Only one Active Directory-integrated zone has been configured in the Company.com
domain. Company.com has requested that you configure the DNS zone to automatically
remove DNS records that are outdated.
A. You should consider running the netsh /Reset DNS command from the Command
prompt.
B. You should consider enabling Scavenging in the DNS zone properties page.
C. You should consider reducing the TTL of the SOA record in the DNS zone properties
page.
D. You should consider disabling updates in the DNS zone properties page.
Answer: B
Explanation: In the scenario you should enable scavenging through the zone
properties because scavenging removes the outdated DNS records from the DNS
zone automatically. You should additionally note that patience is required
when enabling scavenging, as there are some safety valves built into scavenging
which take a long time to pop.
Reference:
http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845-88d2-4091-8088-a6bbce0a4304&ID=211
QUESTION NO: 2
You work as the network administrator at Company.com. The Company.com network has
a domain named Company.com. All servers on the Company.com network run Windows
Server 2008.
The Company.com network has a server named TESTKING-SR15. You install the Active
Directory Lightweight Directory Services (AD LDS) on TESTKING-SR15.
Answer: B
Explanation: You need to use the ADSI Edit snap-in to create new OUs in the AD
LDS application directory partition. You also need to add the snap-in in the
Microsoft Management Console (MMC).
QUESTION NO: 3
You work as the network administrator at Company.com. The Company.com network has
a domain named Company.com. All servers on the Company.com network run Windows
Server 2008.
What action should you take to transfer the Schema Master Operations role to
TESTKING-DC02?
A. Your best option would be to have the dcpromo /adv command executed on
TESTKING-DC02.
B. Your best option would be to have the Schema Master role seized to
TESTKING-DC02.
C. Your best option would be to have Schmmgmt.dll registered on TESTKING-DC02.
D. Your best option would be to add your user account to the Schema Administrators
group.
Answer: B
Reference:
http://technet2.microsoft.com/windowsserver/en/library/d4301a14-dd18-4b3c-a3cc-ec9a773f7ffb1033.mspx?mfr
QUESTION NO: 4
You work as the network administrator at Company.com. The Company.com network has
a single forest. The forest functional level is set at Windows Server 2008.
The Company.com network has a Microsoft SQL Server 2005 database server named
TESTKING-DB04 that hosts the Active Directory Rights Management Service (AD
RMS).
You try to access the Active Directory Rights Management Services administration
website but received an error message stating:
A. You need to restart the Internet Information Server (IIS) service and the MSSQLSVC
service on TESTKING-DB04.
B. You need to install the Active Directory Lightweight Directory Services (AD LDS) on
TESTKING-DB04.
C. You need to reinstall the AD RMS instance on TESTKING-DB04.
D. You need to reinstall the SQL Server 2005 instance on TESTKING-DB04.
E. You need to run the DCPRO command on TESTKING-SR04
Answer: A
Explanation: You need to restart the Internet Information Server (IIS) to correct the
problem. Starting the MSSQLSVC service will allow you to access the
database from the AD RMS administration website.
QUESTION NO: 5
A new Company.com security policy requires that revoked certificate information should
be available for examination at all times.
Answer: B
Explanation: You should use network load balancing and publish an OCSP
responder. This will ensure that the revoked certificate information will be available
at all times. You do not need to download the entire CRL to check for revocation of
a certificate; the OCSP is an online responder that can receive a request to check
for revocation of a certificate. This will also speed up certificate revocation checking
as well as reduce network bandwidth tremendously.
QUESTION NO: 6
You work as the network administrator at Company.com. The Company.com network has
a domain named Company.com. All servers on the Company.com network run Windows
Server 2008.
You are responsible for managing two servers, TESTKING-SR01 and TESTKING-SR02.
They are set up with the following configuration.
Which of the steps must you perform for configuring the Online Responder to be
supported on TESTKING-SR01?
Answer: D
Explanation: In order to configure the online responder role service on
TESTKING-SR01 you need to configure the AIA extension. The authority
information access extension will indicate how to access CA information and
services for the issuer of the certificate in which the extension appears. Information
and services may include on-line validation services and CA policy data. This
extension may be included in subject or CA certificates, and it MUST be
non-critical.
QUESTION NO: 7
You work as the network administrator at Company.com. The Company.com network has
a domain named Company.com. All servers on the Company.com network run Windows
Server 2008 and all client computers run Windows Vista.
The Company.com network has a client computer named TESTKING-WS640 that was
last used six months ago. During the course of the day you attempt to log on to
TESTKING-WS640 but you are unable to authenticate during the logon process.
Answer: C
QUESTION NO: 8
You work as an enterprise administrator at Company.com. The Company.com network
has a forest with a domain named Company.com.
The Company.com network has a Windows Server 2008 domain controller named
TESTKING-DC01 that hosts the Directory Services Recovery Mode (DSRM) role.
What would be the best option to take to have the DSRM password reset?
A. The best option is to open the Active Directory Security for Computers snap-in.
B. The best option is to run the ntdsutil command.
C. The best option is to run the Netsh command.
D. The best option is to open the Domain Controller security snap-in.
Answer: B
Explanation: You should use the ntdsutil utility to reset the DSRM password. You
can use Ntdsutil.exe to reset this password for the server on which you are working,
or for another domain controller in the domain. Type ntdsutil and at the ntdsutil
command prompt, type set dsrm password.
Reference: http://support.microsoft.com/kb/322672
QUESTION NO: 9
You work as an enterprise administrator at Company.com. The Company.com network
has a domain named Company.com. All servers on the Company.com network run
Windows Server 2008. Company.com has two offices, Chicago and Dallas.
How can you make sure that Dallas Office users use only TESTKING-DC02 for
authentication?
Answer: B
Explanation: You should use the Password Replication Policy on the RODC. This
will allow the users at the Dallas office to log on to the domain with RODC. RODCs
don't cache any user or machine passwords.
QUESTION NO: 10
You work as the network administrator at Company.com. The Company.com network has
a domain named intl.Company.com. All servers on the Company.com network run
Windows Server 2008. The domain controllers on the Company.com domain are
configured to function as DNS servers.
What action should you take to ensure that computers that are not part of the
intl.Company.com domain are not able to dynamically register their DNS registration
information in the intl.Company.com zone?
A. You should consider removing the .(root) zone from the intl.Company.com zone.
B. You should consider running the dnscmd /AgeAllRecords command.
C. You should consider configuring Secure Only dynamic updates.
D. You should consider configuring the intl.Company.com zone as an Active Directory
integrated zone.
Answer: C
Explanation: In order to ensure that only domain members are able to register their
DNS records dynamically you need to set the option Secure only for Dynamic
updates. This will only allow the domain members to register their DNS records
dynamically.
Reference:
www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncf_imp_afpf.mspx
How can you accomplish the goals? (Each correct answer presents part of the solution.
Choose TWO.)
Answer: C, D
Explanation: In the scenario you should have the Company.com primary zone
converted to an Active Directory-integrated zone and delete the secondary zone, as
this would ensure replication of the Company.com zone is encrypted whilst
preventing data loss.
QUESTION NO: 12
All master roles in the forest are maintained at a domain controller TESTKING-DC01.
You have another domain controller in the network named TESTKING-DC02 which
contains better hardware and can improve performance. TESTKING-DC01 is to be
removed from the network.
Which option can you select in order to ensure that proper roles are transferred to
TESTKING-DC02 without disrupting the forest wide operations?
A. You should consider transferring the RID Master role and the Schema master role.
B. You should consider transferring the Schema master role and the Domain naming
master role.
C. You should consider transferring the Infrastructure master role and the PDC emulator
role.
D. You should consider transferring the Infrastructure master role and the Domain
naming master role.
E. You should consider transferring the RID Master role and the PDC emulator role.
Answer: C
Explanation: In order to transfer all forest-wide operation master roles to another
domain you need to transfer Domain naming master as well as the Schema master.
Schema Master: The schema master domain controller controls all updates and
modifications to the schema. To update the schema of a forest, you must have access
to the schema master. There can be only one schema master in the whole forest.
Domain naming master: The domain naming master domain controller controls the
addition or removal of domains in the forest. There can be only one domain naming
master in the whole forest.
Reference: http://support.microsoft.com/kb/324801
QUESTION NO: 13
You work as the enterprise administrator at Company.com. The Company.com network
has a domain named Company.com. All servers on the Company.com network run
Windows Server 2008. The Company.com network has a domain controller named
TESTKING-DC01 that has a single hard drive named Drive C. Drive C hosts the ntds.dit
database. You have installed an additional hard drive named Drive D on
TESTKING-DC01.
A. The best option is to run the Ntdsutil command with the Files option.
B. The best option is to open Windows PowerShell and use the Copy and Paste
functions.
C. The best option is to run the xcopy command.
D. The best option is to open the Windows Explorer and use the Cut and Paste functions.
Answer: A
Explanation: The way you move the Active Directory database to a new volume is
to move the ntds.dit file to the new volume by opening the Files option in the
ntdsutil utility. Use Ntdsutil.exe to move the database file, the log files, or both to a
larger existing partition.
Reference:
http://technet2.microsoft.com/windowsserver/en/library/af6646aa-2360-46e4-81ca-d51707bf01eb1033.mspx?mf
The Company.com network has organizational units (OU's) named Sales, Marketing and
Admin. The Sales OU contains a file server named TESTKING-SR04 that hosts a shared
folder named SalesDocs that contains sensitive customer information.
What action should you take to track access to the SalesDocs folder? (To answer, drag
the appropriate action to the appropriate location in the work area.)
What action should you take to configure TESTKING-SR01 to support key archival?
Answer: C
QUESTION NO: 16
You work as the enterprise administrator at Company.com. The Company.com network
has a domain named Company.com that operates at the Windows Server 2008.
How can you configure the network so that it allows the users of Company.com to have
multiple password policies?
A. You should consider creating multiple class schema objects in the Schema console.
B. You should consider creating multiple Group Policy objects in the Group Policy
Management console.
C. You should consider creating multiple Password Setting objects in the ADSI Edit
console.
D. You should consider creating multiple passwords in Active Directory Users and
Computers.
Answer: C
QUESTION NO: 17
You work as the network administrator at Company.com. The Company.com network has
a domain named Company.com. All servers on the Company.com network run Windows
Server 2008.
What option can you use to ensure tracking of all DNS queries received by
TESTKING-SR01?
A. You should consider having automatic logging for recursive queries enabled in the
DNS Manager Console on TESTKING-SR01.
B. You should consider having debug logging enabled in the DNS Manager Console on
TESTKING-SR01.
C. You should consider having event logging configured in the DNS Manager Console
on TESTKING-SR01.
Answer: B
QUESTION NO: 18
You work as an enterprise administrator at Company.com. All servers on the
Company.com network run Windows Server 2008. Company.com has its headquarters in
Chicago and a branch office in Miami. The two offices are configured as separate sites.
The Miami site contains a domain controller named TESTKING-DC06. You receive an
instruction from the CIO to install a new application at the Miami office. In order for the
application to run a Global Catalog server is required.
What action should you consider to add a Global Catalog server to the Miami site?
Answer: D
QUESTION NO: 19
You work as the network administrator at Company.com. The Company.com network has
a domain named Company.com. All servers on the Company.com network run Windows
Server 2008.
The network contains two sites London and Paris. The following configuration applies to
each location.
London
- Single Domain Controller named TESTKING-DC01
- Separate Active Directory Site.
Paris
Network Setup
- Both Active Directory Sites are using DEFAULTIPSITELINK object for connectivity.
What action should you take to reduce the delay it takes during replication between
TESTKING-DC01 and TESTKING-DC02?
A. You should consider having the replication interval for the DEFAULTIPSITELINK
object decreased.
B. You should consider having the replication schedule for the DEFAULTIPSITELINK
object increased.
C. You should consider having the cost for the DEFAULTIPSITELINK object decreased.
D. You should consider having a site link bridge installed between TESTKING-DC01
and TESTKING-DC02.
