TestKing v10 70-640 MCTS Windows Server 2008 Active Directory Configuration

Microsoft 70-640
TS: Windows Server 2008 Active Directory, Configuring
Q&A with explanations

Version 10.0
Important Note, Please Read Carefully

Other TestKing products
A) Offline Testing engine
Use the offline Testing engine product to practice the questions in an exam environment.
B) Study Guide (not available for all exams)
Build a foundation of knowledge which will be useful also after passing the exam.

Latest Version
We are constantly reviewing our products. New material is added and old material is
revised. Free updates are available for 90 days after the purchase. You should check your
member zone at TestKing and update 3-4 days before the scheduled exam date.

Here is the procedure to get the latest version:

1. Go to www.testking.com
2.Click on Member zone/Log in
3.The latest versions of all purchased products are downloadable from here. Just click the
links.
For most updates it is enough to print the new questions at the end of the new version,
not the whole document.

Feedback
If you spot a possible improvement then please let us know. We are always interested in
improving product quality.
Feedback should be sent to feedback@testking.com. You should include the following:
Exam number, version, page number, question number, and your login ID.

Our experts will answer your mail promptly.

Copyright
Each iPAD file contains a unique serial number associated with your particular name and
contact information for security purposes. So if we find out that a particular iPAD file is
being distributed by you, TestKing reserves the right to take legal action against you
according to the International Copyright Laws.




                  Leading the way in IT testing and certification tools, www.testking.com
                                                                                            -2-
Table of contents
Topic 1, Configuring the Domain Name System (DNS) for Active Directory (13 Questions)
 Section 1, Configure zones (7 Questions)
 Section 2, Configure DNS server settings (5 Questions)
 Section 3, Configure zone transfers and replication (4 Questions)
Topic 2, Configuring the Active Directory Infrastructure (18 Questions)
 Section 1, Configure a forest or a domain (13 Questions)
 Section 2, Configure trusts (0 Questions)
 Section 3, Configure sites (0 Questions)
 Section 4, Configure Active Directory replication (4 Questions)
 Section 5, Configure the global catalog (1 Question)
 Section 6, Configure operations masters (1 Question)
Topic 3, Configuring Additional Active Directory Server Roles (27 Questions)
 Section 1, Configure Active Directory Lightweight Directory Service (AD LDS) (7 Questions)
 Section 2, Configure Active Directory Rights Management Service (AD RMS) (6 Questions)
 Section 3, Configure the read-only domain controller (RODC) (8 Questions)
 Section 4, Configure Active Directory Federation Services (AD FS) (7 Questions)
Topic 4, Creating and Maintaining Active Directory Objects (20 Questions)
 Section 1, Automate creation of Active Directory accounts (1 Question)
 Section 2, Maintain Active Directory accounts (6 Questions)
 Section 3, Create and apply Group Policy objects (GPOs) (4 Questions)
 Section 4, Configure GPO templates (1 Question)
 Section 5, Configure software deployment GPOs (3 Questions)
 Section 6, Configure account policies (1 Question)
 Section 7, Configure audit policy by using GPOs (5 Questions)
Topic 5, Maintaining the Active Directory Environment (21 Questions)
 Section 1, Configure backup and recovery (8 Questions)
 Section 2, Perform offline maintenance (5 Questions)
 Section 3, Configure custom application directory partitions (7 Questions)
Topic 6, Configuring Active Directory Certificate Services (6 Questions)
 Section 1, Install Active Directory Certificate Services (3 Questions)
 Section 2, Configure CA server settings (2 Questions)
 Section 3, Manage certificate templates (GPOs) (1 Question)
 Section 4, Manage enrollments (0 Questions)
 Section 5, Manage certificate revocations (1 Question)

Total number of questions: 110




Topic 1, Configuring the Domain Name System (DNS) for
Active Directory (13 Questions)

Section 1, Configure zones (7 Questions)
QUESTION NO: 1
TestKing.com has an Active Directory forest that contains a single domain named
ad.TestKing.com. All domain controllers are configured as DNS servers and have
Windows Server 2008 installed. The network has two Active directory-integrated
zones: TestKinges.com and TestKingws.com. The company has instructed you to
make sure that a user is able to modify records in TestKinges.com while preventing
the user from modifying the SOA record in TestKingws.com zone. What should you
do to achieve this task?

A. Modify the permissions of the TestKinges.com zone by accessing the DNS Manager
    Console
B. Configure the user permissions on TestKinges.com to include all the users and
    configure the user permissions on TestKingws.com to allow only the administrators
    group to modify the records
C. Modify the permission of TestKingws.com zone by accessing the DNS Manager
    Console
D. Modify the Domain Controllers organizational unit by accessing the Active Directory
    Users and Computers console.
E. None of the above.


Answer: A
Explanation:
Each Active Directory-integrated zone is a dnsZone object in the directory (under
CN=MicrosoftDNS in the DomainDnsZones or ForestDnsZones application partition), and every
record name in it is a child dnsNode object; the SOA record sits on the zone's "@" node.
The Security tab of the zone properties in DNS Manager edits the ACL of that zone object.
Granting the user write access on the TestKinges.com zone object therefore changes nothing
on TestKingws.com, whose ACL still allows only the default administrator groups (and the
owner of each node) to modify existing records such as the SOA. One caveat: the default
zone ACL grants Authenticated Users the right to create child objects, which is what secure
dynamic update relies on, so any domain user can still add new records to either zone; what
they cannot do without an explicit grant is modify records they do not own.
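The check a practitioner wants after making this change is to read the ACLs of both zone objects and confirm the user appears on one and not the other. The script below is an added example, not TestKing material. It assumes the Active Directory PowerShell module (Windows Server 2008 R2 or later; on 2008 RTM use dsacls instead), that both zones are stored in the DomainDnsZones partition of ad.TestKing.com, and a hypothetical user AD\jsmith.

```powershell
# Added example, not part of the TestKing material. Assumes the AD module and the
# DomainDnsZones partition of ad.TestKing.com; the user name is hypothetical.
Import-Module ActiveDirectory

$domainNc = 'DC=ad,DC=TestKing,DC=com'
$zones    = @('TestKinges.com', 'TestKingws.com')
$user     = 'AD\jsmith'   # hypothetical account from the question

function Get-ZoneDn([string]$zone, [string]$domainNc) {
    "DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainNc"
}

# Every Allow ACE on the zone object that permits changing records: writing
# properties, or creating/deleting child dnsNode objects.
function Get-ZoneWriteAccess([string]$zone) {
    $acl = Get-Acl -Path ("AD:\" + (Get-ZoneDn $zone $domainNc))
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ("$($_.ActiveDirectoryRights)" -match 'WriteProperty|CreateChild|DeleteChild|GenericWrite|GenericAll')
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

foreach ($z in $zones) {
    "== $z (before) =="
    Get-ZoneWriteAccess $z | Format-Table -AutoSize
}

# Grant the user write access on TestKinges.com only. TestKingws.com is not touched,
# so its SOA stays writable only by the default administrator groups.
$dn     = Get-ZoneDn 'TestKinges.com' $domainNc
$acl    = Get-Acl -Path "AD:\$dn"
$sid    = (New-Object System.Security.Principal.NTAccount($user)).Translate([System.Security.Principal.SecurityIdentifier])
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty'
$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$dn" -AclObject $acl

# Re-check: the user must now be listed for TestKinges.com and must not for TestKingws.com.
foreach ($z in $zones) {
    $hit = Get-ZoneWriteAccess $z | Where-Object { "$($_.IdentityReference)" -eq $user }
    "{0}: {1}" -f $z, $(if ($hit) { 'write access present' } else { 'no explicit write access' })
}
```

The "before" listing will show Authenticated Users with CreateChild on both zones; that is the default ACE behind secure dynamic update, and it is why a user can still add new records without being able to rewrite the SOA.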




QUESTION NO: 2


TestKing.com has an Active Directory Domain Controller. All domain controllers
are configured as DNS servers and have Windows Server 2008 installed. Only one
Active-Directory integrated DNS zone is configured on the domain. You need to
make sure that outdated DNS records are removed from the DNS zone
automatically. What should you do to achieve this task?

A. Modify the TTL of the SOA record by accessing the zone properties
B. Disable updates from the zone properties
C. Execute netsh/Reset DNS command from the Command prompt
D. Enable Scavenging by accessing the zone properties
E. None of the above


Answer: D
Explanation:
To have stale records removed automatically, enable aging and scavenging on the zone
(Zone properties, General tab, Aging). Scavenging deletes records, so it is built with
brakes. A dynamically registered record carries a timestamp; during the no-refresh interval
(7 days by default) the timestamp cannot be advanced, during the refresh interval (another
7 days) the client may refresh it, and only after both intervals have passed without a
refresh is the record eligible for deletion. The deletion itself happens only on a server
where scavenging is enabled in the server properties, and only once per scavenging interval
(7 days by default). Statically created records have no timestamp and are never scavenged.
Expect at least two weeks before anything disappears; conversely, intervals that are too
short, or servers with wrong clocks, delete live records, and the affected hosts vanish from
DNS until they re-register.
Reference:
http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845-88d2-4091-8088-a6bbce0a4304&ID=211
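Because scavenging deletes, the useful pre-flight check is to list which records would actually be removed before the first scavenging cycle runs. The following is an added example, not TestKing material: it turns the settings above into dnscmd calls and parses the [Aging:...] timestamps that dnscmd /EnumRecords prints for dynamic records. The server name is the question's; the 7-day intervals and the sample record lines are constructed for the example.

```powershell
# Added example, not part of the TestKing material. Intervals are given to dnscmd in
# hours; 168 h = 7 days is a typical value, not a mandatory one.
$server = 'TK1'
$zone   = 'TestKing.com'
$hours  = 168

# 1. Aging is a zone setting; the scavenging interval is a server setting. Both are
#    needed, and deletion only ever runs on a server where scavenging is enabled.
dnscmd $server /Config $zone /Aging 1
dnscmd $server /Config $zone /NoRefreshInterval $hours
dnscmd $server /Config $zone /RefreshInterval $hours
dnscmd $server /Config /ScavengingInterval $hours

# 2. Which records would go? /EnumRecords tags dynamically registered records with
#    [Aging:<hours since 1601-01-01 UTC>]; records without the tag are static and are
#    never scavenged. A record is eligible once timestamp + no-refresh + refresh is past.
function Get-ScavengeReport {
    param([string[]]$Lines, [int]$NoRefreshHours, [int]$RefreshHours, [datetime]$Now)
    $epoch = New-Object DateTime -ArgumentList 1601,1,1,0,0,0,([DateTimeKind]::Utc)
    foreach ($l in $Lines) {
        $stamp = $null; $eligible = $null; $scav = $false
        if ($l -match '^(?<name>\S+)\s+\[Aging:(?<age>\d+)\]\s+(?<ttl>\d+)\s+(?<type>\w+)\s+(?<data>.+)$') {
            $stamp    = $epoch.AddHours([int]$Matches['age'])
            $eligible = $stamp.AddHours($NoRefreshHours + $RefreshHours)
            $scav     = ($eligible -le $Now)
        } elseif ($l -match '^(?<name>\S+)\s+(?<ttl>\d+)\s+(?<type>\w+)\s+(?<data>.+)$') {
            # static record: no timestamp, never scavenged
        } else {
            continue   # header, footer or blank line
        }
        New-Object PSObject -Property @{
            Name = $Matches['name']; Type = $Matches['type']; Data = $Matches['data']
            Timestamp = $stamp; EligibleAfter = $eligible; Scavengeable = $scav
        }
    }
}

# Constructed sample in /EnumRecords format (not captured from a real server).
$sample = @(
    'host1     [Aging:3583200] 1200 A    10.0.0.21',   # registered early Oct 2009
    'host2     [Aging:3590000] 1200 A    10.0.0.22',   # registered mid 2010
    'printer   3600 A    10.0.0.50'                    # static
)
$now = New-Object DateTime -ArgumentList 2009,11,1,0,0,0,([DateTimeKind]::Utc)
Get-ScavengeReport -Lines $sample -NoRefreshHours $hours -RefreshHours $hours -Now $now |
    Format-Table Name, Type, Data, Timestamp, EligibleAfter, Scavengeable -AutoSize

# Against the live zone:
# Get-ScavengeReport -Lines (dnscmd $server /EnumRecords $zone '@' /Type A) `
#     -NoRefreshHours $hours -RefreshHours $hours -Now (Get-Date).ToUniversalTime()
```

With the sample data only host1 is flagged Scavengeable: its timestamp plus 14 days is before 1 November 2009, host2's is not, and the printer has no timestamp at all. If the live run flags records that you know are in use, fix the client's refresh (or the server's clock) before enabling the scavenging interval.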




QUESTION NO: 3
TestKing.com has a single Active Directory domain. You have configured all
domain controllers in the network as DNS servers and they run Windows Server
2008. A domain controller named TK1 has a standard Primary zone for
TestKing.com and a domain controller named TK2 has a standard secondary zone
for TestKing.com. You need to make sure that replication of the TestKing.com zone
between the two servers is encrypted so that zone data is not exposed in transit. What
should you do to achieve this task?

A. Create a stub zone and delete the secondary zone
B. Convert the primary zone into an active directory zone and delete the secondary zone
C. Change the interface where DNS server listens on both servers
D. On the standard primary zone, configure zone transfer settings. After that modify the
    master servers lists on the secondary zone
E. None of the above
Answer: B
Explanation:
A standard primary/secondary pair moves zone data with zone transfers (AXFR/IXFR over
TCP port 53), which Windows DNS sends in clear text. Converting the primary zone on TK1 to
an Active Directory-integrated zone stores it in the directory, and from then on it travels
between domain controllers as ordinary Active Directory replication, which is authenticated
and encrypted by the directory's RPC security. The secondary zone on TK2 is then redundant:
TK2 is a domain controller, so it loads its own writable copy from the directory. A stub
zone (A) holds only the SOA, NS and glue records, and zone transfer settings (D) restrict
who may pull the zone but do not encrypt the transfer.




QUESTION NO: 4
TestKing.com has a main office and a branch office. All servers in both offices run
Windows Server 2008. The offices are connected through a MAN link.
TestKing.com has an Active Directory domain that hosts a single domain called
maks.TestKing.com.

There is a domain controller in the maks.TestKing.com domain called TK1. It is
located in the main office. You have configured TK1 as a DNS server for the
maks.TestKing.com DNS zone. It is configured as a standard primary zone.

You are instructed to install a new domain controller called TK2 in the branch
office. After installing the domain controller, you install DNS on TK2. You want to
ensure that the DNS service on TK2 can update records and resolve DNS queries in
the event of a MAN link failure. What should you do to achieve this objective?

A. Configure the DNS on TK1 to forward requests to TK2
B. Add a secondary zone named maks.TestKing.com on TK2
C. Convert maks.TestKing.com on TK1 to an Active Directory-integrated zone
D. Configure a new stub zone on TK1 and set the forwarding option to TK2


Answer: C
Explanation:




To keep DNS on TK2 both resolving names and accepting updates while the MAN link is down,
convert maks.TestKing.com on TK1 to an Active Directory-integrated zone. Active
Directory-integrated DNS has two advantages over file-based zones. First, the fault
tolerance built into Active Directory removes the primary/secondary distinction: every
domain controller that loads the zone from the directory holds a writable copy, so TK2,
being a domain controller, keeps answering and keeps writing once the zone is in AD.
Second, that matters for dynamic DNS: domain controllers and workstations register their
records with dynamic updates, and in a file-based setup only the single primary server,
which holds the only read/write copy, can accept them. A secondary zone on TK2 (B) would
let it answer queries during the outage but not take updates, and forwarding or stub zones
(A, D) still depend on reaching TK1. With an Active Directory-integrated zone, any Windows
Server 2008 name server that stores the zone in AD accepts the registration, and the change
propagates through multi-master replication.
Reference:
http://safari.adobepress.com/9780596514112/active_directory-integrated_zones




QUESTION NO. 5
TestKing.com has a DNS server with 10 Active Directory Integrated Zones. For
auditing purposes, you need to provide copies of the zone files of the DNS server to
the security audit group. What should you do to achieve this task?

A. Execute ntdsutil > Partition Management > Display commands
B. execute ipconfig/registerdns command
C. execute the dnscmd/ZoneExport command
D. Execute dnscmd/Zoneoutput command

Answer: C
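dnscmd /ZoneExport writes a zone file for any zone type, including Active Directory-integrated ones, into %SystemRoot%\System32\dns on the server. The script below is an added example, not TestKing material: it exports every AD-integrated primary zone the server hosts, moves the files to an audit folder and records a SHA-256 of each so the audit group can check the copies were not altered afterwards. The server name and the output folder are assumptions.

```powershell
# Added example, not part of the TestKing material. /ZoneExport always writes into the
# server's System32\dns folder; the server name and $outDir are assumptions.
$server = 'TK1'
$outDir = 'C:\DnsAudit'
$dnsDir = Join-Path $env:SystemRoot 'System32\dns'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Zone names are the first column of /EnumZones; keep primary zones stored in AD
# (storage column AD-Domain, AD-Forest, AD-Legacy or a custom partition).
$zones = dnscmd $server /EnumZones | ForEach-Object {
    if ($_ -match '^\s*(?<zone>\S+)\s+Primary\s+AD-') { $Matches['zone'] }
}

$sha = [System.Security.Cryptography.SHA256]::Create()
$manifest = foreach ($z in $zones) {
    $file = "$z.audit.txt"
    dnscmd $server /ZoneExport $z $file | Out-Null
    $dst = Join-Path $outDir $file
    Move-Item -Path (Join-Path $dnsDir $file) -Destination $dst -Force
    $bytes = [System.IO.File]::ReadAllBytes($dst)
    $hash  = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    # Record lines are everything that is not a ";" comment or blank.
    $count = @(Get-Content $dst | Where-Object { $_ -and $_ -notmatch '^\s*;' }).Count
    New-Object PSObject -Property @{ Zone = $z; File = $dst; Records = $count; SHA256 = $hash }
}
$manifest | Format-Table Zone, Records, SHA256 -AutoSize
$manifest | Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation
```

Hand the audit group the folder together with manifest.csv; a second run on their side that reproduces the hashes proves the copies are intact.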




 QUESTION NO. 6
TestKing.com has a domain controller named EDC11 that runs Windows Server
2008. It is configured as a DNS server for TestKing.com. You install the DNS server
role on a member server named S1 and after this, you create a standard secondary
zone for TestKing.com. You configure EDC11 as the master server for the zone.
What should you do to make sure that S1 receives zone updates from EDC11?

A. On S1, add a conditional forwarder.



B. On EDC11, modify the zone transfer settings for the TestKing.com zone.
C. Add the S1 computer account to the DNSUpdateProxy group.
D. On EDC11, modify the permissions of the TestKing.com zone.

Answer: B




QUESTION NO. 7
TestKing.com has a network consisting of an Active Directory forest named
ebd.com. All servers run Windows Server 2008. All domain controllers are
configured as DNS servers. The ebd.com DNS zone is stored in the ForestDnsZones
Active directory partition. A member server contains a standard primary DNS zone
for eb.ebd.com. You need to make sure that all domain controllers can resolve
names for eb.ebd.com. What should you do to achieve this task?

A. Create a delegation in the ebd.com zone
B. Change the properties of SOA record in the eb.ebd.com zone
C. Add NS record in the ebd.com zone
D. Create a secondary zone on a Global catalog server

Answer: A




Section 2, Configure DNS server settings (5 Questions)
QUESTION NO: 1
TestKing.com has a main office and single branch office in another state.
Testking.com consists of a single Active-Directory domain forest. TestKing.com has
two domain controllers named TK1 and TK2. Both of the domain controllers run
Windows Server 2008. The branch office has a Read-only domain controller
(RODC) named TK3. All domain controllers have DNS server role installed and
they are configured as Active-Directory-integrated zones. All DNS zones are
configured to allow secure updates only. You want to enable dynamic DNS updates
on TK3. What should you do to achieve this task?

A. On TK1, create an application directory partition and configure the partition to store
    Active Directory-integrated zones
B. Uninstall the Active Directory Domain services on TK3 and reinstall it as a writeable
    domain controller


C. Reconfigure RODC on TK3 to allow dynamic updates
D. Execute dnscmd/ZoneResetType command on TK3


Answer: B
Explanation:
An RODC holds a read-only replica of every partition it hosts, including the DNS
application partitions, so the DNS server on TK3 cannot write records. When a client tries
a dynamic update against TK3, the RODC answers the client's SOA query with the name of a
writable domain controller, the client sends the update there, and the RODC then pulls that
single changed record back (replicate-single-object). If TK3 itself must accept updates, it
has to be a writable domain controller, which means removing AD DS from it and promoting it
again without the RODC option.
Reference: http://msdn.microsoft.com/en-us/library/cc207937.aspx


QUESTION NO.2
TestKing.com has a large network that consists of an Active Directory Forest
containing a single domain. Windows Server 2008 is installed on all domain
controllers. They are configured as DNS servers. TestKing.com has an active
directory-integrated zone with two Active Directory sites. Each site contains five
domain controllers. You added a new NS record to the zone. You have to make sure
that all domain controllers immediately receive the new NS record. What should
you do to achieve this task?

A. Execute repadmin/syncall from the command prompt
B. Reload the zone from the DNS Manager console
C. Create an SOA record from the DNS Manager console
D. Shutdown and then, restart the DNS server service from services snap-in

Answer: A
Explanation:
The zone is stored in an application directory partition, so the new NS record reaches the
other nine domain controllers only through Active Directory replication, and the site link
between the two sites replicates on a schedule. repadmin /syncall forces that replication
now (with /e it crosses site boundaries, with /P it pushes from the named DC outward).
Reloading the zone or restarting the DNS service on one server only re-reads that server's
own copy of the directory, and a zone has exactly one SOA, so C is not an option.
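Forcing replication is only half the job; the other half is proving that every domain controller now serves the record. The script below is an added example, not TestKing material: it pushes the DNS partition from the DC where the record was added, asks each DNS server to re-read its zone from the directory, and queries each one for the NS record. The zone, DC names, NS host name and the partition DN (domain-wide scope, DomainDnsZones) are assumptions.

```powershell
# Added example, not part of the TestKing material. Zone, DC list, NS name and partition
# DN are assumptions; change them to match the forest.
$zone     = 'ad.TestKing.com'
$nc       = 'DC=DomainDnsZones,DC=ad,DC=TestKing,DC=com'
$sourceDc = 'TK1'                     # the DC on which the NS record was created
$newNs    = 'tk11.ad.testking.com.'   # the record that must appear everywhere
$allDcs   = 'TK1','TK2','TK3'         # every DC/DNS server to verify

# 1. Push only the DNS partition from TK1 outward: /e crosses site boundaries,
#    /P pushes from the named DC, /d prints DNs instead of GUIDs in the output.
repadmin /syncall $sourceDc $nc /e /P /d

# 2. The DNS service polls the directory for changes on its own interval; ask each
#    server to pick up the replicated objects now rather than waiting for the poll.
foreach ($dc in $allDcs) { dnscmd $dc /ZoneUpdateFromDs $zone | Out-Null }

# 3. Confirm the NS record is served by each DC, not just stored in its directory copy.
function Test-NsPresent([string]$dc, [string]$zone, [string]$ns) {
    $out = dnscmd $dc /EnumRecords $zone '@' /Type NS
    [bool]($out -match [regex]::Escape($ns))
}
foreach ($dc in $allDcs) {
    "{0}: {1}" -f $dc, $(if (Test-NsPresent $dc $zone $newNs) { 'NS present' } else { 'MISSING' })
}
```

A DC that still reports MISSING after this has a replication problem (check repadmin /showrepl against it), not a DNS problem.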




 QUESTION NO. 3
TestKing.com has an Active Directory domain named comm.TestKing.com. The
domain contains two domain controllers named TK1 and TK2. Both servers have
the DNS server role installed.
You install a new DNS server named ns.TestKing.com on the perimeter network.
You configure TK1 to forward all unresolved name requests to ns.TestKing.com but
you discover that the DNS forward option is unavailable on TK2. You need to
configure DNS forwarding on TK2 server to forward unresolved name requests to
ns.TestKing.com server. Which of the following two actions should you perform to
achieve this task?

A. Clean the DNS cache on TK2
B. Configure conditional forwarding on TK2
C. Delete the Root zone on TK2
D. Add zone forwarding on TK2

Answer: B, C


QUESTION NO. 4
TestKing.com has a domain controller that runs Windows Server 2008. It is
configured as a DNS server. You need to record all inbound DNS queries to the
server. What should you configure in the DNS Manager Console?

A. To log errors and warnings, configure event logging
B. Disable automatic logs for recursive queries
C. Enable automatic testing for recursive queries
D. Enable debug logging

Answer: D
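Debug logging (server properties, Debug Logging tab) writes every packet the server chooses to log, so the file is only useful with a parser. The following is an added example, not TestKing material: a PowerShell parser for the Windows Server 2008 DNS debug log line format (date, time, thread, PACKET, packet id, protocol, Snd/Rcv, remote address, XID, Q/R, opcode, flags, question type, question name) that keeps inbound queries, counts them per client and flags zone-transfer and ANY requests. The log lines are constructed for the example and the field layout is what I expect from the server's log; check one real line against the regular expression before relying on it.

```powershell
# Added example, not part of the TestKing material. Parses the DNS debug log packet
# lines; the sample lines are constructed, not captured from a server.
function ConvertFrom-DnsDebugLog {
    param([string[]]$Lines)
    $re = '^(?<date>\S+)\s+(?<time>\d+:\d+:\d+(?:\s+[AP]M)?)\s+(?<tid>[0-9A-Fa-f]+)\s+PACKET\s+' +
          '(?<pkt>[0-9A-Fa-f]+)\s+(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>\S+)\s+' +
          '(?<xid>[0-9A-Fa-f]+)\s+(?<qr>R?)\s+(?<op>[QNU?])\s+' +
          '\[(?<flags>[0-9A-Fa-f]+)\s+(?<fchars>[A-Z ]*?)\s*(?<rcode>[A-Z]+)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)'
    foreach ($l in $Lines) {
        if ($l -match $re) {
            # Names are logged as (len)label(len)label(0); turn them back into dotted form.
            $name = ($Matches['qname'] -replace '\(\d+\)', '.').Trim('.')
            if (-not $name) { $name = '.' }
            New-Object PSObject -Property @{
                Time = "$($Matches['date']) $($Matches['time'])"; Proto = $Matches['proto']
                Direction = $Matches['dir']; Client = $Matches['ip']; Xid = $Matches['xid']
                IsResponse = ($Matches['qr'] -eq 'R'); Opcode = $Matches['op']
                RCode = $Matches['rcode']; QType = $Matches['qtype']; QName = $name
            }
        }
    }
}

# Constructed sample: a normal lookup and its answer, an ANY query, and a zone
# transfer attempt from an outside address.
$sample = @(
 '3/10/2010 10:31:05 AM 0A8C PACKET  0000000002B7F7B0 UDP Rcv 10.0.0.50       0002   Q [0001   D   NOERROR] A      (3)www(8)testking(3)com(0)',
 '3/10/2010 10:31:05 AM 0A8C PACKET  0000000002B7F7B0 UDP Snd 10.0.0.50       0002 R Q [8085 A DR  NOERROR] A      (3)www(8)testking(3)com(0)',
 '3/10/2010 10:31:06 AM 0A8C PACKET  0000000002B7F9A0 UDP Rcv 10.0.0.77       0003   Q [0001   D   NOERROR] ANY    (8)testking(3)com(0)',
 '3/10/2010 10:31:07 AM 0A8C PACKET  0000000002B7FB10 TCP Rcv 203.0.113.9     0004   Q [0000       NOERROR] AXFR   (8)testking(3)com(0)'
)

$packets = ConvertFrom-DnsDebugLog -Lines $sample
# "Inbound queries" = received packets that are not responses.
$inbound = $packets | Where-Object { $_.Direction -eq 'Rcv' -and -not $_.IsResponse }

"Inbound queries per client:"
$inbound | Group-Object Client | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

"Worth an alert (zone transfer or ANY requests):"
$inbound | Where-Object { 'AXFR','IXFR','ANY' -contains $_.QType } |
    Format-Table Time, Client, Proto, QType, QName -AutoSize

# Live log: the file chosen on the Debug Logging tab, e.g.
# ConvertFrom-DnsDebugLog -Lines (Get-Content "$env:SystemRoot\System32\dns\dns.log")
```

Two practical notes: debug logging costs disk and CPU on a domain controller, so cap the file size on the tab and turn it off when the investigation ends, and the log records only the server's view; if a DNS server also sits behind a load balancer the client address is the balancer's.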


QUESTION NO. 5
TestKing.com has two Active Directory forests named Testking.com and acme.com.
The company network has three DNS servers named TestKingA, TestKingB, and
TestKingC. The DNS servers are configured as shown in the Exhibit.

Exhibit:




All computers that belong to the acme.com domain have TestKingC configured as
the preferred DNS server. All other computers use TestKingA as the preferred DNS
server. Users from the acme.com domain are unable to connect to the servers that
belong to the TestKing.com domain. You need to ensure users in the acme.com
domain are able to resolve all TestKing.com queries. What should you do to achieve
this task?

A. Create a copy of the _msdcs.Testking.com zone on the TestKingC server.
B. Configure conditional forwarding on TestKingA and TestKingB to forward acme.com
queries to TestKingC.
C. Configure conditional forwarding on TestKingC to forward TestKing.com queries to
TestKingA.
D. Create a copy of the acme.com zone on the TestKingA server and the TestKingB
server.

Answer: C




Section 3, Configure zone transfers and replication (4 Questions)
QUESTION NO. 1
TestKing.com has a main office and ten branch offices. Testking.com has an Active
Directory forest that hosts a single domain. Each office has one domain controller
and each is configured as an Active Directory site. All sites are connected with the
DEFAULTIPSITELINK object. You need to decrease the replication latency
between the domain controllers. What should you do to achieve this task?

A. Decrease the cost between the connection objects
B. Decrease the connection replication interval for all connection objects
C. Decrease the replication interval for the DEFAULTIPSITELINK object
D. Increase the replication interval for the DEFAULTIPSITELINK object

Answer: C
Explanation:
Every site is attached to the one site link, so the replication interval on
DEFAULTIPSITELINK determines how often the bridgehead domain controllers exchange changes
across the WAN. The default is 180 minutes and the smallest value the KCC honours is 15.
Site-link cost (A) only affects which route the KCC prefers when there are several, and
connection objects (B) take their schedule from the site link rather than carrying one of
their own.
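The setting lives on the site-link object in the configuration partition, so it can be read and changed with plain ADSI on Windows Server 2008 without any extra module. The script below is an added example, not TestKing material: it shows the link's current cost, interval and member sites, lowers the interval to the 15-minute floor, and optionally switches on inter-site change notification. It assumes the forest's configuration partition is reachable from where it runs.

```powershell
# Added example, not part of the TestKing material. Uses ADSI only; assumes the script
# runs on a domain member that can read the configuration partition.
$root   = [ADSI]'LDAP://RootDSE'
$config = $root.Properties['configurationNamingContext'].Value
$link   = [ADSI]"LDAP://CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,$config"

function Get-SiteLinkSettings($l) {
    New-Object PSObject -Property @{
        Name     = $l.Properties['cn'].Value
        Cost     = $l.Properties['cost'].Value
        Interval = $l.Properties['replInterval'].Value          # minutes between cycles
        Notify   = (([int]($l.Properties['options'].Value)) -band 1) -eq 1
        Sites    = @($l.Properties['siteList']) -replace '^CN=([^,]+),.*', '$1'
    }
}
"Before:"; Get-SiteLinkSettings $link | Format-List

# replInterval is minutes between inter-site replication cycles on this link.
# 15 is the smallest value the KCC honours (default 180).
$link.Put('replInterval', 15)

# Optional: bit 1 of "options" enables inter-site change notification, so urgent changes
# (password resets, lockouts) cross the link immediately instead of waiting for the next
# cycle. Appropriate for well-connected offices; leave it off on slow or metered links.
$opts = [int]($link.Properties['options'].Value)
$link.Put('options', ($opts -bor 1))

$link.SetInfo()
"After:"; Get-SiteLinkSettings $link | Format-List
# Confirm the new schedule has taken effect on the bridgeheads: repadmin /replsummary
```

The change itself replicates to the other sites on the old schedule, so the shorter interval is fully in force only after one more cycle.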


QUESTION NO. 2




The TestKing.com network consists of a single Active Directory domain. Ten
domain controllers are present in the domain. All domain controllers run Windows
Server 2008 and are configured as DNS servers. You are instructed to create a new
Active Directory-integrated zone. You need to make sure that the new zone is only
replicated to four of your domain controllers. What should you do first?

A. execute dnscmd/enlistdirectorypartition from the command prompt
B. Configure a delegation in the DomainDnsZones application directory partition
C. Configure a new delegation in the ForestDnsZones application directory partition
D. Run dnscmd/createdirectorypartition from the command prompt

Answer: D
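Questions 3 and 4 of Section 1 (convert a standard primary zone to Active Directory-integrated and drop the secondary), this question (replicate the zone to only four domain controllers) and Question 3 of Topic 2, Section 1 (secure-only updates) are all steps of the same procedure, so here is one worked example that carries it through end to end. It is an added example, not TestKing material. Server names follow the questions (TK1 primary, TK2 secondary); the partition name, the list of four DCs, and the exact spelling of the partition switch on /ZoneResetType are assumptions, so confirm the latter with dnscmd /ZoneResetType /? before running.

```powershell
# Added example, not part of the TestKing material. Partition name and DC list are
# assumptions; the dnscmd switches are the ones I expect on Windows Server 2008.
$primary   = 'TK1'
$secondary = 'TK2'
$zone      = 'TestKing.com'
$partition = 'DnsReplicaFour.ad.TestKing.com'   # assumed name for the custom partition
$members   = 'TK1','TK2','TK3','TK4'             # the four DCs that should hold the zone

# 1. Create the application directory partition and enlist only the DCs that should
#    replicate it (the creating server is enlisted automatically).
dnscmd $primary /CreateDirectoryPartition $partition
foreach ($dc in $members) { dnscmd $dc /EnlistDirectoryPartition $partition }

# 2. Convert the file-based primary zone into an AD-integrated zone stored in that
#    partition. The zone now moves between DCs inside authenticated, encrypted AD
#    replication instead of clear-text AXFR/IXFR, and only the enlisted DCs receive it.
dnscmd $primary /ZoneResetType $zone /DsPrimary /DirectoryPartition $partition

# 3. Secure dynamic updates only: 0 = none, 1 = nonsecure and secure, 2 = secure only.
#    Value 2 is accepted only for AD-integrated zones.
dnscmd $primary /Config $zone /AllowUpdate 2

# 4. The secondary copy on TK2 is now redundant: TK2 is enlisted and loads a writable copy.
dnscmd $secondary /ZoneDelete $zone /f

# 5. Verify on every DC: zone type, storage, partition and update setting.
function Get-ZoneFacts([string]$server, [string]$zone) {
    $info = dnscmd $server /ZoneInfo $zone
    $pick = { param($key) ($info | Where-Object { $_ -match "^\s*$key\s*=" }) -replace '^[^=]*=\s*', '' }
    New-Object PSObject -Property @{
        Server       = $server
        ZoneType     = & $pick 'zone type'            # 1 = primary
        DsIntegrated = & $pick 'DS integrated'        # 1 = stored in AD
        Partition    = & $pick 'directory partition'
        AllowUpdate  = & $pick 'update'               # 2 = secure only
    }
}
foreach ($dc in $members) { Get-ZoneFacts $dc $zone }
```

Run step 5 against a DC that is not in the list as well: it must not find the zone at all, which is the whole point of the custom partition.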


QUESTION NO. 3
TestKing.com has an Active Directory domain called TestKing.com which contains
two DNS servers named TestKingA and TestKingB. The DNS servers are
configured as shown in the Exhibit.


Exhibit:




Domain users are unable to connect to Internet websites while using TestKingB as
their preferred DNS server. You need to enable Internet name resolution for all
client computers. What should you do to achieve this task?

A. Delete the .(root) zone from TestKingB. Configure conditional forwarding on
    TestKingB.
B. Update the Cache.dns file on TestKingB. Configure conditional forwarding on
    TestKingA.
C. Create a copy of the .(root) zone on TestKingA.
D. Update the list of root hints servers on TestKingB.



Answer: A
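This question, Question 3 of Section 2 (forwarders greyed out on TK2) and Question 5 of Section 2 (conditional forwarder for acme.com) describe one configuration: remove the root zone that is blocking recursion, set server-wide forwarders, and add a conditional forwarder for the other forest; the conditional forwarder is asked once more in Topic 2, Section 1, Question 1. The script below is an added example, not TestKing material, that does all three and checks the result. Server names follow the questions; the forwarder addresses are assumptions.

```powershell
# Added example, not part of the TestKing material. Server names are the questions';
# both IP addresses are assumptions.
$server    = 'TK2'
$perimeter = '10.0.1.10'    # ns.TestKing.com on the perimeter network (Section 2, Q3)
$acmeDns   = '10.1.0.10'    # TestKingC, authoritative for acme.com (Section 2, Q5)

function Test-RootZone([string]$srv) {
    # A zone named "." (shown as .(root) in DNS Manager) makes this server believe it is
    # the Internet root: it never uses root hints or forwarders, and the Forwarders tab
    # is greyed out. /EnumZones prints the zone name in the first column.
    [bool]((dnscmd $srv /EnumZones) -match '^\s*\.\s+')
}

if (Test-RootZone $server) { dnscmd $server /ZoneDelete '.' /f }

# Server-wide forwarders for everything this server is not authoritative for. /Slave
# makes it forward-only: if the perimeter resolver is down, lookups fail rather than the
# domain controller recursing to the Internet on its own.
dnscmd $server /ResetForwarders $perimeter /Slave

# Conditional forwarder: only acme.com goes to acme's server; no copy of the zone is kept.
dnscmd $server /ZoneAdd acme.com /Forwarder $acmeDns

# Check: forwarder settings, zone list, and two lookups that must succeed.
function Test-Resolves([string]$name, [string]$srv) {
    $out = (nslookup $name $srv 2>&1) -join "`n"
    ($out -match 'Name:\s+\S+') -and ($out -notmatch "can't find")
}
dnscmd $server /Info | Where-Object { $_ -match 'forward|slave' }
dnscmd $server /EnumZones
"www.acme.com     resolves: " + (Test-Resolves 'www.acme.com' $server)
"www.testking.com resolves: " + (Test-Resolves 'www.testking.com' $server)
```

If the root-zone check still returns true after the delete, the "." zone is Active Directory-integrated and was re-created from another DC; delete it there (or with the /f flag on each server) and clear the cache with dnscmd /ClearCache.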


QUESTION NO. 4
TestKing.com has an Active Directory forest. All domain controllers run Windows
Server 2008 and are configured as DNS servers. You have an Active
Directory-integrated zone for TestKing.com. You have a Unix-based DNS server.
You need to configure your Windows Server 2008 environment to allow zone
transfers of the TestKing.com zone to the Unix-based DNS server. What should you
do in the DNS Manager console?

A. Create a secondary zone.
B. Enable BIND secondaries.
C. Disable recursion.
D. Create a stub zone.

Answer: B
Explanation:
Windows DNS sends zone transfers in a "fast" format (compressed names, several records per
message) that BIND versions before 4.9.4 cannot parse. Enabling BIND secondaries in the
server's Advanced properties (server setting BindSecondaries) makes the server send one
uncompressed record per message to every secondary. The zone's transfer settings must still
list the Unix server as an allowed secondary; a secondary or stub zone (A, D) would be
created on the Unix server, not on the Windows side, and disabling recursion (C) has nothing
to do with transfers.
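Question 6 of Section 1 (a Windows secondary must receive transfers from EDC11) and this question (a Unix secondary must receive them too) are two halves of the same zone-transfer configuration, so one added example, not TestKing material, covers both: restrict transfers to the two secondaries, notify them on change, switch on BIND-compatible transfers, and test that an address outside the list is refused. The server and zone names follow the questions; the two secondary addresses are assumptions.

```powershell
# Added example, not part of the TestKing material. Names follow the questions; both
# secondary addresses are assumptions.
$master  = 'EDC11'
$zone    = 'TestKing.com'
$winSec  = '10.0.0.20'   # S1, the Windows secondary from Section 1, Question 6
$unixSec = '10.0.0.30'   # the Unix (BIND) secondary from this question

# 1. Transfers only to the listed secondaries, and notify them when the zone changes.
#    /SecureList replaces the default, which on a new zone allows transfers to any server.
dnscmd $master /ZoneResetSecondaries $zone /SecureList $winSec $unixSec /NotifyList $winSec $unixSec

# 2. Old BIND secondaries cannot read the Windows fast transfer format; this server-wide
#    switch sends one uncompressed record per message to all secondaries.
dnscmd $master /Config /BindSecondaries 1

# 3. Read the settings back.
dnscmd $master /ZoneInfo $zone | Where-Object { $_ -match 'secondar|notify' }
dnscmd $master /Info BindSecondaries

# 4. A transfer attempt from this host: "ls -d" asks nslookup for a full zone transfer.
#    Run from a machine that is NOT in the list; the expected result is $false.
function Test-ZoneTransfer([string]$srv, [string]$z) {
    $out = ("ls -d $z`nexit" | nslookup - $srv 2>&1) -join "`n"
    $out -notmatch "Can't list domain"
}
"Transfer allowed from this host: " + (Test-ZoneTransfer $master $zone)
```

Restricting transfers is the single most effective step against zone enumeration from the network; the BIND switch costs nothing on a small zone but makes large transfers slower, so leave it off if the only secondaries are Windows servers.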




 Topic 2, Configuring the Active Directory Infrastructure
(18 Questions)

Section 1, Configure a forest or a domain (13 Questions)
QUESTION NO: 1
TestKing.com has an Active Directory domain called es.TestKing.com.
TestKing.com has a subsidiary company named Woksworks Inc. Woksworks Inc.
has an Active Directory domain called intranet.woksworks.com. Since the
woksworks Inc. security policy doesn't allow the transfer of internal DNS zone data
outside the woksworks network, you have to make sure that TestKing.com users are
able to resolve names from intranet.woksworks.com domain. What should you do to
achieve this task?

A. Set conditional forwarding for the intranet.woksworks.com domain
B. Put intranet.woksworks.com in the Active Directory of TestKing.com
C. Create a subzone for the intranet.woksworks.com domain
D. Reconfigure the intranet.woksworks.com domain as a standard secondary zone

E. None of the above


Answer: A
Explanation:
Without a copy of the woksworks zone, TestKing.com servers must hand such queries to a
server that has one. A conditional forwarder is a DNS server setting that sends every query
for a named domain (here intranet.woksworks.com) to the listed IP addresses instead of
using root hints or the general forwarders. A secondary zone (D) or hosting the zone in
TestKing.com's directory (B) would require zone data to leave the woksworks network, which
its policy forbids; a subzone (C) would make TestKing.com's own servers answer for names
they do not own.




QUESTION NO: 2
TestKing.com has an Active Directory domain called ad.TestKing.com. There are
two domain controllers on the network: TK1 and TK2. Other administrators try to
log on to the domain controllers but their logon attempts fail. You need to identify
the logon attempts on the domain controllers. What should you do to achieve this
task?

A. Check the security tab on the domain controller computer object
B. Access the Event Viewer on the Administrators workstations.
C. Check the security log on domain controller using event viewer
D. Execute netsh/events command on the command prompt
E. None of the above


Answer: C
Explanation:
Logon attempts at a domain controller are written to its Security log (Event Viewer,
Windows Logs, Security). On Windows Server 2008 a successful logon is event 4624 and a
failure is 4625; a 4625 records the account name, logon type, failure status and
sub-status, and the source workstation name and IP address. Domain controllers audit logon
events by default, so no policy change is needed. Each DC logs only the attempts made
against it, so both TK1 and TK2 must be examined; the administrators' own workstations (B)
hold nothing about logons at the DC. Domain logons that fail at Kerberos
pre-authentication appear as 4771 (and NTLM failures as 4776) on the DC rather than as 4625.
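Reading 4625 events one at a time in the Event Viewer does not scale across two DCs, and the interesting fields are in the event's XML data, not its description. The following is an added example, not TestKing material: it pulls the failed logons from both domain controllers with Get-WinEvent (present on Windows Server 2008), extracts the account, source address and failure sub-status, and groups by source to separate a forgotten password from a password spray. DC names follow the question; the 24-hour window and the threshold of ten failures are assumptions.

```powershell
# Added example, not part of the TestKing material. DC names follow the question; the
# time window and the alert threshold are assumptions.
$dcs   = 'TK1','TK2'
$since = (Get-Date).AddHours(-24)

function Get-FailedLogons {
    param([string]$Computer, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        # The named fields live in EventData/Data[@Name]; pull them from the XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            DC = $Computer; Time = $_.TimeCreated
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            SourceIP    = $d['IpAddress']; Workstation = $d['WorkstationName']
            LogonType   = $d['LogonType']; SubStatus = $d['SubStatus']
        }
      }
}

$failed = foreach ($dc in $dcs) { Get-FailedLogons -Computer $dc -Since $since }
$failed | Sort-Object Time | Format-Table Time, DC, User, SourceIP, LogonType, SubStatus -AutoSize

# SubStatus says why: 0xC000006A wrong password, 0xC0000064 no such account,
# 0xC0000234 account locked out, 0xC0000072 account disabled.
# Many wrong-password failures from one address against several accounts is a spray.
$failed | Group-Object SourceIP | Where-Object { $_.Count -ge 10 } |
    Select-Object Name, Count,
        @{ n = 'Users'; e = { @($_.Group | Select-Object -ExpandProperty User | Sort-Object -Unique).Count } }
```

Logon type 2 is an interactive logon at the DC's console, type 10 is Remote Desktop and type 3 is a network logon; for the administrators in the question the first two are the ones to look at.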




QUESTION NO: 3
TestKing.com has a single Active Directory domain called int.TestKing.com. You
have installed domain controllers with a DNS server role. The domain controllers
run Windows Server 2008. Every computer in the domain including non-domain
members register their DNS records dynamically. You want only the domain
members to register their DNS records dynamically. What should you do to
configure int.TestKing.com?



A. Configure zone transfers to Name Servers
B. Set the Primary DNS server to register authenticated members only
C. Disable Everyone group in the Dynamic Objects permission
D. Set the option Secure only for Dynamic updates
E. None of the above


Answer: D
Explanation:
With "Secure only" dynamic updates the DNS server accepts an update only after the client
authenticates with Kerberos (GSS-TSIG), and the record it creates is a directory object
owned by that client's computer account, so machines outside the domain can neither
register nor overwrite records. The option is available only on Active Directory-integrated
zones, which these are. There is no "authenticated members only" server setting (B), and
editing the zone ACL (C) does not separate domain members from anonymous updaters.
Reference:
www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncf_imp_afpf.mspx




QUESTION NO: 4
TestKing.com has instructed you to decommission the domain controllers that host all
forest-wide operations master roles. Before you take these domain controllers down, you
want to transfer all forest-wide operations master roles to another domain controller.
Which two roles should you transfer to achieve this objective? (Choose two answers. Each
answer is a part of the complete solution)


A. Domain naming master
B. Secondary domain master
C. Forest-wide server master roles
D. Schema master
E. PDC Master


Answer: A, D
Explanation:
The forest has exactly two forest-wide roles, so these are the ones to move before the
decommissioning. Schema master: the schema master controls all updates and modifications
to the schema; to update the schema of a forest you must have access to it, and there is
only one in the whole forest. Domain naming master: the domain naming master controls the
addition and removal of domains (and application directory partitions) in the forest, and
again there is only one per forest. The PDC emulator (E), RID master and infrastructure
master are per-domain roles. Transfer the roles while the old holders are still online;
seizing them with ntdsutil is for holders that are already gone and must never be brought
back.

Reference: http://support.microsoft.com/kb/324801
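The KB article walks through ntdsutil; the same transfer can be scripted, and more importantly verified, with plain ADSI on Windows Server 2008. The script below is an added example, not TestKing material: it reads all five fSMORoleOwner attributes to show who holds what, then transfers the two forest-wide roles by writing the becomeSchemaMaster and becomeDomainMaster operational attributes on the RootDSE of the new holder. TK2 as the new holder is an assumption.

```powershell
# Added example, not part of the TestKing material. ADSI only (no AD module needed);
# the new role holder TK2 is an assumption.
$target = 'TK2'

function Get-FsmoHolders {
    $root   = [ADSI]'LDAP://RootDSE'
    $domain = $root.Properties['defaultNamingContext'].Value
    $config = $root.Properties['configurationNamingContext'].Value
    $schema = $root.Properties['schemaNamingContext'].Value
    $roles  = @{
        'Schema master'         = "LDAP://$schema"                        # forest-wide
        'Domain naming master'  = "LDAP://CN=Partitions,$config"          # forest-wide
        'PDC emulator'          = "LDAP://$domain"
        'RID master'            = "LDAP://CN=RID Manager`$,CN=System,$domain"
        'Infrastructure master' = "LDAP://CN=Infrastructure,$domain"
    }
    foreach ($r in $roles.Keys) {
        $obj = [ADSI]$roles[$r]
        # fSMORoleOwner is the DN of the holder's NTDS Settings object; its parent is
        # the server object, which carries the DC's host name.
        $ntds   = [ADSI]"LDAP://$($obj.Properties['fSMORoleOwner'].Value)"
        $server = [ADSI]$ntds.Parent
        New-Object PSObject -Property @{ Role = $r; Holder = $server.Properties['dNSHostName'].Value }
    }
}

# Transfer: write the become* attribute on the RootDSE of the DC that should take the
# role. That DC contacts the current holder and they hand over cleanly, which is why
# the old holder must still be online for a transfer (a seizure is a different thing).
function Move-FsmoRole([string]$NewHolder, [string]$Attribute) {
    $rootDse = [ADSI]"LDAP://$NewHolder/RootDSE"
    $rootDse.Put($Attribute, 1)
    $rootDse.SetInfo()
}

"Before:"; Get-FsmoHolders | Format-Table Role, Holder -AutoSize
Move-FsmoRole -NewHolder $target -Attribute 'becomeSchemaMaster'   # requires Schema Admins
Move-FsmoRole -NewHolder $target -Attribute 'becomeDomainMaster'   # requires Enterprise Admins
"After:";  Get-FsmoHolders | Format-Table Role, Holder -AutoSize
# Per-domain roles use the same mechanism: becomePdc, becomeRidMaster,
# becomeInfrastructureMaster (Domain Admins).
```

Get-FsmoHolders binds to whichever DC the serverless RootDSE resolves to, so immediately after the transfer another DC may still show the old holder until the change replicates; run it against the old holder to confirm it agrees.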


QUESTION NO. 5
TestKing.com has a single Active Directory domain. The domain controllers run
Windows Server 2003. You are instructed to upgrade all domain controllers to
Windows Server 2008. To accomplish this task, you have to configure the Active
Directory environment to support multiple password policies. What should you do
to achieve this task?

A. Create four Active Directory sites
B. Execute dcpromo/adv on all domain controllers
C. Execute dcpromo/adv on only 2 domain controllers
D. Set the functional level of the domain to Windows Server 2008

Answer: D
Explanation:
Fine-grained password policies, implemented as Password Settings Objects, require the
Windows Server 2008 domain functional level, which can only be set once every domain
controller runs Windows Server 2008. Below that level a domain has exactly one password
policy, the one in the Default Domain Policy. Sites (A) and the dcpromo options (B, C) do
not change the directory's feature set.


QUESTION NO. 6
TestKing.com has an Active Directory forest that hosts Windows Server 2003
domain controllers only. You are instructed to install Windows Server 2008 domain
controllers. To do this, you need to prepare the Active Directory domain for the
installation of Windows Server 2008 domain controllers. Which of the following two
actions should you perform to achieve this task? (Choose two answers. Each answer
is a part of a complete solution)

A. Raise the domain functional level to Windows Server 2008
B. Execute adprep /domainprep on the server
C. Raise the forest functional level to Windows Server 2008
D. Execute adprep /forestprep on the server

Answer: B, D




QUESTION NO: 7




TestKing.com has two active directory forests named Eb1.com and Eb2.com. Both
forests have domain controllers that run Windows Server 2008. Windows Server
2008 is the domain functional level of Eb1.com. The domain functional level of
Eb2.com is Windows Server 2003 Native mode. As per instructions, you configure
an external trust between Eb1.com and Eb2.com. To achieve this, you need to
enable the Kerberos AES encryption option. What should you do to achieve this
task?

A. Raise the forest functional level of Eb2.com to Windows Server 2008
B. Configure a new forest trust and enable forest-wide authentication
C. Drop the forest functional level of Eb1.com to Windows Server 2003
D. Raise the domain functional level of Eb2.com to Windows Server 2008

Answer: D
Explanation:
The trust property "The other domain supports Kerberos AES encryption" can only be used
when the domain on each side is at the Windows Server 2008 domain functional level, which
is what makes the AES128 and AES256 Kerberos encryption types available. Eb1.com is already
there; Eb2.com is at Windows Server 2003, so its domain functional level must be raised.
The forest functional level (A) is not the gate, and a forest trust (B) would not change
the encryption types either.


QUESTION NO. 8
TestKing.com has an Active Directory forest with a single domain. The domain has
Windows Server 2008 set as its functional level. You are instructed to create a
global distribution group and add users to it. After creating the group and adding
users, you create a shared folder on a Windows Server 2008 member server and
place the global distribution group in a domain local group that has access to the
shared folder. What should you do to ensure that the users can access the shared
folder?

A. Rename the global distribution group to a universal distribution group
B. Change the forest functional level to Windows Server 2008
C. Add Domain Administrators to the global distribution group
D. Modify the group type of the global distribution group to a security group

Answer: D




QUESTION NO. 9
TestKing.com has a single Active Directory domain. All the domain controllers run
Windows Server 2003. You install Windows Server 2008 on a server. You need to
ensure that the new server is added as a domain controller in the domain. What
should you do to achieve this task?

A. Execute dcpromo/controllerprep on a new server

B. Run adprep/forestprep command on a domain controller
C. Run adprep/rodcprep on a new server
D. Run dcpromo/createaccount on a domain controller

Answer: B


QUESTION NO. 10
TestKing.com has a single Active Directory domain named ad.TestKing.com.
Windows Server 2008 is installed on all domain controllers. The domain functional
level and forest functional level are set to Windows 2000 native mode. You need to
ensure the UPN suffix for TestKing.com is available for user accounts. What should
you do first to achieve this task?

A. Change the Primary DNS Suffix option in the Default Domain Controllers Group
Policy Object (GPO) to TestKing.com.
B. Add the new UPN suffix to the forest.
C. Raise the TestKing.com domain functional level to Windows Server 2003 or Windows
Server 2008.
D. Raise the TestKing.com forest functional level to Windows Server 2003 or Windows
Server 2008.

Answer: B


QUESTION NO. 11
TestKing.com has offices in North America and Asia. It has an Active Directory
forest with two domains. You are assigned the task to reduce the time required to
authenticate users from the el.as.TestKing.com domain when they access resources
in the tests.na.TestKing.com domain. What should you do to achieve this task?

A. Create a one-way shortcut trust from tests.na.TestKing.com to el.as.TestKing.com.
B. Increase the replication interval for the DEFAULTIPSITELINK site link
C. Create a one-way shortcut trust from el.as.TestKing.com to tests.na.TestKing.com
D. Increase the replication interval for all connections objects.

Answer: A


QUESTION NO. 12
The TestKing.com network has an Active Directory forest that contains one parent
domain and one child domain. The child domain has two domain controllers that
run Windows Server 2008. All user accounts from the child domain are migrated to
the parent domain. The child domain is scheduled to be decommissioned. You need
to remove the child domain from the Active Directory forest. What are two possible
ways to achieve this goal? (Choose two answers. Each answer is part of the complete
solution.)

A. Use Server Manager on both domain controllers in the child domain to uninstall the
Active Directory domain services role.
B. Run the Dcpromo tool that has individual answer files on each domain controller in
the child domain.
C. Delete the computer accounts for each domain controller in the child domain. Remove
the trust relationship between the parent domain and the child domain.
D. Run the Computer Management console to stop the Domain Controller service on
both domain controllers in the child domain.

Answer: A, B
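Added example (not part of the TestKing material): an answer file for the dcpromo route in answer B, written and run from PowerShell on a child domain controller. The [DCInstall] keys are the documented dcpromo /unattend demotion keys; the domain names, account names and passwords are assumptions.

```powershell
# Added example: unattended demotion of a child-domain DC with dcpromo /unattend.
# Assumed: child domain child.TestKing.com, forest root TestKing.com, and an
# Enterprise Admins account TestKing\Administrator. Run on each child DC in turn;
# set IsLastDCInDomain=Yes only on the final DC, which removes the domain itself.

$answerFile = 'C:\demote.txt'

# dcpromo answer files are INI-style text. Passwords are in clear text, so the
# file is deleted as soon as dcpromo has read it.
@'
[DCInstall]
; Enterprise Admins credentials: needed to remove the child domain from the forest
UserName=Administrator
UserDomain=TestKing.com
Password=P@ssw0rd-Enterprise
; Local Administrator password the server gets once it is a member server again
AdministratorPassword=P@ssw0rd-Local
; Yes on the last DC only: deletes the domain, its partitions and the parent-child trust
IsLastDCInDomain=Yes
RemoveApplicationPartitions=Yes
; If this DC also hosts DNS, remove the delegation from the parent zone
RemoveDNSDelegation=Yes
DNSDelegationUserName=Administrator
DNSDelegationPassword=P@ssw0rd-Enterprise
; Reboot by hand after checking the log
RebootOnCompletion=No
'@ | Set-Content -Path $answerFile -Encoding ASCII

& dcpromo /unattend:$answerFile
"dcpromo exit code: $LASTEXITCODE (details in $env:SystemRoot\debug\dcpromo.log)"

Remove-Item $answerFile -Force
# Review dcpromo.log, then: shutdown /r /t 0
```

On the DC that is not the last one, use IsLastDCInDomain=No; on a successful last-DC demotion the trust and the domain's naming context disappear from the forest, so no separate trust removal (option C) is needed.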


QUESTION NO. 13
TestKing.com network consists of a single Active Directory domain. The functional
level of the forest is Windows Server 2008. You need to create multiple password
policies for users in your domain. What should you do?

A. From the ADSI Edit snap-in, create multiple Password Setting objects.
B. From the Group Policy Management snap-in, create multiple Group Policy objects.
C. From the Schema snap-in, create multiple class schema objects.
D. From the Security Configuration Wizard, create multiple security policies.

Answer: A



Section 2, Configure trusts (0 Questions)
Section 3, Configure sites (0 Questions)

Section 4, Configure Active Directory replication (4 Questions)
QUESTION NO. 1
TestKing.com has a network consisting of a single Active Directory domain. All
domain controllers run Windows Server 2003. TestKing.com instructs you to
upgrade all domain controllers to Windows Server 2008. After upgrading the
domain controllers, you need to ensure that the ebsysvolume share replicates by
using DFS Replication (DFS-R). What should you do to achieve this task?

A. Run dfsutil /addrot:ebsysvolume at the command prompt
B. Run netdom /dfs-r from the command prompt
C. Run dcpromo /attend:attendfile.xml
D. Raise the functional level of the domain to Windows Server 2008

Answer: D
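Added example (not part of the TestKing material). Raising the domain functional level is the prerequisite, but it does not by itself switch SYSVOL from FRS to DFS-R: a domain whose DCs were upgraded keeps using FRS until you run the dfsrmig migration. The script below checks the functional level and then drives dfsrmig through its three states; the single-domain layout is assumed, and the success string it looks for is the one dfsrmig prints on Windows Server 2008 (treated here as an assumption, adjust it if your build words it differently).

```powershell
# Added example: verify the domain functional level, then migrate SYSVOL from
# FRS to DFS-R with dfsrmig. Run on the PDC emulator as a Domain Admin.
# Assumed: one domain, all DCs already upgraded to Windows Server 2008.

# rootDSE publishes the level as an integer: 0 = 2000, 2 = 2003, 3 = 2008.
$rootDse = [ADSI]'LDAP://RootDSE'
$dfl = [int]$rootDse.Properties['domainFunctionality'].Value
if ($dfl -lt 3) {
    throw "Domain functional level is $dfl; raise it to Windows Server 2008 (3) in Active Directory Domains and Trusts first"
}

# dfsrmig global states: 0 Start (FRS), 1 Prepared, 2 Redirected, 3 Eliminated.
# Every DC must report the current state before the next one is requested.
function Set-SysvolMigrationState([int]$target) {
    & dfsrmig /setglobalstate $target | Out-Null
    do {
        Start-Sleep -Seconds 60
        $report = (& dfsrmig /getmigrationstate) -join "`n"
        # Assumed success text as printed by dfsrmig on Windows Server 2008
        $done = $report -match 'All Domain Controllers have migrated successfully'
    } until ($done)
    "State $target reached on all domain controllers"
}

Set-SysvolMigrationState 1   # Prepared: DFS-R copy (SYSVOL_DFSR) built next to the FRS copy
Set-SysvolMigrationState 2   # Redirected: the SYSVOL share now points at the DFS-R copy
Set-SysvolMigrationState 3   # Eliminated: FRS replication of SYSVOL removed; no rollback from here

& dfsrmig /getglobalstate
```

States 1 and 2 can be rolled back with /setglobalstate 0 or 1; state 3 cannot, so confirm Group Policy processing works from the redirected share before eliminating FRS.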


QUESTION NO. 2
TestKing.com has a network that consists of a single Active Directory domain.
Windows Server 2008 is installed on all domain controllers in the network. You are
instructed to capture all replication errors from all domain controllers to a central
location. What should you do to achieve this task?

A. Initiate the Active Directory Diagnostics data collector set
B. Configure event log subscriptions
C. Initiate the System Performance data collector set
D. Create a new capture in the Network Monitor

Answer: B


QUESTION NO. 3
TestKing.com has an existing Active Directory site named esite4. You create a new
Active Directory site and name it esite5. To configure Active Directory replication
between esite4 and esite5, you install a new domain controller and create the site
link between esite4 and esite5. What should you do next to achieve this task?

A. Use the Active Directory Sites and Services console to configure the new domain
controller as a preferred bridgehead server for esite4.
B. Use the Active Directory Sites and Services console to decrease the site link cost
between esite4 and esite5.
C. Use the Active Directory Sites and Services console to assign a new IP subnet to
esite5. Move the new domain controller object to esite5.
D. Use the Active Directory Sites and Services console to configure a new site link
bridge object.

Answer: C

QUESTION NO. 4
TestKing.com has a main office and three branch offices. Each office is configured
as a separate Active Directory site that has its own domain controller. You disable
an account that has administrative rights. You need to immediately replicate the
disabled account information to all sites. What are two possible ways to achieve this
goal? (Each correct answer presents a complete solution. Choose two.)

A. From the Active Directory Sites and Services console, select the existing connection
objects and force replication.
B. From the Active Directory Sites and Services console, configure all domain
controllers as global catalog servers.
C. Use Repadmin.exe to force replication between the site connection objects.
D. Use Dsmod.exe to configure all domain controllers as global catalog servers.

Answer: A, C
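Added example (not part of the TestKing material) for the repadmin route in answer C. Disabling an account is an urgent replication trigger only inside a site; across site links the change waits for the schedule unless you push it, which is what /syncall does here. The DC and user names are assumptions.

```powershell
# Added example: disable an account on the hub DC, push the change to every site,
# and confirm each site's DC sees the account as disabled.
# Assumed names: hub DC TK-DC1, branch DCs TK-DC2..TK-DC4, user John Smith.
# Run as a Domain Admin where repadmin.exe and the ds* tools are available.

$userDn = 'CN=John Smith,OU=Admins,DC=TestKing,DC=com'
$dcs    = 'TK-DC1', 'TK-DC2', 'TK-DC3', 'TK-DC4'

# 1. Make the originating write on the hub DC (-s targets a specific DC).
& dsmod user $userDn -disabled yes -s TK-DC1

# 2. Push from the hub to all partners:
#    /A all naming contexts, /P push, /e enterprise (cross-site), /d report DNs.
& repadmin /syncall TK-DC1 /APed

# 3. Verify on every DC rather than trusting the hub's view.
function Get-AccountDisabledState([string]$dc, [string]$dn) {
    # dsget prints a header line "disabled" followed by the value line
    $lines = & dsget user $dn -disabled -s $dc
    ($lines | Select-Object -Last 1).Trim()
}

foreach ($dc in $dcs) {
    $state = Get-AccountDisabledState $dc $userDn
    "{0,-8} disabled={1}" -f $dc, $state
    if ($state -ne 'yes') { Write-Warning "$dc has not received the change yet; check repadmin /showrepl $dc" }
}
```

/syncall on its own does not wait for the far end to apply the change; the per-DC dsget check is what tells you the disabled flag has actually landed in each site.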




Section 5, Configure the global catalog (1 Questions)
QUESTION NO. 1
TestKing.com has a main office and 15 branch offices. An Active Directory site with
one domain controller is installed in each office. Only domain controllers in the
main office are configured as Global Catalog servers. On the domain controllers in
the branch offices, you need to deactivate the Universal Group Membership
Caching (UGMC) option. However, you need to deactivate UGMC on a certain
level. On which level should you deactivate UGMC?

A. Site
B. domain controllers
C. Forest
D. Connection object

Answer: A




Section 6, Configure operations masters (1 Question)
QUESTION NO. 1
TestKing.com has an Active Directory domain and two domain controllers named
TK1 and TK2. TK1 hosts the Schema Master Role. Suddenly TK1 fails. To rectify
the problem, you log on to Active Directory using the administrator account. You
are trying to transfer the Schema Master Operations role but you are unsuccessful.
What should you do to ensure that TK2 holds the Schema Master role?

A. Register Schmmgmt.dll on the Active Directory domain and start the Active Directory
    Schema snap-in
B. Configure TK2 as a Primary domain controller
C. Join the Schema Administrators group and modify the Schema settings to save records
    on TK2
D. Seize the Schema Master role on TK2
E. None of the above


Answer: D
Explanation:
TK1, the current schema master, is offline, so the role cannot be transferred: a
transfer requires both the current holder and the new holder to be online and
replicating. Seize the role on TK2 instead, with ntdsutil (roles, connect to server
TK2, seize schema master) or with the Active Directory Schema snap-in. Seizing is a
drastic step to be taken only when the current holder will never return to service:
after the seizure TK1 must not be brought back online with its old directory database,
because two schema masters in one forest can corrupt the schema partition. Remove TK1's
metadata from the directory and, if the hardware is repaired, reinstall it from scratch.
Reference:
http://technet2.microsoft.com/windowsserver/en/library/d4301a14-dd18-4b3c-a3cc-ec9a773f7ffb1033.mspx?mfr
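Added example (not part of the TestKing material): the seizure in answer D carried out with ntdsutil from PowerShell, followed by the two checks a practitioner wants, that the role really moved and that the dead holder's metadata is gone. The site name and domain are assumptions.

```powershell
# Added example: seize the schema master on TK2 after TK1 has failed permanently.
# Assumed: logged on to TK2 with an account in Schema Admins; TK1 was in site
# Default-First-Site-Name of domain TestKing.com.

# 1. Seize. ntdsutil first tries a normal transfer and only seizes when the
#    current holder cannot be contacted; it pops a confirmation dialog before seizing.
& ntdsutil 'roles' 'connections' 'connect to server TK2' 'quit' 'seize schema master' 'quit' 'quit'

# 2. Verify that the forest now reports TK2 as schema master.
$holder = (& dsquery server -hasfsmo schema) -join ''
if ($holder -notmatch '^"?CN=TK2,') {
    throw "Schema master is still reported as: $holder"
}
"Schema master is now $holder"

# 3. TK1 must never come back with its old database. Remove its server metadata so
#    the KCC and other DCs forget it; rebuild it as a new DC if the hardware recovers.
$tk1ServerDn = 'CN=TK1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=TestKing,DC=com'
& ntdsutil 'metadata cleanup' "remove selected server $tk1ServerDn" 'quit' 'quit'

# 4. Confirm nothing still lists TK1 as a replication partner.
& repadmin /showrepl TK2 | Select-String 'TK1'
```

If step 4 prints anything, the cleanup did not finish; repeat it or delete the leftover connection objects in Active Directory Sites and Services before considering the forest healthy.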




Topic 3, Configuring Additional Active Directory Server
Roles (27 Questions)



Section 1, Configure Active Directory Lightweight Directory
Service (AD LDS) (7 Questions)

QUESTION NO: 1 DRAG DROP
Exhibit:




A server named TK-LDS1 resides in the TestKing LAN and has the Active
Directory Domain Services (AD DS) role and the Active Directory Lightweight
Directory Services (AD LDS) role installed.

An AD LDS instance named TKLDS1 stores its data on the default application
directory partition.
The drive letters, size and space available on the TK-LDS1 server are configured as
shown in the table exhibit.

You find that the AD LDS database files are growing quickly, so you decide to
relocate the AD LDS application partition to the D: drive where more space is
available. Which three actions should you perform, and in what order? Note: Some
answer choices will not be used.

Answer:
Explanation:

QUESTION NO: 2
TestKing.com has a network that is comprised of a single Active Directory Domain.
As an administrator at TestKing.com, you install Active Directory Lightweight
Directory Services (AD LDS) on a server that runs Windows Server 2008. To enable
Secure Sockets Layer (SSL) based connections to the AD LDS server, you install
certificates from a trusted Certification Authority (CA) on the AD LDS server and
client computers. Which tool should you use to test the certificate with AD LDS?

A. Ldp.exe
B. Active Directory Domain services
C. ntdsutil.exe
D. Lds.exe
E. wsamain.exe
F. None of the above


Answer: A
Explanation:
To test the certificate with AD LDS, use Ldp.exe. AD LDS accepts SSL connections only
when a certificate issued for server authentication by a CA that the clients trust is
installed on the computer running AD LDS. Ldp.exe is a graphical LDAP client: run it on
the AD LDS server, connect to the local instance on its SSL port with the SSL check box
selected, and then bind. A successful bind over SSL proves that the certificate is
installed in the right store, that it is trusted, and that the instance can use it.




QUESTION NO: 3
The Active Directory Domain Services (AD DS) and Active Directory Lightweight
Directory Services (AD LDS) roles are installed on a Windows Server 2008 named
TestKing-LDS1.

An AD LDS instance named LDS1 is storing its data on the default application
directory partition. The AD LDS database files are growing very fast and you need
to relocate the AD LDS application partition to the D: Drive.

What actions you need to perform to do the same? (Select 3. Each option will form a
part of answer)

A. Run the net stop "Domain Controller" command
B. Run the net stop TestKing-LDS1 command
C. Use the Ntdsutil tool to move the database files
D. Run the xcopy command to move the database files
E. Run the net start TestKing-LDS1 command
F. Run the net start "Domain Controller" command


Answer: B, C, E
Explanation:
To relocate the AD LDS application partition to the D: drive, move the instance's
database and log files with Dsdbutil (Ntdsutil in Windows Server 2008 can also target an
AD LDS instance through its activate instance command). Dsdbutil.exe is the AD LDS
counterpart of Ntdsutil.exe: it performs database maintenance, moves database and log
files, creates installation media and manages application directory partitions. Copying
the files with xcopy does not update the instance's registry settings, so the instance
would not start.

The database is open while the instance runs, so first stop the AD LDS instance service
(net stop <instance name>), move the files, then start the service again (net start
<instance name>). Only the AD LDS instance is stopped; the Domain Controller (NTDS)
service on TestKing-LDS1 keeps running, which is why stopping and starting it is not part
of the answer.

Reference: Using Ntdsutil

http://technet2.microsoft.com/windowsserver/en/library/5b1d983d-ffab-4514-a95e-6aa0420dacb51033.mspx?mf


Reference: Event ID 1136 - Schema Operations

http://technet2.microsoft.com/windowsserver2008/en/library/6a5d89c1-81df-445b-b67d-d5ce9b0fed921033.msp




QUESTION NO: 4
You are formulating the backup strategy for Active Directory Lightweight
Directory Services (AD LDS) to ensure that data and log files are backed up
regularly. This will also ensure the continued availability of data to applications and
users in the event of a system failure.

Because you have limited media resources, you decide to backup only a specific
ADLDS instance instead of taking backup of the entire volume. What should you do
to accomplish this task?

A. Use Windows Server backup utility and enable checkbox to take only backup of
database and log files of AD LDS
B. Use Dsdbutil.exe tool to create installation media that corresponds only to the ADLDS
instance
C. Move AD LDS database and log files on a separate volume and use windows server
backup utility
D. None of the above


Answer: B
Explanation:
To back up a single AD LDS instance instead of the entire volume, use Dsdbutil.exe to
create installation media for that instance. Its ifm command writes a copy of the
instance's database (and, for a full backup, the registry settings that describe the
instance) to a folder you choose, so the backup covers exactly that instance and can be
restored or used to seed a new replica. Windows Server Backup in Windows Server 2008
works at the volume level, so it cannot select an individual instance's files (option A),
and moving the files to a separate volume (option C) still backs up the whole volume.

Reference: Step 1: Back Up AD LDS Instance Data

http://technet2.microsoft.com/windowsserver2008/en/library/8e82c111-32da-430e-a954-c0dbe9f4607f1033.msp
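Added example (not part of the TestKing material) covering both of the previous two questions: stopping an AD LDS instance, moving its database and logs to D: with dsdbutil, restarting it, and then taking an instance-only backup with dsdbutil ifm. The instance name and paths are assumptions.

```powershell
# Added example: move an AD LDS instance's files to D: and back up just that instance.
# Assumed: instance display name LDS1 on a server that also runs AD DS; the
# Domain Controller (NTDS) service is left running, only the instance is stopped.
# Run in an elevated PowerShell session on the server.

$instance = 'LDS1'
$dbDir    = 'D:\ADLDS\LDS1\Data'
$logDir   = 'D:\ADLDS\LDS1\Logs'
$ifmDir   = 'D:\Backups\LDS1-IFM'

New-Item -ItemType Directory -Force -Path $dbDir, $logDir, $ifmDir | Out-Null

# 1. Stop only this instance. net stop accepts the service display name, which
#    for an AD LDS instance is the instance name.
& net stop $instance

# 2. dsdbutil works on one instance at a time ('activate instance'). The 'files'
#    submenu moves the files and rewrites the instance's registry paths; a plain
#    copy would leave the registry pointing at the old location.
& dsdbutil "activate instance $instance" 'files' "move db to $dbDir" "move logs to $logDir" 'quit' 'quit'

# 3. Start the instance and print where it now keeps its files.
& net start $instance
& dsdbutil "activate instance $instance" 'files' 'info' 'quit' 'quit'

# 4. Instance-scoped backup: 'ifm create full' writes the database plus the
#    registry settings of this instance only, which a volume-level backup cannot do.
& dsdbutil "activate instance $instance" 'ifm' "create full $ifmDir" 'quit' 'quit'

Get-ChildItem -Recurse $ifmDir | Select-Object FullName, Length
```

Restrict the NTFS permissions on the IFM folder to administrators: it is a complete copy of the directory, including any secrets applications store in it.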




QUESTION NO: 5
TestKing.com has installed a server. You are assigned to install and run an instance
of Active Directory Lightweight Directory Service (AD LDS). After doing the
necessary configurations, you start an instance of AD LDS successfully.

Now you need to create new Organizational Units in the AD LDS application
directory partition. What should you do to create new OUs in the AD LDS
application directory partition?

A. To create the OUs, use the dsmod OU <OrganizationalUnitDN> command
B. Employ ADSI Edit Snap-in to create the OUs on the AD LDS application directory
    partition
C. Create OUs by executing dsadd OU <OrganizationalUnitDN> command
D. Create OUs on the AD LDS application directory partition by using Active Directory
    Users and Computers snap-in.


Answer: B
Explanation:
To create OUs in the AD LDS application directory partition, use the ADSI Edit snap-in,
which can connect to any LDAP directory, including an AD LDS instance on its own port.
ADSI Edit runs in a Microsoft Management Console (MMC); the default console that
contains it is AdsiEdit.msc. If the snap-in is not loaded in your MMC, add it through
the Add/Remove Snap-in menu, or open AdsiEdit.msc from Windows Explorer. Active
Directory Users and Computers manages AD DS domains only and cannot target an AD LDS
partition, and the dsadd and dsmod commands are likewise written for AD DS.
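Added example (not part of the TestKing material): the same OU creation done by script with PowerShell's [ADSI] adapter, which binds to the instance the way ADSI Edit does. The server name, LDAP port, partition name and OU names are assumptions; the account running the script is assumed to be in the partition's Administrators role.

```powershell
# Added example: create OUs in an AD LDS application partition over LDAP.
# Assumed: server TK-LDS1, instance listening on port 50000, partition
# CN=TKLDS1,DC=TestKing,DC=com, current Windows account is in the partition's
# Administrators role. Run on any domain-joined machine that can reach the port.

$partitionPath = 'LDAP://TK-LDS1:50000/CN=TKLDS1,DC=TestKing,DC=com'
$partition = [ADSI]$partitionPath
if (-not $partition.distinguishedName) {
    throw "Cannot bind to $partitionPath; check the port and the partition name"
}

function New-LdsOu([System.DirectoryServices.DirectoryEntry]$parent, [string]$name) {
    # AD LDS partitions have no domain head; objects hang directly off the partition DN.
    $ou = $parent.Create('organizationalUnit', "OU=$name")
    $ou.SetInfo()      # nothing reaches the directory until SetInfo()
    $ou
}

$branch = New-LdsOu $partition 'Branch Users'
$null   = New-LdsOu $branch    'Asia'         # nested OU under Branch Users

# Verify: list the OUs directly under the partition head.
$partition.Children |
    Where-Object { $_.SchemaClassName -eq 'organizationalUnit' } |
    ForEach-Object { $_.distinguishedName }
```

An instance installed on a domain controller cannot use port 389, which is why the example binds to an explicit port; look the port up in the AD LDS service's properties if you did not choose it yourself.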

QUESTION NO: 6
TestKing.com has a server that runs on Windows Server 2008. The server also has
an instance of Active Directory Lightweight Directory Services (AD LDS) running.
In order to test AD LDS, you need to replicate the AD LDS instance on a test
computer located on the network. What should you do to achieve this objective?

A. Execute AD LDS Setup wizard on the test computer to create and install a replica of
    AD LDS.
B. Execute repadmin/bs <servername> command on the test computer
C. Install and configure a new AD LDS instance on the test computer by copy and
    pasting the entire partition on the test computer
D. Execute the Dsmgmt command on the test computer and create a naming context

Answer: A
Explanation
To replicate the AD LDS instance on a test computer, run the Active Directory
Lightweight Directory Services Setup Wizard on the test computer and choose "A replica
of an existing instance". The wizard contacts the source instance over LDAP, copies its
schema and configuration together with the application partitions you select, and joins
the new instance to the same configuration set, so the two instances replicate with each
other from then on. The source instance must be reachable on its LDAP port and the
account you supply must be allowed to read it. Copying the database files to another
computer (option C) produces a second copy that never replicates, and neither repadmin
nor Dsmgmt creates instances.




QUESTION NO. 7
TestKing.com has a server named TKD1. Active Directory Domain Services (AD
DS) role and the Active Directory Lightweight Services (AD LDS) role are installed
on TKD1. An instance of AD LDS named ELDS1 stores its data on the C: drive.
You need to relocate the ELDS1 instance to the D: drive. Which three actions
should you perform in sequence to achieve this task? (To answer, move the three
appropriate actions from the list of action on the left to the list on the right in a
correct order.)

Answer:
Explanation:

Section 2, Configure Active Directory Rights Management
Service (AD RMS) (6 Questions)

QUESTION NO: 1
TestKing.com has a server with Active Directory Rights Management Services (AD
RMS) server installed. Testking.com has an Active Directory domain installed at
Windows Server 2003 functional level. Users have computers with Windows Vista
installed on them. As an administrator at TestKing.com, you discover that the users
are unable to benefit from AD RMS to protect their documents. You need to
configure AD RMS to enable users to use it and protect their documents. What
should you do to achieve this functionality?

A. Configure an email account in Active Directory Domain Services (AD DS) for each
    user.
B. Add and configure ADRMSADMIN account in local administrators group on the user
    computers
C. Add and configure the ADRMSSRVC account in AD RMS server's local
    administrator group
D. Reinstall the Active Directory domain on user computers
E. All of the above


Answer: A
Explanation:
To enable users to protect their documents with AD RMS, configure an e-mail address in
AD DS for each user. AD RMS identifies users by the e-mail address on their AD DS
account: when a client requests a rights account certificate (RAC), the AD RMS server
looks up the account's e-mail address and binds the certificate to it, and rights granted
to groups are likewise resolved through the groups' e-mail addresses. A user whose
account has no e-mail address cannot obtain a RAC and therefore can neither protect nor
open protected content, even though the AD RMS server itself is healthy. Adding the
ADRMSADMIN or ADRMSSRVC accounts to local Administrators groups changes nothing on the
client side, and AD DS is a prerequisite for AD RMS, not something to reinstall.

Reference:

http://technet2.microsoft.com/windowsserver2008/en/library/c8f83d5b-e10d-4c31-8af9-d2afb076dbf81033.mspx




QUESTION NO: 2
TestKing.com has a domain controller that runs Windows Server 2008. The
TestKing.com network has 40 Windows Vista client machines. As an administrator
at TestKing.com, you want to deploy Active Directory Certificate service (AD CS) to
authorize the network users by issuing digital certificates. What should you do to
manage certificate settings on all machines in a domain from one main location?

A. Configure Enterprise CA certificate settings
B. Configure Enterprise trust certificate settings
C. Configure Advance CA certificate settings
D. Configure Group Policy certificate settings
E. All of the above


Answer: D
Explanation:
To manage certificate settings on all computers in the domain from one location,
configure the certificate settings in Group Policy (Computer Configuration\Windows
Settings\Security Settings\Public Key Policies). A setting made there, such as a trusted
root certificate or certificate autoenrollment, applies to every computer in the scope
of the GPO, so it is maintained once rather than on each machine. AD CS itself is a
server role in Windows Server 2008 that you install and configure through Server Manager;
the CA issues certificates but does not push client settings, Group Policy does.




QUESTION NO: 3
TestKing has an Active Directory Rights Management Service (AD RMS) server.

Users machines are running Windows Vista and an Active Directory domain is
configured at Microsoft Windows Server 2003 functional level.

Users are complaining that they cannot protect their documents. You need to
configure AD RMS so that users are able to protect their documents. What should
you do?

A. Use a group policy to install the AD RMS client computers
B. Add the ADRMSADMIN account to the local administrators group on the computers
C. Add the ADRMSSRVC account to the local administrators on the AD RMS server
D. Establish an e-mail account in Active Directory Domain Services (AD DS) for each
    user
E. Upgrade the active directory domain to the functional level of Windows 2008 server


Answer: D
Explanation:
To configure AD RMS so that users are able to protect their documents, establish an
e-mail address in Active Directory Domain Services (AD DS) for each user; AD RMS binds a
user's rights account certificate to that address.

AD RMS protection can be applied from Microsoft Word, Outlook or PowerPoint in Microsoft
Office 2007, including for information that is sent outside the organization. For
additional assurance, AD RMS can be combined with other technologies such as smart cards.

Reference: Active Directory Rights Management Services Overview

http://technet2.microsoft.com/windowsserver2008/en/library/74272acc-0f2d-4dc2-876f-15b156a0b4e01033.msp




QUESTION NO: 4
TestKing.com has a single domain network with Windows 2000, Windows 2003, and
Windows 2008 servers. Please see exhibit B. The Client computers are running
Windows XP and Windows Vista. All domain controllers are running Windows
server 2008.

                                               Exhibit B

         Servers                    Operating system                            Role
     TestKing_DC1                 Windows server 2008                   Domain controller
     TestKing_DC2                 Windows server 2008                   Domain controller
     TestKing_SRV5                Windows server 2008                 File and Print server

You need to deploy Active Directory Rights Management Services (AD RMS) to secure all
documents and spreadsheets and to provide user authentication. What do you need to
configure in order to complete the deployment of AD RMS?

A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller
    TestKing_DC1
B. Ensure that all Windows XP computers have the latest service pack and install the
    RMS client on all systems. Install AD RMS on domain controller TestKing_DC1
C. Upgrade all client computers to Windows Vista. Install AD RMS on TestKing_SRV5
D. Ensure that all Windows XP computers have the latest service pack and install the
    RMS client on all systems. Install AD RMS on domain controller TestKing_SRV5
E. None of the above


Answer: D
Explanation:
To deploy Active Directory Rights Management Services (AD RMS) to secure all documents
and spreadsheets and to provide user authentication, ensure that all Windows XP
computers have the latest service pack and install the RMS client on them (Windows Vista
already includes the AD RMS client), and install AD RMS on TestKing_SRV5.

In Windows Server 2008, AD RMS can be installed only on a member server, not on a domain
controller, so TestKing_DC1 is not a valid target; TestKing_SRV5, the file and print
server, is a member server and can host the role.

Reference: Pre-installation Information for Active Directory Rights Management
Services

http://technet2.microsoft.com/windowsserver2008/en/library/878e9550-5966-40f3-862c-7ea309ddb0ed1033.msp


Reference: Active Directory Rights Management Services Overview

http://technet2.microsoft.com/windowsserver2008/en/library/74272acc-0f2d-4dc2-876f-15b156a0b4e01033.msp




QUESTION NO: 5
TestKing has a server with Active Directory Rights Management Services (AD
RMS) server installed. Users have computers with Windows Vista installed on them.
The Active Directory domain is installed at Windows Server 2003 functional level.
As an administrator at TestKing.com, you discover that the users are unable to
benefit from AD RMS to protect their documents. You need to configure AD RMS
to enable users to use it and protect their documents. What should you do to achieve
this functionality?

A. Configure an email account in Active Directory Domain Services (AD DS) for each
    user.
B. Add and configure ADRMSADMIN account in local administrators group on the user
    computers
C. Add and configure the ADRMSSRVC account in AD RMS server's local
    administrator group
D. Reinstall the Active Directory domain on user computers
E. All of the above


Answer: A
Explanation
To configure AD RMS so that users can protect their documents, configure an e-mail
address in Active Directory Domain Services (AD DS) for each user. AD RMS binds each
user's rights account certificate to the e-mail address on the user's AD DS account, so
a user without one cannot obtain a certificate or protect documents.




QUESTION NO: 6
TestKing.com has a server that runs Windows Server 2008. The Active Directory forest is
configured at the Windows Server 2008 functional level. To provide database services on
the server, you install Microsoft SQL Server 2005 and then implement Active Directory
Rights Management Services (AD RMS). While testing the server, you attempt to open the
AD RMS administration website and receive the following error message:

"SQL Server does not exist or access is denied"

You want to rectify this problem and open the AD RMS administration website.
Which two actions should you perform to achieve this objective? (Select two
answers. Each answer is the part of complete solution)

A. Install and configure Message Queuing
B. Restart the Internet Information Server (IIS)
C. Delete the AD RMS instance and the SQL server and install it again.
D. Start the MSSQLSVC service


Answer: B, D
Explanation:
To rectify the problem, start the SQL Server service (MSSQLSVC in the answer choice; the
default instance's service is named MSSQLSERVER) so that the AD RMS configuration
database is reachable, then restart Internet Information Services (IIS) so that the AD
RMS web applications re-establish their connection to SQL Server. This lets the AD RMS
administration website open. Message Queuing is an AD RMS prerequisite for logging but
is not the cause of this error, and reinstalling AD RMS and SQL Server is unnecessary.

Section 3, Configure the read-only domain controller (RODC) (8
Questions)
QUESTION NO: 1
You are an administrator at TestKing.com. TestKing has a read-only domain controller
(RODC) at a remote location that does not have adequate physical security. You need the
RODC to cache the passwords of non-administrative accounts while ensuring that the
passwords of administrative accounts are never stored on it. Which of the following
actions should you take?

A. Delete all administrative accounts from the RODC's group
B. Configure the permission to Deny on Receive for administrative accounts on the
    security tab for Group Policy Object (GPO)
C. Configure the administrative accounts to be added in the Domain RODC Password
    Replication Denied group
D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC
    server and on the security tab on GPO, check the Read Allow and the Apply group policy
    permissions for the administrators.
E. None of the above


Answer: C
Explanation:
To populate the RODC with non-administrative account passwords only, add the
administrative accounts to the Denied RODC Password Replication Group (answer C names it
the Domain RODC Password Replication Denied group).

The Password Replication Policy (PRP) works like an access control list for the RODC's
credential cache. When a user or computer authenticates through the RODC, the RODC
forwards the request to a writable domain controller, which consults the PRP to decide
whether that account's secrets may be replicated to the RODC. Once cached, the account's
later logons are serviced by the RODC itself, which is faster and survives a WAN outage.

The PRP has an allow list and a deny list, and an explicit deny always wins over an
allow. By default the deny side already covers Domain Admins, Enterprise Admins, Schema
Admins, Administrators, Account Operators, Server Operators and Backup Operators; adding
the remaining administrative accounts to the Denied RODC Password Replication Group keeps
their secrets off a domain controller that could be stolen.

QUESTION NO: 2
TestKing.com has a main office and a branch office. TestKing.com's network
consists of a single Active Directory forest. Some of the servers in the network run
Windows Server 2008 and the rest run Windows server 2003.

You are the administrator at TestKing.com. You have installed Active Directory
Domain Services (AD DS) on a computer that runs Windows Server 2008. The
branch office is located in a physically insecure place. It has no IT personnel onsite
and there are no administrators over there. You need to setup a Read-Only Domain
Controller (RODC) on the Server Core installation computer in the branch office.
What should you do to setup RODC on the computer in branch office?

A. Execute an attended installation of AD DS
B. Execute an unattended installation of AD DS
C. Execute RODC through AD DS
D. Execute AD DS by using deploying the image of AD DS
E. none of the above


Answer: B
Explanation
To set up an RODC on the Server Core computer in the branch office, perform an unattended
installation of AD DS. An RODC is a type of domain controller introduced in Windows
Server 2008 that hosts a read-only replica of the Active Directory database; it is
intended for locations where physical security cannot be guaranteed, such as a branch
office or a perimeter network. An RODC can run on a Server Core installation of Windows
Server 2008, but Server Core has no graphical shell, so the Active Directory Domain
Services Installation Wizard cannot be used there. Instead you run dcpromo from the
command prompt with an answer file (dcpromo /unattend:<file>) or with the equivalent
command-line parameters. You must be a member of Domain Admins, or use an account to
which the installation was delegated after an administrator pre-created the RODC account
in Active Directory Users and Computers.

An attended installation is the wrong choice only because the wizard is unavailable on
Server Core; on a full installation of Windows Server 2008 either method produces an
RODC.
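Added example (not part of the TestKing material): the answer file for the unattended RODC promotion in answer B. Windows Server 2008 Server Core has no PowerShell, so the file is generated here on an administrator's workstation, copied to the Server Core box, and consumed by dcpromo at its command prompt. The [DCInstall] keys are the documented dcpromo /unattend keys; site, group and account names and the passwords are assumptions.

```powershell
# Added example: build a dcpromo answer file for an RODC on Server Core.
# Assumed: domain TestKing.com, site Branch-Office, a delegated group
# TestKing\Branch-RODC-Admins, promotion done with a Domain Admins account.
# Generate on a workstation, copy to the Server Core machine, run dcpromo there.

$answerFile = 'C:\rodc-answer.txt'
@'
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=TestKing.com
SiteName=Branch-Office
; Account that performs the promotion (Domain Admins, or the delegated account
; if the RODC computer account was pre-created in Active Directory Users and Computers)
UserName=Administrator
UserDomain=TestKing.com
Password=P@ssw0rd-Domain
; Branch staff who may log on to and service the RODC without domain-wide rights
DelegatedAdmin=TestKing\Branch-RODC-Admins
InstallDNS=Yes
ConfirmGc=Yes
; No = replicate everything during promotion; Yes shortens it over a slow WAN
CriticalReplicationOnly=No
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=P@ssw0rd-DSRM
RebootOnCompletion=Yes
'@ | Set-Content -Path $answerFile -Encoding ASCII

"Copy $answerFile to the Server Core machine, then run at its command prompt:"
"    dcpromo /unattend:C:\rodc-answer.txt"
"Delete the file afterwards: it contains clear-text passwords."
```

Leave the Password Replication Policy out of the answer file and set it afterwards with repadmin /prp or the RODC's computer account properties, once you know which branch accounts should be cached.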

QUESTION NO: 3
As the TestKing administrator you have installed a read-only domain controller
(RODC) server at a remote location.

The remote location doesn't provide enough physical security for the server. What
should you do to allow administrative accounts to replicate authentication
information to Read-Only Domain Controllers?

A. Remove any administrative accounts from RODC's group
B. Add administrative accounts to the domain Allowed RODC Password Replication
group
C. Set the Deny on Receive as permission for administrative accounts on the RODC
computer account Security tab for the Group Policy Object (GPO)
D. Configure a new Group Policy Object (GPO) with the Account Lockout settings
enabled. Link the GPO to the remote location. Activate the Read Allow and the Apply
group policy Allow permissions for the administrators on the Security tab for the GPO.
E. None of the above


Answer: B
Explanation:
To allow administrative accounts to have their authentication information
replicated to the RODC, add them to the domain's Allowed RODC Password Replication
Group.

The default Password Replication Policy of every RODC allows caching only for
members of Allowed RODC Password Replication Group (which is empty by default) and
denies it for members of Denied RODC Password Replication Group and for the
built-in administrative groups, including Administrators, Domain Admins, Enterprise
Admins and Schema Admins. Adding a user to the allowed group does not push the
password to the RODC; it is cached the first time that user authenticates through
the RODC (or when an administrator prepopulates it). Note that Deny entries take
precedence over Allow entries: an account that is also covered by a Deny entry, such
as a member of Domain Admins, is still never cached, and on a server that is not
physically secure that is the behaviour you normally want to keep.

Reference: Security MVP Article of the Month - December 2007 / Physical Security
http://www.microsoft.com/technet/community/columns/secmvp/sv1207.mspx




QUESTION NO: 4
One of the remote branch offices of TestKing.com is running a Windows Server
2008 read only domain controller (RODC).

For security reasons you don't want credential-like secrets (passwords,
encryption keys) to be stored on the RODC.



What should you do so that these credentials are not replicated to any RODC's in
the forest? (Select 2)

A. Configure RODC filtered attribute set on the server
B. Configure RODC filtered set on the server that holds Schema Operations Master role
C. Delegate local administrative permissions for an RODC to any domain user without
    granting that user any user rights for the domain
D. Raise the forest functional level to Windows Server 2008 before configuring the
    filtered attribute set
E. None of the above


Answer: B, D
Explanation:
To keep these secrets off every RODC in the forest, add the attributes that hold
them to the RODC filtered attribute set. Attributes in that set are never replicated
to any RODC. The set is defined by marking each attribute's schema object, which can
only be done on the domain controller that holds the schema operations master role,
and that domain controller must be running Windows Server 2008.

The forest functional level must be Windows Server 2008 because the filtering is
enforced by the replication partner, not by the RODC. If an attacker who has
compromised an RODC reconfigures it to request the filtered attributes, a Windows
Server 2008 domain controller refuses the request, but a Windows Server 2003 domain
controller does not know about the filtered attribute set and may serve the values.
At the Windows Server 2008 forest functional level no Windows Server 2003 domain
controllers can exist in the forest, so that path is closed. Marking the attributes
confidential as well is recommended, because filtering only controls replication,
not who can read the value from a writable domain controller.

Reference: AD DS: Read-Only Domain Controllers / RODC filtered attribute set

http://technet2.microsoft.com/windowsserver2008/en/library/ce82863f-9303-444f-9bb3-ecaf649bd3dd1033.msp
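Added example, not from the original page or from Microsoft's documentation: the PowerShell below marks one attribute as RODC-filtered (and confidential) on the schema master, after checking the forest functional level described above. The attribute name tk-LicenseKey is an assumption; it is taken to exist in the schema with a CN equal to its LDAP display name, and the script is run as a member of Schema Admins.

```powershell
# Added example, not from the original page. Assumed: custom attribute tk-LicenseKey
# exists in the schema and the caller is a Schema Admin.
$attrName      = 'tk-LicenseKey'
$RODC_FILTERED = 0x200   # searchFlags bit: member of the RODC filtered attribute set
$CONFIDENTIAL  = 0x80    # searchFlags bit: readable only with the Control Access right

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
if ($forest.ForestMode -ne 'Windows2008Forest') {
    throw "Forest functional level is $($forest.ForestMode). Raise it to Windows Server 2008 first; otherwise a compromised RODC can still pull the attribute from a Windows Server 2003 DC."
}

# Schema writes are accepted only by the schema master, so bind to it explicitly
$schemaMaster = $forest.SchemaRoleOwner.Name
$rootDse      = [ADSI]"LDAP://$schemaMaster/RootDSE"
$schemaNc     = $rootDse.schemaNamingContext.Value
$attr         = [ADSI]"LDAP://$schemaMaster/CN=$attrName,$schemaNc"

$flags = [int]$attr.searchFlags.Value
# Filtering keeps the value off every RODC; confidential stops ordinary
# authenticated users reading it from the writable DCs as well.
$attr.Put('searchFlags', ($flags -bor $RODC_FILTERED -bor $CONFIDENTIAL))
$attr.SetInfo()   # system-critical attributes are refused with "unwilling to perform"

# Make the schema master reload its schema cache now instead of waiting
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# Read the flags back from the schema master to confirm both bits are set
([ADSI]"LDAP://$schemaMaster/CN=$attrName,$schemaNc").searchFlags.Value
```

The check at the top is the order of operations the explanation calls for: filtering an attribute in a forest that still admits Windows Server 2003 domain controllers gives a false sense of protection, so the script refuses to continue until the forest functional level has been raised.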




QUESTION NO: 5
TestKing.com has a main office and branch office in another city. You are assigned
to deploy and implement a Read-only Domain Controller (RODC) at the branch
office. You deploy a RODC that runs Windows Server 2008.



What should you do to ensure that the users at the branch office can log on to the
domain using RODC?

A. Use Password Replication Policy on the RODC
B. Add a RODC to the main office
C. Deploy and configure a new bridgehead server in the branch office
D. Deploy and configure a Password Replication Policy on the RODC in the main office


Answer: A
Explanation:
To let branch office users log on through the RODC, configure its Password
Replication Policy (PRP). By default an RODC caches no user or computer passwords:
every logon is forwarded to a writable domain controller in the main office, so
nobody at the branch can log on while the WAN link is down. Each RODC has its own
PRP. The recommended design is one security group per branch office containing
that branch's users and computers, added to the Allow list of that branch's RODC;
the RODC then caches the password of each member after the first successful logon
(or when an administrator prepopulates it).




QUESTION NO: 6
TestKing.com has a main office and 30 branch offices. To manage the network, each
branch office has a separate active directory site that has a dedicated read-only
domain controller (RODC). A branch office in a remote location reports a
burglary in which the RODC server was stolen. Which utility should you use to
recover the user accounts that were cached on the stolen RODC server?

A. Execute Dsmod.exe
B. Use Active Directory Users and Computers
C. Use Active Directory Sites and Computers
D. Execute Ntdsutil.exe with the -ato parameter


Answer: B
Explanation:
Use Active Directory Users and Computers. Delete the stolen RODC's computer
account from the Domain Controllers organizational unit; the Deleting Domain
Controller dialog offers to reset the passwords of all user accounts and all
computer accounts that were cached on that RODC, and to export the list of those
accounts to a file so that the affected users can be contacted. The reset is the
important part: until it is done, every secret that was on the stolen server
remains a valid credential in the domain.




QUESTION NO: 7
TestKing.com consists of a main office and 20 branch offices. Configured as a
separate site, each branch office has a Read-Only Domain Controller (RODC)
server installed.
Users in remote offices complain that they are unable to log on to their accounts.
What should you do to make sure that the cached credentials for user accounts are
only stored in their local branch office RODC server?

A. Open the RODC computer account security tab and set Allow on the Receive as
    permission only for the users that are unable to log on to their accounts
B. Add a password replication policy to the main Domain RODC and add user accounts
    in the security group
C. Configure a unique security group for each branch office and add user accounts to the
    respective security group. Add the security groups to the password replication allowed
    group on the main RODC server
D. Configure and add a separate password replication policy on each RODC computer
    account


Answer: D
Explanation:
To ensure that credentials are cached only on the local branch office RODC,
configure a separate Password Replication Policy on each RODC computer account,
with an Allow entry for a group that contains just that branch's users. Because
each RODC has its own PRP, users authenticate through, and are cached on, only
their own RODC. A single PRP on a main-office RODC (options B and C) would gather
every branch's users on one server, and no RODC in the main office takes part in
branch office logons.
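Added example, not from the original page, covering both this item and question 5 above: one Password Replication Policy per RODC, each with a single Allow entry for that branch's group, built with repadmin /prp as shipped with Windows Server 2008. The RODC names, group names and the OU that holds the groups are assumed. The same view commands give the list of accounts to reset after a theft, the situation in question 6.

```powershell
# Added example, not from the original page. Assumed: one RODC per branch site with
# the names below, and the per-branch groups already created under OU=PRP Groups.
$domainDn = 'DC=testking,DC=com'
$branches = @{
    'RODC-ROME' = 'PRP-Rome-Users'
    'RODC-OSLO' = 'PRP-Oslo-Users'
}

foreach ($rodc in $branches.Keys) {
    $groupDn = "CN=$($branches[$rodc]),OU=PRP Groups,$domainDn"
    # Each RODC gets its own Allow entry. A user's secret is then cached only by
    # the RODC of the branch whose group contains the user; the default Deny
    # entries for administrative groups stay in place and still win over Allow.
    repadmin /prp add $rodc allow $groupDn
}

# Auth2 = accounts that have authenticated through this RODC; Reveal = accounts
# whose secrets it actually holds. Anything in Auth2 but not in Reveal is still
# being forwarded to a writable DC over the WAN and will fail when the link is
# down, so it belongs in the branch group. After a theft, Reveal is the list of
# accounts whose passwords must be reset.
repadmin /prp view RODC-ROME auth2
repadmin /prp view RODC-ROME reveal
```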




QUESTION NO. 8
TestKing.com has a main office and a branch office that are configured as a single
Active Directory forest. The functional level of the Active Directory forest is
Windows Server 2003. There are four Windows Server 2003 domain controllers in
the main office. You need to ensure that you are able to deploy a read-only domain
controller (RODC) at the branch office. Which two actions should you perform?
(Choose two answers. Each answer is a part of the complete solution.)

A. Run the adprep/rodcprep command.
B. Deploy a Windows Server 2008 domain controller at the main office.
C. Raise the functional level of the domain to Windows Server 2008.
D. Raise the functional level of the forest to Windows Server 2008.

Answer: A, B
Explanation:
Deploying an RODC requires a forest functional level of at least Windows Server
2003 (already the case here), the forest and domain prepared with adprep
/forestprep, adprep /domainprep and adprep /rodcprep, and at least one writable
Windows Server 2008 domain controller in the domain for the RODC to replicate from.
Raising the domain or forest functional level to Windows Server 2008 is not
required.

Section 4, Configure Active Directory Federation Services (AD
FS) (7 Questions)
QUESTION NO: 1
TestKing.com runs Windows Server 2008 on all of its servers. It has a single Active
Directory domain and uses an enterprise certification authority. The security
policy at TestKing.com requires that revoked certificate information be checked.
You need to make sure that revocation information is available at all times.
What should you do to achieve that?

A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer
    certificates and link the GPO to the domain.
B. Configure and use a GPO to publish a list of trusted certificate authorities to the
    domain
C. Configure and publish an OCSP (Online Certificate Status Protocol) responder
    through an ISA Server (Internet Security and Acceleration Server) array.
D. Use network load balancing and publish an OCSP responder
E. None of the above


Answer: D
Explanation:
To keep revocation information available at all times, publish an OCSP responder
behind Network Load Balancing. The Online Responder role service of Active
Directory Certificate Services answers OCSP requests: a client asks about one
certificate and receives a signed status reply, instead of downloading the whole
certificate revocation list (CRL). This makes revocation checking faster and uses
less bandwidth, which matters most over slow WAN links. A single responder is a
single point of failure; two or more Online Responders behind an NLB cluster (an
Online Responder Array) keep answering when one of them is down. Clients only
consult the responder if the certificates carry its URL in their Authority
Information Access extension, so that extension must be configured on the CA
before the certificates are issued.




QUESTION NO: 2
TestKing.com has a software evaluation lab. There is a server in the evaluation lab
named as TKT. TKT runs Windows Server 2008 and Microsoft Virtual Server 2005
R2. TKT has 200 virtual servers running on an isolated virtual segment to evaluate
software. To connect to the internet, it uses a physical network interface card.
TestKing.com requires every server in the company to access the Internet.


The TestKing.com security policy dictates that the IP address space used by the
software evaluation lab must not be used by other networks. Similarly, it states that
the IP address space used by other networks should not be used by the evaluation
lab network. As an administrator, you find that the applications tested in the
software evaluation lab need to access the normal network to reach the vendors'
update servers on the Internet. You need to configure all virtual servers on the TKT
server to access the internet. You also need to comply with company's security
policy. Which two actions should you perform to achieve this task? (Choose two
answers. Each answer is a part of the complete solution)

A. Enable the virtual DHCP server for the external virtual network and run the
    ipconfig /renew command on each virtual server
B. On TKT's physical network interface, activate the Internet Connection Sharing (ICS)
C. Use TestKing.com intranet IP addresses on all virtual servers on TKT.
D. Add and install a Microsoft Loopback Adapter network interface on TKT. Use a new
    network interface and create a new virtual network.
E. None of the above


Answer: A, D
Explanation:
To give all virtual servers on TKT Internet access while complying with the
security policy, enable the virtual DHCP server on the external virtual network
and run ipconfig /renew on each virtual server, and add a Microsoft Loopback
Adapter to TKT and create a new virtual network bound to it.

The virtual DHCP server hands the virtual servers addresses from a range that
belongs only to the lab, and ipconfig /renew makes each guest pick up its new
lease. Binding the new virtual network to the loopback adapter keeps that address
space on the host, separate from the corporate network, so neither side uses the
other's addresses, while the guests still reach the Internet through TKT.




QUESTION NO: 3
TestKing.com has an Active Directory forest with single domain. Some applications
are hosted on Testking's perimeter network.




The organization wants single sign-on to all applications hosted on the perimeter
network. The company has a domain member server with the Active Directory
Federation Services (AD FS) role installed.

You are required to configure the AD FS trust policy to populate AD FS tokens with
employee's information from Active directory domain. What should you do?

A. Add and configure a new account store
B. Add and configure a new organization claim
C. Add and configure a new account partner
D. Add and configure a new application
E. None of the above


Answer: A
Explanation:
To configure the AD FS trust policy to populate AD FS tokens with employee's
information from Active directory domain, you need to add and configure a new account
store.

AD FS allows the secure sharing of identity information between trusted business
partners across an extranet. When a user needs to access a Web application from one of
its federation partners, the user's own organization is responsible for authenticating the
user and providing identity information in the form of "claims" to the partner that hosts
the Web application. The hosting partner uses its trust policy to map the incoming claims
to claims that are understood by its Web application, which uses the claims to make
authorization decisions. Because the claims originate from an account store, adding
and configuring an Active Directory account store is what makes the domain's user
attributes available to the trust policy.

Reference: Active Directory Federation Services
http://msdn2.microsoft.com/en-us/library/bb897402.aspx




QUESTION NO: 4
You have installed an Active Directory Federation Services (AD FS) role on a server
running Windows server 2008 in your organization.

Now you need to test the connectivity of clients in the network to ensure that they
can successfully reach the new Federation server and that the Federation server is
operational. What should you do? (Select all that apply)



A. Go to the Services tab, and check if Active Directory Federation Services is running
B. In the event viewer, Applications, Event ID column look for event ID 674.
C. Open a browser window, and then type the Federation Service URL for the new
    federation server.
D. None of the above


Answer: B, C
Explanation:
To test the connectivity of clients in the network to ensure that they can successfully
reach the new Federation server and Federation server is operational, you can look for
event ID 674. This event verifies that the federation server was able to successfully
communicate with the Federation Service.

You can also open a browser window, and then type the Federation Service URL for the
new federation server. The Federation Server Service page should appear along with a
list of links that identify the Web methods that the Federation Service uses. The
Federation Service URL should include the Domain Name System (DNS) host name of
the federation server.

Reference: Event ID 674 - Trust Policy and Configuration

http://technet2.microsoft.com/windowsserver2008/en/library/71705c30-e97f-4e36-92ab-d33175bf588d1033.msp


Reference: Verify That a Federation Server Is Operational


http://technet2.microsoft.com/windowsserver2008/en/library/ecf28b0c-014


QUESTION NO: 5
As an administrator at TestKing.com, you have installed an Active Directory forest
that has a single domain. You have installed Active Directory Federation services
(AD FS) on a domain member server. What should you do to configure AD FS to
make sure that AD FS token contains information from the active directory
domain?

A. Add a new account store and configure it
B. Add a new resource partner and configure it
C. Add a new resource store and configure it

D. Add a new administrator account on AD FS and configure it
E. None of the above


Answer: A
Explanation:
To ensure that the AD FS token contains information from the Active Directory
domain, add and configure a new account store. In the AD FS console, expand
Federation Service, Trust Policy and My Organization, right-click Account Stores
and create a new account store; the Add Account Store Wizard guides you through
adding the Active Directory store.




QUESTION NO: 6
TestKing.com contains a two-node Network Load Balancing cluster which is called
web.TK1.com. The purpose of this cluster is to provide load balancing and high
availability of the intranet website only.

While monitoring the cluster, you discover that the users can view the Network
Load Balancing cluster in their Network Neighborhood and they can use it to
connect to various services by using the name web.TK1.com. You also discover that
there is only one port rule configured for the Network Load Balancing cluster.

You need to configure the web.TK1.com NLB cluster to accept HTTP traffic only.
Which two actions should you perform to achieve this objective? (Choose two
answers. Each answer is part of the complete solution)

A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster
    console
B. Run the wlbs disable command on the cluster nodes
C. Assign a unique port rule for NLB cluster by using the NLB Cluster console
D. Delete the default port rules through Network Load Balancing Cluster console


Answer: A, D
Explanation:
To make the web.TK1.com NLB cluster accept HTTP traffic only, create a new port rule
for TCP port 80 in the Network Load Balancing Manager console and delete the default
port rule. The default rule covers the whole port range, 0 through 65535, for both
TCP and UDP, which is why the cluster name currently answers for every service; once
it is removed, only the port 80 rule remains, so HTTP is the only traffic the cluster
balances.

Topic 4, Creating and Maintaining Active Directory
Objects (20 Questions)
Section 1, Automate creation of Active Directory accounts (1
Question)
QUESTION NO: 1
TestKing.com has an Active Directory domain. For regular checkups, you log on to
the domain controller and open Microsoft Management Console (MMC). The
Active Directory Schema snap-in is not available. What should you do to access the
Active Directory Schema snap-in?

A. Register Schmmgmt.dll
B. Log off and log on again using an account that is a member of the Schema Admins
    group
C. Add the Active Directory Lightweight Directory Services (AD LDS) role to the
    domain controller
D. Execute Ntdsutil.exe command to connect to the Schema Master operations master.

Answer: A
Explanation:
The Active Directory Schema snap-in is installed with AD DS but is not registered,
so it does not appear in the Add or Remove Snap-ins list until you run
regsvr32 schmmgmt.dll from an elevated command prompt. Membership in Schema Admins is
required to change the schema, not to load the snap-in, and the snap-in locates the
schema master itself, so options B and D do not help.




Section 2, Maintain Active Directory accounts (6 Questions)
QUESTION NO: 1
TestKing.com has an Active Directory domain. Another administrator at
TestKing.com attempts to log on to a computer that was offline for 12 weeks. While
accessing the computer, the administrator receives an error message that
authentication has failed. What should you do to ensure that the administrator can
log on to the computer?

A. Disjoin the computer from the domain and rejoin it to the domain. Reset the computer
    account
B. Delete the computer account from the organizational unit and then add the account
    again
C. Execute the netsh command on the computer and set the machine options
D. Execute netsh trust/reset command and join the computer to the domain again.
E. None of the above


Answer: A
Explanation:
To let the administrator log on, reset the computer account in Active Directory
Users and Computers, then disjoin the computer from the domain and rejoin it. The
computer can no longer authenticate to the domain because the machine account
password it uses to establish its secure channel with a domain controller no
longer matches the one stored in Active Directory. Resetting the account and
rejoining creates a fresh machine account password on both sides. A quicker
alternative that does not require leaving the domain is to reset the secure channel
in place from the affected computer, logged on as a local administrator, with
netdom resetpwd /server:<DC> /userd:<domain\admin> /passwordd:*.




QUESTION NO. 2
TestKing.com has a network with a single Active Directory domain. There are two
domain controllers installed which run Windows Server 2008. You have enabled the
Audit account management policy and Audit directory services access settings for
the entire domain. You must ensure that the changes made to Active Directory
objects are logged. The changes logged must show the old and new values of any
attribute. What should you do to achieve this task?

A. Enable the Audit Directory services access setting and directory service changes by
    accessing Default Domain Controllers policy
B. Disable Audit account management policy and enable it again
C. Execute auditpol.exe and configure the security settings of the domain controllers
    Organizational unit
D. Execute Auditpol.exe and disable the default domain policy
E. None of the above


Answer: C
Explanation:
To log changes to Active Directory objects together with the old and new values of
each attribute, run auditpol.exe on the domain controllers (for example from a
startup script applied to the Domain Controllers organizational unit) and enable
the Directory Service Changes subcategory. The Audit directory service access
policy setting you have already enabled is a category: it records that an object was
accessed (event 4662) but not what changed. Windows Server 2008 adds four
subcategories under it, and Directory Service Changes is the one that logs events
5136 (modify), 5137 (create), 5138 (undelete) and 5139 (move), each carrying the
previous and the new attribute value. In Windows Server 2008 subcategories cannot be
set in the Group Policy editor, only with auditpol; the object being changed must
also carry a SACL entry that audits the write.
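Added example, not from the original page: the commands a practitioner would run on a Windows Server 2008 domain controller to enable the subcategory, confirm it took effect, and read back the change events. The ten-event limit and the reference to a startup script for the Domain Controllers organizational unit are assumptions about how it would be deployed.

```powershell
# Added example, not from the original page. Run on each Windows Server 2008 domain
# controller, or from a startup script linked to the Domain Controllers OU.

# Enable the subcategory that records old and new attribute values
auditpol /set "/subcategory:Directory Service Changes" /success:enable /failure:enable

# Confirm the subcategory, not just the DS Access category, is now enabled
auditpol /get "/category:DS Access"

# Group Policy reapplies category-level settings at refresh and would overwrite
# this, unless the security option "Audit: Force audit policy subcategory settings
# (Windows Vista or later) to override audit policy category settings" is enabled
# in the Default Domain Controllers Policy. Check the registry value it sets:
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v SCENoApplyLegacyAuditPolicy

# Read the ten most recent change events: 5136 modify, 5137 create,
# 5138 undelete, 5139 move. Each carries the attribute's previous and new value.
wevtutil qe Security "/q:*[System[(EventID>=5136 and EventID<=5139)]]" /c:10 /rd:true /f:text
```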


QUESTION NO. 3
TestKing.com has an Active Directory domain which runs Windows Server 2008. A
user attempts to log on to the domain from a client computer using his account. He
receives the following message:

"This account has expired. Contact your administrator to reactivate the account"

What should you do to ensure that the user is able to log on to the domain using his
account?


A. Open the properties of the user account and change the option to "Never Expire"
B. Open the properties of the user account and extend the Logon Hours setting
C. Open the properties of the user account and modify the default domain policy to
    decrease the duration of account lockout.
D. Change the password option to never expire in the user account properties

Answer: A
Explanation:
The message comes from the Account expires setting on the Account tab of the user's
properties, so set it to Never (or to a later date) and the user can log on again.
Logon hours (B) and account lockout (C) produce different messages, and a password
that never expires (D) has no effect on account expiry.


QUESTION NO. 4
TestKing.com has an Active Directory forest containing many domain controllers.
All domain controllers run Windows Server 2008. Another administrator has
accidently deleted an organizational unit and its child objects. You need to perform
an authoritative restore of the deleted organizational unit and its child objects.
Which of the following actions should you perform in sequence to achieve this task?
(Move appropriate actions for the list of actions in the left to the answer area at the
right. Arrange them in the correct order.)




Answer:
Explanation:
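The answer area of this drag-and-drop item did not survive extraction. As an added example, not part of the original page, the sequence below shows the authoritative restore of a deleted organizational unit in the order the steps are performed, written for the command prompt of a Windows Server 2008 domain controller. The OU distinguished name OU=Sales,DC=testking,DC=com and the backup version timestamp are assumed values.

```powershell
# Added example, not from the original page. Assumed: the deleted OU is
# OU=Sales,DC=testking,DC=com and a system state backup that predates the deletion
# exists on this domain controller. Phase 1 runs in the normal session; phases 2 to 4
# run after the restart, in Directory Services Restore Mode (DSRM).

# Phase 1: restart into DSRM so that the NTDS database is offline
bcdedit /set safeboot dsrepair
shutdown /r /t 0

# Phase 2 (logged on as .\Administrator with the DSRM password): pick a backup taken
# before the deletion and restore system state from it (non-authoritative so far)
wbadmin get versions
wbadmin start systemstaterecovery '-version:04/12/2008-22:00' -quiet

# Phase 3: mark only the deleted subtree authoritative. ntdsutil raises the version
# numbers of those objects so they win against the tombstones on every other DC,
# while the rest of the restored database stays non-authoritative and is brought up
# to date by normal replication. ntdsutil asks for confirmation, then writes .ldf
# files holding the group memberships (back-links) of the restored objects; import
# each on a DC of the domain it names with: ldifde -i -k -f <file>
ntdsutil 'activate instance ntds' 'authoritative restore' 'restore subtree OU=Sales,DC=testking,DC=com' quit quit

# Phase 4: leave DSRM; replication now propagates the restored OU to the other DCs
bcdedit /deletevalue safeboot
shutdown /r /t 0
```

Restoring the whole database authoritatively (restore database) would roll back every object in the domain to the backup, which is why the subtree form is used here.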




QUESTION NO. 5
As an administrator at TestKing.com, you create 200 new user accounts. The users
are located in six different sites. The users report that when they try to log on, they
receive the following error message:
"The username or password is incorrect"

You confirm that the user accounts exist and are enabled. You also confirm that the
usernames and passwords are correct too. You need to identify the cause of this
failure. You also need to ensure that the new users are able to log on using their
accounts. Which utility should you use to achieve this task?


A. Repadmin
B. Rsdiag
C. Active Directory Domains and Trusts
D. Rstools

Answer: A
Explanation:
An account created on one domain controller cannot be used until it has replicated
to the domain controller that authenticates the user, and with six sites intersite
replication runs on the site link schedule, so the users are trying to log on before
their accounts have arrived. repadmin /replsummary and repadmin /showrepl show
whether replication is failing or merely lagging, and repadmin /syncall <DC> /AdeP
forces a push of every partition across all sites.




QUESTION NO. 6
The TestKing.com network consists of a single Active Directory domain. All domain
controllers run Windows Server 2008. Some Lightweight Directory Access Protocol
(LDAP) clients are consuming the largest share of CPU on a domain controller. You
need to identify which clients they are. What should you do to achieve this task?

A. Run the Active Directory Diagnostics Data Collector Set and review the Active
    Directory report
B. Open Resource Monitor and review the performance data
C. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.
D. Review the Hardware Events log in the Event Viewer.

Answer: A




Section 3, Create and apply Group Policy objects (GPOs) (4
Questions)
QUESTION NO.1
TestKing.com has an Active Directory domain with an organizational unit called
Sales. This organizational unit hosts two global security groups named Sales
directors and Sales executives. TestKing has instructed you to apply desktop
restrictions to the sales executives group. However, the desktop restrictions should
not be applied to the Sales directors group. You create a GPO named Desktop
Lockdown and link it to the Sales organizational unit. What should you do next?


A. Set the Deny Apply Group Policy permission for the Sales directors on the
    DesktopLockdown GPO
B. Set the Deny Apply Group Policy permission for the Sales Executives on the
    DesktopLockdown GPO
C. Set the Allow Apply Group Policy permission for the Local domain users on
    DesktopLockdown GPO
D. Set the Allow Apply Group Policy permission for the Authenticated Users on
    DesktopLockdown GPO

Answer: A


QUESTION NO: 2
TestKing.com has an Active Directory forest which runs Windows Server 2008. It
has branch offices all around the world. The forest includes organizational units
for offices in the following locations:

New York
London
Amsterdam
Rome

Each location has a child organizational unit named finance. The finance
organizational unit hosts all the users and computers in the finance department.

The offices in London, Amsterdam and New York are connected by T1 connections.
However, the office in Rome is connected by a 128-Kbps ISDN connection.
TestKing.com has instructed you to install an application on all computers in the
finance department. Which two actions should you perform to achieve this task?
(Choose two answers. Each answer is a part of the complete solution)

A. Create a Group Policy Object (GPO) that assigns the application to the computers.
    Link the GPO to each finance organizational unit
B. Create a GPO that assigns the application to each user in the organizational unit. Link
    the GPO to each finance organizational unit
C. Change the slow link detection setting to 1,544 Kbps (T1) in the GPO
D. Disable the slow link detection setting in the GPO

Answer: A, C


QUESTION NO. 3

TestKing.com has purchased a new application to deploy on 200 computers. You
are instructed to deploy the application on all 200 computers. To install the
application, you have to modify the registry on each target computer before
installing the application. Registry modifications are in a file that has an .adm
extension. You need to prepare the target computers for the application. What
should you do to achieve this task?

A. Create a new Group Policy Object (GPO) and import the .adm file into it. Edit the
    GPO and link it to an organizational unit that contains the target computers
B. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup
    folder of each target computer.
C. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer.
    Run the REDIRCmp CONTAINER-DN command on each target computer.
D. Create a Microsoft Windows PowerShell script to copy the .adm file to each
    computer. Run the REDIRUsr CONTAINER-DN command on each target computer.

Answer: A


QUESTION NO. 4
TestKing.com has an Active Directory forest containing eight linked GPOs. One of
the eight GPOs publishes applications to user objects. One of the user reports that
the application is not available for installation. You have to identify whether the
GPO is applied. What should you do to achieve this task?

A. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.
B. Run the GPRESULT /S <system name> /Z command at the command prompt.
C. Run the Group Policy Results utility for the computer.
D. Run the Group Policy Results utility for the user.

Answer: D




Section 4, Configure GPO templates (1 Questions)
QUESTION NO.1
TestKing.com has an Active Directory forest that contains Windows Server 2008
domain controllers and DNS servers. All client computers run Windows XP. You
need to use your client computers to edit domain-based GPOs by using the ADMX
files that are stored in the ADMX central store. What should you do?



A. Add your account to the Domain Admins group.
B. Create a folder on the Primary Domain Controller (PDC) emulator for the domain in
the PolicyDefinitions path. Copy the ADMX files to the PolicyDefinitions folder.
C. Upgrade your client computers to Windows Vista.
D. Install .NET Framework 3.0 on your client computer.

Answer: C




Section 5, Configure software deployment GPOs (3 Questions)
QUESTION NO. 1
TestKing.com has an Active Directory forest. There is a main office and five branch
offices. Each branch office has an organizational unit and a child organizational
unit called Accounts. The Accounts organizational unit contains all users and
computers of the accounts department. You are directed to install an application
only on the computers in the Accounts organizational unit. To install the application,
you create a GPO named FinanceApp. What should you do next to achieve this
task?

A. Create a GPO to assign the application to the user groups in the accounts
    organizational unit. Link the FinanceApp GPO to the organizational unit.
B. Create a GPO and assign the application to each computer account. Link the
    FinanceApp GPO to the Accounts organizational unit.
C. Configure the GPO to assign the application to the computer account. Link the
    FinanceApp GPO to the organizational unit in each location
D. Configure the GPO to assign the application to the organizational unit. Link the
    FinanceApp GPO to the Accounts organizational unit.

Answer: C


QUESTION NO. 2
TestKing.com has an Active Directory forest that hosts client computers running
Windows Vista and Windows XP. TestKing.com has directed you to ensure that
users are able to install approved application updates on their computers. Which of
the following two actions should you perform to achieve this task? (Choose two
answers. Each answer is part of the complete solution)

A. Create a GPO and link it to the domain. Configure the GPO to direct client computers
    to the Microsoft WSUS server for approved updates

B. In the environment, install the Microsoft WSUS application on a server and configure
    the server to search for new updates on the internet. Configure it to approve all required
    updates.
C. Configure automatic updates in the control panel of client computers
D. Create a GPO and link it to the server. Configure the GPO to automatically search for
    updates on Microsoft update site

Answer: A, B




QUESTION NO. 3
TestKing.com has an organizational unit called Production. The organizational unit
has a child organizational unit called Research. You create a GPO named Software
Deployment and link it to the Production organizational unit. You create a shadow
group for the Research organizational unit. You need to deploy an application to
users in the Production organizational unit. You also need to ensure that the
application is not deployed to users in the Research organizational unit. What are
two possible ways to achieve this goal? (Choose two answers. Each answer is part of
the complete solution)

A. Configure the Enforce setting on the software deployment GPO.
B. Configure the Block Inheritance setting on the Production organizational unit.
C. Configure the Block Inheritance setting on the Research organizational unit.
D. Configure security filtering on the Software Deployment GPO to Deny Apply group
policy for the research security group.

Answer: C, D




Section 6, Configure account policies (1 Questions)
QUESTION NO: 1
TestKing.com has an Active Directory forest. There is one main office and a branch
office in two different locations. Both of the locations have an organizational unit.
TestKing has instructed you to ensure that the branch office administrators are able
to create and apply GPOs only to their respective organizational unit. Which two
actions should you perform to achieve this task?

A. Add the branch administrators for each organizational unit in the Managed By Tab
    settings.
B. Add the branch office administrators user accounts in the Group Policy Creator
    Owners Group
C. Execute the Delegation of Control Wizard and delegate the right to link GPOs for their
    branch organizational units to the branch administrators
D. Execute the Delegation of Control Wizard and delegate the right to link GPOs for the
    domain to the branch office administrators

Answer: B, C



Section 7, Configure audit policy by using GPOs (5 Questions)
QUESTION NO: 1
You are an administrator at TestKing.com. TestKing.com has a network of 5
member servers acting as file servers. It has an Active Directory domain. You have
installed a software application on the servers. As soon as the application is
installed, one of the member servers shuts itself down. To trace and rectify the
problem, you create a Group Policy Object (GPO). You need to change the domain
security settings to trace the shutdowns and identify their cause. What should
you do to perform this task?

A. Link the GPO to the domain and enable System Events option
B. Link the GPO to the domain and enable Audit Object Access option
C. Link the GPO to the Domain Controllers and enable Audit Object Access option
D. Link the GPO to the Domain Controllers and enable Audit Process tracking option
E. Perform all of the above actions


Answer: A
Explanation:
To change the domain security settings to trace the shutdowns and identify their cause,
you should link the Group Policy Object to the domain and enable the System Events
option. The system events will track the problem and tell you what is causing the
shutdowns.

You should not enable Audit Object Access option because it is used to audit the access
to the objects like registry keys, files and folders.

You should not enable Audit Process tracking option because this option is used to audit
the process tracking on a server.

QUESTION NO: 2
TestKing.com has organizational units in the Active Directory domain. There are 10
servers in the organizational unit called Security. As an administrator at
TestKing.com, you generate a Group Policy Object (GPO) and link it to the
Security organizational unit. What should you do to monitor the network
connections to the servers in Security organizational unit?

A. Start the Audit Object Access option
B. Start the Audit System Events option
C. Start the Audit Logon Events option
D. Start the Audit process tracking option
E. All of the above


Answer: C
Explanation:
To monitor the network connections to the servers in the Security organizational unit, you
should start the Audit Logon Events option. Audit logon events is a security setting
that decides whether to audit each instance of a user logging on to or off from a computer.

Basically, the account logon events are generated on domain controllers to monitor the
domain account activity and local account activity on local computers. If you enable both
the account logon and logon audit policy categories, the domain account logons will generate
a logon or logoff event on a server or a workstation and they will also generate a logon or
logoff event on the domain controller. So if you start the Audit logon events option, you will
be able to monitor the network connections to the servers in the Security organizational unit.




QUESTION NO: 3
TestKing.com has purchased laptop computers that will be used to connect to a
wireless network. You create a laptop organizational unit and create a Group Policy
Object (GPO) and configure user profiles by utilizing the names of approved
wireless networks. You link the GPO to the laptop organizational unit. The new
laptop users complain to you that they cannot connect to a wireless network. What
should you do to enforce the group policy wireless settings to the laptop computers?

A. Execute the gpupdate /target:computer command at the command prompt on laptop
    computers
B. Execute Add a network command and leave the SSID (service set identifier) blank
C. Execute the gpupdate /boot command at the command prompt on laptop computers
D. Connect each laptop computer to a wired network and log off the laptop computer and
    then login again.
E. None of the above


Answer: D
Explanation:
To enforce the group policy wireless settings on the laptop computers, you should
connect each laptop to a wired network, log off the laptop computer, and log in again
to enforce the group policy wireless settings. When you connect the laptop to a wired
network and log off and then log in again, the wireless settings group policy is enforced
and users can connect to a wireless network.




QUESTION NO. 4
TestKing.com has file servers located in an organizational unit named Salaries. The
file servers have salaries files in a folder named TKsalaries. You create a GPO.
You need to track which employees access the salaries files on the file servers. What
should you do to achieve this task?

A. Enable the Audit object access option. Link the GPO to the Salaries organizational
    unit. On the file servers, configure Auditing for the Everyone group in the TKsalaries
    folder.
B. Enable the Audit process tracking option. Link the GPO to the Salaries organizational
    unit. On the file servers, configure Auditing for the Everyone group in the TKsalaries
    folder.
C. Enable the Audit object access option. Link the GPO to the domain. On the domain
    controllers, configure Auditing for the Authenticated Users group in the TKsalaries
    folder.
D. Enable the Audit process tracking option. Link the GPO to the Domain Controllers
    organizational unit. On the file servers, configure Auditing for the Authenticated Users
    group in the TKsalaries folder.

Answer: A


QUESTION NO. 5

TestKing.com has a group of consultants. All consultants belong to a global group
named TempWorkers. You were advised to place three file servers in a new
organizational unit named Secureserv. These file servers contain confidential data
located in shared folders. After placing the file servers in the Secureserv OU, you
need to record any failed attempts made by the consultants to access confidential
data. Which of the following two actions should you perform to achieve this task?

A. On each shared folder on the three file servers, add the TempWorkers global group to
    the Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog
    box.
B. Create and link a new GPO to the SecureServ organizational unit. Configure the Deny
    access to this computer from the network user rights setting for the TempWorkers global
    group.
C. On each shared folder on the three file servers, add the three servers to the Auditing
    tab. Configure the Failed Full control setting in the Auditing Entry dialog box.
D. Create and link a new GPO to the SecureServ organizational unit. Configure the Audit
    privilege use Failure audit policy setting.
E. Create and link a new GPO to the SecureServ organizational unit. Configure the Audit
    object access Failure audit policy setting.

Answer: A, E




Topic 5, Maintaining the Active Directory Environment (21 Questions)


Section 1, Configure backup and recovery (8 Questions)
QUESTION NO: 1
TestKing asks you to implement Windows Cardspace in the domain. You want to
use Windows Cardspace at your home. Your home and office computers run
Windows Vista Ultimate. What should you do to create a backup copy of Windows
Cardspace cards to be used at home?

A. Log on with your administrator account and copy the \Windows\ServiceProfiles folder to
    your USB drive
B. Backup \Windows\Globalization folder by using backup status and save the folder on
    your USB drive
C. Back up the system state data by using backup status tool on your USB drive
D. Employ the Windows Cardspace application to backup the data on your USB drive
E. Reformat the C: Drive
F. None of the above


Answer: D
Explanation:
Of course, you should use the Windows Cardspace application to back up the data on your
USB drive. You can use this data on any computer to access and use Windows
Cardspace. Windows Cardspace is a tool that creates relationships with websites and
online services. Windows CardSpace provides a unique way for

1. sites to request information from you
2. you to review the identity of a site
3. you to manage your information by using information cards
4. you to review card information before you send it.

Windows CardSpace has a backup feature. You can use it to back up card data to a
storage medium.
You should not back up the system state data by using the backup status tool on your USB
drive. It is not related to the scenario mentioned above.
You should not back up the \Windows\Globalization folder by using backup status and save
the folder on your USB drive because backup status will not be able to back up the data
on to any storage device.




QUESTION NO: 2
TestKing.com has a network that consists of a single Active Directory domain. A
technician has accidentally deleted an Organizational unit (OU) on the domain
controller. As an administrator of TestKing.com, you are in the process of restoring the
OU. You need to execute a non-authoritative restore before an authoritative restore
of the OU. Which backup should you use to perform a non-authoritative restore of
Active Directory Domain Services (AD DS) without disturbing other data stored on the
domain controller?



A. Critical volume backup
B. Backup of all the volumes
C. Backup of the volume that hosts Operating system
D. Backup of AD DS folders
E. all of the above


Answer: A
Explanation:
You should use a critical volume backup to perform a non-authoritative restore of AD DS
without disturbing other data stored on the domain controller. An authoritative restore
process returns a designated object or a container of objects to its state at the time of
the backup. The authoritative restore marks the OU as authoritative and causes the replication
process to restore it to all domain controllers in the domain. You must first complete a
non-authoritative restore before performing an authoritative restore of AD DS. You also
need to ensure that replication does not occur after the non-authoritative restore. You
must do a critical-volume backup before you perform a non-authoritative restore. To
prevent replication from occurring after the non-authoritative restore and to perform the
authoritative restore portion of the operation, you must restart the domain controller in
Directory Services Restore Mode and perform the authoritative restore at the domain
controller that you are restoring. You should start the domain controller normally after
performing the authoritative restore of AD DS. You should also synchronize replication
with all replication partners.




QUESTION NO: 3 DRAG DROP
TestKing.com has an Active Directory forest containing a single domain. The
domain operates Windows Server 2008. A new administrator accidentally deletes an
entire organizational unit in the Active Directory database that hosts 6000 objects.

You have backed up the system state data using third-party backup software. To
restore backup, you start the domain controller in the Directory Services Restore
Mode (DSRM).

You need to perform an authoritative restore of the organizational unit and restore
the domain controller to its original state. Which three actions should you perform?
The answer should be in a sequence. Drag and drop the appropriate action into the
sequential order.




Answer:
Explanation:




When an authoritative restore needs to be performed for Active Directory objects, you
need to perform a non-authoritative restore first. Then without restarting the domain
controller, you should use the ntdsutil authoritative restore command to mark the objects
to be restored as authoritative. You can then restart the domain controller normally and
perform additional tasks as needed.

Therefore the sequence of steps should be:
1. Perform a restore of system state data to a time before the organizational unit was
    deleted
2. Run the Ntdsutil utility
3. Start the Domain Controller Service in the Services (local) Microsoft Management Console
    (MMC)


Reference: How to Restore Windows Server 2003 Active Directory
http://www.petri.co.il/restore-windows-server-2003-active-directory.htm

Reference: Performing an Authoritative Restore of Deleted AD DS Objects

http://technet2.microsoft.com/windowsserver2008/en/library/f4e9ee21-ee35-4650-acca-798555c0c32c1033.msp




QUESTION NO: 4
The TestKing.com network has a Windows 2008 domain controller server. This
server is routinely backed up over the network from a dedicated backup server that
is running Windows Server 2003.

You need to prepare the domain controller for disaster recovery. You are unable to
launch the backup utility while attempting to back up the system state data for the
domain controller.

You need to back up system state data from the Windows Server 2008 domain
controller server. What should you do?

A. Add your user account to the local Backup Operators group
B. Install the Windows Server backup feature using the Server Manager feature
C. Install the Removable Storage Manager feature using the Server Manager feature
D. Deactivate the backup job that is configured to back up the Windows 2008 server
    domain controller on the Windows 2003 server.
E. None of the above


Answer: B
Explanation:
To back up system state data from the Windows Server 2008 domain controller server,
you need to install the Windows Server Backup feature using Server Manager.
Windows Server Backup is not installed by default. You must install it by using the Add
Features option in Server Manager.

Reference: What's New in AD DS Backup and Recovery?

http://technet2.microsoft.com/windowsserver2008/en/library/67f18955-c504-4d63-9f84-9b8c25d428e81033.msp




QUESTION NO: 5
You have installed Windows Server 2008 on a computer and configured it as a file
server, named FileSrv1.

The FileSrv1 computer contains four hard disks, which are configured as basic
disks. For fault tolerance and performance you want to configure Redundant Array
of Independent Disks (RAID) 0 +1 on FileSrv1.

Which utility will you use to convert basic disks to dynamic disks on FileSrv1?

A. Diskpart.exe
B. Chkdsk.exe
C. Fsutil.exe
D. Fdisk.exe
E. None of the above


Answer: A
Explanation:
To convert basic disks to dynamic disks on FileSrv1, you need to use the Diskpart.exe utility.

Reference: Managing and Troubleshooting Desktop Storage / Basic Disks
http://www.informit.com/articles/article.aspx?p=332154


QUESTION NO. 6
TestKing.com has a single Active Directory domain and two domain controllers
which run Windows Server 2008. Due to a problem, you need to reset the Directory
Services Recovery Mode (DSRM) password on one domain controller. What tool
should you use to achieve this task?

A. Active Directory Security for Computers snap-in
B. Netsh
C. ntdsutil
D. Domain Controller security snap-in
E. All of the above


Answer: C
Explanation:




To reset the DSRM password on a single domain controller, you should use the ntdsutil
utility. You can use Ntdsutil.exe to reset this password for the server on which you are
working, or for another domain controller in the domain. Type ntdsutil and at the ntdsutil
command prompt, type set dsrm password.

Reference: http://support.microsoft.com/kb/322672


QUESTION NO. 7
TestKing.com has a domain controller that runs Windows Server 2008. The server
is a backup server with a single 500-GB hard disk and has three partitions for the
applications, operating system and data. As per company policy, you perform daily
backups of the server. The hard disk fails and you replace the hard disk with a new
one of same capacity. After restarting the computer using the installation media,
you select the repair your computer option. You want to restore the operating
system and all the other files. What should you do to achieve this task?

A. Do the startup repair
B. Perform the System Restore
C. At the command prompt, execute the webadmin utility
D. Perform the Disk defragment

Answer: C


QUESTION NO. 8
TestKing.com has an Active Directory domain running Windows Server 2008. The
Finance OU (organizational unit) contains an OU for computers, an OU for groups
and an OU for users. As per company policy, you perform daily backups. Another
administrator mistakenly deletes the groups OU. You need to restore the Groups
OU without affecting users and computers in the Finance OU. What should you do
to achieve this task?

A. Perform an authoritative restore of the Groups OU
B. Perform a complete restore of the Finance OU
C. Perform a non-authoritative restore of the Finance OU
D. Perform a non-authoritative restore of the Groups OU

Answer: A




Section 2, Perform offline maintenance (5 Questions)

QUESTION NO: 1
Critical services are running on TKD20, a domain controller in the Testking.com
domain. You have completed restructuring the organizational unit hierarchy for the
domain and deleted the needless objects. What would you do to perform an offline
defragmentation of the Active Directory database on TKD20 while ensuring that the
critical services remain online?

A. Open the Microsoft Management Console (MMC) and stop the Domain Controller
    service. After that, run the defrag tool
B. Start the domain controller in the Directory Service restore mode and run the Ntdsutil
    tool
C. Start the domain controller and then use the Defrag tool to start defragmentation
D. Open the MMC and stop the Domain Controller service. After that, run the Ntdsutil
    tool.
E. All of the above


Answer: D
Explanation:
To perform an offline defragmentation of the Active Directory database on TKD20 while
ensuring that the critical services remain online, you should open the MMC and stop the
Domain Controller service. Then you should run the Ntdsutil tool. Ntdsutil is a
command-line tool that offers management facilities for Active Directory.

When you stop the Domain Controller service, the critical services remain online. Then
you should run the Ntdsutil tool, which will find out the location of the data files, working
directory and log files. You can use the info command, which is part of the ntdsutil
command-line tool, to find out the location of the data files, log files and working
directory. The info command analyzes and reports the free space for all disks installed on
the computer and reads the registry keys that contain the location of the Active Directory
files and reports their values.




QUESTION NO: 2
TestKing.com has servers on the main network that run Windows Server 2008. It
also has two domain controllers. Active Directory services are running on a domain
controller named TKDC1. You need to perform critical updates of Windows Server
2008 on TKDC1 without rebooting the server. What should you do to perform
offline critical updates on TKDC1 without rebooting the server?

A. Start the Active Directory Domain Services on TKDC1

B. Disconnect from the network and start the Windows update feature
C. Stop the Active Directory domain services and install the updates. Start the Active
    Directory domain services after installing the updates
D. Stop Active Directory domain services and install updates. Disconnect from the
    network and then connect again
E. None of the above


Answer: C
Explanation:
To perform offline critical updates on TKDC1 without rebooting the server, you should
stop the Active Directory domain services and install the updates. Start the Active
Directory domain services after installing the updates. By stopping the Active Directory
domain services, you don't need to reboot the server. The updates are related to the
Windows Server 2008 on TKDC1 so when you stop the Active Directory domain
services and start it again after the installation of the updates, the Server will perform in a
normal way.




QUESTION NO: 3
There are 100 servers and 2000 computers present at TestKing.com headquarters.
The DHCP service is installed on a two-node Microsoft failover cluster named
TKMFO to ensure the high availability of the service. The nodes are named
TKMFON1 and TKMFON2.

The cluster on TKMFO has one physical shared disk of 400 GB capacity. A 200GB
single volume is configured on the shared disk. TestKing.com has decided to host
Windows Internet Naming Service (WINS) on TKMFON1. The DHCP and WINS
services will be hosted on other nodes.

Using the High Availability Wizard, you begin creating the WINS service group on
cluster available on the TKMFON1 node. The wizard shows an error "no disks are
available" during configuration. Which action should you perform to configure
storage volumes on TKMFON1 to successfully add the WINS Service group to
TKMFON1?

A. Backup all data on the single volume on TKMFON1 and configure the disk with
GUID partition table and create two volumes. Restore the backed up data on one of the
volumes and use the other for WINS service group
B. Add a new physical shared disk to the TKMFON1 cluster and configure a new volume
on it. Use this volume to fix the error in the wizard

C. Add new physical shared disks to TKMFON1 and TKMFON2. Configure the volumes
on these disks and direct TKMFON1 to use the TKMFON2 volume for the WINS service
group
D. Add and configure a new volume on the existing shared disk which has 400GB of
space. Use this volume to fix the error in the wizard
E. None of the above


Answer: B
Explanation:
To configure storage volumes on TKMFON1 to successfully add the WINS Service
group to TKMFON1, you need to add a new physical shared disk to the TKMFON1
cluster and configure a new volume on it. Use this volume to fix the error in the wizard.
This is because a cluster does not use shared storage. A cluster must use a hardware
solution based either on shared storage or on replication between nodes.

Reference: No disks found
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2964971&SiteID=17




QUESTION NO: 4
Domain Controller King12 runs critical services in the TestKing.com network.
Restructuring of the organizational unit domain hierarchy is being done and all
unnecessary objects are also being deleted.

Offline defragmentation of the Active Directory database is to be performed on
King12. We also need to ensure that critical services stay alive. What should you
do?

A. Start the domain controller in the Directory Services restore mode. Run the defrag
    utility
B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil
    utility
C. Stop the Domain controller service in the Services MMC and run the Defrag utility.
D. Stop the Domain controller service in the Services MMC and run the Ntdsutil utility
E. None of the above


Answer: D
Explanation:



To perform offline defragmentation of the Active Directory database on King12, you
need to stop the Domain controller service in the Services MMC and run the Ntdsutil
utility.

You can use the restart feature of AD DS to stop AD DS so that you can perform offline
operations such as defragmentation of the Active Directory database.

Reference: Superior Identity Management Features in Windows Server 2008 Enterprise
and Windows Server 2008 Datacenter / Directory Services: Active Directory Domain
Services

http://download.microsoft.com/download/8/2/f/82fa3808-7168-46f1-a07b-f1a7c9cb4e85/WS08%20Identity%20




QUESTION NO: 5
The corporate network of TestKing consists of a Windows Server 2008 single Active
Directory domain. The domain has two servers named TestKing1 and TestKing2.

To ensure central monitoring of events you decide to collect all the events on one
server, TestKing1. To collect events from TestKing2 and transfer them to
TestKing1, you configure the required event subscriptions. You selected the Normal
option for the Event delivery optimization setting by using the HTTP protocol.

However, you discovered that none of the subscriptions work. Which of the
following actions would you perform to configure the event collection and event
forwarding on the two servers? (Select three. Each answer is a part of the complete
solution).

A. Through Run window execute the winrm quickconfig command on TestKing2.
B. Through Run window execute the wecutil qc command on TestKing2.
C. Add the TestKing1 account to the Administrators group on TestKing2.
D. Through Run window execute the winrm quickconfig command on TestKing1.
E. Add the TestKing2 account to the Administrators group on TestKing1.
F. Through Run window execute the wecutil qc command on TestKing1.


Answer: A, B, C
Explanation:




The subscriptions are not working because Normal subscriptions work only in a
Workgroup environment.
To configure the event collection and event forwarding on the two servers, you need to
first add the TestKing1 account to the Administrators group on TestKing2.
Because you are working with machines that are part of an Active Directory (AD), on the
source computer, type the winrm quickconfig command.
Then, type y followed by Enter to make the changes. This command sets up the source
system to accept WS-Management requests from other computers.
Now, move to the collection system. Repeat the WinRM command. This will allow you
to control bandwidth usage or latency of the event forwarding process.
Next, using the same elevated command prompt, run the wecutil qc command. Then, type y
followed by Enter to make the changes. This will configure the Windows Event
Collector service to delayed autostart and start the service.
Reference: Collect Vista Events
http://www.prismmicrosys.com/newsletters_june2007.php




Section 3, Configure custom application directory partitions (7 Questions)
QUESTION NO: 1
TestKing.com has an active directory forest that contains a single domain.
TestKing.com needs a distributed application that employs a custom application.
The application is directory partition software named PARDATA. You need to
implement this application for data replication. Which two tools should you use to
achieve this task? (Choose two answers. Each answer is a part of a complete
solution)

A. Dnscmd
B. Ntdsutil
C. Ipconfig
D. Dnsutil
E. All of the above


Answer: A, B
Explanation:




To implement the application for data replication, you should use the Dnscmd and
Ntdsutil tools. The dnscmd command displays and changes the properties of DNS
servers, zones and resource records. Through dnscmd, you can manually modify these
properties, create and delete zones and resource records, and force replication events
between the DNS server's physical memory and the DNS databases and data files. You can
implement the PARDATA application and distribute it through dnscmd.

Ntdsutil is a command-line utility that offers management facilities for Active
Directory. You can create application directory partitions using this tool. The tool has a
series of menus that allow you to perform multiple management tasks. Ntdsutil is installed
in the systemroot\system32 folder. It can be accessed through the command prompt.




QUESTION NO: 2
TestKing.com has a main office and a branch office. The Testking.com network is
configured as a single Active Directory domain. The users of the sales department
need some space to store data for an application named SalesPros. You create an
application directory partition for this purpose. You want to add a replica of
SalesPros application directory partition to the domain controller in the branch
office too. The domain controller is called TKO2. Which tool should you use to add
replica for the SalesPros application directory partition to TKO2?

A. Dnscmd.exe
B. Repadmin.exe
C. Ntdsutil.exe
D. Dcpromo.exe
E. All of the above


Answer: C
Explanation
To add a replica of the SalesPros application directory partition to TKO2, you should use
Ntdsutil. In its partition management menu, add nc replica <partition DN> TKO2.<domain>
enlists the branch office domain controller as a replica, and normal Active Directory
replication then copies the partition to it (check with repadmin /showrepl). Dnscmd only
enlists DNS servers in DNS directory partitions, Repadmin reports and triggers replication
but cannot change the replica set, and Dcpromo applies only while a server is being
promoted. Ntdsutil is installed in the systemroot\system32 folder and is run from a
command prompt.
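Questions 1 and 2 together describe one procedure: create the application directory partition, then enlist a second domain controller as a replica and confirm it replicates. The commands below are an added example, not from the original guide. TK01 (the first domain controller), TKO2, the testking.com domain and the partition names are assumptions; the Ntdsutil menu names are the Windows Server 2008 ones (partition management replaced the 2003 domain management menu).

```powershell
# Run on a domain controller as a member of Enterprise Admins (required to create or
# change the replica set of an application directory partition).
$partition = "DC=SalesPros,DC=testking,DC=com"

# Each quoted argument is one Ntdsutil command; the two quits leave the submenu and the tool.
ntdsutil "activate instance ntds" "partition management" `
    "create nc $partition TK01.testking.com" `
    "add nc replica $partition TKO2.testking.com" `
    "list nc replicas $partition" `
    quit quit

# The replica set is recorded on the partition's crossRef object in the Configuration NC;
# this is the authoritative answer to "which DCs hold SalesPros?".
dsquery * "CN=Partitions,CN=Configuration,DC=testking,DC=com" `
    -filter "(nCName=$partition)" -attr msDS-NC-Replica-Locations

# Confirm the branch DC is actually replicating it (last-attempt result per partner).
repadmin /showrepl TKO2.testking.com $partition

# The Dnscmd route from question 1: creates a partition intended for DNS zone storage and
# enlists DNS servers (which must themselves be DCs) in it. The DNS name PARDATA.testking.com
# corresponds to the distinguished name DC=PARDATA,DC=testking,DC=com.
dnscmd TK01.testking.com /CreateDirectoryPartition PARDATA.testking.com
dnscmd TKO2.testking.com /EnlistDirectoryPartition PARDATA.testking.com
dnscmd TK01.testking.com /EnumDirectoryPartitions
```

Application directory partitions can only be hosted by domain controllers; if the branch office server were a member server, the Ntdsutil command would fail and the server would have to be promoted first (see Question 3).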




QUESTION NO: 3



TestKing.com has an Active Directory forest with six domains. The company has 5
sites.

The company requires a new distributed application that uses a custom application
directory partition named ResData for data replication.

The application is installed on one member server in five sites. You need to
configure the five member servers to receive the ResData application directory
partition for data replication. What should you do?

A. Run the Dcpromo utility on the five member servers
B. Run the Regsvr32 command on the five member servers
C. Run the Webadmin command on the five member servers
D. Run the RacAgent utility on the five member servers


Answer: A
Explanation:
An application directory partition can only be hosted on a domain controller, so to
configure the five member servers to receive the ResData application directory partition
you must run the Dcpromo utility on each of them. In an unattended promotion the
ApplicationPartitionsToReplicate="<partition DN>" parameter (or "*" for all) specifies
the application directory partitions that Dcpromo will replicate, so ResData arrives on
each server as part of its promotion.

Reference: Dcpromo

http://technet2.microsoft.com/windowsserver2008/en/library/d660e761-9ee7-4382-822a-06fc2365a1d21033.msp
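An unattended promotion that pulls ResData in during Dcpromo, as an added example that is not from the original guide. The [DCInstall] keys are the documented dcpromo answer-file keys; the domain name, site name, paths and the ResData distinguished name are assumptions.

```powershell
# Promote a member server to an additional DC for testking.com and have it replicate
# ResData as part of promotion. Run elevated on each of the five member servers.
$dsrm = Read-Host "Directory Services Restore Mode password"   # never hard-code it

$unattend = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=testking.com
SiteName=Default-First-Site-Name
InstallDNS=No
ConfirmGc=Yes
UserDomain=testking.com
UserName=Administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
ApplicationPartitionsToReplicate="DC=ResData,DC=testking,DC=com"
"@
$path = Join-Path $env:TEMP "dcpromo-resdata.txt"
Set-Content -Path $path -Value $unattend -Encoding ASCII

dcpromo "/unattend:$path"        # Password=* makes dcpromo prompt for the account password
Remove-Item $path -Force         # the answer file holds the DSRM password; do not leave it behind
Restart-Computer

# After the reboot, on the new DC, confirm it hosts ResData and replication succeeds:
#   repadmin /showrepl localhost "DC=ResData,DC=testking,DC=com"
```

RebootOnCompletion is set to No only so the answer file can be deleted before the restart; with Yes, dcpromo reboots immediately and the file with the DSRM password stays on disk.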




 QUESTION NO: 4
Testking.com has an Active Directory forest and requires a new distributed
application that uses a custom application directory partition named ResData. You
need to implement the ResData application directory partition for data replication.
Which two utilities should you run to achieve your goal?

A. Ntdsutil
B. Wbadmin
C. RacAgent
D. Regsvr32



Answer: A
Explanation:
Of the tools listed, only Ntdsutil can implement the partition: its partition management
menu creates the ResData partition and adds replicas on other domain controllers.
Wbadmin is the Windows Server Backup command-line tool, RacAgent is the Reliability
Analysis Component agent and Regsvr32 registers COM DLLs; none of them touches
directory partitions. The second utility normally paired with Ntdsutil for this task is
Dcpromo (see Question 3 in this section), which is not among the options offered here.




QUESTION NO: 5
Exhibit: (disk configuration image not reproduced in this extract)

TestKing.com servers run Windows Server 2008. Testking.com has a single Active
Directory domain. A server named TK4 has the File Services role installed. You
install some disks for additional storage. The disks are configured as shown in the
exhibit. To support data striping with parity, you need to create a new volume.
What should you do to achieve this objective?

A. Build a new spanned volume by combining Disk0 and Disk1
B. Create a new Raid-5 volume by adding another disk
C. Create a new virtual volume by combining Disk 1 and Disk 2
D. Build a new striped volume by combining Disk0 and Disk 2


Answer: B
Explanation


To support data striping with parity, you should add another disk and create a new
RAID-5 volume. A RAID-5 volume in Windows Server 2008 requires at least three dynamic
disks, each contributing the same amount of unallocated space; the disks in the exhibit do
not satisfy this, so Disk Management will not offer RAID-5 until another disk is added.
Data is then striped across all members with one stripe of parity per row, so the volume
survives the loss of any single disk. Spanned and striped (RAID-0) volumes carry no parity
and provide no fault tolerance.




QUESTION NO. 6
TestKing.com has servers that run Windows Server 2008. There are 2 domain
controllers installed on the network. The Active Directory database is installed on
the D volume of a domain controller. You want to move the Active Directory
database to a new volume. What should you do to achieve this task?

A. Open the Files option in the Ntdsutil utility and move the ntds.dit file to the new
    volume
B. Move the ntds.dit file to the new volume using Copy Paste function in the Windows
    Power Shell
C. Use XCOPY command on Windows Command prompt to move ntds.dit file to the
    new volume
D. Use Windows Explorer to move ntds.dit file to the new volume.

Answer: A
Explanation:
To move the Active Directory database to a new volume, use the files menu of Ntdsutil
(move db to <drive:\path>, and move logs to <drive:\path> for the log files). Ntdsutil
moves the files and updates the registry values under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters that point to them. In
Windows Server 2008 the Active Directory Domain Services service can be stopped to do
this, instead of rebooting into Directory Services Restore Mode. Copying ntds.dit with
PowerShell, XCOPY or Windows Explorer leaves the registry pointing at the old path and
gives the new file no guaranteed permissions, so AD DS will fail to start; if you move the
files without Ntdsutil you must update the registry and the folder ACL by hand.
Reference:
http://technet2.microsoft.com/windowsserver/en/library/af6646aa-2360-46e4-81ca-d51707bf01eb1033.msp
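The move as it would be run on a Windows Server 2008 domain controller, as an added example that is not from the original guide. The destination folder E:\NTDS and the backup target F: are assumptions; the registry value names and Ntdsutil commands are the documented ones.

```powershell
# Move ntds.dit and the transaction logs to a new volume on a Server 2008 DC. Run elevated.
$dest = "E:\NTDS"

# 1. System state backup first: an interrupted move leaves the DC unable to start AD DS.
wbadmin start systemstatebackup -backupTarget:F: -quiet

# 2. Stop AD DS (restartable in Server 2008) rather than rebooting into DSRM.
#    -Force also stops dependents such as the KDC and DNS Server.
Stop-Service NTDS -Force

# 3. Ntdsutil moves the files and rewrites the registry paths; integrity checks the
#    database at its new location while it is still offline.
New-Item -ItemType Directory -Path $dest -Force | Out-Null
ntdsutil "activate instance ntds" files "move db to $dest" "move logs to $dest" integrity quit quit

# 4. Verify before starting: the registry must point at the new location ...
$p = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$p.'DSA Database file'
$p.'Database log files path'
# ... and only SYSTEM and Administrators should have access to the folder.
icacls $dest

# 5. Restart AD DS; dependents start with it.
Start-Service NTDS
```

The ACL check matters because ntds.dit contains every password hash in the domain; a destination folder that inherited Users read access from the volume root would expose them to anyone who can log on to the DC.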




QUESTION NO. 7
TestKing.com has a server that runs an instance of AD LDS. You need to create new
organizational units in the AD LDS application directory partition. What should
you do to achieve this task?

A. Create the organizational units on the AD LDS application directory partition by
    accessing the ADSI Edit snap-in
B. Execute dsmod OU <OUDN> command to create Organizational units
C. Use the Active Directory Users and Computers snap-in to create the organizational units
    on the AD LDS application directory partition.
D. Execute dsadd OU command to create Organizational units

Answer: A
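ADSI Edit binds to the AD LDS instance over LDAP and creates the organizationalUnit object; the same operation scripted through the ADSI interface from PowerShell, as an added example that is not from the original guide. The server name TK5, the instance port 50000 and the partition DN CN=App,DC=testking,DC=com are assumptions.

```powershell
# Create OUs in an AD LDS application directory partition via ADSI, which is what ADSI Edit
# does interactively. AD LDS has no Users and Computers snap-in; you bind by host:port.
$server    = "TK5:50000"                      # assumed LDAP port of the AD LDS instance
$partition = "CN=App,DC=testking,DC=com"      # assumed application directory partition

function New-LdsOrganizationalUnit {
    param([string]$Server, [string]$ParentDN, [string]$Name)
    $parent = [ADSI]"LDAP://$Server/$ParentDN"
    $ou = $parent.Create("organizationalUnit", "OU=$Name")
    $ou.SetInfo()                              # commits; throws if the caller lacks rights
    return [string]$ou.distinguishedName
}

New-LdsOrganizationalUnit -Server $server -ParentDN $partition -Name "Sales"
New-LdsOrganizationalUnit -Server $server -ParentDN "OU=Sales,$partition" -Name "Marketing"

# Check: enumerate the OUs now present in the partition.
$root     = [ADSI]"LDAP://$server/$partition"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(objectClass=organizationalUnit)")
$searcher.FindAll() | ForEach-Object { $_.Properties["distinguishedname"][0] }
```

The caller needs to be a member of the instance's Administrators role (or have been delegated create rights on the parent); AD LDS permissions are separate from the domain's, even when the instance uses Windows authentication.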




Topic 6, Configuring Active Directory Certificate Services
(6 Questions)
Section 1, Install Active Directory Certificate Services (3
Questions)
QUESTION NO.1
TestKing.com has an Active Directory domain. As an administrator, you plan to
install the Active Directory Certificate Service (AD CS) role on a member server
running Windows Server 2008. You need to make sure that the Account Operators
group is able to issue smartcard credentials without being able to revoke
certificates. Which of the following three actions should you perform to achieve this
task?

A. Restrict enrollment agents for the Smartcard logon certificate to the Account Operators
group.
B. Install the AD CS role and configure it as a Standalone CA.
C. Restrict certificate managers for the Smartcard logon certificate to the Account
Operators group.
D. Install the AD CS role and configure it as an Enterprise Root CA.
E. Create an Enrollment Agent certificate.
F. Create a Smartcard logon certificate.

Answer: A, D, F




QUESTION NO.2
TestKing.com has a server that runs Windows Server 2008. An Enterprise Root CA
is also installed on the server. The Security policy prevents port 443 and port 80
from being opened on domain controllers and on the issuing CA. You need to allow
users to request certificates from a web interface. To do that, you install AD CS
role. What should you do next?
A. Configure the Certification Authority Web Enrollment Role Service on a member
server.
B. Configure the Online Responder Role Service on a member server.
C. Configure the Certification Authority Web Enrollment Role Service on a domain
controller.
D. Configure the Online Responder Role Service on a domain controller.

Answer: A




 QUESTION NO. 3
TestKing.com has an Active Directory forest. You want to install an Enterprise
certification authority (CA) on a stand-alone server. When you try to add Active
Directory Certificate Services (AD CS) role, you find that the Enterprise CA option
is not available. You have to install the AD CS role as an Enterprise CA. What
should you do first to achieve this task?

A. Add the Active Directory Certificate Services (AD CS) role.
B. Add the Web server (IIS) role and the AD LDS role.
C. Add the DNS Server role.
D. Join the server to the domain.

Answer: D




Section 2, Configure CA server settings (2 Questions)
QUESTION NO. 1
TestKing.com has servers that run Windows Server 2008. You administer two
servers named S1 and S2. You have installed the enterprise root certification
authority (CA) on S1 and Online Responder role service on S2. You want the S1
server to support the online responder. What should you do to configure online
responder on S1?

A. On S1, configure Authority Information Access (AIA) extension
B. Configure CertPublishers group on S1 and S2
C. Configure Dual Certificate List extension on S1 and S2
D. Create a conventional Group Policy Object (GPO) and import enterprise root CA
    certificate. Link the GPO to S1
E. None of the above

Answer: A
Explanation:
To make S1 support the Online Responder on S2, configure the Authority Information
Access (AIA) extension on S1 so that the certificates it issues carry the responder's OCSP
URL (for example http://S2/ocsp); clients then locate the responder from the certificate
itself. S1 must also issue an OCSP Response Signing certificate to S2, and the revocation
configuration on S2 points back at S1's CA certificate. As RFC 5280 (section 4.2.2.1)
puts it, the authority information access extension indicates how to access CA information
and services for the issuer of the certificate in which the extension appears; information
and services may include on-line validation services and CA policy data. The location of
CRLs is not specified in this extension; that information is provided by the
cRLDistributionPoints extension. This extension may be included in subject or CA
certificates, and it must be non-critical.
Reference:
datatracker.ietf.org/documents/LIAISON/file315.pdf
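The AIA change on S1 from the command line, as an added example that is not from the original guide. The host names S1 and S2, the testking.com domain and the /ocsp virtual directory are assumptions; the certutil options, the CACertPublicationURLs flag values and the template name are the documented ones.

```powershell
# On S1 (enterprise root CA): add S2's OCSP URL to the AIA publication list.
# Flag prefixes: 1 = publish the CA certificate to this location, 2 = include in the AIA
# extension of issued certificates, 32 = include as the OCSP (id-ad-ocsp) AIA entry.
# Entries of this REG_MULTI_SZ are separated by a literal \n for certutil.
certutil -getreg CA\CACertPublicationURLs      # record the current list before changing it

$aia = "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt" +
       "\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11" +
       "\n2:http://S1.testking.com/CertEnroll/%1_%3%4.crt" +
       "\n32:http://S2.testking.com/ocsp"
certutil -setreg CA\CACertPublicationURLs $aia

# The responder needs an OCSP Response Signing certificate from S1: publish the template
# (S2's computer account must hold Enroll on it, set in certtmpl.msc).
certutil -SetCATemplates +OCSPResponseSigning

Restart-Service CertSvc                          # registry changes take effect on restart

# Check on any domain client with a certificate issued after the change: the dump must show
# the OCSP URL, and -urlfetch must list a Verified entry under "Certificate OCSP".
certutil -dump .\newcert.cer | Select-String "OCSP"
certutil -verify -urlfetch .\newcert.cer
```

Certificates issued before the change do not gain the OCSP entry; only new issuance picks up the updated AIA, which is why the check uses a freshly issued certificate.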

QUESTION NO. 2
TestKing.com has a server that runs Windows Server 2008. This server has
certificate services configured as a stand-alone Certification Authority (CA). As per
company policy, you are required to audit changes to the CA configuration setting
and the CA security settings. Which two actions should you perform to achieve this
task? (Choose two answers. Each answer is part of the complete solution)

A. Open the Certification services snap-in and configure auditing
B. Enable and configure the Audit object Access setting in the local security policy for
    the certification services server
C. Configure the certification services server to log successful and failed attempts to
    change permissions on files in %SYSTEM32%\CertSrv directory
D. Open the Certification services snap-in and configure auditing for security settings

Answer: A, B
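The two settings in this answer applied from the command line, as an added example that is not from the original guide. The only assumption is that the commands run on the CA itself; the audit subcategory name, the AuditFilter bit values and the event IDs are the documented ones.

```powershell
# 1. Local security policy: Object Access auditing must be enabled, or the CA's own audit
#    events are never written. Server 2008 lets you enable just the CA subcategory.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 2. The CA audit filter (the Auditing tab of the Certification Authority snap-in) is a bitmask:
#    1 start/stop service, 2 back up/restore DB, 4 issue/manage requests, 8 revoke/publish CRLs,
#    16 store/retrieve archived keys, 32 change CA configuration, 64 change CA security settings.
#    The question wants configuration and security changes only: 32 + 64 = 96.
certutil -setreg CA\AuditFilter 96          # 127 audits every category
Restart-Service CertSvc                     # the filter is read when the service starts

# Check: both halves are in place. A configuration change now writes Security-log event
# 4891 (configuration entry changed) or 4892 (property changed); a permissions change
# writes 4882 (security permissions for Certificate Services changed).
auditpol /get /subcategory:"Certification Services"
certutil -getreg CA\AuditFilter
```

Setting AuditFilter without the auditpol step is the common mistake: the snap-in shows auditing as enabled, but no events appear because the Object Access category never reaches the Security log.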



Section 3, Manage certificate templates (GPOs) (1 Question)
QUESTION NO. 1
TestKing.com has an Active Directory domain. All servers in the Active Directory
run Windows Server 2008. TestKing.com runs an Enterprise Root certification
authority (CA). You need to make sure that only administrators can sign code.
Which two tasks should you perform to achieve this task?

A. Change the local computer policy of the Enterprise Root CA to allow only
    administrators to manage Trusted Publishers.
B. Publish the code signing template
C. Change the security settings on the template to allow only the administrators to request
    code signing certificates
D. Distribute the code signing template among the administrators and ask them to add it
    to the trust peer certificates.

Answer: B, C
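Template permissions are ACLs on the pKICertificateTemplate object in the Configuration partition, so the change in option C can be made with dsacls and the publication in option B with certutil. This is an added example that is not from the original guide; the testking.com domain, the TESTKING NetBIOS name and the assumption that Domain Users had previously been granted Enroll are illustrative.

```powershell
# Enterprise CA: allow only Domain Admins to request Code Signing certificates.
$template = "CN=CodeSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=testking,DC=com"

# Remove the Enroll grant for non-administrators (assumed to have been added earlier;
# /R strips every ACE for that trustee from the object).
dsacls $template /R "TESTKING\Domain Users"

# Grant Read plus the Enroll control-access right to administrators only.
dsacls $template /G "TESTKING\Domain Admins:GR" "TESTKING\Domain Admins:CA;Enroll"

# Publish the template on the CA so it can be requested at all (option B).
certutil -SetCATemplates +CodeSigning

# Checks: the resulting ACL, and the list of templates the CA is willing to issue.
dsacls $template
certutil -CATemplates
```

Template ACLs replicate through the Configuration partition, so every enterprise CA in the forest enforces the same Enroll restriction; a group that keeps Autoenroll must also keep Enroll, so removing Enroll is sufficient to stop both.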



Section 4, Manage enrollments (0 Questions)

Section 5, Manage certificate revocations (1 Question)
QUESTION NO. 1
TestKing.com uses a Windows Server 2008 Enterprise certificate authority (CA) to
issue certificates. You are instructed to implement key archival. What should you do
to achieve this task?

A. On the server, archive the private key
B. Configure Hisecdc security template
C. Revoke the Enterprise subordinate CA and issue a user certificate to users of the
    encrypted files
D. Configure automatic enrollment for the computers that store encrypted files

Answer: A
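Archiving a private key is only worthwhile if it can be recovered later, and recovery is deliberately split between two roles. The commands below are an added example that is not from the original guide: the CA configuration string, the user name, the serial number and the paths are assumptions, while certutil -getkey and certutil -recoverkey are the documented key-recovery tools.

```powershell
# Key recovery against a Windows Server 2008 enterprise CA that archives private keys.
# Two roles are required on purpose:
#   - a Certificate Manager extracts the archived blob (encrypted to the KRA's public key)
#   - the Key Recovery Agent, who holds the KRA private key, decrypts it into a PFX
# Neither role alone can recover a user's key.

$caConfig = "S1.testking.com\TestKing Root CA"     # assumed CA configuration string
$serial   = "614c1a9f000000000005"                 # assumed serial of the user's EFS certificate
$blob     = "C:\Recover\user.keyblob"
$pfx      = "C:\Recover\user.pfx"

# --- Certificate Manager, with manage-CA rights ---
# Which of the user's certificates have archived keys: KeyRecoveryHashes is populated
# only for requests whose private key was archived.
certutil -config $caConfig -view -restrict "RequesterName=TESTKING\jdoe" `
    -out "RequestID,SerialNumber,KeyRecoveryHashes"

# Pull the encrypted key blob for that certificate out of the CA database.
certutil -config $caConfig -getkey $serial $blob

# --- Key Recovery Agent, on a workstation holding the KRA certificate and private key ---
# Decrypt the blob and write a password-protected PFX for the user (prompts for the password).
certutil -recoverkey $blob $pfx

# Check: the PFX must contain a private key that matches the original certificate.
certutil -dump $pfx
```

The blob file is safe to hand over: without the KRA private key it is only ciphertext. The PFX is not, and should be delivered to the user and removed from the recovery workstation once imported.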





				
Document info: posted 3/22/2013, 82 pages, language English.