Microsoft Exam Material

Looking for Real Exam Questions for IT Certification Exams!

We guarantee you can pass any IT certification exam at your first attempt with just 10‐12
hours study of our guides.

Our study guides contain actual exam questions; accurate answers with detailed explanation
verified by experts and all graphics and drag‐n‐drop exhibits shown just as on the real test.

To test the quality of our guides, you can download the one‐fourth portion of any guide from
http://www.certificationking.com absolutely free. You can also download the guides for retired
exams that you might have taken in the past.

For pricing and placing order, please visit http://certificationking.com/order.html
We accept all major credit cards through www.paypal.com

For other payment options and any further query, feel free to mail us at
info@certificationking.com
Page No | 2
Question 1
You have a single Actve Directory domain. All domain controllers run Windows Server 2008 and are confgured as
DNS servers.
The domain contains one Actve Directory-integrated DNS zone.
You need to ensure that outdated DNS records are automatcally removed from the DNS zone.
What should you do?
A. From the propertes of the zone, modify the TTL of the SOA record.
B. From the propertes of the zone, enable scavenging.
C. From the command prompt, run ipconfg /fushdns.
D. From the propertes of the zone, disable dynamic updates.
Aoswern B
Explanatonn
htpn//technet.microsoo.com/en-us/library/cc753217.aspx
Set Aging and Scavenging Propertes for the DNS Server
The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for
performing cleanup and removal of stale resource records, which can accumulate in zone data over tme. You can use
this procedure to set the default aging and scavenging propertes for the zones on a server.
Further informatonn
Understanding Aging and Scavenging
Question 2
Your network consists of a single Actve Directory domain. All domain controllers run Windows Server 2008 R2. The
Audit account management policy setng and Audit directory services access setng are enabled for the entre
domain.
You need to ensure that changes made to Actve Directory objects can be logged. The logged changes must include
the old and new values of any atributes.
What should you do?
A. Run auditpol.exe and then confgure the Security setngs of the Domain Controllers OU.
B. From the Default Domain Controllers policy, enable the Audit directory service access setng and enable directory
service changes.
C. Enable the Audit account management policy in the Default Domain Controller Policy.
D. Run auditpol.exe and then enable the Audit directory service access setng in the Default Domain policy.
Aoswern A
Explanatonn
htpn//technet.microsoo.com/en-us/library/cc731607%28v=ws.10%29.aspx
AD DS Auditng Step-by-Step Guide
In Windows Server 2008 you can now set up AD DS auditng with a new audit subcategory to log old and new values
when changes are made to objects and their atributes.
..
________________________________________________________________________________________________
www.Certificationking.com
Page No | 3
The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory Service
Changes. This guide provides instructons for implementng this audit policy subcategory.
The types of changes that you can audit include a user (or any security principal) creatng, modifying, moving, or
undeletng an object. The new audit policy subcategory adds the following capabilites to auditng in AD DSn
When a successful modify operaton is performed on an atribute, AD DS logs the previous and current values of the
atribute. If the atribute has more than one value, only the values that change as a result of the modify operaton are
logged.
If a new object is created, values of the atributes that are populated at the tme of creaton are logged. If the user
adds atributes during the create operaton, those new atribute values are logged. In most cases, AD DS assigns
default values to atributes (such as samAccountName). The values of such system atributes are not logged.
If an object is moved, the previous and new locaton (distnguished name) is logged for moves within the domain.
When an object is moved to a diferent domain, a create event is generated on the domain controller in the target
domain.
If an object is undeleted, the locaton where the object is moved to is logged. In additon, if the user adds, modifes,
or deletes atributes while performing an undelete operaton, the values of those atributes are logged.
..
In Windows Server 2008, you implement the new auditng feature by using the following controlsn
Global audit policy
System access control list (SACL)
Schema
Global audit policy
Enabling the global audit policy, Audit directory service access, enables all directory service policy subcategories. You
can set this global audit policy in the Default Domain Controllers Group Policy (under Security SetngsgLocal
PoliciesgAudit Policy). In Windows Server 2008, this global audit policy is not enabled by default. Although the
subcategory Directory Service Access is enabled for success events by default, the other subcategories are not
enabled by default.
You can use the command-line tool Auditpol.exe to view or set audit policy subcategories. There is no
Windows interface tool available in Windows Server 2008 to view or set audit policy subcategories.
Further informatonn
Auditpol
Displays informaton about and performs functons to manipulate audit policies.
htpn//servergeeks.wordpress.com/2012/12/31/auditng-directory-services/
AD Scenario – Auditng Directory Services
Auditng of Directory Services depends on several controls, these aren
1. Global Audit Policy (at category level using gpmc.msc tool)
2. Individual Audit Policy (at subcategory level using auditpol.exe tool)
3. System ACLs – to specify which operatons are to be audited for a security principal.
4. Schema (optonal) – this is an additonal control in the schema that you can use to create exceptons to what is
audited.
In Windows Server 2008, you can now set up AD DS (Actve Directory Domain Services) auditng with a new audit
policy subcategory (Directory Service Changes) to log old and new values when changes are made to AD DS objects
and their atributes. This can be done using auditpol.exe tool.
Command to check which audit policies are actve on your machinen auditpol /get /categoryn*
________________________________________________________________________________________________
Page No | 4
Command to view the audit policy categories and Subcategoriesn
How to enable the global audit policy using the Windows interface i.e. gpmc tool
Click Start, point to Administratve Tools, and then Group Policy Management or run gpmc.msc command.
In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain,
________________________________________________________________________________________________
Page No | 5
double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
Under Computer Confguraton, double-click Policies, double-click Windows Setngs, double-click Security Setngs,
double-click Local Policies, and then click Audit Policy.
________________________________________________________________________________________________
Page No | 6
In the details pane, right-click Audit directory service access, and then click Propertes.
Select the Defne these policy setngs check box.
Under Audit these atempts, select the Success, check box, and then click OK.
________________________________________________________________________________________________
Page No | 7
How to enable the change auditng policy using a command line

Click Start, right-click Command Prompt, and then click Run as administrator.
Type the following command, and then press ENTERn
auditpol /set /subcategoryn”directory service changes” /successnenable
To verify if the auditng is enabled or not for “Directory Service Changes”, you can run below commandn
auditpol /get /categoryn”DS Access”
How to set up auditng in object SACLs

Click Start, point to Administratve Tools, and then click Actve Directory Users and Computers.
Right-click the organizatonal unit (OU) (or any object) for which you want to enable auditng, and then click
Propertes.
Click the Security tab, click Advanced, and then click the Auditng tab.
________________________________________________________________________________________________
Page No | 8
Click Add, and under Enter the object name to select, type Authentcated Users (or any other security principal) and
then click OK.
In Apply onto, click Descendant User objects (or any other objects).
Under Access, select the Successful check box for Write all propertes.
Click OK
________________________________________________________________________________________________
Page No | 9
Click OK untl you exit the property sheet for the OU or other object.
To Test whether auditng is working or not, try creatng or modifying objects in Finance OU and check the Security
event logs.
I just created a new user account in Finance OU named f4.
If you check the security event logs you will fnd eventd 5137 (Create)
Noten
Once the auditng is enabled these eventds will appear in security event logsn 5136 (Modify), 5137 (Create), 5138
(Undelete), 5139 (Move).
________________________________________________________________________________________________
Page No | 10
Question 3
Your company, Contoso Ltd has a main ofce and a branch ofce. The ofces are connected by a WAN link. Contoso
has an Actve Directory forest that contains a single domain named ad.contoso.com.
The ad.contoso.com domain contains one domain controller named DC1 that is located in the main ofce. DC1 is
confgured as a DNS server for the ad.contoso.com DNS zone. This zone is confgured as a standard primary zone.
You install a new domain controller named DC2 in the branch ofce. You install DNS on DC2.
You need to ensure that the DNS service can update records and resolve DNS queries in the event that aWAN link fails.
What should you do?
A. Create a new stub zone named ad.contoso.com on DC2.

B. Create a new standard secondary zone named ad.contoso.com on DC2.
C. Confgure the DNS server on DC2 to forward requests to DC1.
D. Convert the ad.contoso.com zone on DC1 to an Actve Directory-integrated zone.
Aoswern D
Explanatonn
Answern Convert the ad.contoso.com zone on DC1 to an Actve Directory-integrated zone.
Explanatonn
Understanding Actve Directory Domain Services Integraton
The DNS Server service is integrated into the design and implementaton of Actve Directory Domain Services (AD DS).
AD DS provides an enterprise-level tool for organizing, managing, and locatng resources in a network.
How DNS integrates with AD DS
When you install AD DS on a server, you promote the server to the role of a domain controller for a specifed domain.
________________________________________________________________________________________________
Page No | 11
As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining
and for which you are promotng the server, and you are ofered the opton to install the DNS Server role. This opton
is provided because a DNS server is required to locate this server or other domain controllers for members of an AD
DS domain.
Benefts of AD DS integraton
For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They
provide the following beneftsn
DNS features multmaster data replicaton and enhanced security based on the capabilites of AD DS. In a standard
zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single
authoritatve DNS server for a zone is designated as the primary source for the zone. This server maintains the master
copy of the zone in a local fle. With this model, the primary server for the zone represents a single fxed point of
failure. If this server is not available, update requests from DNS clients are not processed for the zone.
With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are
replicated to all other AD DS-integrated DNS servers by means of AD DS replicaton. In this model, any AD DS-
integrated DNS servercan accept dynamic updates for the zone. Because the master copy of the zone is maintained in
the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers
operatng at any domain controller for the domain. With the multmaster update model of AD DS, any of the primary
servers for the directoryintegrated zone can process requests from DNS clients to update the zone as long as a domain
controller is available and reachable on the network.
Also, when you use directory-integrated zones, you can use access control list (ACL) editng to secure a dnsZone object
container in the directory tree. This feature provides detailed access to either the zone or a specifed resource record
in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed
only for a specifed client computer or a secure group, such as a domain administrators group. This security feature is
not available with standard primary zones.
Zones are replicated and synchronized to new domain controllers automatcally whenever a new one is added to an
AD DS domain.
By integratng storage of your DNS zone databases in AD DS, you can streamline database replicaton planning for your
network.
Directory-integrated replicaton is faster and more efcient than standard DNS replicaton.
Further informatonn
Question 4
Your company has a server that runs an instance of Actve Directory Lightweight Directory Service (AD LDS).
You need to create new organizatonal units in the AD LDS applicaton directory partton.
What should you do?
A. Use the dsmod OU <OrganizatonalUnitDNN command to create the organizatonal units.

B. Use the Actve Directory Users and Computers snap-in to create the organizatonal units on the AD LDS applicaton
directory partton.
C. Use the dsadd OU <OrganizatonalUnitDNN command to create the organizatonal units.
D. Use the ADSI Edit snap-in to create the organizatonal units on the AD LDS applicaton directory partton.
Aoswern D
Explanatonn
Answern Use the ADSI Edit snap-in to create the organizatonal units on the AD LDS applicaton directory partton.
Explanatonn
ADSI Edit (adsiedit.msc)
Actve Directory® Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you
________________________________________________________________________________________________
Page No | 12
can use to manage objects and atributes in Actve Directory. ADSI Edit (adsiedit.msc) provides a view of every object
and atribute in an Actve Directory forest. You can use ADSI Edit to query, view, and edit atributes that are not
exposed through other Actve Directory Microsoo Management Console (MMC) snap-insn Actve Directory Users and
Computers, Actve Directory Sites and Services, Actve Directory Domains and Trusts, and Actve Directory Schema.
htpn//technet.microsoo.com/en-us/library/cc730701%28v=ws.10%29.aspx#BKMK_1
Step 4n Practce Managing AD LDS Organizatonal Units, Groups, and Users
Create an OU
To keep your AD LDS users and groups organized, you may want to place users and groups in OUs. In Actve
Directory Domain Services (AD DS) and in AD LDS, as well as in other Lightweight Directory Access Protocol
(LDAP)–based directories, OUs are most commonly used for keeping users and groups organized.
To create an OU
1. Click Start, point to Administratve Tools, and then click ADSI Edit.
2. Connect and bind to the directory partton of the AD LDS instance to which you want to add an OU.
3. In the console tree, double-click the o=Microsoo,c=US directory partton, right-click the container to which you
want to add the OU, point to New, and then click Object.
4. In Select a class, click organizatonalUnit, and then click Next.
5. In Value, type a name for the new OU, and then click Next.
6. If you want to set values for additonal atributes, click More atributes.
Further informatonn
Step 5n Practce Working with Applicaton Directory Parttons
The Actve Directory Lightweight Directory Services (AD LDS) directory store is organized into logical directory
parttons. There are three diferent types of directory parttonsn
Confguraton directory parttons
Schema directory parttons
Applicaton directory parttons
Each AD LDS directory store must contain a single confguraton directory partton and a single schema directory
partton. The directory store can contain zero or more applicaton directory parttons.
Applicaton directory parttons hold the data that your applicatons use. You can create an applicaton directory
partton during AD LDS setup or anytme aoer installaton.
Question 5
Your company has an Actve Directory domain. The company has two domain controllers named DC1 and DC2. DC1
holds the Schema Master role.
DC1 fails. You log on to Actve Directory by using the administrator account. You are not able to transfer the Schema
Master operatons role.
You need to ensure that DC2 holds the Schema Master role.
What should you do?
A. Confgure DC2 as a bridgehead server.

B. On DC2, seize the Schema Master role.
C. Log of and log on again to Actve Directory by using an account that is a member of the Schema Administrators
group. Start the Actve Directory Schema snap-in.
D. Register the Schmmgmt.dll. Start the Actve Directory Schema snap-in.
Aoswern B
Explanatonn
Answern On DC2, seize the Schema Master role.
Explanatonn
________________________________________________________________________________________________
Page No | 13
Transfer the Schema Master
You can use this procedure to transfer the schema operatons master role if the domain controller that currently hosts
the role is inadequate, has failed, or is being decommissioned. The schema master is a forest-wide operatons master
(also known as fexible single master operatons or FSMO) role.
..
Noten You perform this procedure by using a Microsoo Management Console (MMC) snap-in, although you can also
transfer this role by using Ntdsutl.exe.
Membership in Schema Admins, or equivalent, is the minimum required to complete this procedure.
Seize the AD LDS Schema Master Role
The schema master is responsible for performing updates to the Actve Directory Lightweight Directory Services (AD
LDS) schema. Each confguraton set has only one schema master. All write operatons to the AD
LDS schema can be performed only when connected to the AD LDS instance that holds the schema master role within
its confguraton set. Those schema updates are replicated from the schema master to all other instances in the
confguraton set.
Membership in the AD LDS Administrators group, or equivalent, is the minimum required to complete this procedure.
Cautonn Do not seize the schema master role if you can transfer it instead. Seizing the schema master role is a drastc
step that should be considered only if the current operatons master will never be available again.
Question 6
Your company has an Actve Directory forest that runs at the functonal level of Windows Server 2008.
You implement Actve Directory Rights Management Services (AD RMS).
You install Microsoo SQL Server 2005. When you atempt to open the AD RMS administraton Web site, you receive
the following error messagen "SQL Server does not exist or access denied."
You need to open the AD RMS administraton Web site.
Which two actons should you perform? (Each correct answer presents part of the soluton.
Choose two.)
A. Restart IIS.
B. Manually delete the Service Connecton Point in AD DS and restart AD RMS.
C. Install Message Queuing.
D. Start the MSSQLSVC service.
Aoswern A, D
Explanatonn
RMS Administraton Issues
"SQL Server does not exist or access denied" message received when atemptng to open the RMS
Administraton Web site
If you have installed RMS by using a new installaton of SQL Server 2005 as your database server the SQL Server
Service might not be started. In SQL Server 2005, the MSSQLSERVER service is not confgured to automatcally start
when the server is started. If you have restarted your SQL Server since installing RMS and have not confgured this
service to automatcally restart RMS will not be able to functon and only the RMS Global Administraton page will be
accessible.
Aoer you have started the MSSQLSERVER service, you must restart IIS on each RMS server in the cluster to restore
RMS functonality.
________________________________________________________________________________________________
Page No | 14
Question 7
Your network consists of an Actve Directory forest that contains one domain named contoso.com. All domain
controllers run Windows Server 2008 R2 and are confgured as DNS servers. You have two Actve Directory-integrated
zonesn contoso.com and nwtraders.com.
You need to ensure a user is able to modify records in the contoso.com zone. You must prevent the user from
modifying the SOA record in the nwtraders.com zone.
What should you do?
A. From the Actve Directory Users and Computers console, run the Delegaton of Control Wizard.
B. From the Actve Directory Users and Computers console, modify the permissions of the Domain Controllers
organizatonal unit (OU).
C. From the DNS Manager console, modify the permissions of the contoso.com zone.
D. From the DNS Manager console, modify the permissions of the nwtraders.com zone.
Aoswern C
Explanatonn
Answern From the DNS Manager console, modify the permissions of the contoso.com zone.
Explanatonn
Modify Security for a Directory-Integrated Zone
You can manage the discretonary access control list (DACL) on the DNS zones that are stored in Actve Directory
Domain Services (AD DS). You can use the DACL to control the permissions for the Actve Directory users and groups
that may control the DNS zones.
Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum required to complete this
procedure.
To modify security for a directory-integrated zonen
1. Open DNS Manager.
2. In the console tree, click the applicable zone.
Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Acton menu, click Propertes.
4. On the General tab, verify that the zone type is Actve Directory-integrated.
5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable
zone and reset their permissions as needed.
Further informatonn
htpn//support.microsoo.com/kb/163971
The Structure of a DNS SOA Record
The frst resource record in any Domain Name System (DNS) Zone fle should be a Start of Authority (SOA) resource
record. The SOA resource record indicates that this DNS name server is the best source of informaton for the data
within this DNS domain.
The SOA resource record contains the following informatonn
Source host - The host where the fle was created.
Contact e-mail - The e-mail address of the person responsible for administering the domain's zone fle. Note that a "."
is used instead of an "@" in the e-mail name.
Serial number - The revision number of this zone fle. Increment this number each tme the zone fle is changed. It is
important to increment this value each tme a change is made, so that the changes will be distributed to any
secondary DNS servers.
Refresh Time - The tme, in seconds, a secondary DNS server waits before querying the primary DNS server's SOA
record to check for changes. When the refresh tme expires, the secondary DNS server requests a copy of the current
________________________________________________________________________________________________
Page No | 15
SOA record from the primary. The primary DNS server complies with this request. The secondary DNS server
compares the serial number of the primary DNS server's current SOA record and the serial number in it's own SOA
record. If they are diferent, the secondary DNS server will request a zone transfer from the primary DNS server. The
default value is 3,600.
Retry tme - The tme, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, the retry
tme is less than the refresh tme. The default value is 600.
Expire tme - The tme, in seconds, that a secondary server will keep trying to complete a zone transfer. If this tme
expires prior to a successful zone transfer, the secondary server will expire its zone fle. This means the secondary will
stop answering queries, as it considers its data too old to be reliable. The default value is 86,400.
Minimum TTL - The minimum tme-to-live value applies to all resource records in the zone fle. This value is supplied
in query responses to inform other servers how long they should keep the data in cache. The default value is 3,600.
Modify the start of authority (SOA) record for a zone
..
Notesn To perform this procedure, you must be a member of the Administrators group on the local computer, or you
must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain
Admins group might be able to perform this procedure. As a security best practce, consider using Run as to perform
this procedure.
Question 8
Your company has an Actve Directory domain. All servers run Windows Server 2008 R2.
Your company uses an Enterprise Root certfcate authority (CA).
You need to ensure that revoked certfcate informaton is highly available.
What should you do?
A. Implement an Online Certfcate Status Protocol (OCSP) responder by using an Internet Security and Acceleraton
Server array.
B. Publish the trusted certfcate authorites list to the domain by using a Group Policy Object (GPO).
C. Implement an Online Certfcate Status Protocol (OCSP) responder by using Network Load Balancing.
D. Create a new Group Policy Object (GPO) that allows users to trust peer certfcates. Link the GPO to the domain.
Aoswern C
Explanatonn
Answern Implement an Online Certfcate Status Protocol (OCSP) responder by using Network Load Balancing.
Explanatonn
AD CSn Online Certfcate Status Protocol Support
Certfcate revocaton is a necessary part of the process of managing certfcates issued by certfcaton authorites
(CAs). The most common means of communicatng certfcate status is by distributng certfcate revocaton lists
(CRLs). In the Windows Server® 2008 operatng system, public key infrastructures (PKIs) where the use of
conventonal CRLs is not an optmal soluton, an Online Responder based on the Online Certfcate Status Protocol
(OCSP) can be used to manage and distribute revocaton status informaton.
What does OCSP support do?
The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two common
methods for conveying informaton about the validity of certfcates. Unlike CRLs, which are distributed periodically
and contain informaton about all certfcates that have been revoked or suspended, an Online Responder receives
and responds only to requests from clients for informaton about the status of a single certfcate. The amount of data
retrieved per request remains constant no mater how many revoked certfcates there might be.
In many circumstances, Online Responders can process certfcate status requests more efciently than by using CRLs.
________________________________________________________________________________________________
Page No | 16
..
Adding one or more Online Responders can signifcantly enhance the fexibility and scalability of an organizaton's PKI.
..
Further informatonn
htpn//blogs.technet.com/b/askds/archive/2009/08/20/implementng-an-ocsp-responder-part-v-highavailability.aspx
Implementng an OCSP Respondern Part V High Availability
There are two major pieces in implementng the High Availability Confguraton. The frst step is to add the OCSP
Responders to what is called an Array. When OCSP Responders are confgured in an Array, the confguraton of the
OCSP responders can be easily maintained, so that all Responders in the Array have the same confguraton. The
confguraton of the Array Controller is used as the baseline confguraton that is then applied to other members of
the Array. The second piece is to load balance the OCSP Responders. Load balancing of the OCSP responders is what
actually provides fault tolerance.
Question 9
You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is confgured as
an enterprise root certfcaton authority (CA).
You install the Online Responder role service on Server2.
You need to confgure Server1 to support the Online Responder.
What should you do?
A. Import the enterprise root CA certfcate.

B. Confgure the Certfcate Revocaton List Distributon Point extension.
C. Confgure the Authority Informaton Access (AIA) extension.
D. Add the Server2 computer account to the CertPublishers group.
Aoswern C
Explanatonn
Confgure a CA to Support OCSP Responders
To functon properly, an Online Responder must have a valid Online Certfcate Status Protocol (OCSP)Response
Signing certfcate. This OCSP Response Signing certfcate is also needed if you are using a non-Microsoo OCSP
responder.
Confguring a certfcaton authority (CA) to support OCSP responder services includes the following stepsn
1. Confgure certfcate templates and issuance propertes for OCSP Response Signing certfcates.
2. Confgure enrollment permissions for any computers that will be hostng Online Responders.
3. If this is a Windows Server 2003–based CA, enable the OCSP extension in issued certfcates.
4. Add the locaton of the Online Responder or OCSP responder to the authority informaton access extension on the
CA.
5. Enable the OCSP Response Signing certfcate template for the CA.
Question 10
Your company has an Actve Directory domain. A user atempts to log on to a computer that was turned of for twelve
weeks. The administrator receives an error message that authentcaton has failed.
You need to ensure that the user is able to log on to the computer.
What should you do?
A. Run the netsh command with the set and machine optons.
________________________________________________________________________________________________
Page No | 17
B. Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain.
C. Run the netdom TRUST /reset command.
D. Run the Actve Directory Users and Computers console to disable, and then enable the computer account.
Aoswern B
Explanatonn
Answern Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the
domain.
Explanatonn
htpn//social.technet.microsoo.com/wiki/contents/artcles/9157.trust-relatonship-between-workstaton-andprimary-
domain-failed.aspx
Trust Relatonship between Workstaton and Primary Domain failed
What are the common causes which generates this message on client systems?
There might be multple reasons for this kind of behaviour. Below are listed a few of themn
1. Single SID has been assigned to multple computers.
2. If the Secure Channel is Broken between Domain controller and workstatons
3. If there are no SPN or DNSHost Name mentoned in the computer account atributes
4. Outdated NIC Drivers.
How to Troubleshoot this behaviour?
..
2. If the Secure Channel is Broken between Domain controller and workstatons
When a Computer account is joined to the domain, Secure Channel password is stored with computer account in
domain controller. By default this password will change every 30 days (This is an automatc process, no manual
interventon is required). Upon startng the computer, Netlogon atempts to discover a DC for the domain in which its
machine account exists. Aoer locatng the appropriate DC, the machine account password from the workstaton is
authentcated against the password on the DC.
If there are problems with system tme, DNS confguraton or other setngs, secure channel’s password between
Workstaton and DCs may not synchronize with each other.
A common cause of broken secure channel [machine account password] is that the secure channel password held by
the domain member does not match that held by the AD. Ooen, this is caused by performing a Windows System
Restore (or revertng to previous backup or snapshot) on the member machine, causing an old (previous) machine
account password to be presented to the AD.
Resolutonn
Most simple resoluton would be unjoin/disjoin the computer from the domain and rejoin the computer account back
to the domain. (this is a somewhat similar principle to performing a password reset for a user account)
Or
You can go ahead and reset the computer account using netdom.exe tool
Netdom
Enables administrators to manage Actve Directory domains and trust relatonships from the command prompt.
Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if
you have the Actve Directory Domain Services (AD DS) server role installed. It is also available if you install the Actve
Directory Domain Services Tools that are part of the Remote Server Administraton Tools (RSAT).
You can use netdom ton
Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server 2008 R2,
Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain. Manage computer
accounts for domain member workstatons and member servers. Management operatons includen
Establish one-way or two-way trust relatonships between domains, including the following kinds of trust
relatonshipsn
Verify or reset the secure channel for the following confguratonsn
________________________________________________________________________________________________
Page No | 18
* Member workstatons and servers.

* Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
* Specifc Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000 replicas.
Manage trust relatonships between domains.
Syntax
NetDom <OperatonN [<ComputerN] [{/dn | /domainn} <DomainN] [<OptonsN]
Netdom reset Resets the secure connecton between a workstaton and a domain controller.
Syntax netdom reset <ComputerN {/dn | /domainn}<DomainN [{/sn | /servern}<ServerN] [{/uon | /useron}<UserN {/pon | /
passwordo}{<PasswordN|*}] [{/help | /?}]
Further informatonn
Netdom trust
Establishes, verifes, or resets a trust relatonship between domains.
Syntax netdom trust <TrustngDomainNameN {/dn | /domainn} <TrustedDomainNameN [{/udn |
/userdn}[<DomainNg]<UserN [{/pdn | /passworddn}{<PasswordN|*}] [{/uon | /useron}<UserN] [{/pon |
/passwordon}{<PasswordN|*}] [/verify] [/reset] [/passwordtn<NewRealmTrustPasswordN] [/add [/realm]] [/remove
[/force]] [/twoway] [/kerberos] [/transitve[n{YES|NO}]] [/onesiden{TRUSTED | TRUSTING}] [/force] [/quarantne[n{YES
| NO}]] [/namesufxesn<TrustNameN [/togglesufxn#]] [/EnableSIDHistory] [/ForestTRANsitve]
[/SelectveAUTH][/AddTLN][/AddTLNEX][/RemoveTLN] [/RemoveTLNEX][{/help | /?}]
Question 11
Your company has an Actve Directory forest that contains a single domain. The domain member server has an Actve
Directory Federaton Services (AD FS) role installed.
You need to confgure AD FS to ensure that AD FS tokens contain informaton from the Actve Directory domain.
What should you do?
A. Add and confgure a new account partner.

B. Add and confgure a new resource partner.
C. Add and confgure a new account store.
D. Add and confgure a Claims-aware applicaton.
Aoswern C
Explanatonn
Understanding Account Stores
Actve Directory Federaton Services (AD FS) uses account stores to log on users and extract security claims for those
users. You can confgure multple account stores for a single Federaton Service. You can also defne their priority. The
Federaton Service uses Lightweight Directory Access Protocol (LDAP) to communicate with account stores. AD FS
supports the following two account storesn
Actve Directory Domain Services (AD DS)
Actve Directory Lightweight Directory Services (AD LDS)
Question 12
You network consists of a single Actve Directory domain. All domain controllers run Windows Server 2008 R2.
You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller.
What tool should you use?
________________________________________________________________________________________________
Page No | 19
A. Actve Directory Users and Computers snap-in

B. ntdsutl
C. Local Users and Groups snap-in
D. dsmod
Aoswern B
Explanatonn
Ntdsutl
Ntdsutl.exe is a command-line tool that provides management facilites for Actve Directory Domain Services (AD DS)
and Actve Directory Lightweight Directory Services (AD LDS). You can use the ntdsutl commands to perform database
maintenance of AD DS, manage and control single master operatons, and remove metadata leo behind by domain
controllers that were removed from the network without being properly uninstalled. This tool is intended for use by
experienced administrators.
..
Commands set DSRM password - Resets the Directory Services Restore Mode (DSRM) administrator password.
Further informatonn
Set DSRM password
Resets the Directory Services Restore Mode (DSRM) password on a domain controller. At the Reset DSRM
Administrator Passwordn prompt, type any of the parameters listed under “Syntax.”
This is a subcommand of Ntdsutl and Dsmgmt. Ntdsutl and Dsmgmt are command-line tools that are built into
Windows Server 2008 and Windows Server 2008 R2. Ntdsutl is available if you have the Actve Directory Domain
Services (AD DS) or Actve Directory Lightweight Directory Services (AD LDS) server role installed.
Dsmgmt is available if you have the AD LDS server role installed. These tools are also available if you install the Actve
Question 13
Your company has a main ofce and a branch ofce. You deploy a read-only domain controller (RODC) that runs
Microsoo Windows Server 2008 to the branch ofce.
You need to ensure that users at the branch ofce are able to log on to the domain by using the RODC.
What should you do?
A. Add another RODC to the branch ofce.

B. Confgure a new bridgehead server in the main ofce.
C. Decrease the replicaton interval for all connecton objects by using the Actve Directory Sites and Services console.
D. Confgure the Password Replicaton Policy on the RODC.
Aoswern D
Explanatonn
Answern Confgure the Password Replicaton Policy on the RODC.
Explanatonn
RODC Frequently Asked Questons
What new atributes support the RODC Password Replicaton Policy?
Password Replicaton Policy is the mechanism for determining whether a user or computer's credentals are allowed
________________________________________________________________________________________________
Page No | 20
to replicate from a writable domain controller to an RODC. The Password Replicaton Policy is always set on a writable
domain controller running Windows Server 2008.
What operatons fail if the WAN is ofine, but the RODC is online in the branch ofce?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following
branch ofce operatons failn
Password changes
Atempts to join a computer to a domain
Computer rename
Authentcaton atempts for accounts whose credentals are not cached on the RODC
Group Policy updates that an administrator might atempt by running the gpupdate /force command
What operatons succeed if the WAN is ofine, but the RODC is online in the branch ofce?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following
branch ofce operatons succeedn
Authentcaton and logon atempts, if the credentals for the resource and the requester are already cached, Local
RODC server administraton performed by a delegated RODC server administrator.
Question 14
Your company has a single Actve Directory domain named intranet.adatum.com. The domain controllers run
Windows Server 2008 and the DNS server role. All computers, including non-domain members, dynamically register
their DNS records.
You need to confgure the intranet.adatum.com zone to allow only domain members to dynamically register DNS
records.
What should you do?
A. Set dynamic updates to Secure Only.

B. Remove the Authentcated Users group.
C. Enable zone transfers to Name Servers.
D. Deny the Everyone group the Create All Child Objects permission.
Aoswern A
Explanatonn
Answern Set dynamic updates to Secure Only.
Allow Only Secure Dynamic Updates
Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their
resource records with a DNS server whenever changes occur. This reduces the need for manual administraton of zone
records, especially for clients that frequently move or change locatons and use Dynamic Host Confguraton Protocol
(DHCP) to obtain an IP address.
Dynamic updates can be secure or nonsecure. DNS update security is available only for zones that are integrated into
Actve Directory Domain Services (AD DS). Aoer you directory-integrate a zone, access control list (ACL) editng
features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specifed
zone or resource record.
Further informatonn
Understanding Dynamic Update
Question 15
________________________________________________________________________________________________
Page No | 21
Your network consists of a single Actve Directory domain. All domain controllers run Windows Server 2008 R2 and
are confgured as DNS servers. A domain controller named DC1 has a standard primary zone for contoso.com. A
domain controller named DC2 has a standard secondary zone for contoso.com.
You need to ensure that the replicaton of the contoso.com zone is encrypted.
You must not lose any zone data.
What should you do?
A. Convert the primary zone into an Actve Directory-integrated stub zone. Delete the secondary zone.
B. Convert the primary zone into an Actve Directory-integrated zone. Delete the secondary zone.
C. Confgure the zone transfer setngs of the standard primary zone. Modify the Master Servers lists on the secondary
zone.
D. On both servers, modify the interface that the DNS server listens on.
Aoswern B
Explanatonn
Answern Convert the primary zone into an Actve Directory-integrated zone. Delete the secondary zone.
Change the Zone Type
You can use this procedure to change make a zone a primary, secondary, or stub zone. You can also use it to integrate
a zone with Actve Directory Domain Services (AD DS).
DNS features multmaster data replicaton and enhanced security based on the capabilites of AD DS.
In a standard zone storage model, DNS updates are conducted based on a single-master update model.
In this model, a single authoritatve DNS server for a zone is designated as the primary source for the zone. This server
maintains the master copy of the zone in a local fle. With this model, the primary server for the zone represents a
single fxed point of failure. If this server is not available, update requests from DNS clients are not processed for the
zone.
..
AD DS domain.
network.
htpn//technet.microsoo.com/en-us/library/ee649124%28v=ws.10%29.aspx
Deploy IPsec Policy to DNS Servers
You can deploy IPsec rules through one of the following mechanismsn
Domain Controllers organizatonal unit (OU)n If the DNS servers in your domain are Actve Directoryintegrated, you
________________________________________________________________________________________________
Page No | 22
can deploy IPsec policy setngs using the Domain Controllers OU. This opton is recommended to make confguraton
and deployment easier.
DNS Server OU or security groupn If you have DNS servers that are not domain controllers, then consider creatng a
separate OU or a security group with the computer accounts of your DNS servers.
Local frewall confguratonn Use this opton if you have DNS servers that are not domain members or if you have a
small number of DNS servers that you want to confgure locally.
Deploying Secure DNS
Protectng DNS Servers
When the integrity of the responses of a DNS server are compromised or corrupted, or when the DNS data is
tampered with, clients can be misdirected to unauthorized locatons without their knowledge. Aoer the clients start
communicatng with these unauthorized locatons, atempts can be made to gain access to informaton that is stored
on the client computers. Spoofng and cache polluton are examples of this type of atack. Another type of atack, the
denial-of-service atack, atempts to incapacitate a DNS server to make DNS infrastructure unavailable in an
enterprise. To protect your DNS servers from these types of atacksn
Use IPsec between DNS clients and servers.
Monitor network actvity.
Close all unused frewall ports.
Implementng IPsec Between DNS Clients and Servers
IPsec encrypts all trafc over a network connecton. Encrypton minimizes the risk that data that is sent between the
DNS clients and the DNS servers can be scanned for sensitve informaton or tampered with by anyone atemptng to
collect informaton by monitoring trafc on the network. When IPsec is enabled, both ends of a connecton are
validated before communicaton begins. A client can be certain that the DNS server with which it is communicatng is
a valid server. Also, all communicaton over the connecton is encrypted, thereby eliminatng the possibility of
tampering with client communicaton. Encrypton prevents spoofng atacks, which are false responses to DNS client
queries by unauthorized sources that act like a DNS server.
Further informatonn
Understanding Zone Types
The DNS Server service provides for three types of zonesn
Primary zone
Secondary zone
Stub zone
Noten If the DNS server is also an Actve Directory Domain Services (AD DS) domain controller, primary zones and stub
zones can be stored in AD DS.
The following sectons describe each of these zone typesn
Primary zone When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for
informaton about this zone, and it stores the master copy of zone data in a local fle or in AD DS. When the zone is
stored in a fle, by default the primary zone fle is named zone_name.dns and it is located in the %
windir%gSystem32gDns folder on the server.
Secondary zone When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for
informaton about this zone. The zone at this server must be obtained from another remote DNS server computer that
also hosts the zone. This DNS server must have network access to the remote DNS server that supplies this server with
updated informaton about the zone. Because a secondary zone is merely a copy of a primary zone that is hosted on
another server, it cannot be stored in AD DS.
Stub zone
When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for informaton about the
authoritatve name servers for this zone. The zone at this server must be obtained from another DNS server that hosts
the zone. This DNS server must have network access to the remote DNS server to copy the authoritatve name server
informaton about the zone.
You can use stub zones ton
________________________________________________________________________________________________
Page No | 23
Keep delegated zone informaton current. By updatng a stub zone for one of its child zones regularly, the DNS server
that hosts both the parent zone and the stub zone will maintain a current list of authoritatve DNS servers for the child
zone.
Improve name resoluton. Stub zones enable a DNS server to perform recursion using the stub zone's list of name
servers, without having to query the Internet or an internal root server for the DNS namespace.
Simplify DNS administraton. By using stub zones throughout your DNS infrastructure, you can distribute a list of the
authoritatve DNS servers for a zone without using secondary zones. However, stub zones do not serve the same
purpose as secondary zones, and they are not an alternatve for enhancing redundancy and load sharing.
There are two lists of DNS servers involved in the loading and maintenance of a stub zonen
The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary
or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone.
The list of the authoritatve DNS servers for a zone. This list is contained in the stub zone using name server (NS)
resource records.
When a DNS server loads a stub zone, such as widgets.tailspintoys.com, it queries the master servers, which can be in
diferent locatons, for the necessary resource records of the authoritatve servers for the zone
widgets.tailspintoys.com. The list of master servers may contain a single server or multple servers, and it can be
changed anytme.
htpn//social.technet.microsoo.com/Forums/en-US/winserverNIS/thread/d352966e-b1ec-46b6-a8b4-317c2c3388c3/
Answered what is non-standard dns secondary zone?
Qn While passing through 70-291 exam prep questons, I encountered the term "standard secondary zone".
From the context of other questons I understood that "standard", in context of primary zone, mean "non-
ADintegrated".
An Standard means it is not an AD integrated zone. AD integrated zones are stored in the AD database and not in a text
fle.
Qn What does "standard" mean in context of DNS secondary zone?
An It means the same thing in context of a Standard Primary Zone. Simply stated, "Standard" means the zone data is
stored in a text fle, which can be found in system32gdns.
Question 16
You are decommissioning domain controllers that hold all forest-wide operatons master roles.
You need to transfer all forest-wide operatons master roles to another domain controller.
Which two roles should you transfer? (Each correct answer presents part of the soluton. Choose two.)
A. Domain naming master

B. Infrastructure master
C. RID master
D. PDC emulator
E. Schema master
Aoswern A, E
Explanatonn
Answern Schema master
Domain naming master
htpn//social.technet.microsoo.com/wiki/contents/artcles/832.transferring-fsmo-roles-in-indows-server-2008.aspx
Transferring FSMO Roles in Windows Server 2008
One of any system administrator dutes, would be to upgrade a current domain controller to a new hardware server.
One of the crucial steps required to successfully migrate your domain controller, is to be able to successfully transfer
the FSMO roles to the new hardware server. FSMO stands for Flexible Single Master
Operatons, and in a forest there are at least fve roles.
________________________________________________________________________________________________
Page No | 24
The fve FSMO roles aren

Schema Master
Domain Naming Master
Infrastructure Master
Relatve ID (RID) Master
PDC Emulator
The frst two roles above are forest-wide, meaning there is one of each for the entre forest. The last three are
domain-wide, meaning there is one of each per domain. If there is one domain in your forest, you will have fve FSMO
roles. If you have three domains in your forest, there will be 11 FSMO roles.
Question 17
Contoso, Ltd. has an Actve Directory domain named ad.contoso.com. Fabrikam, Inc. has an Actve Directory domain
named intranet.fabrikam.com. Fabrikam's security policy prohibits the transfer of internal DNS zone data outside the
Fabrikam network.
You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain.
What should you do?
A. Create a new stub zone for the intranet.fabrikam.com domain.

B. Confgure conditonal forwarding for the intranet.fabrikam.com domain.
C. Create a standard secondary zone for the intranet.fabrikam.com domain.
D. Create an Actve DirectoryCintegrated zone for the intranet.fabrikam.com domain.
Aoswern B
Explanatonn
Answern Confgure conditonal forwarding for the intranet.fabrikam.com domain.
Explanatonn
Understanding Forwarders
A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names
to DNS servers outside that network. You can also forward queries according to specifc domain names using
conditonal forwarders.
You designate a DNS server on a network as a forwarder by confguring the other DNS servers in the network to
forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name
resoluton for names outside your network, such as names on the Internet, and improve the efciency of name
resoluton for the computers in your network.
The following fgure illustrates how external name queries are directed with forwarders.
________________________________________________________________________________________________
Page No | 25
Conditonal forwarders
A conditonal forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name
in the query. For example, you can confgure a DNS server to forward all the queries that it receives for names ending
with corp.contoso.com to the IP address of a specifc DNS server or to the IP addresses of multple DNS servers.
Further informatonn
Assign a Conditonal Forwarder for a Domain Name
Confgure a DNS Server to Use Forwarders
Question 18
An Actve Directory database is installed on the C volume of a domain controller.

You need to move the Actve Directory database to a new volume.
What should you do?
A. Copy the ntds.dit fle to the new volume by using the ROBOCOPY command.
B. Move the ntds.dit fle to the new volume by using Windows Explorer.
C. Move the ntds.dit fle to the new volume by running the Move-item command in Microsoo Windows PowerShell.
D. Move the ntds.dit fle to the new volume by using the Files opton in the Ntdsutl utlity.
Aoswern D
Explanatonn
Answern Move the ntds.dit fle to the new volume by using the Files opton in the Ntdsutl utlity.
Explanatonn
Move the Directory Database and Log Files to a Local Drive
You can use this procedure to move Actve Directory database and log fles to a local drive.
When you move the fles to a folder on the local domain controller, you can move them permanently or temporarily.
Move the fles to a temporary destnaton if you need to reformat the original locaton, or move the fles to a
permanent locaton if you have additonal disk space. If you reformat the original drive, use the same procedure to
move the fles back aoer the reformat is complete. Ntdsutl.exe updates the registry when you move fles locally. Even
if you are moving the fles only temporarily, use Ntdsutl.exe so that the registry is always current.
On a domain controller that is running Windows Server 2008, you do not have to restart the domain controller in
Directory Services Restore Mode (DSRM) to move database fles. You can stop the Actve Directory Domain
Services (AD DS) service and then restart the service aoer you move the fles to their permanent locaton.
________________________________________________________________________________________________
Page No | 26
To move the directory database and log fles to a local driven

..
7. At the ntdsutl prompt, type fles, and then press ENTER.
8. To move the database fle, at the fle maintenancen prompt, use the following commandsn
....
Further informatonn
htpn//servergeeks.wordpress.com/2013/01/01/moving-actve-directory-database-and-logs/
Moving Actve Directory Database and Logs
Step 1
Start the server in Directory Services Restore Mode
Windows Server 2003/2008 Directory Service opens its fles in exclusive mode. This means that the fles cannot be
managed while the server is operatng as a domain controller. To perform any fles movement related actvites using
ntdsutl, we need to start the server in Directory Services Restore Mode.
To start the server in Directory Services Restore mode, follow these stepsn
Restart the computer.
Aoer the BIOS informaton is displayed, press F8.
Use the DOWN ARROW to select Directory Services Restore Mode, and then press ENTER.
Log on with your local administratve account and password. (Not Domain Administratve account)
________________________________________________________________________________________________
Page No | 27
Noten using service control (SC.exe) you can verify quickly ntds services are running or stopped. In command prompt
type SC query ntds
Step 2
How to Move Actve Directory Database and Logs
You can move the Ntds.dit data fle to a new folder. If you do so, the registry is updated so that Directory
Service uses the new locaton when you restart the server.
To move the data fle to another folder, follow these stepsn
Click Start, click Run, type ntdsutl in the Open box, and then press ENTER.
At the Ntdsutl command prompt, type actvate instance ntds, and then press ENTER.
________________________________________________________________________________________________
Page No | 28
At the Ntdsutl command prompt, type fles, and then press ENTER.
At the fle maintenance command prompt, type move DB to <new locatonN (where new locaton is an existng folder
that you have created for this purpose) and then press ENTER.
In this case, the new locaton for database is CngADgDatabase Now
Now to move logs , at the fle maintenance command prompt, type move logs to <new locatonN (where new locaton
is an existng folder that you have created for this purpose) and then press ENTER. In our case, the new locaton for
database is CngADgLogs
________________________________________________________________________________________________
Page No | 29
To quit fle maintenance, type quit. Again to Ntdsutl, type quit to close the prompt
Restart the computer. AD database and Logs are moved successfully to new locaton.
Question 19
Your company has fle servers located in an organizatonal unit named Payroll. The fle servers contain payroll fles
located in a folder named Payroll.
You create a GPO.
You need to track which employees access the Payroll fles on the fle servers.
What should you do?
A. Enable the Audit process tracking opton. Link the GPO to the Domain Controllers organizatonal unit. On the fle
servers, confgure Auditng for the Authentcated Users group in the Payroll folder.
B. Enable the Audit object access opton. Link the GPO to the Payroll organizatonal unit. On the fle servers, confgure
Auditng for the Everyone group in the Payroll folder.
C. Enable the Audit process tracking opton. Link the GPO to the Payroll organizatonal unit. On the fle servers,
confgure Auditng for the Everyone group in the Payroll folder.
D. Enable the Audit object access opton. Link the GPO to the domain. On the domain controllers, confgure Auditng
for the Authentcated Users group in the Payroll folder.
Aoswern B
Explanatonn
Answern Enable the Audit object access opton. Link the GPO to the Payroll organizatonal unit. On the fle servers,
confgure Auditng for the Everyone group in the Payroll folder.
Explanatonn
htpn//technet.microsoo.com/en-us/library/dd349800%28v=ws.10%29.aspx
Audit Policy
Establishing an organizatonal computer system audit policy is an important facet of informaton security.
Confguring Audit policy setngs that monitor the creaton or modifcaton of objects gives you a way to track
potental security problems, helps to ensure user accountability, and provides evidence in the event of a security
breach.
There are nine diferent kinds of events for which you can specify Audit Policy setngs. If you audit any of these kinds
of events, Windows® records the events in the Security log, which you can fnd in Event Viewer.
________________________________________________________________________________________________
Page No | 30
..
Object access. Audit this to record when someone has used a fle, folder, printer, or other object.
..
Process tracking. Audit this to record when events such as program actvaton or a process exitng occur.
..
When you implement Audit Policy setngsn
..
If you want to audit directory service access or object access, determine which objects you want to audit access of and
what type of access you want to audit. For example, if you want to audit all atempts by users to open a partcular fle,
you can confgure audit policy setngs in the object access event category so that both successful and failed atempts
to read a fle are recorded.
Further informatonn
htpn//technet.microsoo.com/en-us/library/hh147307%28v=ws.10%29.aspx
Group Policy for Beginners
Group Policy Links
At the top level of AD DS are sites and domains. Simple implementatons will have a single site and a single domain.
Within a domain, you can create organizatonal units (OUs). OUs are like folders in Windows Explorer.
Instead of containing fles and subfolders, however, they can contain computers, users, and other objects.
For example, in Figure 1 you see an OU named Departments. Below the Departments OU, you see four subfoldersn
Accountng, Engineering, Management, and Marketng. These are child OUs. Other than the
Domain Controllers OU that you see in Figure 1, nothing else in the fgure is an OU.
What does this have to do with Group Policy links? Well, GPOs in the Group Policy objects folder have no impact
unless you link them to a site, domain, or OU. When you link a GPO to a container, Group Policy applies the GPO’s
setngs to the computers and users in that container.
Question 20
Your company uses a Windows 2008 Enterprise certfcate authority (CA) to issue certfcates.
You need to implement key archival.
What should you do?
A. Confgure the certfcate for automatc enrollment for the computers that store encrypted fles.
B. Install an Enterprise Subordinate CA and issue a user certfcate to users of the encrypted fles.
C. Apply the Hisecdc security template to the domain controllers.
D. Archive the private key on the server.
Aoswern D
Explanatonn
Answern Archive the private key on the server.
Explanatonn
Enable Key Archival for a CA
Before a key recovery agent can use a key recovery certfcate, the key recovery agent must have enrolled for the key
recovery certfcate and be registered as the recovery agent for the certfcaton authority (CA).
You must be a CA administrator to complete this procedure.
To enable key archival for a CAn
1. Open the Certfcaton Authority snap-in.
2. In the console tree, click the name of the CA.
4. Click the Recovery Agents tab, and then click Archive the key.
________________________________________________________________________________________________
Page No | 31
5. In Number of recovery agents to use, type the number of key recovery agents that will be used to encrypt the
archived key.
The Number of recovery agents to use must be between one and the number of key recovery agent certfcates that
have been confgured.
6. Click Add. Then, in Key Recovery Agent Selecton, click the key recovery certfcates that are displayed, and click OK.
7. The certfcates should appear in the Key recovery agent certfcates list, but their status is listed as Not loaded.
8. Click OK or Apply. When prompted to restart the CA, click Yes. When the CA has restarted, the status of the
certfcates should be listed as Valid.
Further informatonn
Key Archival and Management in Windows Server 2008
Managing Key Archival and Recovery
Question 21
Your company has an Actve Directory domain that runs Windows Server 2008 R2. The Sales OU contains an OU for
Computers, an OU for Groups, and an OU for Users.
You perform nightly backups. An administrator deletes the Groups OU.
You need to restore the Groups OU without afectng users and computers in the Sales OU.
What should you do?
A. Perform an authoritatve restore of the Sales OU.

B. Perform a non-authoritatve restore of the Sales OU.
C. Perform an authoritatve restore of the Groups OU.
D. Perform a non-authoritatve restore of the Groups OU.
Aoswern C
Explanatonn
Answern Perform an authoritatve restore of the Groups OU.
Explanatonn
Performing Authoritatve Restore of Actve Directory Objects
An authoritatve restore process returns a designated, deleted Actve Directory object or container of objects to its
predeleton state at the tme when it was backed up. For example, you might have to perform an authoritatve restore
if an administrator inadvertently deletes an organizatonal unit (OU) that contains a large number of users. In most
cases, there are two parts to the authoritatve restore processn a nonauthoritatve restore from backup, followed by an
authoritatve restore of the deleted objects. If you perform a nonauthoritatve restore from backup only, the deleted
OU is not restored because the restored domain controller is updated aoer the restore process to the current status of
its replicaton partners, which have deleted the OU. To recover the deleted OU, aoer you perform nonauthoritatve
restore from backup and before allowing replicaton to occur, you must perform an authoritatve restore procedure.
During the authoritatve restore procedure, you mark the OU as authoritatve and let the replicaton process restore it
to all the other domain controllers in the domain. Aoer an authoritatve restore, you also restore group memberships,
if necessary.
Question 22
Your network consists of a single Actve Directory domain. The functonal level of the forest is Windows Server 2008
R2.
________________________________________________________________________________________________
Page No | 32
You need to create multple password policies for users in your domain.
What should you do?
A. From the Group Policy Management snap-in, create multple Group Policy objects.
B. From the Schema snap-in, create multple class schema objects.
C. From the ADSI Edit snap-in, create multple Password Setng objects.
D. From the Security Confguraton Wizard, create multple security policies.
Aoswern C
Explanatonn
Answern From the ADSI Edit snap-in, create multple Password Setng objects.
Explanatonn
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
..
In Windows Server 2008, you can use fne-grained password policies to specify multple password policies and apply
diferent password restrictons and account lockout policies to diferent sets of users within a single domain.
..
To store fne-grained password policies, Windows Server 2008 includes two new object classes in the Actve
Directory Domain Services (AD DS) scheman
Password Setngs Container
Password Setngs The Password Setngs Container (PSC) object class is created by default under the System container
in the domain. It stores the Password Setngs objects (PSOs) for that domain. You cannot rename, move, or delete
this container.
...
Steps to confgure fne-grained password and account lockout policies
When the group structure of your organizaton is defned and implemented, you can confgure and apply fnegrained
password and account lockout policies to users and global security groups. Confguring fne-grained password and
account lockout policies involves the following stepsn
Step 1n Create a PSO
Step 2n Apply PSOs to Users and Global Security Groups
Step 3n Manage a PSO
Step 4n View a Resultant PSO for a User or a Global Security Group
Step 1n Create a PSO
You can create Password Setngs objects (PSOs)n
Creatng a PSO using the Actve Directory module for Windows PowerShell
Creatng a PSO using ADSI Edit
Creatng a PSO using ldifde
Question 23
You have a domain controller that runs Windows Server 2008 R2 and is confgured as a DNS server.
You need to record all inbound DNS queries to the server.
What should you confgure in the DNS Manager console?
A. Enable debug logging.

B. Enable automatc testng for simple queries.
C. Confgure event logging to log errors and warnings.
D. Enable automatc testng for recursive queries.
________________________________________________________________________________________________
Page No | 33
Aoswern A
Explanatonn
DNS Tools
Event-monitoring utlites
The Windows Server 2008 family includes two optons for monitoring DNS serversn
Default logging of DNS server event messages to the DNS server log.
DNS server event messages are separated and kept in their own system event log, the DNS server log, which you can
view using DNS Manager or Event Viewer.
The DNS server log contains events that are logged by the DNS Server service. For example, when the DNS server
starts or stops, a corresponding event message is writen to this log. Most additonal critcal DNS Server service events
are also logged here, for example, when the server starts but cannot locate initalizing data and zones or boot
informaton stored in the registry or (in some cases) Actve Directory Domain Services (AD DS).
You can use Event Viewer to view and monitor client-related DNS events. These events appear in the System log, and
they are writen by the DNS Client service at any computers running Windows (all versions).
Optonal debug optons for trace logging to a text fle on the DNS server computer.
You can also use DNS Manager to selectvely enable additonal debug logging optons for temporary trace logging to a
text-based fle of DNS server actvity. The fle that is created and used for this feature, Dns.log, is stored in the
%systemroot%gSystem32gDns folder.
Using server debug logging optons
The following DNS debug logging optons are availablen
Directon of packets
Send Packets sent by the DNS server are logged in the DNS server log fle.
Receive Packets received by the DNS server are logged in the log fle.
Further informatonn
Select and enable debug logging optons on the DNS server
Question 24
Your company has a main ofce and a branch ofce. The company has a single-domain Actve Directory forest. The
main ofce has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. The branch ofce has
a Windows Server 2008 R2 read-only domain controller (RODC) named DC3.
All domain controllers hold the DNS Server role and are confgured as Actve Directory-integrated zones. The DNS
zones only allow secure updates.
You need to enable dynamic DNS updates on DC3.
What should you do?
A. Run the Dnscmd.exe /ZoneResetType command on DC3.

B. Reinstall Actve Directory Domain Services on DC3 as a writable domain controller.
C. Create a custom applicaton directory partton on DC1. Confgure the partton to store Actve Directoryintegrated
zones.
D. Run the Ntdsutl.exe N DS Behavior commands on DC3.
Aoswern B
Explanatonn
________________________________________________________________________________________________
Page No | 34
Answern Reinstall Actve Directory Domain Services on DC3 as a writable domain controller.
Explanatonn
htpn//technet.microsoo.com/en-us/library/cc754218%28WS.10%29.aspx#BKMK_DDNS
Appendix An RODC Technical Reference Topics
DNS updates for clients that are located in an RODC site
When a client atempts a dynamic update, it sends a start of authority (SOA) query to its preferred Domain Name
System (DNS) server. Typically, clients are confgured to use the DNS server in their branch site as their preferred DNS
server. The RODC does not hold a writeable copy of the DNS zone. Therefore, when it is queried for the SOA record, it
returns the name of a writable domain controller that runs Windows Server 2008 or later and hosts the Actve
Directory–integrated zone, just as a secondary DNS server handles updates for zones that are not Actve Directory–
integrated zones. Aoer it receives the name of a writable domain controller that runs Windows Server 2008 or later,
the client is then responsible for performing the DNS record registraton against the writeable server. The RODC waits
a certain amount of tme, as explained below, and then it atempts to replicate the updated DNS object in Actve
Directory Domain Services (AD DS) from the DNS server that it referred the client to through an RSO operaton.
Noten
For the DNS server on the RODC to perform an RSO operaton of the DNS record update, a DNS server that runs
Windows Server 2008 or later must host writeable copies of the zone that contains the record. That DNS server must
register a name server (NS) resource record for the zone. The Windows Server 2003 Branch Ofce Guide
recommended restrictng name server (NS) resource record registraton to a subset of the available DNS servers. If
you followed those guidelines and you do not register at least one writable DNS server that runs Windows Server
2008 or later as a name server for the zone, the DNS server on the RODC atempts to perform the RSO operaton with
a DNS server that runs Windows Server 2003. That operaton fails and generates a 4015 Error in the DNS event log of
the RODC, and replicaton of the DNS record update will be delayed untl the next scheduled replicaton cycle.
Further informatonn
Plan DNS Servers for Branch Ofce Environments
This topic describes best practces for installing Domain Name System (DNS) servers to support Actve Directory
Domain Services (AD DS) in branch ofce environments.
As a best practce, use Actve Directory–integrated DNS zones, which are hosted in the applicaton directory parttons
named ForestDNSZones and DomainDNSZones. The following guidelines are based on the assumpton that you are
following this best practce.
In branch ofces that have a read-only domain controller (RODC), install a DNS server on each RODC so that client
computers in the branch ofce can stll perform DNS lookups when the wide area network (WAN) link to a DNS server
in a hub site is not available. The best practce is to install the DNS server when you install AD DS, using Dcpromo.exe.
Otherwise, you must use Dnscmd.exe to enlist the RODC in the DNS applicaton directory parttons that host Actve
Directory–integrated DNS zones.
Noten You also have to confgure the DNS client’s setng for the RODC so that it points to itself as its preferred DNS
server.
To facilitate dynamic updates for DNS clients in branch ofces that have an RODC, you should have at least one
writeable Windows Server 2008 DNS server that hosts the corresponding DNS zone for which client computers in the
branch ofce are atemptng to make DNS updates. The writeable Windows Server 2008 DNS server must register
name server (NS) resource records for that zone.
By having the writeable Windows Server 2008 DNS server host the corresponding zone, client computers that are in
branch ofces that are serviced by RODCs can make dynamic updates more efciently. This is because the updates
replicate back to the RODCs in their respectve branch ofces by means of a replicate-singleobject (RSO) operaton,
rather than waitng for the next scheduled replicaton cycle.
For example, suppose that you add a new member server in a branch ofce, Branch1, which includes an RODC. The
member server hosts an applicaton that you want client computers in Branch1 to locate by using a DNS query. When
the member server atempts to register its host (A or AAAA) resource records for its IP address to a DNS zone, it
performs a dynamic update on a writeable Windows Server 2008 or Windows Server 2008 R2 DNS server that the
RODC tracks in Branch1. If a writeable Windows Server 2008 DNS server hosts the DNS zone, the RODC in Branch1
________________________________________________________________________________________________
Page No | 35
replicates the updated zone informaton as soon as possible from the writeable Windows Server 2008 DNS server.
Then, client computers in Branch1 can successfully locate the new member server by querying the RODC in Branch1
for its IP address.
If you do not have a writeable Windows Server 2008 DNS server that hosts the DNS zone, the update can stll succeed
against Windows Server 2003 DNS server if one is available but the updated record in the DNS zone will not replicate
to the RODC in Branch1 untl the next scheduled replicaton cycle, which can delay client computers that use the
RODC DNS server for name resoluton from locatng the new member server.
Question 25
Your company has an Actve Directory domain named ad.contoso.com. The domain has two domain controllers
named DC1 and DC2. Both domain controllers have the DNS server role installed.
You install a new DNS server named DNS1.contoso.com on the perimeter network. You confgure DC1 to forward all
unresolved name requests to DNS1.contoso.com.
You discover that the DNS forwarding opton is unavailable on DC2.
You need to confgure DNS forwarding on the DC2 server to point to the DNS1.contoso.com server.
Which two actons should you perform? (Each correct answer presents part of the soluton.
Choose two.)
A. Clear the DNS cache on DC2.

B. Confgure conditonal forwarding on DC2.
C. Confgure the Listen On address on DC2.
D. Delete the Root zone on DC2.
Aoswern B, D
Explanatonn
Answern Delete the Root zone on DC2.
Confgure conditonal forwarding on DC2.
Explanatonn
A forwarder is a Domain Name System (DNS) server on a network that is used to forward DNS queries for external
DNS names to DNS servers outside that network. You can also confgure your server to forward queries according to
specifc domain names using conditonal forwarders.
htpn//social.technet.microsoo.com/Forums/en-US/winserverNIS/thread/0ca38ece-d76e-42f0-85d5-a342f9e169f5/
Deletng .root dns zone in 2008 DNS
Qn We have 2 domain controllers and .root zone is created in the DNS. Due to which the external name resoluton is
not possible. I had tried to add conditonal forwarders but i get an error saying that conditonal forwarders cannot be
created on root DNS servers.
A 1n If you have a "root" zone created in your DNS, and you no longer want that confguraton, you can just simply
delete that zone. There is no reason to have a root "." zone hosted unless you want to make sure that the DNS server
is authoritatve for all queries and not allow the DNS server to go elsewhere for name resoluton.
If you delete this zone, the DNS server will be able to use its root hints, or fowarders to resolve queries for zones its
not authoritatve for.
A 2n That was from the old 2000 days where DCPROMO would create it if it detected no internet access while
promotng the frst DC. Jut remove it, and the Forwarders opton reappear.
Further informatonn
How To Remove the Root Zone (Dot Zone)
________________________________________________________________________________________________
Page No | 36
Reviewing DNS Concepts

Delegaton For a DNS server to answer queries about any name, it must have a direct or indirect path to every zone in
the namespace. These paths are created by means of delegaton. A delegaton is a record in a parent zone that lists a
name server that is authoritatve for the zone in the next level of the hierarchy. Delegatons make it possible for
servers in one zone to refer clients to servers in other zones. The following illustraton shows one example of
delegaton.
The DNS root server hosts the root zone represented as a dot ( . ). The root zone contains a delegaton to a zone in the
next level of the hierarchy, the com zone. The delegaton in the root zone tells the DNS root server that, to fnd the
com zone, it must contact the Com server. Likewise, the delegaton in the com zone tells the Com server that, to fnd
the contoso.com zone, it must contact the Contoso server.
Noten A delegaton uses two types of records. The name server (NS) resource record provides the name of an
authoritatve server. Host (A) and host (AAAA) resource records provide IP version 4 (IPv4) and IP version 6 (IPv6)
addresses of an authoritatve server.
This system of zones and delegatons creates a hierarchical tree that represents the DNS namespace. Each zone
represents a layer in the hierarchy, and each delegaton represents a branch of the tree. By using the hierarchy of
zones and delegatons, a DNS root server can fnd any name in the DNS namespace.
The root zone includes delegatons that lead directly or indirectly to all other zones in the hierarchy. Any server that
can query the DNS root server can use the informaton in the delegatons to fnd any name in the namespace.
Question 26
Your company has an organizatonal unit named Producton. The Producton organizatonal unit has a child
organizatonal unit named R&D. You create a GPO named Sooware Deployment and link it to the Producton
organizatonal unit.
You create a shadow group for the R&D organizatonal unit. You need to deploy an applicaton to users in the
Producton organizatonal unit.
You also need to ensure that the applicaton is not deployed to users in the R&D organizatonal unit.
What are two possible ways to achieve this goal? (Each correct answer presents a complete soluton. Choose two.)
A. Confgure the Block Inheritance setng on the R&D organizatonal unit.

B. Confgure the Enforce setng on the sooware deployment GPO.
C. Confgure security fltering on the Sooware Deployment GPO to Deny Apply group policy for the R&D security
________________________________________________________________________________________________
Page No | 37
group.
D. Confgure the Block Inheritance setng on the Producton organizatonal unit.
Aoswern A, C
Explanatonn
Answern Confgure the Block Inheritance setng on the R&D organizatonal unit.
Confgure security fltering on the Sooware Deployment GPO to Deny Apply group policy for the R&D security group.
Explanatonn
Managing inheritance of Group Policy
..
Blocking Group Policy inheritance
You can block policy inheritance for a domain or organizatonal unit. Using block inheritance prevents GPOs linked to
higher sites, domains, or organizatonal units from being automatcally inherited by the child-level. By default,
children inherit all GPOs from the parent, but it is sometmes useful to block inheritance. For example, if you want to
apply a single set of policies to an entre domain except for one organizatonal unit, you can link the required GPOs at
the domain level (from which all organizatonal units inherit policies by default) and then block inheritance only on
the organizatonal unit to which the policies should not be applied.
Enforcing a GPO link You can specify that the setngs in a GPO link should take precedence over the setngs of any
child object by setng that link to Enforced. GPO-links that are enforced cannot be blocked from the parent container.
Without enforcement from above, the setngs of the GPO links at the higher level (parent) are overwriten by setngs
in GPOs linked to child organizatonal units, if the GPOs contain confictng setngs. With enforcement, the parent
GPO link always has precedence. By default, GPO links are not enforced. In tools prior to GPMC, "enforced" was
known as "No override."
..
In additon to using GPO links to apply policies, you can also control how GPOs are applied by using security flters or
WMI flters.
Security fltering using GPMC
Security fltering Security fltering is a way of refning which users and computers will receive and apply the setngs in
a Group Policy object (GPO). Using security fltering, you can specify that only certain security principals within a
container where the GPO is linked apply the GPO. Security group fltering determines whether the GPO as a whole
applies to groups, users, or computers; it cannot be used selectvely on diferent setngs within a GPO.
..
Notesn
GPOs cannot be linked directly to users, computers, or security groups. They can only be linked to sites, domains and
organizatonal units. However, by using security fltering, you can narrow the scope of a GPO so that it applies only to
a single group, user, or computer.
..
The locaton of a security group in Actve Directory is irrelevant to security group fltering and, more generally,
irrelevant to Group Policy processing.
Further informatonn
Block Inheritance
htpn//en.wikipedia.org/wiki/Actve_Directory#Shadow_groups
Actve Directory
Shadow groups
In Microsoo's Actve Directory, OUs do not confer access permissions, and objects placed within OUs are not
automatcally assigned access privileges based on their containing OU. This is a design limitaton specifc to Actve
Directory. Other competng directories such as Novell NDS are able to assign access privileges through object
________________________________________________________________________________________________
Page No | 38
placement within an OU.

Actve Directory requires a separate step for an administrator to assign an object in an OU as a member of a group
also within that OU. Relying on OU locaton alone to determine access permissions is unreliable, because the object
may not have been assigned to the group object for that OU. A common workaround for an Actve Directory
administrator is to write a custom PowerShell or Visual Basic script to automatcally create and maintain a user group
for each OU in their directory. The scripts are run periodically to update the group to match the OU's account
membership, but are unable to instantly update the security groups anytme the directory changes, as occurs in
competng directories where security is directly implemented into the directory itself. Such groups are known as
Shadow Groups. Once created, these shadow groups are selectable in place of the OU in the administratve tools.
Microsoo refers to shadow groups in the Server 2008 Reference documentaton, but does not explain how to create
them. There are no built-in server methods or console snap-ins for managing shadow groups.[5]
The division of an organizaton's informaton infrastructure into a hierarchy of one or more domains and toplevel OUs
is a key decision. Common models are by business unit, by geographical locaton, by IT Service, or by object type and
hybrids of these. OUs should be structured primarily to facilitate administratve delegaton, and secondarily, to
facilitate group policy applicaton. Although OUs form an administratve boundary, the only true security boundary is
the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.[6]
Question 27
Your company has a branch ofce that is confgured as a separate Actve Directory site and has an Actve Directory
domain controller.
The Actve Directory site requires a local Global Catalog server to support a new applicaton.
You need to confgure the domain controller as a Global Catalog server.
Which tool should you use?
A. The Server Manager console

B. The Actve Directory Sites and Services console
C. The Dcpromo.exe utlity
D. The Computer Management console
E. The Actve Directory Domains and Trusts console
Aoswern B
Explanatonn
Answern The Actve Directory Sites and Services console
Confgure a domain controller as a global catalog server
To confgure a domain controller as a global catalog server
1. Open Actve Directory Sites and Services.
...
Further informatonn
What Is the Global Catalog?
The global catalog is a distributed data repository that contains a searchable, partal representaton of every object in
every domain in a multdomain Actve Directory Domain Services (AD DS) forest. The global catalog is stored on
domain controllers that have been designated as global catalog servers and is distributed through multmaster
replicaton. Searches that are directed to the global catalog are faster because they do not involve referrals to
diferent domain controllers.
In additon to confguraton and schema directory partton replicas, every domain controller in a forest stores a full,
writable replica of a single domain directory partton. Therefore, a domain controller can locate only the objects in its
domain. Locatng an object in a diferent domain would require the user or applicaton to provide the domain of the
________________________________________________________________________________________________
Page No | 39
requested object.
The global catalog provides the ability to locate objects from any domain without having to know the domain name. A
global catalog server is a domain controller that, in additon to its full, writable domain directory partton replica, also
stores a partal, read-only replica of all other domain directory parttons in the forest. The additonal domain
directory parttons are partal because only a limited set of atributes is included for each object. By including only
the atributes that are most used for searching, every object in every domain in even the largest forest can be
represented in the database of a single global catalog server.
Noten A global catalog server can also store a full, writable replica of an applicaton directory partton, but objects in
applicaton directory parttons are not replicated to the global catalog as partal, read-only directory parttons.
The global catalog is built and updated automatcally by the AD DS replicaton system. The atributes that are
replicated to the global catalog are identfed in the schema as the partal atribute set (PAS) and are defned by
default by Microsoo. However, to optmize searching, you can edit the schema by adding or removing atributes that
are stored in the global catalog.
In Windows 2000 Server environments, any change to the PAS results in full synchronizaton (update of all atributes)
of the global catalog. Later versions of Windows Server reduce the impact of updatng the global catalog by
replicatng only the atributes that change.
In a single-domain forest, a global catalog server stores a full, writable replica of the domain and does not store any
partal replica. A global catalog server in a single-domain forest functons in the same manner as a nonglobal-catalog
server except for the processing of forest-wide searches.
Question 28
Your company has a main ofce and three branch ofces. The company has an Actve Directory forest that has a single
domain. Each ofce has one domain controller. Each ofce is confgured as an Actve Directory site.
All sites are connected with the DEFAULTIPSITELINK object.
You need to decrease the replicaton latency between the domain controllers.
What should you do?
A. Decrease the replicaton schedule for the DEFAULTIPSITELINK object.

B. Decrease the replicaton interval for the DEFAULTIPSITELINK object.
C. Decrease the cost between the connecton objects.
D. Decrease the replicaton interval for all connecton objects.
Aoswern B
Explanatonn
Answern Decrease the replicaton interval for the DEFAULTIPSITELINK object.
Personal commentn
All sites are connected with the DEFAULTIPSITELINK object. <- this roughly translates into all sites are connected with
the frst domain controller in the forest
So the topology is star shaped.
Thus, decreasing the cost between the connecton objects will ofer no beneft.
We know we have multple sites linked and are using a DEFAULTIPSITELINK object.
Thus, the most plausible answer is to decrease the replicaton interval for DEFAULTIPSITELINK.
Explanatonn
htpn//www.informit.com/artcles/artcle.aspx?p=26866&seqNum=5
Understanding Actve Directory, Part III
Replicaton
Actve Directory replicaton between domain controllers is managed by the system administrator on a site-bysite
basis. As domain controllers are added, a replicaton path must be established. This is done by the Knowledge
Consistency Checker (KCC), coupled with Actve Directory replicaton components. The KCC is a dynamic process that
________________________________________________________________________________________________
Page No | 40
runs on all domain controllers to create and modify the replicaton topology. If a domain controller fails, the KCC
automatcally creates new paths to the remaining domain controllers. Manual interventon with the KCC will also
force a new path.
The Actve Directory replaces PDCs and BDCs with multmaster replicaton services. Each domain controller retains a
copy of the entre directory for that partcular domain. As changes are made in one domain controller, the originator
communicates these changes to the peer domain controllers. The directory data itself is stored in the ntds.dit fle.
Actve Directory replicaton uses the Remote Procedure Call (RPC) over IP to conduct replicaton within a site.
Replicaton between sites can utlize either RPC or the Simple Mail Transfer Protocol (SMTP) for data transmission.
The default intersite replicaton protocol is RPC.
Intersite and Intrasite Replicaton
There are distnct diferences in internal and intersite domain controller replicaton. In theory, the network bandwidth
within a site is sufcient to handle all network trafc associated with replicaton and other Actve Directory actvites.
By the defniton of a site, the network must be reliable and fast. A change notfcaton process is initated when
modifcatons occur on a domain controller. The domain controller waits for a confgurable period (by default, fve
minutes) before it forwards a message to its replicaton partners. During this interval, it contnues to accept changes.
Upon receiving a message, the partner domain controllers copy the modifcaton from the original domain controller.
In the event that no changes were noted during a confgurable period (six hours, by default), a replicaton sequence
ensures that all possible modifcatons are communicated. Replicaton within a site involves the transmission of
uncompressed data.
NOTE
Security-related modifcatons are replicated within a site immediately. These changes include account and individual
user lockout policies, changes to password policies, changes to computer account passwords, and modifcatons to the
Local Security Authority (LSA).
Replicaton between sites assumes that there are network-connectvity problems, including insufcient bandwidth,
reliability, and increased cost. Therefore, the Actve Directory permits the system to make decisions on the type,
frequency, and tming of intersite replicaton. All replicaton objects transmited between sites are compressed, which
may reduce trafc by 10 to 25 percent, but because this is not sufcient to guarantee proper replicaton, the system
administrator has the responsibility of scheduling intersite replicaton.
Replicaton Component Objects
Whereas the KCC represents the process elements associated with replicaton, the following comprise the Actve
Directory object componentsn
Connecton object. Domain controllers become replicaton "partners" when linked by a connecton object.
This is represented by a one-way path between two domain controller server objects. Connecton objects are created
by the KCC by default. They can also be manually created by the system administrator.
NTDS setngs object. The NTDS setngs object is a container that is automatcally created by the Actve Directory. It
contains all of the connecton objects, and is a child of the server object.
Server object. The Actve Directory represents every computer as a computer object. The domain controller is also
represented by a computer object, plus a specially created server object. The server object's parent is the site object
that defnes its IP subnet. However, in the event that the domain controller server object was created prior to site
creaton, it will be necessary to manually defne the IP subnet to properly assign the domain controller a site.
When it is necessary to link multple sites, two additonal objects are created to manage the replicaton topology.
Site link. The site link object specifes a series of values (cost, interval, and schedule) that defne the connecton
between sites. The KCC uses these values to manage replicaton and to modify the replicaton path if it detects a more
efcient one. The Actve Directory DEFAULTIPSITELINK is used by default untl the system administrator intervenes.
The cost value, ranging from 1 to 32767, is an arbitrary estmate of the actual cost of data transmission as defned
bandwidth. The interval value sets the number of tmes replicaton will occurn 15 minutes to a maximum of once a
week (or 10080 minutes) is the minimum; three hours is the default. The schedule interval establishes the tme when
replicaton should occur. Although replicaton can be at any tme by default, the system administrator may want to
schedule it only during ofpeak network hours.
Site link bridges. The site link bridge object defnes a set of links that communicate via the same protocol. By default,
all site links use the same protocol, and are transitve. Moreover, they belong to a single site link bridge. No
________________________________________________________________________________________________
Page No | 41
confguraton is necessary to the site link bridge if the IP network is fully routed. Otherwise, manual confguraton may
be necessary.
Further informatonn
What Is Actve Directory Replicaton Topology?
Replicaton of updates to Actve Directory objects are transmited between multple domain controllers to keep
replicas of directory parttons synchronized. Multple domains are common in large organizatons, as are multple
sites in disparate locatons. In additon, domain controllers for the same domain are commonly placed in more than
one site.
Therefore, replicaton must ooen occur both within sites and between sites to keep domain and forest data consistent
among domain controllers that store the same directory parttons. Site objects can be confgured to include a set of
subnets that provide local area network (LAN) network speeds. As such, replicaton within sites generally occurs at
high speeds between domain controllers that are on the same network segment. Similarly, site link objects can be
confgured to represent the wide area network (WAN) links that connect LANs.
Replicaton between sites usually occurs over these WAN links, which might be costly in terms of bandwidth.
To accommodate the diferences in distance and cost of replicaton within a site and replicaton between sites, the
intrasite replicaton topology is created to optmize speed, and the intersite replicaton topology is created to
minimize cost.
The Knowledge Consistency Checker (KCC) is a distributed applicaton that runs on every domain controller and is
responsible for creatng the connectons between domain controllers that collectvely form the replicaton topology.
The KCC uses Actve Directory data to determine where (from what source domain controller to what destnaton
domain controller) to create these connectons.
..
The following diagram shows the interacton of these technologies with the replicaton topology, which is indicated by
the two-way connectons between each set of domain controllers.
Replicaton Topology and Dependent Technologies
How Actve Directory Replicaton Topology Works
..
Replicaton Topology Physical Structure
The Actve Directory replicaton topology can use many diferent components. Some components are required and
others are not required but are available for optmizaton. The following diagram illustrates most replicaton topology
components and their place in a sample Actve Directory multsite and multdomain forest. The depicton of the
intersite topology that uses multple bridgehead servers for each domain assumes that at least one domain controller
________________________________________________________________________________________________
Page No | 42
in each site is running at least Windows Server 2003. All components of this diagram and their interactons are
explained in detail later in this secton.
Replicaton Topology Physical Structure
In the preceding diagram, all servers are domain controllers. They independently use global knowledge of
onfguraton data to generate one-way, inbound connecton objects. The KCCs in a site collectvely create an intrasite
topology for all domain controllers in the site. The ISTGs from all sites collectvely create an intersite topology. Within
sites, one-way arrows indicate the inbound connectons by which each domain controller replicates changes from its
partner in the ring. For intersite replicaton, one-way arrows represent inbound connectons that are created by the
ISTG of each site from bridgehead servers (BH) for the same domain (or from a global catalog server [GC] actng as a
bridgehead if the domain is not present in the site) in other sites that share a site link. Domains are indicated as D1,
D2, D3, and D4.
Each site in the diagram represents a physical LAN in the network, and each LAN is represented as a site object in
Actve Directory. Heavy solid lines between sites indicate WAN links over which two-way replicaton can occur, and
each WAN link is represented in Actve Directory as a site link object. Site link objects allow connectons to be created
between bridgehead servers in each site that is connected by the site link.
Not shown in the diagram is that where TCP/IP WAN links are available, replicaton between sites uses the RPC
replicaton transport. RPC is always used within sites. The site link between Site A and Site D uses the SMTP protocol
for the replicaton transport to replicate the confguraton and schema directory parttons and global catalog partal,
read-only directory parttons. Although the SMTP transport cannot be used to replicate writable domain directory
________________________________________________________________________________________________
Page No | 43
parttons, this transport is required because a TCP/IP connecton is not available between Site A and Site D. This
confguraton is acceptable for replicaton because Site D does not host domain controllers for any domains that must
be replicated over the site link A-D.
By default, site links A-B and A-C are transitve (bridged), which means that replicaton of domain D2 is possible
between Site B and Site C, although no site link connects the two sites. The cost values on site links A-B and A-C are
site link setngs that determine the routng preference for replicaton, which is based on the aggregated cost of
available site links. The cost of a direct connecton between Site C and Site B is the sum of costs on site links A-B and
A-C. For this reason, replicaton between Site B and Site C is automatcally routed through Site A to avoid the more
expensive, transitve route. Connectons are created between Site B and Site
C only if replicaton through Site A becomes impossible due to network or bridgehead server conditons.
...
Control Replicaton Latency and Cost
Replicaton latency is inherent in a multmaster directory service. A period of replicaton latency begins when a
directory update occurs on an originatng domain controller and ends when replicaton of the change is received on
the last domain controller in the forest that requires the change. Generally, the latency that is inherent in a WAN link
is relatve to a combinaton of the speed of the connecton and the available bandwidth.
Replicaton cost is an administratve value that can be used to indicate the latency that is associated with diferent
replicaton routes between sites. A lower-cost route is preferred by the ISTG when generatng the replicaton
topology.
Site topology is the topology as represented by the physical networkn the LANs and WANs that connect domain
controllers in a forest. The replicaton topology is built to use the site topology. The site topology is represented in
Actve Directory by site objects and site link objects. These objects infuence Actve Directory replicaton to achieve
the best balance between replicaton speed and the cost of bandwidth utlizaton by distnguishing between
replicaton that occurs within a site and replicaton that must span sites. When the KCC creates replicaton
connectons between domain controllers to generate the replicaton topology, it creates more connectons between
domain controllers in the same site than between domain controllers in diferent sites.
The results are lower replicaton latency within a site and less replicaton bandwidth utlizaton between sites.
Within sites, replicaton is optmized for speed as followsn
Connectons between domain controllers in the same site are always arranged in a ring, with possible additonal
connectons to reduce latency.
Replicaton within a site is triggered by a change notfcaton mechanism when an update occurs, moderated by a
short, confgurable delay (because groups of updates frequently occur together).
Data is sent uncompressed, and thus without the processing overhead of data compression.
Between sites, replicaton is optmized for minimal bandwidth usage (cost) as followsn
Replicaton data is compressed to minimize bandwidth consumpton over WAN links.
Store-and-forward replicaton makes efcient use of WAN links — each update crosses an expensive link only once.
Replicaton occurs at intervals that you can schedule so that use of expensive WAN links is managed.
The intersite topology is a layering of spanning trees (one intersite connecton between any two sites for each
directory partton) and generally does not contain redundant connectons.
...
Topology-Related Objects in Actve Directory
Actve Directory stores replicaton topology informaton in the confguraton directory partton. Several confguraton
objects defne the components that are required by the KCC to establish and implement the replicaton topologyn
..
Site Link Objects
For a connecton object to be created on a destnaton domain controller in one site that specifes a source domain
controller in another site, you must manually create a site link object (class siteLink ) that connects the two sites. Site
link objects identfy the transport protocol and scheduling required to replicate between two or more sites. You can
use Actve Directory Sites and Services to create the site links. The KCC uses the informaton stored in the propertes
of these site links to create the intersite topology connectons.
A site link is associated with a network transport by creatng the site link object in the appropriate transport container
________________________________________________________________________________________________
Page No | 44
(either IP or SMTP). All intersite domain replicaton must use IP site links. The Simple Mail Transfer Protocol (SMTP)
transport can be used for replicaton between sites that contain domain controllers that do not host any common
domain directory partton replicas.
Site Link Propertes
A site link specifes the followingn
Two or more sites that are permited to replicate with each other.
An administrator-defned cost value associated with that replicaton path. The cost value controls the route that
replicaton takes, and thus the remote sites that are used as sources of replicaton informaton.
A schedule during which replicaton is permited to occur.
An interval that determines how frequently replicaton occurs over this site link during the tmes when the schedule
allows replicaton.
Default Site Link
When you install Actve Directory on the frst domain controller in the forest, an object named
DEFAULTIPSITELINK is created in the Sites container (in the IP container within the Inter-Site Transports container).
This site link contains only one site, Default-First-Site-Name.
Question 29
Your company has two Actve Directory forests named contoso.com and fabrikam.com. Both forests run only domain
controllers that run Windows Server 2008. The domain functonal level of contoso.com is Windows Server 2008. The
domain functonal level of fabrikam.com is Windows Server 2003 Natve mode.
You confgure an external trust between contoso.com and fabrikam.com.
You need to enable the Kerberos AES encrypton opton.
What should you do?
A. Raise the forest functonal level of fabrikam.com to Windows Server 2008.

B. Raise the domain functonal level of fabrikam.com to Windows Server 2008.
C. Raise the forest functonal level of contoso.com to Windows Server 2008.
D. Create a new forest trust and enable forest-wide authentcaton.
Aoswern B
Explanatonn
Answern Raise the domain functonal level of fabrikam.com to Windows Server 2008.
Explanatonn
htpn//technet.microsoo.com/en-us/library/understanding-actve-directory-functonal-levels%28v=ws.10%29.aspx
Understanding Actve Directory Domain Services (AD DS) Functonal Levels
Functonal levels determine the available Actve Directory Domain Services (AD DS) domain or forest capabilites.
They also determine which Windows Server operatng systems you can run on domain controllers in the domain or
forest. However, functonal levels do not afect which operatng systems you can run on workstatons and member
servers that are joined to the domain or forest.
..
Features that are available at domain functonal levels
..
Windows Server 2008
All of the default AD DS features, all of the features from the Windows Server 2003 domain functonal level, and the
following features are availablen
..
* Advanced Encrypton Standard (AES 128 and AES 256) support for the Kerberos protocol. In order for
TGTs to be issued using AES, the domain functonal level must be Windows Server 2008 or higher and the domain
password needs to be changed.
________________________________________________________________________________________________
Page No | 45
...
Further informatonn
htpn//technet.microsoo.com/en-us/library/cc749438%28WS.10%29.aspx
Kerberos Enhancements
..
Requirements
All Kerberos authentcaton requests involve three diferent partesn the client requestng a connecton, the server that
will provide the requested data, and the Kerberos KDC that provides the keys that are used to protect the various
messages.
This discussion focuses on how AES can be used to protect these Kerberos authentcaton protocol messages and data
structures that are exchanged among the three partes. Typically, when the partes are operatng systems running
Windows Vista or Windows Server 2008, the exchange will use AES. However, if one of the partes is an operatng
system running Windows 2000 Professional, Windows 2000 Server, Windows XP, or Windows Server 2003, the
exchange will not use AES.
Question 30
All consultants belong to a global group named TempWorkers. You place three fle servers in a new organizatonal unit
named SecureServers. The three fle servers contain confdental data located in shared folders.
You need to record any failed atempts made by the consultants to access the confdental data.
Which two actons should you perform? (Each correct answer presents part of the soluton. Choose two.)
A. Create and link a new GPO to the SecureServers organizatonal unit. Confgure the Deny access to this computer
from the network user rights setng for the TempWorkers global group.
B. Create and link a new GPO to the SecureServers organizatonal unit. Confgure the Audit privilege use
Failure audit policy setng.
C. Create and link a new GPO to the SecureServers organizatonal unit. Confgure the Audit object access
Failure audit policy setng.
D. On each shared folder on the three fle servers, add the three servers to the Auditng tab. Confgure the Failed Full
control setng in the Auditng Entry dialog box.
E. On each shared folder on the three fle servers, add the TempWorkers global group to the Auditng tab. Confgure
the Failed Full control setng in the Auditng Entry dialog box.
Aoswern C, E
Explanatonn
Referencen
Windows Server 2008 R2 Unleashed (SAMS, 2010) page 671
Auditng Resource Access
Object access can be audited, although it is not one of the recommended setngs. Auditng object access can place a
signifcant load on the servers, so it should only be enabled when it is specifcally needed. Auditng object access is a
two-step processn Step one is enabling “Audit object access” and step two is selectng the objects to be audited. When
enabling Audit object access, you need to decide if both failure and success events will be logged. The two optons are
as followsn
Audit object access failure enables you to see if users are atemptng to access objects to which they have no rights.
This shows unauthorized atempts.
Audit object access success enables you to see usage paterns. This shows misuse of privilege.
Aoer object access auditng is enabled, you can easily monitor access to resources such as folders, fles, and printers.
Auditng Files and Folders
The network administrator can tailor the way Windows Server 2008 R2 audits fles and folders through the property
pages for those fles or folders. Keep in mind that the more fles and folders that are audited, the more events that can
________________________________________________________________________________________________
Page No | 46
be generated, which can increase administratve overhead and system resource requirements.
Therefore, choose wisely which fles and folders to audit. To audit a fle or folder, do the followingn
1. In Windows Explorer, right-click the fle or folder to audit and select Propertes.
2. Select the Security tab and then click the Advanced buton.
3. In the Advanced Security Setngs window, select the Auditng tab and click the Edit buton.
4. Click the Add buton to display the Select User or Group window.
5. Enter the name of the user or group to audit when accessing the fle or folder. Click the Check Names buton to
verify the name.
Question 31
You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is confgured as
an Enterprise Root certfcaton authority (CA).
You install the Online Responder role service on Server2.
You need to confgure Server2 to issue certfcate revocaton lists (CRLs) for the enterprise root CA.
Which two tasks should you perform? (Each correct answer presents part of the soluton. Choose two.)
A. Import the enterprise root CA certfcate.

B. Import the OCSP Response Signing certfcate.
C. Add the Server1 computer account to the CertPublishers group.
D. Set the Startup Type of the Certfcate Propagaton service to Automatc.
Aoswern A, B
Explanatonn
Further informatonn
Online Responder Installaton, Confguraton, and Troubleshootng Guide
Public key infrastructure (PKI) consists of multple components, including certfcates, certfcate revocaton lists (CRLs)
and certfcaton authorites (CAs). In most cases, applicatons that depend on X.509 certfcates, such as
Secure/Multpurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL) and smart cards, are required to
validate the status of the certfcates used when performing authentcaton, signing, or encrypton operatons. The
certfcate status and revocaton checking is the process by which the validity of certfcates is verifed based on two
main categoriesn tme and revocaton status.
..
Although validatng the revocaton status of certfcates can be performed in multple ways, the common mechanisms
are CRLs, delta CRLs, and Online Certfcate Status Protocol (OCSP) responses.
...
Actve Directory Certfcate Services Step-by-Step Guide
htpn//blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementng-a-pki-part-i-design-
andplanning.aspx
Designing and Implementng a PKIn Part I Design and Planning
Set Up an Online Responder
Creatng a Revocaton Confguraton
Question 32
________________________________________________________________________________________________
Page No | 47
Your company has an Actve Directory forest. The forest includes organizatonal units corresponding to the following
four locatonsn
London
Chicago
New York
Madrid
Each locaton has a child organizatonal unit named Sales. The Sales organizatonal unit contains all the users and
computers from the sales department.
The ofces in London, Chicago, and New York are connected by T1 connectons. The ofce in Madrid is connected by a
256-Kbps ISDN connecton.
You need to install an applicaton on all the computers in the sales department.
A. Create a Group Policy Object (GPO) named OfceInstall that assigns the applicaton to users.
Link the GPO to each Sales organizatonal unit.
B. Disable the slow link detecton setng in the Group Policy Object (GPO).
C. Confgure the slow link detecton threshold setng to 1,544 Kbps (T1) in the Group Policy Object (GPO).
D. Create a Group Policy Object (GPO) named OfceInstall that assigns the applicaton to the computers. Link the GPO
to each Sales organizatonal unit.
Aoswern B, D
Explanatonn
Specifying Group Policy for Slow Link Detecton
Administrators can partally control which Group Policy extensions are processed over a slow link. By default, when
processing over a slow link, not all components of Group Policy are processed.
Table 2.6 shows the default setngs for processing Group Policy over slow links.
Administrators can use a Group Policy setng to defne a slow link for the purposes of applying and updatng Group
Policy. The default value defnes a rate slower than 500 Kbps as a slow link.
Assigning and Publishing Sooware
..
Assigning sooware to computers
Aoer you assign a sooware package to computers in a site, domain, or OU, the sooware is installed the next tme the
computer restarts or the user logs on.
Further informatonn
Group Policy slow link detecton
________________________________________________________________________________________________
Page No | 48
Question 33
Your company has a domain controller server that runs the Windows Server 2008 R2 operatng system. The server is a
backup server. The server has a single 500-GB hard disk that has three parttons for the operatng system,
applicatons, and dat
a. You perform daily backups of the server.
The hard disk fails. You replace the hard disk with a new hard disk of the same capacity. You restart the computer on
the installaton media. You select the Repair your computer opton.
You need to restore the operatng system and all fles.
What should you do?
A. Select the System Image Recovery opton.
B. Run the Imagex utlity at the command prompt.
C. Run the Wbadmin utlity at the command prompt.
D. Run the Rollback utlity at the command prompt.
Aoswern C
Explanatonn
Old answern Run the Wbadmin utlity at the command prompt.
Answern Select the System Image Recovery opton.
Explanatonn
Recover the Operatng System or Full Server
Applies Ton Windows Server 2008 R2
You can recover your server operatng system or full server by using Windows Recovery Environment and a backup
that you created earlier with Windows Server Backup.
You can access the recovery and troubleshootng tools in Windows Recovery Environment through the System
Recovery Optons dialog box in the Install Windows Wizard. In Windows Server 2008 R2, to launch this wizard, use the
Windows Setup disc or start/restart the computer, press F8, and then select Repair Your Computer from the list of
startup optons.
..
To recover your operatng system or full server using a backup created earlier and Windows Setup disc
1. Insert the Windows Setup disc that has the same architecture of the system that you are trying to recover into the
CD or DVD drive and start or restart the computer. If needed, press the required key to boot from the disc. The Install
Windows Wizard should appear.
2. In Install Windows, specify language setngs, and then click Next.
3. Click Repair your computer.
4. Setup searches the hard disk drives for an existng Windows installaton and then displays the results in System
Recovery Optons. If you are recovering the operatng system onto separate hardware, the list should be empty (there
should be no operatng system on the computer). Click Next.
5. On the System Recovery Optons page, click System Image Recovery. This opens the Re-image your computer page.
...
htpn//technet.microsoo.com/en-us/magazine/dd767786.aspx
Use the Wbadmin Backup Command Line Utlity in Windows Server 2008
Wbadmin is the command-line counterpart to Windows Server Backup. You use Wbadmin to manage all aspects of
backup confguraton that you would otherwise manage in Windows Server Backup. This means that you can typically
use either tool to manage backup and recovery.
Aoer you’ve installed the Backup Command-Line Tools feature, you can use Wbadmin to manage backup and
recovery. Wbadmin is located in the %SystemRoot%gSystem32g directory. As this directory is in your command path
by default, you do not need to add this directory to your command path.
________________________________________________________________________________________________
Page No | 49
Further informatonn
Wbadmin Enables you to back up and restore your operatng system, volumes, fles, folders, and applicatons from a
command prompt.
Remarks
The wbadmin command replaces the ntbackup command that was released with previous versions of Windows. You
cannot recover backups that you created with ntbackup by using wbadmin. However, a version of ntbackup is
available as a download for Windows Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7 users who
want to recover backups that they created using ntbackup. This downloadable version of ntbackup enables you to
perform recoveries only of legacy backups, and it cannot be used on computers running Windows Server 2008,
Windows Vista, Windows Server 2008 R2, or Windows 7 to create new backups.
Backup and Recovery Overview for Windows Server 2008 R2
Windows Server 2008 R2 contains features to help you create backups and, if needed, perform a recovery of your
operatng system, applicatons, and data. By using these features appropriately and implementng good operatonal
practces, you can improve your organizaton's ability to recover from damaged or lost data, hardware failures, and
disasters. For Windows Server 2008 R2, there are new features that expand what you can back up, where you can
store backups, and how you can perform recoveries.
..
This table summarizes the tools you can use to perform the following backup or recovery tasks for your computers
running Windows Server 2008 R2n
What is Windows Recovery Environment?

You can access the recovery and troubleshootng tools in Windows Recovery Environment through the System
Recovery Optons dialog box in the Install Windows Wizard.
In Windows Server 2008 R2, to launch this wizard, use the Windows Setup disc or start/restart the computer, press F8,
and then select Repair Your Computer from the list of startup optons.
Features in Windows Recovery Environment
The tools in Windows Recovery Environment includen
System Image Recovery. You can use this tool and a backup that you created earlier with Windows Server Backup to
restore your operatng system or full server.
Windows Memory Diagnostc. You can use this tool (which is a memory diagnostc schedule) to check your computer's
RAM. Doing this requires a restart. In additon, this tool requires a valid Windows Server 2008, Windows Vista,
Windows Server 2008 R2, or Windows 7 installaton to functon. Command Prompt. This opens a command prompt
window with Administrator privileges that provides full access to your fle system and volumes. In additon, certain
Wbadmin commands are only available from this command window.
________________________________________________________________________________________________
Page No | 50
Question 34
You need to remove the Actve Directory Domain Services role from a domain controller named DC1.
What should you do?
A. Run the netdom remove DC1 command.

B. Run the Dcpromo utlity. Remove the Actve Directory Domain Services role.
C. Run the nltest /remove_servern DC1 command.
D. Reset the Domain Controller computer account by using the Actve Directory Users and Computers utlity.
Aoswern B
Explanatonn
Answern Run the Dcpromo utlity. Remove the Actve Directory Domain Services role.
Explanatonn
Removing a Domain Controller from a Domain
..
To remove a domain controller by using the Windows interface
1. Click Start, click Run, type dcpromo, and then press ENTER.
...
Further informatonn
Netdom
Enables administrators to manage Actve Directory domains and trust relatonships from the command prompt.
Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if
you have the Actve Directory Domain Services (AD DS) server role installed. It is also available if you install the Actve
Commands
Netdom remove
..
Removes a workstaton or server from the domain.
...
Nltest Performs network administratve tasks.
Nltest is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if
you have the AD DS or the AD LDS server role installed. It is also available if you install the Actve
You can use nltest ton
Get a list of domain controllers
Force a remote shutdown
Query the status of trust
Test trust relatonships and the state of domain controller replicaton in a Windows domain
Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers
Personal comment #1n
There is no /remove_server switch for the nltest command
Personal comment #2n
Resetng the Domain Controller's computer account has nothing to do with this queston
________________________________________________________________________________________________
Page No | 51
Question 35
Your company has an Actve Directory forest. The company has branch ofces in three locatons. Each locaton has an
organizatonal unit.
You need to ensure that the branch ofce administrators are able to create and apply GPOs only to their respectve
organizatonal units.
A. Run the Delegaton of Control wizard and delegate the right to link GPOs for their branch organizatonal units to the
branch ofce administrators.
B. Add the user accounts of the branch ofce administrators to the Group Policy Creator Owners Group.
C. Modify the Managed By tab in each organizatonal unit to add the branch ofce administrators to their respectve
D. Run the Delegaton of Control wizard and delegate the right to link GPOs for the domain to the branch ofce
administrators.
Aoswern A, B
Explanatonn
Answern Run the Delegaton of Control wizard and delegate the right to link GPOs for their branch organizatonal units
to the branch ofce administrators.
Add the user accounts of the branch ofce administrators to the Group Policy Creator Owners Group.
Explanatonn
Delegate Control of an Organizatonal Unit
1. To delegate control of an organizatonal unit
2. To open Actve Directory Users and Computers, click Start , click Control Panel , double-click Administratve
Tools and then double-click Actve Directory Users and Computers .
3. In the console tree, right-click the organizatonal unit (OU) for which you want to delegate control.
Where?
Actve Directory Users and Computersg domain node g organizatonal unit
4. Click Delegate Control to start the Delegaton of Control Wizard, and then follow the instructons in the wizard.
Delegatng Administraton of Group Policy
Your Group Policy design will probably call for delegatng certain Group Policy administratve tasks.
Determining to what degree to centralize or distribute administratve control of Group Policy is one of the most
important factors to consider when assessing the needs of your organizaton. In organizatons that use a centralized
administraton model, an IT group provides services, makes decisions, and sets standards for the entre company. In
organizatons that use a distributed administraton model, each business unit manages its own IT group.
You can delegate the following Group Policy tasksn
Creatng GPOs
Managing individual GPOs (for example, grantng Edit or Read access to a GPO) etc.
...
Delegatng Creaton of GPOs
The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only
Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and SYSTEM can create new Group
Policy objects. If the domain administrator wants a non-administrator or non-administratve group to be able to
create GPOs, that user or group can be added to the Group Policy Creator Owners security group. Alternatvely, you
can use the Delegaton tab on the Group Policy Objects container in GPMC to delegate creaton of GPOs. When a non-
administrator who is a member of the Group Policy Creator Owners group creates a GPO, that user becomes the
creator owner of the GPO and can edit the GPO and modify permissions on the GPO. However, members of the Group
________________________________________________________________________________________________
Page No | 52
Policy Creator Owners group cannot link GPOs to containers unless they have been separately delegated the right to
do so on a partcular site, domain, or OU.
Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only those
GPOs that the user creates. Group Policy Creator Owner members do not have permissions for GPOs that they do not
create.
Noten When an administrator creates a GPO, the Domain Administrators group becomes the Creator Owner of the
Group Policy object. By default, Domain Administrators can edit all GPOs in the domain.
The right to link GPOs is delegated separately from the right to create GPOs and the right to edit GPOs. Be sure to
delegate both rights to those groups you want to be able to create and link GPOs. By default, non- Domain Admins
cannot manage links, and this prevents them from being able to use GPMC to create and link a GPO. However, non-
Domain Admins can create an unlinked GPO if they are members of the Group Policy Creator Owners group. Aoer a
non-Domain Admin creates an unlinked GPO, the Domain Admin or someone else who has been delegated
permissions to link GPOs an a container can link the GPO as appropriate.
Creaton of GPOs can be delegated to any group or user. There are two methods of grantng a group or user this
permissionn
Add the group or user to the Group Policy Creator Owners group. This was the only method available prior to GPMC.
Explicitly grant the group or user permission to create GPOs. This method is newly available with GPMC.
You can manage this permission by using the Delegaton tab on the Group Policy objects container for a given domain
in GPMC. This tab shows the groups that have permission to create GPOs in the domain, including the Group Policy
Creator Owners group. From this tab, you can modify the membership of existng groups that have this permission, or
add new groups.
Because the Group Policy Creator Owners group is a domain global group, it cannot contain members from outside
the domain. Being able to grant users permissions to create GPOs without using Group Policy Creator Owners
facilitates delegatng GPO creaton to users outside the domain. Without GPMC, this task cannot be delegated to
members outside the domain.
If you require that users outside the domain have the ability to create GPOs, create a new domain local group in the
domain (for example, "GPCO – External"), grant that group GPO creaton permissions in the domain, and then add
domain global groups from external domains to that group. For users and groups in the domain, you should contnue
to use the Group Policy Creator Owners group to grant GPO-creaton permissions.
Adding a user to the membership of Group Policy Creator Owners and grantng the user GPO-creaton permissions
directly using the new method available in GPMC are identcal in terms of permissions.
Question 36
Your company has an Actve Directory domain. A user atempts to log on to the domain from a client computer and
receives the following messagen "This user account has expired. Ask your administrator to reactvate the account."
You need to ensure that the user is able to log on to the domain.
What should you do?
A. Modify the propertes of the user account to set the account to never expire.
B. Modify the propertes of the user account to extend the Logon Hours setng.
C. Modify the default domain policy to decrease the account lockout duraton.
D. Modify the propertes of the user account to set the password to never expire.
Aoswern A
Explanatonn
________________________________________________________________________________________________
Page No | 53
Further informatonn
htpn//technet.microsoo.com/en-us/library/dd145547.aspx
User Propertes - Account Tab
Account expires
Sets the account expiraton policy for this user. You can select between the following optonsn
Use Never to specify that the selected account will never expire. This opton is the default for new users.
Select End of and then select a date if you want to have the user's account expire on a specifed date.
Question 37
You have an existng Actve Directory site named Site1. You create a new Actve Directory site and name it Site2.
You need to confgure Actve Directory replicaton between Site1 and Site2. You install a new domain controller.
You create the site link between Site1 and Site2.
What should you do next?
A. Use the Actve Directory Sites and Services console to assign a new IP subnet to Site2. Move the new domain
controller object to Site2.
B. Use the Actve Directory Sites and Services console to confgure a new site link bridge object.
C. Use the Actve Directory Sites and Services console to decrease the site link cost between Site1 and Site2.
D. Use the Actve Directory Sites and Services console to confgure the new domain controller as a preferred
bridgehead server for Site1.
________________________________________________________________________________________________
Page No | 54
Aoswern A
Explanatonn
htpn//www.enterprisenetworkingplanet.com/netsysm/artcle.php/624411/Intersite-eplicaton.htm
Inter-site Replicaton
The process of creatng a custom site link has fve basic stepsn
1. Create the site link.
2. Confgure the site link's associated atributes.
3. Create site link bridges.
4. Confgure connecton objects. (This step is optonal.)
5. Designate a preferred bridgehead server. (This step is optonal)
Replicaton between sites
Question 38
Your company has an Actve Directory forest. Each branch ofce has an organizatonal unit and a child organizatonal
unit named Sales.
The Sales organizatonal unit contains all users and computers of the sales department.
You need to install an Ofce 2007 applicaton only on the computers in the Sales organizatonal unit.
You create a GPO named SalesApp GPO.
A. Confgure the GPO to assign the applicaton to the computer account. Link the SalesAPP GPO to the Sales
organizatonal unit in each locaton.
B. Confgure the GPO to assign the applicaton to the computer account. Link the SalesAPP GPO to the domain.
C. Confgure the GPO to publish the applicaton to the user account. Link the SalesAPP GPO to the Sales organizatonal
unit in each locaton.
D. Confgure the GPO to assign the applicaton to the user account. Link the SalesAPP GPO to the Sales organizatonal
unit in each locaton.
Aoswern A
Question 39
Your network consists of an Actve Directory forest that contains one domain. All domain controllers run.
Windows Server 2008 R2 and are confgured as DNS servers. You have an Actve Directory- integrated zone.
You have two Actve Directory sites. Each site contains fve domain controllers.
You add a new NS record to the zone.
You need to ensure that all domain controllers immediately receive the new NS record.
What should you do?
A. From the DNS Manager console, reload the zone.

B. From the DNS Manager console, increase the version number of the SOA record.
C. From the command prompt, run repadmin /syncall.
D. From the Services snap-in, restart the DNS Server service.
Aoswern C
Explanatonn
________________________________________________________________________________________________
Page No | 55
Repadmin /syncall Synchronizes a specifed domain controller with all of its replicaton partners.
htpn//ivan.dretvic.com/2012/01/how-to-force-replicaton-of-domain-controllers/
How to force replicaton of Domain Controllers
From tme to tme its necessary to kick of AD replicaton to speed up a task you may be doing, or just a good too to
check the status of replicaton between DC’s.
Below is a command to replicate from a specifed DC to all other DC’s.
Repadmin /syncall DC_name /Aped By running a repadmin /syncall with the /A(ll parttons) P(ush) e(nterprise, cross
sites) d(istnguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003,
except that you did it in one step, not many.And with the beneft of seeing immediate results on how the operatons
are proceeding.
If I am running it on the DC itself, I don’t even have to specify the server name.
Question 40
Your company has a single Actve Directory domain named intranet.contoso.com. All domain controllers run Windows
Server 2008 R2. The domain functonal level is Windows 2000 natve and the forest functonal level is Windows 2000.
You need to ensure the UPN sufx for contoso.com is available for user accounts.
What should you do frst?
A. Raise the intranet.contoso.com forest functonal level to Windows Server 2003 or higher.
B. Raise the intranet.contoso.com domain functonal level to Windows Server 2003 or higher.
C. Add the new UPN sufx to the forest.
D. Change the Primary DNS Sufx opton in the Default Domain Controllers Group Policy Object (GPO) to contoso.com.
Aoswern C
Explanatonn
HOW TOn Add UPN Sufxes to a Forest
Adding a UPN Sufx to a Forest
Open Actve Directory Domains and Trusts.
Right-click Actve Directory Domains and Trusts in the Tree window pane, and then click Propertes.
On the UPN Sufxes tab, type the new UPN sufx that you would like to add to the forrest.
Click Add, and then click OK.
Now when you add users to the forest, you can select the new UPN sufx to complete the user's logon name.
APPLIES TO
Microsoo Windows 2000 Server
Microsoo Windows 2000 Advanced Server
Microsoo Windows 2000 Datacenter Server
Question 41
You have a Windows Server 2008 R2 Enterprise Root C

A.
Security policy prevents port 443 and port 80 from being opened on domain controllers and on the issuing CA.
You need to allow users to request certfcates from a Web interface. You install the Actve Directory Certfcate
Services (AD CS) server role.
A. Confgure the Online Responder Role Service on a member server.
________________________________________________________________________________________________
Page No | 56
B. Confgure the Online Responder Role Service on a domain controller.

C. Confgure the Certfcate Enrollment Web Service role service on a member server.
D. Confgure the Certfcate Enrollment Web Service role service on a domain controller.
Aoswern C
Explanatonn
Certfcate Enrollment Web Service Overview
The Certfcate Enrollment Web Service is an Actve Directory Certfcate Services (AD CS) role service that enables
users and computers to perform certfcate enrollment by using the HTTPS protocol. Together with the Certfcate
Enrollment Policy Web Service, this enables policy-based certfcate enrollment when the client computer is not a
member of a domain or when a domain member is not connected to the domain.
Personal noten
Since domain controllers are of-limits (regarding open ports), you are leo to install the Certfcate Enrollment Web
Service role service on a plain member server
Question 42
You need to relocate the existng user and computer objects in your company to diferent organizatonal units.
A. Run the move-item command in the Microsoo Windows PowerShell utlity.

B. Run the Actve Directory Users and Computers utlity.
C. Run the Dsmove utlity.
D. Run the Actve Directory Migraton Tool (ADMT).
Aoswern B, C
Explanatonn
Personal noten
You can simply drag and drop objects when using the Actve Directory Users and Computers utlity or use the dsmove
command.
Dsmove Moves a single object, within a domain, from its current locaton in the directory to a new locaton, or
renames a single object without moving it in the directory tree.
Question 43
Your network consists of an Actve Directory forest named contoso.com. All servers run Windows Server 2008 R2. All
domain controllers are confgured as DNS servers. The contoso.com DNS zone is stored in the ForestDnsZones Actve
Directory applicaton partton.
You have a member server that contains a standard primary DNS zone for dev.contoso.com.
You need to ensure that all domain controllers can resolve names for dev.contoso.com.
What should you do?
A. Modify the propertes of the SOA record in the contoso.com zone.

B. Create a NS record in the contoso.com zone.
C. Create a delegaton in the contoso.com zone.
D. Create a standard secondary zone on a Global Catalog server.
________________________________________________________________________________________________
Page No | 57
Aoswern C
Explanatonn
Understanding Zone Delegaton
Domain Name System (DNS) provides the opton of dividing up the namespace into one or more zones, which can
then be stored, distributed, and replicated to other DNS servers. When you are deciding whether to divide your DNS
namespace to make additonal zones, consider the following reasons to use additonal zonesn
You want to delegate management of part of your DNS namespace to another locaton or department in your
organizaton.
You want to divide one large zone into smaller zones to distribute trafc loads among multple servers, improve DNS
name resoluton performance, or create a more-fault-tolerant DNS environment.
You want to extend the namespace by adding numerous subdomains at once, for example, to accommodate the
opening of a new branch or site.
..
When you delegate zones within your namespace, remember that for each new zone that you create, you need
delegaton records in other zones that point to the authoritatve DNS servers for the new zone. This is necessary both
to transfer authority and to provide correct referral to other DNS servers and clients of the new servers that are being
made authoritatve for the new zone.
..
Examplen Delegatng a subdomain to a new zone
As shown in the following illustraton, when a new zone for a subdomain (example.microsoo.com) is created,
delegaton from the parent zone (microsoo.com) is needed.
Question 44
Your company has a single Actve Directory domain. All domain controllers run Windows Server 2003.
You install Windows Server 2008 R2 on a server.
You need to add the new server as a domain controller in your domain.
________________________________________________________________________________________________
Page No | 58
A. On a domain controller run adprep /rodcprep.

B. On the new server, run dcpromo /adv.
C. On the new server, run dcpromo /createdcaccount.
D. On a domain controller, run adprep /forestprep.
Aoswern D
Explanatonn
htpn//social.technet.microsoo.com/Forums/en-US/winserverDS/thread/9931e32f-6302-40f0-a7a1-2598a96cd0c1/
DC promoton and adprep/forestprep
Qn I've tried to dcpromo a new Windows 2008 server installaton to be a Domain Controller, running in an existng
domain. I am informed that, frst, I must run adprep/forestprep ("To install a domain controller into this Actve
Directory forest, you must frst perpare the forest using "adprep/forestprep". The Adprep utlity is available on the
Windows Server 2008 installaton media in the Windowsgsourcesgadprep folder"
A1n
You can run adprep from an existng Windows Server 2003 domain controller. Copy the contents of the
gsourcesgadprep folder from the Windows Server 2008 installaton DVD to the schema master role holder and run
Adprep from there.
A2n to introduce the frst W2K8 DC within an AD forest....
(1) no AD forest exists yetn
--N on the stand alone server executen DCPROMO
--N and provide the informaton needed
(2) an W2K or W2K3 AD forest already existsn
--N ADPREP /Forestprep on the w2k/w2k3 schema master (both w2k/w2k3 forests)
--N ADPREP /rodcprep on the w2k3 domain master (only w2k3 forests)
--N ADPREP /domainprep on the w2k3 infrastructure master (only w2k3 domains)
--N ADPREP /domainprep /gpprep on the w2k infrastructure master (only w2k domains)
--N on the stand alone server executen DCPROMO
--N and provide the informaton needed
Question 45
Your company has a main ofce and three branch ofces. Each ofce is confgured as a separate Actve Directory site
that has its own domain controller.
You disable an account that has administratve rights.
You need to immediately replicate the disabled account informaton to all sites.
A. From the Actve Directory Sites and Services console, confgure all domain controllers as global catalog servers.
B. From the Actve Directory Sites and Services console, select the existng connecton objects and force replicaton.
C. Use Repadmin.exe to force replicaton between the site connecton objects.
D. Use Dsmod.exe to confgure all domain controllers as global catalog servers.
Aoswern B, C
Explanatonn
Repadmin /syncall Synchronizes a specifed domain controller with all of its replicaton partners.
________________________________________________________________________________________________
Page No | 59
htpn//ivan.dretvic.com/2012/01/how-to-force-replicaton-of-domain-controllers/
How to force replicaton of Domain Controllers From tme to tme its necessary to kick of AD replicaton to speed up a
task you may be doing, or just a good too to check the status of replicaton between DC’s.
Below is a command to replicate from a specifed DC to all other DC’s.
Repadmin /syncall DC_name /Aped By running a repadmin /syncall with the /A(ll parttons) P(ush) e(nterprise, cross
sites) d(istnguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003,
except that you did it in one step, not many.And with the beneft of seeing immediate results on how the operatons
are proceeding.
If I am running it on the DC itself, I don’t even have to specify the server name.
Force replicaton over a connecton
To force replicaton over a connecton
1. Open Actve Directory Sites and Services.
Question 46
Your network consists of a single Actve Directory domain. All domain controllers run Windows Server 2008 R2.
You need to capture all replicaton errors from all domain controllers to a central locaton.
What should you do?
A. Start the Actve Directory Diagnostcs data collector set.

B. Start the System Performance data collector set.
C. Install Network Monitor and create a new a new capture.
D. Confgure event log subscriptons.
Aoswern D
Explanatonn
Confgure Computers to Forward and Collect Events
Before you can create a subscripton to collect events on a computer, you must confgure both the collectng computer
(collector) and each computer from which events will be collected (source).
Event Subscriptons
Event Viewer enables you to view events on a single remote computer. However, troubleshootng an issue might
require you to examine a set of events stored in multple logs on multple computers.
Windows Vista includes the ability to collect copies of events from multple remote computers and store them locally.
________________________________________________________________________________________________
Page No | 60
To specify which events to collect, you create an event subscripton. Among other details, the subscripton specifes
exactly which events will be collected and in which log they will be stored locally. Once a subscripton is actve and
events are being collected, you can view and manipulate these forwarded events as you would any other locally
stored events.
Using the event collectng feature requires that you confgure both the forwarding and the collectng computers.
The functonality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector
(Wecsvc) service. Both of these services must be running on computers partcipatng in the forwarding and collectng
process.
Replicaton Issues
Question 47
Your company has an Actve Directory forest that contains client computers that run Windows Vista andMicrosoo
Windows XP.
You need to ensure that users are able to install approved applicaton updates on their computers.
A. Set up Automatc Updates through Control Panel on the client computers.

B. Create a GPO and link it to the Domain Controllers organizatonal unit. Confgure the GPO to automatcally search
for updates on the Microsoo Update site.
C. Create a GPO and link it to the domain. Confgure the GPO to direct the client computers to the Windows Server
Update Services (WSUS) server for approved updates.
D. Install the Windows Server Update Services (WSUS). Confgure the server to search for new updates on the
Internet. Approve all required updates.
Aoswern C, D
Explanatonn
Confgure Automatc Updates by Using Group Policy
When you confgure the Group Policy setngs for WSUS, use a Group Policy object (GPO) linked to an Actve Directory
container appropriate for your environment.
Question 48
Your company has an Actve Directory domain that has an organizatonal unit named Sales. The Sales organizatonal
unit contains two global security groups named sales managers and sales executves.
You need to apply desktop restrictons to the sales executves group.
You must not apply these desktop restrictons to the sales managers group.
You create a GPO named DesktopLockdown and link it to the Sales organizatonal unit.
A. Confgure the Deny Apply Group Policy permission for Authentcated Users on the DesktopLockdown GPO.
B. Confgure the Deny Apply Group Policy permission for the sales executves on the DesktopLockdown GPO.
C. Confgure the Allow Apply Group Policy permission for Authentcated Users on the DesktopLockdown GPO.
D. Confgure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO.
Aoswern D
________________________________________________________________________________________________
Page No | 61
Explanatonn
How to prevent domain Group Policies from applying to certain user or computer accounts
Typically, if you want Group Policy to apply only to specifc accounts (either user accounts, computer accounts, or
both), you can put the accounts in an organizatonal unit, and then apply Group Policy at that organizatonal unit level.
However, there may be situatons where you want to apply Group Policy to a whole domain, although you may not
want those policy setngs to also apply to administrator accounts or to other specifc users or groups.
htpn//www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
Best Practcen How to exclude individual users or computers from a Group Policy Object
One of the common queston I see on the forums from tme to tme is how to exclude a user and/or a computer from
having a Group Policy Object (GPO) applied. This is a relatvely straight forward process however I should stress this
should be used sparingly and should always be done via group membership to avoid the administratve overhead of
having to constantly update the security fltering on the GPO.
Step 1. Open the Group Policy Object that you want to apply an excepton and then click on the “Delegaton” tab and
then click on the “Advanced” buton.
Step 2. Click on the “Add” buton and select the group (recommended) that you want to exclude from having this
policy applied.
________________________________________________________________________________________________
Page No | 62
Step 3. In this example I am excluding the “Users GPO Exceptons” group for this policy. Select this group in the “Group
or user names” list and then scroll down the permission and tck the “Deny” opton against the “Apply Group Policy”
permission.
________________________________________________________________________________________________
Page No | 63
Now any members of this “User GPO Exceptons” security group will not have this Group Policy Object applied.
Having a security group to control this excepton makes it much easier to control as someone only needs to modify
the group membership of the group to makes changes to who (or what) get the policy applied. This makes the
delegaton of this task to level 1 or level 2 support much more practcal as you don’t need to grant them permission to
the Group Policy Objects.
Question 49
Your company network has an Actve Directory forest that has one parent domain and one child domain. The child
domain has two domain controllers that run Windows Server 2008. All user accounts from the child domain are
migrated to the parent domain. The child domain is scheduled to be decommissioned.
You need to remove the child domain from the Actve Directory forest.
A. Run the Computer Management console to stop the Domain Controller service on both domain controllers in the
child domain.
B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relatonship
between the parent domain and the child domain.
C. Use Server Manager on both domain controllers in the child domain to uninstall the Actve Directory domain
services role.
D. Run the Dcpromo tool that has individual answer fles on each domain controller in the child domain.
Aoswern C, D
Explanatonn
________________________________________________________________________________________________
Page No | 64
Decommissioning a Domain Controller

To complete this task, perform the following proceduresn
1. View the current operatons master role holders
2. Transfer the schema master
3. Transfer the domain naming master
4. Transfer the domain-level operatons master roles
5. Determine whether a domain controller is a global catalog server
6. Verify DNS registraton and functonality
7. Verify communicaton with other domain controllers
8. Verify the availability of the operatons masters
9. If the domain controller hosts encrypted documents, perform the following procedure before you remove
Actve Directory to ensure that the encrypted fles can be recovered aoer Actve Directory is removedn Export a
certfcate with the private key
10.Uninstall Actve Directory
11.If the domain controller hosts encrypted documents and you backed up the certfcate and private key before you
remove Actve Directory, perform the following procedure to re-import the certfcate to the servern
Import a certfcate
12. Determine whether a Server object has child objects
13. Delete a Server object from a site
Uninstall Actve Directory
To uninstall Actve Directory
1. Click Start, click Run, type dcpromo and then click OK.
Question 50
Your network consists of a single Actve Directory domain. The domain contains 10 domain controllers. The domain
controllers run Windows Server 2008 R2 and are confgured as DNS servers.
You plan to create a new Actve Directory-integrated zone.
You need to ensure that the new zone is only replicated to four of your domain controllers.
A. From the command prompt, run dnscmd and specify the /createdirectorypartton parameter.
B. Create a new delegaton in the ForestDnsZones applicaton directory partton.
C. From the command prompt, run dnscmd and specify the /enlistdirectorypartton parameter.
D. Create a new delegaton in the DomainDnsZones applicaton directory partton.
Aoswern A
Explanatonn
Practcally the same queston as D/Q25 and K/Q17, diferent set of answers.
To control which servers get a copy of the zone we have to store the zone in an applicaton directory partton.
That applicaton directory partton must be created before we create the zone, otherwise it won't work. So that's
what we have to do frst. Directory parttons are also called naming contexts and we can create one using ntdsutl.
Here I tried to create a zone with dnscmd /zoneadd. It failed because the directory partton I wanted to use did not
exist yet. To fx that I used ntdsutl to create the directory partton dc=venomous,dc=contoso,dc=com.
Note that aoer creatng it a new naming context had been added. Then, aoer a minute or two, I tried to create the
new zone again, and this tme it worked.
________________________________________________________________________________________________
Page No | 65
Reference 1n
Store Data in an AD DS Applicaton Partton
You can store Domain Name System (DNS) zones in the domain or applicaton directory parttons of Actve Directory
Domain Services (AD DS). An applicaton directory partton is a data structure in AD DS that distnguishes data for
diferent replicaton purposes. When you store a DNS zone in an applicaton directory partton, you can control the
zone replicaton scope by controlling the replicaton scope of the applicaton directory partton.
Reference 2n
Partton management
Manages directory parttons for Actve Directory Domain Services (AD DS) or Actve Directory Lightweight Directory
Services (AD LDS).
This is a subcommand of Ntdsutl and Dsmgmt.
Examples To create an applicaton directory partton named AppPartton in the contoso.com domain, complete the
following stepsn
1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, rightclick
________________________________________________________________________________________________
Page No | 66
Command Prompt, and then click Run as administrator.

2. Typen ntdsutl
3. Typen Ac in ntds
4. Typen partton management
5. Typen connectons
6. Typen Connect to server DC_Name
7. Typen quit
8. Typen list
The following parttons will be listedn
0 CN=Confguraton,DC=Contoso,DC=com
1 DC=Contoso,DC=com
2 CN=Schema,CN=Confguraton,DC=Contoso,DC=com
3 DC=DomainDnsZones,DC=Contoso,DC=com
4 DC=ForestDnsZones,DC=Contoso,DC=com
9. At the partton management prompt, typen create nc dc=AppPartton,dc=contoso,dc=com
ConDc1.contoso.com
10. Run the list command again to refresh the list of parttons.
Question 51
You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is confgured as a DNS Server for
contoso.com.
You install the DNS Server role on a member server named Server1 and then you create a standard secondary zone for
contoso.com.
You confgure DC1 as the master server for the zone.
You need to ensure that Server1 receives zone updates from DC1.
What should you do?
A. On DC1, modify the permissions of contoso.com zone.

B. On Server1, add a conditonal forwarder.
C. On DC1, modify the zone transfer setngs for the contoso.com zone.
D. Add the Server1 computer account to the DNSUpdateProxy group.
Aoswern C
Explanatonn
Referencen
Modify Zone Transfer Setngs
You can use the following procedure to control whether a zone will be transferred to other servers and which servers
can receive the zone transfer.
To modify zone transfer setngs using the Windows interface
1. Open DNS Manager.
2. Right-click a DNS zone, and then click Propertes.
3. On the Zone Transfers tab, do one of the followingn
To disable zone transfers, clear the Allow zone transfers check box.
To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the followingn
To allow zone transfers to any server, click To any server.
To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on
the Name Servers tab.
________________________________________________________________________________________________
Page No | 67
To allow zone transfers only to specifc DNS servers, click Only to the following servers, and then add the IP address of
one or more DNS servers.
Question 52
Your company has an Actve Directory domain. All servers run Windows Server 2008 R2. Your company runs an
Enterprise Root certfcaton authority (CA).
You need to ensure that only administrators can sign code.
A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted Publishers.
B. Modify the security setngs on the template to allow only administrators to request code signing certfcates.
C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certfcates and allow only
administrators to apply the policy.
D. Publish the code signing template.
Aoswern B, D
Explanatonn
htpn//techblog.mirabito.net.au/?p=297
Generatng and working with code signing certfcates
A code signing certfcate is a security measure designed to assist in the preventon of malicious code executon. The
intenton is that code must be “signed” with a certfcate that is trusted by the machine on which the code is
executed. The trust is verifed by contactng the certfcaton authority for the certfcate, which could be either a local
(on the machine itself, such as a self-signed certfcate), internal (on the domain, such as an enterprise certfcaton
authority) or external certfcaton authority (third party, such as Verisign or Thawte).
For an Actve Directory domain with an enterprise root certfcaton authority, the enterprise root certfcaton
authority infrastructure is trusted by all machines that are a member of the Actve Directory domain, and therefore
any certfcates issued by this certfcaton authority are automatcally trusted.
In the case of code signing, it may be necessary also for the issued certfcate to be in the “Trusted Publishers” store of
the local machine in order to avoid any prompts upon executng code, even if the certfcate was issued by a trusted
certfcaton authority. Therefore, it is required to ensure that certfcates are added to this store where user
interacton is unavailable, such as running automated processes that call signed code.
A certfcate can be assigned to a user or a computer, which will then be the “publisher” of the code in queston.
Generally, this should be the user, and the user will then become the trusted publisher. As an example, members of
the development team in your organisaton will probably each have their own code signing certfcate, which would
all be added to the “Trusted Publishers” store on the domain machines. Alternatvely, a special domain account might
exist specifcally for signing code, although one of the advantages of code signing is to be able to determine the
person who signed it.
Question 53
Your company has an Actve Directory forest.

You plan to install an Enterprise certfcaton authority (CA) on a dedicated stand-alone server.
When you atempt to add the Actve Directory Certfcate Services (AD CS) role, you fnd that the Enterprise CA opton
is not available.
You need to install the AD CS role as an Enterprise CA.
A. Add the DNS Server role.
________________________________________________________________________________________________
Page No | 68
B. Add the Actve Directory Lightweight Directory Service (AD LDS) role.
C. Add the Web server (IIS) role and the AD CS role.
D. Join the server to the domain.
Aoswern D
Explanatonn
Actve Directory Certfcate Services Step-by-Step Guide
htpn//kazmierczak.eu/itblog/2012/09/23/enterprise-ca-opton-is-greyed-out-unavailable/
Enterprise CA opton is greyed out / unavailable
Many tmes, administrators ask me what to do when installing Actve Directory Certfcate Services they cannot
choose to install Enterprise Certfcaton Authority, because it’s unavailable as in following picturen
Well, you need to fulfll basic requirementsn

Server machine has to be a member server (domain joined).
You can run an Enterprise CA on the Standard, Enterprise, or Data Center Windows Editon. The diference is the
number of ADCS features and components that can be enabled. To get full functonality, you need to run on
Enterprise or Data Center Windows Server 2008 /R2/ Editons. It includes functonality like Role separaton, Certfcate
manager restrictons, Delegated enrollment agent restrictons, Certfcate enrollment across forests, Online
Responder, Network Device Enrollment. In order to install an Enterprise CA, you must be a member of either
Enterprise Admins or Domain Admins in the forest root domain (either directly or through a group nestng).
If issue stll persists, there is probably a problem with getng correct credentals of your account. There are many
thing that can cause it (network blockage, domain setngs, server confguraton, and other issues). In all cases I got,
this troubleshootng helped perfectlyn
First of all, carefully check all above requirements.
________________________________________________________________________________________________
Page No | 69
Secondly, install all available patches and Service Packs with Windows Update before trying to install Enterprise CA.
Check network setngs on the CA Server. If there is no DNS setng, Certfcate
Authority Server cannot resolve and fnd domain.
Sufcient privileges for writng the Enterprise CA confguraton informaton in AD confguraton partton are required.
Determine if you are a member of the Enterprise Admins or Domain Admins in the forest root domain. Think about
the account you are currently trying to install ADCS with. In fact, you may be sure, that your account is in Enterprise
Admins group, but check this how CA Server “sees” your account membership by typing whoami /groups.
You also need to be a member of local Administrators group. If you are not, you wouldn’t be able to run Server
Manager, but stll needs to be checked.
View Cngwindowsgcertocm.log fle. There you can fnd helpful details on problems with group membership. For
example status of ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS indicates that needed memberships
are not correct.
Don’t forget to check event viewer on CA Server side and look for red lines.
Verify that network devices or sooware&hardware frewalls are not blocking access from/to server and Domain
Controllers. If so, Certfcate Authority Server may not be communicatng correctly with the domain. To check that,
simply run nltest /sc_verifynDomainName
Check also whether Server CA is connected to a writable Domain Controller.
Enterprise Admins groups is the most powerful group and has ADCS required full control permissions, but who knows
– maybe someone changed default permissions? Run adsiedit.msc on Domain Controller, connect to default context
and frst of all check if CN=Public Key
Service,CN=Services,CN=Confguraton,DC=Your,DC=Domain,DC=Com container does exist. If so, check permissions
for all subcontainers under Public Key Service if Enterprise Admins group has full control permissions. The main
subcontainers to verify are Certfcate Templates, OID, KRA containers.
If no above tps help, disjoin the server from domain and join again. Ultmately reinstall operaton system on CA
Server.
Question 54
Your company has an Actve Directory domain named contoso.com. The company network has two DNS servers
named DNS1 and DNS2.
The DNS servers are confgured as shown in the following table.
Domain users, who are confgured to use DNS2 as the preferred DNS server, are unable to connect to Internet Web
sites.
You need to enable Internet name resoluton for all client computers.
What should you do?
A. Update the list of root hints servers on DNS2.

B. Create a copy of the .(root) zone on DNS1.
C. Delete the .(root) zone from DNS2. Confgure conditonal forwarding on DNS2.
D. Update the Cache.dns fle on DNS2. Confgure conditonal forwarding on DNS1.
Aoswern C
Explanatonn
How To Remove the Root Zone (Dot Zone)
When you install DNS on a Windows 2000 server that does not have a connecton to the Internet, the zone for the
________________________________________________________________________________________________
Page No | 70
domain is created and a root zone, also known as a dot zone, is also created. This root zone may prevent access to the
Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones other than those that are
listed with DNS, and you cannot confgure forwarders or root hint servers. For these reasons, you may have to remove
the root zone.
Question 55
Your network consists of a single Actve Directory domain. All domain controllers run Windows Server 2003.
You upgrade all domain controllers to Windows Server 2008.
You need to confgure the Actve Directory environment to support the applicaton of multple password policies.
What should you do?
A. Raise the functonal level of the domain to Windows Server 2008.

B. On one domain controller, run dcpromo /adv.
C. Create multple Actve Directory sites.
D. On all domain controllers, run dcpromo /adv.
Aoswern A
Explanatonn
This step-by-step guide provides instructons for confguring and applying fne-grained password and account lockout
policies for diferent sets of users in Windows Server® 2008 domains.
In Microsoo® Windows® 2000 and Windows Server 2003 Actve Directory domains, you could apply only one
password and account lockout policy, which is specifed in the domain's Default Domain Policy, to all users in the
domain. As a result, if you wanted diferent password and account lockout setngs for diferent sets of users, you had
to either create a password flter or deploy multple domains. Both optons were costly for diferent reasons.
In Windows Server 2008, you can use fne-grained password policies to specify multple password policies and apply
diferent password restrictons and account lockout policies to diferent sets of users within a single domain.
Requirements and special consideratons for fne-grained password and account lockout policies
Domain functonal leveln The domain functonal level must be set to Windows Server 2008 or higher.
Question 56
Your company has two Actve Directory forests named contoso.com and fabrikam.com.
The company network has three DNS servers named DNS1, DNS2, and DNS3. The DNS servers are confgured as
shown in the following table.
All computers that belong to the fabrikam.com domain have DNS3 confgured as the preferred DNS server. All other
computers use DNS1 as the preferred DNS server.
Users from the fabrikam.com domain are unable to connect to the servers that belong to the contoso.com domain.
You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries.
What should you do?
A. Confgure conditonal forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.
B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.
C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.
________________________________________________________________________________________________
Page No | 71
D. Confgure conditonal forwarding on DNS3 to forward contoso.com queries to DNS1.
Aoswern D
Explanatonn
Question 57
Your company, Contoso Ltd, has ofces in North America and Europe. Contoso has an Actve Directory forest that has
three domains.
You need to reduce the tme required to authentcate users from the labs.eu.contoso.com domain when they access
resources in the eng.na.contoso.com domain.
What should you do?
A. Decrease the replicaton interval for all Connecton objects.

B. Decrease the replicaton interval for the DEFAULTIPSITELINK site link.
C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com.
D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.
Aoswern C
Explanatonn
________________________________________________________________________________________________
Page No | 72
Understanding When to Create a Shortcut Trust

When to create a shortcut trust
Shortcut trusts are one-way or two-way, transitve trusts that administrators can use to optmize the authentcaton
process.
Authentcaton requests must frst travel a trust path between domain trees. In a complex forest this can take tme,
which you can reduce with shortcut trusts. A trust path is the series of domain trust relatonships that authentcaton
requests must traverse between any two domains. Shortcut trusts efectvely shorten the path that authentcaton
requests travel between domains that are located in two separate domain trees.
Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest.
Using the following illustraton as an example, you can form a shortcut trust between domain B and domain D,
between domain A and domain 1, and so on.
Using one-way trusts

A one-way, shortcut trust that is established between two domains in separate domain trees can reduce the tme that
is necessary to fulfll authentcaton requests—but in only one directon. For example, when a oneway, shortcut trust
is established between domain A and domain B, authentcaton requests that are made in domain A to domain B can
use the new one-way trust path. However, authentcaton requests that are made in domain B to domain A must stll
travel the longer trust path.
Using two-way trusts
A two-way, shortcut trust that is established between two domains in separate domain trees reduces the tme that is
necessary to fulfll authentcaton requests that originate in either domain. For example, when a two-way trust is
established between domain A and domain B, authentcaton requests that are made from either domain to the other
domain can use the new, two-way trust path.
Question 58
Your company purchases a new applicaton to deploy on 200 computers. The applicaton requires that you modify the
registry on each target computer before you install the applicaton.
The registry modifcatons are in a fle that has an .adm extension.
You need to prepare the target computers for the applicaton.
What should you do?
A. Import the .adm fle into a new Group Policy Object (GPO). Edit the GPO and link it to an organizatonal unit that
contains the target computers.
B. Create a Microsoo Windows PowerShell script to copy the .adm fle to each computer. Run the REDIRUsr
CONTAINER-DN command on each target computer.
C. Create a Microsoo Windows PowerShell script to copy the .adm fle to the startup folder of each target computer.
D. Create a Microsoo Windows PowerShell script to copy the .adm fle to each computer. Run the REDIRCmp
CONTAINER-DN command on each target computer.
Aoswern A
Explanatonn
htpn//www.petri.co.il/adding_new_administratve_templates_to_gpo.htm
________________________________________________________________________________________________
Page No | 73
Adding New Administratve Templates to a GPO

Adding .ADM fles to the Administratve Templates in a GPO
In order to add additonal .ADM fles to the existng Administratve Templates secton in GPO please follow the next
stepsn
1. Open the Group Policy Management Console (or GPMC) from the Administratve Tools folder in the Stat menu, or
by typing gpmc.msc in the Run command.
2. Right-click an existng GPO (or create an new GPO, then right-click on it) and select Edit.
Question 59
Your company has an Actve Directory forest that contains eight linked Group Policy Objects (GPOs). One of these
GPOs publishes applicatons to user objects. A user reports that the applicaton is not available for installaton.
You need to identfy whether the GPO has been applied.
What should you do?
A. Run the Group Policy Results utlity for the user.

B. Run the GPRESULT /S <system nameN /Z command at the command prompt.
C. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.
D. Run the Group Policy Results utlity for the computer.
Aoswern A
Explanatonn
Personal noten
You run the utlity for the user and not for the computer because the applicaton publishes to user objects
htpn//technet.microsoo.com/en-us/library/bb456989.aspx
How to Use the Group Policy Results (GPResult.exe) Command Line Tool
Intended for administrators, the Group Policy Results (GPResult.exe) command line tool verifes all policy setngs in
efect for a specifc user or computer. Administrators can run GPResult on any remote computer within their scope of
management. By default, GPResult returns setngs in efect on the computer on which
GPResult is run.
To run GPResult on your own computern
1. Click Start, Run, and enter cmd to open a command window.
2. Type gpresult and redirect the output to a text fle as shown in Figure 1 belown
3. Enter notepad gp.txt to open the fle. Results appear as shown in the fgure below.
________________________________________________________________________________________________
Page No | 74
Question 60
Your company has an Actve Directory domain.

You plan to install the Actve Directory Certfcate Services (AD CS) server role on a member server that runs Windows
Server 2008 R2.
You need to ensure that members of the Account Operators group are able to issue smartcard credentals.They should
not be able to revoke certfcates.
Which three actons should you perform? (Each correct answer presents part of the soluton. Choose three.)
A. Create an Enrollment Agent certfcate.

B. Create a Smartcard logon certfcate.
C. Restrict enrollment agents for the Smartcard logon certfcate to the Account Operator group.
D. Install the AD CS role and confgure it as an Enterprise Root CA.
E. Install the AD CS role and confgure it as a Standalone CA.
F. Restrict certfcate managers for the Smartcard logon certfcate to the Account Operator group.
Aoswern B, C, D
Explanatonn
AD CSn Restricted Enrollment Agent
The restricted enrollment agent is a new functonality in the Windows Server® 2008 Enterprise operatng system that
allows limitng the permissions that users designated as enrollment agents have for enrolling smart card certfcates
on behalf of other users.
What does the restricted enrollment agent do?
Enrollment agents are one or more authorized individuals within an organizaton. The enrollment agent needs to be
issued an enrollment agent certfcate, which enables the agent to enroll for smart card certfcates on behalf of users.
Enrollment agents are typically members of the corporate security, Informaton Technology (IT) security, or help desk
teams because these individuals have already been trusted with safeguarding valuable resources. In some
organizatons, such as banks that have many branches, help desk and security workers might not be conveniently
located to perform this task. In this case, designatng a branch manager or other trusted employee to act as an
________________________________________________________________________________________________
Page No | 75
enrollment agent is required to enable smart card credentals to be issued from multple locatons.
On a Windows Server 2008 Enterprise-based certfcaton authority (CA), the restricted enrollment agent features
allow an enrollment agent to be used for one or many certfcate templates. For each certfcate template, you can
choose which users or security groups the enrollment agent can enroll on behalf of. You cannot constrain an
enrollment agent based on a certain Actve Directory® organizatonal unit (OU) or container; you must use security
groups instead. The restricted enrollment agent is not available on a Windows
Enterprise certfcaton authorites
The Enterprise Administrator can install Certfcate Services to create an enterprise certfcaton authority (CA).
Enterprise CAs can issue certfcates for purposes such as digital signatures, secure e-mail using S/MIME (Secure
Multpurpose Internet Mail Extensions), authentcaton to a secure Web server using Secure Sockets Layer (SSL) or
Transport Layer Security (TLS) and logging on to a Windows Server 2003 family domain using a smart card.
An enterprise CA has the following featuresn
An enterprise CA requires the Actve Directory directory service.
When you install an enterprise root CA, it uses Group Policy to propagate its certfcate to the Trusted Root
Certfcaton Authorites certfcate store for all users and computers in the domain. You must be a Domain
Administrator or be an administrator with write access to Actve Directory to install an enterprise root CA.
Certfcates can be issued for logging on to a Windows Server 2003 family domain using smart cards. The enterprise
exit module publishes user certfcates and the certfcate revocaton list (CRL) to Actve Directory. In order to publish
certfcates to Actve Directory, the server that the CA is installed on must be a member of the Certfcate Publishers
group. This is automatc for the domain the server is in, but the server must be delegated the proper security
permissions to publish certfcates in other domains. For more informaton about the exit module, see Policy and exit
modules.
An enterprise CA uses certfcate types, which are based on a certfcate template. The following functonality is
possible when you use certfcate templatesn
Enterprise CAs enforce credental checks on users during certfcate enrollment. Each certfcate template has a
security permission set in Actve Directory that determines whether the certfcate requester is authorized to receive
the type of certfcate they have requested.
The certfcate subject name can be generated automatcally from the informaton in Actve Directory or supplied
explicitly by the requestor.
The policy module adds a predefned list of certfcate extensions to the issued certfcate. The extensions are defned
by the certfcate template. This reduces the amount of informaton a certfcate requester has to provide about the
certfcate and its intended use.
Stand-alone certfcaton authorites
You can install Certfcate Services to create a stand-alone certfcaton authority (CA). Stand-alone CAs can issue
certfcates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multpurpose
Internet Mail Extensions) and authentcaton to a secure Web server using Secure Sockets Layer (SSL) or Transport
Layer Security (TLS).
A stand-alone CA has the following characteristcsn
Unlike an enterprise CA, a stand-alone CA does not require the use of the Actve Directory directory service. Stand-
alone CAs are primarily intended to be used as Trusted Ofine Root CAs in a CA hierarchy or when extranets and the
Internet are involved. Additonally, if you want to use a custom policy module for a CA, you would frst install a stand-
alone CA and then replace the stand-alone policy module with your custom policy module.
When submitng a certfcate request to a stand-alone CA, a certfcate requester must explicitly supply all identfying
informaton about themselves and the type of certfcate that is wanted in the certfcate request. (This does not need
to be done when submitng a request to an enterprise CA, since the enterprise user's informaton is already in Actve
Directory and the certfcate type is described by a certfcate template). The authentcaton informaton for requests
is obtained from the local computer's Security Accounts Manager database.
By default, all certfcate requests sent to the stand-alone CA are set to Pending untl the administrator of the stand-
alone CA verifes the identty of the requester and approves the request. This is done for security reasons, because the
________________________________________________________________________________________________
Page No | 76
certfcate requester's credentals are not verifed by the stand-alone CA. Certfcate templates are not used.
No certfcates can be issued for logging on to a Windows Server 2003 family domain using smart cards, but other
types of certfcates can be issued and stored on a smart card.
The administrator has to explicitly distribute the stand-alone CA's certfcate to the domain user's trusted root store or
users must perform that task themselves.
When a stand-alone CA uses Actve Directory, it has these additonal featuresn
If a member of the Domain Administrators group or an administrator with write access to Actve Directory, installs a
stand-alone root CA, it is automatcally added to the Trusted Root Certfcaton Authorites certfcate store for all
users and computers in the domain. For this reason, if you install a stand-alone root CA in an Actve Directory domain,
you should not change the default acton of the CA upon receiving certfcate requests (which marks requests as
Pending). Otherwise, you will have a trusted root CA that automatcally issues certfcates without verifying the
identty of the certfcate requester.
If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the
enterprise, or by an administrator with write access to Actve Directory, then the stand-alone CA will publish its CA
certfcate and the certfcate revocaton list (CRL) to Actve Directory.
Question 61
You create 200 new user accounts. The users are located in six diferent sites. New users report that they receive the
following error message when they try to log onn "The username or password is incorrect." You confrm that the user
accounts exist and are enabled. You also confrm that the user name and password informaton supplied are correct.
You need to identfy the cause of the failure. You also need to ensure that the new users are able to log on.
Which utlity should you run?
A. Actve Directory Domains and Trusts

B. Repadmin
C. Rstools
D. Rsdiag
Aoswern B
Repadmin allows us to check the replicaton status and also allows us to force a replicaton between domain
controllers.
Referencen
Repadmin /replsummary
Identfes domain controllers that are failing inbound replicaton or outbound replicaton, and summarizes the results
in a report.
Repadmin /showrepl
Displays the replicaton status when the specifed domain controller last atempted to perform inbound replicaton on
Actve Directory parttons.
Repadmin /syncall Synchronizes a specifed domain controller with all replicaton partners.
Question 62
Your network contains an Actve Directory forest. All domain controllers run Windows Server 2008 R2 and are
confgured as DNS servers.
You have an Actve Directory-integrated zone for contoso.com.
You have a Unix-based DNS server.
You need to confgure your Windows Server 2008 R2 environment to allow zone transfers of the contoso.com zone to
________________________________________________________________________________________________
Page No | 77
the Unix-based DNS server.

What should you do in the DNS Manager console?
A. Enable BIND secondaries

B. Create a stub zone
C. Disable recursion
D. Create a secondary zone
Aoswern A
Explanatonn
htpn//skibbz.com/understanding-of-advance-propertes-setngs-in-window-server-2003-and-2008-dns-serverbind-
secondaries/
Understanding Of Advance Propertes Setngs In Window Server 2003 And 2008 DNS Server (BIND Secondaries)
BIND Secondaries controls the zone transfer between diferent vendor DNS server. It help verifes the type of format
used zone transfer, whether it is fast or slow transfer (zone transfer). The full mean of BIND is Berkeley Internet Name
domain (BIND). BIND is a based on UNIX operatng system.
Two window servers do not required BIND. BIND is only required when transfer dns zone between two diferent dns
server vendors (UNIX and Microsoo Window). If you are using only Window server for dns and zone transfer you will
have to disable this opton in the window dns server. However if you want the server to perform a slow zone transfer
and uncompressed data transfer then you will have to enable BIND in the dns server.
To reiterate, BIND only provide slow dns zone transfer and data compression mechanism for DNS server.
BIND is understood to have been introduced in window server to support UNIX.
System admin will normally disable this opton if they want the data in their dns zone transfer to between primary
and secondary dns server to be transfer faster in order to improve dns queries efciency within their network
environment
Bind is used in a DNS window server, when the needs to confgured zone transfer between window server and UNIX
server or operatve system.
Bind is enabled when a window server is confgured as a primary dns server and a UNIX computer is confgured as a
secondary dns server for zone transfer.
BIND Secondaries need to be confgured to mitgate, the problem of interoperability between the two server
operatng system since they are from diferent vendors.
Note that old version of the BIND was noted to be very slow and uses an uncompressed zone transfer format.
However, BIND in window server 2008 and later has improved this problem. This is because it was noted that
BIND in window server 2008 and later uses faster, compressed format during zone transfer between primary and
secondary DNS server confgured in for diferent server operatng system (UNIX and Window server).
Question 63
Your company has an Actve Directory domain.

You log on to the domain controller. The Actve Directory Schema snap-in is not available in the Microsoo
Management Console (MMC).
You need to access the Actve Directory Schema snap-in.
What should you do?
A. Add the Actve Directory Lightweight Directory Services (AD LDS) role to the domain controller by using Server
Manager.
B. Log of and log on again by using an account that is a member of the Schema Administrators group.
C. Use the Ntdsutl.exe command to connect to the Schema Master operatons master and open the schema for
writng.
D. Register Schmmgmt.dll.
________________________________________________________________________________________________
Page No | 78
Aoswern D
Explanatonn
Install the Actve Directory Schema Snap-In
You can use this procedure to frst register the dynamic-link library (DLL) that is required for the Actve Directory
Schema snap-in. You can then add the snap-in to Microsoo Management Console (MMC).
To install the Actve Directory Schema snap-in
1. To open an elevated command prompt, click Start, type command prompt and then right-click Command
Prompt when it appears in the Start menu. Next, click Run as administrator and then click OK.
To open an elevated command prompt in Windows Server 2012, click Start, type cmd, right click cmd and then click
Run as administrator.
2. Type the following command, and then press ENTERn
regsvr32 schmmgmt.dll
3. Click Start, click Run, type mmc and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. Under Available snap-ins, click Actve Directory Schema, click Add and then click OK.
6. To save this console, on the File menu, click Save.
7. In the Save As dialog box, do one of the followingn
* To place the snap-in in the Administratve Tools folder, in File name, type a name for the snap-in, and then click
Save.
* To save the snap-in to a locaton other than the Administratve Tools folder, in Save in navigate to a locaton for the
snap-in. In File name, type a name for the snap-in, and then click Save
Question 64
Your company has a server that runs Windows Server 2008 R2. Actve Directory Certfcate Services (AD CS) is
confgured as a standalone Certfcaton Authority (CA) on the server.
You need to audit changes to the CA confguraton setngs and the CA security setngs.
A. Confgure auditng in the Certfcaton Authority snap-in.

B. Enable auditng of successful and failed atempts to change permissions on fles in the %SYSTEM32%
gCertSrv directory.
C. Enable auditng of successful and failed atempts to write to fles in the %SYSTEM32%gCertLog directory.
D. Enable the Audit object access setng in the Local Security Policy for the Actve Directory Certfcate Services (AD
CS) server.
Aoswern A, D
Explanatonn
Confgure CA Event Auditng
You can audit a variety of events relatng to the management and actvites of a certfcaton authority (CA)n
Back up and restore the CA database.
Change the CA confguraton.
Change CA security setngs.
Issue and manage certfcate requests.
Revoke certfcates and publish certfcate revocaton lists (CRLs).
________________________________________________________________________________________________
Page No | 79
Store and retrieve archived keys.

Start and stop Actve Directory Certfcate Services (AD CS).
To confgure CA event auditng
1. Open the Certfcaton Authority snap-in.
2. In the console tree, click the name of the CA.
4. On the Auditng tab, click the events that you want to audit, and then click OK.
5. On the Acton menu, point to All Tasks, and then click Stop Service.
6. On the Acton menu, point to All Tasks, and then click Start Service.
Additonal consideratons
To audit events, the computer must also be confgured for auditng of object access. Audit policy optons can be
viewed and managed in local or domain Group Policy under Computer ConfguratongWindows SetngsgSecurity
SetngsgLocal Policies.
Question 65
Your company has a single-domain Actve Directory forest. The functonal level of the domain is Windows Server
2008.
You perform the following actvitesn
Create a global distributon group.
Add users to the global distributon group.
Create a shared folder on a Windows Server 2008 member server.
Place the global distributon group in a domain local group that has access to the shared folder.
You need to ensure that the users have access to the shared folder.
What should you do?
A. Add the global distributon group to the Domain Administrators group.

B. Change the group type of the global distributon group to a security group.
C. Change the scope of the global distributon group to a Universal distributon group.
D. Raise the forest functonal level to Windows Server 2008.
Aoswern B
Explanatonn
htpn//kb.iu.edu/data/ajlt.html
In Microsoo Actve Directory, what are security and distributon groups?
In Microsoo Actve Directory, when you create a new group, you must select a group type. The two group types,
security and distributon, are described belown
Securityn Security groups allow you to manage user and computer access to shared resources. You can also control
who receives group policy setngs. This simplifes administraton by allowing you to set permissions once on multple
computers, then to change the membership of the group as your needs change. The change in group membership
automatcally takes efect everywhere. You can also use these groups as email distributon lists.
Distributonn Distributon groups are intended to be used solely as email distributon lists. These lists are for use with
email applicatons such as Microsoo Exchange or Outlook. You can add and remove contacts from the list so that they
will or will not receive email sent to the distributon group. You can't use distributon groups to assign permissions on
any objects, and you can't use them to flter group policy setngs.
Group types
Question 66
________________________________________________________________________________________________
Page No | 80
Your company hires 10 new employees.

You want the new employees to connect to the main ofce through a VPN connecton.
You create new user accounts and grant the new employees they Allow Read and Allow Execute permissions to
shared resources in the main ofce.
The new employees are unable to access shared resources in the main ofce.
You need to ensure that users are able to establish a VPN connecton to the main ofce.
What should you do?
A. Grant the new employees the Allow Access Dial-in permission.

B. Grant the new employees the Allow Full control permission.
C. Add the new employees to the Remote Desktop Users security group.
D. Add the new employees to the Windows Authorizaton Access security group.
Aoswern A
Explanatonn
Dial-in propertes of a user account
The dial-in propertes for a user account aren
Remote Access Permission (Dial-in or VPN)
You can use this property to set remote access permission to be explicitly allowed, denied, or determined through
remote access policies. In all cases, remote access policies are used to authorize the connecton atempt. If access is
explicitly allowed, remote access policy conditons, user account propertes, or profle propertes can stll deny the
connecton atempt.
Question 67
You need to identfy the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amount of
available CPU resources on a domain controller.
What should you do?
A. Review performance data in Resource Monitor.

B. Review the Hardware Events log in the Event Viewer.
C. Run the Actve Directory Diagnostcs Data Collector Set. Review the Actve Directory Diagnostcs report.
D. Run the LAN Diagnostcs Data Collector Set. Review the LAN Diagnostcs report.
Aoswern C
Explanatonn
htpn//servergeeks.wordpress.com/2012/12/31/actve-directory-diagnostcs/
Actve Directory Diagnostcs
Prior to Windows Server 2008, troubleshootng Actve Directory performance issues ooen required the installaton of
SPA. SPA is helpful because the Actve Directory data set collects performance data and it generates XML based
diagnostc reports that make analyzing AD performance issues easier by identfying the IP addresses of the highest
volume callers and the type of network trafc that is placing the most loads on the CPU.
Download SPA tooln htpn//www.microsoo.com/en-us/download/details.aspx?id=15506
Now the same functonality has been built into Windows Server 2008 and Windows Server 2008 R2 and you don’t
have to install SPA anymore.
________________________________________________________________________________________________
Page No | 81
This performance feature is located in the Server Manager snap-in under the Diagnostcs node and when the Actve
Directory Domain Services Role is installed the Actve Directory Diagnostcs data collector set is automatcally created
under System as shown here.
When you will check the propertes of the collector you will notce that the data is stored under %systemdrive
%gperfogs, only now it is under the gADDS folder and when a data collecton is run it creates a new subfolder called
YYYYMMDD-#### where YYYY = Year, MM = Month and DD=Day and #### starts with 0001 . Actve Directory
Diagnostcs data collector set runs for a default of 5 minutes. This duraton period cannot be modifed for the built-in
collector. However, the collecton can be stopped manually by clicking the Stop buton or from the command line.
________________________________________________________________________________________________
Page No | 82
To start the data collector set, you just have to right click on Actve Directory Diagnostcs data collector set and select
Start. Data will be stored at %systemdrive%gperfogs locaton.
Once you’ve gathered your data, you will have these interestng and useful reports under Report secton, to aid in
your troubleshootng and server performance trending.
________________________________________________________________________________________________
Page No | 83
Further informatonn
Monitoring Your Branch Ofce Environment
htpn//blogs.technet.com/b/askds/archive/2010/06/08/son-of-spa-ad-data-collector-sets-in-win2008-
andbeyond.aspx
Son of SPAn AD Data Collector Sets in Win2008 and beyond
Question 68
Your company has an Actve Directory forest that contains only Windows Server 2008 domain controllers.
You need to prepare the Actve Directory domain to install Windows Server 2008 R2 domain controllers.
A. Run the adprep /domainprep command.

B. Raise the forest functonal level to Windows Server 2008.
C. Raise the domain functonal level to Windows Server 2008.
D. Run the adprep /forestprep command.
Aoswern A, D
Explanatonn
htpn//www.petri.co.il/prepare-for-server-2008-r2-domain-controller.htm
Prepare your Domain for the Windows Server 2008 R2 Domain Controller
Before installing the frst Windows Server 2008 R2 domain controller (DC) into an existng Windows 2000, Windows
Server 2003 or Windows Server 2008 domain, you must prepare the AD forest and domain. You do so by running a
tool called ADPREP.
ADPREP extends the Actve Directory schema and updates permissions as necessary to prepare a forest and domain
for a domain controller that runs the Windows Server 2008 R2 operatng system.
Noten You may remember that ADPREP was used on previous operatng systems such as Windows Server 2003,
________________________________________________________________________________________________
Page No | 84
Windows Server 2003 R2 and Windows Server 2008. This artcle focuses on Windows Server 2008 R2.
What does ADPREP do? ADPREP has parameters that perform a variety of operatons that help prepare an existng
Actve Directory environment for a domain controller that runs Windows Server 2008 R2. Not all versions of ADPREP
perform the same operatons, but generally the diferent types of operatons that ADPREP can perform include the
followingn
Updatng the Actve Directory schema
Updatng security descriptors
Modifying access control lists (ACLs) on Actve Directory objects and on fles in the SYSVOL shared folder
Creatng new objects, as needed
Creatng new containers, as needed
To prepare the forest and domain for the installaton of the frst Windows Server 2008 R2 domain controller please
perform these tasksn
Lamer noten The following tasks are required ONLY before adding the frst Windows Server 2008 R2 domain controller.
If you plan on simply joining a Windows Server 2008 R2 Server to the domain and confguring as a regular member
server, none of the following tasks are required.
Another lamer noten Please make sure you read the system requirements for Windows Server 2008 R2. For example,
you cannot join a Windows Server 2008 R2 server to a Windows NT 4.0 domain, not can it partcipate as a domain
controller in a mixed domain. If any domain controllers in the forest are running Windows 2000 Server, they must be
running Service Pack 4 (SP4).
First, you should review and understand the schema updates and other changes that ADPREP makes as part of the
schema management process in Actve Directory Domain Services (AD DS). You should test the ADPREP schema
updates in a lab environment to ensure that they will not confict with any applicatons that run in your environment.
You must make a system state backup for your domain controllers, including the schema master and at least one other
domain controller from each domain in the forest (you do have backups, don't you?). Also, make sure that you can log
on to the schema master with an account that has sufcient credentals to run adprep /forestprep. You must be a
member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain
that hosts the schema master, which is, by default, the forest root domain.
Next, insert the Windows Server 2008 R2 DVD media into your DVD drive. Note that if you do not have the media
handy, you may use the evaluaton version that is available to download from Microsoo's website.
If you only have the ISO fle and do not want to or cannot actually burn it to a physical DVD media, you can mount it by
using a virtual ISO mountng tool such as MagicIso (can Convert BIN to ISO, Create, Edit, Burn, Extract ISO fle, ISO/BIN
converter/extractor/editor).
Browse to the Xngsupportgadprep folder, where Xn is the drive leter of your DVD drive. Find a fle called adprep.exe or
adprep32.exe.
Noten Unlike in Windows Server 2008 where you had to use either the 32-bit or 64-bit installaton media to get the
right version of ADPREP, Windows Server 2008 R2 ADPREP is available in a 32-bit version and a 64-bit version. The 64-
bit version runs by default. If you need to run ADPREP on a 32-bit computer, run the 32-bit version (adprep32.exe).
________________________________________________________________________________________________
Page No | 85
To perform this procedure, you must use an account that has membership in all of the following groupsn
Enterprise Admins
Schema Admins
Domain Admins for the domain that contains the schema master
Open a Command Prompt window by typing CMD and pressing ENTER in the Run menu.
Drag the adprep.exe fle from the Windows Explorer window to the Command Prompt window. Naturally, if you want,
you can always manually type the path of the fle in the Command Prompt window if that makes you feel beter...
Noten You must run adprep.exe from an elevated command prompt. To open an elevated command prompt, click
Start, right-click Command Prompt, and then click Run as administrator.
Noten If your existng DCs are Windows Server 2008, dragging and dropping into a Command Prompt window will not
work, as that feature was intentonally disabled in windows Server 2008 and Windows Vista.
In the Command Prompt window, type the following commandn adprep /forestprep
You will be prompted to type the leter "c" and then press ENTER. Aoer doing so, process will begin.
________________________________________________________________________________________________
Page No | 86
ADPREP will take several minutes to complete. During that tme, several LDF fles will be imported into the AD
Schema, and messages will be displayed in the Command Prompt window. File sch47.ldf seems to be the largest one.
When completed, you will receive a success message.
________________________________________________________________________________________________
Page No | 87
Noten As mentoned above, ADPREP should only be run on an existng DC. When trying to run it from a non-DC, you
will get this errorn
Adprep cannot run on this platorm because it is not an Actve Directory Domain Controller.
[Status/Consequence]
Adprep stopped without making any changes.
[User Acton]
Run Adprep on a Actve Directory Domain Controller.
Allow the operaton to complete, and then allow the changes to replicate throughout the forest before you prepare
any domains for a domain controller that runs Windows Server 2008 R2.
In the Command Prompt window, type the following commandn adprep /domainprep
Process will take less than a second.
ADPREP must only be run in a Windows 2000 Natve Mode or higher. If you atempt to run in Mixed Mode you will get
this errorn
________________________________________________________________________________________________
Page No | 88
Adprep detected that the domain is not in natve mode

[Status/Consequence]
Adprep has stopped without making changes.
[User Acton]
Confgure the domain to run in natve mode and re-run domainprep
If you're running a Windows 2008 Actve Directory domain, that's it, no additonal tasks are needed.
If you're running a Windows 2000 Actve Directory domain, you must also the following commandn adprep
/domainprep /gpprep
If you're running a Windows 2003 Actve Directory domain, that's it, no additonal tasks are needed. However, if
you're planing to run Read Only Domain controllers (RODCs), you must also type the following commandn adprep
/rodcprep
If you already ran this command for Windows Server 2008, you do not need to run it again for Windows Server 2008
R2.
Process will complete in less than a second.
To verify that adprep /forestprep completed successfully please perform these stepsn
1. Log on to an administratve workstaton that has ADSIEdit installed. ADSIEdit is installed by default on domain
controllers that run Windows Server 2008 or Windows Server 2008 R2. On Windows Server 2003 you must install the
Resource Kit Tools.
2. Click Start, click Run, type ADSIEdit.msc, and then click OK.
3. Click Acton, and then click Connect to.
4. Click Select a well known Naming Context, select Confguraton in the list of available naming contexts, and then
click OK.
5. Double-click Confguraton, and then double-click CN=Confguraton, DC=forest_root_domain where
forest_root_domain is the distnguished name of your forest root domain.
6. Double-click CN=ForestUpdates.
7. Right-click CN=ActveDirectoryUpdate, and then click Propertes.
________________________________________________________________________________________________
Page No | 89
8. If you ran adprep /forestprep for Windows Server 2008 R2, confrm that the Revision atribute value is 5, and then
click OK.
9. Click ADSI Edit, click Acton, and then click Connect to.
10. Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click
OK.
11. Double-click Schema.
12. Right-click CN=Schema,CN=Confguraton,DC=forest_root_domain, and then click Propertes.
________________________________________________________________________________________________
Page No | 90
13. If you ran adprep /forestprep for Windows Server 2008 R2, confrm that the objectVersion atribute value is set to
47, and then click OK.
Question 69
You need to identfy all failed logon atempts on the domain controllers.
What should you do?
A. View the Netlogon.log fle.

B. View the Security tab on the domain controller computer object.
C. Run Event Viewer.
D. Run the Security and Confguraton Wizard.
________________________________________________________________________________________________
Page No | 91
Aoswern C
Explanatonn
Security Event Descriptons
This artcle contains descriptons of various security-related and auditng- related events, and tps for
interpretng them.
These events will all appear in the Security event log and will be logged with a source of "Security."
Event IDn 529
Typen Failure Audit
Descriptonn Logon Failuren
Reasonn Unknown user name or bad password
User Namen %1 Domainn %2
Logon Typen %3 Logon Processn %4
Authentcaton Packagen %5 Workstaton Namen %6
Event IDn 530
Typen Failure Audit
Reasonn Account logon tme restricton violaton
Event IDn 531
Typen Failure Audit
Reasonn Account currently disabled
Event IDn 532
Typen Failure Audit
Reasonn The specifed user account has expired
Event IDn 533
Typen Failure Audit
Reasonn User not allowed to logon at this computer
Event IDn 534
Typen Failure Audit
Reasonn The user has not been granted the requested logon
type at this machine
________________________________________________________________________________________________
Page No | 92

Event IDn 535
Typen Failure Audit
Reasonn The specifed account's password has expired
Event IDn 536
Typen Failure Audit
Reasonn The NetLogon component is not actve
Event IDn 537
Typen Failure Audit
Reasonn An unexpected error occurred during logon
Question 70
Your company has a DNS server that has 10 Actve Directory integrated zones.
You need to provide copies of the zone fles of the DNS server to the security department.
What should you do?
A. Run the dnscmd /ZoneInfo command.

B. Run the ipconfg /registerdns command.
C. Run the dnscmd /ZoneExport command.
D. Run the ntdsutl N Partton Management N List commands.
Aoswern C
Explanatonn
htpn//servergeeks.wordpress.com/2012/12/31/dns-zone-export/
DNS Zone Export
In Non-AD Integrated DNS Zones
DNS zone fle informaton is stored by default in the %systemroot%gwindowsgsystem32gdns folder. When the DNS
Server service starts it loads zones from these fles. This behavior is limited to any primary and secondary zones that
are not AD integrated. The fles will be named as <ZoneFQDNN.dns.
________________________________________________________________________________________________
Page No | 93
In AD Integrated DNS Zones

AD-integrated zones are stored in the directory they do not have corresponding zone fles i.e. they are not stored as
.dns fles. This makes sense because the zones are stored in, and loaded from, the directory. Now it is important task
for us to take a backup of these AD integrated zones before making any changes to DNS infrastructure. Dnscmd.exe
can be used to export the zone to a fle. The syntax of the command isn
DnsCmd <ServerNameN /ZoneExport <ZoneNameN <ZoneExportFileN
<ZoneNameN — FQDN of zone to export
/Cache to export cache
As an example, let’s say we have an AD integrated zone named habib.local, our DC is server1. The command to export
the fle would ben
Dnscmd server1 /ZoneExport habib.local habib.local.bak
________________________________________________________________________________________________
Page No | 94
You can refer to a complete artcle on DNSCMD in Microsoo TechNet website

htpn//technet.microsoo.com/en-us/library/cc772069(v=ws.10).aspx
Question 71
Your company has an Actve Directory forest. The company has three locatons. Each locaton has an organizatonal
unit and a child organizatonal unit named Sales.
The Sales organizatonal unit contains all users and computers of the sales department.
The company plans to deploy a Microsoo Ofce 2007 applicaton on all computers within the three Sales
You need to ensure that the Ofce 2007 applicaton is installed only on the computers in the Sales organizatonal
units.
What should you do?
A. Create a Group Policy Object (GPO) named SalesAPP GPO. Confgure the GPO to assign the applicaton to the
computer account. Link the SalesAPP GPO to the domain.
B. Create a Group Policy Object (GPO) named SalesAPP GPO. Confgure the GPO to assign the applicaton to the user
account. Link the SalesAPP GPO to the Sales organizatonal unit in each locaton.
C. Create a Group Policy Object (GPO) named SalesAPP GPO. Confgure the GPO to assign the applicaton to the
computer account. Link the SalesAPP GPO to the Sales organizatonal unit in each locaton.
D. Create a Group Policy Object (GPO) named SalesAPP GPO. Confgure the GPO to publish the applicaton to the user
account. Link the SalesAPP GPO to the Sales organizatonal unit in each locaton.
Aoswern C
Question 72
Your company has a main ofce and 10 branch ofces. Each branch ofce has an Actve Directory site that contains
one domain controller. Only domain controllers in the main ofce are confgured as Global Catalog servers.
You need to deactvate the Universal Group Membership Caching (UGMC) opton on the domain controllers in the
branch ofces.
At which level should you deactvate UGMC?
A. Server
B. Connecton object
C. Domain
D. Site
________________________________________________________________________________________________
Page No | 95
Aoswern D
Explanatonn
htpn//www.ntweekly.com/?p=788
Question:iw Ti
Eoable
Or Disable Universal Group Membership Caching Windows Server 2008
Aoswern Uoiversal
Griup Membership
Cachiog eoables us ti
alliw users ti lig io
ti the oetwir
without contactng a Global Catalog server, this is recommended to use in remote sites without global a catalog
server. To enable or disable Universal Group Membership Caching follow the steps belown Open Actve Directory Sites
And Service -N Go to the site you need to enable or disable the feature -N Right click on the NTDS Site Setngs and
Click on Propertes
Tick the Box next to Enable Universal Group Membership Caching to Enable or Disable.
________________________________________________________________________________________________
Page No | 96
htpn//gallery.technet.microsoo.com/scriptcenter/c1bd08d2-1440-40f8-95be-ad2050674d91
Script to Disable Universal Group Membership Caching in all Sites
How to Disable Universal Group Membership Caching in all Sites using a Script
Startng with Windows Server 2003, a new feature called Universal Group Membership Caching (UGMC) caches a
user’s membership in Universal Groups on domain controllers authentcatng the user. This feature allows a domain
controller to have knowledge of Universal Groups a user is member of rather than contactng a Global Catalog.
Unlike Global group memberships, which are stored in each domain, Universal Group memberships are only stored in
a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domain that is set to the
Windows 2000 natve domain functonal level or higher, the Global Catalog provides Universal Group membership
informaton for the user’s account at the tme the user logs on to the domain to the authentcatng domain controller.
UGMC is generally a good idea for multple domain forests whenn
1. Universal Group membership does not change frequently.
2. Low WAN bandwidth between Domain Controllers in diferent sites.
It is also recommended to disable UGMC if all Domain Controllers in a forest are Global Catalogs.
Question 73
Your network consists of a single Actve Directory domain. All domain controllers run Windows Server 2003.
You upgrade all domain controllers to Windows Server 2008 R2.
You need to ensure that the Sysvol share replicates by using DFS Replicaton (DFS-R).
What should you do?
A. From the command prompt, run dfsutl /addrootnsysvol.

B. From the command prompt, run netdom /reset.
C. From the command prompt, run dcpromo /unatendnunatendfle.xml.
________________________________________________________________________________________________
Page No | 97
D. Raise the functonal level of the domain to Windows Server 2008 R2.
Aoswern D
Explanatonn
Introducton to Administering DFS-Replicated SYSVOL
SYSVOL is a collecton of folders that contain a copy of the domain’s public fles, including system policies, logon
scripts, and important elements of Group Policy objects (GPOs). The SYSVOL directory must be present and the
appropriate subdirectories must be shared on a server before the server can advertse itself on the network as a
domain controller. Shared subdirectories in the SYSVOL tree are replicated to every domain controller in the domain.
Noten
For Group Policy, only the Group Policy template (GPT) is replicated through SYSVOL replicaton. The
Group Policy container (GPC), which is stored in the domain, is replicated through Actve Directory replicaton. For
Group Policy to be efectve, both parts must be available on a domain controller.
Using DFS Replicaton for replicatng SYSVOL in Windows Server 2008
Distributed File System (DFS) Replicaton is a replicaton service that is available for replicatng
SYSVOL to all domain controllers in domains that have the Windows Server 2008 domain functonal level. DFS
Replicaton was introduced in Windows Server 2003 R2. However, on domain controllers that are running Windows
Server 2003 R2, SYSVOL replicaton is performed by the File Replicaton Service (FRS).
Question 74
Your company has a main ofce and a branch ofce that are confgured as a single Actve Directory forest. The
functonal level of the Actve Directory forest is Windows Server 2003. There are four Windows Server 2003 domain
controllers in the main ofce.
You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch ofce.
A. Raise the functonal level of the forest to Windows Server 2008.

B. Deploy a Windows Server 2008 domain controller at the main ofce.
C. Raise the functonal level of the domain to Windows Server 2008.
D. Run the adprep/rodcprep command.
Aoswern B, D
Explanatonn
Prerequisites for Deploying an RODC
Complete the following prerequisites before you deploy a read-only domain controller (RODC)n
Ensure that the forest functonal level is Windows Server 2003 or higher
Run Adprep.exe commands to prepare your existng forest and domains for domain controllers that run Windows
Server 2008 or Windows Server 2008 R2. The adprep commands extend the Actve Directory schema and update
security descriptors so that you can add the new domain controllers. There are diferent versions of Adprep.exe for
Windows Server 2008 and Windows Server 2008 R2.
1. Prepare the forest and domains. There are three adprep commands to complete and have the changes replicate
throughout the forest. Run the three commands as followsn
* Prepare the forest by running adprep /forestprep on the server that holds the schema master operatons master
(also known as fexible single master operatons or FSMO) role to update the schema.
* Prepare the domain by running adprep /domainprep /gpprep on the server that holds the infrastructure operatons
________________________________________________________________________________________________
Page No | 98
master role.
* If you are installing an RODC in an existng Windows Server 2003 domain, you must also run adprep /rodcprep.
2. Install Actve Directory Domain Services (AD DS). You can install AD DS by using a wizard, the command line, or an
answer fle.
Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the same
domain as the RODC and ensure that the writable domain controller is also a DNS server that has registered a name
server (NS) resource record for the relevant DNS zone. An RODC must replicate domain updates from a writable
domain controller running Windows Server 2008 or Windows Server 2008 R2.
Question 75
Your company has an Actve Directory forest that contains Windows Server 2008 R2 domain controllers and DNS
servers. All client computers run Windows XP SP3.
You need to use your client computers to edit domain-based GPOs by using the ADMX fles that are stored in the
ADMX central store.
What should you do?
A. Add your account to the Domain Admins group.

B. Upgrade your client computers to Windows 7.
C. Install .NET Framework 3.0 on your client computers.
D. Create a folder on PDC emulator for the domain in the PolicyDefnitons path. Copy the ADMX fles to the
PolicyDefnitons folder.
Aoswern B
Explanatonn
Managing Group Policy ADMX Files Step-by-Step Guide
Microsoo Windows Vista® and Windows Server 2008 introduce a new format for displaying registry-based
policy setngs. Registry-based policy setngs (located under the Administratve Templates category in the
Group Policy Object Editor) are defned using a standards-based, XML fle format known as ADMX fles. These
new fles replace ADM fles, which used their own markup language. The Group Policy tools —Group Policy
Object Editor and Group Policy Management Console—remain largely unchanged. In the majority of situatons,
you will not notce the presence of ADMX fles during your day-to-day Group Policy administraton tasks.
htpn//blogs.technet.com/b/grouppolicy/archive/2008/12/17/questons-on-admx-in-windows-xp-and-windows2003-
environments.aspx
Questons on ADMX in Windows XP and Windows 2003 environments
We had a queston a couple of days ago about the usage of ADMX template formats in Windows XP/Server 2003
environments. Essentally the queston wasn
“…What’s the supported or recommended way of getng W2k8 ADMX templates applying in a W2k3 domain with or
with no W2k8 DCs. What I’ve done in test is, created a central store in the /Sysvol/domain/policies folder on the 2k3
DC (PDC) and created and edited a GPO using GPMC from the W2k8 member server applying to a W2k8 machine and
it seems to work just fne. Is this the right way to do it?…”
The answer is Yes. Again this is one of those things that confuse people. The template format has nothing to do with
the policy fle that’s created. Its just used to create the policy by the administratve tool itself. In the case of GPMC on
Windows XP and Windows Server 2003 and previous – this tool used the ADM fle format. These ADM fles were
copied into every policy object on the SYSVOL, which represents about 4MB of duplicated bloat per policy. This was
one of the areas that caused major problems with an issue called SYSVOL bloat.
In Vista and Server 2008 this template format changed to ADMX. This was a complete change towards a new XML
based format that aimed to eliminate SYSVOL bloat. It doesn’t copy itself into every policy object but relies on a
central or local store of these templates (Note that even in the newer tools you can stll import custom ADM fles for
________________________________________________________________________________________________
Page No | 99
stuf like Ofce etc).

In the queston above, the person wanted to know if copying the local store, located under cn/windows/
policydefnitons, could be copied into a Windows Server 2003 domain environment as the central store and
referenced by the newer admin tools. Again the domain functonal mode has litle to do with Group Policy. I talked
about that one before. The things that we care about are the administratve tools and the client support for the policy
functons. So of course it can.
Here’s the confusion-reducing scoop – Group Policy as a platorm only relies on two main factors. Actve Directory to
store metadata about the policy objects and to allow client discoverability for the locaton of the policy fles. The other
is the SYSVOL to store the policy fles. So at its core that’s LDAP and SMB fle shares.
Specifc extensions on top of the policy platorm may require certain domain functonality but that’s very specifc to
that extension. Examples are the new Wireless policy and BitLocker extensions in Vista SP1. They require schema
updates – not GP itself. So if you don't currently use them then you don't have to update schema.
So provided you’re using Windows Vista SP1 with RSAT or Windows Server 2008 to administer the policies you get all
the benefts to manage downlevel clients. That means eliminatng SYSVOL bloat. That means all the joys of Group
Policy Preferences. Honestly – it amazes us the amount of IT Pros that stll haven’t discovered GPP…especially with
the power it has to practcally eliminate logon scripts! As a last point – IT Pros also ask us when we will be producing
an updated GPMC version for Windows XP to support all the new stuf. The answer is that we are not producing any
updated GPMC versions for Windows XP and Server 2003. All the new administratve work is being done on the
newer platorms. So get moving ahead! There are some really good benefts in the newer tools and very low impact
to your current environment. You only need a single Windows Vista SP1 machine to start!
Question 76
Your company has a domain controller that runs Windows Server 2008. The domain controller has the backup
features installed.
You need to perform a non-authoritatve restore of the doman controller using an existng backup fle.
What should you do?
A. Restart the domain controller in Directory Services Restore Mode and use wbadmin to restore critcal volume
B. Restart the domain controller in Directory Services Restore Mode and use the backup snap-in to restore critcal
volume
C. Restart the domain controller in Safe Mode and use wbadmin to restore critcal volume
D. Restart the domain controller in Safe Mode and use the backup snap-in to restore critcal volume
Aoswern A
Explanatonn
Almost identcal to B42
Performing Nonauthoritatve Restore of Actve Directory Domain Services
A nonauthoritatve restore is the method for restoring Actve Directory Domain Services (AD DS) from a system state,
critcal-volumes, or full server backup. A nonauthoritatve restore returns the domain controller to its state at the tme
of backup and then allows normal replicaton to overwrite that state with any changes that occurred aoer the backup
was taken. Aoer you restore AD DS from backup, the domain controller queries its replicaton partners. Replicaton
partners use the standard replicaton protocols to update AD DS and associated informaton, including the SYSVOL
shared folder, on the restored domain controller.
You can use a nonauthoritatve restore to restore the directory service on a domain controller without reintroducing
or changing objects that have been modifed since the backup. The most common use of a nonauthoritatve restore is
to reinstate a domain controller, ooen aoer catastrophic or debilitatng hardware failures. In the case of data
corrupton, do not use nonauthoritatve restore unless you have confrmed that the problem is with AD DS.
Nonauthoritatve Restore Requirements You can perform a nonauthoritatve restore from backup on a Windows
________________________________________________________________________________________________
Page No | 100
Server 2008 system that is a standalone server, member server, or domain controller.
On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. Therefore,
in Windows Server 2008, performing ofine defragmentaton and other database management tasks does not require
restartng the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a
nonauthoritatve restore aoer simply stopping the AD DS service in regular startup mode. You must be able to start
the domain controller in Directory Services Restore Mode (DSRM). If the domain controller cannot be started in
DSRM, you must frst reinstall the operatng system.
To perform a nonauthoritatve restore, you need one of the following types of backup for your backup sourcen
System state backupn Use this type of backup to restore AD DS. If you have reinstalled the operatng system, you must
use a critcal-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start
systemstaterecovery command.
Critcal-volumes backupn A critcal-volumes backup includes all data on all volumes that contain operatng system and
registry fles, boot fles, SYSVOL fles, or Actve Directory fles. Use this type of backup if you want to restore more than
the system state. To restore a critcal-volumes backup, use the wbadmin start recovery command.
Full server backupn Use this type of backup only if you cannot start the server or you do not have a system state or
critcal-volumes backup. A full server backup is generally larger than a critcal-volumes backup.
Restoring a full server backup not only rolls back data in AD DS to the tme of backup, but it also rolls back all data in
all other volumes. Rolling back this additonal data is not necessary to achieve nonauthoritatve restore of AD DS.
Question 77
Your company has an Actve Directory domain. All servers run Windows Server.
You deploy a Certfcaton Authority (CA) server.
You create a new global security group named CertIssuers.
You need to ensure that members of the CertIssuers group can issue, approve, and revoke certfcates.
What should you do?
A. Assign the Certfcate Manager role to the CertIssuers group

B. Place CertIssuers group in the Certfcate Publisher group
C. Run the certsrv -add CertIssuers command promt of the certfcate server
D. Run the add -member-membertype memberset CertIssuers command by using Microsoo Windows Powershell
Aoswern A
Explanatonn
Role-based administraton
Role explanaton
Role-based administraton involves CA roles, users, and groups. To assign a role to a user or group, you must assign
the role's corresponding security permissions, group memberships, or user rights to the user or group.
These security permissions, group memberships, and user rights are used to distnguish which users have which roles.
The following table describes the CA roles of role-based administraton and the groups relevant to role-based
administraton.
________________________________________________________________________________________________
Page No | 101
Certfcate Managern
Delete multple rows in database (bulk deleton)
Issue and approve certfcates
Deny certfcates
Revoke certfcates
Reactvate certfcates placed on hold
Renew certfcates
Recover archived key
Read CA database
Read CA confguraton informaton
Question 78
Your company has an Actve Directory domain. The company has purchased 100 new computers. You want to deploy
the computers as members of the domain.
You need to create the computer accounts in an OU.
What should you do?
A. Run the csvde -f computers.csv command

B. Run the ldifde -f computers.ldf command
C. Run the dsadd computer <computerdnN command
D. Run the dsmod computer <computerdnN command
Aoswern C
Explanatonn
Dsadd computer
Syntaxn dsadd computer <ComputerDNN [-samid <SAMNameN] [-desc <DescriptonN] [-loc <LocatonN] [-memberof
<GroupDN ...N] [{-s <ServerN | -d <DomainN}] [-u <UserNameN] [-p {<PasswordN | *}] [-q] [{-uc | -uco | -uci}]
Personal commentn you use ldifde and csvde to import and export directory objects to Actve Directory
Question 79
Your network consists of a single Actve Directory domain. You have a domain controller and a member server that
run Windows Server 2008 R2. Both servers are confgured as DNS servers. Client computers run either Windows XP
Service Pack 3 or Windows 7.
You have a standard primary zone on the domain controller. The member server hosts a secondary copy of the zone.
________________________________________________________________________________________________
Page No | 102
You need to ensure that only authentcated users are allowed to update host (A) records in the DNS zone.
A. On the member server, add a conditonal forwarder.

B. On the member server, install Actve Directory Domain Services.
C. Add all computer accounts to the DNS UpdateProxy group.
D. Convert the standard primary zone to an Actve Directory-integrated zone.
Aoswern D
Explanatonn
How DNS integrates with AD DS
When you install AD DS on a server, you promote the server to the role of a domain controller for a specifed domain.
As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining
and for which you are promotng the server, and you are ofered the opton to install the DNS Server role. This opton
is provided because a DNS server is required to locate this server or other domain controllers for members of an AD
DS domain.
DNS features multmaster data replicaton and enhanced security based on the capabilites of AD DS.
In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model,
a single authoritatve DNS server for a zone is designated as the primary source for the zone. This server maintains the
master copy of the zone in a local fle. With this model, the primary server for the zone represents a single fxed point
of failure. If this server is not available, update requests from DNS clients are not processed for the zone.
Also, when you use directory-integrated zones, you can use access control list (ACL) editng to secure a dnsZone object
container in the directory tree. This feature provides detailed access to either the zone or a specifed resource record
in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed
only for a specifed client computer or a secure group, such as a domain administrators group. This security feature is
not available with standard primary zones.
AD DS domain.
network.
Question 80
Your company has two domain controllers that are confgured as internal DNS servers. All zones on the DNS servers
are Actve Directory-integrated zones. The zones allow all dynamic updates.
________________________________________________________________________________________________
Page No | 103
You discover that the contoso.com zone has multple entries for the host names of computers that do not exist.
You need to confgure the contoso.com zone to automatcally remove expired records.
What should you do?
A. Enable only secure updates on the contoso.com zone,

B. Enable scavenging and confgure the refresh interval on the contoso.com zone.
C. From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone.
D. From the Start of Authority tab, increase the default expiraton interval on the contoso.com zone
Aoswern B
Explanatonn
htpn//www.it-support.com.au/confgure-aging-and-scavenging-of-a-dns-server/2012/12/
Confgure aging and scavenging of a DNS Server
Resource records that are either outdated or decayed from DNS zone data are removed through the use of the Server
aging and scavenging feature in Windows Server 2008. Issues develop if decayed resource records are not dealt with,
such asn
Zone transfers take longer as the DNS server disk space contains a large number of stale records
The accumulaton of stale records degrades the DNS server performance and response tme
Potental conficts can occur, if an IP address in a dynamic DNS environment is assigned to a diferent host. By default,
the aging and scavenging feature is disabled. In order to use this partcular feature, the user is required to enable the
operatons on the zone and at the DNS server.
In additon, a user is able to manually enable individual resource records to be aged and scavenged. This process
involves permitng the records to use the current (non-zero) tmestamp value.
The aging and scavenging operaton fgures out when the records should be cleared by reviewing their tmestamps.
The DNS Server uses a simple equaton when setng a tme value on a recordn current server tme + refresh interval.
Proceduren
Navigate to Start - Administratve Tools – DNS Manager. Right click the relevant DNS server and select Set
Aging/Scavenging for All Zones from the drop down list.
The Server Aging/Scavenging Propertes dialog box opens. Tick the opton Scavenge stale resource records.
Under the No-refresh interval heading, specify the duraton for which the server must not refresh its records.
Confguring this setng reduces replicaton trafc as unnecessary updates to existng records are prevented.
Under the Refresh interval heading, specify the duraton for which the server must refresh its records. The fresh
interval is the tme required between when a no-refresh interval expires and when a record is considered stale.
________________________________________________________________________________________________
Page No | 104
When you have confgured these setngs, click OK to contnue.
A confrmaton box appears showing a summary of your setngs. Tick the Apply these setngs to the existng Actve
Directory-integrated zones opton and click OK.
The Aging and Scavenging intervals have now been confgured for all zones managed by the DNS server.
htpn//blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-bepatent.aspx
Don't be afraid of DNS Scavenging. Just be patent.
htpn//social.technet.microsoo.com/Forums/en-US/winserverNIS/thread/bb556cf-3217-4dcf-af4f-460366faa1b8
Answered Best Practces confguraton for DNS server on Windows 2008 R2 Server (aging/scavenging, etc.)
Question 81
You have an Actve Directory domain that runs Windows Server 2008 R2.
You need to implement a certfcaton authority (CA) server that meets the following requirementsn
Allows the certfcaton authority to automatcally issue certfcates
Integrates with Actve Directory Domain Services
What should you do?
A. Install and confgure the Actve Directory Certfcate Services server role as a Standalone Root CA.
________________________________________________________________________________________________
Page No | 105
B. Install and confgure the Actve Directory Certfcate Services server role as an Enterprise Root CA.
C. Purchase a certfcate from a third-party certfcaton authority, Install and confgure the Actve Directory
Certfcate Services server role as a Standalone Subordinate CA.
D. Purchase a certfcate from a third-party certfcaton authority, Import the certfcate into the computer store of the
schema master.
Aoswern B
Explanatonn
Enterprise certfcaton authorites
The Enterprise Administrator can install Certfcate Services to create an enterprise certfcaton authority (CA).
Enterprise CAs can issue certfcates for purposes such as digital signatures, secure e-mail using S/MIME
(Secure Multpurpose Internet Mail Extensions), authentcaton to a secure Web server using Secure Sockets
Layer (SSL) or Transport Layer Security (TLS) and logging on to a Windows Server 2003 family domain using
a smart card.
An enterprise CA has the following featuresn
An enterprise CA requires the Actve Directory directory service.
When you install an enterprise root CA, it uses Group Policy to propagate its certfcate to the Trusted
Root Certfcaton Authorites certfcate store for all users and computers in the domain. You must be a
Domain Administrator or be an administrator with write access to Actve Directory to install an enterprise root
CA.
Certfcates can be issued for logging on to a Windows Server 2003 family domain using smart cards.
The enterprise exit module publishes user certfcates and the certfcate revocaton list (CRL) to Actve
Directory. In order to publish certfcates to Actve Directory, the server that the CA is installed on must be a
member of the Certfcate Publishers group. This is automatc for the domain the server is in, but the server
must be delegated the proper security permissions to publish certfcates in other domains. For more
informaton about the exit module, see Policy and exit modules.
An enterprise CA uses certfcate types, which are based on a certfcate template. The following functonality is
possible when you use certfcate templatesn
Enterprise CAs enforce credental checks on users during certfcate enrollment. Each certfcate template
has a security permission set in Actve Directory that determines whether the certfcate requester is
authorized to receive the type of certfcate they have requested.
The certfcate subject name can be generated automatcally from the informaton in Actve Directory or
supplied explicitly by the requestor.
The policy module adds a predefned list of certfcate extensions to the issued certfcate. The extensions
are defned by the certfcate template. This reduces the amount of informaton a certfcate requester has to
provide about the certfcate and its intended use.
Stand-alone certfcaton authorites
You can install Certfcate Services to create a stand-alone certfcaton authority (CA). Stand-alone CAs can
issue certfcates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multpurpose
Internet Mail Extensions) and authentcaton to a secure Web server using Secure Sockets Layer (SSL) or
Transport Layer Security (TLS).
A stand-alone CA has the following characteristcsn
Unlike an enterprise CA, a stand-alone CA does not require the use of the Actve Directory directory service. Stand-
alone CAs are primarily intended to be used as Trusted Ofine Root CAs in a CA hierarchy or when extranets and the
Internet are involved. Additonally, if you want to use a custom policy module for a CA, you would frst install a stand-
alone CA and then replace the stand-alone policy module with your custom policy module.
When submitng a certfcate request to a stand-alone CA, a certfcate requester must explicitly supply all identfying
informaton about themselves and the type of certfcate that is wanted in the certfcate request. (This does not need
________________________________________________________________________________________________
Page No | 106
to be done when submitng a request to an enterprise CA, since the enterprise user's informaton is already in Actve
Directory and the certfcate type is described by a certfcate template). The authentcaton informaton for requests
is obtained from the local computer's Security Accounts Manager database.
By default, all certfcate requests sent to the stand-alone CA are set to Pending untl the administrator of the stand-
alone CA verifes the identty of the requester and approves the request. This is done for security reasons, because the
certfcate requester's credentals are not verifed by the stand-alone CA.
Certfcate templates are not used.
No certfcates can be issued for logging on to a Windows Server 2003 family domain using smart cards, but other
types of certfcates can be issued and stored on a smart card.
The administrator has to explicitly distribute the stand-alone CA's certfcate to the domain user's trusted root store or
users must perform that task themselves.
When a stand-alone CA uses Actve Directory, it has these additonal featuresn
If a member of the Domain Administrators group or an administrator with write access to Actve Directory, installs a
stand-alone root CA, it is automatcally added to the Trusted Root Certfcaton Authorites certfcate store for all
users and computers in the domain. For this reason, if you install a stand-alone root
CA in an Actve Directory domain, you should not change the default acton of the CA upon receiving certfcate
requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatcally issues
certfcates without verifying the identty of the certfcate requester.
If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the
enterprise, or by an administrator with write access to Actve Directory, then the stand-alone CA will publish its CA
certfcate and the certfcate revocaton list (CRL) to Actve Directory.
Question 82
You have a Windows Server 2008 R2 Enterprise Root certfcaton authority (CA).
You need to grant members of the Account Operators group the ability to only manage Basic EFS certfcates.
You grant the Account Operators group the Issue and Manage Certfcates permission on the CA.
Which three tasks should you perform next? (Each correct answer presents part of the soluton.
Choose three.)
A. Enable the Restrict Enrollment Agents opton on the CA.

B. Enable the Restrict Certfcate Managers opton on the CA.
C. Add the Basic EFS certfcate template for the Account Operators group.
D. Grant the Account Operators group the Manage CA permission on the CA.
E. Remove all unnecessary certfcate templates that are assigned to the Account Operators group.
Aoswern B, C, E
Explanatonn
Role-based administraton
Role explanaton
Role-based administraton involves CA roles, users, and groups. To assign a role to a user or group, you must assign
the role's corresponding security permissions, group memberships, or user rights to the user or group.
These security permissions, group memberships, and user rights are used to distnguish which users have which roles.
The following table describes the CA roles of role-based administraton and the groups relevant to role-based
administraton.
________________________________________________________________________________________________
Page No | 107
Certfcate Managern
Delete multple rows in database (bulk deleton)
Issue and approve certfcates
Deny certfcates
Revoke certfcates
Reactvate certfcates placed on hold
Renew certfcates
Recover archived key
Read CA database
Read CA confguraton informaton
...
Restrict Certfcate Managers
A certfcate manager can approve certfcate enrollment and revocaton requests, issue certfcates, and manage
certfcates. This role can be confgured by assigning a user or group the Issue and Manage Certfcatespermission.
When you assign this permission to a user or group, you can further refne their ability to manage certfcates by
group and by certfcate template. For example, you might want to implement a restricton that they can only approve
requests or revoke smart card logon certfcates for users in a certain ofce or organizatonal unit that is the basis for a
security group.
This restricton is based on a subset of the certfcate templates enabled for the certfcaton authority (CA) and the
user groups that have Enroll permissions for that certfcate template from that CA.
..
To confgure certfcate manager restrictons for a CAn
1. Open the Certfcaton Authority snap-in, and right-click the name of the CA.
2. Click Propertes, and then click the Security tab.
3. Verify that the user or group that you have selected has Issue and Manage Certfcates permission. If they do not
yet have this permission, select the Allow check box, and then click Apply.
4. Click the Certfcate Managers tab.
5. Click Restrict certfcate managers, and verify that the name of the group or user is displayed.
6. Under Certfcate Templates, click Add, select the template for the certfcates that you want this user or group to
manage, and then click OK. Repeat this step untl you have selected all certfcate templates that you want to allow
this certfcate manager to manage.
7. Under Permissions, click Add, type the name of the client for whom you want the certfcate manager to manage
the defned certfcate types, and then click OK.
8. If you want to block the certfcate manager from managing certfcates for a specifc user, computer, or group,
under Permissions, select this user, computer, or group, and click Deny.
9. When you are fnished confguring certfcate manager restrictons, click OK or Apply.
Question 83
Your company has an Actve Directory domain. You have a two-ter PKI infrastructure that contains an ofine root CA
________________________________________________________________________________________________
Page No | 108
and an online issuing C

A. The Enterprise certfcaton authority is running Windows Server 2008 R2.
You need to ensure users are able to enroll new certfcates.
What should you do?
A. Renew the Certfcate Revocaton List (CRL) on the root CA. Copy the CRL to the CertEnroll folder on the issuing CA.
B. Renew the Certfcate Revocaton List (CRL) on the issuing CA, Copy the CRL to the SysternCertfcates folder in the
users' profle.
C. Import the root CA certfcate into the Trusted Root Certfcaton Authorites store on all client workstatons.
D. Import the issuing CA certfcate into the Intermediate Certfcaton Authorites store on all client workstatons.
Aoswern A
Explanatonn
htpn//social.technet.microsoo.com/wiki/contents/artcles/2900.ofine-root-certfcaton-authority-ca.aspx
Ofine Root Certfcaton Authority (CA)
A root certfcaton authority (CA) is the top of a public key infrastructure (PKI) and generates a self-signed certfcate.
This means that the root CA is validatng itself (self-validatng). This root CA could then have subordinate CAs that
efectvely trust it. The subordinate CAs receive a certfcate signed by the root CA, so the subordinate CAs can issue
certfcates that are validated by the root CA. This establishes a CA hierarchy and trust path.
CA Compromise
If a root CA is in some way compromised (broken into, hacked, stolen, or accessed by an unauthorized or malicious
person), then all of the certfcates that were issued by that CA are also compromised. Since certfcates are used for
data protecton, identfcaton, and authorizaton, the compromise of a CA could compromise the security of an entre
organizatonal network. For that reason, many organizatons that run internal PKIs install their root CA ofine. That is,
the CA is never connected to the company network, which makes the root CA an ofine root CA. Make sure that you
keep all CAs in secure areas with limited access.
To ensure the reliability of your CA infrastructure, specify that any root and non-issuing intermediate CAs must be
ofine. A non-issuing CA is one that is not expected to provide certfcates to client computers, network devices, and
so on. This minimizes the risk of the CA private keys becoming compromised, which would in turn compromise all the
certfcates that were issued by the CA.
How Do Ofine CAs issue certfcates?
Ofine root CAs can issue certfcates to removable media devices (e.g. foppy disk, USB drive, CD/DVD) and then
physically transported to the subordinate CAs that need the certfcate in order to perform their tasks. If the
subordinate CA is a non-issuing intermediate that is ofine, then it will also be used to generate a certfcate and that
certfcate will be placed on removable media. Each CA receives its authorizaton to issue certfcates from the CA
directly above it in the CA hierarchy. However, you can have multple CAs at the same level of the CA hierarchy.
Issuing CAs are typically online and used to issue certfcates to client computers, network
devices, mobile devices, and so on. Do not join ofine CAs to an Actve Directory Domain Services domain Since
ofine CAs should not be connected to a network, it does not make sense to join them to an Actve Directory Domain
Services (AD DS) domain, even with the Ofine Domain Join [This link is external to TechNet Wiki. It will open in a new
window.] opton introduced with Windows 7 and Windows Server 2008 R2.
Furthermore, installing an ofine CA on a server that is a member of a domain can cause problems with a secure
channel when you bring the CA back online aoer a long ofine period. This is because the computer account password
changes every 30 days. You can get around this by problem and beter protect your CA by making it a member of a
workgroup, instead of a domain. Since Enterprise CAs need to be joined to an AD DS domain, do not atempt to install
an ofine CA as a Windows Server Enterprise CA.
Renewing a certfcaton authority
A certfcaton authority may need to be renewed for either of the following reasonsn
Change in the policy of certfcates issued by the CA
Expiraton of the CA's issuing certfcate
________________________________________________________________________________________________
Page No | 109
Question 84
Your company has an Actve Directory domain. All servers run Windows Server 2008 R2. Your company uses an
Enterprise Root certfcaton authority (CA) and an Enterprise Intermediate CA.
The Enterprise Intermediate CA certfcate expires.
You need to deploy a new Enterprise Intermediate CA certfcate to all computers in the domain.
What should you do?
A. Import the new certfcate into the Intermediate Certfcaton Store on the Enterprise Root CA server.
B. Import the new certfcate into the Intermediate Certfcaton Store on the Enterprise Intermediate CA server.
C. Import the new certfcate into the Intermediate Certfcaton Store in the Default Domain Controllers group policy
object.
D. Import the new certfcate into the Intermediate Certfcaton Store in the Default Domain group policy object.
Aoswern B
Explanatonn
Certfcaton Authority Trust Model
Certfcaton Authority Hierarchies
The Windows 2000 public key infrastructure supports a hierarchical CA trust model, called the certfcaton hierarchy,
to provide scalability, ease of administraton, and compatbility with a growing number of commercial third-party CA
services and public key-aware products. In its simplest form, a certfcaton hierarchy consists of a single CA. However,
the hierarchy usually contains multple CAs that have clearly defned parent-child relatonships. Figure 16.5 shows
some possible CA hierarchies.
You can deploy multple CA hierarchies to meet your needs. The CA at the top of the hierarchy is called a root CA .
Root CAs are self-certfed by using a self-signed CA certfcate. Root CAs are the most trusted CAs in the organizaton
and it is recommended that they have the highest security of all. There is no requirement that all CAs in an enterprise
share a common top-level CA parent or root. Although trust for CAs depends on each domain's CA trust policy, each
CA in the hierarchy can be in a diferent domain.
________________________________________________________________________________________________
Page No | 110
Child CAs are called subordinate CAs. Subordinate CAs are certfed by the parent CAs. A parent CA certfes the
subordinate CA by issuing and signing the subordinate CA certfcate. A subordinate CA can be either an intermediate
or an issuing CA. An intermediate CA issues certfcates only to subordinate CAs. An issuing CA issues certfcates to
users, computers, or services.
htpn//social.technet.microsoo.com/Forums/en-US/winserversecurity/thread/605dbf9d-2694-4783-8002-
c08b9c7d4149
Forum FAQn How to import certfcate into Intermediate Certfcaton Authorites store?
Question
How to
import certfcate into Intermediate Certfcaton Authorites store?
Aoswern
In Windows Server 2008 or Windows Server 2008 R2 domain, we can import intermediate CA certfcates using group
policyn
Computer ConfguratongPoliciesgWindows SetngsgSecurity SetngsgPublic Key PoliciesgIntermediate Certfcaton
AUthorites
The policy is not available in Windows Server 2003. For Windows 2003 domain, you can write a script that uses the
following command to push out the intermediate CA certfcate via group policy. The server will have to be rebooted
for this to take efect.
Certutl –f –addstore CA <intermediate CA nameN.crt
Noten CA is the programmatc name of the Intermediate Certfcaton Authorites store.
Question 85
Your company has recently acquired a new subsidiary company in Quebec. The Actve Directory administrators of the
subsidiary company must use the French-language version of the administratve templates.
You create a folder on the PDC emulator for the subsidiary domain in the path
%systemroot%gSYSVOLgdomaingPoliciesgPolicyDefnitonsgFR.
You need to ensure that the French-language version of the templates is available.
What should you do?
A. Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm fles from the Microsoo Web site. Copy the
ADM fles to the FR folder.
B. Copy the ADML fles from the French local installaton media for Windows Server 2008 R2 to the FR folder on the
subsidiary PDC emulator.
C. Copy the Install.WIM fle from the French local installaton media for Windows Server 2008 R2 to the FR folder on
the subsidiary PDC emulator.
D. Copy the ADMX fles from the French local installaton media for Windows Server 2008 R2 to the FR folder on the
subsidiary PDC emulator.
Aoswern B
Explanatonn
.admx and .adml File Structure
In order to support the multlingual display of policy setngs, the ADMX fle structure must be broken into two types
of flesn
A language-neutral fle, .admx, describing the structure of the categories and Administratve template policy setngs
displayed in the Group Policy Management Console (GPMC) or Local Group Policy Editor.
A set of language-dependent fles, .adml, providing the localized portons displayed in the GPMC or Local
Group Policy Editor. Each .adml fle represents a single language you wish to support.
Language-neutral fle (.admx) structure
________________________________________________________________________________________________
Page No | 111
..
Language resource fle (.adml) structure
The language resource fles, .adml, provide the language specifc informaton needed by the language neutral fle. The
language neutral fle will then reference specifc sectons of the language resource fle in order for the GPMC or Local
Group Policy Editor to display a policy setng in the correct language.
Question 86
A user in a branch ofce of your company atempts to join a computer to the domain, but the atempt fails.
You need to enable the user to join a single computer to the domain.
You must ensure that the user is denied any additonal rights beyond those required to complete the task.
What should you do?
A. Prestage the computer account in the Actve Directory domain.

B. Add the user to the Domain Administrators group for one day.
C. Add the user to the Server Operators group in the Actve Directory domain.
D. Grant the user the right to log on locally by using a Group Policy Object (GPO).
Aoswern A
Explanatonn
Prestaging Client Computers
Benefts of Prestaging Client Computers
Prestaging clients provides three main beneftsn
An additonal layer of security. You can confgure Windows Deployment Services to answer only prestaged clients,
therefore ensuring that clients that are not prestaged will not be able to boot from the network. Additonal fexibility.
Prestaging clients increases fexibility by enabling you to control the following. For instructons on performing these
tasks, see the “Prestage Computers” secton of How to Manage Client Computers.
* The computer account name and locaton within AD DS.
* Which server the client should network boot from.
* Which network boot program the client should receive.
* Other advanced optons — for example, what boot image a client will receive or what Windows Deployment
Services client unatend fle the client should use.
The ability for multple Windows Deployment Services servers to service the same network segment. You can do this
by restrictng the server to answer only a partcular set of clients. Note that the prestaged client must be in the same
forest as the Windows Deployment Services server (trusted forests do not work).
Further informatonn
htpn//www.windows-noob.com/forums/index.php?/topic/506-how-can-i-prestage-a-computer-for-wds/how can I
PRESTAGE a computer for WDS?
Question 87
The default domain GPO in your company is confgured by using the following account policy setngsn
Minimum password lengthn 8 characters
Maximum password agen 30 days
Enforce password historyn 12 passwords remembered
Account lockout thresholdn 3 invalid logon atempts
Account lockout duratonn 30 minutes
You install Microsoo SQL Server on a computer named Server1 that runs Windows Server 2008 R2. The SQL Server
________________________________________________________________________________________________
Page No | 112
applicaton uses a service account named SQLSrv. The SQLSrv account has domain user rights.
The SQL Server computer fails aoer running successfully for several weeks. The SQLSrv user account is not locked out.
You need to resolve the server failure and prevent recurrence of the failure. Which two actons should you perform?
(Each correct answer presents part of the soluton. Choose two.)
A. Reset the password of the SQLSrv user account.

B. Confgure the local security policy on Server1 to grant the Logon as a service right on the SQLSrv user account.
C. Confgure the propertes of the SQLSrv account to Password never expires.
D. Confgure the propertes of the SQLSrv account to User cannot change password.
E. Confgure the local security policy on Server1 to explicitly grant the SQLSrv user account the Allow logon locally
user right.
Aoswern A, C
Explanatonn
Personal commentn
Maximum password agen 30 days
The most probable cause for the malfuncton is that the password has expired.
You need to reset the password and set it to never expire.
Question 88
________________________________________________________________________________________________
Page No | 113
Your company has two Actve Directory forests named Forest1 and Forest2, The forest functonal level and the domain
functonal level of Forest1 are set to Windows Server 2008.
The forest functonal level of Forest2 is set to Windows 2000, and the domain functonal levels in Forest2 are set to
Windows Server 2003.
You need to set up a transitve forest trust between Forest1 and Forest2.
A. Raise the forest functonal level of Forest2 to Windows Server 2003 Interim mode.
B. Raise the forest functonal level of Forest2 to Windows Server 2003.
C. Upgrade the domain controllers in Forest2 to Windows Server 2008.
D. Upgrade the domain controllers in Forest2 to Windows Server 2003.
Aoswern B
Explanatonn
Referencen
Creatng Forest Trusts
You can link two disjoined Actve Directory Domain Services (AD DS) forests together to form a one-way or two-way,
transitve trust relatonship.
The following are required to create forest trusts successfullyn
You can create a forest trust between two Windows Server 2003 forests, between two Windows Server 2008 forests,
between two Windows Server 2008 R2 forests, between a Windows Server 2003 forest and a Windows Server 2008
forest, between a Windows Server 2003 forest and a Windows Server 2008 R2 forest, or between a Windows Server
2008 forest and a Windows Server 2008 R2 forest. Forest trusts cannot be extended implicitly to a third forest.
To create a forest trust, the minimum forest functonal level for the forests that are involved in the trust relatonship is
Windows Server 2003.
Question 89
Your company has an Actve Directory forest that contains two domains, The forest has universal groups that contain
members from each domain. A branch ofce has a domain controller named DC1, Users at the branch ofce report
that the logon process takes too long.
You need to decrease the amount of tme it takes for the branch ofce users to logon.
What should you do?
A. Confgure DC1 as a Global Catalog server.

B. Confgure DC1 as a bridgehead server for the branch ofce site.
C. Decrease the replicaton interval on the site link that connects the branch ofce to the corporate network.
D. Increase the replicaton interval on the site link that connects the branch ofce to the corporate network.
Aoswern A
Explanatonn
What Is the Global Catalog?
The global catalog is a distributed data repository that contains a searchable, partal representaton of every object in
every domain in a multdomain Actve Directory Domain Services (AD DS) forest. The global catalog is stored on
domain controllers that have been designated as global catalog servers and is distributed through multmaster
________________________________________________________________________________________________
Page No | 114
replicaton. Searches that are directed to the global catalog are faster because they do not involve referrals to
diferent domain controllers.
In additon to confguraton and schema directory partton replicas, every domain controller in a forest stores a full,
writable replica of a single domain directory partton. Therefore, a domain controller can locate only the objects in its
domain. Locatng an object in a diferent domain would require the user or applicaton to provide the domain of the
requested object.
The global catalog provides the ability to locate objects from any domain without having to know the domain name. A
global catalog server is a domain controller that, in additon to its full, writable domain directory partton replica, also
stores a partal, read-only replica of all other domain directory parttons in the forest. The additonal domain
directory parttons are partal because only a limited set of atributes is included for each object. By including only
the atributes that are most used for searching, every object in every domain in even the largest forest can be
represented in the database of a single global catalog server.
Question 90
Your company has an Actve Directory domain. The main ofce has a DNS server named DNS1 that is confgured with
Actve Directory-integrated DNS. The branch ofce has a DNS server named DNS2 that contains a secondary copy of
the zone from DNS1. The two ofces are connected with an unreliable WAN link.
You add a new server to the main ofce.
Five minutes aoer adding the server, a user from the branch ofce reports that he is unable to connect to the new
server.
You need to ensure that the user is able to connect to the new server.
What should you do?
A. Clear the cache on DNS2.

B. Reload the zone on DNS1.
C. Refresh the zone on DNS2.
D. Export the zone from DNS1 and import the zone to DNS2.
Aoswern C
Explanatonn
Old answern Refresh the zone on DNS2.
Adjust the Refresh Interval for a Zone
You can use this procedure to adjust the refresh interval for a Domain Name System (DNS) zone. The refresh interval
determines how ooen other DNS servers that load and host the zone must atempt to renew the zone.
By default, the refresh interval for each zone is set to 15 minutes.
htpn//blog.ijun.org/2008/11/diference-between-dnscmd-clearcache.html diference between dnscmd /clearcache
and ipconfg /fushdns
Qn Do "dnscmd /clearcache" and "ipconfg /fushdns" the exact same thing, on a windows 2003 server? What is the
diference, if any?
An Ipconfg /fushdns will fush the local computer cache. And dnscmd /clearcache will clear the dns server cache.
Meaning that with the frst you will clear the "local" cache of the server you work on. (Even if it is the dns server. It will
NOT clear the dns server cache.) While with dnscmd you will clear the dns server cache.
Question 91
You need to validate whether Actve Directory successfully replicated between two domain controllers.What should
you do?
________________________________________________________________________________________________
Page No | 115
A. Run the DSget command.

B. Run the Dsquery command.
C. Run the RepAdmin command.
D. Run the Windows System Resource Manager.
Aoswern C
Explanatonn
You can use the repadmin /showrepl command to verify successful replicaton to a specifc domain controller.
Question 92
You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup feature is installed on
the domain controller.
You need to perform a non-authoritatve restore of the domain controller by using an existng backup fle.
What should you do?
A. Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN command to perform a
critcal volume restore.
B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-in to
perform a critcal volume restore.
C. Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to perform a critcal volume
restore.
D. Restart the domain controller in safe mode. Use the WBADMIN command to perform a critcal volume restore.
Aoswern A
Explanatonn
Almost identcal to B26
Performing Nonauthoritatve Restore of Actve Directory Domain Services
A nonauthoritatve restore is the method for restoring Actve Directory Domain Services (AD DS) from a system state,
critcal-volumes, or full server backup. A nonauthoritatve restore returns the domain controller to its state at the tme
of backup and then allows normal replicaton to overwrite that state with any changes that occurred aoer the backup
was taken. Aoer you restore AD DS from backup, the domain controller queries its replicaton partners. Replicaton
partners use the standard replicaton protocols to update AD DS and associated informaton, including the SYSVOL
shared folder, on the restored domain controller.
You can use a nonauthoritatve restore to restore the directory service on a domain controller without reintroducing
or changing objects that have been modifed since the backup. The most common use of a nonauthoritatve restore is
to reinstate a domain controller, ooen aoer catastrophic or debilitatng hardware failures. In the case of data
corrupton, do not use nonauthoritatve restore unless you have confrmed that the problem is with AD DS.
Nonauthoritatve Restore Requirements
You can perform a nonauthoritatve restore from backup on a Windows Server 2008 system that is a standalone
server, member server, or domain controller.
On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service.
Therefore, in Windows Server 2008, performing ofine defragmentaton and other database management tasks does
not require restartng the domain controller in Directory Services Restore Mode (DSRM). However, you cannot
perform a nonauthoritatve restore aoer simply stopping the AD DS service in regular startup mode. You must be able
________________________________________________________________________________________________
Page No | 116
to start the domain controller in Directory Services Restore Mode (DSRM). If the domain controller cannot be started
in DSRM, you must frst reinstall the operatng system.
To perform a nonauthoritatve restore, you need one of the following types of backup for your backup sourcen
System state backupn Use this type of backup to restore AD DS. If you have reinstalled the operatng system, you must
use a critcal-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start
systemstaterecovery command.
Critcal-volumes backupn A critcal-volumes backup includes all data on all volumes that contain operatng system and
registry fles, boot fles, SYSVOL fles, or Actve Directory fles. Use this type of backup if you want to restore more than
the system state. To restore a critcal-volumes backup, use the wbadmin start recovery command.
Full server backupn Use this type of backup only if you cannot start the server or you do not have a system state or
critcal-volumes backup. A full server backup is generally larger than a critcal-volumes backup. Restoring a full server
backup not only rolls back data in AD DS to the tme of backup, but it also rolls back all data in all other volumes.
Rolling back this additonal data is not necessary to achieve nonauthoritatve restore of AD DS.
Question 93
Your company has an Actve Directory forest. Not all domain controllers in the forest are confgured as Global Catalog
Servers. Your domain structure contains one root domain and one child domain.
You modify the folder permissions on a fle server that is in the child domain. You discover that some Access Control
entries start with S-1-5-21 and that no account name is listed.
You need to list the account names.
What should you do?
A. Move the RID master role in the child domain to a domain controller that holds the Global Catalog.
B. Modify the schema to enable replicaton of the friendlynames atribute to the Global Catalog.
C. Move the RID master role in the child domain to a domain controller that does not hold the Global Catalog.
D. Move the infrastructure master role in the child domain to a domain controller that does not hold the Global
Catalog.
Aoswern D
Explanatonn
Security identfers
Security identfers (SIDs) are numeric values that identfy a user or group. For each access control entry (ACE), there
exists a SID that identfes the user or group for whom access is allowed, denied, or audited. Well-known security
identfers (special identtes)n
Network (S-1-5-2) Includes all users who are logged on through a network connecton. Access tokens for interactve
users do not contain the Network SID.
Operatons master roles Actve Directory supports multmaster replicaton of the directory data store between all
domain controllers (DC) in the domain, so all domain controllers in a domain are essentally peers. However, some
changes are impractcal to perform in using multmaster replicaton, so, for each of these types of changes, one
domain controller, called the operatons master, accepts requests for such changes.
In every forest, there are at least fve operatons master roles that are assigned to one or more domain controllers.
Forest-wide operatons master roles must appear only once in every forest. Domain-wide operatons master roles
must appear once in every domain in the forest.
Domain-wide operatons master roles
Every domain in the forest must have the following rolesn
Relatve ID (RID) master
Primary domain controller (PDC) emulator master
________________________________________________________________________________________________
Page No | 117
Infrastructure master
These roles must be unique in each domain. This means that each domain in the forest can have only one RID master,
PDC emulator master, and infrastructure master.
...
Infrastructure master
At any tme, there can be only one domain controller actng as the infrastructure master in each domain.
The infrastructure master is responsible for updatng references from objects in its domain to objects in other
domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular
updates for objects in all domains through replicaton, so the global catalog data will always be up to date. If the
infrastructure master fnds data that is out of date, it requests the updated data from a global catalog. The
infrastructure master then replicates that updated data to the other domain controllers in the domain.
Important
Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the
domain controller that is hostng the global catalog. If the infrastructure master and global catalog are on the same
domain controller, the infrastructure master will not functon. The infrastructure master will never fnd data that is out
of date, so it will never replicate any changes to the other domain controllers in the domain.
In the case where all of the domain controllers in a domain are also hostng the global catalog, all of the domain
controllers will have the current data and it does not mater which domain controller holds the infrastructure master
role.
The infrastructure master is also responsible for updatng the group-to-user references whenever the members of
groups are renamed or changed. When you rename or move a member of a group (and that member resides in a
diferent domain from the group), the group may temporarily appear not to contain that member.
The infrastructure master of the group's domain is responsible for updatng the group so it knows the new name or
locaton of the member. This prevents the loss of group memberships associated with a user account when the user
account is renamed or moved. The infrastructure master distributes the update via multmaster replicaton.
There is no compromise to security during the tme between the member rename and the group update. Only an
administrator looking at that partcular group membership would notce the temporary inconsistency.
Question 94
Your company security policy requires complex passwords.

You have a comma delimited fle named import.csv that contains user account informaton.
You need to create user account in the domain by using the import.csv fle.
You also need to ensure that the new user accounts are set to use default passwords and are disabled.
What should you do?
A. Modify the userAccountControl atribute to disabled. Run the csvde i k f import.csv command. Run the DSMOD
utlity to set default passwords for the user accounts.
B. Modify the userAccountControl atribute to accounts disabled. Run the csvde -f import.csv command. Run the
DSMOD utlity to set default passwords for the user accounts.
C. Modify the userAccountControl atribute to disabled. Run the wscript import.csv command. Run the DSADD utlity
to set default passwords for the imported user accounts.
D. Modify the userAccountControl atribute to disabled. Run ldifde -i -f import.csv command. Run the DSADD utlity to
set passwords for the imported user accounts.
Aoswern A
Explanatonn
Personal noten
The correct command should ben
csvde - i -k -f import.csv
________________________________________________________________________________________________
Page No | 118
How to use the UserAccountControl fags to manipulate user account propertes
When you open the propertes for a user account, click the Account tab, and then either select or clear the check
boxes in the Account optons dialog box, numerical values are assigned to the UserAccountControl atribute. The
value that is assigned to the atribute tells Windows which optons have been enabled.
You can view and edit these atributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in.
The following table lists possible fags that you can assign. You cannot set some of the values on a user or computer
object because these values can be set or reset only by the directory service. Note that Ldp.exe shows the values in
hexadecimal. Adsiedit.msc displays the values in decimal. The fags are cumulatve. To disable a user's account, set the
UserAccountControl atribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).
Csvde
Imports and exports data from Actve Directory Domain Services (AD DS) using fles that store data in the comma-
separated value (CSV) format. You can also support batch operatons based on the CSV fle format standard.
Syntaxn
Csvde [-i] [-f <FileNameN] [-s <ServerNameN] [-c <String1N <String2N] [-v] [-j <PathN] [-t <PortNumberN] [-d
<BaseDNN] [-r <LDAPFilterN] [-p <Scope] [-l <LDAPAtributeListN] [-o <LDAPAtributeListN] [-g] [-m] [-n] [-k] [-a
<UserDistnguishedNameN {<PasswordN | *}] [-b <UserNameN <DomainN {<PasswordN | *}]
Parameters
-i
Specifes import mode. If not specifed, the default mode is export.
-f <FileNameN Identfes the import or export fle name.
-k
Ignores errors during an import operaton and contnues processing.
Dsmod user Modifes atributes of one or more existng users in the directory.
Syntaxn
dsmod user <UserDNN ... [-upn <UPNN] [-fn <FirstNameN] [-mi <InitalN] [-ln <LastNameN] [-display<DisplayNameN] [-
empid <EmployeeIDN] [-pwd (<PasswordN | *)] [-desc <DescriptonN] [-ofce <OfceN] [-tel
<PhoneNumberN] [-email <E-mailAddressN] [-hometel <HomePhoneNumberN] [-pager <PagerNumberN] [-mobile
<CellPhoneNumberN] [-fax <FaxNumberN] [-iptel <IPPhoneNumberN] [-webpg <WebPageN] [-ttle
<TitleN] [-dept <DepartmentN] [-company <CompanyN] [-mgr <ManagerN] [-hmdir <HomeDirectoryN] [-hmdrv
<DriveLeterNn] [-profle <ProflePathN] [-loscr <ScriptPathN] [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-
reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires <NumberOfDaysN] [-disabled {yes | no}] [{-s
<ServerN | -d <DomainN}] [-u <UserNameN] [-p {<PasswordN | *}][-c] [-q] [{-uc | -uco | -uci}]
Parameters
<UserDNNRequired. Specifes the distnguished names of the users that you want to modify. If values are omited,
they are obtained through standard input (stdin) to support piping of output from another command to input of this
command.
..
-pwd {<PasswordN | *}
Resets the passwords for the users that you want to modify as Password or an asterisk (*). If you type *, AD
DS prompts you for a user password.
Question 95
You are installing an applicaton on a computer that runs Windows Server 2008 R2.
During installaton, the applicaton will need to install new atributes and classes to the Actve Directory database.
You need to ensure that you can install the applicaton.
What should you do?
________________________________________________________________________________________________
Page No | 119
A. Change the functonal level of the forest to Windows Server 2008 R2.
B. Log on by using an account that has Server Operator rights.
C. Log on by using an account that has Schema Administrator rights and the appropriate rights to install the
applicaton.
D. Log on by using an account that has the Enterprise Administrator rights and the appropriate rights to install the
applicaton.
Aoswern C
Explanatonn
Default groups
Default groups, such as the Domain Admins group, are security groups that are created automatcally when you create
an Actve Directory domain. You can use these predefned groups to help control access to shared resources and
delegate specifc domain-wide administratve roles.
..
Groups in the Builtn container
The following table provides descriptons of the default groups located in the Builtn container and lists the assigned
user rights for each group.
Groups in the Users container

The following table provides a descripton of the default groups located in the Users container and lists the assigned
user rights for each group.
Question 96
Your company has an Actve Directory forest. The company has servers that run Windows Server 2008 R2 and client
computers that run Windows 7. The domain uses a set of GPO administratve templates that have been approved to
support regulatory compliance requirements.
Your partner company has an Actve Directory forest that contains a single domain. The company has servers that run
Windows Server 2008 R2 and client computers that run Windows 7.
You need to confgure your partner company's domain to use the approved set of administratve templates.
What should you do?
A. Use the Group Policy Management Console (GPMC) utlity to back up the GPO to a fle. In each site, import the GPO
________________________________________________________________________________________________
Page No | 120
to the default domain policy.

B. Copy the ADMX fles from your company's PDC emulator to the PolicyDefnitons folder on the partner company's
PDC emulator.
C. Copy the ADML fles from your company's PDC emulator to the PolicyDefnitons folder on the partner company's
PDC emulator.
D. Download the conf.adm, system.adm, wuau.adm, and inetres.adm fles from the Microsoo Updates Web site. Copy
the ADM fles to the PolicyDefnitons folder on thr partner company's emulator.
Aoswern B
Explanatonn
How to create the Central Store for Group Policy Administratve Template fles in Windows Vista Windows Vista uses a
new format to display registry-based policy setngs. These registry-based policy setngs appear under Administratve
Templates in the Group Policy Object Editor. In Windows Vista, these registry-based policy setngs are defned by
standards-based XML fles that have an .admx fle name extension. The .admx fle format replaces the legacy .adm fle
format. The .adm fle format uses a proprietary markup language.
In Windows Vista, Administratve Template fles are divided into .admx fles and language-specifc .adml fles that are
available to Group Policy administrators.
..
Administratve Template fle storage
In earlier operatng systems, all the default Administratve Template fles are added to the ADM folder of a Group
Policy object (GPO) on a domain controller. The GPOs are stored in the SYSVOL folder. The SYSVOL folder is
automatcally replicated to other domain controllers in the same domain. A policy fle uses approximately 2
megabytes (MB) of hard disk space. Because each domain controller stores a distnct version of a policy, replicaton
trafc is increased.
Windows Vista uses a Central Store to store Administratve Template fles. In Windows Vista, the ADM folder is not
created in a GPO as in earlier versions of Windows. Therefore, domain controllers do not store or replicate redundant
copies of .adm fles.
The Central Store
To take advantage of the benefts of .admx fles, you must create a Central Store in the SYSVOL folder on a domain
controller. The Central Store is a fle locaton that is checked by the Group Policy tools. The Group Policy tools use any
.admx fles that are in the Central Store. The fles that are in the Central Store are later replicated to all domain
controllers in the domain.
To create a Central Store for .admx and .adml fles, create a folder that is named PolicyDefnitons in the following
locatonn
ggFQDNgSYSVOLgFQDNgpolicies
Noten FQDN is a fully qualifed domain name.
...
htpn//www.frickelsoo.net/blog/?p=31
How can I export local Group Policy setngs made in gpedit.msc?
Mark Heitbrink, MVP for Group PolicyÃ‚Â came up with a good soluton on how you can “export” the Group
Policy and SecurityÃ‚Â setngs you made in on a machine with the Local Group Policy Editor (gpedit.msc) to other
machines prety easyn
Normal setngs can be copied like thisn
1.) Open %systemroot%gsystem32ggrouppolicyg
Within this folder, there are two folders - “machine” and “user”. Copy these to folders to the “%systemroot%
gsystem32ggrouppolicy - folder on the target machine. All it needs now is a reboot or a “gpupdate /force”.
Noten If you cannot see the “grouppolicy” folder on either the source or the target machine, be sure to have your
explorer folder optons set to “Show hidden fles and folders”…
For security setngsn
________________________________________________________________________________________________
Page No | 121
1.) Open MMC and add the Snapin “Security Templates”.

2.) Create your own customized template and save it as an “*inf” fle.
3.) Copy the fle to the target machine and import it via command line tool “secedit”n secedit /confgure /db
%temp%gtemp.sdb /cfg yourcreated.inf
Further informaton on secedit can be found heren htpn//www.microsoo.com/resources/documentaton/
windows/xp/all/proddocs/en-us/secedit_cmds.mspx?mfr=true
If you’re building custom installatons, you can prety easy script the “overwritng” of the “machine”/”user”- folders or
the import via secedit by copying these fle to a share and copy and execute them with a script.
Question 97
You need to ensure that users who enter three successive invalid passwords within 5 minutes are locked out for 5
minutes.
Which three actons should you perform? (Each correct answer presents part of the soluton.
Choose three.)
A. Set the Minimum password age setng to one day.

B. Set the Maximum password age setng to one day.
C. Set the Account lockout duraton setng to 5 minutes.
D. Set the Reset account lockout counter aoer setng to 5 minutes.
E. Set the Account lockout threshold setng to 3 invalid logon atempts.
F. Set the Enforce password history setng to 3 passswords remembered.
Aoswern C, D, E
Explanatonn
Question 98
Your company has an Actve Directory domain and an organizatonal unit. The organizatonal unit is named Web.
You confgure and test new security setngs for Internet Informaton Service (IIS) Servers on a server named
IISServerA.
You need to deploy the new security setngs only on the IIS servers that are members of the Web organizatonal unit.
What should you do?
________________________________________________________________________________________________
Page No | 122
A. Run secedit /confgure /db iis.inf from the command prompt on IISServerA, then run secedit /confgure /db
webou.inf from the comand prompt.
B. Export the setngs on IISServerA to create a security template. Import the security template into a GPO and link
the GPO to the Web organizatonal unit.
C. Export the setngs on IISServerA to create a security template. Run secedit /confgure /db webou.inf from the
comand prompt.
D. Import the hisecws.inf fle template into a GPO and link the GPO to the Web organizatonal unit.
Aoswern B
Explanatonn
htpn//www.itninja.com/blog/view/using-secedit-to-apply-security-templates
Using Secedit To Apply Security Templates
Secedit /confgure /db secedit.sdb /cfg"cngtempgcustom.inf" /silent Nnul
This command imports a security template fle, “custom.inf” into the workstaton’s or server’s local security database.
/db must be specifed. When specifying the default secuirty database (secedit.sdb,) I found that providing no path
worked best. The /cfg opton informs Secedit that it is to import the .inf fle into the specifed database, appending it
to any existng .inf fles that have already been imported to this system. You can optonally include an /overwrite
switch to overwrite all previous confguratons for this machine. The /silent opton supresses any pop-ups and the
Nnul hides the command line output statng success or failure of the acton.
Question 99
Your network consists of an Actve Directory forest that contains two domains. All servers run Windows Server 2008
R2. All domain controllers are confgured as DNS Servers.
You have a standard primary zone for dev.contoso.com that is stored on a member server.
You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone.
What should you do?
A. On the member server, create a stub zone.

B. On the member server, create a NS record for each domain controller.
C. On one domain controller, create a conditonal forwarder. Confgure the conditonal forwarder to replicate to all
DNS servers in the forest.
D. On one domain controller, create a conditonal forwarder. Confgure the conditonal forwarder to replicate to all
DNS servers in the domain.
Aoswern C
Explanatonn
________________________________________________________________________________________________
Page No | 123
Further informatonn
Assign a Conditonal Forwarder for a Domain Name
Question 100
Your company has an Actve Directory domain. You install a new domain controller in the domain. Twenty users report
that they are unable to log on to the domain.
You need to register the SRV records.
Which command should you run on the new domain controller?
A. Run the netsh interface reset command.

B. Run the ipconfg /fushdns command.
C. Run the dnscmd /EnlistDirectoryPartton command.
D. Run the sc stop netlogon command followed by the sc start netlogon command.
Aoswern D
Explanatonn
MCTS 70-640 Cert Guiden Windows Server 2008 Actve Directory, Confguring (Pearson IT Certfcaton, 2010) page 62
The SRV resource records for a domain controller are important in enabling clients to locate the domain controller.
The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted.
You can also re-register a domain controller’s SRV resource records by restartng this service from the Services branch
of Server Manager or by typing net start netlogon. An exam
Queston might ask you how to troubleshoot the nonregistraton of SRV resource records.
Question 101
You have a Windows Server 2008 R2 that has the Actve Directory Certfcate Services server role installed.
You need to minimize the amount of tme it takes for client computers to download a certfcate revocaton list (CRL).
What should you do?
________________________________________________________________________________________________
Page No | 124
A. Install and confgure an Online Responder.

B. Import the Issuing CA certfcate into the Trusted Root Certfcaton Authorites store on all client workstatons.
C. Install and confgure an additonal domain controller.
D. Import the Root CA certfcate into the Trusted Root Certfcaton Authorites store on all client workstatons.
Aoswern A
Explanatonn
What Is an Online Responder?
An Online Responder is a trusted server that receives and responds to individual client requests for informaton about
the status of a certfcate.
The use of Online Responders is one of two common methods for conveying informaton about the validity of
certfcates. Unlike certfcate revocaton lists (CRLs), which are distributed periodically and contain informaton about
all certfcates that have been revoked or suspended, an Online Responder receives and responds only to individual
requests from clients for informaton about the status of a certfcate. The amount of data retrieved per request
remains constant no mater how many revoked certfcates there might be.
In many circumstances, Online Responders can process certfcate status requests more efciently than by using CRLs.
Question 102
You want users to log on to Actve Directory by using a new Principal Name (UPN).
You need to modify the UPN sufx for all user accounts.
Which tool should you use?
A. Dsmod
B. Netdom
C. Redirusr
D. Actve Directory Domains and Trusts
Aoswern A
Explanatonn
Dsmod user dsmod user -upn <UPNN
Specifes the user principal names (UPNs) of the users that you want to modify, for example,
Linda@widgets.contoso.com.
Question 103
Auditng is confgured to log changes made to the Managed By atribute on group objects in an organizatonal unit
named OU1.
You need to log changes made to the Descripton atribute on all group objects in OU1 only.
What should you do?
A. Run auditpol.exe.
B. Modify the auditng entry for OU1.
C. Modify the auditng entry for the domain.
________________________________________________________________________________________________
Page No | 125
D. Create a new Group Policy Object (GPO). Enable Audit account management policy setng. Link the GPO to OU1.
Aoswern B
Explanatonn
htpn//ithompson.wordpress.com/tag/organizatonal-unit-move/
Do you need to track who/where/when for actvites done against the OU’s in your AD?
With Windows 2003 those were difcult questons to answer, we could get some very basic informaton from
Directory Services Auditng; but it was limited and you had to read through several cryptc events (id 566).
With the advanced auditng setngs with Windows 2008 R2 you can get some beter informaton (you can do this
same thing with Windows 2008 but it has to be done via command line and applied every tme servers restart).
I don’t want to bore you with Windows 2003 auditng or the command line optons for Windows 2008 Domains (if you
need them, I will get you the informaton). So let’s just jump right to using Windows 2008 R2, because we can now
apply the advanced auditng setngs via Group Policy.
Now when you turn on the Advanced Audit Policy Confguraton you are turning OFF the basic or standard Audit
Policies. The Advanced Audit Policy Confguraton allows you to control what AD will audit at a more granular level.
Now for the focus of this discussion we are only going to talk about setng up auditng for actvity on our Domain
Controllers, the other systems in your environment will be a diferent discussion.
So where do we start so that we can answer our queston at the top of this discussion?
First, turn on the correct auditng. Open up Group Policy Management Editor and drill down as seen in Fig 1.
For this discussion we are focusing on DS Access and its subcategories. We only want to turn on Audit Directory
Service Changes, see Fig 2. This category only generates events on domain controllers and is very useful for tracking
changes to Actve Directory objects that have object level auditng enabled. These events not only tell you what object
and property was changed and by whom but also the new value of the afected propertes.
________________________________________________________________________________________________
Page No | 126
Now that we have step 1 completed, setng up AD for auditng, it’s tme to confgure WHAT we want to audit.
This next step is done via Actve Directory Users and Computers. Open up the propertes of your AD and drill down to
setup the auditng for Create and Delete Organizatonal Unit objects as seen in Fig 3.
________________________________________________________________________________________________
Page No | 127
Now we need to add more granularity so we need to do this process 1 more tme and this tme instead of checking
boxes on the Object tab we are going to check 2 boxes on the Propertes tab, see Fig 4.
________________________________________________________________________________________________
Page No | 128
Now that our auditng is setup what type of events can we expect to see?
Here are a few examplesn
In this example (Fig 5), id 5137, we see an OU being created by the Administrator.
________________________________________________________________________________________________
Page No | 129
Figure 6 shows a Sub OU being created.
Figure 7 shows id 5139, an OU being moved.
________________________________________________________________________________________________
Page No | 130
Now for the best one, this one comes as a pair of messages – OU rename, part of id 5136.
Figure 8 shows the frst part of the rename process.
Figure 9 shows the second part of the rename process.
________________________________________________________________________________________________
Page No | 131
Now let’s contrast all of this with an event that is part of the good old standard auditng. Let’s take moving an OU;
with the Advanced Auditng we get id 5139 (fg 7), nice and easy to read and understand. Now here is id 4662 that you
would get for the same thing with standard auditng, fg 10.
________________________________________________________________________________________________
Page No | 132
With standard auditng some of the other items that we looked at would be next to impossible with auditng, such as
tracking when an OU is renamed and as you can see from fg 10 hard to read and understand if you did get an event.
Now if your AD is in Mixed Mode (W2k8 and W2k3) you are stuck with standard auditng.
Question 104
Your company uses shared folders. Users are granted access to the shared folders by using domain local groups. One
of the shared folders contains confdental data.
________________________________________________________________________________________________
Page No | 133
You need to ensure that unauthorized users are not able to access the shared folder that contains confdental data.
What should you do?
A. Enable the Do not trust this computer for delegaton property on all the computers of unauthorized users by using
the Dsmod utlity.
B. Instruct the unauthorized users to log on by using the Guest account. Confgure the Deny Full control permission on
the shared folders that hold the confdental data for the Guest account.
C. Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users in to the Deny
DLG group. Confgure the Allow Full control permission on the shared folder that hold the confdental data for the
Deny DLG group.
D. Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorized users in to
the Deny DLG group. Confgure the Deny Full control permission on the shared folder that hold the confdental data
for the Deny DLG group.
Aoswern D
Explanatonn
________________________________________________________________________________________________
Page No | 134
Any group, whether it is a security group or a distributon group, is characterized by a scope that identfes the extent
to which the group is applied in the domain tree or forest. The boundary, or reach, of a group scope is also
determined by the domain functonal level setng of the domain in which it resides. There are three group scopesn
universal, global, and domain local.
The following table describes the diferences between the scopes of each group.
When to use groups with domain local scope
________________________________________________________________________________________________
Page No | 135
Groups with domain local scope help you defne and manage access to resources within a single domain. For example,
to give fve users access to a partcular printer, you can add all fve user accounts in the printer permissions list. If,
however, you later want to give the fve users access to a new printer, you must again specify all fve accounts in the
permissions list for the new printer.
Question 105
Your company has an Actve Directory domain. You install an Enterprise Root certfcaton authority (CA) on a member
server named Server1.
You need to ensure that only the Security Manager is authorized to revoke certfcates that are supplied by Server1.
What should you do?
A. Remove the Request Certfcates permission from the Domain Users group.
B. Remove the Request Certfcated permission from the Authentcated Users group.
C. Assign the Allow - Manage CA permission to only the Security Manager user Account.
D. Assign the Allow - Issue and Manage Certfcates permission to only the Security Manger user account
Aoswern D
Explanatonn
Referencen
Implement Role-Based Administraton
You can use role-based administraton to organize certfcaton authority (CA) administrators into separate, predefned
CA roles, each with its own set of tasks. Roles are assigned by using each user's security setngs.
You assign a role to a user by assigning that user the specifc security setngs that are associated with the role. A user
that has one type of permission, such as Manage CA permission, can perform specifc CA tasks that a user with
another type of permission, such as Issue and Manage Certfcates permission, cannot perform.
The following table describes the roles, users, and groups that can be used to implement role-based administraton.
Roles and groups
Certfcate manager
Security permission
Issue and Manage Certfcates
Descripton
Approve certfcate enrollment and revocaton requests. This is a CA role. This role is sometmes referred to as CA
ofcer. These permissions are assigned by using the Certfcaton Authority snap-in.
Question 106
You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.
What is the minimal forest functonal level that you should use?
A. Windows Server 2008 R2

B. Windows Server 2008
C. Windows Server 2003
D. Windows 2000
Aoswern C
Explanatonn
________________________________________________________________________________________________
Page No | 136
Referencen
Prerequisites for Deploying an RODC
Complete the following prerequisites before you deploy a read-only domain controller (RODC)n
Ensure that the forest functonal level is Windows Server 2003 or higher, so that linked-valuereplicaton (LVR) is
available.
Question 107
Your company has three Actve Directory domains in a single forest. You install a new Actve Directory enabled
applicaton. The applicaton ads new user atributes to the Actve Directory schema.
You discover that the Actve Directory replicaton trafc to the Global Catalogs has increased.
You need to prevent the new atributes from being replicated to the Global Catalog.
You must achieve this goal without afectng applicaton functonality.
What should you do?
A. Change the replicaton interval for the DEFAULTIPSITELINK object to 9990.

B. Change the cost for the DEFAULTIPSITELINK object to 9990.
C. Make the new atributes in the Actve Directory as defunct.
D. Modify the propertes in the Actve Directory schema for the new atributes.
Aoswern D
Explanatonn
How to Modify Atributes That Replicate to the Global Catalog
The Global Catalog (GC) contains a partal replica of every object in the enterprise. This artcle discusses how to
manipulate the atributes which make up the set values replicated to the GC. Deciding which atributes will replicate
(in additon to the default atributes) requires careful planning with consideraton for network trafc and necessary
disk space.
Before describing how to set an atribute to replicate in the GC, it is important to note the efects this has on network
replicaton trafc.
Aoer an atributeSchema object is created, marking an additonal atribute to replicate to the GC causes a full
replicaton (also known as a "full sync") of all objects to the GC as described below. This behavior occurs on the
versions of Windows 2000 listed in this artcle.
Every server has a full and write-able copy of its own domain. If that server is also a GC, the remaining domains in the
forest are held as read-only, partal copies. "Partal" means that only a subset of the atributes is kept.
When an atribute is added to the GC, it is added to the partal copy subset (partal atribute set). This causes the GC
to perform a "full sync" of all the read-only copies again to repopulate itself with only the partal atributes that it
needs to hold. This full sync occurs even if the atribute property isMemberOfPartalAtributeSet is set to "True." Thus,
it only does a full sync on the read-only partal copy domains and not its own write-able domain, the confguraton
directory partton or schema directory partton.
In order to modify the atributes that replicate to the Actve Directory GC, you must modify the schema. To modify the
schema, an administrator must be made a member of the "Schema Admins" group. In additon to being a member of
this group, a registry key must be set on the Schema master.
Question 108
:OTSPOT
Your network contains an Actve Directory forest named contoso.com. The forest contains two sites named Seatle
________________________________________________________________________________________________
Page No | 137
and Montreal. The Seatle site contains two domain controllers. The domain controllers are confgured as shown in
the following table.
The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server in the forest.
You need to confgure DC2 as a global catalog server.
Which object's propertes should you modify? To answer, select the appropriate object in the answer area.
Aoswern <map><m
x1="109" x2="229"
y1="267" y2="283"
ss="0" a="0"
/></map>
________________________________________________________________________________________________
Page No | 138
Explanatonn
Referencen
To designate a domain controller to be a global catalog server
1. Click Start, point to Administratve Tools, and then click Actve Directory Sites and Services.
2. In the console tree, expand the Sites container, and then expand the site in which you are designatng a global
catalog server.
3. Expand the Servers container, and then expand the Server object for the domain controller that you want to
designate as a global catalog server.
4. Right-click the NTDS Setngs object for the target server, and then click Propertes.
5. Select the Global Catalog check box, and then click OK.
Question 109
:OTSPOT
Your network contains an Actve Directory forest named contoso.com. The forest contains two Actve Directory sites
named Seatle and Montreal. The Montreal site is a branch ofce that contains only a single read-only domain
controller (RODC).
You accidentally delete the site link between the two sites.
You recreate the site link while you are connected to a domain controller in Seatle.
You need to replicate the change to the RODC in Montreal.
Which node in Actve Directory Sites and Services should you use?To answer, select the appropriate node in the
answer area.
________________________________________________________________________________________________
Page No | 139
Aoswern <map><m
x1="107" x2="217"
y1="199" y2="218"
ss="0" a="0"
/></map>
Explanatonn
Reference 1n
htpn//blogs.technet.com/b/ashleymcglone/archive/2011/06/29/report-and-edit-ad-site-links-from-powershellturbo-
your-ad-replicaton.aspx
Site links are stored in the Confguraton partton of the AD database.
Reference 2n
To use Actve Directory Sites and Services to force replicaton of the confguraton partton to an RODC
1. Open the Actve Directory Sites and Services snap-in (Dssite.msc).
2. Double-click Sites, double-click the name of the site that has the RODC, double-click Servers, double-click the name
of the RODC, right-click NTDS Setngs, and then click Replicate confguraton to the selected DC.
3. Click OK to close the message indicatng that AD DS has replicated the connectons.
________________________________________________________________________________________________
Page No | 140
Question 110
:OTSPOT
Your network contains an Actve Directory forest named contoso.com. The forest contains two sites named Seatle
and Montreal. The Seatle site contains two domain controllers. The domain controllers are confgured as shown in
You need to enable universal group membership caching in the Seatle site.
Which object's propertes should you modify?
To answer, select the appropriate object in the answer area.
Aoswern <map><m
x1="313" x2="524"
y1="113" y2="132"
ss="0" a="0"
/></map>
________________________________________________________________________________________________
Page No | 141
Explanatonn
Referencen
htpn//htpn//technet.microsoo.com/en-us/magazine/f797984.aspx
Confgure Universal Group Membership Caching in Actve Directory
You can enable or disable universal group membership caching by following these stepsn
1. In Actve Directory Sites And Services, expand and then select the site you want to work with.
2. In the details pane, right-click NTDS Site Setngs, and then click Propertes.
3. To enable universal group membership caching, select the Enable Universal Group Membership Caching check box
on the Site Setngs tab. Then, in the Refresh Cache From list, choose a site from which to cache universal group
memberships. The selected site must have a working global catalog server.
4. To disable universal group membership caching, clear the Enable Universal Group Membership Caching check box
on the Site Setngs tab.
5. Click OK.
Question 111
You are decommissioning one of the domain controllers in a child domain.
You need to transfer all domain operatons master roles within the child domain to a newly installed domain
controller in the same child domain.
Which three domain operatons master roles should you transfer? (Each correct answer presents part of the soluton.
Choose three.)
A. RID master
B. PDC emulator
C. Schema master
D. Infrastructure master
E. Domain naming master
Aoswern A, B, D
Explanatonn
Transferring operatons master roles
Transferring an operatons master role means moving it from one domain controller to another with the cooperaton
________________________________________________________________________________________________
Page No | 142
of the original role holder. Depending upon the operatons master role to be transferred, you perform the role
transfer using one of the three Actve Directory consoles in Microsoo Management Console (MMC).
Question 112
There are 100 servers and 2000 computers present at your company's headquarters.
The DHCP service is installed on a two-node Microsoo failover cluster named CKMFO to ensure the high availability of
the service.
The nodes are named as CKMFON1 and CKMFON2.
The cluster on CKMFO has one physical shared disk of 400 GB capacity.
A 200GB single volume is confgured on the shared disk.
Company has decided to host a Windows Internet Naming Service (WINS) on CKMFON1.
The DHCP and WINS services will be hosted on other nodes.
Using High Availability Wizard, you begin creatng the WINS service group on cluster available on CKMFON1 node.
The wizard shows an error "no disks are available" during confguraton.
Which acton should you perform to confgure storage volumes on CKMFON1 to successfully add the WINS Service
group to CKMFON1?
A. Backup all data on the single volume on CKMFON1 and confgure the disk with GUID partton table and create two
volumes. Restore the backed up data on one of the volumes and use the other for WINS service group
B. Add a new physical shared disk to the CKMFON1 cluster and confgure a new volume on it. Use this volume to fx
the error in the wizard.
C. Add new physical shared disks to CKMFON1 and EMBFON2. Confgure the volumes onthese disk and direct
CKMOFONI to use CKMFON2 volume for the WINS service group
D. Add and confgure a new volume on the existng shared disk which has 400GB of space. Use this volume to fx the
error in the wizard
E. None of the above
Aoswern B
Explanatonn
htpn//class10e.com/Microsoo/which-acton-should-you-perform-to-confgure-storage-volumes-on-ckmfon1-
tosuccessfully-add-the-wins-service-group-to-ckmfon1/
To confgure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1, you need to add
a new physical shared disk to the CKMFON1 cluster and confgure a new volume on it.
Use this volume to fx the error in the wizard.
This is because a cluster does not use shared storage.
A cluster must use a hardware soluton based either on shared storage or on replicaton between nodes.
Question 113
Exhibitn
________________________________________________________________________________________________
Page No | 143
Company servers run Windows Server 2008. It has a single Actve Directory domain. A server called S4 has fle
services role installed. You install some disk for additonal storage. The disks are confgured as shown in the exhibit.
To support data stripping with parity, you have to create a new drive volume.
What should you do to achieve this objectve?
A. Build a new spanned volume by combining Disk0 and Disk1

B. Create a new Raid-5 volume by adding another disk.
C. Create a new virtual volume by combining Disk 1 and Disk 2
D. Build a new striped volume by combining Disk0 and Disk 2
Aoswern B
Explanatonn
htpsn//sort.symantec.com/public/documents/sf/5.0/solaris/html/vxvm_admin/ag_ch_intro_vm17.html
Question 114
Your company asks you to implement Windows Cardspace in the domain.

You want to use Windows Cardspace at your home.
Your home and ofce computers run Windows Vista Ultmate.
What should you do to create a backup copy of Windows Cardspace cards to be used at home?
A. Log on with your administrator account and copy gWindowsgServiceProfles folder to your USB drive
B. Backup gWindowsgGlobalizaton folder by using backup status and save the folder on your USB drive
C. Back up the system state data by using backup status tool on your USB drive
D. Employ Windows Cardspace applicaton to backup the data on your USB drive.
E. Reformat the Cn Drive
F. None of the above
________________________________________________________________________________________________
Page No | 144
Aoswern D
Explanatonn
htpn//windows.microsoo.com/en-us/windows7/windows-cardspace-for-itpros#
BKMK_HowdoIbackupmycardsortransferthemtoanothercomputer
Windows CardSpace for IT pros
Microsoo Windows CardSpace™ is a system for creatng relatonships with websites and online services.
Windows CardSpace provides a consistent way forn
Sites to request informaton from you.
You to review the identty of a site.
You to manage your informaton by using Informaton Cards.
You to review card informaton before you send it.
Windows CardSpace can replace the user names and passwords that you use to register with and log on to websites
and online services.
15. How do I back up my cards or transfer them to another computer?
Cards are stored on your computer in an encrypted format. To save a backup fle containing some or all of your cards
or to use a card on a diferent computer, you can save cards to a backup card fle.
To back up your cardsn
1. Start Windows CardSpace.
2. View all your cards.
3. In the pane on the right of your screen, click Back up cards.
4. Select the cards that you want to back up.
5. Browse to the folder where you want to save the backup card fle, and then give it a name.
When you complete these steps, you save a fle containing some or all of your cards. You can copy the backup card fle
to media such as a Universal Serial Bus (USB) storage device, CD, or other digital media. You can restore the backup
card fle on this computer or on another computer.
To restore your cards
1. Save the backup card fle to the computer.
2. Browse to the locaton of the fle on the computer.
3. Double-click the fle, and then follow the instructons to restore the cards.
Question 115
Company has servers on the main network that run Windows Server 2008. It also has two domain controllers.
Actve Directory services are running on a domain controller named CKDC1.
You have to perform critcal updates of Windows Server 2008 on CKDC1 without rebootng the server.
What should you do to perform ofine critcal updates on CKDC1 without rebootng the server?
A. Start the Actve Directory Domain Services on CKDC1

B. Disconnect from the network and start the Windows update feature
C. Stop the Actve Directory domain services and install the updates. Start the Actve Directory domain services aoer
installing the updates.
D. Stop Actve Directory domain services and install updates. Disconnect from the network and then connect again.
Aoswern C
Explanatonn
Personal commentn I don't believe you can avoid restartng the server when installing some (not all) updates
________________________________________________________________________________________________
Page No | 145
htpn//class10e.com/Microsoo/what-should-you-do-to-perform-ofine-critcal-updates-on-ckdc1-withoutrebootng-
the-server/
To perform ofine critcal updates on CKDC1 without rebootng the server, you should stop the Actve Directory
domain services and install the updates. Start the Actve Directory domain services aoer installing the updates.
By stopping the Actve Directory domain services, you don’t need to reboot the server.
The updates are related to the Windows Server 2008 on CKDC1 so when you stop the Actve Directory domain
services and start it again aoer the installaton of the updates, the Server will perform in a normal way.
Question 116
One of the remote branch ofces is running a Windows Server 2008 read only domain controller (RODC). For security
reasons you don't want some critcal credentals like (passwords, encrypton keys) to be stored on RODC.
What should you do so that these credentals are not replicated to any RODC's in the forest? (Select 2)
A. Confgure RODC fltered atribute set on the server

B. Confgure RODC fltered set on the server that holds Schema Operatons Master role.
C. Delegate local administratve permissions for an RODC to any domain user without grantng that user any user
rights for the domain
D. Confgure forest functonal level server for Windows server 2008 to confgure fltered atribute set.
Aoswern B, D
Explanatonn
Adding atributes to the RODC fltered atribute set
The RODC fltered atribute set is a dynamic set of atributes that is not replicated to any RODCs in the forest. You can
confgure the RODC fltered atribute set on a schema master that runs Windows Server
2008. When the atributes are prevented from replicatng to RODCs, that data cannot be exposed unnecessarily if an
RODC is stolen or compromised.
A malicious user who compromises an RODC can atempt to confgure it in such a way that it tries to replicate
atributes that are defned in the RODC fltered atribute set. If the RODC tries to replicate those atributes from a
domain controller that is running Windows Server 2008, the replicaton request is denied. However, if the RODC tries
to replicate those atributes from a domain controller that is running Windows Server 2003, the replicaton request
could succeed.
Therefore, as a security precauton, ensure that forest functonal level is Windows Server 2008 if you plan to confgure
the RODC fltered atribute set. When the forest functonal level is Windows Server 2008, an RODC that is
compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003
are not allowed in the forest.
Question 117
Company has a server with Actve Directory Rights Management Services (AD RMS) server installed. Users have
computers with Windows Vista installed on them with an Actve Directory domain installed at Windows Server 2003
functonal level.
As an administrator at Company, you discover that the users are unable to beneft from AD RMS to protect their
documents.
You need to confgure AD RMS to enable users to use it and protect their documents.
What should you do to achieve this functonality?
________________________________________________________________________________________________
Page No | 146
A. Confgure an email account in Actve Directory Domain Services (AD DS) for each user.
B. Add and confgure ADRMSADMIN account in local administrators group on the user computers
C. Add and confgure the ADRMSSRVC account in AD RMS server's local administrator group
D. Reinstall the Actve Directory domain on user computers
E. All of the above
Aoswern A
Explanatonn
AD RMS Step-by-Step Guide
For each user account and group that you confgure with AD RMS, you need to add an e-mail address and then assign
the users to groups.
Question 118
Company has an actve directory forest on a single domain.

Company needs a distributed applicaton that employs a custom applicaton. The applicaton is directory partton
sooware named PARDAT.
You need to implement this applicaton for data replicaton.
Which two tools should you use to achieve this task? (Choose two answers. Each answer is a part of a complete
soluton)
A. Dnscmd.
B. Ntdsutl.
C. Ipconfg
D. Dnsutl
E. All of the above
Aoswern A, B
Explanatonn
How to create and apply a custom applicaton directory partton on an Actve Directory integrated DNS zone in
Windows Server 2003
You can create a custom Actve Directory partton by using the DnsCmd command.
If the new naming context that you created does not appear in the Repadmin output, you can verify the state of this
naming context by using the Ntdsutl command.
Question 119
Company has an Actve Directory forest with six domains. The company has 5 sites. The company requires a new
distributed applicaton that uses a custom applicaton directory partton named ResData for data replicaton.
The applicaton is installed on one member server in fve sites.
You need to confgure the fve member servers to receive the ResData applicaton directory partton for data
replicaton.
What should you do?
A. Run the Dcpromo utlity on the fve member servers.

B. Run the Regsvr32 command on the fve member servers
________________________________________________________________________________________________
Page No | 147
C. Run the Webadmin command on the fve member servers

D. Run the RacAgent utlity on the fve member servers
Aoswern A
Explanatonn
Dcpromo Syntax dcpromo [/answer[n<flenameN] | /unatend[n<flenameN] | /unatend | /adv] /uninstallBinaries
[/CreateDCAccount | /UseExistngAccountnAtach] /? /?[n{Promoton | CreateDCAccount | UseExistngAccount
|Demoton}]dcpromo Promoton operaton parametersn
ApplicatonParttonsToReplicaten""
Specifes the applicaton directory parttons that dcpromo will replicate. Use the following formatn "partton1"
"partton2" "parttonN"
Use * to replicate all applicaton directory parttons.
Question 120
As an administrator at Company, you have installed an Actve Directory forest that has a single domain.
You have installed an Actve Directory Federaton services (AD FS) on the domain member server.
What should you do to confgure AD FS to make sure that AD FS token contains informaton from the actve directory
domain?
A. Add a new account store and confgure it.

B. Add a new resource partner and confgure it
C. Add a new resource store and confgure it
D. Add a new administrator account on AD FS and confgure it
Aoswern A
Explanatonn
Step 3n Installing and Confguring AD FS
Now that you have confgured the computers that will be used as federaton servers, you are ready to install Actve
Directory Federaton Services (AD FS) components on each of the computers. This secton includes the following
proceduresn
Install the Federaton Service on ADFS-RESOURCE and ADFS-ACCOUNT
Confgure ADFS-ACCOUNT to work with AD RMS
Confgure ADFS-RESOURCE to Work with AD RMS
Question 121
Company runs Window Server 2008 on all of its servers. It has a single Actve Directory domain and it uses Enterprise
Certfcate Authority. The security policy at ABC.com makes it necessary to examine revoked certfcate informaton.
You need to make sure that the revoked certfcate informaton is available at all tmes.
What should you do to achieve that?
A. Add and confgure a new GPO (Group Policy Object) that enables users to accept peer certfcates and link the GPO
to the domain.
B. Confgure and use a GPO to publish a list of trusted certfcate authorites to the domain
________________________________________________________________________________________________
Page No | 148
C. Confgure and publish an OCSP (Online certfcate status protocol) responder through ISAS (Internet Security and
Acceleraton Server) array.
D. Use network load balancing and publish an OCSP responder.
Aoswern D
Explanatonn
How Certfcate Revocaton Works
Question 122
As the Company administrator you had installed a read-only domain controller (RODC) server at remote locaton.
The remote locaton doesn't provide enough physical security for the server.
What should you do to allow administratve accounts to replicate authentcaton informaton to Read-Only Domain
Controllers?
A. Remove any administratve accounts from RODC's group

B. Add administratve accounts to the domain Allowed RODC Password Replicaton group
C. Set the Deny on Receive as permission for administratve accounts on the RODC computer account
Security tab for the Group Policy Object (GPO)
D. Confgure a new Group Policy Object (GPO) with the Account Lockout setngs enabled. Link the GPO to the remote
locaton. Actvate the Read Allow and the Apply group policy Allow permissions for the administrators on the Security
tab for the GPO.
Aoswern B
Explanatonn
________________________________________________________________________________________________
Page No | 149
Password Replicaton Policy
When you initally deploy an RODC, you must confgure the Password Replicaton Policy on the writable domain
controller that will be its replicaton partner.
The Password Replicaton Policy acts as an access control list (ACL). It determines if an RODC should be permited to
cache a password. Aoer the RODC receives an authentcated user or computer logon request, it refers to the
Password Replicaton Policy to determine if the password for the account should be cached. The same account can
then perform subsequent logons more efciently.
The Password Replicaton Policy lists the accounts that are permited to be cached, and accounts that are explicitly
denied from being cached. The list of user and computer accounts that are permited to be cached does not imply
that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in
advance any accounts that an RODC will cache. This way, the RODC can authentcate those accounts, even if the WAN
link to the hub site is ofine.
..
Password Replicaton Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Actve Directory domains to support RODC
operatons. These are the Allowed RODC Password Replicaton Group and Denied RODC Password Replicaton Group.
These groups help implement a default Allowed List and Denied List for the RODC Password Replicaton Policy. By
default, the two groups are respectvely added to the msDS-RevealOnDemandGroup and msDSNeverRevealGroup
Actve Directory atributes mentoned earlier.
By default, the Allowed RODC Password Replicaton Group has no members. Also by default, the Allowed List
atribute contains only the Allowed RODC Password Replicaton Group.
By default, the Denied RODC Password Replicaton Group contains the following membersn
________________________________________________________________________________________________
Page No | 150
Enterprise Domain Controllers

Enterprise Read-Only Domain Controllers
Group Policy Creator Owners
Domain Admins
Cert Publishers
Enterprise Admins
Schema Admins
Domain-wide krbtgt account
By default, the Denied List atribute contains the following security principals, all of which are built-in groupsn
Denied RODC Password Replicaton Group
Account Operators
Server Operators
Backup Operators
Administrators
The combinaton of the Allowed List and Denied List atributes for each RODC and the domain-wide Denied
RODC Password Replicaton Group and Allowed RODC Password Replicaton Group give administrators great fexibility.
They can decide precisely which accounts can be cached on specifc RODCs.
The following table summarizes the three possible administratve models for the Password Replicaton Policy.
Question 123
ABC.com boasts a two-node Network Load Balancing cluster which is called web.CK1.com. The purpose of this cluster
is to provide load balancing and high availability of the intranet website only.
With monitoring the cluster, you discover that the users can view the Network Load Balancing cluster in their Network
Neighborhood and they can use it to connect to various services by using the name web.CK1.com.
You also discover that there is only one port rule confgured for Network Load Balancing cluster. You have to confgure
web.CK1.com NLB cluster to accept HTTP trafc only.
Which two actons should you perform to achieve this objectve? (Choose two answers. Each answer is part of the
complete soluton)
A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster console
B. Run the wlbs disable command on the cluster nodes
C. Assign a unique port rule for NLB cluster by using the NLB Cluster console
D. Delete the default port rules through Network Load Balancing Cluster console
Aoswern A, D
Explanatonn
Create a new Network Load Balancing Port Rule
Port rules control how a Network Load Balancing (NLB) cluster functons. To maximize control of various types of
TCP/IP trafc, you can set up port rules to control how each port's cluster-network trafc is handled. The method by
________________________________________________________________________________________________
Page No | 151
which a port's network trafc is handled is called its fltering mode. There are three possible fltering modesn Multple
hosts, Single host, and Disabled.
You can also specify that a fltering mode apply to a numerical range of ports. You do this by defning a port rule with a
set of confguraton parameters that defne the fltering mode. Each rule consists of the following confguraton
parametersn
The virtual IP address that the rule should apply to
The TCP or UDP port range that this rule should apply to
The protocols that this rule should apply to, including TCP, UDP, or both
The fltering mode that specifes how the cluster handles trafc, which is described by the port range and the
protocols
In additon, you can select one of three optons for client afnityn None, Single, or Network. Single and Network are
used to ensure that all network trafc from a partcular client is directed to the same cluster host.
To allow NLB to properly handle IP fragments, you should avoid using None when you select UDP or Both for your
protocol setng. As an extension to the Single and Network optons, you can confgure a tme-out setng to preserve
client afnity when the confguraton of an NLB cluster is changed. This extension also allows clients to keep afnity to
a cluster host even if there are no actve, existng connectons from the client to the host.
Question 124
ABC.com has a main ofce and a branch ofce. ABC.com's network consists of a single Actve Directory forest.
Some of the servers in the network run Windows Server 2008 and the rest run Windows server 2003.
You are the administrator at ABC.com. You have installed Actve Directory Domain Services (AD DS) on a computer
that runs Windows Server 2008. The branch ofce is located in a physically insecure place. It has no IT personnel
onsite and there are no administrators over there. You need to setup a Read-Only Domain Controller (RODC) on the
Server Core installaton computer in the branch ofce.
What should you do to setup RODC on the computer in branch ofce?
A. Execute an atended installaton of AD DS

B. Execute an unatended installaton of AD DS
C. Execute RODC through AD DS
D. Execute AD DS by using deploying the image of AD DS
E. none of the above
Aoswern B
Explanatonn
Referencen
Install an RODC on a Server Core installaton
To install an RODC on a Server Core installaton of Windows Server 2008, you must perform an unatended installaton
of AD DS.
Question 125
You had installed an Actve Directory Federaton Services (AD FS) role on a Windows server 2008 in your organizaton.
Now you need to test the connectvity of clients in the network to ensure that they can successfully reach the new
Federaton server and Federaton server is operatonal.
What should you do? (Select all that apply)
A. Go to Services tab, and check if Actve Directory Federaton Services is running
________________________________________________________________________________________________
Page No | 152
B. In the event viewer, Applicatons, Event ID column look for event ID 674.
C. Open a browser window, and then type the Federaton Service URL for the new federaton server.
D. None of the above
Aoswern B, C
Explanatonn
Referencen
Verify
Verify that a specifc event (ID 674) was generated on the federaton server proxy computer. This event is generated
when the federaton server proxy is able to successfully communicate with the Federaton Service.
To perform this procedure, you must be a member of the local Administrators group, or you must have been
delegated the appropriate authority.
1. Log on to a client computer with Internet access.
2. Open a browser window, and then type the Uniform Resource Locator (URL) for the Federaton Service endpoint,
along with the path to the clientlogon.aspx page that is stored on the federaton server proxy.
3. Press ENTER.
Note -At this point your browser should display the error Server Error in '/adfs' Applicaton. This step is necessary to
generate event message 674 to verify that the clientlogon.aspx page is being loaded properly by
Internet Informaton Services (IIS).
4. Log on to the federaton server proxy.
5. Click Start, point to Administratve Tools, and then click Event Viewer.
6. In the details pane, double-click Applicaton.
7. In the Event column, look for event ID 674.
Question 126
ABC.com has purchased laptop computers that will be used to connect to a wireless network.
You create a laptop organizatonal unit and create a Group Policy Object (GPO) and confgure user profles by utlizing
the names of approved wireless networks.
You link the GPO to the laptop organizatonal unit. The new laptop users complain to you that they cannot connect to
a wireless network.
What should you do to enforce the group policy wireless setngs to the laptop computers?
A. Execute gpupdate/targetncomputer command at the command prompt on laptop computers

B. Execute Add a network command and leave the SSID (service set identfer) blank
C. Execute gpupdate/boot command at the command prompt on laptops computers
D. Connect each laptop computer to a wired network and log of the laptop computer and then login again.
Aoswern D
Question 127
The Company has a Windows 2008 domain controller server. This server is routnely backed up over the network from
a dedicated backup server that is running Windows 2003 OS.
You need to prepare the domain controller for disaster recovery apart from the routne backup procedures.
You are unable to launch the backup utlity while atemptng to back up the system state data for the data controller.
You need to backup system state data from the Windows Server 2008 domain controller server.
________________________________________________________________________________________________
Page No | 153
What should you do?
A. Add your user account to the local Backup Operators group

B. Install the Windows Server backup feature using the Server Manager feature.
C. Install the Removable Storage Manager feature using the Server Manager feature
D. Deactvatng the backup job that is confgured to backup Windows 2008 server domain controller on the Windows
2003 server.
Aoswern B
Explanatonn
Windows Server Backup Step-by-Step Guide for Windows Server 2008
The Windows Server Backup feature provides a basic backup and recovery soluton for computers running the
Windows Server® 2008 operatng system. Windows Server Backup introduces new backup and recovery technology
and replaces the previous Windows Backup (Ntbackup.exe) feature that was available with earlier versions of the
Windows operatng system.
What is Windows Server Backup?
The Windows Server Backup feature in Windows Server 2008 consists of a Microsoo Management Console (MMC)
snap-in and command-line tools that provide a complete soluton for your day-to-day backup and recovery needs. You
can use four wizards to guide you through running backups and recoveries. You can use Windows Server Backup to
back up a full server (all volumes), selected volumes, or the system state. You can recover volumes, folders, fles,
certain applicatons, and the system state. And, in case of disasters like hard disk failures, you can perform a system
recovery, which will restore your complete system onto the new hard disk, by using a full server backup and the
Windows Recovery Environment.
You can use Windows Server Backup to create and manage backups for the local computer or a remote computer. You
can also schedule backups to run automatcally and you can perform one-tme backups to augment the scheduled
backups.
Question 128
You are an administrator at ABC.com. Company has a RODC (read-only domain controller) server at a remote locaton.
The remote locaton doesn't have proper physical security.
You need to actvate nonadministratve accounts passwords on that RODC server.
Which of the following acton should be considered to populate the RODC server with non-administratve accounts
passwords?
A. Delete all administratve accounts from the RODC's group

B. Confgure the permission to Deny on Receive for administratve accounts on the security tab for Group Policy
Object (GPO)
C. Confgure the administratve accounts to be added in the Domain RODC Password Replicaton Denied group
D. Add a new GPO and enable Account Lockout setngs. Link it to the remote RODC server and on the security tab on
GPO, check the Read Allow and the Apply group policy permissions for the administrators.
Aoswern C
Explanatonn
________________________________________________________________________________________________
Page No | 154
Advantages That an RODC Can Provide to an Existng Deployment Branch ofce server administraton. RODCs provide
Administrator Role Separaton (ARS), which you can use to delegate administraton of an RODC to a nonadministratve
user or group. This means that it is not necessary for a highly privileged administrator to log on to the domain
controller in the branch ofce to perform routne server maintenance.
Password Replicaton Policy Allowed and Denied lists Two new built-in groups are introduced in Windows Server 2008
Actve Directory domains to support RODC operatons. These are the Allowed RODC Password Replicaton Group and
Denied RODC Password Replicaton Group.
The combinaton of the Allowed List and Denied List atributes for each RODC and the domain-wide Denied RODC
Password Replicaton Group and Allowed RODC Password Replicaton Group give administrators great fexibility. They
________________________________________________________________________________________________
Page No | 155
can decide precisely which accounts can be cached on specifc RODCs.
Question 129
ABC.com has a network that is comprise of a single Actve Directory Domain.

As an administrator at ABC.com, you install Actve Directory Lightweight Directory Services (AD LDS) on a server that
runs Windows Server 2008. To enable Secure Sockets Layer (SSL) based connectons to the AD LDS server, you install
certfcates from a trusted Certfcaton Authority (CA) on the AD LDS server and client computers.
Which tool should you use to test the certfcate with AD LDS?
A. Ldp.exe
B. Actve Directory Domain services
C. ntdsutl.exe
D. Lds.exe
E. wsamain.exe
F. None of the above
Aoswern A
Explanatonn
Appendix An Confguring LDAP over SSL Requirements for AD LDS
The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Actve Directory
Lightweight Directory Services (AD LDS). By default, LDAP trafc is not transmited securely. You can make LDAP trafc
confdental and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology.
Step 3n Connect to the AD LDS instance over LDAPS using Ldp.exe
________________________________________________________________________________________________
Page No | 156
To test your server authentcaton certfcate, you can open Ldp.exe on the computer that is running the AD LDS
instance and then connect to this AD LDS instance that has the SSL opton enabled.
Question 130
ABC.com boasts a main ofce and 20 branch ofces. Confgured as a separate site, each branch ofce has a Read-Only
Domain Controller (RODC) server installed.
Users in remote ofces complain that they are unable to log on to their accounts. What should you do to make sure
that the cached credentals for user accounts are only stored in their local branch ofce RODC server?
A. Open the RODC computer account security tab and set Allow on the Receive as permission only for the users that
are unable to log on to their accounts
B. Add a password replicaton policy to the main Domain RODC and add user accounts in the security group
C. Confgure a unique security group for each branch ofce and add user accounts to the respectve security group.
Add the security groups to the password replicaton allowed group on the main RODC server
D. Confgure and add a separate password replicaton policy on each RODC computer account
Aoswern D
Explanatonn
Question 131
The corporate network of Company consists of a Windows Server 2008 single Actve Directory domain. The domain
has two servers named Company 1 and Company 2.
To ensure central monitoring of events you decided to collect all the events on one server, to collect events from
Company, and transfer them to Company 1.
You confgure the required event subscriptons.
You selected the Normal opton for the Event delivery optmizaton setng by using the HTTP protocol.
However, you discovered that none of the subscriptons work.
Which of the following actons would you perform to confgure the event collecton and event forwarding on the two
servers? (Select three. Each answer is a part of the complete soluton).
A. Run window execute the winrm quickconfg command on Company 2.

B. Run window execute the wecutl qc command on Company 2.
C. Add the Company 1 account to the Administrators group on Company 2.
D. Run window execute the winrm quickconfg command on Company 1.
________________________________________________________________________________________________
Page No | 157
E. Add the Company 2 account to the Administrators group on Company 1.

F. Run window execute the wecutl qc command on Company 1.
Aoswern A, C, F
Explanatonn
We need to do three thingsn
1 - run winrm quickconfg on the source computer (Company 2)
2 - run wecutl qc on the collector computer (Company 1)
3 - add the computer account of the collector computer to the local Administrators group on the source computer
Had the Event delivery optmizaton setng been set to Minimize Bandwidth or Minimize Latency, then we would
need to run winrm quickconfg on the collector computer too. Because it's set to Normal we can skip that step.
If the HTTPS protocol had been used we also would have had to confgure Windows Firewall exceptons for port 443.
But it's not, and it's not even listed, so that's cool.
Referencen
To confgure computers in a domain to forward and collect events
1. Log on to all collector and source computers. It is a best practce to use a domain account with administratve
privileges.
2. On each source computer, type the following at an elevated command promptn winrm quickconfg
Note
If you intend to specify an event delivery optmizaton of Minimize Bandwidth or Minimize Latency, then you must
also run the above command on the collector computer.
3. On the collector computer, type the following at an elevated command promptn wecutl qc
4. Add the computer account of the collector computer to the local Administrators group on each of the source
computers.
5. The computers are now confgured to forward and collect events. Follow the steps in Create a New
Subscripton to specify the events you want to have forwarded to the collector.
Question 132
Your company has a main ofce and 40 branch ofces. Each branch ofce is confgured as a separate Actve Directory
site that has a dedicated read-only domain controller (RODC).
An RODC server is stolen from one of the branch ofces.
You need to identfy the user accounts that were cached on the stolen RODC server.
Which utlity should you use?
A. Dsmod.exe
B. Ntdsutl.exe
C. Actve Directory Sites and Services
D. Actve Directory Users and Computers
Aoswern D
Explanatonn
Securing Accounts Aoer an RODC Is Stolen
________________________________________________________________________________________________
Page No | 158
If you become aware of a stolen or otherwise compromised read-only domain controller (RODC), you should act
quickly to delete the RODC account from the domain and to reset the passwords of the accounts whose current
passwords are stored on the RODC.
An efcient tool for removing the RODC computer account and resetng all the passwords for the accounts that were
authentcated to it is the Actve Directory Users and Computers snap-in.
Question 133
ABC.com has a sooware evaluaton lab. There is a server in the evaluaton lab named as CKT. CKT runs Windows
Server 2008 and Microsoo Virtual Server 2005 R2. CKT has 200 virtual servers running on an isolated virtual segment
to evaluate sooware. To connect to the internet, it uses physical network interface card.
ABC.com requires every server in the company to access Internet. ABC.com security policy dictates that the IP address
space used by sooware evaluaton lab must not be used by other networks. Similarly, it states the IP address space
used by other networks should not be used by the evaluaton lab network.
As an administrator you fnd you that the applicatons tested in the sooware evaluaton lab need to access normal
network to connect to the vendors update servers on the internet.
You need to confgure all virtual servers on the CKT server to access the internet. You also need to comply with
company's security policy.
Which two actons should you perform to achieve this task? (Choose two answers. Each answer is a part of the
complete soluton)
A. Trigger the Virtual DHCP server for the external virtual network and run ipconfg/renew command on each virtual
server
B. On CKT's physical network interface, actvate the Internet Connecton Sharing (ICS)
C. Use ABC.com intranet IP addresses on all virtual servers on CKT.
D. Add and install a Microsoo Loopback Adapter network interface on CKT. Use a new network interface and create a
new virtual network.
Aoswern A, D
Explanatonn
htpn//class10e.com/Microsoo/which-two-actons-should-you-perform-to-achieve-this-task-choose-two-answers/
To confgure all virtual servers on the CKT server to access the internet and comply with company’s security policy,
you should trigger the virtual DHCP server for the external virtual network and run ipconfg/renew command on each
virtual server. Then add and install Microsoo Loopback adapter network interface on CKT.
Create a virtual network using the new interface.
When you confgure the Virtual DHCP server for the external virtual network, a set of IP addresses are assigned to the
virtual servers on CKT server. By running ipconfg/renew command, the new IP addresses will be renewed. The
Microsoo Loopback adapter network interface will ensure that the IP address space used by other networks are not
been used by the virtual servers on CKT server. You create a new virtual network on the new network interface which
will enable you to access internet.
Question 134
You are an administrator at ABC.com. Company has a network of 5 member servers actng as fle servers. It has an
Actve Directory domain.
You have installed a sooware applicaton on the servers. As soon as the applicaton is installed, one of the member
servers shuts down itself. To trace and rectfy the problem, you create a Group Policy Object (GPO).
You need to change the domain security setngs to trace the shutdowns and identfy the cause of it.
________________________________________________________________________________________________
Page No | 159
What should you do to perform this task?
A. Link the GPO to the domain and enable System Events opton
B. Link the GPO to the domain and enable Audit Object Access opton
C. Link the GPO to the Domain Controllers and enable Audit Object Access opton
D. Link the GPO to the Domain Controllers and enable Audit Process tracking opton
E. Perform all of the above actons
Aoswern A
Explanatonn
htpn//msdn.microsoo.com/en-us/library/ms813610.aspx
Audit system events
Computer ConfguratongWindows SetngsgSecurity SetngsgLocal PoliciesgAudit Policy
Descripton Determines whether to audit when a user restarts or shuts down the computer; or an event has occurred
that afects either the system security or the security log.
By default, this value is set to No auditng in the Default Domain Controller Group Policy object (GPO) and in the local
policies of workstatons and servers.
If you defne this policy setng, you can specify whether to audit successes, audit failures, or not to audit the event
type at all. Success audits generate an audit entry when a system event is successfully executed. Failure audits
generate an audit entry when a system event is unsuccessfully atempted. You can select No auditng by defning the
policy setng and unchecking Success and Failure.
Question 135
ABC.com has a network that consists of a single Actve Directory domain. A technician has accidently deleted an
Organizatonal unit (OU) on the domain controller. As an administrator of ABC.com, you are in process of restoring the
OU.
You need to execute a non-authoritatve restore before an authoritatve restore of the OU.
Which backup should you use to perform nonauthoritatve restore of Actve Directory Domain Services (AD DS)
without disturbing other data stored on domain controller?
A. Critcal volume backup

B. Backup of all the volumes
C. Backup of the volume that hosts Operatng system
D. Backup of AD DS folders
E. all of the above
Aoswern A
Explanatonn
Performing a Nonauthoritatve Restore of AD DS
To perform a nonauthoritatve restore of Actve Directory Domain Services (AD DS), you need at least a system state
backup.
To restore a system state backup, use the wbadmin start systemstaterecovery command. The procedure in this topic
uses the wbadmin start systemstaterecovery command.
You can also use a critcal-volume backup to perform a nonauthoritatve restore, or a full server backup if you do not
have a system state or critcal-volume backup. A full server backup is generally larger than a critcal-volume backup or
system state backup. Restoring a full server backup not only rolls back data in AD DS to the tme of backup, but it also
________________________________________________________________________________________________
Page No | 160
rolls back all data in other volumes. Rolling back this additonal data is not necessary to achieve nonauthoritatve
restore of AD DS. To restore a critcal-volume backup or full server backup, use the wbadmin start recovery command.
Question 136
ABC.com has a network that consists of a single Actve Directory domain.Windows Server 2008 is installed on all
domain controllers in the network.
You are instructed to capture all replicaton errors from all domain controllers to a central locaton.
What should you do to achieve this task?
A. Initate the Actve Directory Diagnostcs data collector set

B. Set event log subscriptons and confgure it
C. Initate the System Performance data collector set
D. Create a new capture in the Network Monitor
Aoswern B
Explanatonn
Event Subscriptons
Event Viewer enables you to view events on a single remote computer. However, troubleshootng an issue might
require you to examine a set of events stored in multple logs on multple computers.
Windows Vista includes the ability to collect copies of events from multple remote computers and store them locally.
To specify which events to collect, you create an event subscripton. Among other details, the subscripton specifes
exactly which events will be collected and in which log they will be stored locally. Once a subscripton is actve and
events are being collected, you can view and manipulate these forwarded events as you would any other locally
stored events.
Using the event collectng feature requires that you confgure both the forwarding and the collectng computers.
The functonality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector
(Wecsvc) service. Both of these services must be running on computers partcipatng in the forwarding and collectng
process.
Replicaton Issues
Question 137
Company has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers. Client
computers running Windows XP and Windows Vist
a. All domain controllers are running Windows server 2008.
You need to deploy Actve Directory Rights Management System (AD RMS) to secure all documents, spreadsheets and
to provide user authentcaton.
What do you need to confgure, in order to complete the deployment of AD RMS?
________________________________________________________________________________________________
Page No | 161
A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company _DC1
B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install
AD RMS on domain controller Company _DC1
C. Upgrade all client computers to Windows Vista. Install AD RMS on Company _SRV5
D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install
AD RMS on domain controller Company _SRV5
Aoswern D
Explanatonn
AD RMS Client Requirements
Windows AD RMS Client
Windows 7, all editons
Windows Server 2008 R2, all editons except Core Editons
Windows Vista, all editons
Windows Server 2008, all editons except Core Editons
Windows XP SP3 32-bit Editon
Windows XP SP3 64-bit Editon
Windows Server 2003 with SP1 32-bit Editon
Windows Server 2003 with SP1 64-bit Editon
Windows Server 2003 for Itanium-based systems with SP1
Windows Server 2003 R2 32-bit Editon
Windows Server 2003 R2 64-bit Editon
Windows Server 2003 R2 for Itanium-based systems
Windows Small Business Server 2003 32-bit Editon
Windows Server 2000 SP4 32-bit Editon
AD RMS Prerequisites
Before you install AD RMS
Before you install Actve Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 for the frst
tme, there are several requirements that must be met.
Install the AD RMS server as a member server in the same Actve Directory Domain Services (AD DS) forest as the user
accounts that will be using rights-protected content.
Question 138
You are formulatng the backup strategy for Actve Directory Lightweight Directory Services (AD LDS) to ensure that
data and log fles are backed up regularly. This will also ensure the contnued availability of data to applicatons and
users in the event of a system failure.
Because you have limited media resources, you decided to backup only specifc ADLDS instance instead of taking
backup of the entre volume.
What should you do to accomplish this task?
A. Use Windows Server backup utlity and enable checkbox to take only backup of database and log fles of AD LDS
B. Use Dsdbutl.exe tool to create installaton media that corresponds only to the ADLDS instance
C. Move AD LDS database and log fles on a separate volume and use windows server backup utlity
D. None of the above
________________________________________________________________________________________________
Page No | 162
Aoswern B
Explanatonn
Referencen
Backing up AD LDS instance data with Dsdbutl.exe
With the Dsdbutl.exe tool, you can create installaton media that corresponds only to the AD LDS instance that you
want to back up, as opposed to backing up entre volumes that contain the AD LDS instance.
Question 139
You had installed Windows Server 2008 on a computer and confgured it as a fle server, named FileSrv1. The FileSrv1
computer contains four hard disks, which are confgured as basic disks.
For fault tolerance and performance you want to confgure Redundant Array of Independent Disks (RAID) 0 +1 on
FileSrv1.
Which utlity you will use to convert basic disks to dynamic disks on FileSrv1?
A. Diskpart.exe
B. Chkdsk.exe
C. Fsutl.exe
D. Fdisk.exe
Aoswern A
Explanatonn
Referencen
[Diskpart] Convert dynamic Converts a basic disk into a dynamic disk.
Question 140
ABC.com has a domain controller that runs Windows Server 2008. The ABC.com network boasts 40 Windows Vista
client machines.
As an administrator at ABC.com, you want to deploy Actve Directory Certfcate service (AD CS) to authorize the
network users by issuing digital certfcates.
What should you do to manage certfcate setngs on all machines in a domain from one main locaton?
A. Confgure Enterprise CA certfcate setngs

B. Confgure Enterprise trust certfcate setngs
C. Confgure Advance CA certfcate setngs
D. Confgure Group Policy certfcate setngs
E. All of the above
Aoswern D
Explanatonn
Referencen
AD CSn Policy Setngs
________________________________________________________________________________________________
Page No | 163
In the Windows Server® 2008 operatng system, certfcate-related Group Policy setngs enable administrators to
manage certfcate validaton setngs according to the security needs of the organizaton.
What are certfcate setngs in Group Policy?
Certfcate setngs in Group Policy enable administrators to manage the certfcate setngs on all the computers in
the domain from a central locaton.
Question 141
A domain controller named DC12 runs critcal services. Restructuring of the organizatonal unit hierarchy for the
domain has been completed and unnecessary objects have been deleted.
You need to perform an ofine defragmentaton of the Actve Directory database on DC12. You also need to ensure
that the critcal services remain online.
What should you do?
A. Start the domain controller in the Directory Services restore mode. Run the Defrag utlity.
B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutl utlity.
C. Stop the Domain Controller service in the Services (local) Microsoo Management Console (MMC). Run the Defrag
utlity.
D. Stop the Domain Controller service in the Services (local) Microsoo Management Console (MMC). Run the Ntdsutl
utlity.
Aoswern D
Explanatonn
Performing ofine defragmentaton of the Actve Directory database
Actve Directory automatcally performs online defragmentaton of the database at certain intervals (by default, every
12 hours) as part of the Garbage Collecton process. Online defragmentaton does not reduce the size of the database
fle (Ntds.dit), but instead optmizes data storage in the database and reclaims space in the directory for new objects.
Performing an ofine defragmentaton creates a new, compacted version of the database fle. Depending on how
fragmented the original database fle was, the new fle may be considerably smaller.
htpn//rickardnobel.se/when-to-ofine-defrag-ntds-dit/
When to ofine defrag the Actve Directory database
This artcle will show a simple way to determine if there is any gain to do an ofine defrag of your Actve Directory
database.
During normal operatons the Actve Directory service will do an online defragmentaton of the Actve Directory
database (always called ntds.dit) each 12 hours. This online defrag will arrange all pages in an optmal way internal in
the ntds.dit, however the fle size will never shrink, sometmes even grow. During the years of operatons of the
ntds.dit the fle size will increase as user accounts, organizatonal units, groups, computers, dns records and more are
added and later removed. When deleted objects are fnally removed (aoer the so called tombstone lifetme, typically
180 days) the space they have occupied will unfortunately not decrease.
The actual size of the ntds.dit could be easily studied through Explorer, as above. The size of the database is in this
example around 575 MB. Note that Actve Directory does not use a fle level replicaton, so the fle could be of various
________________________________________________________________________________________________
Page No | 164
size on each Domain Controller in your domain. If wanted there is the possibility to take the AD services ofine on one
DC and then do an ofine defragmentaton of ntds.dit. This would both arrange all pages the best possible way, and
also to reclaim any empty space inside the database, which could make backup and restore faster and also possible
increase AD performance.
The ofine defrag means “ofine” from an Actve Directory perspectve. This means that on Windows 2000 and 2003
you will have to reboot into Directory Services Restore Mode, and on Windows 2008 and R2 you will have to stop the
AD services by typing “net stop ntds” in the command prompt. So in Windows 2008 and later it is far easier, but stll
something that you do not want to do if not necessary.
There are numerous artcle on the web how to do the actual ofine defrag, so we will not cover that part here.
However, we will see the perhaps most important informaton and that is to be able to see in advance the amount of
space that we could reclaim. With this informaton we could make our decision based on fact and not guesses. This
has been possible since at least Windows 2003, but is not well documented.
To enable this you will have to alter a registry value on the Domain Controller you will investgate the reclaimable
MBs. Use regedit and fnd the following keyn
HKEY_LOCAL_MACHINE g System g CurrentControlSet g Services g NTDS g Diagnostcs
Change the value “6 Garbage Collecton” from 0 to 1. This will increase the logging from the Garbage Collecton
process which runs together with the online defrag. So now wait for the next online defragmentaton which runs
twice a day and then study the Directory Service log in Event Viewer.
Search for event id 1646, usually together with event ids 700 and 701.
________________________________________________________________________________________________
Page No | 165
Here we can note the amount of space that would be reclaimed from an ofine defrag. The top value is the number of
MB that the ofine defrag would recover, here almost half the database size. If the amount is negligible then do not
worry about this any more, and if there is a considerable amount of MBs reported then you could plan to do the
ofine defrag.
Note that both the change of registry key and the actual ofine defrag has to be done on each domain controller,
since neither does replicate.
As noted above we will not look at the commands for the ofine defragmentaton here, since they are well
documented already.
Question 142
Your company has a server that runs Windows Server 2008 R2. The server runs an instance of ActveDirectory
Lightweight Directory Services (AD LDS).
You need to replicate the AD LDS instance on a test computer that is located on the network.
What should you do?
A. Run the repadmin /kcc <servernameN command on the test computer.

B. Create a naming context by running the Dsmgmt command on the test computer.
C. Create a new directory partton by running the Dsmgmt command on the test computer.
D. Create and install a replica by running the AD LDS Setup wizard on the test computer.
Aoswern D
Explanatonn
Referencen
Create a Replica AD LDS Instance
To create an AD LDS instance and join it to an existng confguraton set, use the Actve Directory Lightweight
Directory Services Set Wizard to create a replica AD LDS instance.
To create a replica AD LDS instance
1. Click Start, point to Administratve Tools, and then click Actve Directory Lightweight Directory Services Setup
Wizard.
2. On the Welcome to the Actve Directory Lightweight Directory Services Setup Wizard page, click Next.
3. On the Setup Optons page, click A replica of an existng instance, and then click Next.
4. Finish creatng the new instance by following the wizard instructons.
Question 143
Your network contains an Actve Directory domain. The relevant servers in the domain are confgured as shown in the
following table.
________________________________________________________________________________________________
Page No | 166
You need to ensure that all device certfcate requests use the MD5 hash algorithm.
What should you do?
A. On Server2, run the Certutl tool.

B. On Server1, update the CEP Encrypton certfcate template.
C. On Server1, update the Exchange Enrollment Agent (Ofine Request) template.
D. On Server3, set the value of the HKLMgSoowaregMicrosoogCryptographygMSCEPg HashAlgorithmgHashAlgorithm
registry key.
Aoswern D
Explanatonn
Referencen
htpn//technet.microsoo.com/en-us/library/f955642.aspx
Managing Network Device Enrollment Service
Confguring NDES
NDES stores its confguraton in the registry key HKEY_LOCAL_MACHINEgSoowaregMicrosoogCryptography
gMSCEP.
To change NDES confguraton, edit the NDES registry setngs by using Regedit.exe or Reg.exe, then restart IIS. If
necessary, create the key and value using the names and data types described in the following table.
Key name
HashAlgorithm g HashAlgorithm
Value Data Type
String
Default value
SHA1
Descripton
Accepted values are SHA1 and MD5.
Question 144
Your network contains an Actve Directory domain.

You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certfcaton
authority (CA).
You have a client computer named Computer1 that runs Windows 7.
You enable automatc certfcate enrollment for all client computers that run Windows 7.
You need to verify that the Windows 7 client computers can automatcally enroll for certfcates.
Which command should you run on Computer1?
A. certreq.exe retrieve
B. certreq.exe submit
C. certutl.exe getkey
D. certutl.exe pulse
________________________________________________________________________________________________
Page No | 167
Aoswern D
Explanatonn
htpn//social.technet.microsoo.com/Forums/en-US/winserversecurity/thread/795f209d-b056-4de8-8dcf-
7c7f80529aab/
What does "certutl -pulse" command do?
Certutl -pulse will initate autoenrollment requests.
It is equivalent to doing the following in the CertMgr.msc console (in Vista and Windows 7)
Right-click Certfcates , point to All Tasks , click Automatcally Enroll and Retrieve Certfcates.
The command does require that
- any autoenrollment GPO setngs have already been applied to the target user or computer
- a certfcate template enables Read, Enroll and Autoenroll permissions for the user or a global or universal group
containing the user
- The group membership is recognized in the users Token (they have logged on aoer the membership was added
htpn//technet.microsoo.com/library/cc732443.aspx
Certutl
Certutl.exe is a command-line program that is installed as part of Certfcate Services. You can use Certutl.exe to
dump and display certfcaton authority (CA) confguraton informaton, confgure Certfcate Services, backup and
restore CA components, and verify certfcates, key pairs, and certfcate chains.
When certutl is run on a certfcaton authority without additonal parameters, it displays the current certfcaton
authority confguraton. When cerutl is run on a non-certfcaton authority, the command defaults to running the
certutl -dump verb.
Verbs
The following table describes the verbs that can be used with the certutl command.
pulse
Pulse auto enrollment events
Question 145
Your network contains two Actve Directory forests named contoso.com and adatum.com. The functonal level of both
forests is Windows Server 2008 R2. Each forest contains one domain. Actve Directory Certfcate Services (AD CS) is
confgured in the contoso.com forest to allow users from both forests to automatcally enroll user certfcates.
You need to ensure that all users in the adatum.com forest have a user certfcate from the contoso.com certfcaton
authority (CA).
What should you confgure in the adatum.com domain?
A. From the Default Domain Controllers Policy, modify the Enterprise Trust setngs.
B. From the Default Domain Controllers Policy, modify the Trusted Publishers setngs.
C. From the Default Domain Policy, modify the Certfcate Enrollment policy.
D. From the Default Domain Policy, modify the Trusted Root Certfcaton Authority setngs.
Aoswern C
Explanatonn
Manage Certfcate Enrollment Policy by Using Group Policy
Confguring certfcate enrollment policy setngs by using Group Policy
Question 146
________________________________________________________________________________________________
Page No | 168
You have a server named Server1 that has the following Actve Directory Certfcate Services (AD CS) role services
installedn
Enterprise root certfcaton authority (CA)
Certfcate Enrollment Web Service
Certfcate Enrollment Policy Web Service
You create a new certfcate template.
External users report that the new template is unavailable when they request a new certfcate.
You verify that all other templates are available to the external users.
You need to ensure that the external users can request certfcates by using the new template.
What should you do on Server1?
A. Run iisreset.exe /restart.

B. Run gpupdate.exe /force.
C. Run certutl.exe dspublish.
D. Restart the Actve Directory Certfcate Services service.
Aoswern A
Explanatonn
htpn//social.technet.microsoo.com/wiki/contents/artcles/7734.certfcate-enrollment-web-services-in-
actvedirectory-certfcate-services.aspx
Certfcate Enrollment Web Services in Actve Directory Certfcate Services
Troubleshootng
Managing Certfcate Enrollment Policy Web Service Polling for Certfcate Templates
Certfcate Templates are stored in AD DS, and the Certfcate Enrollment Policy Web Service polls the AD DS
periodically for template changes. Changes made to templates are not refected in real tme on the Certfcate
Enrollment Policy Web Service. When administrators duplicate or modify templates, there can be a lag between the
tme at which the change is made and when the new templates are available. By default, the Certfcate Enrollment
Policy Web Service polls the directory every 30 minutes for changes. The Certfcate Enrollment Policy Web Service
can be manually forced to refresh its template cache by recycling IIS using the command iisreset.
Question 147
Your network contains an enterprise root certfcaton authority (CA).

You need to ensure that a certfcate issued by the CA is valid.
What should you do?
A. Run syskey.exe and use the Update opton.

B. Run sigverif.exe and use the Advanced opton.
C. Run certutl.exe and specify the -verify parameter.
D. Run certreq.exe and specify the -retrieve parameter.
Aoswern C
Explanatonn
htpn//blogs.technet.com/b/pki/archive/2006/11/30/basic-crl-checking-with-certutl.aspx
Basic CRL checking with certutl
Certutl.exe is the command-line tool to verify certfcates and CRLs. To get reliable verifcaton results, you must use
certutl.exe because the Certfcate MMC Snap-In does not verify the CRL of certfcates. A certfcate might be
wrongly shown in the MMC snap-in as valid but once you verify it with certutl.exe you will see that the certfcate is
________________________________________________________________________________________________
Page No | 169
actually invalid.
Question 148
You have an enterprise subordinate certfcaton authority (CA). The CA issues smart card logon certfcates.
Users are required to log on to the domain by using a smart card.
Your company's corporate security policy states that when an employee resigns, his ability to log on to the network
must be immediately revoked.
An employee resigns.
You need to immediately prevent the employee from logging on to the domain.
What should you do?
A. Revoke the employee's smart card certfcate.

B. Disable the employee's Actve Directory account.
C. Publish a new delta certfcate revocaton list (CRL).
D. Reset the password for the employee's Actve Directory account.
Aoswern B
Explanatonn
htpn//blog.imanami.com/blog/bid/68864/Delete-or-disable-an-Actve-Directory-account-One-best-practce
Delete or disable an Actve Directory account? One best practce.
I was recently talking to a customer about the best practce for deprovisioning a terminated employee in Actve
Directory. Delete or disable? Microsoo doesn't give the clearest directon on this but common sense does.
The case for deletng an account is that, BOOM, no more access. No ifs ands or buts, if there is no account it cannot do
anything. The case for disabling an account is that all of the SIDs are stll atached to the account and you can bring it
back and get the same access right away.
And then the reason for MSFT's lack of directon came into play. Individual needs of the customer. This partcular
customer is a public school system and they ooen lay of an employee and have to re-hire them the next month or
semester. They need that account back.
Question 149
:OTSPOT
Your network contains an Actve Directory domain named contoso.com.

You need to view which password setng object is applied to a user.
Which flter opton in Atribute Editor should you enable? To answer, select the appropriate flter opton in the answer
area.
________________________________________________________________________________________________
Page No | 170
Aoswern <map><m
x1="19" x2="148"
y1="155" y2="177"
ss="0" a="0"
/></map>
Explanatonn
Referencen
View a Resultant PSO for a User or a Global Security Group
You can view the resultant Password Setngs object (PSO) for a user objectn
Viewing the resultant PSO for users using the Actve Directory module for Windows PowerShell
Viewing the resultant PSO for users using the Windows interface
Viewing the resultant PSO for users from the command line using dsget
To view the resultant PSO for a user using Windows interface
1. Open Actve Directory Users and Computers.
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, click Users.
4. In the details pane, right-click the user account for which you want to view the resultant PSO, and then click
Propertes.
5. Click the Atribute Editor tab, and then click Filter.
6. Ensure that the Show atributes/Optonal check box is selected.
7. Ensure that the Show read-only atributes/Constructed check box is selected.
8. Locate the value of the msDS-ResultantPSO atribute in the Atributes list.
Question 150
________________________________________________________________________________________________
Page No | 171
:OTSPOT
Your network contains two Actve Directory forests named contoso.com and fabrikam.com. A two-way forest trust
exists between the forests. Selectve authentcaton is enabled on the trust. Fabrikam.com contains a server named
Server1.
You assign ContosogDomain Users the Manage documents permission and the Print permission to a shared printer on
Server1.
You discover that users from contoso.com cannot access the shared printer on Server1.
You need to ensure that the contoso.com users can access the shared printer on Server1.
Which permission should you assign to ContosogDomain Users.
To answer, select the appropriate permission in the answer area.
Aoswern <map><m
x1="31" x2="244"
y1="238" y2="257"
ss="0" a="0"
/></map>
________________________________________________________________________________________________
Page No | 172
Explanatonn
Referencen
Grant the Allowed to Authentcate Permission on Computers in the Trustng Domain or Forest
For users in a trusted Windows Server 2008 or Windows Server 2003 domain or forest to be able to access resources
in a trustng Windows Server 2008 or Windows Server 2003 domain or forest where the trust authentcaton setng
has been set to selectve authentcaton, each user must be explicitly granted the Allowed to Authentcate permission
on the security descriptor of the computer objects (resource computers) that reside in the trustng domain or forest.
Question 151
You add an Online Responder to an Online Responder Array.
You need to ensure that the new Online Responder resolves synchronizaton conficts for all members of the Array.
What should you do?
A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1.
B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32.
C. From the Online Responder Management Console, select the new Online Responder, and then select Set as Array
Controller.
D. From the Online Responder Management Console, select the new Online Responder, and then selectSynchronize
Members with Array Controller.
Aoswern C
________________________________________________________________________________________________
Page No | 173
Explanatonn
Reference 1n
Managing Array members
For each Array, one member is defned as the Array controller; the role of the Array controller is to help resolve
synchronizaton conficts and to apply updated revocaton confguraton informaton to all Array members.
Reference 2n
To designate an Array controller
1. Open the Online Responder snap-in.
2. In the console tree, click Array Confguraton Members.
3. Select the Online Responder that you want to designate as the Array controller.
4. In the Actons pane, click Set as Array Controller.
Question 152
Your network contains a server that runs Windows Server 2008 R2. The server is confgured as an enterprise root
certfcaton authority (CA).
You have a Web site that uses x.509 certfcates for authentcaton. The Web site is confgured to use a manyto-one
mapping.
You revoke a certfcate issued to an external partner. You need to prevent the external partner from accessing the
Web site.
What should you do?
A. Run certutl.exe -crl.

B. Run certutl.exe -delkey.
C. From Actve Directory Users and Computers, modify the membership of the IIS_IUSRS group.
D. From Actve Directory Users and Computers, modify the Contact object for the external partner.
Aoswern A
Explanatonn
htpn//technet.microsoo.com/library/cc732443.aspx
Certutl
Certutl.exe is a command-line program that is installed as part of Certfcate Services. You can use Certutl.exe to
dump and display certfcaton authority (CA) confguraton informaton, confgure Certfcate Services, backup and
restore CA components, and verify certfcates, key pairs, and certfcate chains.
Verbs -CRL
Publish new certfcate revocaton lists (CRLs) [or only delta CRLs]
Requestng Ofine Domain Controller Certfcates (Advanced Certfcate Enrollment and Management)
If you have determined the keycontainername for a specifc certfcate, you can delete the key container with the
following command.
certutl.exe -delkey <KeyContainerNameN
The -delkey opton is supported only with the Windows Server 2003 version of certutl. On Windows 2000, you must
add a prefx to the commands. The prefx is the path you have copied the Windows Server 2003 version of certutl to.
In this white paper, the %HOMEDRIVE%gW2K3AdmPak path is used.
Question 153
________________________________________________________________________________________________
Page No | 174
Your company has a main ofce and fve branch ofces that are connected by WAN links. The company has an Actve
Directory domain named contoso.com.
Each branch ofce has a member server confgured as a DNS server. All branch ofce DNS servers host a secondary
zone for contoso.com.
You need to confgure the contoso.com zone to resolve client queries for at least four days in the event that a WAN
link fails.
What should you do?
A. Confgure the Expires aoer opton for the contoso.com zone to 4 days.
B. Confgure the Retry interval opton for the contoso.com zone to 4 days.
C. Confgure the Refresh interval opton for the contoso.com zone to 4 days.
D. Confgure the Minimum (default) TTL opton for the contoso.com zone to 4 days.
Aoswern A
Explanatonn
Adjust the Expire Interval for a Zone
You can use this procedure to adjust the expire interval for a Domain Name System (DNS) zone. Other DNS servers
that are confgured to load and host the zone use the expire interval to determine when zone data expires if it is not
successfully transferred. By default, the expire interval for each zone is set to one day.
You can complete this procedure using either the DNS Manager snap-in or the dnscmd command-line tool.
To adjust the expire interval for a zone using the Windows interface
1. Open DNS Manager. To open DNS Manager, click Start, point to Administratve Tools, and then click DNS.
2. In the console tree, right-click the applicable zone, and then click Propertes.
3. On the General tab, verify that the zone type is either Primary or Actve Directory-integrated.
4. Click the Start of Authority (SOA) tab.
5. In Expires aoer, click a tme period in minutes, hours, or days, and then type a number in the text box.
6. Click OK to save the adjusted interval.
Question 154
Your company has an Actve Directory domain named contoso.com. FS1 is a member server in contoso.com.
You add a second network interface card, NIC2, to FS1 and connect NIC2 to a subnet that contains computers in a DNS
domain named fabrikam.com. Fabrikam.com has a DHCP server and a DNS server.
Users in fabrikam.com are unable to resolve FS1 by using DNS.
You need to ensure that FS1 has an A record in the fabrikam.com DNS zone.
A. Confgure the DHCP server in fabrikam.com with the scope opton 044 WINS/NBNS Servers.
B. Confgure the DHCP server in fabrikam.com by setng the scope opton 015 DNS Domain Name to the domain
name fabrikam.com.
C. Confgure NIC2 by confguring the Append these DNS sufxes (in order)n opton.
D. Confgure NIC2 by confguring the Use this connecton's DNS sufx in DNS registraton opton.
E. Confgure the DHCP server in contoso.com by setng the scope opton 015 DNS Domain Name to the domain name
fabrikam.com.
Aoswern B, D
Question 155
________________________________________________________________________________________________
Page No | 175
Your company Datum Corporaton, has a single Actve Directory domain named intranet.adatum.com. The domain has
two domain controllers that run Windows Server 2008 R2 operatng system. The domain controllers also run DNS
servers.
The intranet.adatum.com DNS zone is confgured as an Actve Directory-integrated zone with the Dynamic updates
setng confgured to Secure only.
A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated only by domain
controllers or member servers.
You need to confgure the intranet.adatum.com zone to meet the new security policy requirement.
A. Remove the Authentcated Users account from the Security tab of the intranet.adatum.com DNS zone propertes.
B. Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNS zone
propertes.
C. Assign the server computer accounts the Allow on Write All Propertes permission on the Security tab of the
intranet.adatum.com DNS zone propertes.
D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tab of the
intranet.adatum.com DNS zone propertes.
Aoswern A, D
Explanatonn
htpn//www.advicehow.com/managing-dns-dynamic-updates-in-windows-server-2008-r2/
Managing DNS Dynamic Updates in Windows Server 2008 R2
What Is DNS Dynamic Update?
When a DNS server is installed in a network, during the installaton administrators can confgure it to accept dynamic
updates of client records. Dynamic updates means that DNS client computers can automatcally register their names
along with their IP addresses in the DNS server. When this happens DNS server automatcally creates a Host (A) record
for that client computer that contains hostname of the client and its associated IP address.
Also, during the installaton of DNS server administrators can choose an opton according to which DNS server should
not automatcally update its records and in this conditon administrators must manually create Host (A) records in the
DNS database.
htpn//www.windowsecurity.com/artcles-tutorials/windows_server_2008_security/DNS-Security-Part2.html
DNS Security (Part 2)n DNS Security Steps Prior to Deploying DNSSEC
In this artcle, then, we’ll take a look at the details of the following preliminary steps you can take to help secure your
Windows DNS infrastructuren
Decide who can resolve Internet host names
Don’t co-locate internal and external zones
Lock down the DNS cache
Enable recursion only where needed
Restrict DNS servers to listen on specifc addresses
Consider using a private root hints fle
Randomize your DNS source ports
Be aware of the Global Query Block List
Limit zone transfers
Take advantage of Actve Directory integrated zone security
..
Take advantage of Actve Directory integrated zone security
Actve Directory integrated zones enable you to secure the registraton of resource records when dynamic name
registraton is enabled. Members of the Actve Directory domain can register their resource records dynamically while
non-domain members will be unable to register their names. You can also use discretonary access control lists
________________________________________________________________________________________________
Page No | 176
(DACLs) to control which computers are able to register or change their addressing informaton.
The fgure below shows how you confgure secure dynamic updates.
htpn//www.tutorialspoint.com/shortutorials/confguring-dns-server-for-secure-only-dynamic-updates/
Confguring DNS Server for Secure Only Dynamic Updates
Question 156
Your company has two Actve Directory forests as shown in the following table.
The forests are connected by using a two-way forest trust. Each trust directon is confgured with forest-wide
authentcaton. The new security policy of the company prohibits users from the eng.fabrikam.com domain to access
resources in the contoso.com domain.
You need to confgure the forest trust to meet the new security policy requirement.
What should you do?
A. Delete the outgoing forest trust in the contoso.com domain.

B. Delete the incoming forest trust in the contoso.com domain.
C. Change the propertes of the existng incoming forest trust in the contoso.com domain from Forest-wide
authentcaton to Selectve authentcaton.
________________________________________________________________________________________________
Page No | 177
D. Change the propertes of the existng outgoing forest trust in the contoso.com domain to exclude *.eng.
fabrikam.com from the Name Sufx Routng trust propertes.
Aoswern D
Explanatonn
How Domain and Forest Trusts Work
Actve Directory provides security across multple domains or forests through domain and forest trust relatonships.
Before authentcaton can occur across trusts, Windows must frst determine whether the domain being requested by
a user, computer or service has a trust relatonship with the logon domain of the requestng account. To make this
determinaton, the Windows security system computes a trust path between the domain controller for the server that
receives the request and a domain controller in the domain of the requestng account.
..
Trust Flow
The fow of secured communicatons over trusts determines the elastcity of a trustn how you create or confgure a
trust determines how far the communicaton extends within a forest or across forests. The fow of communicaton
over trusts is determined by the directon of the trust (one-way or two-way) and the transitvity of the trust (transitve
or nontransitve).
One-Way and Two-Way Trusts
Trust relatonships that are established to enable access to resources can be either one-way or two-way. A one-way
trust is a unidirectonal authentcaton path created between two domains. In a one-way trust between Domain A and
Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources
in Domain A. Some one-way trusts can be either nontransitve or transitve depending on the type of trust being
created.
All domain trusts in an Actve Directory forest are two-way, transitve trusts. When a new child domain is created, a
two-way, transitve trust is automatcally created between the new child domain and the parent domain. In a two-way
trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentcaton requests can be
passed between the two domains in both directons. Some two-way relatonships can be nontransitve or transitve
depending on the type of trust being created. An Actve Directory domain can establish a one-way or two-way trust
withn
Windows Server 2003 domains in the same forest.
Windows Server 2003 domains in a diferent forest.
Windows NT 4.0 domains.
Kerberos V5 realms.
Transitve and Nontransitve Trusts
Transitvity determines whether a trust can be extended outside of the two domains with which it was formed. A
transitve trust can be used to extend trust relatonships with other domains; a nontransitve trust can be used to deny
trust relatonships with other domains.
Each tme you create a new domain in a forest, a two-way, transitve trust relatonship is automatcally created
between the new domain and its parent domain. If child domains are added to the new domain, the trust path fows
upward through the domain hierarchy extending the inital trust path created between the new domain and its parent
domain. Transitve trust relatonships fow upward through a domain tree as it is formed, creatng transitve trusts
between all domains in the domain tree.
Authentcaton requests follow these trust paths, so accounts from any domain in the forest can be authentcated by
any other domain in the forest. With a single logon process, accounts with the proper permissions can access
resources in any domain in the forest. The following fgure shows that all domains in Tree 1 and Tree 2 have transitve
trust relatonships by default. As a result, users in Tree 1 can access resources in domains in Tree 2 and users in Tree 1
can access resources in Tree 2, when the proper permissions are assigned at the resource.
Default Transitve Trust Relatonships
________________________________________________________________________________________________
Page No | 178
In additon to the default transitve trusts established in a Windows Server 2003 forest, by using the New Trust Wizard
you can manually create the following transitve trusts.
Shortcut trust. A transitve trust between domains in the same domain tree or forest that is used to shorten the trust
path in a large and complex domain tree or forest.
Forest trust. A transitve trust between one forest root domain and another forest root domain.
Realm trust. A transitve trust between an Actve Directory domain and a Kerberos V5 realm.
A nontransitve trust is restricted to the two domains in the trust relatonship and does not fow to any other domains
in the forest. A nontransitve trust can be a two-way trust or a one-way trust.
Nontransitve trusts are one-way by default, although you can also create a two-way relatonship by creatng two one-
way trusts. Nontransitve domain trusts are the only form of trust relatonship possible betweenn
A Windows Server 2003 domain and a Windows NT domain
A Windows Server 2003 domain in one forest and a domain in another forest (when not joined by a forest trust)
By using the New Trust Wizard, you can manually create the following nontransitve trustsn
External trust. A nontransitve trust created between a Windows Server 2003 domain and a Windows
NT, Windows 2000, or Windows Server 2003 domain in another forest. When you upgrade a Windows NT domain to a
Windows Server 2003 domain, all existng Windows NT trusts are preserved intact. All trust relatonships between
Windows Server 2003 domains and Windows NT domains are nontransitve.
Realm trust
A nontransitve trust between an Actve Directory domain and a Kerberos V5 realm
Question 157
Your company has an Actve Directory Rights Management Services (AD RMS) server. Users have Windows Vista
computers. An Actve Directory domain is confgured at the Windows Server 2003 functonal level.
You need to confgure AD RMS so that users are able to protect their documents.
________________________________________________________________________________________________
Page No | 179
What should you do?
A. Install the AD RMS client 2.0 on each client computer.

B. Add the RMS service account to the local administrators group on the AD RMS server.
C. Establish an e-mail account in Actve Directory Domain Services (AD DS) for each RMS user.
D. Upgrade the Actve Directory domain to the functonal level of Windows Server 2008.
Aoswern C
Explanatonn
AD RMS Step-by-Step Guide
For each user account and group that you confgure with AD RMS, you need to add an e-mail address and then assign
the users to groups.
Question 158
Your company has an Actve Directory domain. All consultants belong to a global group named TempWorkers.
The TempWorkers group is not nested in any other groups.
You move the computer objects of three fle servers to a new organizatonal unit named SecureServers. These fle
servers contain only confdental data in shared folders.
You need to prevent members of the TempWorkers group from accessing the confdental data on the fle servers.
You must achieve this goal without afectng access to other domain resources.
What should you do?
A. Create a new GPO and link it to the SecureServers organizatonal unit. Assign the Deny access to this computer
from the network user right to the TempWorkers global group.
B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the network user right to
the TempWorkers global group.
C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global
group.
D. Create a new GPO and link it to the SecureServers organizatonal unit. Assign the Deny log on locally user right to
the TempWorkers global group.
Aoswern A
Explanatonn
Personal commentn
Basically, you need to create a GPO for the Secure Servers and deny the TempWorkers access to the shared folders
(implies access from the network).
"Deny log on locally" makes no sense in this instance, because we are refering to shared folder and supposedly
physical access to servers should be highly restricted.
And best practces recommend that you link GPOs at the domain level only for domain wide purposes.
Question 159
Your network consists of a single Actve Directory domain. User accounts for engineering department are located in
an OU named Engineering.
You need to create a password policy for the engineering department that is diferent from your domain password
policy.
________________________________________________________________________________________________
Page No | 180
What should you do?
A. Create a new GPO. Link the GPO to the Engineering OU.

B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the Engineering OU.
C. Create a global security group and add all the user accounts for the engineering department to the group. Create a
new Password Policy Object (PSO) and apply it to the group.
D. Create a domain local security group and add all the user accounts for the engineering department to the group.
From the Actve Directory Users and Computer console, select the group and run the Delegaton of Control Wizard.
Aoswern C
Explanatonn
htpn//social.technet.microsoo.com/Forums/en-US/winserverGP/thread/b3d11cd4-897b-4da1-bae1-
f1b69441175b
Complex Password Policy on an OU
Qn Is it possible to apply a complex password policy to an OU instead of entre domain (Windows 2008 R2). I'm
under the impression it can only be applied to either a security group or an individual user.
A1n
I beleive you are referering to PSC and PSO.
The Password Setngs Container (PSC) object class is created by default under the System container in the
domain. It stores the Password Setngs objects (PSOs) for that domain. You cannot rename, move, or delete
this container.
PSOs cannot be applied to organizatonal units (OUs) directly. If your users are organized into OUs,
consider creatng global security groups that contain the users from these OUs and then applying the
newly defned fne-grained password and account lockout policies to them. If you move a user from
one OU to another, you must update user memberships in the corresponding global security groups.
Groups ofer beter fexibility for managing various sets of users than OUs.
For the fne-grained password and account lockout policies to functon properly in a given domain, the domain
functonal level of that domain must be set to Windows Server 2008.
Fine-grained password policies apply only to user objects and global security groups. They cannot be applied
to Computer objects.
For more info, please see below artclen
htpn//technet.microsoo.com/en-us/library/cc770842(WS.10).aspx
A2n
Here is a link to how you setup fnd grain password policy... However you can only apply it to a Security Group.
htpn//www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fne-grain-password-policy/ A3n
In additon, for fne grated password policy ; you need DLF 2008 and you can apply that policy on a single user and
only global security group.
Find the step by step info.
htpn//social.technet.microsoo.com/wiki/contents/artcles/4627.aspx
htpn//www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fne-grain-password-policy/
Tutorialn How to setup Default and Fine Grain Password Policy
One strange thing that stll seems to catch a lot of people out is that you can only have one password policy for your
user per domain. This catches a lot of people out as they apply a password policy to an OU in their AD thinking that it
will apply to all the users in that OU…. but it doesn’t. Microsoo did introduce Fine Grain Password Policies with
Windows Server 2008 however this can only be set based on a security group membership and you stll need to use
the very un-user-friendly ADSI edit tool to make the changes to the policy.
Below I will go through how you change the default domain password policy and how you then apply a fne grain
password policy to your environment. The Good news is setng the default password policy for a domain is really
easy. The Bad news is that setng a fne grain password policy is really hard.
________________________________________________________________________________________________
Page No | 181
How to set a Default Domain Password Policy

Step 1
Create a new Group Policy Object at the top level of the domain (e.g. “Domain Password Policy”).
Noten I have elected to create a new GPO at the top of the domain in this case as I always try to avoid modifying the
“Default Domain Policy”, see references below.
Referencen
TechNetn Linking GPOs
If you need to modify some of the setngs contained in the Default Domain Policy GPO, it is recommended that you
create a new GPO for this purpose, link it to the domain, and set the Enforce opton.
TechNetn Establishing Group Policy Operatonal Guidelines
Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new
GPO at the domain level and set it to override the default setngs in the default policies.
Step 2
Edit the “Domain Password Policy” GPO and go to Computer ConfguratonsNPoliciesNWindows
SetngsNSecurity SetngsNAccount PolicyNPassword Policy and confgured the password policies setngs to the
confguraton you desire.
Step 3
Once you have confgured the password policy setngs make the “Domain Password Policy” GPO the highest in the
Linked GPO processing order.
TIPn Make sure you inform all your users when you are going to do this as it may trigger them to change their
________________________________________________________________________________________________
Page No | 182
password the next tme they logon.
Done… told you it was easy….

Noten Even if you apply the password policies to the “Domain Controllers” OU it will not modify the domain’s
password policy. As far as I know this is the only excepton to the rule as to how GPO’s apply to objects. As you can see
in the image below the “Minimum password length” in the “Domain Password Policy” GPO is stll applied to the
domain controller even though I have another GPO linking to the “Domain Controllers” OU confguraton the same
setng.
For a beter explanaton as to why the GPO that is linked to the Domain and not the Domain Controllers is used for the
password policy for all users check out Jorge’s Quest for Knowledge! – Why GPOs with Password and Account Lockout
Policy Setngs must be linked to the AD domain object to be afectve on AD domain user accounts
(htpn//blogs.dirteam.com/blogs/jorge/archive/2008/12/16/why-gpos-with-password-and-accountlockout- policy-
setngs-must-be-linked-to-the-ad-domain-object-to-be-afectve-on-ad-domain-useraccounts.aspx)
How to set a Fine Grain Password Policy
Fine Grain Password Policies (FGPP) were introduced as a new feature of Windows Server 2008. Before this the only
way to have diferent password polices for the users in your environment was to have separate domains… OUCH!
Pre-Requisites/Restrictons
You domain must be Windows Server 2008 Natve Mode, this means ALL of your domain controllers must be running
Windows Server 2008 or later. You can check this by selecton the “Raise domain functonal level” on the top of the
domain in Actve Directory Users and Computers.
________________________________________________________________________________________________
Page No | 183
Reference
AD DSn Fine-Grained Password Policies
The domain functonal level must be Windows Server 2008.
The other restricton with this opton is that you can only apply FGPP to users object or users in global security groups
(not computers).
Reference
AD DSn Fine-Grained Password Policies
Fine-grained password policies apply only to user objects … and global security groups.
TIPn If you setup an “Automatc Shadow Group (htpn//policelli.com/blog/archive/2008/01/15/manage-
shadowgroups-
in-windows-server-2008/)” you can apply these password policies to users automatcally to any users located in an
OU.
Creatng a Password Setng Object (PSO)
Step 1
Under Administrator Tools Open ADSI Edit and connect it to a domain and domain controller you want to setup the
new password policy.
Noten If you do not see this opton go to “Turn Windows Features On or Of” and make sure the “AD DS and AD LDS
Tools” are installed. (You will need RSAT also installed if you are on Windows 7).g
Step 2
Double click on the “CN=DomainName” then double click on “CN=System” and then double click on “CN=Password
Setngs Container”.
________________________________________________________________________________________________
Page No | 184
Step 3
Right click on “CN=Password Setngs Container” and then click on “New” then “Object.
Step 4
Click on “Next”
________________________________________________________________________________________________
Page No | 185
Step 5
Type the name of the PSO in the “Value” feld and then click “Next”
Noten With the excepton of the password length the following values are all the same as the default values in the
“Default Domain Policy”.
Step 6
Type in a number that will be the Precedence for this Password Policy then click “Next”.
Noten This is used if a users has multple Password Setngs Object (PSO) applied to them.
________________________________________________________________________________________________
Page No | 186
Step 7
Type “FALSE” in the value feld and click “Next”
Noten You should almost never use “TRUE” for this setng.
Step 8
Type “24” in the “Value” feld and click “Next”
________________________________________________________________________________________________
Page No | 187
Step 9
Type “TRUE” in the “Value” feld and click “Next”
Step 10
________________________________________________________________________________________________
Page No | 188
Step 11
Type “1n00n00n00” in the “Value” feld and click “Next”
Step 12
________________________________________________________________________________________________
Page No | 189
Step 13
Step 14
Type “0n00n30n00” feld and click “Next”
________________________________________________________________________________________________
Page No | 190
Step 15
Step 16
Click “Finish”
________________________________________________________________________________________________
Page No | 191
You have now created the Password Setngs Object (PSO) and you can close the ADSIEdit tool.
Now to apply the PSO to a users or group…
Step 17
Open Actve Directory Users and Computers and navigate to “System N Password Setngs
Container”
Noten Advanced Mode needs to be enabled.
Step 18
Double click on the PSO you created then click on the “Atribute Editor” tab and then select the
________________________________________________________________________________________________
Page No | 192
“msDS-PSOAppliedTo” atribute and click “Edit”
Step 19
Click “Add Windows Accounts….” buton.
Step 20
Select the user or group you want to apply this PSO and click “OK”
________________________________________________________________________________________________
Page No | 193
Step 21
Click “OK”
Step 22
Click “OK”
________________________________________________________________________________________________
Page No | 194
And your are done… (told you it was hard).

Fine Grain Password Policies as you can see are very difcult to setup and manage so it is probably best you use them
sparingly in your organisaton… But if you really have to have a simple password or extra complicated password then
at least it give you away to do this without having to spin up another domain.
Question 160
Your network contains an Actve Directory domain. The domain contains two domain controllers named DC1 and DC2.
DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the zone. DC2 hosts a
standard secondary DNS zone for the domain.
You need to confgure DNS to allow only secure dynamic updates.
A. On DC1 and DC2, confgure a trust anchor.

B. On DC1 and DC2, confgure a connecton security rule.
C. On DC1, confgure the zone transfer setngs.
D. On DC1, confgure the zone to be stored in Actve Directory.
Aoswern D
Explanatonn
htpn//www.tutorialspoint.com/shortutorials/confguring-dns-server-for-secure-only-dynamic-updates/
Confguring DNS Server for Secure Only Dynamic Updates
About Dynamic Updates
During the installaton of Actve Directory Domain Services on Windows Server 2008 R2, the installaton process
automatcally installs the DNS server on the computer, in case it does not already exist in the network.
________________________________________________________________________________________________
Page No | 195
Aoer the successful installaton of Actve Directory Domain Services, the DNS server is by default confgured to
automatcally update the records of only the domain client computers as soon as it receives the registraton request
from them. This automatc update of DNS records in the DNS database is technically known as ‘Dynamic Updates’.
Types of DNS Updates
Dynamic updates that DNS server in Windows Server 2008 R2 supports includen
Nonsecure and Secure – When this type of dynamic update is selected, any computer can send registraton request to
the DNS server. The DNS server in return automatcally adds the record of the requestng computer in the DNS
database, even if the computer does not belong to the same DNS domain.
Although this confguraton remarkably reduces administratve overhead, this setng is not recommended for the
organizatons that have highly sensitve informaton available in the computers.
Secure only – When this type of dynamic update is selected, only the computers that are members of the DNS domain
can register themselves with the DNS server. The DNS server automatcally rejects the requests from the computers
that do not belong to the domain. This protects the DNS server from getng automatcally populated with records of
unwanted, suspicious and/or fake computers.
None – When this opton is selected, the DNS server does not accept any registraton request from any computers
whatsoever. In such cases, DNS administrators must manually add the IP addresses and the Fully Qualifed Domain
Names (FQDNs) of the client computers to the DNS database.
In most producton environments, systems administrators confgure Secure Only dynamic updates for DNS.
This remarkably reduces the security risks by allowing only the authentc domain client computers to register
themselves with the DNS server automatcally, and decreases the administratve overhead at the same tme.
However in some scenarios, administrators choose to have non-Actve Directory integrated zone to stay compliant
with the policies of the organizaton. This confguraton is not at all recommended because it does not allow
administrators to confgure DNS server for Secure only updates, and it does not allow the DNS database to get
replicated automatcally to the other DNS servers along with the Actve Directory replicaton process. When DNS zone
is not Actve Directory integrated, DNS database replicaton process must be performed manually by the
administrators.
Confgure Secure Only Dynamic Updates in Windows Server 2008 R2 DNS Server
To confgure Secure Only dynamic DNS updates in Windows Server 2008 R2, administrators must follow the steps
given as belown
1. Log on to Windows Server 2008 R2 DNS server computer with the domain admin or enterprise admin account on
which ‘Secure only’ dynamic updates are to be confgured.
2. On the desktop screen, click Start.
3. From the Start menu, go to Administrator Tools N DNS.
4. On DNS Manager snap-in, from the console tree in the leo, double-click to expand the DNS server name.
5. From the expanded list, double-click Forward Lookup Zones.
6. From the displayed zones list, right-click the DNS zone on which secure only dynamic updates are to be confgured.
7. From the displayed context menu, click Propertes.
________________________________________________________________________________________________
Page No | 196
8. On the zone’s propertes box, make sure that the General tab is selected.
9. On the selected tab, choose Secure only opton from the Dynamic updates drop-down list.
Noten Secure only opton is available only if the DNS zone is Actve Directory integrated.
Secure Only Dynamic Update

10. Click OK to apply the modifed changes.
11. Close DNS Manager snap-in when done.
Question 161
Your network contains a domain controller that has two network connectons named Internal and Private.
Internal has an IP address of 192.168.0.20. Private has an IP address of 10.10.10.5. You need to prevent the domain
controller from registering Host (A) records for the 10.10.10.5 IP address.
What should you do?
A. Modify the netlogon.dns fle on the domain controller.

B. Modify the Name Server setngs of the DNS zone for the domain.
C. Modify the propertes of the Private network connecton on the domain controller.
D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.
Aoswern C
Explanatonn
Steps to avoid registering unwanted NIC(s) in DNS on a Mulithomed Domain Controller
________________________________________________________________________________________________
Page No | 197
Symptoms On Domain Controllers with more than one NIC where each NIC is connected to separate Network, there is
a possibility that the Host A DNS registraton can occur for unwanted NIC(s).
If the client queries for DC’s DNS records and gets an unwanted record or the record of a diferent network which is
not reachable to client, the client will fail to contact the DC causing authentcaton and many other issues.
Cause
The DNS server will respond to the query in a round robin fashion. If the DC has multple NICs registered in DNS. The
DNS will serve the client with all the records available for that DC.
To prevent this, we need to make sure the unwanted NIC address is not registered in DNS.
Below are the services that are responsible for Host A record registraton on a DC
1. Netlogon service
2. DNS server service (if the DC is running DNS server service)
3. DHCP client /DNS client (2003/2008)
If the NIC card is confgured to register the connecton address in DNS, then the DHCP /DNS client service will
Register the record in DNS. Unwanted NIC should be confgured not to register the connecton address in DNS
If the DC is running DNS server service, then the DNS service will register the interface Host A record that it has set to
listen on. The Zone propertes, “Name server” tab list out the IP addresses of interfaces present on the DC. If it has
listed both the IPs, then DNS server will register Host A record for both the IP addresses.
We need to make sure only the required interface listens for DNS and the zone propertes, name server tab has
required IP address informaton
Resoluton To avoid this problem perform the following 3 steps (It is important that you follow all the steps to avoid
the issue).
1. Under Network Connectons Propertesn On the Unwanted NIC TCP/IP Propertes -N Advanced -N DNS -
N Uncheck "Register this connectons Address in DNS"
2. Open the DNS server consolen highlight the server on the leo pane Acton-N Propertes and on the "Interfaces" tab
select "listen on only the following IP addresses". Remove unwanted IP address from the list
3. On the Zone propertes, select Name server tab. Along with FQDN of the DC, you will see the IP address associated
with the DC. Remove unwanted IP address if it is listed.
Aoer performing this delete the existng unwanted Host A record of the DC.
Question 162
Your network contains an Actve Directory forest named contoso.com.

You plan to add a new domain named nwtraders.com to the forest.
All DNS servers are domain controllers.
You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNS servers
in the forest.
What should you do?
A. Add the computer accounts of all the domain controllers to the DnsAdmins group.
B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group.
C. Create a standard primary zone on a domain controller in the forest root domain.
D. Create an Actve Directory-integrated zone on a domain controller in the forest root domain.
Aoswern D
Question 163
Your network contains an Actve Directory domain named contoso.com. The domain contains a domain controller
named DC1. DC1 hosts a standard primary zone for contoso.com.
You discover that non-domain member computers register records in the contoso.com zone.
________________________________________________________________________________________________
Page No | 198
You need to prevent the non-domain member computers from registering records in the contoso.com zone.
All domain member computers must be allowed to register records in the contoso.com zone.
A. Confgure a trust anchor.

B. Run the Security Confguraton Wizard (SCW).
C. Change the contoso.com zone to an Actve Directory-integrated zone.
D. Modify the security setngs of the %SystemRoot%gSystem32gDns folder.
Aoswern C
Explanatonn
Actve Directory-Integrated Zones
DNS servers running on domain controllers can store their zones in Actve Directory. In this way, it is not necessary to
confgure a separate DNS replicaton topology that uses ordinary DNS zone transfers, because all zone data is
replicated automatcally by means of Actve Directory replicaton. This simplifes the process of deploying DNS and
provides the following advantagesn
Multple masters are created for DNS replicaton. Thereforen
Any domain controller in the domain running the DNS server service can write updates to the Actve Directory–
integrated zones for the domain name for which they are authoritatve. A separate DNS zone transfer topology is not
needed.
Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control which computers
update which names, and prevent unauthorized computers from overwritng existng names in DNS
Question 164
Your network contains an Actve Directory domain named contoso.com.

You create a GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target
host of the record is server2.contoso.com.
When you ping Server1, you discover that the name fails to resolve.
You successfully resolve server2.contoso.com.
You need to ensure that you can resolve names by using the GlobalNames zone.
What should you do?
A. From the command prompt, use the netsh tool.

B. From the command prompt, use the dnscmd tool.
C. From DNS Manager, modify the propertes of the GlobalNames zone.
D. From DNS Manager, modify the advanced setngs of the DNS server.
Aoswern B
Explanatonn
Enable GlobalNames zone support
The GlobalNames zone is not available to provide name resoluton untl GlobalNames zone support is explicitly
enabled by using the following command on every authoritatve DNS server in the forestn
dnscmd<ServerNameN /confg /enableglobalnamessupport 1
Question 165
________________________________________________________________________________________________
Page No | 199
Your company has a main ofce and a branch ofce.

The network contains an Actve Directory domain named contoso.com. The DNS zone for contoso.com is confgured
as an Actve Directory-integrated zone and is replicated to all domain controllers in the domain.
The main ofce contains a writable domain controller named DC1. The branch ofce contains a read- only domain
controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and are confgured as DNS
servers.
You uninstall the DNS server role from RODC1.
You need to prevent DNS records from replicatng to RODC1.
What should you do?
A. Modify the replicaton scope for the contoso.com zone.

B. Flush the DNS cache and enable cache locking on RODC1.
C. Confgure conditonal forwarding for the contoso.com zone.
D. Modify the zone transfer setngs for the contoso.com zone.
Aoswern A
Explanatonn
Change the Zone Replicaton Scope
You can use the following procedure to change the replicaton scope for a zone. Only Actve Directory Domain Services
(AD DS)–integrated primary and stub forward lookup zones can change their replicaton scope.
Secondary forward lookup zones cannot change their replicaton scope.
Understanding DNS Zone Replicaton in Actve Directory Domain Services
You can store Domain Name System (DNS) zones in the domain or applicaton directory parttons of Actve
Directory Domain Services (AD DS). A partton is a data structure in AD DS that distnguishes data for diferent
replicaton purposes.
The following table describes the available zone replicaton scopes for AD DS-integrated DNS zone data.
When you decide which replicaton scope to choose, consider that the broader the replicaton scope, the greater the
network trafc caused by replicaton. For example, if you decide to have AD DS–integrated DNS zone data replicated
to all DNS servers in the forest, this will produce greater network trafc than replicatng the DNS zone data to all DNS
servers in a single AD DS domain in that forest.
AD DS-integrated DNS zone data that is stored in an applicaton directory partton is not replicated to the global
________________________________________________________________________________________________
Page No | 200
catalog for the forest. The domain controller that contains the global catalog can also host applicaton directory
parttons, but it will not replicate this data to its global catalog.
AD DS-integrated DNS zone data that is stored in a domain partton is replicated to all domain controllers in its AD DS
domain, and a porton of this data is stored in the global catalog. This setng is used to support Windows 2000.
If an applicaton directory partton's replicaton scope replicates across AD DS sites, replicaton will occur with the
same intersite replicaton schedule as is used for domain partton data.
By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for the
applicaton directory parttons that are hosted on a domain controller in the same manner as it registers domain
controller locator (Locator) DNS resource records for the domain partton that is hosted on a domain controller.
Question 166
Your network contains an Actve Directory domain named contoso.com. The domain contains the servers shown in
The functonal level of the forest is Windows Server 2003. The functonal level of the domain is Windows Server 2003.
DNS1 and DNS2 host the contoso.com zone.
All client computers run Windows 7 Enterprise.
You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC.
A. Change the functonal level of the forest.

B. Change the functonal level of the domain.
C. Upgrade DC1 to Windows Server 2008 R2.
D. Upgrade DNS1 to Windows Server 2008 R2.
Aoswern D
Explanatonn
DNS Security Extensions (DNSSEC)
What are the major changes?
Support for Domain Name System Security Extensions (DNSSEC) is introduced in Windows Server® 2008 R2 and
Windows® 7. With Windows Server 2008 R2 DNS server, you can now sign and host DNSSECsigned zones to provide
security for your DNS infrastructure.
The following changes are available in DNS server in Windows Server 2008 R2n
Ability to sign a zone and host signed zones.
Support for changes to the DNSSEC protocol.
Support for DNSKEY, RRSIG, NSEC, and DS resource records.
The following changes are available in DNS client in Windows 7n
Ability to indicate knowledge of DNSSEC in queries.
Ability to process the DNSKEY, RRSIG, NSEC, and DS resource records.
Ability to check whether the DNS server with which it communicated has performed validaton on the client’s behalf.
The DNS client’s behavior with respect to DNSSEC is controlled through the Name Resoluton Policy Table (NRPT),
which stores setngs that defne the DNS client’s behavior. The NRPT is typically managed through Group Policy.
What does DNSSEC do?
________________________________________________________________________________________________
Page No | 201
DNSSEC is a suite of extensions that add security to the DNS protocol. The core DNSSEC extensions are specifed in
RFCs 4033, 4034, and 4035 and add origin authority, data integrity, and authentcated denial of existence to DNS. In
additon to several new concepts and operatons for both the DNS server and the DNS client, DNSSEC introduces four
new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS.
In short, DNSSEC allows for a DNS zone and all the records in the zone to be cryptographically signed.
When a DNS server hostng a signed zone receives a query, it returns the digital signatures in additon to the records
queried for. A resolver or another server can obtain the public key of the public/private key pair and validate that the
responses are authentc and have not been tampered with. In order to do so, the resolver or server must be
confgured with a trust anchor for the signed zone, or for a parent of the signed zone.
Question 167
Your network contains a domain controller that is confgured as a DNS server. The server hosts an Actve Directory-
integrated zone for the domain.
You need to reduce how long it takes untl stale records are deleted from the zone.
What should you do?
A. From the confguraton directory partton of the forest, modify the tombstone lifetme.
B. From the confguraton directory partton of the forest, modify the garbage collecton interval.
C. From the aging propertes of the zone, modify the no-refresh interval and the refresh interval.
D. From the start of authority (SOA) record of the zone, modify the refresh interval and the expire interval.
Aoswern C
Explanatonn
Set Aging and Scavenging Propertes for a Zone
The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for
________________________________________________________________________________________________
Page No | 202
performing cleanup and removal of stale resource records, which can accumulate in zone data over tme.
You can use this procedure to set the aging and scavenging propertes for a specifc zone using either the DNS
Manager snap-in or the dnscmd command-line tool.
To set aging and scavenging propertes for a zone using the Windows interface
1. Open DNS Manager. To open DNS Manager, click Start, point to Administratve Tools, and then click DNS.
2. In the console tree, right-click the applicable zone, and then click Propertes.
3. On the General tab, click Aging.
4. Select the Scavenge stale resource records check box.
5. Modify other aging and scavenging propertes as needed.
To set aging and scavenging propertes for a zone using a command line
1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All
Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. At the command prompt, type the following command, and then press ENTERn
dnscmd <ServerNameN /Confg <ZoneNameN {/Aging <ValueN|/RefreshInterval <ValueN|/
NoRefreshInterval <ValueN}
Question 168
You have an Actve Directory domain named contoso.com.

You have a domain controller named Server1 that is confgured as a DNS server.
Server1 hosts a standard primary zone for contoso.com. The DNS confguraton of Server1 is shown in the exhibit.
(Click the Exhibit buton.)
________________________________________________________________________________________________

Microsoft Exam Material

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Microsoft Exam Material

Загружено:

Авторское право:

Доступные форматы

Looking for Real Exam Questions for IT Certification Exams!

Command to view the audit policy categories and Subcategoriesn

How to enable the change auditng policy using a command line

How to set up auditng in object SACLs

A. Create a new stub zone named ad.contoso.com on DC2.

A. Use the dsmod OU <OrganizatonalUnitDNN command to create the organizatonal units.

A. Confgure DC2 as a bridgehead server.

A. Import the enterprise root CA certfcate.

* Member workstatons and servers.

A. Add and confgure a new account partner.

A. Actve Directory Users and Computers snap-in

A. Add another RODC to the branch ofce.

A. Set dynamic updates to Secure Only.

A. Domain naming master

The fve FSMO roles aren

A. Create a new stub zone for the intranet.fabrikam.com domain.

An Actve Directory database is installed on the C volume of a domain controller.

To move the directory database and log fles to a local driven

A. Perform an authoritatve restore of the Sales OU.

A. Enable debug logging.

A. Run the Dnscmd.exe /ZoneResetType command on DC3.

A. Clear the DNS cache on DC2.

Reviewing DNS Concepts

A. Confgure the Block Inheritance setng on the R&D organizatonal unit.

placement within an OU.

A. The Server Manager console

A. Decrease the replicaton schedule for the DEFAULTIPSITELINK object.

A. Raise the forest functonal level of fabrikam.com to Windows Server 2008.

A. Import the enterprise root CA certfcate.

What is Windows Recovery Environment?

A. Run the netdom remove DC1 command.

A. From the DNS Manager console, reload the zone.

You have a Windows Server 2008 R2 Enterprise Root C

B. Confgure the Online Responder Role Service on a domain controller.

A. Run the move-item command in the Microsoo Windows PowerShell utlity.

A. Modify the propertes of the SOA record in the contoso.com zone.

What should you do frst?

A. On a domain controller run adprep /rodcprep.

A. Start the Actve Directory Diagnostcs data collector set.

A. Set up Automatc Updates through Control Panel on the client computers.

Decommissioning a Domain Controller

Command Prompt, and then click Run as administrator.

A. On DC1, modify the permissions of contoso.com zone.

Your company has an Actve Directory forest.

A. Add the DNS Server role.

Well, you need to fulfll basic requirementsn

A. Update the list of root hints servers on DNS2.

A. Raise the functonal level of the domain to Windows Server 2008.

D. Confgure conditonal forwarding on DNS3 to forward contoso.com queries to DNS1.

A. Decrease the replicaton interval for all Connecton objects.

Understanding When to Create a Shortcut Trust

Using one-way trusts

Adding New Administratve Templates to a GPO

A. Run the Group Policy Results utlity for the user.

Your company has an Actve Directory domain.

A. Create an Enrollment Agent certfcate.

A. Actve Directory Domains and Trusts

the Unix-based DNS server.

A. Enable BIND secondaries

Your company has an Actve Directory domain.

A. Confgure auditng in the Certfcaton Authority snap-in.

Store and retrieve archived keys.

A. Add the global distributon group to the Domain Administrators group.

Your company hires 10 new employees.