Answer: A
TestKing has several contractual workers who are members of a global group named
PartTimeUsers. A new Company.com security policy requires that any attempts by
contractual workers to access the folders and files on the file servers in the TKServers
OU needs to be tracked.
What action should you take to implement this policy? (To answer, drag the appropriate
action to the appropriate location in the work area.)
What step can you perform to make sure that TESTKING-SR02 is issuing the certificate
revocation lists (CRL)?
Answer: C
QUESTION NO: 22
You work as the network administrator at Company.com. The Company.com network has
a domain named Company.com. All servers on the Company.com network run Windows
Server 2008 and all client computers run Windows Vista.
During the course of the day a Company.com user named Rory Allen complains that he
receives an error message stating that his account has expired when he attempts to
authenticate to the Company.com domain from his client computer.
What action should you consider to have Rory Allen log on to the Company.com domain
from his client computer?
A. You should consider reducing the account lockout duration in the default domain
policy.
B. You should consider resetting Rory Allen's user account.
C. You should consider setting Rory Allen's user account to never expire.
D. You should consider resetting the computer account for Rory Allen's client computer.
Answer: C
QUESTION NO: 23
You work as the network administrator at Company.com. Company.com has its
headquarters in London. The Company.com network has a domain named Company.com
that consists of a single Active Directory site named LondonSite. The LondonSite
contains a domain controller named TESTKING-DC01.
Company.com opens a branch office in York and you create another Active Directory site
named YorkSite.
How can you have Active Directory replication configured between the two sites?
A. You need to consider installing a new domain controller in YorkSite and creating a
site link between the two sites. Then you should consider decreasing the site link cost.
Answer: D
QUESTION NO: 24
You work as the enterprise administrator at Company.com. The Company.com network
has a domain named Company.com. The Company.com network has three domain
controllers named TESTKING-DC01, TESTKING-DC02 and TESTKING-DC03 that
run Windows Server 2003. Company.com purchases a new Windows Server 2008
computer named TESTKING-SR04.
What is the first step you should take to install TESTKING-SR04 as a domain controller
on the Company.com network?
Answer: B
QUESTION NO: 25
You work as an enterprise administrator at Company.com. The Company.com network
has a domain named Company.com. All servers on the Company.com network run
Windows Server 2008.
A new Company.com domain controller management policy states that replication errors
need to be logged to a central server.
Answer: C
The Company.com domain has two domain controllers named TESTKING-DC01 and
TESTKING-DC02 and the intl.Company.com domain has two domain controllers named
TESTKING-DC03 and TESTKING-DC04.
What actions should you take to remove the intl.Company.com child domain? (To answer,
drag the appropriate action to the appropriate location in the work area.)
What action should you take first if you want the new zone replicated only to
TESTKING-DC05 and TESTKING-DC06?
Answer: A
QUESTION NO: 28
You work as the network administrator at Company.com. The Company.com network has
a domain named Company.com. All servers on the Company.com network run Windows
Server 2008.
The Company.com network has a domain controller named TESTKING-SR01 that also
functions as a DNS server. You add a new stand alone server named TESTKING-SR02
and configure it as a DNS server. You then configure a standard secondary zone with
TESTKING-SR01 as the master server.
What action should you take to have zone updates replicated from TESTKING-SR01 to
TESTKING-SR02?
Answer: D
QUESTION NO: 29
What action should you take to implement this policy? (Choose all that apply.)
A. You should publish a list of trusted certificate authorities and only grant Kara Lang
the necessary permissions to access the Trusted Publishers list.
B. You should apply the code signing template to TESTKING-SR03 and configure the
template to only grant Kara Lang the necessary permissions to request code signing
certificates.
C. You should import the Online Certificate Status Protocol (OCSP) Response Signing
certificate to TESTKING-SR03 and only grant Kara Lang the necessary permissions to
distribute code signing certificates.
D. You should add TESTKING-SR03 to the CertPublishers group and only grant Kara
Lang the necessary permissions to manage TESTKING-SR03.
Answer: B
QUESTION NO: 30
You work as a systems administrator at Company.com. The Company.com network has a
forest with a domain named Company.com. All servers on the Company.com network run
Windows Server 2008.
You are responsible for managing a stand-alone server named TESTKING-SR05. You
are in the process of configuring TESTKING-SR05 as an Enterprise certification
authority (CA). You now want to assign the Active Directory Certificate Services (AD
CS) role to TESTKING-SR05. However, you notice that you cannot select the Enterprise
CA option.
Answer: B
QUESTION NO: 31
You work as an enterprise administrator at Company.com. The Company.com network
has a domain named Company.com. All servers on the Company.com network run
Windows Server 2008 and all client computers run Windows Vista Enterprise Edition.
All client computers are located in an Organizational Unit named ClientPCs.
Company.com has acquired a new third-party application that you need to install on the
client computers. Before you can install the application you need to prepare the client
computers by applying a file named tkApp.adm to them. The tkApp.adm file makes
changes to the registry on the client computers.
A. Your best option would be to create a transformation package that applies the
tkApp.adm file and assign the package to the client computers.
B. Your best option would be to copy the tkApp.adm file to a network share and write a
Microsoft Windows PowerShell script that applies the file to the client computers.
C. Your best option would be to write a Microsoft Windows PowerShell script that
copies the tkApp.adm file to the client computers.
D. Your best option would be to create a Group Policy Object (GPO) that imports the
tkApp.adm file and link the GPO to the ClientPCs OU.
Answer: D
Which actions should you take? (To answer, drag the appropriate action to the
appropriate location in the work area.)
Answer:
Due to company growth, Company.com has hired 150 additional employees that are
distributed among the four sites. You create user accounts for the new Company.com
users. However, the new users complain that when they attempt to logon to the domain
they receive an error message stating that their username or password is incorrect.
What action should you take to allow the new Company.com users to log on to the
domain?
A. You should consider resetting the user accounts for the new users.
B. You should consider adding the new users to the Remote Desktop Users group.
C. You should consider running the repadmin /replicate command.
D. You should consider installing Global Catalog servers at the Lisbon, Madrid and Paris
sites.
QUESTION NO: 34
You work as the network administrator at Company.com. The Company.com network has
a forest with a domain named Company.com.
The Company.com network has four Windows Server 2008 domain controllers named
TESTKING-DC01, TESTKING-DC02, TESTKING-DC03 and TESTKING-DC04. All
four domain controllers run the DNS Server role and are part of an Active Directory
integrated zone. The Company.com network also has a UNIX-based DNS server named
TESTKING-SR05.
What action should you take to ensure that zone transfers to TESTKING-SR05 can
occur?
A. You should consider installing Active Directory Lightweight Directory Services (AD
LDS) on TESTKING-SR05.
B. You should consider running the dcpromo command on TESTKING-SR05.
C. You should consider having a stub zone created for TESTKING-SR05.
D. You should consider configuring BIND secondaries.
Answer: D
QUESTION NO: 35
You work as the network administrator at Company.com. The Company.com network has
a domain named Company.com. The Company.com has a Windows Server 2008 domain
controller named TESTKING-DC01.
Answer: C
QUESTION NO: 36
You work as the network administrator at Company.com. The Company.com network has
a domain named Company.com. All servers on the Company.com network run Windows
Server 2008.
Answer: C
QUESTION NO: 37
You work as the network administrator at Company.com. The Company.com network has
a domain named Company.com. The domain functional level is set at Windows Server
2008.
The Company.com network has a file server named TESTKING-SR04. You configure a
shared folder named KINGDATA on TESTKING-SR04. You then move users to a new
global distribution group named DISTGRP. You grant a domain local group named
DLOCGRP access to KINGDATA. You then add DISTGRP to DLOCGRP.
What action should you take to make sure that all users in the DISTGRP group are able
to access the KINGDATA share?
A. You should configure DISTGRP to be a universal distribution group.
B. You should configure DISTGRP to be a security group.
C. You should configure DLOCGRP to be a universal security group.
D. You should add the DISTGRP to the Local Administrators group on
TESTKING-SR04.
Answer: B
QUESTION NO: 38
You work as an enterprise administrator at Company.com. The Company.com network
has a domain named Company.com. All servers on the Company.com network run
Windows Server 2008. Company.com has its headquarters in Chicago.
Company.com opens a new branch office in Dallas. You need to allow Company.com
users in the Dallas office to access network resources in the Chicago office. You assign
the Company.com users in the Dallas office the Read and Execute permissions to the
network resources in the Chicago office. You then create a VPN connection which the
Company.com users in the Dallas office use to establish connectivity to the Chicago office.
However, the users in the Dallas office report that they cannot connect to the Chicago
office by using the VPN connection.
A. Your best option would be to assign the Allow Access Dial-in permission to the users in
the Dallas office.
B. Your best option would be to make the users in the Dallas office members of the Remote
Desktop Users security group.
C. Your best option would be to make the users in the Dallas office members of the Network
Configuration Operators security group.
D. Your best option would be to delete and recreate the VPN connection.
Answer: A
QUESTION NO: 39
You work as the network administrator at Company.com. The network has the following
configuration.
What action should you take to determine which LDAP clients are consuming the most
CPU resources on TESTKING-DC01?
A. You should open System Information and view the Hardware Resources node.
B. You should open Task Manager and view the Processes tab.
C. You should open the Active Directory Diagnostics Data Collector and view the
Active Directory report.
D. You should open the Resource Monitor and view the CPU performance data.
Answer: C
QUESTION NO: 40
You work as an enterprise administrator at Company.com. The Company.com network
has a forest with a domain named Company.com. All servers on the Company.com network
run Windows Server 2003.
You need to upgrade the domain controllers from Windows Server 2003 to Windows
2008 on the Company.com domain.
What command can be used on servers running Windows 2003 in order to prepare
Company.com for the upgrade?
Answer: B
QUESTION NO: 41
You work as the network administrator at Company.com. The Company.com network has
a domain named Company.com. All servers on the Company.com network run Windows
Server 2008.
Answer: A
QUESTION NO: 42
You work as an enterprise administrator at Company.com. The Company.com network
has a domain named Company.com. All servers on the Company.com network run
Windows Server 2008. Company.com has its headquarters in Seattle and branch offices in
Dallas, Miami and Chicago. Each office is configured as a separate site named Seattle,
Dallas, Miami and Chicago.
Where should you consider deactivating the Universal Group Membership Caching
(UGMC) option at the Dallas, Miami and Chicago offices?
A. You should consider deactivating the UGMC in Active Directory Users and
Computers.
B. You should consider deactivating the UGMC at the Site level.
C. You should consider deactivating the UGMC through a Group Policy Object linked to
the domain.
D. You should consider deactivating the UGMC at the Organizational Unit (OU) level.
QUESTION NO: 43
You work as the network administrator at Company.com. The Company.com network has
a domain named Company.com. All servers on the Company.com network run Windows
Server 2003.
You have just performed the migration of domain controllers from Windows 2003 to
Windows 2008.
Answer: B
QUESTION NO: 44
You work as an enterprise administrator at Company.com. The Company.com network
has a forest with a domain named Company.com. The forest functional level is set at
Windows Server 2003 Native Mode. Company.com has two divisions, namely Chicago
and Dallas.
The Company.com network has three Windows Server 2003 domain controllers named
TESTKING-DC01, TESTKING-DC02 and TESTKING-DC03 that are located in the
Chicago office. You want to install a read-only domain controller (RODC) named
TESTKING-DC04 in the Dallas office.
A. You should consider upgrading TESTKING-DC01 to Windows Server 2008 and then
execute the adprep /rodcprep command on TESTKING-DC01.
B. You should consider configuring the Dallas network as a separate site and upgrading
TESTKING-DC04 to Windows Server 2008.
C. You should consider upgrading all domain controllers to Windows Server 2008 and
having the forest functional level set to Windows Server 2008.
Answer: A
QUESTION NO: 45
You work as an enterprise administrator at Company.com. The Company.com network
has a domain named Company.com. All servers on the Company.com network run
Windows Server 2008.
You have a workstation called Testking-WS10 and performed the following tasks:
What action should you take to make sure that the Testking-WS10 computer account has
been created in an organizational unit (OU)?
A. You should consider using Active Directory Users and Computers to create the
computer accounts.
B. You should consider using the csvde command.
C. You should consider using the ldifde command.
D. You should consider using the dsadd command.
Answer: D
QUESTION NO: 46
You work as the network administrator at Company.com. The Company.com network has
a domain named Company.com. All servers on the Company.com network run Windows
Server 2008. The Company.com network has two domain controllers named
TESTKING-DC01 and TESTKING-DC02.
What action should you take to verify the successful replication of Active Directory
information from TESTKING-DC01 to TESTKING-DC02?
What should you do? (Each correct answer presents part of the solution. Choose two.)
QUESTION NO: 2
You have deployed Active Directory Federation Services (AD FS) in your organization.
You need to configure another organization as a federated partner. Your organization is
the resource partner in this partnership.
You need to exchange partner values with the partner organization. You want to do this
with as little administrative effort as possible.
A. Add your partner's domain as an Active Directory Domain Services (AD DS) Account
store.
B. Export your trust policy files and send the resulting file to the partner administrator.
C. Have the partner send its federation server's validation certificate.
D. Deploy an AD FS Proxy in the partner's perimeter network.
Answer: B
QUESTION NO: 3
A computer running Microsoft Windows Server 2008 is configured as a domain
controller. The computer also supports other services, including the Dynamic Host
Configuration Protocol (DHCP) service.
You need to move the Active Directory database on the computer. You must minimize
the impact on the other services running on the computer.
What should you do first? (Each correct answer presents a complete solution. Choose
two.)
QUESTION NO: 4
Your company's network consists of 10 Microsoft Windows Server 2008 domain
controllers. There are also 15 member servers running Windows Server 2008 and 1,000
client computers running Windows XP Professional. All computers are members of a
single Active Directory domain. A Public Key Infrastructure (PKI) is also in place using
Active Directory Certificate Services. Users are required to enroll for a User certificate
using Web enrollment.
Users are reporting that the response time is very slow when accessing servers that host
financial data. Certificate authentication is required to access these servers. You discover
that the network is extremely busy and network bandwidth is reaching capacity.
You need to re-configure the Certificate Authority (CA) infrastructure to help reduce
traffic on the network.
QUESTION NO: 5
Your company's network is configured as a single Active Directory domain. All domain
controllers are running Windows Server 2008. The network currently has only a single
site. The company is preparing to open a branch office.
You must ensure that administrators at the branch office can create, modify, and delete
user accounts only for employees at the branch office. Administrators must be able to
manage user accounts even if the link to the corporate office is unavailable.
Answer: D
QUESTION NO: 6
You work as a Network Administrator for Perfect Solutions Inc. The company has its
headquarters in Los Angeles. The branch offices of the company are located in Denver,
San Jose, and San Diego. All locations are connected through 128Kbps leased lines.
You are configuring the network of the company. The company wants to configure a
Windows 2008 Active Directory-based network. You are supposed to provide a design
for the network. The management of the company does not want unnecessary traffic over
the WAN connection.
Which of the following strategies will you implement to fulfill the requirements of the
company?
A. Create a separate site for each location. Move the domain controllers to their
respective sites.
B. Create a separate site for each location. Keep all domain controllers at the
headquarters site.
C. Create a site for the headquarters and move all domain controllers to this site.
D. Create a single site that covers all locations. Keep all domain controllers at the
headquarters.
Answer: A
QUESTION NO: 7
You work as a Network Administrator for Tech Perfect Inc. The company has a
Windows 2008 Active Directory-based network. The company's network consists of two
sites, namely San Francisco and San Diego. These sites are connected with a high-speed
T1 line as shown in the image below:
QUESTION NO: 8
You work as a Network Administrator for Tech Perfect Inc. The company has a
Windows 2008 Active Directory-based network. All client computers on the network run
Windows Vista Ultimate. You have configured Dynamic DNS (DDNS) on the network.
There are a lot of mobile users who often connect to and disconnect from the network.
Users on the network complain of slow network responses. You suspect that the stale
records on the DNS server may be the cause of the issue. You want to remove the stale
records.
Which of the following technologies will you use to accomplish the task?
A. Scavenging
B. Aging
C. Forwarding
D. RODC
Answer: A
QUESTION NO: 9
QUESTION NO: 10
You work as a Network Administrator for Blue Well Inc. The company has a Windows
2000 single domain Active Directory-based network. The company wants to upgrade all
its servers to Windows Server 2008 and then its network to a Windows 2008 Active
Directory-based network. Before upgrading the network, you want to test the transfer of
user and computer accounts from the existing environment to the new environment. You
take the following steps:
Create some test users and a test group in the existing environment.
Make these users members of the group.
Create a new Windows 2008 forest on a new server.
Which of the following tools will you use to test the successful transfer of user and
computer accounts and groups?
QUESTION NO: 11
A. Configure universal group membership caching at the branch office. Remove the
domain controller.
B. Install a global catalog server at the branch office. Remove the domain controller.
C. Install an RODC at the branch office. Remove the domain controller.
D. Place the domain controller at the branch in a strong room secured with locks and
keys.
Answer: C
QUESTION NO: 12
You work as a Network Administrator for Net World International. The company has an
Active Directory-based Windows single forest network. Organizational units (OUs) are
configured separately for each department. Each department's users and computers are
placed in their respective OUs. A domain-level OU is also configured on the network to
implement domain-wide policies. Rick, a Sales Manager, complains that he is unable to
access an application. You suspect that a group policy is preventing Rick from accessing
the application. You want to find out the effective group policies on Rick. Which
command-line tool will you use to accomplish the task?
A. GPUPDATE
B. GETRESULT
C. GPRESULT
D. Resultant Set of Policy Wizard
Answer: C
QUESTION NO: 13
You work as a Network Administrator for Tech Perfect Inc. The company has an Active
Directory-based network. You have installed Windows Server 2008 on a computer. You
want to configure the server as a Certificate Authority (CA). Which of the following
utilities will you use to accomplish the task?
A. Manage Your Server
B. Configure Your Server
C. Security Configuration Wizard
D. Server Manager
Answer: D
QUESTION NO: 14
You work as a Network Administrator for Maya Inc. The company has a Windows
Active Directory-based single domain network. The company's offices are located in Los
Angeles, Denver, San Jose, and San Diego. All locations have been configured as
separate sites. The company's headquarters is located in Los Angeles. The network is
configured as shown in the image below:
You have configured domain controllers at each site. A bridgehead server is configured
at the headquarters. Each branch office contains fifty users. Users use an Active
Directory integrated application. You notice that the bridgehead server at the
headquarters is receiving a lot of Active Directory replication traffic from the branch
offices. You are required to reduce the Active Directory replication traffic. Which of the
following steps will you take to accomplish the task?
Answer: C
QUESTION NO: 15
QUESTION NO: 16
You work as a Network Administrator for Net World Inc. The company has a Windows
Active Directory-based single forest network. The functional level of the forest is
Windows Server 2008. All client computers on the network run Windows Vista Ultimate.
The company's headquarters is located in San Francisco. The company has three branch
offices located in San Jose, San Diego, and New Orleans. Each location is configured as
a different site. Each site location is configured as a separate domain too. The branch
offices are connected to the headquarters as shown in the image below:
The location information of the resources is placed in Active Directory. Users in the New
Orleans domain regularly search for available resources in Active Directory by using the
Entire Directory option. The users complain of slow response time while searching
Active Directory for resources. You are required to improve the response time for users
at the New Orleans office.
QUESTION NO: 17
You work as a Network Administrator for Maya Inc. The company has a Windows
network environment. The network is configured as a Windows Active Directory-based
single forest single domain network. The network contains Windows Server 2003 and
Windows Server 2008 domain controllers. Client computers on the network either run
Windows Vista Ultimate or Windows XP Professional. A new security policy is to be
implemented. It requires multiple password policies to be implemented on the network.
You are required to prepare the network for implementing the new security policy. Your
solution must involve minimum administrative efforts. Which of the following steps will
you take to accomplish the task?
Each correct answer represents a part of the solution. Choose two.
A. Upgrade all domain controllers running Windows Server 2003 to Windows Server
2008.
B. Raise the functional level of the forest to Windows Server 2008.
C. Configure different domains for different password policies.
D. Upgrade all computers running Windows XP Professional to Windows Vista.
E. Raise the functional level of the domain to Windows Server 2008.
Answer: A, E
QUESTION NO: 18
You work as a Network Administrator for Peach Tree Inc. The company has a Windows
Server 2003-based network. The company wants to upgrade all its Windows 2003
servers to Windows Server 2008.
Before upgrading the servers, you want to test the new operating system and its
reliability. You also want to test various different operating systems. Which of the
following features of Windows Server 2008 allows you to install and run different
operating systems on a single computer?
A. RODC
B. Hyper-V
C. RSoP
D. Online Responder
Which of the following designs will you use to fulfill the requirements of the company?
A. Create a multi-forest network.
Create a forest for each branch office and one for the main office.
Delegate the authority for the resource administration to the local Administrators for their
respective forests.
Delegate the authority to the main office's forest to the Domain Admins group only.
B. Create a single domain network.
Create an organizational unit (OU) for each branch office and an OU for the main office.
Delegate the authority for the resource administration to the local Administrators for their
own OUs.
Delegate the authority for the main office's OU to the Domain Admins group only.
C. Create a domain for the main office.
Create child domains for the branch offices.
Keep all the user accounts in the main office domain and the resources on each domain of
the branch offices.
Give Administrators Full Control access to the domain controllers.
D. Create a single domain network.
Create a site for each branch office and a site for the main office.
Delegate the authority for the resource administration to the local Administrators for their
respective sites.
Delegate the authority of the main office's site to the Domain Admins group only.
Answer: B
QUESTION NO: 20
You are the systems administrator for your company, a plastic container manufacturer
and distributor. The company's network consists of a single Active Directory forest. The
network contains an Internet Information Services (IIS) server that hosts a Web
application that allows users to purchase your company's products online.
QUESTION NO: 21
You administer your company's network. The network consists of a single Active
Directory domain. All servers run Windows Server 2008, and all client computers run
Windows Vista. The company's written security policy stipulates that employees must
use certificates for remote access and secure e-mail. Only designated administrators are
authorized to approve users' requests for certificates, issue certificates, and revoke
certificates.
You install Certificate Services on several servers and configure them as enterprise
certification authorities (CAs).
You must assign the appropriate privileges to the designated administrators in accordance
with the company policy. Which of the following should you do?
A. Issue an Enrollment Agent certificate to each designated administrator.
B. Assign the designated administrators to the Certificate Manager role on each CA.
C. Assign the Allow - Enroll permission for each certificate template to the designated
administrators.
D. Assign the Allow - Write permission for each CA to the designated administrators.
Answer: B
QUESTION NO: 22
You are the systems administrator for your company. The company's network consists of
a single Active Directory domain. A computer running Windows Server 2008 has both
Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory
Services (AD LDS) roles installed. The AD LDS server contains an instance with the
default name that is used by several applications that access data from and write data to
the AD LDS database.
Over time, users report to you that the AD LDS applications have become slow. To
resolve this problem, you want to defragment the AD LDS database.
QUESTION NO: 24
You are the network administrator for Network Corporation. Your network has a single
domain, and all of the domain controllers run Windows Server 2008.
A domain controller in the branch office failed this morning. This domain controller does
not hold any other roles.
You bring the domain controller back online, but you need to perform a nonauthoritative
restore of the domain controller. You do not have a critical volume backup of the domain
controller on hand, but you do have a recent full backup.
What should be your first action to perform a nonauthoritative restore of the domain
controller?
Answer: C
QUESTION NO: 25
You are the network administrator of your company. Your company has a main office
and a branch office. The main office network consists of a single Active Directory
domain.
You want to create a new domain for the branch office in the same forest as the main
office domain. Which operations master role must be available in the forest for you to
create a new domain for the branch office successfully?
A. Schema master
B. Domain naming master
C. Relative ID (RID) master
D. Primary domain controller (PDC) emulator master
E. Infrastructure master
Answer: B
QUESTION NO: 26
You are the network administrator of your company. You install Windows Server 2008
on all servers on the network. All client computers are configured to run Windows Vista.
You want to be able to use Advanced Encryption Standard (AES) with Kerberos for
encryption of Ticket Granting Tickets (TGTs), service tickets, and session keys.
What is the minimum domain functional level that is required to support AES encryption
with Kerberos?
A. Windows 2000 Server mixed
B. Windows 2000 Server native
C. Windows Server 2003
D. Windows Server 2008
Answer: D
QUESTION NO: 27
QUESTION NO: 28
You are the network administrator for your company. Your company's network has a
single forest with three domains. All domain controllers in your forest are Windows
Server 2008. Each domain is configured to be a separate site.
Recently the telephone company has changed the telephone number of a department in
the location of one of your company's domains. There are 55 accounts that are affected
by the telephone number change. You need to change the telephone number property in
the 55 different accounts.
You want to perform the update as quickly as possible. What should you do?
A. Use CSVDE to export the 55 accounts to a CSV file. Change the telephone number
and use CSVDE to import the accounts.
B. In Active Directory Users and Computers, select Find from the Action menu and
create a saved LDAP query that will return the 55 user accounts. Select all of the user
accounts returned by the query and simultaneously modify the telephone number in their
accounts' properties.
C. Create a saved LDAP query that will return user accounts of the 55 user accounts.
Export the results to a tab-delimited file, modify the expiration date in the file and use the
LDIFDE utility to import the file into Active Directory.
D. In Active Directory Users and Computers, select Find from the
Answer: B
QUESTION NO: 29
You are the administrator for a nationwide company with over 5,000 employees. Your
main office has approximately 4,500 employees, while the company's ten remote offices
have 50 users residing in each. You are often unaware of the physical security in place at
these offices. However, since there is a fairly sizable number of users at each office, you
must provide them with directory services.
What is the BEST option to use for directory services when security is often an
unknown?
Answer: B
QUESTION NO: 30
You are the administrator for a nationwide company with over 5,000 employees. Your
director tells you your company has just signed into a partnership with another
organization, and that you will be responsible for ensuring that authentication can occur
between both organizations without the need for additional sign-on accounts. Your boss
mentions that the partner has a variety of Directory Services installed throughout their
organizations. Which of the following can Active Directory Federation Services NOT
connect to?
Answer: B
QUESTION NO: 31
QUESTION NO: 32
You are creating a new standard primary zone for the company you work for, Name
Resolution University, using the domain nru.corp. You create the zone through the DNS
management console, and now you want to view the corresponding DNS zone file,
nru.corp.dns. Where do you need to look in order to find this file?
A. You cannot view the zone file because it is stored in Active Directory.
B. You can look in the %systemroot%\system32\dns folder.
C. You cannot view the DNS file except by using the DNS management console.
D. The DNS zone file is actually just a key in the Windows Registry. You need to use the
Registry Editor if you want to view the file.
Answer: B
QUESTION NO: 33
You have implemented DNS on a Windows Server 2008 Core Server installation. You
want to list the DNS zones on this server. What command-line utility would you use to
accomplish this?
A. ocsetup.
B. netsh.
C. dnscmd.
D. None of the above. You must use the GUI from another Windows Server
2008 host.
Answer: C
A. Helps you reset a computer password stored in Active Directory so the computer can
make a trusted connection with Active Directory.
B. Helps you reboot the computer.
C. Helps you restart netlogon services.
D. Helps you change the authentication protocol from NTLM to Kerberos.
Answer: A
QUESTION NO: 35
Josh is responsible for administering a small Active Directory domain. Recently, your
company has acquired a small company where all the computers are installed in a
workgroup. Which of the following operations must she perform in order to create the
computer accounts? (Choose all that apply.)
A. Select Start | Run, and then type in the joinallwks /user:administrator command.
B. Select Start | Programs | Administrative Tools | Active Directory Users and
Computers, and then right-click the computer container and create the computer objects.
C. Rename the existing computers in a workgroup.
D. Query for resources.
Answer: B
QUESTION NO: 36
Himma is managing an Active Directory environment of a medium-size company. He is
troubleshooting a problem with the Active Directory. One of the administrators made an
update to a user object and another reported that he had not seen the changes appear on
another DC. It was more than a week since the change was made. Robin checks the
problem by making a change to another Active Directory object. Within a few hours, the
change appears on a few DCs, but not on all of them. Which of the following is a
possible cause for this problem?
Answer: A
QUESTION NO: 37
A. Additional sites
B. Additional site links
C. Bridgehead servers
D. Site link bridges
Answer: D
QUESTION NO: 38
Maria is an administrator of a medium-size organization responsible for managing Active
Directory replication traffic. She finds an error in the replication configuration. How can
she look for specific error messages related to replication?
QUESTION NO: 39
Martin is going to be migrating his Lotus Notes environment into his newly established
Windows Server 2008 forest. He has guidance on what he will require for Group Policy
settings for the different teams and departments.
He has not yet created his OU structure. How should Joey proceed in creating the
required GPOs?
Answer: A
QUESTION NO: 40
A. You configure a GPO at the domain level, and publish the application to all
computers.
B. You configure a GPO at the site level, and assign the application to all computers.
C. You create a GPO with the required settings and link it into all OUs that have
computer accounts in it. You set the options to assign the application to computers.
D. You tell him it cannot be done.
Answer: D
QUESTION NO: 41
Joe is responsible for administering her company's PKI. The company has an offline root
CA and four enterprise subordinate CAs, each of which issues certificates to users in a
major division of the company.
As a result of corporate downsizing and reorganization, one of the four major divisions is
being disbanded. Betsy must ensure that resources on the network will not accept
certificates from the subordinate CA located in the division that is being disbanded.
Which of the following should she do? (Each correct answer represents part of the
solution. Choose three answers.)
A. At the disbanded division's subordinate CA, revoke all the certificates that it has
issued.
B. Uninstall the AD CS role from the disbanded division's subordinate CA.
C. Bring the offline root CA online, revoke the disbanded division's subordinate CA's
certificate, and then take the root CA back offline.
D. Publish a new base CRL.
E. Publish a new delta CRL.
F. Copy the new CRL to the network's CRL distribution point.
G. Add the AIA extension to all URLs where certificates issued by the disbanded
division's subordinate CA can be retrieved.
Answer: C, D, F
QUESTION NO: 42
Martin is responsible for administering AD CS within his company's AD DS domain. He
has configured a PKI that consists of a standalone root CA and two enterprise
subordinate CAs on servers running Windows Server 2008 Enterprise Edition. He wants
to configure the subordinate CAs to support the Online Responder service for keeping
track of revoked certificates. Which of the following tasks must Jim perform? (Each
correct answer represents part of the solution. Choose two answers.)
A. Enable the use of the OCSP Response Signing certificate template from the Certificate
Templates snap-in.
B. Configure the CA servers to publish delta CRLs.
C. From the Extensions tab of the CA server's Properties dialog box, configure a CRL
distribution point on the CA servers.
D. From the Extensions tab of the CA server's Properties dialog box, select the URL for
the online responder, and select the check box labeled Include in the AIA Extension of
Issued Certificates.
E. From the Extensions tab of the CA server's Properties dialog box, select the URL for
the online responder, and select the check boxes labeled Include in the AIA Extension of
Issued Certificates and Include in the Online Certificate Status Protocol (OCSP)
Extension.
Answer: A, E
QUESTION NO: 43
Lee is responsible for maintaining DNS on his company's AD DS network, which
consists of a single domain in which all servers run Windows Server 2008. The company
operates an office in downtown Denver and a suburban office in Littleton.
QUESTION NO: 44
Kevin is responsible for maintaining AD DS replication on his company's network,
which consists of three domains and nine sites. When he uses replmon to check the
automatically configured replication topology, he notices that connection paths are not
established in what he thinks is the optimum manner.
Answer: B
QUESTION NO: 45
Greg is the network administrator for a company that operates an AD DS network
consisting of a single domain. Company executives have signed a long-term partnership
agreement with another company that also operates an AD DS network. Users in Greg's
company will require access to rights-protected confidential information that is stored on
web servers located on the second company's network. Users in the second company will
not require access to documents on Greg's network.
Which two of the following should Carol configure on her network? (Each correct
answer represents part of the solution. Choose two answers.)
QUESTION NO: 46
You are the network administrator for a company that operates an AD DS network
consisting of a single domain. Servers run Windows Server 2008, and client computers
run Windows Vista Enterprise. The domain contains OUs that are structured according to
the departmental structure of the company, and all OUs have multiple GPOs linked to
them.
A. Use the Group Policy Modeling Wizard for the Design OU. Choose the Engineering
OU to simulate policy settings.
B.
Answer: A
QUESTION NO: 47
Joe's company operates an AD DS forest consisting of a single tree with an empty root
domain and five child domains that represent operational divisions. Joe is responsible for
maintaining the FSMO roles. In total, how many FSMO roles are present in this tree?
A. One schema master, one domain naming master, six RID masters, six PDC emulators,
and six infrastructure masters
B. One schema master, one domain naming master, five RID masters, five PDC
emulators, and five infrastructure masters
C. Six schema masters, six domain naming masters, six RID masters, six PDC emulators,
and six infrastructure masters
D. One schema master, one domain naming master, one RID master, one PDC emulator,
and one infrastructure master
Answer: A
QUESTION NO: 48
You administer the network for a catering company called Thoughtful Food. Your firm
operates a single domain AD DS network that includes three Windows Server 2008
computers and a mix of Windows XP Professional and Windows Vista Business clients.
Management has notified you that a competitor known as Engorge & Devour
has taken a keen interest in your pumpkin soup recipe. Two employees of Thoughtful
Food have recently resigned and taken up positions with Engorge & Devour, and
management is afraid that they will attempt to steal proprietary formulas and recipes
belonging to Thoughtful Food by breaking into your network. You are tasked with
improving logon security on Thoughtful Food's network by limiting the number of failed
logon attempts for all users on the network and by establishing an audit policy for
tracking failed logon attempts.
Which of the following tasks should you undertake to complete this task? (Each correct
answer represents part of the solution. Choose two answers.)
A. Edit the Default Domain Policy GPO to enable auditing and account lockout.
QUESTION NO: 49
Kevin is the senior network administrator for his company. The CIO has asked him to
create an OU structure that enables the Research department to administer its own user
accounts so that the IT department staff other than Kevin don't have permissions to this
OU. Kevin is the only member of the Enterprise Admins group, other than the
domain's default administrator account, whose password is known only by Kevin and the
CIO.
Kevin creates a Research Admins security group and Research OU, delegates
administrative permissions to the Research Admins group, and removes the IT
department security group from the permissions list.
A few days later, Kevin discovers that another administrator has been resetting user
accounts for Research employees. What has he missed?
A. Kevin needs to create a separate Research domain to isolate it from the corporate
domain.
B. Kevin needs to change the password on the domain administrator account because the
other administrator must be using that account.
C. Kevin needs to remove the Enterprise Admins group from the permissions list.
D. Kevin needs to remove the Domain Admins group from the permissions list.
Answer: D
QUESTION NO: 50
Jim is the systems administrator for a company that operates an AD DS network
consisting of a single domain. He is configuring the properties of several GPOs, one of
which is linked to the domain, and the others are linked to various OUs, including child
OUs. At the domain level, Jim configures a Restricted Desktop GPO that removes the
Network and Games folders from the Start menu. On the Scope tab for this policy in
Group Policy Management Console (GPMC), he sets the Enforced option to Yes. Jim
also configures another GPO that disables the removal of the Network folder, links it to
the IT OU, and specifies Block Inheritance so that the IT staff will be able to use this
folder. Later, a couple of IT staffers call to complain that they are unable to reach the
Network folder.
Answer: B