D. Ntfrsutl

Answer: A
Section: Powershell & Command line cmds
Explanation/Reference:
Reason: Dfsrdiag can be used to monitor SYSVOL replication if the domain is running at the Windows Server 2008 R2 functional level. By running DFSRDIAG.EXE you can create test files and then measure their replication times in a very granular way. In Windows Server 2008 R2 the SYSVOL is replicated using DFS Replication.

QUESTION 15
You create a new Active Directory domain. The functional level of the domain is Windows Server 2003. The domain contains five domain controllers that run Windows Server 2008 R2. You need to monitor the replication of the group policy template files. Which tool should you use?

A. Dfsrdiag
B. Fsutil
C. Ntdsutil
D. Ntfrsutl

Answer: D
Section: Powershell & Command line cmds
Explanation/Reference:
Reason: FRS is used to replicate SYSVOL if the functional level is Windows Server 2008 or below; use ntfrsutl to monitor it. If you want to use DFS Replication for SYSVOL, the functional level must be Windows Server 2008 R2, and you then monitor it using dfsrdiag.

QUESTION 16
You have a domain controller named Server1 that runs Windows Server 2008 R2. You need to determine the size of the Active Directory database on Server1. What should you do?

A. Run the Active Directory Sizer tool.
B. Run the Active Directory Diagnostics data collector set.
C. From Windows Explorer, view the properties of the %systemroot%\NTDS\ntds.dit file.
D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.

Answer: C
Section: Configuring AD Backup-Restore
Explanation/Reference:
You can use the Search command on the Start menu to locate the database file (Ntds.dit) or the edb*.log file for the location of the database and log files, respectively. If you have set garbage collection logging to report free disk space, Event ID 1646 in the Directory Service log also reports the size of the database file: Total allocated hard disk space (megabytes):

As an alternative, you can determine the size of the database file by listing the contents of the directory that contains the files. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To determine the database size and location online
On the domain controller on which you want to manage database files, open a command prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Domain Admins credentials, if required, and then click Continue.
Change directories to the directory that contains the files that you want to manage.
At the command prompt, type dir, and then press ENTER to examine the database size.
In the following example command output, the Ntds.dit file and the log files are stored in the same directory. In the example, the files take up 58,761,256 bytes of disk space. This output is representative of a directory database to which few objects have been added.

C:\Windows\NTDS>dir
 Volume in drive C has no label.
 Volume Serial Number is 003D-0E9E

 Directory of C:\Windows\NTDS

01/29/2008 11:04 AM <DIR> .
01/29/2008 11:04 AM <DIR> ..
01/29/2008 10:29 AM 8,192 edb.chk
01/29/2008 10:29 AM 10,485,760 edb.log
01/29/2008 10:29 AM 10,485,760 edb00001.log
01/29/2008 10:29 AM 10,485,760 edbres00001.jrs
01/29/2008 10:29 AM 10,485,760 edbres00002.jrs
01/29/2008 10:29 AM 14,696,488 ntds.dit
01/28/2008 02:54 PM 2,113,536 temp.edb
 7 File(s) 58,761,256 bytes
 2 Dir(s) 126,027,243,520 bytes free

http://technet.microsoft.com/en-us/library/cc794802(v=ws.10).aspx

QUESTION 17
You need to receive an e-mail message whenever a domain user account is locked out. Which tool should you use?

A. Active Directory Administrative Center
B. Event Viewer
C. Resource Monitor
D. Security Configuration Wizard

Answer: B
Section: Configuring AD Backup-Restore
Explanation/Reference:
When an account lockout occurs, it generates a message in the event log.

QUESTION 18
Your network contains an Active Directory domain named contoso.com. You have a management computer named Computer1 that runs Windows 7.
You need to forward the logon events of all the domain controllers in contoso.com to Computer1. All new domain controllers must be dynamically added to the subscription. What should you do?

A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.
B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.
C. From Computer1, configure source-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).
D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).

Answer: A
Section: Maintaining the AD Environment
Explanation/Reference:
Subscriptions
The following list describes the types of event subscriptions:
Source-initiated subscriptions: allows you to define an event subscription on an event collector computer without defining the event source computers. Multiple remote event source computers can then be set up (using a group policy setting) to forward events to the event collector computer. For more information, see Setting up a Source Initiated Subscription. This subscription type is useful when you do not know or you do not want to specify all the event source computers that will forward events.
Collector-initiated subscriptions: allows you to create an event subscription if you know all the event source computers that will forward events. You specify all the event sources at the time the subscription is created. For more information, see Creating a Collector Initiated Subscription.
For either of these subscription types, only computers running the following platforms are allowed to be event collectors: Windows Server 2003 R2, Windows Vista with Service Pack 1 (SP1), or Windows Server 2008.
Computers that run the following operating systems can be an event source: Windows XP with Service Pack 2 (SP2), Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), Windows Server 2003 R2, Windows Vista, Windows Vista with SP1, or Windows Server 2008.
http://technet.microsoft.com/en-us/query/bb427443

QUESTION 19
Your network contains an Active Directory domain that has two sites. You need to identify whether the logon scripts are replicated to all the domain controllers. Which folder should you verify?

A. GroupPolicy
B. NTDS
C. SoftwareDistribution
D. SYSVOL

Answer: D
Section: Maintaining the AD Environment
Explanation/Reference:
The System Volume (Sysvol) is a shared directory that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain. The Sysvol folder on a domain controller contains the following items:
Net Logon shares. These typically host logon scripts and policy objects for network client computers.
User logon scripts for domains where the administrator uses Active Directory Users and Computers.
Windows Group Policy.
File Replication Service (FRS) staging folder and files that must be available and synchronized between domain controllers.
File system junctions.

QUESTION 20
You install a standalone root certification authority (CA) on a server named Server1. You need to ensure that every computer in the forest has a copy of the root CA certificate installed in the local computer's Trusted Root Certification Authorities certificate store. Which command should you run on Server1?

A. Certreq.exe and specify the -accept parameter
B. Certreq.exe and specify the -retrieve parameter
C. Certreq.exe and specify the -dspublish parameter
D. Certreq.exe and specify the -importcert parameter

Answer: C
Section: Configuring AD Certificate Services
Explanation/Reference:

Exam K
QUESTION 1
Your network contains an Active Directory forest. The forest contains two domains. You have a standalone root certification authority (CA). On a server in the child domain, you run the Add Roles Wizard and discover that the option to select an enterprise certification authority is disabled. You need to install a subordinate enterprise CA on the server. What should you use to log on to the new server?

A. an account that is a member of the Certificate Publishers group in the child domain
B. an account that is a member of the Certificate Publishers group in the forest root domain
C. an account that is a member of the Schema Admins group in the forest root domain
D. an account that is a member of the Enterprise Admins group in the forest root domain

Answer: D
Section: Configuring AD Certificate Services
Explanation/Reference:
Reason: Enterprise administrator privileges are required on the DNS, Active Directory, and CA servers. This is especially important because setup modifies information in numerous places, some of which require enterprise administrator privileges.

QUESTION 2
You have an enterprise subordinate certification authority (CA). You have a group named Group1. You need to allow members of Group1 to publish certificate revocation lists. Members of Group1 must not be allowed to revoke certificates. What should you do?

A. Add Group1 to the local Administrators group.
B. Add Group1 to the Certificate Publishers group.
C. Assign the Manage CA permission to Group1.
D. Assign the Issue and Manage Certificates permission to Group1.

Answer: C
Section: Configuring AD Certificate Services
Explanation/Reference:
Reason: Only a CA administrator can manage certificate revocation. "B" can only publish a normal certificate template.

QUESTION 3
You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recovery agent certificates are issued. The CA is configured to use two recovery agents. You need to ensure that all of the recovery agent certificates can be used to recover all new private keys. What should you do?

A. Add a data recovery agent to the Default Domain Policy.
B. Modify the value in the Number of recovery agents to use box.
C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.
D. Assign the Issue and Manage Certificates permission to the users who hold the key recovery agent certificates.

Answer: B
Section: Configuring AD Certificate Services
Explanation/Reference:
To identify a key recovery agent
Log on to the system as a Certification Authority Administrator.
Open Certification Authority.
In the console tree, click the name of the certification authority (CA). Where? Certification Authority (Computer)/CA name
On the Action menu, click Properties.
On the Recovery Agents tab, click Archive the key.
In the Number of recovery agents to use box, type the number of key recovery agents that will be used to encrypt the archived key.
Click Add to add key recovery agent certificates.

QUESTION 4
You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware security module. You need to back up Active Directory Certificate Services on the CA. Which command should you run?

A. certutil.exe -backup
B. certutil.exe -backupdb
C. certutil.exe -backupkey
D. certutil.exe -store

Answer: A
Section: Configuring AD Certificate Services
Explanation/Reference:
Certutil
Applies To: Windows Server 2008
Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

-backup: Backup Active Directory Certificate Services
http://technet.microsoft.com/en-us/library/cc732443.aspx

QUESTION 5
You have Active Directory Certificate Services (AD CS) deployed. You create a custom certificate template. You need to ensure that all the users in the domain automatically enroll for a certificate based on the custom certificate template. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. In a Group Policy object (GPO), configure the autoenrollment settings.
B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.
C. On the certificate template, assign the Read and Autoenroll permissions to the Authenticated Users group.
D. On the certificate template, assign the Read, Enroll, and Autoenroll permissions to the Domain Users group.

Answer: AD
Section: Configuring Group Policy
Explanation/Reference:
Deploy User Certificates
Applies To: Windows Server 2008 R2
You can use this procedure to configure the certificate template that Active Directory Certificate Services (AD CS) uses as the basis for user certificates that are enrolled to members of the Domain Users group. Membership in both the Enterprise Admins group and the Domain Admins group of the root domain is the minimum required to complete this procedure.

To configure the certificate template and autoenrollment
On the computer where Active Directory Certificate Services is installed, click Start, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
In Available snap-ins, double-click Certification Authority.
Select the certification authority (CA) that you want to manage, and then click Finish. The Certification Authority dialog box closes, returning to the Add or Remove Snap-ins dialog box.
In Available snap-ins, double-click Certificate Templates, and then click OK.
In the console tree, click Certificate Templates. All of the certificate templates are displayed in the details pane.
In the details pane, click the User template.
On the Action menu, click Duplicate Template. The Duplicate Template dialog box opens.
Select the template version appropriate for your deployment, and then click OK. The new template properties dialog box opens.
On the General tab, in Display Name, type a new name for the certificate template or keep the default name.
Click the Security tab.
In Group or user names, click Domain Users.
In Permissions for Domain Users, under Allow, select the Enroll and Autoenroll permission check boxes, and then click OK.
Double-click Certification Authority, double-click the CA name, and then click Certificate Templates.
On the Action menu, point to New, and then click Certificate Template to Issue. The Enable Certificate Templates dialog box opens.
Click the name of the certificate template you just configured, and then click OK. For example, if you did not change the default certificate template name, click Copy of User, and then click OK.

On the computer where Active Directory Domain Services (AD DS) is installed, click Start, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
In the Add or Remove Snap-ins dialog box, in Available snap-ins, double-click Group Policy Management Editor. The Select Group Policy Object wizard opens.
Click Browse, and then select Default Domain Policy. Click OK, click Finish, and then click OK again.
Click Default Domain Policy.
Open User Configuration, then Policies, then Windows Settings, then Security Settings, and then Public Key Policies.
In the details pane, double-click Certificate Services Client - Auto-Enrollment. The Certificate Services Client - Auto-Enrollment Properties dialog box opens.
In the Certificate Services Client - Auto-Enrollment Properties dialog box, in Configuration Model, select Enabled.
Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
Select the Update certificates that use certificate templates check box, and then click OK.

QUESTION 6
You have an enterprise subordinate certification authority (CA). You have a custom version 3 certificate template. Users can enroll for certificates based on the custom certificate template by using the Certificates console. The certificate template is available for Web enrollment. You need to ensure that the certificate template is available on the Web enrollment pages. What should you do?

A. Run certutil.exe -pulse.
B. Run certutil.exe -installcert.
C. Change the certificate template to a version 2 certificate template.
D. On the certificate template, assign the Autoenroll permission to the users.

Answer: C
Section: Configuring AD Certificate Services
Explanation/Reference:
Version 3 templates cannot be requested via Web enrollment using the out-of-box certificate Web enrollment pages.

QUESTION 7
You have an enterprise subordinate certification authority (CA). You have a custom certificate template that has a key length of 1,024 bits. The template is enabled for autoenrollment. You increase the template key length to 2,048 bits. You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new template. Which console should you use?

A. Active Directory Administrative Center
B. Certification Authority
C. Certificate Templates
D. Group Policy Management

Answer: C
Section: Configuring AD Certificate Services
Explanation/Reference:

QUESTION 8
Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard. The functional level of the domain is Windows Server 2003. You have a certification authority (CA). The relevant servers in the domain are configured as shown in the following table:

Server name   Operating system          Server role
Server1       Windows Server 2003      Enterprise root CA
Server2       Windows Server 2008      Enterprise subordinate CA
Server3       Windows Server 2008 R2   Web Server

You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate Enrollment Web Service on the network. What should you do?

A. Upgrade Server1 to Windows Server 2008 R2.
B. Upgrade Server2 to Windows Server 2008 R2.
C. Raise the functional level of the domain to Windows Server 2008.
D. Install the Windows Server 2008 R2 Active Directory schema updates.

Answer: D
Section: Configuring AD Certificate Services
Explanation/Reference:
Installation requirements
Before installing the certificate enrollment Web services, ensure that your environment meets these requirements:
A host computer as a domain member running Windows Server 2008 R2.
An Active Directory forest with a Windows Server 2008 R2 schema. See Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=93242).
An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. If the Certificate Enrollment Web Service is configured for client certificate authentication, the CA must be running Windows Server 2008 R2 or Windows Server 2008. For enrollment across forests, the CA must be installed on a computer running Windows Server 2008 R2 Enterprise or Windows Server 2008 R2 Datacenter. See Configuring Certificate Enrollment Web Services for Enrollment Across Forest Boundaries.
Client computers running Windows 7 or Windows Server 2008 R2.
A Server Authentication certificate installed for HTTPS.

QUESTION 9
Your company has an Active Directory forest that contains several domain controllers. The domain controllers run Windows Server 2008. You need to perform an authoritative restore of a deleted organizational unit and its child objects. Which four actions should you perform in sequence? (To answer, move the four appropriate actions from the list of actions to the answer area, and arrange them in the correct order.)

Answer:

Section: Maintaining the AD Environment
Explanation/Reference:

Exam L
QUESTION 1
Your network contains an Active Directory domain named contoso.com. The properties of the contoso.com DNS zone are configured as shown in the exhibit. You need to update all the service location (SRV) records for a domain controller in the domain. What should you do?
Exhibit:

A. Restart the Netlogon service.
B. Restart the DNS Client service.
C. Run sc.exe and specify the triggerinfo parameter.
D. Run ipconfig.exe and specify the /registerdns parameter.

Answer: A
Section: Maintaining the AD Environment
Explanation/Reference:
The SRV resource records are registered by starting the Net Logon service, which enlists the records in the Netlogon.dns file under the %systemroot%\System32\config folder.

QUESTION 2
Your network contains an Active Directory domain. The domain contains a group named Group1. The minimum password length for the domain is set to six characters. You need to ensure that the passwords for all users in Group1 are at least 10 characters. All other users must be able to use passwords that are six characters. What should you do first?

A. Run the New-ADFineGrainedPasswordPolicy cmdlet.
B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.
C. From the Default Domain Policy, modify the password policy.
D. From the Default Domain Controllers Policy, modify the password policy.

Answer: A
Section: Maintaining the AD Environment
Explanation/Reference:
Important: For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008.
Instead of PowerShell you can also do it like this:
Fine-Grained Passwords [Password policies per OU, group or user]
ADSI Edit, CN=System, CN=Password Settings Container, right-click, New Object, msDS-PasswordSettings, enter the name PasswordSettings, enter the values.
ADUC (Advanced Features), create the group, go to System, PasswordSettings, msDS-PSOAppliesTo, Edit, enter the group.

QUESTION 3
Your network contains an Active Directory domain. A user named User1 takes a one-year leave of absence. You need to restrict access to the User1 user account while User1 is away. What should you do?

A. From the Default Domain Policy, modify the account lockout settings.
B. From the Default Domain Controllers Policy, modify the account lockout settings.
C. From the properties of the user account, modify the account options.
D. From the properties of the user account, modify the session settings.

Answer: C
Section: Maintaining the AD Environment
Explanation/Reference:
Account options: select the Account is disabled check box.

QUESTION 4
Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains a member server that is configured to collect all of the events that occur on the domain controllers. You need to ensure that administrators are notified when a specific event occurs on any of the domain controllers. You want to achieve this goal by using the minimum amount of effort. What should you do?

A. From Event Viewer on the member server, create a subscription.
B. From Event Viewer on each domain controller, create a subscription.
C. From Event Viewer on the member server, run the Create Basic Task Wizard.
D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.

Answer: C
Section: Maintaining the AD Environment
Explanation/Reference:
The forwarded events are on the collector computer, which is the member server.

QUESTION 5
Your network contains an Active Directory domain controller named DC1. DC1 runs Windows Server 2008 R2. You need to defragment the Active Directory database on DC1. The solution must minimize downtime on DC1. What should you do first?

A. At the command prompt, run net stop ntds.
B. At the command prompt, run net stop netlogon.
C. Restart DC1 in Safe Mode.
D. Restart DC1 in Directory Services Restore Mode (DSRM).

Answer: A
Section: Powershell & Command line cmds
Explanation/Reference:
The local copy of the AD database must be taken offline before the defragmentation.

QUESTION 6
Your company uses an application that stores data in an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1. You attempt to create a snapshot of Instance1 as shown in the exhibit. (Click the Exhibit button.) You need to ensure that you can take a snapshot of Instance1. What should you do?
Exhibit:

A. At the command prompt, run net start VSS.
B. At the command prompt, run net start Instance1.
C. Set the startup type for the Instance1 service to Disabled.
D. Set the startup type for the Volume Shadow Copy Service (VSS) to Manual.

Answer: A
Section: Configuring AD LDS
Explanation/Reference:
Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser) Step-by-Step Guide
Applies To: Windows Server 2008
This guide shows how you can use an improved version of Ntdsutil and a new Active Directory database mounting tool in Windows Server 2008 to create and view snapshots of data that is stored in Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), without restarting the domain controller or AD LDS server. A snapshot is a shadow copy, created by the Volume Shadow Copy Service (VSS), of the volumes that contain the Active Directory database and log files.
http://technet.microsoft.com/en-us/library/cc753609(v=WS.10).aspx

QUESTION 7 Sua rede contm um domnio do Active Directory chamado contoso.com. Todos os controladores de domnio e servidores membro executar o Windows Server 2008. Todos os computadores clientes executam o Windows 7. A partir de um computador cliente, voc cria uma diretiva de auditoria usando as avanadas configuraes de auditoria de configurao da poltica de domnio objeto de Diretiva Padro de Diretiva de Grupo (GPO). Voc descobre que a diretiva de auditoria no aplicada aos servidores membros. A diretiva de auditoria aplicada aos computadores cliente. Voc precisa garantir que a poltica de auditoria aplicada a todos os servidores membros e todos os computadores cliente. O que voc deve fazer? A. B. C. D. Adicionar um filtro WMI para a Default Domain Policy GPO Modificar as configuraes de segurana do Default Domain Policy GPO Configurar um script de inicializao que executado auditpol.exe nos servidores membros. Configurar um script de inicializao que executado auditpol.exe nos controladores de domnio.

Answer: B
Section: Configuring Group Policy
Explanation/Reference:
Advanced audit policy is a 2k8 R2 feature. After applying the policy, make sure "Apply group policy" is enabled. See screenshot below.

QUESTION 8
Your network contains an Active Directory domain. The domain contains 1,000 user accounts.
You have a list that contains the mobile phone number of each user.
You need to add the mobile phone number of each user to Active Directory.
What should you do?
A. Create a file that contains the mobile phone numbers, and then run Ldifde.exe.
B. Create a file that contains the mobile phone numbers, and then run Csvde.exe.
C. From Adsiedit, select the CN=Users container, and then modify the properties of the container.
D. From Active Directory Users and Computers, select all the users, and then modify the properties of the users.

Answer: A
Section: Maintaining the AD Environment
Explanation/Reference:
LDIFDE: Used mostly for changing a lot of user properties at once.
CSVDE CANNOT move or modify an object.
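As an added example (not part of the original exam dump), the following PowerShell script shows what answer A involves in practice: it builds the LDIF modify file from a constructed list of account/mobile pairs, resolves each account to its distinguished name, and imports the changes with Ldifde.exe. The file paths, the user names and the phone numbers are assumptions.

```powershell
# Added example: build an LDIF modify file from a list of mobile numbers
# and import it with Ldifde.exe (the approach in answer A).
# Assumptions: the script runs on a domain-joined machine as a user who may
# write the "mobile" attribute; the CSV below is constructed sample data.

$csvPath = Join-Path $env:TEMP 'mobile-numbers.csv'   # assumed path
$ldfPath = Join-Path $env:TEMP 'mobile-numbers.ldf'   # assumed path

# Constructed sample input: one row per user (sAMAccountName,mobile).
@'
sAMAccountName,mobile
user1,+1 555 0100
user2,+1 555 0101
'@ | Set-Content -Path $csvPath -Encoding ASCII

# Resolve an account to its distinguished name with DirectorySearcher,
# which is available on Windows Server 2008 without the AD PowerShell module.
# With no SearchRoot it searches the domain of the current user.
function Get-UserDn {
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $result = $searcher.FindOne()
    if ($result -eq $null) { return $null }
    return [string]$result.Properties['distinguishedname'][0]
}

# One LDIF change record per user: "changetype: modify" with "replace: mobile"
# overwrites whatever value is there. The "-" line ends the attribute change
# and the blank line ends the record; Ldifde requires both.
$records = foreach ($row in Import-Csv -Path $csvPath) {
    $dn = Get-UserDn -SamAccountName $row.sAMAccountName
    if (-not $dn) {
        Write-Warning "Account $($row.sAMAccountName) not found; skipped."
        continue
    }
    @(
        "dn: $dn",
        'changetype: modify',
        'replace: mobile',
        "mobile: $($row.mobile)",
        '-',
        ''
    ) -join "`r`n"
}
$records -join "`r`n" | Set-Content -Path $ldfPath -Encoding ASCII

# Import the modifications: -i import, -f input file, -k continue past
# per-record errors, -j folder for the ldif.log / ldif.err files.
ldifde -i -f $ldfPath -k -j $env:TEMP
```

Check ldif.err in the log folder afterwards: with -k, a record that fails (for example a malformed value) is skipped rather than stopping the import.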

QUESTION 9
Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way forest trust exists between contoso.com and nwtraders.com. The forest trust is configured to use selective authentication.
Contoso.com contains a server named Server1. Server1 contains a shared folder named Marketing. Nwtraders.com contains a global group named G_Marketing. The Change share permission and the Modify NTFS permission for the Marketing folder are assigned to the G_Marketing group.
Members of G_Marketing report that they cannot access the Marketing folder.
You need to ensure that the G_Marketing members can access the folder from the network.
What should you do?
A. From Windows Explorer, modify the NTFS permissions of the folder.
B. From Windows Explorer, modify the share permissions of the folder.
C. From Active Directory Users and Computers, modify the computer object for Server1.
D. From Active Directory Users and Computers, modify the group object for G_Marketing.

Answer: C
Section: Maintaining the AD Environment
Explanation/Reference:
Selective authentication over a forest trust restricts access to only those users in a trusted forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the trusting forest. To explicitly give authentication permissions to computer objects in the trusting forest to certain users, Administrators must grant those users the Allowed to Authenticate permission in Active Directory. For more information, see Grant the Allowed to Authenticate permission on computers in the trusting domain or forest.
To grant the Allowed to Authenticate permission on computers in the trusting domain or forest
Using the Windows interface
1. Open Active Directory Users and Computers.
2. In the console tree, click the Computers container or the container where your computer objects reside.
3. Right-click the computer object that you want users in the trusted domain or forest to access, and then click Properties.
4. On the Security tab, do one of the following:
In Group or user names, click the user names or group names for which you want to grant access to this computer, select the Allow check box next to the Allowed to Authenticate permission, and then click OK.
Click Add. In Enter the object names to select, type the name of the user object or group object for which you want to grant access to this resource computer, and then click OK. Select the Allow check box next to the Allowed to Authenticate permission, and then click OK.
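The same change as the Security tab procedure above, done from PowerShell as an added example (not part of the original exam dump or of the TechNet article): it grants the trusted-forest group the Allowed to Authenticate extended right on the Server1 computer object, looking the right's GUID up in the schema instead of hard-coding it. It assumes it runs as an administrator of the trusting forest (contoso.com) and that the NWTRADERS\G_Marketing name resolves through the forest trust.

```powershell
# Added example: grant a trusted-forest group the "Allowed to Authenticate"
# control access right on a resource computer object (what answer C does
# through the ADUC Security tab). Assumptions: run in the trusting forest
# with rights to edit the computer object; the group name is resolvable
# through the forest trust; names are the ones from the question.

$computerName = 'Server1'                   # resource computer (trusting forest)
$trustedGroup = 'NWTRADERS\G_Marketing'     # group from the trusted forest

# Look up the rightsGuid of Allowed-To-Authenticate under
# CN=Extended-Rights in the configuration partition.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$rightSearch = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Extended-Rights,$configNc",
    '(&(objectClass=controlAccessRight)(cn=Allowed-To-Authenticate))',
    @('rightsGuid'))
$rightEntry = $rightSearch.FindOne()
if ($rightEntry -eq $null) { throw 'Allowed-To-Authenticate right not found in schema.' }
$rightsGuid = [Guid]([string]$rightEntry.Properties['rightsguid'][0])

# Find the computer object in the current (trusting) domain. Computer
# accounts have a trailing "$" in sAMAccountName.
$compSearch = New-Object System.DirectoryServices.DirectorySearcher(
    "(&(objectCategory=computer)(sAMAccountName=$computerName`$))")
$compResult = $compSearch.FindOne()
if ($compResult -eq $null) { throw "Computer $computerName not found." }
$computer = $compResult.GetDirectoryEntry()

# Translate the trusted-forest group to a SID; this needs the forest trust.
$sid = (New-Object System.Security.Principal.NTAccount($trustedGroup)).Translate([System.Security.Principal.SecurityIdentifier])

# ACE: Allow <group> the extended right identified by $rightsGuid. Nothing
# else on the object is granted, which is the least-privilege form of the
# selective-authentication grant.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightsGuid)

# Add it to the computer object's DACL and write the change back.
$computer.ObjectSecurity.AddAccessRule($ace)
$computer.CommitChanges()

# Show what is now granted, so the result can be checked against the
# Security tab: one row per ACE carrying this extended right.
$computer.ObjectSecurity.Access |
    Where-Object { $_.ObjectType -eq $rightsGuid } |
    Select-Object IdentityReference, AccessControlType
```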

QUESTION 10
Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers. The servers are configured as shown in the following table.
-------------------------------------------------------------------
Server name   Server role service
-------------------------------------------------------------------
Server1       Certification authority (CA)
Server2       Certificate Enrollment Web Service
Server3       Certificate Enrollment Policy Web Service
-------------------------------------------------------------------
You need to ensure that users can manually enroll and renew their certificates by using the Certificate Enrollment Web Service.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure the policy module setting.
B. Configure the issuance requirements for the certificate templates.
C. Configure the Certificate Services Client - Certificate Enrollment Policy Group Policy setting.
D. Configure the delegation setting for the Certificate Enrollment Web Service application pool account.
Answer: BC
Section: Configuring AD Certificate Services
Explanation/Reference:
Configuring Group Policy to Support the Certificate Enrollment Policy Web Service
Applies To: Windows Server 2008 R2
Before client computers can use the Certificate Enrollment Policy Web Service, a Group Policy setting must be configured to provide the location of the Web service to domain members.
A certification authority (CA) processes each certificate request by using a defined set of rules. The CA may issue some certificates with no proof of identification and require proof of identification before other types of certificates are issued. This provides different levels of assurance for different certificates. These levels of assurance are represented in certificates as issuance policies.

QUESTION 11
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 Standard.
You need to install an enterprise subordinate certification authority (CA) that supports private key archival. You must achieve this goal by using the minimum amount of administrative effort.
What should you do first?
A. Initialize the Trusted Platform Module (TPM).
B. Upgrade the member server to Windows Server 2008 R2 Standard.
C. Install the Certificate Enrollment Policy Web Service role service on the member server.
D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services - Certification Authority server role check box from the template.

Answer: B
Section: Configuring AD Certificate Services
Explanation/Reference:

QUESTION 12
Your company has four offices. The network contains a single Active Directory domain. Each office has a domain controller. Each office has an organizational unit (OU) that contains the user accounts for the users in that office.
In each office, support technicians perform basic troubleshooting for the users in their respective office.
You need to ensure that the support technicians can reset passwords for the user accounts in their respective office only. The solution must prevent the technicians from creating user accounts.
What should you do?
A. For each OU, run the Delegation of Control Wizard.
B. For the domain, run the Delegation of Control Wizard.
C. For each office, create an Active Directory group, and then modify the security settings for each group.
D. For each office, create an Active Directory group, and then modify the ControlAccessRights attribute for each group.
Answer: A
Section: Maintaining the AD Environment
Explanation/Reference:

Active Directory Object Type
Applies To: Windows Server 2008, Windows Server 2008 R2
Control: This folder, existing objects in this folder, and creation of new objects in this folder
Details: Select this option if you want to delegate full control of this folder and all its existing object contents, as well as any future objects that it might contain.
Control: Only the following objects in the folder
Details: Select this option if you want to delegate control of only selected types of objects in this folder. The types of objects that are available are determined by the Active Directory schema. For more information about specific object types, see Active Directory Domain Services Reference (http://go.microsoft.com/fwlink/?LinkId=80181).
Control: Create selected objects in this folder check box
Details: Select this check box to create objects of the types that are selected in the object type list.
Control: Delete selected objects in this folder check box
Details: Select this check box to remove objects of the types that are selected in the object type list.

QUESTION 13
You need to compact an Active Directory database on a domain controller that runs Windows Server 2008 R2.
What should you do?
A. Run defrag.exe /a /c.
B. Run defrag.exe /c /u.
C. From Ntdsutil, use the Files option.
D. From Ntdsutil, use the Metadata cleanup option.

Answer: C
Section: Configuring AD Backup-Restore
Explanation/Reference:
At the command prompt, type the following command, and then press ENTER: net stop ntds
Type Y to agree to stop additional services, and then press ENTER.
At the command prompt, type ntdsutil, and then press ENTER.
At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
At the ntdsutil prompt, type files, and then press ENTER.
If you are compacting the database to a local drive, at the file maintenance: prompt, type compact to <drive>:\<LocalDirectoryPath> (where <drive>:\<LocalDirectoryPath> is the path to a location on the local computer), and then press ENTER.
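The offline compaction from answer C as a script, added here as an example (not from the exam dump or from TechNet). It carries the procedure past the compact step shown above: it keeps the old database until the compacted copy passes ntdsutil's integrity check, replaces ntds.dit, removes the old transaction logs, and only then restarts AD DS. It assumes an elevated PowerShell on the domain controller, the default %SystemRoot%\NTDS location, and a scratch folder C:\Compact.

```powershell
# Added example: ntdsutil offline compaction (answer C) carried through to
# the end. Assumptions: elevated PowerShell on the domain controller; the
# database and logs are in %SystemRoot%\NTDS (the default); C:\Compact has
# enough free space for a second copy of ntds.dit.

$ntdsDir = Join-Path $env:SystemRoot 'NTDS'   # default location, assumed
$dbPath  = Join-Path $ntdsDir 'ntds.dit'
$workDir = 'C:\Compact'                       # assumed scratch folder
$backup  = Join-Path $workDir 'ntds.dit.before-compact'

New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Stop AD DS. /y answers "Y" to the prompt about stopping dependent
# services (the same prompt the procedure above answers by typing Y).
net stop ntds /y
if ($LASTEXITCODE -ne 0) { throw 'Could not stop NTDS; nothing was changed.' }

# Compact to the scratch folder. Each ntdsutil menu command is passed as one
# quoted argument, equivalent to typing it at the successive prompts.
ntdsutil 'activate instance ntds' files "compact to $workDir" quit quit

$compacted = Join-Path $workDir 'ntds.dit'
if (-not (Test-Path $compacted)) {
    # Failure mode: no output file. The live database is untouched, so
    # simply bring AD DS back up.
    net start ntds
    throw 'Compaction produced no ntds.dit; original database left in place.'
}

# Keep the old database until the new one is verified, then swap it in.
# The old logs belong to the old file and must be removed with it.
Copy-Item -Path $dbPath -Destination $backup -Force
Copy-Item -Path $compacted -Destination $dbPath -Force
Remove-Item -Path (Join-Path $ntdsDir '*.log') -Force

# Integrity check runs against the file that is now at $dbPath. ntdsutil
# reports the result in its output rather than a reliable exit code, so
# the text is inspected.
$check = ntdsutil 'activate instance ntds' files integrity quit quit 2>&1 | Out-String
if ($check -notmatch 'Integrity check successful') {
    throw "Integrity check did not succeed; restore $backup to $dbPath before starting NTDS.`n$check"
}

net start ntds
Remove-Item -Path $backup -Force
Write-Output "Compacted database in place; old copy removed from $workDir."
```

Run the semantic database analysis (ntdsutil, semantic database analysis, go) afterwards if the integrity output is clean but the service still logs database errors.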

QUESTION 14
Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domain controllers. The domain controllers are configured as shown in the following table.
-------------------------------------------------------------------
Server   Server IP Address   Server site
-------------------------------------------------------------------
DC1      10.1.1.1/16         Default-First-Site-Name
DC2      10.1.1.2/16         Default-First-Site-Name
-------------------------------------------------------------------
All client computers have IP addresses in the range 10.1.2.1 to 10.1.2.240.
You need to minimize the number of client authentication requests sent to DC2.
What should you do?
A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and assign the subnet to Site1. Move DC1 to Site1.
B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and assign the subnet to Site1. Move DC1 to Site1.
C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and assign the subnet to Site1. Move DC2 to Site1.
D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and assign the subnet to Site1. Move DC2 to Site1.
Answer: C
Section: AD Sites & Services
Explanation/Reference:
This effectively isolates DC2 in its own site as far as sites, subnets, and clients are concerned.

QUESTION 15
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and eu.contoso.com. All domain controllers are DNS servers. The domain controllers in contoso.com host the zone for contoso.com. The domain controllers in eu.contoso.com host the zone for eu.contoso.com.
The DNS zone for contoso.com is configured as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that all domain controllers in the forest host a writable copy of _msdcs.contoso.com.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
Exhibit:
A. Create a zone delegation record in the contoso.com zone.
B. Create a zone delegation record in the eu.contoso.com zone.
C. Create an Active Directory-integrated zone for _msdcs.contoso.com.
D. Create a secondary zone named _msdcs.contoso.com in eu.contoso.com.

Answer: AC
Section: Configuring AD DNS
Explanation/Reference:

QUESTION 16
Your network contains three Active Directory forests named Forest1, Forest2, and Forest3. Each forest contains three domains. A two-way forest trust exists between Forest1 and Forest2. A two-way forest trust exists between Forest2 and Forest3.
You need to configure the forests to meet the following requirements:
Users in Forest3 must be able to access resources in Forest1.
Users in Forest1 must be able to access resources in Forest3.
The number of trust relationships must be minimized.
What should you do?
A. In Forest2, modify the name suffix routing settings.
B. In Forest1 and Forest3, configure selective authentication.
C. In Forest1 and Forest3, modify the name suffix routing settings.
D. Create a two-way forest trust between Forest1 and Forest3.
E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3.

Answer: D
Section: Configuring Domains and Trusts
Explanation/Reference:
Two Forest Trusts Between Three Windows Server 2003 Forests
In this example, a two-way transitive forest trust exists between the forest root domains in Forest 1 and Forest 2, and another two-way transitive forest trust exists between the forest root domains in Forest 3 and Forest 2. This configuration allows:
Users in Forest 2 to access resources in any domain in either Forest 1 or Forest 3
Users in Forest 3 to access resources in any domain in Forest 2
Users in Forest 1 to access resources in any domain in Forest 2
This configuration does not allow users in Forest 1 to access resources in Forest 3 or vice versa. To allow users in both Forest 1 and Forest 3 to share resources, a two-way transitive trust must be created between the two forests.
http://technet.microsoft.com/en-us/library/cc773178(v=WS.10).aspx

QUESTION 17
Your network contains an Active Directory forest. The forest contains two domain controllers. The domain controllers are configured as shown in the following table.
--------------------------------------------------------------------------------------------------
Server name   Server configuration
--------------------------------------------------------------------------------------------------
DC1           Global catalog server
              Schema master
              Domain naming master
--------------------------------------------------------------------------------------------------
DC2           Primary domain controller (PDC) emulator
              RID master
              Infrastructure master
--------------------------------------------------------------------------------------------------
All client computers run Windows 7.
You need to ensure that all client computers in the domain keep the same time as an external time server.
What should you do?
A. From DC1, run the time command.
B. From DC2, run the time command.
C. From DC1, run the W32tm.exe command.
D. From DC2, run the W32tm.exe command.

Answer: D
Section: Configuring AD FSMO Roles
Explanation/Reference:
This has to be run on the PDC emulator.
Most domain member computers have a time client type of NT5DS, which means that they synchronize time from the domain hierarchy. The only typical exception to this is the domain controller that functions as the primary domain controller (PDC) emulator operations master of the forest root domain, which is usually configured to synchronize time with an external time source.

QUESTION 18
Your network contains a single Active Directory domain named contoso.com. An administrator accidentally deletes the _msdcs.contoso.com zone. You re-create the _msdcs.contoso.com zone.
You need to ensure that the _msdcs.contoso.com zone contains all of the required DNS records.
What should you do on each domain controller?
A. Restart the Netlogon service.
B. Restart the DNS Server service.
C. Run dcdiag.exe /fix.
D. Run ipconfig.exe /registerdns.

Answer: A
Section: Powershell & Command line cmds
Explanation/Reference:

QUESTION 19
Active Directory Rights Management Services (AD RMS) is deployed on your network.
You need to configure AD RMS to use Kerberos authentication.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Register a service principal name (SPN) for AD RMS.
B. Register a service principal name (SPN) in AD RMS.
C. Configure the identity setting of the _DRMSAppPool1 application pool.
D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase.

Answer: AD
Section: Configuring AD Rights Mgmt Services
Explanation/Reference:
Enable support for Kerberos authentication
Applies To: Windows Server 2008 R2
If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures:
Set the Internet Information Services (IIS) useAppPoolCredentials variable to True
Set the Service Principal Names (SPN) value for the AD RMS service account
http://technet.microsoft.com/en-us/library/dd759186.aspx

QUESTION 20
Your network contains an Active Directory forest. The forest contains an Active Directory site for a remote office. The remote site contains a read-only domain controller (RODC).
You need to configure the RODC to store only the passwords of users in the remote site.
What should you do?
A. Create a Password Settings object (PSO).
B. Modify the Partial-Attribute-Set attribute of the forest.
C. Add the user accounts of the remote site users to the Allowed RODC Password Replication Group.
D. Add the user accounts of users who are not in the remote site to the Denied RODC Password Replication Group.
Answer: C
Section: Maintaining the AD Environment
Explanation/Reference:
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner.
The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.
The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.

QUESTION 21
Your network contains an Active Directory domain. All domain controllers run Windows Server 2003.
You replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise the functional level of the domain to Windows Server 2008 R2.
You need to minimize the amount of SYSVOL replication traffic on the network.
What should you do?
A. Raise the functional level of the forest to Windows Server 2008 R2.
B. Modify the path of the SYSVOL folder on all domain controllers.
C. On a global catalog server, run Repadmin.exe and specify the KCC parameter.
D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run dfsrmig.exe.

Answer: D
Section: Configuring AD FSMO Roles
Explanation/Reference:
Reason: Windows Server 2008 includes a command line tool called dfsrmig.exe which can be used by administrators to control the process of migrating replication of the SYSVOL share from FRS to the DFS Replication service.
Windows Server 2008 ships a command line tool called dfsrmig.exe which can be used by an administrator to initiate migration of SYSVOL replication from FRS to the DFS Replication service. This tool essentially sets migration related directives in Active Directory. Thereafter, on each of the domain controllers in the domain, when the DFS Replication service running polls Active Directory for configuration information, it notices this migration directive and takes steps to migrate replication of SYSVOL to the DFS Replication service. The following section explains the various migration states that are possible during this migration process in more detail.
Thus migration directives are set only once (globally) and all domain controllers in the domain notice this directive and automatically take steps to attain the selected migration state, thus resulting in migration of SYSVOL replication from FRS to the DFS Replication service.
http://blogs.technet.com/b/filecab/archive/2008/02/08/sysvol-migration-series-part-1-introduction-to-the-sysvol-migration-process.aspx

Exam M
QUESTION 1
Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in each forest.
You need to ensure that users in the nwtraders.com forest can access AD RMS protected content in the contoso.com forest.
What should you do?
A. Create an external trust from contoso.com to nwtraders.com.
B. Create an external trust from nwtraders.com to contoso.com.
C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.
D. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.

Answer: C
Section: Configuring AD Rights Mgmt Services
Explanation/Reference:
Trusted User Domain
Applies To: Windows Server 2008, Windows Server 2008 R2
By default, Active Directory Rights Management Services does not service requests from users whose RACs were issued by a different AD RMS cluster. However, you can add AD RMS domains to a list of trusted user domains in an AD RMS cluster. This allows Active Directory Rights Management Services to process such requests.
A trusted user domain, often referred as a TUD, is a trust between AD RMS clusters that instructs a licensing server to accept rights account certificates (the certificates identifying users) from another AD RMS server in a different Active Directory forest. An AD RMS trust is not the same as an Active Directory trust, but it is similar in that it refers to the ability of one environment to accept identities from another environment as valid subjects. As a TUD is a trust between AD RMS infrastructures, it requires that each forest (whether in the same company or in different companies) has its own AD RMS infrastructure.
Using trusted user domains, AD RMS can process requests for use licenses from users whose rights account certificates were issued by an AD RMS installation in a different Active Directory forest; in other words, from a different certification cluster. Trusted user domains are added by importing the server licensor certificate, of the AD RMS installation to trust, to the trusting AD RMS installation.
http://technet.microsoft.com/en-us/library/dd983944(v=WS.10).aspx

QUESTION 2
You need to clear the list of user accounts that were authenticated on a read-only domain controller (RODC).
What should you do?
A. From Active Directory Users and Computers, modify the properties of the RODC computer object.
B. Run the Repadmin.exe command and specify the /prp parameter.
C. Run the dsrm.exe command and specify the -u parameter.
D. From Active Directory Sites and Services, modify the properties of the RODC computer object.
Answer: B
Section: Maintaining the AD Environment
Explanation/Reference:
repadmin /prp

You can use this command to view or modify the PRP for an RODC. The PRP determines which account passwords are allowed to be cached on an RODC and which accounts are denied from being cached.
http://technet.microsoft.com/en-us/library/administer-prp-for-rodc-with-repadmin.exe%28WS.10%29.aspx#BKMK_PRP

To clear the authenticated accounts list
1. Open an elevated Command Prompt window using the credentials of a Domain Admin. To do this, click Start. In Start Search, type runas /user:<domainName>\<domainAdminAccountUser> cmd, and then press ENTER. Replace <domainName> with the domain name, and replace <domainAdminUser> with the name of a user account that is a member of the Domain Admins group in that domain.
2. To clear all entries from the list, run the command repadmin /prp delete <hostname> auth2 /all. Substitute the actual host name of the RODC that you want to clear. For example, if you want to clear the list of authenticated accounts for RODC2, type repadmin /prp delete rodc2 auth2 /all, and then press ENTER.
http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy(v=WS.10).aspx

QUESTION 3
Your network contains an Active Directory domain.
You need to back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group Policy links for the domain.
What should you do?
A. From Windows PowerShell, run the Backup-GPO cmdlet.
B. From Windows Server Backup, perform a system state backup.
C. From Windows Explorer, copy the contents of %systemroot%\SYSVOL.
D. From Group Policy Management Console (GPMC), back up the GPOs.

Answer: A
Section: Configuring Group Policy
Explanation/Reference:
http://technet.microsoft.com/en-us/library/ee461052.aspx
Detailed Description
The Backup-GPO cmdlet backs up a specified GPO or all the GPOs in a domain to a backup directory.
http://www.petri.co.il/backing-up-group-policy-objects.htm
You can also choose answer D, but in the answer it does not state "Back Up All" from Group Policy Objects!

QUESTION 4
Your network contains an Active Directory forest. The forest contains one domain. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 was installed before DC2. DC1 fails.
You need to ensure that you can add 1,000 new user accounts to the domain.
What should you do?
A. Seize the schema master FSMO role.
B. Configure DC2 as a global catalog server.
C. Seize the RID master FSMO role.
D. Modify the permissions of the DC2 computer account.

Answer: C
Section: Configuring AD FSMO Roles
Explanation/Reference:
RID master
The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest.
Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain.
To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.
http://technet.microsoft.com/en-us/library/cc773108(v=WS.10).aspx

QUESTION 5
Your network contains an Active Directory domain named contoso.com. Contoso.com contains two sites named Site1 and Site2. Site1 contains a domain controller named DC1.
In Site1, you install a new domain controller named DC2. You ship DC2 to Site2.
You discover that certain users in Site2 authenticate to DC1.
You need to ensure that users in Site2 always attempt to authenticate to DC2 first.
What should you do?
A. From Active Directory Sites and Services, move the DC2 server object.
B. From Active Directory Users and Computers, modify the Location settings of the DC2 computer object.
C. From Active Directory Sites and Services, modify the Location attribute for Site2.
D. From Active Directory Users and Computers, move the DC2 computer object.
Answer: A
Section: AD Sites & Services
Explanation/Reference:
Servers (especially DCs) need to be in the correct site to accomplish this goal.

QUESTION 6
Your company has a main office and four branch offices. An Active Directory site exists for each office. Each site contains a domain controller. Each branch office site has a site link to the main office site.
You discover that the domain controllers in the branch offices sometimes replicate directly to each other.
You need to ensure that the domain controllers in the branch offices only replicate to the domain controller in the main office.
What should you do?
A. Disable the Knowledge Consistency Checker (KCC) for each branch office site.
B. Modify the firewall settings for the main office site.
C. Modify the security settings for the main office site.
D. Disable site link transitivity.

Answer: D
Section: Maintaining the AD Environment
Explanation/Reference:
Controlling replication failover
If your organization has a hub-and-spoke network topology, you generally do not want the satellite sites to create replication connections to other satellite sites if all domain controllers in the hub site fail. In such scenarios, you must disable Bridge all site links and create site link bridges so that replication connections are created between the satellite site and another hub site that is just one or two hops away from the satellite site.
http://technet.microsoft.com/en-us/library/cc753638(v=WS.10).aspx

QUESTION 7
Your network contains a single Active Directory domain. The client computers run either Windows XP Service Pack 3 (SP3) or Windows 7. All computer accounts for the client computers are located in an organizational unit (OU) named OU1.
You link a new Group Policy object (GPO) named GPO10 to OU1.
You need to ensure that GPO10 is applied only to the client computers that run Windows 7.
What should you do?
A. Enable block inheritance on OU1.
B. Create a new OU in OU1. Move the Windows XP computer accounts to the new OU.
C. Modify the permissions of OU1.
D. Create a WMI filter and assign the filter to GPO10.

Answer: D
Section: Configuring Group Policy
Explanation/Reference:
Creating WMI and Group Filters
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
When the network includes client computers that run a variety of Windows operating systems, two computers in the same OU might require different settings to achieve the same configuration. For example, a computer that is running Windows XP might require a different setting than a computer that is running Windows 7 or Windows Vista. Two GPOs would be required in that case, one to apply to computers that are running Windows XP, and one to apply to computers that are running the later versions of Windows.
There are also times when you cannot rearrange the computers in your AD OU hierarchy to let you link a GPO to OUs that contain only the computers to which you want the GPO to apply. So Group Policy also supports using access control lists (ACLs) to prevent the GPO from applying to any computer or user account that is not granted permissions to the GPO.
There are two frequently used techniques used to make sure that GPOs only apply to the correct computers:
Add a Windows Management Instrumentation (WMI) filter to the GPO. A WMI filter enables you to specify criteria that must be matched before the linked GPO is applied to a computer. By letting you filter the computers to which the GPO applies, this reduces the need to further subdivide your OUs in Active Directory. This technique is dynamic, in that the filter is evaluated when the computer attempts to apply the policy. So if you are filtering based on the version of Windows then upgrading the computer from Windows XP to Windows 7 requires no changes to your GPO, because the filter will automatically recognize the change and filter the computer's access to the GPO accordingly.
Grant or deny the Apply Policy security permission in the ACL for the GPO. If you put your computers in security groups, you can then grant the Apply Policy permission to only the groups that should use the GPO.
http://technet.microsoft.com/en-us/library/cc754488(v=WS.10).aspx

QUESTION 8
Your network contains an Active Directory forest. All client computers run Windows 7. The network contains a high-volume certification authority (CA). You need to minimize the amount of network bandwidth required to validate a certificate. What should you do?
A. Configure an Online Certificate Status Protocol (OCSP) responder.
B. Configure an LDAP publishing point for the certificate revocation list (CRL).

C. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).
D. Modify the delta certificate revocation list (CRL) settings.
Answer: A
Section: Configuring AD LDS
Explanation/Reference:
CRLs
A CRL is a file, created and signed by a CA, that contains serial numbers of certificates that have been issued by that CA and are revoked. In addition to the serial number for the revoked certificates, the CRL also contains the revocation reason for each certificate and the time the certificate was revoked. Currently, two types of CRLs exist: base CRLs and delta CRLs. Base CRLs maintain a complete list of revoked certificates while delta CRLs maintain only those certificates that have been revoked since the last publication of a base CRL.
The major drawback of CRLs is their potentially large size, which limits the scalability of the CRL approach. The large size adds significant bandwidth and storage burdens to the CA and relying party, and therefore limits the ability of the system to distribute the CRL. Bandwidth, storage space, and CA processing capacity can also be negatively affected if the publishing frequency gets too high. Numerous attempts have been made to solve the CRL size issue through the introduction of partitioned CRLs, delta CRLs, and indirect CRLs. All these approaches have added complexity and cost to the system without providing an ideal solution to the underlying problem.
Another drawback of CRLs is latency; because the CRL publishing period is predefined, information in the CRL might be out of date until a new CRL or delta CRL is published.
OCSP
OCSP is a Hypertext Transfer Protocol (HTTP) service that allows a relying party to submit a certificate status request to an OCSP responder. This returns a definitive, digitally signed response indicating the certificate status. The amount of data retrieved per request is constant regardless of the number of revoked certificates in the CA.
Most OCSP responders get their data from published CRLs and are therefore reliant on the publishing frequency of the CA. Some OCSP responders can, however, receive data directly from the CA's certificate status database and consequently provide near real-time status.
Scalability is the major drawback of the OCSP approach. Since it is an online process and is designed to respond to single certificate status requests, it results in more server hits, requiring multiple and sometimes geographically dispersed servers to balance the load. The response signing and signature verification processes also take time, which can adversely affect the overall response time at the relying party. Finally, since the integrity of the signed response depends on the integrity of the OCSP responder's signing key, the validity of this key must also be verified after a response is validated by the client.
http://technet.microsoft.com/en-us/library/cc770413(v=WS.10).aspx

QUESTION 9
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 R2 Standard. You need to create an enterprise subordinate certification authority (CA) that can issue certificates based on version 3 certificate templates. You must achieve this goal by using the minimum amount of administrative effort. What should you do first?
A. Upgrade the member server to Windows Server 2008 R2 Enterprise.
B. Remove the member server from the domain.
C. Run certutil.exe -addenrollmentserver.
D. Install the Active Directory Certificate Services (AD CS) role on the member server.

Answer: A
Section: Maintaining the AD Environment

Explanation/Reference:
It appears there is a problem with this question. If the server was running Windows Server 2008 (not R2), the answer would be correct.
Version 3 certificate templates
In addition to version 2 template features and autoenrollment, version 3 certificate templates provide support for Suite B cryptographic algorithms. Suite B was created by the U.S. National Security Agency to specify cryptographic algorithms that must be used by U.S. government agencies to secure confidential information.
Template availability:
* Windows Server 2008 R2, all editions
* Windows Server 2008, Enterprise and Datacenter editions

QUESTION 10
Your network contains an Active Directory domain. You create and mount an Active Directory snapshot. You run the following command on the domain controller:
Dsamain.exe -dbpath C:\Windows\NTDS\ntds.dit -ldapport 54321 -allowNonAdminAccess
The command fails, as shown in the exhibit. (Click the Exhibit button.) You need to ensure that you can browse the contents of the Active Directory snapshot. What should you do?

Exhibit:

A. Change the value of the ldapport parameter, and then rerun Dsamain.exe.
B. Stop Active Directory Domain Services (AD DS), and then rerun Dsamain.exe.
C. Restart the Volume Shadow Copy Service (VSS), and then rerun Dsamain.exe.
D. Change the value of the dbpath parameter, and then rerun Dsamain.exe.

Answer: D
Section: Powershell & Command line cmds
Explanation/Reference:
NOTE: The complete command that you will see in the exhibit (in the exam) is:
dsamain.exe -dbpath C:\Windows\NTDS\ntds.dit -ldapport 54321 -allowNonAdminAccess
Now take a look at the procedure:
1. To create a snapshot of the Active Directory database, use ntdsutil snapshot.
2. To mount (make active) a database snapshot, use ntdsutil mount. You can mount multiple snapshots.
3. Run the dsamain.exe command to expose a snapshot as an LDAP server. This step allows you to connect to and view the snapshot. With dsamain.exe, you specify the path to the snapshot, along with a port number that will be used to connect to the snapshot. But in the exhibit, the path is the real Active Directory database path, not the snapshot path.
4. Finally, run the Ldp tool or Active Directory Users and Computers using the specified port to view the snapshot data.
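The full snapshot procedure from the note above, as an added example that is not code from the original page: it runs from an elevated PowerShell session on the domain controller, reads the snapshot GUID and mount point from ntdsutil's own output, and points dsamain at the snapshot copy of ntds.dit rather than at the live database (the mistake in the exhibit). Port 54321 is the page's value; the mount-point path format is the one ntdsutil prints, and the search of the default naming context is illustrative.

```powershell
# Added example (not from the original page). Requires an elevated session on a
# domain controller and the ntdsutil / dsamain tools that ship with AD DS.
$ldapPort = 54321

# 1. Create a snapshot of the AD DS database (ntdsutil uses VSS under the hood).
#    ntdsutil prints "Snapshot set {GUID} generated successfully."
$createOutput = ntdsutil 'activate instance ntds' snapshot create quit quit
$snapshotGuid = [regex]::Match(($createOutput -join "`n"), '\{[0-9A-Fa-f-]+\}').Value
if (-not $snapshotGuid) { throw "ntdsutil did not report a snapshot GUID:`n$($createOutput -join "`n")" }

# 2. Mount the snapshot. ntdsutil prints "Snapshot {GUID} mounted as C:\$SNAP_<timestamp>_VOLUMEC$\".
$mountOutput = ntdsutil snapshot "mount $snapshotGuid" quit quit
$mountPoint  = [regex]::Match(($mountOutput -join "`n"), 'mounted as (\S+)').Groups[1].Value
if (-not $mountPoint) { throw "Snapshot $snapshotGuid was not mounted:`n$($mountOutput -join "`n")" }

# 3. The snapshot mirrors the whole volume, so the database sits at the same relative
#    path as the live copy. This is the path -dbpath must receive, not C:\Windows\NTDS\ntds.dit.
$snapshotDit = Join-Path $mountPoint 'Windows\NTDS\ntds.dit'
if (-not (Test-Path $snapshotDit)) { throw "No ntds.dit found under $mountPoint" }

# 4. Expose the snapshot as a standalone LDAP server on the chosen port. dsamain blocks
#    until it is stopped, so start it as a separate process. -allowNonAdminAccess lets
#    non-administrators query it; omit it if only administrators should read the snapshot.
$dsamain = Start-Process -FilePath dsamain.exe -PassThru -ArgumentList @(
    "-dbpath `"$snapshotDit`"", "-ldapport $ldapPort", '-allowNonAdminAccess')
Start-Sleep -Seconds 5

# 5. Browse the snapshot over plain LDAP. The Active Directory PowerShell module cannot
#    be used here because it talks to ADWS (port 9389), so use ADSI directly, as Ldp.exe would.
$rootDse       = [ADSI]"LDAP://localhost:$ldapPort/RootDSE"
$namingContext = $rootDse.defaultNamingContext.Value          # e.g. DC=contoso,DC=com
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://localhost:$ldapPort/$namingContext")
$searcher.Filter = '(objectClass=organizationalUnit)'
$searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }

# 6. Clean up: stop dsamain, then unmount. A mounted snapshot is a full copy of the
#    directory, password hashes included, so do not leave it mounted longer than needed.
Stop-Process -Id $dsamain.Id
ntdsutil snapshot "unmount $snapshotGuid" quit quit | Out-Null
```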

QUESTION 11
Your network contains an Active Directory domain named contoso.com. You need to audit changes to a service account. Which security policy setting should you configure?
A. Audit Sensitive Privilege Use.
B. Audit Directory Service Changes.
C. Audit User Account Management.
D. Audit account management events.

Answer: C
Section: Maintaining the AD Environment
Explanation/Reference:
Audit User Account Management
This security policy setting determines whether the operating system generates audit events when the following user account management tasks are performed:
* A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked.
* A user account password is set or changed.
* Security identifier (SID) history is added to a user account.
* The Directory Services Restore Mode password is set.
* Permissions on accounts that are members of administrators groups are changed.
* Credential Manager credentials are backed up or restored.
This policy setting is essential for tracking events that involve provisioning and managing user accounts.

http://technet.microsoft.com/en-us/library/dd772693(v=WS.10).aspx

QUESTION 12
Your network contains an Active Directory domain named contoso.com. The administrator accidentally deletes an OU named OU1. You need to restore OU1. Which cmdlet should you use?
A. Set-ADObject cmdlet
B. Set-ADOrganizationalUnit cmdlet
C. Set-ADUser cmdlet
D. Set-ADGroup cmdlet

Answer: A
Section: Powershell & Command line cmds
Explanation/Reference:
Set-ADObject: Modifies an Active Directory object.
http://technet.microsoft.com/en-us/library/ee617254.aspx
Restore-ADObject: Restores an Active Directory object.
http://technet.microsoft.com/en-us/library/ee617262.aspx
But you can use Get-ADObject with Restore-ADObject:
Get-ADObject -Filter 'samaccountname -eq "kimabercrombie"' -IncludeDeletedObjects | Restore-ADObject
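Restoring the deleted OU1 together with the objects it contained, as an added example that is not code from the original page: it assumes the Active Directory Recycle Bin is enabled (forest functional level Windows Server 2008 R2), and the helper names are my own. Without the Recycle Bin, deleted objects are tombstones that have lost most attributes, and Restore-ADObject cannot bring them back intact.

```powershell
# Added example (not from the original page): restore OU1 and its former contents.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters that have meaning inside an LDAP filter (RFC 4515) so a
    # DN such as "OU=R&D (x),DC=contoso,DC=com" cannot break or widen the query.
    param([string]$Value)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Restore-DeletedChildren {
    # Restore every deleted object whose lastKnownParent is $ParentDn, then recurse into
    # each restored object so nested OUs come back before their own contents. A child can
    # only be restored after its parent exists again, so this order is required.
    param([Parameter(Mandatory = $true)][string]$ParentDn)

    $escaped  = ConvertTo-LdapFilterValue $ParentDn
    $children = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$escaped))" `
                             -IncludeDeletedObjects
    if ($children) {
        foreach ($child in $children) {
            Restore-ADObject -Identity $child.ObjectGUID
            # Re-read the object: once restored it regains its original DN.
            $restored = Get-ADObject -Identity $child.ObjectGUID
            Write-Host ("Restored {0} {1}" -f $child.ObjectClass, $restored.DistinguishedName)
            Restore-DeletedChildren -ParentDn $restored.DistinguishedName
        }
    }
}

# Deleted objects have their Name mangled to "OU1\0ADEL:<guid>", so match the original
# relative name through msDS-LastKnownRDN instead of Name.
$deletedOu = @(Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=OU1))' `
                            -IncludeDeletedObjects -Properties lastKnownParent)
if ($deletedOu.Count -eq 0) { throw 'No deleted OU named OU1 was found in the Deleted Objects container.' }
if ($deletedOu.Count -gt 1) {
    $deletedOu | ForEach-Object { Write-Host "$($_.ObjectGUID) was under $($_.lastKnownParent)" }
    throw 'Several deleted OUs are named OU1; restore the right one by ObjectGUID.'
}

# Restore the container first (add -WhatIf to preview), then its former contents.
Restore-ADObject -Identity $deletedOu[0].ObjectGUID
$restoredOu = Get-ADObject -Identity $deletedOu[0].ObjectGUID
Restore-DeletedChildren -ParentDn $restoredOu.DistinguishedName
```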

QUESTION 13
Your network contains an Active Directory domain. You have five organizational units (OUs) named Finance, HR, Marketing, Sales and Dev. You link a Group Policy object named GPO1 to the domain, as shown in the exhibit. You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing and Sales OUs. The solution must prevent GPO1 from being applied to users in the Dev OU. What should you do?
Exhibit:

A. Link GPO1 to the Finance OU.
B. Modify the security settings of the Finance OU.
C. Enforce GPO1.
D. Modify the security settings of the Dev OU.

Answer: A
Section: Configuring Group Policy
Explanation/Reference:

The idea here is that the "!" icon on the Finance OU is letting us know that inheritance of GPO1 is blocked. You would need to either remove the block (which makes more sense than the answer in this question) or establish a specific link to the policy to accomplish the goal of the question.

Let's tackle Block Inheritance first. We've seen that, from a directory tree perspective, down the tree to the target objects, all GPOs are applied and settings configured there are cumulated; where settings contradict, the last writers win. There may be situations where you don't want that. That's what Block Inheritance is for. For example, we don't want the IT-OU to apply domain-level GPOs. We right-click the IT-OU in GPMC and choose Block Inheritance from the context menu. Voilà! You see a blue exclamation mark on the OU icon. From now on, IT objects won't be bugged with domain-level GPOs. GPOs from levels higher than IT-OU will simply be ignored. Even GPOs from the same level, such as OULevel2-GPO, will. We've cut up-level administrators off.

http://blogs.technet.com/b/grouppolicy/archive/2010/01/07/tales-from-the-communityenforced-vs-block-inheritance.aspx

Exam N
QUESTION 1
Your network contains an Active Directory domain. All DNS servers are domain controllers. You view the properties of the DNS zone as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that only domain members can register DNS records in the zone. What should you do first?
Exhibit:

A. Modify the zone type.
B. Create a trust anchor.
C. Modify the advanced properties of the DNS server.
D. Modify the dynamic updates setting.

Answer: A
Section: Cooper Exam D
Explanation/Reference:
Secure dynamic updates
For Windows Server 2008, DNS update security is available only for zones that are integrated into Active Directory. After you integrate a zone, you can use the access control list (ACL) editing features that are available in the DNS snap-in to add or to remove users or groups from the ACL for a specific zone or for a resource record.
By default, dynamic update security for Windows Server 2008-based DNS servers and clients is handled in the following manner:
1. Windows Server 2008-based DNS clients try to use nonsecure dynamic updates first. If the nonsecure update is refused, clients try to use a secure update. Also, clients use a default update policy that lets them try to overwrite a previously registered resource record, unless they are specifically blocked by update security.
2. By default, after a zone becomes Active Directory-integrated, Windows Server 2008-based DNS servers enable only secure dynamic updates.
By default, when you use standard zone storage, the DNS Server service does not enable dynamic updates on its zones. For zones that are either directory-integrated or use standard file-based storage, you can change the zone to enable all dynamic updates. This enables all updates to be accepted by bypassing the use of secure updates.

QUESTION 2
Your company has a single Active Directory forest with a single domain. Consultants in different departments of the company need access to different network resources. The consultants belong to a global group named TempWorkers. Three file servers are placed in a new organizational unit named SecureServers. The file servers contain confidential data in shared folders. You need to prevent the consultants from accessing the confidential data. What should you do?
A. Create a Group Policy object (GPO) and link it to the SecureServers organizational unit. Assign the Deny access to this computer from the network user right to the TempWorkers global group.
B. Create a Group Policy object (GPO) and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers global group.
C. On the three file servers, create a share on the root of each hard disk. Configure the Deny Full Control permission for the TempWorkers global group on the share.
D. Create a Group Policy object (GPO) and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group.
E. Create a Group Policy object (GPO) and link it to the SecureServers organizational unit. Assign the Deny log on locally user right to the TempWorkers global group.
Answer: A
Section: Cooper Exam D
Explanation/Reference:
You would want to do this at the OU level using a GPO rather than at the domain level.

QUESTION 3
Your network contains two Active Directory forests named contoso.com and nwtraders.com. The functional level of both forests is Windows Server 2003. Contoso.com contains one domain. Nwtraders.com contains two domains. You need to ensure that users in contoso.com can access the resources in all domains. The solution must require the minimum number of trust relationships. Which type of trust should you create?
A. external
B. forest
C. realm
D. shortcut

Answer: B
Section: Cooper Exam D
Explanation/Reference:
Explanation: Well, the right answer for this question is B.

A is wrong because we need to create a trust through which contoso.com domain users can access all the resources, and an external trust does not provide transitivity. C is wrong because we do not have to establish a trust between a non-Windows Kerberos V5 realm and a Windows Server 2008 domain. D is wrong because shortcut trusts are used within a forest to speed up inter-domain authentication.

Trust Types
You can use the New Trust Wizard or the Netdom command-line tool to create four types of trusts: external trusts, realm trusts, forest trusts, and shortcut trusts. The following table describes these trust types.
External (transitivity: nontransitive; direction: one-way or two-way): Use external trusts to provide access to resources that are located on a Windows NT 4.0 domain or a domain that is located in a separate forest that is not joined by a forest trust. For more information, see Understanding When to Create an External Trust.
Realm (transitivity: transitive or nontransitive; direction: one-way or two-way): Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2008 or a Windows Server 2008 R2 domain. For more information, see Understanding When to Create a Realm Trust.
Forest (transitivity: transitive; direction: one-way or two-way): Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests that are made in either forest can reach the other forest. For more information, see Understanding When to Create a Forest Trust.
Shortcut (transitivity: transitive; direction: one-way or two-way): Use shortcut trusts to improve user logon times between two domains within a Windows Server 2008 or a Windows Server 2008 R2 forest. This is useful when two domains are separated by two domain trees. For more information, see Understanding When to Create a Shortcut Trust.
When you create external trusts, shortcut trusts, realm trusts, or forest trusts, you have the option to create each side of the trust separately or both sides of a trust simultaneously. If you choose to create each side of the trust separately, you must run the New Trust Wizard twice, once for each domain. When you create trusts using this method, you must supply the same trust password for each domain. As a security best practice, all trust passwords should be strong passwords. For more information, see Strong passwords (http://go.microsoft.com/fwlink/?LinkId=92697).
If you choose to create both sides of the trust simultaneously, you run the New Trust Wizard once. When you choose this option, a strong trust password is automatically generated for you. You must have the appropriate administrative credentials for the domains between which you are creating the trust.
http://technet.microsoft.com/en-us/library/cc730798.aspx

QUESTION 4
You install an Active Directory domain in a test environment. You need to reset the passwords of all user accounts in the domain from a domain controller. Which two Windows PowerShell commands should you run? (Each correct answer presents part of the solution. Choose two.)
A. $newPassword = *
B. Import-Module ActiveDirectory
C. Import-Module WebAdministration
D. Get-ADUser -Filter * | Set-ADAccountPassword -NewPassword $newPassword -Reset
E. Set-ADAccountPassword -NewPassword -Reset
F. $newPassword = (Read-Host -Prompt "New Password" -AsSecureString)

G. Import-Module ServerManager
Answer: DF
Section: Cooper Exam D
Explanation/Reference:
Explanation:
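The two correct answers (F, then D) assembled into the complete procedure for the test domain in the question, as an added example that is not code from the original page: the function name and the exclusion list are my own additions, and the built-in krbtgt and Guest accounts are skipped because resetting krbtgt invalidates every Kerberos ticket in the domain.

```powershell
# Added example (not from the original page): reset every user password in a test
# domain, excluding built-in accounts, and force a change at next logon.
Import-Module ActiveDirectory

function Reset-AllUserPasswords {
    param(
        [Parameter(Mandatory = $true)][System.Security.SecureString]$NewPassword,
        [string[]]$Exclude = @('krbtgt', 'Guest'),   # assumption: accounts to leave alone
        [switch]$WhatIf
    )
    # -Filter * enumerates every user object, built-in accounts included.
    $users = Get-ADUser -Filter * | Where-Object { $Exclude -notcontains $_.SamAccountName }
    foreach ($user in $users) {
        # -Reset sets the password without knowing the old one (an administrative reset),
        # which is why the caller needs the "Reset password" right on each account.
        Set-ADAccountPassword -Identity $user -NewPassword $NewPassword -Reset -WhatIf:$WhatIf
        # Do not leave everyone sharing one known password: require a change at next logon.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -WhatIf:$WhatIf
    }
    return @($users).Count
}

# Read the password without echoing it and without holding it as plain text.
$newPassword = Read-Host -Prompt 'New Password' -AsSecureString
$count = Reset-AllUserPasswords -NewPassword $newPassword
Write-Host "Reset passwords for $count user accounts."
```

Run it once with -WhatIf on the function to see which accounts would be touched before committing.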

QUESTION 5
Your network contains two forests named adatum.com and litwareinc.com. The functional level of all domains is Windows Server 2003. The functional level of both forests is Windows 2000. You need to create a forest trust between adatum.com and litwareinc.com. What should you do first?
A. Create an external trust.
B. Raise the functional level of both forests.
C. Configure SID filtering.
D. Raise the functional level of all domains.

Answer: B
Section: Cooper Exam D
Explanation/Reference:
Explanation: Forest trusts can be established when the forest and domain functional levels are set to Windows Server 2003.

QUESTION 6
Your network contains an Active Directory forest named adatum.com. All client computers used by the marketing department are in an organizational unit (OU) named Marketing Computers. All user accounts for the marketing department are in an OU named Marketing Users. You purchase a new application. You need to ensure that every user in the domain who logs on to a marketing department computer can use the application. The application must be available only from the marketing department computers. What should you do?
A. Create and link a Group Policy object (GPO) to the Marketing Users organizational unit. Copy the installation package to a shared folder on the network. Assign the application.
B. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation package to a shared folder on the network. Assign the application.
C. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation package to a local drive on each marketing department computer. Publish the application.
D. Create and link a Group Policy object (GPO) to the Marketing Users organizational unit. Copy the installation package to a folder on each marketing department computer. Publish the application.
Answer: B
Section: Cooper Exam D
Explanation/Reference:
Explanation: This has to be done with a GPO assigned to the Marketing Computers OU. The GPO must point to a shared location where the users/computers have permissions.

QUESTION 7
Your network contains an Active Directory forest named adatum.com. You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster. What should you install before you create the AD RMS root cluster?
A. The Failover Clustering feature
B. The Active Directory Certificate Services (AD CS) role
C. Microsoft Exchange Server 2010
D. Microsoft SharePoint Server 2010
E. Microsoft SQL Server 2008

Answer: E
Section: Cooper Exam D
Explanation/Reference:

Deploying an AD RMS Licensing-only Cluster in a Test Environment
We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server features without additional deployment documentation and should be used with discretion as a stand-alone document.
Upon completion of this step-by-step guide, you will have a working AD RMS infrastructure with an AD RMS licensing-only cluster. You can then test and verify AD RMS functionality as follows:
* Restrict permissions on a Microsoft Office Word 2007 document.
* Have an authorized user open and work with the document.
* Have an unauthorized user attempt to open and work with the document.
Licensing-only clusters are optional and are most often deployed to address specific licensing requirements, such as supporting unique rights management requirements of a department. For instance, a group within your organization may require specific rights policy templates that no other department can access.
The test environment described in this guide includes six computers connected to a private network and using the following operating systems, applications, and services:
Computer name: ADRMS-SRV. Operating system: Windows Server 2008. Applications and services: AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, and Message Queuing.
Computer name: CPANDL-DC. Operating system: Windows Server 2008 or Windows Server 2003 with Service Pack 2 (SP2). Applications and services: Active Directory Domain Services or Active Directory, Domain Name System (DNS).
Computer name: ADRMS-DB. Operating system: Windows Server 2003 with SP2. Applications and services: Microsoft SQL Server 2005 Standard Edition with Service Pack 2 (SP2).
Computer name: ADRMS-CLNT. Operating system: Windows Vista. Applications and services: Microsoft Office Word 2007 Enterprise Edition.
Computer name: CPANDL-ADRMS-LIC. Operating system: Windows Server 2008. Applications and services: AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, and Message Queuing.
Computer name: CPANDL-LICDB. Operating system: Windows Server 2003 with SP2. Applications and services: Microsoft SQL Server 2005 Standard Edition with Service Pack 2 (SP2).

QUESTION 8
Your network contains an Active Directory domain named contoso.com. The contoso.com domain contains a domain controller named DC1. You create an Active Directory-integrated GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record is server2.contoso.com. When you run ping Server1, you discover that the name fails to resolve. You are able to ping server2.contoso.com. You need to ensure that you can resolve names by using the GlobalNames zone. Which command should you run?
A. Dnscmd DC1.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /domain
B. Dnscmd DC1.contoso.com /config /Enableglobalnamessupport forest
C. Dnscmd DC1.contoso.com /config /Enableglobalnamessupport 1
D. Dnscmd DC1.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /forest

Answer: C
Section: Cooper Exam D
Explanation/Reference:
Deploying a GlobalNames zone
The specific steps for deploying a GlobalNames zone can vary somewhat, depending on the AD DS topology of your network.
Step 1: Create the GlobalNames zone
The first step in deploying a GlobalNames zone is to create the zone on a DNS server that is a domain controller running Windows Server 2008. The GlobalNames zone is not a special zone type; rather, it is simply an AD DS-integrated forward lookup zone that is called GlobalNames. For information about creating a primary forward lookup zone, see Add a Forward Lookup Zone.
Step 2: Enable GlobalNames zone support
The GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitly enabled by using the following command on every authoritative DNS server in the forest:
dnscmd <ServerName> /config /enableglobalnamessupport 1

QUESTION 9
Your network contains an Active Directory domain named contoso.com. The network has a branch office site that contains a read-only domain controller (RODC) named RODC1. RODC1 runs Windows Server 2008 R2. A user logs on to a computer in the branch office site.

You discover that the user's password is not stored on RODC1. You need to ensure that the user's password is stored on RODC1 when he logs on to a branch office computer. What should you do?
A. Modify the RODC's password replication policy by removing the entry for the Allowed RODC Password Replication Group.
B. Modify the RODC's password replication policy by adding the RODC1 computer account to the list of allowed users, groups and computers.
C. Add the user's user account to the built-in Allowed RODC Password Replication Group on RODC1.
D. Add the RODC1 computer account to the built-in Allowed RODC Password Replication Group on RODC1.
Answer: C
Section: Cooper Exam D
Explanation/Reference:
To cache a user password on the RODC server, the user must be on the Allowed list.

QUESTION 10
You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named Server1. You need to configure Windows Firewall on Server1 to allow external users to authenticate by using AD FS. Which protocol should you allow on Server1?
A. Kerberos
B. SSL
C. SMB
D. RPC

Answer: B
Section: Cooper Exam D
Explanation/Reference:
Uses port 443.

QUESTION 11
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 R2 Standard. You need to create an enterprise subordinate certification authority (CA) that can issue certificates based on version 3 certificate templates. You must achieve this goal by using the minimum amount of administrative effort. What should you do first?
A. Run the certutil.exe -addenrollmentserver command.
B. Install the Active Directory Certificate Services (AD CS) role on the member server.
C. Upgrade the member server to Windows Server 2008 R2 Enterprise.
D. Run the certutil.exe -installdefaulttemplates command.

Answer: C
Section: Cooper Exam D
Explanation/Reference:
Duplicate: The server must run Windows Server 2008 Enterprise or Datacenter, or any edition of Windows Server 2008 R2.

QUESTION 12
Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1. An administrator changes the password of the user account that is used by AD RMS. You need to update AD RMS to use the new password. Which console should you use?
A. Active Directory Rights Management Services
B. Active Directory Users and Computers
C. Local Users and Groups
D. Services

Answer: A
Section: Cooper Exam D
Explanation/Reference:
Duplicate

QUESTION 13
Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com. The ad.contoso.com domain contains a domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone. You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You need to ensure that the DNS service can update records and resolve DNS queries in the event that the WAN link fails. What should you do?
A. Create a new secondary zone named ad.contoso.com on DC2.
B. Create a new stub zone named ad.contoso.com on DC2.
C. Configure the DNS server on DC2 to forward requests to DC1.
D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

Answer: D
Section: Cooper Exam D
Explanation/Reference:
Duplicate. If you want to update records in the branch office as well, this needs to be an AD-integrated zone.

QUESTION 14
Your network contains a certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypting File System (EFS) certificates. You need to archive the private key for all new EFS certificates. Which snap-in should you use?
A. Active Directory Users and Computers
B. Authorization Manager
C. Group Policy Management
D. Enterprise PKI
E. Security Templates
F. TPM Management
G. Certificates
H. Certification Authority
I. Certificate Templates

Answer: H
Section: Cooper Exam D
Explanation/Reference:
Enable Key Archival for a CA
Applies To: Windows Server 2008 R2
Before a key recovery agent can use a key recovery certificate, the key recovery agent must have enrolled for the key recovery certificate and be registered as the recovery agent for the certification authority (CA). You must be a CA administrator to complete this procedure. For more information, see Implement Role-Based Administration.
To enable key archival for a CA
1. Open the Certification Authority snap-in.

QUESTION 15
HOTSPOT
Your network contains an Active Directory domain named contoso.com. You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs). To which node in the DNS snap-in should you add a zone? To answer, select the appropriate node in the answer area.

Answer:

Section: Cooper Exam D
Explanation/Reference:
IP address to FQDN resolution requires a reverse lookup zone.

QUESTION 16
HOTSPOT
Your network contains an Active Directory forest. The DNS infrastructure fails. You rebuild the DNS infrastructure. You need to force the registration of the Active Directory service locator (SRV) records in DNS. Which service should you restart on the domain controllers? To answer, select the appropriate service in the answer area.

Answer:

Section: Cooper Exam D
Explanation/Reference:
The Netlogon service would be involved with this.

QUESTION 17
HOTSPOT
Your network contains an Active Directory forest named contoso.com. The forest's password policy requires that the passwords for all user accounts be changed every 30 days. You need to create user accounts that will be used by services. The passwords for these accounts must be changed automatically every 30 days. Which tool should you use to create these accounts? To answer, select the appropriate tool in the answer area.

Answer:

Section: Cooper Exam D
Explanation/Reference:
Creating a Managed Service Account
Applies To: Windows Server 2008 R2
This topic explains how to use the Active Directory module for Windows PowerShell to create a managed service account. Managed service accounts are used to run various services for applications that are operating in your domain environment.
Example 1
The following example demonstrates how to create a service account, SQL-SRV1, in the container Managed Service Accounts in the Fabrikam.com domain:
New-ADServiceAccount -Name SQL-SRV1 -Path "CN=Managed Service Accounts,DC=FABRIKAM,DC=COM"

QUESTION 18
HOTSPOT
You need to modify the Password Replication Policy of a read-only domain controller (RODC). Which tool should you use? To answer, select the appropriate tool in the answer area.

Answer:

Section: Cooper Exam D
Explanation/Reference:
To view the PRP using Active Directory Users and Computers
1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.
2. Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain.
3. Expand Domain Controllers, right-click the RODC account object for which you want to modify the PRP, and then click Properties.
4. Click the Password Replication Policy tab.

QUESTION 19
Drag and drop
The network contains an Active Directory forest named adatum.com. The forest contains four child domains named europe.adatum.com, northamerica.adatum.com, asia.adatum.com, and africa.adatum.com. You need to create four new groups in the forest root domain. The groups must be configured as shown in the following table.

What should you do? To answer, drag the appropriate group type to the correct group name in the answer area.

Answer:

Section: Cooper Exam D Explanation/Reference:

Group scope: Universal
  Can include as members: accounts from any domain within the forest in which this universal group resides; global groups from any domain within the forest in which this universal group resides; universal groups from any domain within the forest in which this universal group resides.
  Can be assigned permissions in: any domain or forest.
  Scope can be converted to: Domain local; Global (as long as no other universal groups exist as members).

Group scope: Global
  Can include as members: accounts from the same domain as the parent global group; global groups from the same domain as the parent global group.
  Can be assigned permissions in: member permissions can be assigned in any domain.
  Scope can be converted to: Universal (as long as it is not a member of any other global groups).

Group scope: Domain local
  Can include as members: accounts from any domain; global groups from any domain; universal groups from any domain; domain local groups, but only from the same domain as the parent domain local group.
  Can be assigned permissions in: member permissions can be assigned only within the same domain as the parent domain local group.
  Scope can be converted to: Universal (as long as no other domain local groups exist as members).

QUESTION 20
HOTSPOT
Your network contains an Active Directory domain. You need to create a new site link between two sites named Site1 and Site3. The site link must support the replication of domain objects. At which node in Active Directory Sites and Services should you create the site link? To answer, select the appropriate node in the answer area.

Answer:

Section: Cooper Exam D
Explanation/Reference: To create a site link:
1. Open Active Directory Sites and Services. To open Active Directory Sites and Services, click Start, click Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, right-click the intersite transport protocol that you want the site link to use. Where? Active Directory Sites and Services\Sites\Inter-Site Transports\IP or SMTP.
3. Click New Site Link.
4. In Name, type the name for the site link.
5. In Sites not in this site link, click a site to add to the site link, and then click Add. Repeat to add more sites to the site link. To remove a site from the site link, in Sites in this link, click the site, and then click Remove.
6. When you have added the sites that you want to be connected by this site link, click OK.

QUESTION 21
Drag and drop
The network contains an Active Directory forest named contoso.com. The forest contains a domain controller named DC1 that runs Windows Server 2008 R2 Enterprise and a member server named Server1 that runs Windows Server 2008 R2 Standard. You have a computer named Computer1 that runs Windows 7. Computer1 is not connected to the network. You need to join Computer1 to the contoso.com domain. What should you do? To answer, move the appropriate actions from the list of possible actions to the required actions area and arrange them in the correct order.

Answer:

Section: Cooper Exam D
Explanation/Reference: Performing an offline domain join using different physical computers. To perform an offline domain join using physical computers, you can complete the following steps. The best practice in this case is to have one domain controller, one domain-joined computer to use as a provisioning server, and one client computer that you want to join to the domain.
1. On the provisioning server, open an elevated command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. Type the following command to provision the computer account:
djoin /provision /domain <domain to be joined> /machine <name of the destination computer> /savefile blob.txt
3. Copy the blob.txt file to the client computer.
4. On the client computer, open an elevated command prompt, and then type the following command to request the domain join:
djoin /requestODJ /loadfile blob.txt /windowspath %SystemRoot% /localos

QUESTION 22
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named Server1. Server1 has an IP address of 192.168.200.100. You need to view the pointer (PTR) record for Server1. Which zone should you open in the DNS snap-in to view the record? To answer, select the appropriate zone in the answer area.

Answer:

Section: Cooper Exam D
Explanation/Reference: The corresponding in-addr.arpa zone would be 200.168.192.in-addr.arpa, assuming a default /24 subnet.

Exam O
QUESTION 1
Your network contains an Active Directory domain. You need to back up all Group Policy objects (GPOs), Group Policy permissions, and Group Policy links for the domain. What should you do?
A. From the Group Policy Management Console (GPMC), back up the GPOs.
B. From Windows Explorer, copy the contents of %systemroot%\SYSVOL.
C. From Windows Server Backup, perform a system state backup.
D. From Windows PowerShell, run the Backup-GPO cmdlet.

Answer: C
Section: Cooper Exam D
Explanation/Reference: There is quite a bit of discussion regarding this question. It seems A is incorrect, as that backup does not include the links. Many think D is correct, but others do not think this backup would have any more information than the GPMC backup. One blog entry I found holds that only the system state backup would include all of the required parameters.

QUESTION 2
Your network contains a domain controller that runs Windows Server 2008 R2. You need to reset the Directory Services Restore Mode (DSRM) password on the domain controller. Which tool should you use?
A. Ntdsutil
B. Dsamain
C. Active Directory Users and Computers
D. Local Users and Groups

Answer: A
Section: Cooper Exam D
Explanation/Reference: set DSRM password. Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008. Resets the Directory Services Restore Mode (DSRM) password on a domain controller. At the Reset DSRM Administrator Password: prompt, type any of the parameters listed under Syntax. This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsmgmt is available if you have the AD LDS server role installed.
Reset Password on server %s
http://technet.microsoft.com/en-us/library/cc754363(v=WS.10).aspx

QUESTION 3
The network contains an Active Directory forest. All client computers run Windows 7. The network contains a high-volume certification authority (CA). You need to minimize the amount of network bandwidth required to validate a certificate. What should you do?
A. Configure an LDAP publishing point for the certificate revocation list (CRL).
B. Configure an Online Certificate Status Protocol (OCSP) responder.
C. Modify the delta certificate revocation list (CRL) settings.
D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).

Answer: B
Section: Cooper Exam D
Explanation/Reference: Duplicate. An OCSP responder does this.

QUESTION 4
Your network contains an Active Directory domain. You have five organizational units (OUs) named Finance, HR, Marketing, Sales, and Dev. You link a Group Policy object named GPO1 to the domain as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs. The solution must prevent GPO1 from being applied to users in the Dev OU. What should you do?
A. Enforce GPO1.
B. Modify the security settings of the Dev OU.
C. Link GPO1 to the Finance OU.
D. Modify the security settings of the Finance OU.

Answer: C
Section: Cooper Exam D
Explanation/Reference: Duplicate. The idea here is that the ! icon on the Finance OU tells us that inheritance of GPO1 is blocked. You would need either to remove the block (which makes more sense than the answer to this question) or to establish a specific link to the policy to accomplish the goal of the question.

Let's tackle Block Inheritance first. We've seen that, from a directory tree perspective, down the tree to the target objects, all GPOs are applied and settings configured there are cumulated; where settings contradict, the last writer wins. There may be situations you don't want that. That's what Block Inheritance is for. For example, we don't want the IT-OU to apply domain-level GPOs. We right-click the IT-OU in GPMC and choose Block Inheritance from the context menu. Voilà! You see a blue exclamation mark on the OU icon. From now on, IT objects won't be bugged with domain-level GPOs. GPOs from levels higher than IT-OU will simply be ignored. Even GPOs from the same level, such as OULevel2-GPO, will. We've cut up-level administrators off.

http://blogs.technet.com/b/grouppolicy/archive/2010/01/07/tales-from-the-communityenforced-vs-block-inheritance.aspx
QUESTION 5
Your network contains an Active Directory domain. The domain contains an organizational unit (OU) named OU1. OU1 contains all of the managed service accounts in the domain. You need to prevent the managed service accounts from being accidentally deleted from OU1. Which cmdlet should you use?
A. Set-ADUser
B. Set-ADOrganizationalUnit
C. Set-ADServiceAccount
D. Set-ADObject

Answer: D
Section: Cooper Exam D
Explanation/Reference: Set-ADObject modifies an Active Directory object.
Syntax:
Set-ADObject [-Identity] <ADObject> [-Add <hashtable>] [-Clear <string[]>] [-Description <string>] [-DisplayName <string>] [-ProtectedFromAccidentalDeletion <System.Nullable[bool]>] [-Remove <hashtable>] [-Replace <hashtable>] [-AuthType {<Negotiate> | <Basic>}] [-Credential <PSCredential>] [-Partition <string>] [-PassThru <switch>] [-Server <string>] [-Confirm] [-WhatIf] [<CommonParameters>]
The relevant parameter is -ProtectedFromAccidentalDeletion.

QUESTION 6
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writable domain controller named DC1 and a read-only domain controller (RODC) named DC2. All domain controllers run Windows Server 2008 R2. You need to install a new writable domain controller named DC3 in a remote site. The solution must minimize the amount of replication traffic that occurs during the installation of Active Directory Domain Services (AD DS) on DC3. What should you do first?
A. Run dcpromo.exe /createdcaccount on DC3.
B. Run ntdsutil.exe on DC2.
C. Run dcpromo.exe /adv on DC3.
D. Run ntdsutil.exe on DC1.

Answer: C
Section: Cooper Exam D
Explanation/Reference: Active Directory Installation Wizard. You can run the Active Directory Installation Wizard from the command line, or from the Configure Your Server Wizard. You can also install Active Directory using an unattended setup script called an answer file. When running the wizard from the command line, you can append the /adv switch to the dcpromo command to populate the directory using a backup of system state data from another domain controller in the same domain. Installing from backup media reduces the amount of data that must be replicated over the network, thus reducing the time required to install Active Directory.

QUESTION 7
The network contains an Active Directory forest. The forest contains 10 domains. All domain controllers are configured as global catalog servers. You remove the global catalog role from a domain controller named DC5. You need to reclaim the hard disk space used by the global catalog on DC5. What should you do?
A. From Active Directory Sites and Services, run the Knowledge Consistency Checker (KCC).
B. From Active Directory Sites and Services, modify the general properties of DC5.
C. From Ntdsutil, use the semantic database analysis option.
D. From Ntdsutil, use the Files option.

Answer: D
Section: Cooper Exam D
Explanation/Reference: Use the ntdsutil files compact command to perform an offline defragmentation of the Active Directory database.

QUESTION 8
The corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers. You add several DNS records to the zone. You need to ensure that the new records are available on all DNS servers as soon as possible. Which tool should you use?
A. Ldp
B. Repadmin
C. Ntdsutil
D. Nslookup
E. Active Directory Sites And Services console
F. Active Directory Domains And Trusts console
G. Dnslint
H. Dnscmd

Answer: H
Section: Cooper Exam D
Explanation/Reference: http://technet.microsoft.com/en-us/library/cc778513(WS.10).aspx
Dnscmd.exe: DNS Server Troubleshooting Tool. This command-line tool assists administrators in Domain Name System (DNS) management. DNSCmd displays and changes the properties of DNS servers, zones, and resource records. It manually modifies these properties, creates and deletes zones and resource records, and forces replication events between DNS server physical memory and DNS databases and data files. Some operations of this tool work at the DNS server level while others work at the zone level.

QUESTION 9
You have a DNS zone that is stored in a custom application partition. You need to add a domain controller to the replication scope of the custom application partition. Which tool should you use?
A. DNScmd
B. DNS Manager
C. Server Manager
D. Dsmod

Answer: A
Section: Cooper Exam D
Explanation/Reference: To change zone replication scope using the command line:
1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. At a command prompt, type the following command, and then press ENTER:
dnscmd <ServerName> /ZoneChangeDirectoryPartition <ZoneName> <NewPartitionName>

QUESTION 10
Your network contains a server named Server1 that runs Windows Server 2008 R2 Standard. Server1 has the Active Directory Certificate Services (AD CS) role installed. You configure a certificate template for autoenrollment named Template1. You discover that certificates are not being issued to all client computers. The event logs on the client computers do not contain autoenrollment errors. You need to ensure that all client computers automatically receive certificates based on Template1. What should you do?
A. Modify the Default Domain Policy Group Policy object (GPO).
B. Modify the Default Domain Controllers Policy Group Policy object (GPO).
C. Upgrade Server1 to Windows Server 2008 R2 Enterprise.
D. Restart Certificate Services on Server1.

Answer: A
Section: Cooper Exam D
Explanation/Reference: Use the Group Policy Management Console to configure user autoenrollment policy settings, and use the Certificate Templates snap-in to configure autoenrollment settings on the certificate template. To automatically enroll client computers for certificates in a domain environment, you must:
1. Configure an autoenrollment policy for the domain.
2. Configure certificate templates for autoenrollment.
3. Configure an enterprise CA.

QUESTION 11
Your network contains a server that has the Active Directory Lightweight Directory Services (AD LDS) role installed. You need to perform an unattended installation of an AD LDS instance. Which tool should you use?
A. Dism.exe
B. Servermanagercmd.exe
C. Adaminstall.exe
D. Ocsetup.exe

Answer: C
Section: Cooper Exam D
Explanation/Reference: At the command prompt, type the following command, and then press ENTER:
%systemroot%\ADAM\adaminstall.exe /answer:"drive:\<pathname>\<filename>.txt"
Where drive:\<pathname>\<filename>.txt represents the drive, path, and file name of your answer file. (The command requires the quotation marks.)

QUESTION 12
Your network contains an Active Directory domain named contoso.com. A partner company has an Active Directory domain named nwtraders.com. The contoso.com and nwtraders.com networks connect to each other through a WAN link. You need to ensure that users in contoso.com can access resources in nwtraders.com and resources on the Internet. What should you do first?
A. Modify the Trusted Root Certification Authorities store.
B. Modify the Intermediate Certification Authorities store.
C. Create conditional forwarders.
D. Add a root hint to the DNS server.

Answer: C
Section: Cooper Exam D
Explanation/Reference: A conditional forwarder will allow for the resolution of DNS records between the two domains.

QUESTION 13
The network contains an Active Directory forest. The forest contains several domains. You need to ensure that users in the human resources department can search for employees by using the employeeNumber attribute. What should you do?
A. From Active Directory Sites and Services, modify the properties of each global catalog server.
B. From the Active Directory Schema snap-in, modify the properties of the user object class.
C. From Active Directory Sites and Services, modify the NTDS Settings object of each global catalog server.
D. From the Active Directory Schema snap-in, modify the properties of the employeeNumber attribute.

Answer: D
Section: Cooper Exam D
Explanation/Reference: Indexed attributes. Directory searches for attributes that are indexed are more efficient than searches for attributes that are not indexed. Attributes are indexed when the least significant bit in their searchFlags attribute is set to the value 1. Changing the value of the bit to 1 dynamically builds an index; changing the value to 0 or deleting it removes an index for the attribute in question. The index is built automatically by a background thread on the directory server.

The values for indexed attributes are stored in a sorted list. This makes searching much more efficient because the system needs to search only until it locates the area in the list where the value should be, based on the sort. If the value is not there, the system can assume it will not find the value anywhere else in the list, and it can terminate the search. When attributes are not indexed, the entire list must be searched to determine whether or not a particular value actually exists. Indexing requires more storage to maintain the lists, but it makes searching more efficient. Nonindexed attributes are less efficient to search, but they require less storage to maintain. With this in mind, only attributes that are frequently referenced should be indexed.

Ideally, indexed attributes are single-value attributes with unique values that are evenly distributed across the set of instances. Multivalue attributes can be indexed, but building the index requires more storage and updating.

searchFlags: The searchFlags property of each property's attributeSchema object defines whether a property is indexed and other behavior. The seven currently defined bits for this attribute are:
1 = Index over attribute only
2 = Index over container and attribute
4 = Add this attribute to the ambiguous name resolution (ANR) set (should be used in conjunction with 1)
8 = Preserve this attribute on logical deletion (that is, make this attribute available on tombstones)
16 = Include this attribute when copying a user object
32 = Create a Tuple index for the attribute to improve medial searches
64 = Reserved for future use; value should be 0
128 = Available in Windows Server 2003 Service Pack 1 (SP1) only. Mark the attribute confidential (CONTROL_ACCESS is required to read it)
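As an added example (not part of the original question set), the bit table above turned into a small decoder: it reports which flags a searchFlags value carries, whether the attribute is indexed (the least significant bit), the value to write to switch the index on or off for an attribute such as employeeNumber, and two consistency checks that follow from the text (ANR without the index bit, reserved bit 64 set). The flag descriptions are paraphrased from the list above; they are not official constant names.

```python
"""Decode and sanity-check an attributeSchema searchFlags bitmask.

Added example for this practice exam; not part of the original question set.
Only the bit meanings listed on the page are encoded, plus the two
consistency rules the text implies: ANR (4) should be combined with the
index bit (1), and bit 64 is reserved and should stay 0.
"""

# Bit value -> meaning, paraphrased from the page's list (not official names).
SEARCH_FLAG_BITS = {
    1: "index over attribute only",
    2: "index over container and attribute",
    4: "member of the ambiguous name resolution (ANR) set",
    8: "preserve on logical deletion (available on tombstones)",
    16: "include when copying a user object",
    32: "tuple index for medial searches",
    64: "reserved (should be 0)",
    128: "confidential (CONTROL_ACCESS required to read)",
}
DOCUMENTED_MASK = sum(SEARCH_FLAG_BITS)  # 0xFF: every bit the page documents


def decode_search_flags(value: int) -> list[str]:
    """Return the meaning of every documented bit set in value, lowest bit first."""
    if value < 0:
        raise ValueError("searchFlags is a non-negative integer bitmask")
    return [desc for bit, desc in sorted(SEARCH_FLAG_BITS.items()) if value & bit]


def is_indexed(value: int) -> bool:
    """The least significant bit decides whether the directory builds an index."""
    return bool(value & 1)


def set_indexed(value: int, indexed: bool = True) -> int:
    """Return the searchFlags to write so the attribute becomes indexed (or not).

    Only bit 1 changes; every other flag is preserved. Writing the result to
    the attributeSchema object is what makes the server build (or drop) the
    index in the background, as described above.
    """
    return value | 1 if indexed else value & ~1


def validate_search_flags(value: int) -> list[str]:
    """Return a list of problems with the mask (empty list means consistent)."""
    problems = []
    if value & 4 and not value & 1:
        problems.append("ANR (4) is set without the attribute index (1)")
    if value & 64:
        problems.append("bit 64 is reserved and should be 0")
    extra = value & ~DOCUMENTED_MASK
    if extra:
        problems.append(f"undocumented bits set: 0x{extra:x}")
    return problems


if __name__ == "__main__":
    # Constructed scenario: an attribute that is currently not indexed
    # (searchFlags 0) and that HR wants to search on, as in the question.
    current = 0
    proposed = set_indexed(current)
    print("indexed before:", is_indexed(current), "after:", is_indexed(proposed))
    print("new searchFlags:", proposed, "->", decode_search_flags(proposed))
    # A mask that asks for ANR without an index is flagged as inconsistent.
    print("problems with searchFlags=4:", validate_search_flags(4))
```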

QUESTION 14
Your network contains a single Active Directory domain. The domain contains a certification authority (CA). You need to ensure that the encryption keys for e-mail certificates can be recovered from the CA database. You modify the e-mail certificate template to support key archival. What should you do next?
A. Issue the key recovery agent certificate template.
B. Run certutil.exe -recoverkey.
C. Run certreq.exe -policy.
D. Modify the location of the Authority Information Access (AIA) distribution point.

Answer: A
Section: Cooper Exam D
Explanation/Reference: Not certutil.exe -recoverkey, as this recovers archived keys, but the e-mail certificate template does not have key archival by default.

QUESTION 15
Your network contains an Active Directory-integrated DNS zone named contoso.com. You discover that the zone includes DNS records for computers that were removed from the network. You need to ensure that the DNS records are automatically deleted from the zone. What should you do?
A. From DNS Manager, set the aging properties.
B. Create a scheduled task that runs dnslint.exe /v /d contoso.com.
C. From DNS Manager, modify the refresh interval of the start of authority (SOA) record.
D. Create a scheduled task that runs ipconfig.exe /flushdns.

Answer: A
Section: Cooper Exam D
Explanation/Reference: To enable the aging and scavenging features, you perform the following steps to configure the applicable server and any of its zones that are integrated with Active Directory Domain Services (AD DS):
1. Enable aging and scavenging for the DNS server. These settings determine the effect of zone-level properties for any zones that are integrated with AD DS and loaded at the server.
2. Enable aging and scavenging for specified zones on the DNS server. When you set zone-level properties for a specified zone, these settings apply only to that zone and its resource records. Unless you otherwise configure these zone-level properties, they inherit their default settings from comparable settings that AD DS maintains in the aging and scavenging properties for the DNS server.

QUESTION 16
Your network contains a domain controller that runs Windows Server 2008 R2. You run the following command on the domain controller:
Dsamain.exe -dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit -ldapport 389 -allowNonAdminAccess
The command fails. You need to ensure that the command completes successfully. How should you modify the command?
A. Change the value of the -dbpath parameter.
B. Include the path to DSAMAIN.
C. Change the value of the -ldapport parameter.
D. Remove the -allowNonAdminAccess parameter.

Answer: C
Section: Cooper Exam D
Explanation/Reference: The -ldapport parameter has to be set to a different value, as 389 is one of the default ports used by AD DS on the DC. Since dsamain.exe exposes Active Directory data that is stored in a snapshot or backup as a Lightweight Directory Access Protocol (LDAP) server, it cannot use a port that is already in use.

QUESTION 17
Your network contains an Active Directory domain. The domain contains 10 domain controllers that run Windows Server 2008 R2. You need to monitor the following information about the domain controllers for the next five days:
- Memory usage
- Processor usage
- The number of LDAP queries
What should you do?
A. Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template.
B. Use the System Performance Data Collector Set (DCS).
C. Create a User Defined Data Collector Set (DCS) that uses the System Performance template.
D. Use the Active Directory Diagnostics Data Collector Set (DCS).

Answer: A
Section: Cooper Exam D
Explanation/Reference: Creating a data collector set to monitor the AD properties of the 10 DCs from the same location would be efficient.

QUESTION 18
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC) named RODC1. You need to view the most recent user accounts authenticated by RODC1. What should you do first?
A. From Active Directory Sites and Services, right-click the connection object for DC1, and then click Replicate Now.
B. From Active Directory Sites and Services, right-click the connection object for DC2, and then click Replicate Now.
C. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to DC1.
D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to RODC1.

Answer: C
Section: Cooper Exam D
Explanation/Reference: Unless the user passwords are cached on the RODC, authentication takes place through the DC.

QUESTION 19
Your network contains an Active Directory domain. The domain contains 3,000 client computers. All client computers run Windows 7. Users log on to their client computers by using standard user accounts. You plan to deploy a new application named App1. The vendor of App1 provides a Setup.exe file to install App1. Setup.exe requires administrative rights to run. You need to deploy App1 to all client computers. The solution must meet the following requirements:
- App1 must automatically detect and replace corrupt application files.
- App1 must be available from the Start menu on each client computer.
What should you do first?
A. Create a logon script that calls Setup.exe for App1.
B. Create a .zap file.
C. Create a startup script that calls Setup.exe for App1.
D. Repackage App1 as a Windows Installer package.

Answer: D
Section: Cooper Exam D
Explanation/Reference: Repackaging Applications for Windows Installer. When you cannot reauthor a package to use Windows Installer, you might want to repackage it. Repackaging an application for Windows Installer involves taking a snapshot of a clean computer (including the registry settings, files, and system settings), installing the software, and then taking a post-installation snapshot of the computer. The repackaging software detects the difference between the two snapshots, and then creates the necessary instructions to reproduce the installation. If any registry changes, file changes, or system setting changes occur during the capture process, they are included in the installation.

You use repackaging when you do not have control over DLL files, source code, and registry entries, or for applications about which you do not have in-depth knowledge. Use this method only as a last resort when you need to repackage an application into an .msi. It is easy to underestimate the cost of repackaging in terms of labor hours. Also, users often set their expectations too high for the reliability of repackaged applications. Repackaging requires a thorough knowledge of the application's installation program and of the Windows Installer setup on the Windows platform.

Success with repackaging is affected by the state of the computer where you perform the repackaging. For best results, always perform a repackaging by using a clean computer. For the purpose of repackaging, a clean computer is defined as a computer that has only the operating system and operating system service packs installed before you run the repackaging software. Because of this limitation, and other issues, repackaging is not recommended.

QUESTION 20
Your network contains an Active Directory domain named contoso.com. Contoso.com contains two sites named Site1 and Site2. Site1 contains a domain controller named DC1. In Site1, you install a new domain controller named DC2. You ship DC2 to Site2. You discover that certain users in Site2 authenticate to DC1. You need to ensure that users in Site2 always attempt to authenticate to DC2 first. What should you do?
A. From Active Directory Users and Computers, modify the location settings of the DC2 computer object.
B. From Active Directory Sites and Services, modify the Location attribute for Site2.
C. From Active Directory Sites and Services, move the DC2 server object.
D. From Active Directory Users and Computers, move the DC2 computer object.

Answer: C
Section: Cooper Exam D
Explanation/Reference: DC2 needs to be moved to Site2 in Active Directory Sites and Services.

QUESTION 21
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a server named Server2. You open the System Properties on Server2 as shown in the exhibit. (Click the Exhibit button.)

When you attempt to configure Server2 as an enterprise subordinate certification authority (CA), you discover that the Enterprise subordinate CA option is unavailable. You need to configure Server2 as an enterprise subordinate CA. What should you do first?
A. Upgrade Server2 to Windows Server 2008 R2 Enterprise.
B. Log on as an administrator and run Server Manager.
C. Import the root CA certificate.
D. Join Server2 to the domain.

Answer: D
Section: Cooper Exam D
Explanation/Reference: To be an Enterprise CA (even a subordinate), the server must be joined to the domain, at least as a member server.

QUESTION 22
Your network contains an Active Directory domain. The domain contains a certification authority (CA). You need to ensure that only members of a group named Admin1 can create certificate templates. Which tool should you use to assign permissions to Admin1?
A. The Certification Authority console
B. Active Directory Users and Computers
C. The Certificates snap-in
D. Active Directory Sites and Services

Answer: A
Section: Cooper Exam D
Explanation/Reference: The rest of these options do not have the ability to do this.

Exam P
QUESTION 1
The network contains a certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You need to ensure that all members of a group named Group1 can view the event log entries for Certificate Services. Which snap-in should you use?
A. Certificate Templates
B. Certification Authority
C. Authorization Manager
D. Active Directory Users and Computers
E. TPM Management
F. Security Templates
G. Group Policy Management
H. Enterprise PKI
I. Certificates

Answer: D
Section: Cooper Exam D
Explanation/Reference: There is mention of an Event Log Readers group. Membership should be configurable in Active Directory Users and Computers. Check this answer.

QUESTION 2
The network contains a certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You need to ensure that users can enroll for certificates that use the IPSEC (Offline request) certificate template. Which snap-in should you use?
A. Enterprise PKI
B. TPM Management
C. Certificates
D. Active Directory Users and Computers
E. Authorization Manager
F. Certification Authority
G. Group Policy Management
H. Security Templates
I. Certificate Templates

Answer: I
Section: Cooper Exam D
Explanation/Reference: Templates can be configured with such permissions.

QUESTION 3
The network contains a certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You have a custom certificate template named Template1. Template1 is published to the CA. You need to ensure that all members of a group named Group1 can enroll for certificates that use Template1. Which snap-in should you use?
A. Security Templates
B. Enterprise PKI
C. Certification Authority
D. Certificate Templates
E. Certificates
F. TPM Management
G. Authorization Manager
H. Group Policy Management
I. Active Directory Users and Computers

Answer: D
Section: Cooper Exam D
Explanation/Reference:

QUESTION 4
The network contains a certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You need to approve a pending certificate request. Which snap-in should you use?
A. Active Directory Users and Computers
B. Authorization Manager
C. Certification Authority
D. Group Policy Management
E. Certificate Templates
F. TPM Management
G. Certificates
H. Enterprise PKI
I. Security Templates

Answer: C
Section: Cooper Exam D
Explanation/Reference:

QUESTION 5
Your network contains an Active Directory domain named adatum.com. You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs). In which node of the DNS snap-in should you add a zone?
A. Reverse Lookup Zones
B. adatum.com
C. Forward Lookup Zones
D. Conditional Forwarders
E. _msdcs.adatum.com
Answer: A
Section: Cooper Exam D
Explanation/Reference:

QUESTION 6
Your network contains an Active Directory domain named adatum.com. The domain contains a domain controller named DC1. DC1 has an IP address of 192.168.200.100. You need to identify the zone that contains the pointer (PTR) record for DC1. Which zone should you identify?
A. adatum.com
B. _msdcs.adatum.com
C. 100.168.192.in-addr.arpa
D. 200.168.192.in-addr.arpa

Answer: D
Section: Cooper Exam D
Explanation/Reference:

QUESTION 7
The network contains an Active Directory forest named adatum.com. The DNS infrastructure fails. You rebuild the DNS infrastructure. You need to force the registration of the Active Directory service locator (SRV) records in DNS. Which service should you restart on the domain controllers?
A. Netlogon
B. DNS Server
C. Network Location Awareness
D. Network Store Interface Service
E. Online Responder Service

Answer: A
Section: Cooper Exam D
Explanation/Reference: Duplicate

QUESTION 8
Your network contains an Active Directory domain named adatum.com. The domain password policy requires that the passwords for all user accounts be changed every 50 days.

You need to create several user accounts that will be used by services. The passwords for these accounts must be changed automatically every 50 days. Which tool should you use to create the accounts?
A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Active Directory module for Windows PowerShell
D. ADSI Edit
E. Active Directory Domains and Trusts

Answer: C
Section: Cooper Exam D
Explanation/Reference: PowerShell should be able to set such attributes.

QUESTION 9
Your network contains an Active Directory domain. The domain contains several domain controllers. You need to modify the Password Replication Policy of a read-only domain controller (RODC). Which tool should you use?
A. Group Policy Management
B. Active Directory Domains and Trusts
C. Active Directory Users and Computers
D. Computer Management
E. Security Configuration Wizard

Answer: C
Section: Cooper Exam D
Explanation/Reference: To view the PRP using Active Directory Users and Computers:
1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.
2. Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain.
3. Expand Domain Controllers, right-click the RODC account object for which you want to modify the PRP, and then click Properties.
4. Click the Password Replication Policy tab.

QUESTION 10
The network contains an Active Directory forest. The forest contains domain controllers that run Windows Server 2008 R2. The forest functional level is Windows Server 2003. The domain functional level is Windows Server 2008. From a domain controller, you need to perform an authoritative restore of an organizational unit (OU). What should you do first?
A. Raise the forest functional level.
B. Modify the tombstone lifetime of the forest.
C. Restore the system state.
D. Raise the domain functional level.
Answer: C
Section: Cooper Exam D
Explanation/Reference: The first task is to back up the current state of the DC (in case anything goes wrong during this procedure). After that, restore the system state backup taken before the deletion.

QUESTION 11
The network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com. You have a custom attribute named Attribute1 in Active Directory. Attribute1 is associated with user objects. You need to ensure that Attribute1 is included in the global catalog. What should you do?
A. From the Active Directory Schema snap-in, modify the properties of the Attribute1 attributeSchema object.
B. From Active Directory Users and Computers, configure the permissions on the Attribute1 attribute for user objects.
C. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.
D. From Active Directory Sites and Services, configure the global catalog settings for all domain controllers in the forest.
Answer: A
Section: Cooper Exam D
Explanation/Reference: To make modifications using the Active Directory Schema MMC snap-in:
1. Click the Attributes folder in the snap-in.
2. In the right pane, scroll down to the desired attribute, right-click it, and then click Properties.
3. Select the Replicate this attribute to the Global Catalog check box.
4. Click OK.

QUESTION 12
Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the Active Directory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD LDS instances named Instance1 and Instance2. You need to remove Instance2 from Server1 without affecting Instance1. Which tool should you use?
A. NTDSUtil
B. Dsdbutil
C. Programs and Features in Control Panel
D. Server Manager

Answer: C
Section: Cooper Exam D
Explanation/Reference: Remove an AD LDS Instance

Applies To: Windows Server 2008
You can use this procedure to remove an Active Directory Lightweight Directory Services (AD LDS) instance. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To remove an AD LDS instance:
1. To open Programs and Features, click Start, click Settings, click Control Panel, and then double-click Programs and Features.
2. Locate and click the AD LDS instance that you want to remove.
3. Click Uninstall.
http://technet.microsoft.com/en-us/library/cc794886(v=WS.10).aspx

QUESTION 13
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to compact the Active Directory database. What should you do?
A. Run the Get-ADForest cmdlet.
B. Configure Event Viewer subscriptions.
C. Run the eventcreate.exe command.
D. Configure the Active Directory Diagnostics Data Collector Set (DCS).
E. Create a Data Collector Set (DCS).
F. Run the Repadmin.exe command.
G. Run the ntdsutil.exe command.
H. Run the Dsquery.exe command.
I. Run the Dsamain.exe command.
J. Create custom views in Event Viewer.

Answer: G
Section: Cooper Exam D
Explanation/Reference:
1. At the command prompt, type the following command, and then press ENTER: net stop ntds
2. Type Y to agree to stop additional services, and then press ENTER.
3. At the command prompt, type ntdsutil, and then press ENTER.
4. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
5. At the ntdsutil prompt, type files, and then press ENTER.
6. If you are compacting the database to a local drive, at the file maintenance: prompt, type compact to <drive>:\<LocalDirectoryPath> (where <drive>:\<LocalDirectoryPath> is the path to a location on the local computer), and then press ENTER.

QUESTION 14
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to collect all Directory Service events from all domain controllers and store the events on a single central computer. What should you do?
A. Run the ntdsutil.exe command.
B. Run the repadmin.exe command.
C. Run the Get-ADForest cmdlet.
D. Run the Dsamain.exe command.
E. Create custom views in Event Viewer.
F. Run the Dsquery.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Configure Event Viewer subscriptions.
I. Run the eventcreate.exe command.
J. Create a Data Collector Set (DCS).

Answer: H
Section: Cooper Exam D
Explanation/Reference: An Event Viewer subscription would be correct.

QUESTION 15
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to receive a notification when more than 100 Active Directory objects are deleted per second. What should you do?
A. Create custom views in Event Viewer.
B. Run the Get-ADForest cmdlet.
C. Run the ntdsutil.exe command.
D. Configure the Active Directory Diagnostics Data Collector Set (DCS).
E. Create a Data Collector Set (DCS).
F. Run the Dsamain.exe command.
G. Run the Dsquery.exe command.
H. Run the Repadmin.exe command.
I. Configure Event Viewer subscriptions.
J. Run the eventcreate.exe command.

Answer: E
Section: Cooper Exam D
Explanation/Reference: Creating a data collector set would work.

QUESTION 16
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to create a snapshot of Active Directory. What should you do?
A. Run the Dsquery.exe command.
B. Run the Dsamain.exe command.
C. Create custom views in Event Viewer.
D. Configure Event Viewer subscriptions.
E. Create a Data Collector Set (DCS).
F. Configure the Active Directory Diagnostics Data Collector Set (DCS).
G. Run the Repadmin.exe command.
H. Run the ntdsutil.exe command.
I. Run the Get-ADForest cmdlet.
J. Run the eventcreate.exe command.

Answer: H
Section: Cooper Exam D
Explanation/Reference: Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser) Step-by-Step Guide
Applies To: Windows Server 2008
This guide shows how you can use an improved version of Ntdsutil and a new Active Directory database mounting tool in Windows Server 2008 to create and view snapshots of data that is stored in Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), without restarting the domain controller or AD LDS server. A snapshot is a shadow copy, created by the Volume Shadow Copy Service (VSS), of the volumes that contain the Active Directory database and log files.

QUESTION 17
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You mount an Active Directory snapshot. You need to ensure that you can query the snapshot by using LDAP. What should you do?
A. Run the Dsamain.exe command.
B. Create custom views in Event Viewer.
C. Run the ntdsutil.exe command.
D. Configure Event Viewer subscriptions.
E. Run the Get-ADForest cmdlet.
F. Create a Data Collector Set (DCS).
G. Run the eventcreate.exe command.
H. Configure the Active Directory Diagnostics Data Collector Set (DCS).
I. Run the Repadmin.exe command.
J. Run the Dsquery.exe command.

Answer: A
Section: Cooper Exam D
Explanation/Reference: The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times, so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain.

QUESTION 18
Drag and drop
Your network contains an Active Directory domain named adatum.com.

You need to use Group Policy to deploy the line-of-business applications shown in the following table.

What should you do? To answer, drag the appropriate deployment method to the correct application in the answer area.

Answer:

Section: Cooper Exam D
Explanation/Reference: You can use Group Policy to distribute computer programs by using the following methods:
Assigning software: You can assign a program distribution to users or computers. If you assign the program to a user, it is installed when the user logs on to the computer. When the user first runs the program, the installation is finalized. If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is finalized.
Publishing software: You can publish a program distribution to users. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there.

QUESTION 19
HOTSPOT
The network contains an Active Directory forest named contoso.com. All client computers run Windows 7 Enterprise. You need to automatically create a local group named PowerManagers on each client computer that contains a battery. The solution must minimize the amount of administrative effort. Which node in the Group Policy Management Editor should you use? To answer, select the appropriate node in the answer area.

Answer:

Section: Cooper Exam D
Explanation/Reference: This would be a GPO applied to a computer.

QUESTION 20
Drag and drop
Your network contains two forests named contoso.com and fabrikam.com. The functional level of all the domains is Windows Server 2003. The functional level of both forests is Windows 2000. You need to create a trust between contoso.com and fabrikam.com. The solution must ensure that users from contoso.com can access only the servers in fabrikam.com that have the Allowed to Authenticate permission set. What should you do? To answer, move the appropriate actions from the list of possible actions to the required actions area and arrange them in the correct order.

Answer:

Section: Cooper Exam D
Explanation/Reference: In this case the forest functional levels need to be Windows Server 2003 or higher, and a forest trust should be established. Selective authentication would also be needed. External trusts are usually for NT domains or LDAP connections.

QUESTION 21
Drag and drop
The network contains an Active Directory forest named contoso.com. You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster.

What should you do? To answer, move the appropriate actions from the list of possible actions to the required actions area and arrange them in the correct order.

Answer:

Section: Cooper Exam D Explanation/Reference:

QUESTION 22
Drag and drop
Your company has a main office and a branch office. All servers are located in the main office. The network contains an Active Directory forest named adatum.com. The forest contains a domain controller named MainDC that runs Windows Server 2008 R2 Enterprise and a member server named FileServer that runs Windows Server 2008 R2 Standard. You have a kiosk computer named Public_Computer that runs Windows 7. Public_Computer is not connected to the network. You need to join Public_Computer to the adatum.com domain. What should you do? To answer, move the appropriate actions from the list of possible actions to the required actions area and arrange them in the correct order.

Answer:

Section: Cooper Exam D
Explanation/Reference: These are the steps to pre-join a computer to the domain.

Exam Q
QUESTION 1
The company has servers on the main network that run Windows Server 2008. It also has two domain controllers. Active Directory services are running on a domain controller named CKDC1. You have to perform critical Windows Server 2008 updates on CKDC1 without restarting the server. What should you do to perform the critical updates offline on CKDC1 without restarting the server?
A. Start Active Directory Domain Services on CKDC1.
B. Disconnect from the network and start the Windows Update feature.
C. Stop Active Directory Domain Services and install the updates. Start Active Directory Domain Services after installing the updates.
D. Stop Active Directory Domain Services and install the updates. Disconnect from the network and then reconnect.
E. None of the above.
Answer: C
Section: Configuring AD Infrastructure
Explanation/Reference:

QUESTION 2
Your company asks you to implement Windows CardSpace in the domain. You want to use Windows CardSpace at home. Your home and office computers run Windows Vista Ultimate. What should you do to create a backup copy of the Windows CardSpace cards to be used at home?
A. Log on with the administrator account and copy the \Windows\ServiceProfiles folder to your USB drive.
B. Back up \Windows\Globalization using Backup Status and save the folder on your USB drive.
C. Back up the system state data using the Backup Status tool to your USB drive.
D. Use the Windows CardSpace application to back up the data to your USB drive.
E. Reformat the C: drive.
F. None of the above.
Answer: D
Section: Cooper Exam D
Explanation/Reference:

QUESTION 3
The company has a single-domain Active Directory forest. The company needs a distributed application that deploys a custom application. The application is a piece of directory partition software called PARDAT. You need to implement this application for data replication. Which two tools should you use to perform this task? (Choose two. Each answer is part of a complete solution.)
A. Dnscmd
B. Ntdsutil
C. Ipconfig
D. Dnsutil
E. All of the above

Answer: AB

Section: Powershell & Command line cmds
Explanation/Reference:

QUESTION 4
The company has an Active Directory forest with six domains. The company has 5 sites. The company requires a new distributed application that uses a custom application directory partition named ResData for data replication. The application is installed on a member server in each of the five sites. You need to configure the five member servers to receive the ResData application directory partition for data replication. What should you do?
A. Run the Dcpromo utility on the five member servers.
B. Run the Regsvr32 command on the five member servers.
C. Run the Webadmin command on the five member servers.
D. Run the RacAgent utility on the five member servers.

Answer: A Section: Configuring AD Infrastructure Explanation/Reference:

QUESTION 5
Your company has a main office and three branch offices. Each office is configured as a separate Active Directory site that has its own domain controller. You disable an account that has administrative rights. You need to immediately replicate the disabled account information to all sites. Which two ways can achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. From the Active Directory Sites and Services console, configure all domain controllers as global catalog servers.
B. From the Active Directory Sites and Services console, select the existing connection objects and force replication.
C. Use Repadmin.exe to force replication between the site connection objects.
D. Use Dsmod.exe to configure all domain controllers as global catalog servers.
Answer: BC
Section: AD Sites & Services
Explanation/Reference:

QUESTION 6
ABC.com has a network that consists of a single Active Directory domain. A technician has accidentally deleted an organizational unit (OU) on the domain controller. As the administrator of ABC.com, you are in the process of restoring the OU. You need to perform a non-authoritative restore before an authoritative restore of the OU. Which backup should you use to perform the non-authoritative restore of Active Directory Domain Services (AD DS) without disturbing other data stored on the domain controller?
A. Critical volume backup
B. Backup of all volumes
C. Backup of the volume that hosts the operating system
D. Backup of the AD DS folders
E. None of the above

Answer: A Section: Configuring AD Backup-Restore Explanation/Reference:

QUESTION 7
You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensure that data and log files are backed up regularly. This will also ensure the continued availability of data to applications and users in case of a system failure. Because you have limited media resources, you decided to back up only a specific AD LDS instance instead of taking a backup of the entire volume. What should you do to perform this task?
A. Use the Windows Server Backup utility and enable the check box to back up only the AD LDS database and log files.
B. Use the Dsdbutil.exe tool to create installation media that corresponds only to the AD LDS instance.
C. Move the AD LDS database and log files to a separate volume and use the Windows Server Backup utility.
D. None of the above.
Answer: B
Section: Configuring AD LDS
Explanation/Reference:

Exam R
QUESTION 1
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is configured as an Active Directory Federation Services (AD FS) 2.0 standalone server. You plan to add a new token-signing certificate to Server1. You import the certificate to the server as shown in the exhibit. (Click the Exhibit button.) When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable. You need to ensure that you can use the new certificate for AD FS. What should you do?
Exhibit:

A. From the properties of the certificate, modify the Certificate Policy OIDs setting.
B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.
C. From the properties of the certificate, modify the Certificate purposes setting.
D. Import the certificate to the local computer personal certificate store.

Answer: D
Section: Configuring AD Federated Services
Explanation/Reference:

QUESTION 2
Your company has two Active Directory forests named contoso.com and fabrikam.com. The company network has three DNS servers named DNS1, DNS2 and DNS3. The DNS servers are configured as shown in the following table.

All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server. All other computers use DNS1 as the preferred DNS server. Users in the fabrikam.com domain are unable to connect to servers that belong to the contoso.com domain. You need to ensure that users in the fabrikam.com domain are able to resolve all contoso.com queries. What should you do?
A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.
B. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.
C. Create a copy of the fabrikam.com zone on the DNS1 and DNS2 servers.
D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.
Answer: D
Section: Configuring AD DNS
Explanation/Reference:

QUESTION 3
You installed Windows Server 2008 on a computer and configured it as a file server named FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks. For fault tolerance and performance, you want to configure Redundant Array of Independent Disks (RAID) 0+1 on FileSrv1. Which utility will you use to convert the basic disks to dynamic disks on FileSrv1?
A. Diskpart.exe
B. Chkdsk.exe
C. Fsutil.exe
D. Fdisk.exe
E. None of the above

Answer: A
Section: Configuring AD Infrastructure
Explanation/Reference:

QUESTION 4
The company's corporate network consists of a single Windows Server 2008 Active Directory domain. The domain has two servers named Company 1 and Company 2. To ensure central monitoring of events, you decided to collect all events on one server, Company 1. To collect events from Company 2 and transfer them to Company 1, you configured the required event subscriptions. You selected the Normal option for the event delivery optimization setting, using the HTTP protocol. However, you discovered that none of the subscriptions work. Which of the following actions should you perform to configure event collection and event forwarding on the two servers? (Choose three. Each answer is a part of the complete solution.)
A. From the Run window, run the winrm quickconfig command on Company 2.
B. From the Run window, run the wecutil qc command on Company 2.
C. Add the Company 1 account to the Administrators group on Company 2.
D. From the Run window, run the winrm quickconfig command on Company 1.
E. Add the Company 2 account to the Administrators group on Company 1.
F. From the Run window, run the wecutil qc command on Company 1.

Answer: ACF
Section: Maintaining the AD Environment

Explanation/Reference:

QUESTION 5
Exhibit:

The company's servers run Windows Server 2008. It has a single Active Directory domain. A server named S4 has the File Services role installed. You install some disks for additional storage. The disks are configured as shown in the exhibit above. To support striped data with parity, you have to create a new volume. What should you do to achieve this goal?
A. Build a new spanned volume by combining Disk0 and Disk1.
B. Create a new RAID-5 volume by adding another disk.
C. Create a new virtual volume by combining Disk1 and Disk2.
D. Build a new striped volume by combining Disk0 and Disk2.

Answer: B
Section: Configuring AD Infrastructure
Explanation/Reference:

QUESTION 6
ABC.com has a software evaluation lab. There is a server in the evaluation lab named CKT. CKT runs Windows Server 2008 and Microsoft Virtual Server 2005 R2. CKT has 200 virtual servers running on an isolated virtual segment to evaluate software. To connect to the Internet, it uses a physical network interface card. ABC.com requires every company server to access the Internet. ABC.com's security policy dictates that the IP address space used by the software evaluation lab must not be used by other networks. Likewise, it states that the IP address space used by other networks must not be used by the evaluation lab network. As an administrator, you find that the applications tested in the software evaluation lab need to access the normal network to connect to the vendors' update servers on the Internet. You need to configure all the virtual servers on the CKT server to access the Internet. You also need to comply with the company's security policy. Which two actions should you perform to achieve this task? (Choose two. Each answer is a part of the complete solution.)
A. Trigger the virtual DHCP server for the external virtual network and run the ipconfig /renew command on each virtual server.
B. On CKT's physical network interface, enable Internet Connection Sharing (ICS).
C. Use ABC.com intranet IP addresses on all virtual servers on CKT.
D. Add and install the Microsoft Loopback Adapter network interface on CKT. Use the new network interface and create a new virtual network.
E. None of the above.
Answer: AD
Section: Maintaining the AD Environment
Explanation/Reference:

QUESTION 7
Your company has an Active Directory domain. The company has purchased 100 new computers. You want to deploy the computers as members of the domain. You need to create the computer accounts in an OU. What should you do?
A. Run the csvde -f computers.csv command.
B. Run the ldifde -f computers.ldf command.
C. Run the dsadd computer <computerdn> command.
D. Run the dsmod computer <computerdn> command.

Answer: C
Section: Powershell & Command line cmds
Explanation/Reference: The -f switch creates an export file. Dsmod will not create computer accounts.

QUESTION 8
The network contains an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers. You add multiple DNS records to the zone. You need to ensure that the records are replicated to all DNS servers. Which tool should you use?
A. Dnslint
B. Ldp
C. Nslookup
D. Repadmin

Answer: A
Section: Configuring AD DNS
Explanation/Reference:

QUESTION 9
You are an administrator at ABC.com. The company has a read-only domain controller (RODC) server at a remote location. The remote location does not have adequate physical security. You need to enable the caching of non-administrative account passwords on the RODC server. Which of the following measures should be considered to populate the RODC server with non-administrative account passwords?
A. Delete all administrative accounts from the RODC's group.
B. Configure the Deny permission for the administrative accounts on the Security tab of the Group Policy Object (GPO).
C. Configure the administrative accounts to be added to the Denied RODC Password Replication Group domain group.
D. Add a new GPO and enable the account lockout settings. Link it to the remote RODC server and, on the Security tab of the GPO, check the Allow Read and Apply Group Policy permissions for the administrators.
E. None of the above.
Answer: C
Section: Maintaining the AD Environment
Explanation/Reference:

QUESTION 10
Your company has an Active Directory forest that contains two domains. The forest has universal groups that contain members from each domain. A branch office has a domain controller named DC1. Users in the branch office report that the logon process takes a long time. You need to decrease the amount of time it takes for branch office users to log on. What should you do?
A. Configure DC1 as a global catalog server.
B. Configure DC1 as a bridgehead server for the branch office site.
C. Decrease the replication interval on the site link that connects the branch office to the corporate network.
D. Increase the replication interval on the site link that connects the branch office to the corporate network.

Answer: A
Section: Configuring AD Infrastructure
Explanation/Reference:

QUESTION 11
The company has a Windows Server 2008 domain controller. This server is routinely backed up over the network from a dedicated backup server that is running the Windows Server 2003 OS. You need to prepare the domain controller for disaster recovery in addition to the routine backup procedures. You are unable to launch the backup utility when attempting to back up the system state data. You need to back up the system state data of the Windows Server 2008 domain controller. What should you do?
A. Add your user account to the local Backup Operators group.
B. Install the Windows Server Backup feature using Server Manager.
C. Install the Removable Storage Manager feature using Server Manager.
D. Disable the backup job that is configured to back up the Windows Server 2008 domain controller on the Windows Server 2003 server.
E. None of the above.
Answer: B
Section: Configuring AD Backup-Restore
Explanation/Reference:

QUESTION 12
Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers run Windows Server 2008 and the DNS Server role. All computers, including non-domain members, dynamically register their DNS records. You need to configure the intranet.adatum.com zone to allow only domain members to dynamically register DNS records. What should you do?

A. Set dynamic updates to Secure Only.
B. Remove the Authenticated Users group.
C. Enable zone transfers to Name Servers.
D. Deny the Everyone group the Create All Child Objects permission.

Answer: A
Section: Configuring AD DNS
Explanation/Reference:

QUESTION 13
Your company has a main office and a branch office that are configured as a single Active Directory forest. The functional level of the Active Directory forest is Windows Server 2003. There are four Windows Server 2003 domain controllers in the main office. You need to ensure that you are able to deploy a read-only domain controller (RODC) in the branch office. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Raise the forest functional level to Windows Server 2008.
B. Deploy a Windows Server 2008 domain controller in the main office.
C. Raise the domain functional level to Windows Server 2008.
D. Run the adprep /rodcprep command.

Answer: BD
Section: Configuring Additional AD Server Roles
Explanation/Reference:

QUESTION 14
Your company, Contoso, Ltd., has offices in North America and Europe. Contoso has an Active Directory forest that has three domains. You need to reduce the time required to authenticate users from the labs.eu.contoso.com domain when they access resources in the eng.na.contoso.com domain. What should you do?

A. Decrease the replication interval for all connection objects.
B. Decrease the replication interval for the DEFAULTIPSITELINK site link.
C. Configure a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com.
D. Configure a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.

Answer: C
Section: Configuring AD Infrastructure
Explanation/Reference:

QUESTION 15
Your company uses shared folders. Users are granted access to the shared folders by using domain local groups. One of the shared folders contains confidential data. You need to ensure that unauthorized users are not able to access the shared folder that contains the confidential data. What should you do?

A. Enable the "Do not trust this computer for delegation" property on all computers of unauthorized users by using the Dsmod utility.
B. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full Control permission on the shared folders that hold the confidential data for the Guest account.
C. Create a global group named Deny DLG. Place the global group that contains the unauthorized users into the Deny DLG group. Configure the Allow Full Control permission on the shared folder that holds the confidential data for the Deny DLG group.
D. Create a domain local group named Deny DLG. Place the global group that contains the unauthorized users into the Deny DLG group. Configure the Deny Full Control permission on the shared folder that holds the confidential data for the Deny DLG group.

Answer: D
Section: Creating & Maintaining AD Objects
Explanation/Reference:

QUESTION 16
You are an administrator at ABC.com. The company has a network of 5 member servers acting as file servers. It has an Active Directory domain. You installed a software application on the servers. As soon as the application is installed, one of the member servers shuts down. To track down and fix the problem, you create a Group Policy object (GPO). You need to change the domain security settings to trace the shutdowns and identify their cause. What should you do to perform this task?

A. Link the GPO to the domain and enable the System Events option
B. Link the GPO to the domain and enable the Audit Object Access option
C. Link the GPO to the domain controllers and enable the Audit Object Access option
D. Link the GPO to the domain controllers and enable the Audit Process Tracking option
E. Perform all of the above actions

Answer: A
Section: Configuring Group Policy
Explanation/Reference:

QUESTION 17
Your company has an Active Directory domain. All servers run Windows Server. You deploy a Certification Authority (CA) server. You create a new global security group named CertIssuers. You need to ensure that members of the CertIssuers group can issue, approve and revoke certificates. What should you do?

A. Assign the Certificate Manager role to the CertIssuers group
B. Add the CertIssuers group to the local Certificate Publishers group
C. Run the certsrv -add CertIssuers command at the command prompt of the certificate server
D. Run the add -member -MemberType MemberSet CertIssuers command by using Microsoft Windows PowerShell

Answer: A
Section: Configuring AD Certificate Services
Explanation/Reference:

QUESTION 18
You need to remove the Active Directory Domain Services role from a domain controller named DC1. What should you do?

A. Run the netdom remove DC1 command.
B. Run the Dcpromo utility.
C. Remove the Active Directory Domain Services server role.
D. Run the nltest /remove_server: DC1 command. Reset the domain controller computer account by using the Active Directory Users and Computers utility.

Answer: B
Section: Configuring Additional AD Server Roles
Explanation/Reference:

QUESTION 19
One of the company's remote branch offices is running a Windows Server 2008 read-only domain controller (RODC). For security reasons you do not want certain critical credentials (passwords, encryption keys) to be stored on the RODC. What should you do so that these credentials are not replicated to any RODC in the forest? (Select 2)

A. Configure the RODC filtered attribute set on the server
B. Configure the RODC filtered attribute set on the server that holds the schema operations master role.
C. Delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain
D. Configure the forest functional level to Windows Server 2008 in order to configure the filtered attribute set.
E. None of the above

Answer: BD
Section: Maintaining the AD Environment
Explanation/Reference:

QUESTION 20
The company has a single-domain network with Windows 2000, Windows 2003 and Windows 2008 servers. The client computers run Windows XP and Windows Vista. All domain controllers run Windows Server 2008.

Exhibit B
Server              Operating system        Role
Company_DC1         Windows Server 2008     Domain controller
Company_DC2         Windows Server 2008     Domain controller
Company_SRV5        Windows Server 2008     File and print server

You need to deploy Active Directory Rights Management Services (AD RMS) to protect all documents and spreadsheets and to provide user authentication. What do you need to configure in order to complete the AD RMS deployment?

A. Upgrade all client computers to Windows Vista. Install AD RMS on the domain controller Company_DC1
B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on the domain controller Company_DC1
C. Upgrade all client computers to Windows Vista. Install AD RMS on Company_SRV5
D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on Company_SRV5
E. None of the above

Answer: D
Section: Maintaining the AD Environment
Explanation/Reference: