Term
| Certkiller.com has an Active Directory forest that contains a single domain named ad.Certkiller.com. All domain controllers are configured as DNS servers and have Windows Server 2008 installed. The network has two Active Directory-integrated zones: Certkiller es.com and Certkiller ws.com. The company has instructed you to make sure that a user is able to modify records in Certkiller es.com while preventing the user from modifying the SOA record in the Certkiller ws.com zone. What should you do to achieve this task? A. Modify the permissions of the Certkiller es.com zone by accessing the DNS Manager Console B. Configure the user permissions on Certkiller es.com to include all the users and configure the user permissions on Certkiller ws.com to allow only the administrators group to modify the records C. Modify the permissions of the Certkiller ws.com zone by accessing the DNS Manager Console D. Modify the Domain Controllers organizational unit by accessing the Active Directory Users and Computers console. E. None of the above |
|
Definition
| Answer: A Explanation: To allow the user to modify records in Certkiller es.com and prevent him/her from modifying the SOA record in the Certkiller ws.com zone, you should set the permissions of Certkiller es.com through the DNS Manager Console. You set the permissions for the user to modify the records in Certkiller es.com. By setting permissions on only one Active Directory-integrated zone, you prevent the user from modifying anything in the other zones. |
|
|
Term
Certkiller.com has an Active Directory Domain Controller. All domain controllers are configured as DNS servers and have Windows Server 2008 installed. Only one Active Directory-integrated DNS zone is configured on the domain. You have to make sure that outdated DNS records are removed from the DNS zone automatically. What should you do to achieve this task? A. Modify the TTL of the SOA record by accessing the zone properties B. Disable updates from the zone properties C. Execute the netsh /Reset DNS command from the command prompt D. Enable Scavenging by accessing the zone properties E. None of the above |
|
Definition
Answer: D Explanation: Microsoft 70-640: To remove the outdated DNS records from the DNS zone automatically, you should enable Scavenging through the zone properties. Scavenging will help you clean up old unused records in DNS. Since "clean up" really means "delete stuff", a good understanding of what you are doing and a healthy respect for "delete stuff" will keep you out of the hot grease. Because deletion is involved, there are quite a few safety valves built into scavenging that take a long time to pop. When enabling scavenging, patience is required. Reference: http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845-88d2-4091-8088-a6bbce0a4304&ID=211 |
|
|
Term
Certkiller.com has a single Active Directory domain. You have configured all domain controllers in the network as DNS servers and they run Windows Server 2008. A domain controller named CK1 has a standard primary zone for Certkiller.com and a domain controller named CK2 has a standard secondary zone for Certkiller.com. You have to make sure that the replication of the Certkiller.com zone is encrypted so that you do not lose any zone data. What should you do to achieve this task? A. Create a stub zone and delete the secondary zone B. Convert the primary zone into an Active Directory zone and delete the secondary zone C. Change the interface where the DNS server listens on both servers D. On the standard primary zone, configure zone transfer settings. After that, modify the master servers list on the secondary zone E. None of the above |
|
Definition
| Answer: B Explanation: To make sure that the replication of the Certkiller.com zone is encrypted to prevent data loss, you should convert the primary zone into an Active Directory zone and delete the secondary zone. |
|
|
Term
Certkiller.com has a main office and a branch office. All servers in both offices run Windows Server 2008. The offices are connected through a MAN link. Certkiller.com has an Active Directory domain that hosts a single domain called maks.Certkiller.com. There is a domain controller in the maks.Certkiller.com domain called CK1. It is located in the main office. You have configured CK1 as a DNS server for the maks.Certkiller.com DNS zone. It is configured as a standard primary zone. You are instructed to install a new domain controller called CK2 in the branch office. After installing the domain controller, you install DNS on CK2. You want to ensure that the DNS service on CK2 can update records and resolve DNS queries in the event of a MAN link failure. What should you do to achieve this objective? A. Configure the DNS on CK1 to forward requests to CK2 B. Add a secondary zone named raks.Certkiller.com on CK2 C. Convert maks.Certkiller.com on CK1 to an Active Directory-integrated zone D. Configure a new stub zone on CK1 and set the forwarding option to CK2 |
|
Definition
Answer: C Explanation: To make sure that the DNS service on CK2 can update records and resolve DNS queries in the event of a MAN link failure, you should convert maks.Certkiller.com on CK1 to an Active Directory-integrated zone. Active Directory-integrated DNS offers two pluses over traditional zones. For one, the fault tolerance built into Active Directory eliminates the need for primary and secondary nameservers. Effectively, all nameservers using Active Directory-integrated zones are primary nameservers. This has a huge advantage for the use of dynamic DNS as well: namely, the wide availability of nameservers that can accept registrations. Recall that domain controllers and workstations register their locations and availability to the DNS zone using dynamic DNS. In a traditional DNS setup, only one type of nameserver can accept these registrations, the primary server, because it has the only read/write copy of a zone. By creating an Active Directory-integrated zone, all Windows Server 2008 nameservers that store their zone data in Active Directory can accept a dynamic registration, and the change will be propagated using Active Directory multimaster replication. Reference: http://safari.adobepress.com/9780596514112/active_directory-integrated_zones |
|
|
Term
Certkiller.com has a DNS server with 10 Active Directory-integrated zones. For auditing purposes, you have to provide copies of the zone files of the DNS server to the security audit group. What should you do to achieve this task? A. Execute the ntdsutil > Partition Management > Display commands B. Execute the ipconfig /registerdns command C. Execute the dnscmd /ZoneExport command D. Execute the dnscmd /Zoneoutput command |
|
Definition
|
|
Term
| Certkiller.com has a domain controller named EDC11 that runs Windows Server 2008. It is configured as a DNS server for Certkiller.com. You install the DNS server role on a member server named S1 and then create a standard secondary zone for Certkiller.com. You configured EDC11 as the master server for the zone. What should you do to make sure that S1 receives zone updates from EDC11? A. On Server1, add a conditional forwarder. B. On DC1, modify the zone transfer settings for the contoso.com zone. C. Add the Server1 computer account to the DNSUpdateProxy group. D. On DC1, modify the permissions of the contoso.com zone. |
|
Definition
|
|
Term
Certkiller.com has a network consisting of an Active Directory forest named ebd.com. All servers have Windows Server 2008. All domain controllers are configured as DNS servers. The ebd.com DNS zone is stored in the ForestDnsZones Active Directory partition. A member server contains a standard primary DNS zone for eb.ebd.com. You need to make sure that all domain controllers can resolve names for eb.ebd.com. What should you do to achieve this task? A. Create a delegation in the ebd.com zone B. Change the properties of the SOA record in the eb.ebd.com zone C. Add an NS record in the ebd.com zone D. Create a secondary zone on a Global Catalog server |
|
Definition
|
|
Term
Certkiller.com has a main office and a single branch office in another state. With a single Active Directory domain forest, Certkiller.com has two domain controllers named CK1 and CK2. Both of the domain controllers run Windows Server 2008. The branch office has a read-only domain controller (RODC) named CK3. All domain controllers have the DNS server role installed and are configured with Active Directory-integrated zones. All DNS zones are configured to allow secure updates only. You want to enable dynamic DNS updates on CK3. What should you do to achieve this task? A. On DC1, create an active partition and configure the partition to store Active Directory-integrated zones B. Uninstall Active Directory Domain Services on CK3 and reinstall it as a writeable domain controller C. Reconfigure the RODC on CK3 to allow dynamic updates D. Execute the dnscmd /ZoneResetType command on CK3 |
|
Definition
|
|
Term
Certkiller.com has a huge network that consists of an Active Directory forest containing a single domain. Windows Server 2008 is installed on all domain controllers. They are configured as DNS servers. Certkiller.com has an Active Directory-integrated zone with two Active Directory sites. Each site contains five domain controllers. You added a new NS record to the zone. You have to make sure that all domain controllers immediately receive the new NS record. What should you do to achieve this task? A. Execute repadmin /syncall from the command prompt B. Reload the zone from the DNS Manager console C. Create an SOA record from the DNS Manager console D. Shut down and then restart the DNS server service from the Services snap-in |
|
Definition
|
|
Term
Certkiller.com has an Active Directory domain named comm.Certkiller.com. The domain contains two domain controllers named CK1 and CK2. Both have the DNS server role installed. You install a new DNS server named ns.Certkiller.com on the perimeter network. You configure CK1 to forward all unresolved name requests to ns.Certkiller.com. But you discover that the DNS forward option is unavailable on CK2. You have to configure DNS forwarding on the CK2 server to forward unresolved name requests to the ns.Certkiller.com server. Which of the following two actions should you perform to achieve this task? A. Clean the DNS cache on CK2 B. Configure conditional forwarding on CK2 C. Delete the Root zone on CK2 D. Add zone forwarding on CK2 |
|
Definition
|
|
Term
Certkiller.com has a domain controller that runs Windows Server 2008. It is configured as a DNS server. You have to record all inbound DNS queries to the server. What should you configure in the DNS Manager Console? A. To log errors and warnings, configure event logging B. Disable automatic logs for recursive queries C. Enable automatic testing for recursive queries D. Enable debug logging |
|
Definition
|
|
Term
Certkiller.com has a main office and ten branch offices. It has an Active Directory forest that hosts a single domain. Each office has one domain controller and they are configured as an Active Directory site. All sites are connected with the DEFAULTIPSITELINK object. You have to decrease the replication latency between the domain controllers. What should you do to achieve this task? A. Decrease the cost between the connection objects B. Decrease the connection replication interval for all connection objects C. Decrease the replication interval for the DEFAULTIPSITELINK object D. Increase the replication interval for the DEFAULTIPSITELINK object |
|
Definition
|
|
Term
Certkiller.com network consists of a single Active Directory domain. Ten domain controllers are present in the domain. All domain controllers run Windows Server 2008 and are configured as DNS servers. You are instructed to create a new Active Directory-integrated zone. You have to make sure that the new zone is only replicated to four of your domain controllers. What should you do first? A. Execute dnscmd /enlistdirectorypartition from the command prompt B. Configure a delegation in the DomainDnsZones application directory partition C. Configure a new delegation in the ForestDnsZones application directory partition D. Run dnscmd /createdirectorypartition from the command prompt |
|
Definition
|
|
Term
Certkiller.com has an Active Directory domain called Certkiller.com. Two DNS servers named Certkiller A and Certkiller A. DNS servers are configured as shown in the Exhibit. Exhibit: Domain users are unable to connect to the Internet website using Certkiller B because it is configured as a preferred DNS server. You have to enable Internet name resolution for all client computers. What should you do to achieve this task? B. Delete the .(root) zone from Certkiller C. Configure conditional forwarding on Certkiller D. E. Update the Cache.dns file on Certkiller F. Configure conditional forwarding on Certkiller G. C. Create a copy of the .(root) zone on Certkiller H. D. Update the list of root hints servers on Certkiller I. |
|
Definition
|
|
Term
Certkiller.com has an Active Directory forest. All domain controllers run Windows Server 2008 and are configured as DNS servers. You have an Active Directory-integrated zone for Certkiller.com. You have a Unix-based DNS server. You need to configure your Windows Server 2008 environment to allow zone transfers of the Certkiller.com zone to the Unix-based DNS server. What should you do in the DNS Manager console? A. Create a secondary zone. B. Enable BIND secondaries. C. Disable recursion. D. Create a stub zone. |
|
Definition
|
|
Term
Certkiller.com has an Active Directory domain called es.Certkiller.com. Certkiller.com has a subsidiary company named Woksworks Inc. Woksworks Inc. has an Active Directory domain called intranet.woksworks.com. Since the Woksworks Inc. security policy doesn't allow the transfer of internal DNS zone data outside the Woksworks network, you have to make sure that Certkiller.com users are able to resolve names from the intranet.woksworks.com domain. What should you do to achieve this task? A. Set the conditional forwarding for the intranet.woksworks.com domain B. Put intranet.woksworks.com in the Active Directory of Certkiller.com C. Create a subzone for the intranet.woksworks.com domain D. Reconfigure the intranet.woksworks.com domain as a standard secondary zone E. None of the above |
|
Definition
A To enable a Certkiller.com user to resolve names from the intranet.woksworks.com domain, you should set the conditional forwarding for the intranet.woksworks.com domain. Conditional forwarding is a DNS query setting that enables a DNS server to route a request for a particular name to another DNS server by specifying a name and IP address. |
|
|
Term
Certkiller.com has an Active Directory domain called ad.Certkiller.com. There are two domain controllers on the network: CK1 and CK2. Other administrators try to log on to the domain controllers but their logon attempts fail. You have to identify the logon attempts on the domain controllers. What should you do to achieve this task? A. Check the security tab on the domain controller computer object B. Access the Event Viewer C. Check the security data on the domain controller event viewer D. Execute the netsh /events command at the command prompt E. None of the above |
|
Definition
| Answer: B Explanation: To identify the logon attempts on the domain controllers, you should access the Event Viewer and check the logon attempts. The Event Viewer will tell you the IP address and other details of the user account which was used to log on to the domain controllers. |
|
|
Term
| Certkiller.com has a single Active Directory domain called int.Certkiller.com. You have installed domain controllers with the DNS server role. The domain controllers run Windows Server 2008. Domain members and non-domain members alike register their DNS records dynamically. You want only the domain members to register their DNS records dynamically. What should you do to configure int.Certkiller.com? A. Configure zone transfers to Name Servers B. Set the Primary DNS server to register authenticated members only C. Disable the Everyone group in the Dynamic Objects permission D. Set the option Secure only for Dynamic updates E. None of the above |
|
Definition
| Answer: D Explanation: To make sure only the domain members are able to register their DNS records dynamically, set the option Secure only for Dynamic updates. This lets only the domain members register their DNS records dynamically. Reference: www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncf_imp_afpf.mspx |
|
|
Term
Certkiller.com has instructed you to decommission domain controllers that host all forest-wide operations master roles. Before you start taking down these domain controllers, you want to transfer all forest-wide operation master roles to another domain. Which two roles should you transfer to achieve this objective? (Choose two answers. Each answer is a part of the complete solution) A. Domain naming master B. Secondary domain master C. Forest-wide server master roles D. Schema master E. PDC Master |
|
Definition
Answer: A,D Explanation: To transfer all forest-wide operation master roles to another domain, you should transfer Domain naming master and Schema master. Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest. Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest. Reference: http://support.microsoft.com/kb/324801 |
|
|
Term
Certkiller.com has a single Active Directory domain. The domain controllers run Windows Server 2003. You are instructed to upgrade all domain controllers to Windows Server 2008. To accomplish this task, you have to configure the Active Directory environment to support the application of multiple password policies. What should you do to achieve this task? A. Create four Active Directory sites B. Execute dcpromo /adv on all domain controllers C. Execute dcpromo /adv on only 2 domain controllers D. Set the functional level of the domain to Windows Server 2008 |
|
Definition
|
|
Term
Certkiller.com has an Active Directory forest that hosts Windows Server 2003 domain controllers only. You are instructed to install Windows Server 2008 domain controllers. To do that, you need to prepare the Active Directory domain for the installation of Windows Server 2008 domain controllers. Which of the following two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of a complete solution) A. Raise the domain controller functional level to Windows Server 2008 B. Execute the adprep /domain command on the server C. Raise the forest functional level to Windows Server 2008 D. Execute the adprep /forest command on the server |
|
Definition
|
|
Term
Certkiller.com has two Active Directory forests called Eb1.com and Eb2.com. Both forests have domain controllers that run Windows Server 2008. The domain functional level of Eb1.com is Windows Server 2008. The domain functional level of Eb2.com is Windows Server 2003 Native mode. As per instructions, you configure an external trust between Eb1.com and Eb2.com. To achieve this, you need to enable the Kerberos AES encryption option. What should you do to achieve this task? A. Raise the forest functional level of Eb2.com to Windows Server 2008 B. Configure a new forest trust and enable forest-wide authentication C. Drop the forest functional level of Eb1.com to Windows Server 2003 D. Raise the domain functional level of Eb2.com to Windows Server 2008 |
|
Definition
|
|
Term
Certkiller.com has an Active Directory forest with a single domain. The domain has Windows Server 2008 at its functional level. You are instructed to create a global distribution group and add users to it. After creating the group and adding users, you create a shared folder on a Windows Server 2008 member server and place the global distribution group in a domain local group that has access to the shared folder. What should you do to ensure that the users can access the shared folder? A. Rename the global distribution group to a universal distribution group B. Change the forest functional level to Windows Server 2008 C. Add Domain Administrators to the global distribution group D. Modify the group type of the global distribution group to a security group |
|
Definition
|
|
Term
Certkiller.com has a single Active Directory domain. All the domain controllers run Windows Server 2003. You install Windows Server 2008 on a server. You need to ensure that the new server is added as a domain controller in the domain. What should you do to achieve this task? A. Execute dcpromo /controllerprep on a new server B. Run the adprep /forestprep command on a domain controller C. Run adprep /rodcprep on a new server D. Run dcpromo /createaccount on a domain controller |
|
Definition
|
|
Term
Certkiller.com has a single Active Directory domain named ad.Certkiller.com. Windows Server 2008 is installed on all domain controllers. The domain functional level and forest functional level are set to Windows 2000 native mode. You have to ensure the UPN suffix for Certkiller.com is available for user accounts. What should you do first to achieve this task? A. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to Certkiller.com. B. Add the new UPN suffix to the forest. C. Raise the Certkiller.com domain functional level to Windows Server 2003 or Windows Server 2008. D. Raise the Certkiller.com forest functional level to Windows Server 2003 or Windows Server 2008. |
|
Definition
|
|
Term
Certkiller.com has offices in North America and Asia. It has an Active Directory forest with two domains. You are assigned the task of reducing the time required to authenticate users from the el.as.Certkiller.com domain when they access resources in the tests.na.Certkiller.com domain. What should you do to achieve this task? A. Create a one-way shortcut trust from tests.na.Certkiller.com to el.as.Certkiller.com. B. Increase the replication interval for the DEFAULTIPSITELINK site link. C. Create a one-way shortcut trust from el.as.Certkiller.com to tests.na.Certkiller.com. D. Increase the replication interval for all connection objects. |
|
Definition
|
|
Term
Certkiller.com network has an Active Directory forest that contains one parent domain and one child domain. The child domain has two domain controllers that run Windows Server 2008. All user accounts from the child domain are migrated to the parent domain. The child domain is scheduled to be decommissioned. You need to remove the child domain from the Active Directory forest. What are two possible ways to achieve this goal? (Choose two answers. Each answer is part of the complete solution.) A. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory Domain Services role. B. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain. C. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationship between the parent domain and the child domain. D. Run the Computer Management console to stop the Domain Controller service on both domain controllers in the child domain. |
|
Definition
|
|
Term
Certkiller.com network consists of a single Active Directory domain. The functional level of the forest is Windows Server 2008. You need to create multiple password policies for users in your domain. What should you do? A. From the ADSI Edit snap-in, create multiple Password Setting objects. B. From the Group Policy Management snap-in, create multiple Group Policy objects. C. From the Schema snap-in, create multiple class schema objects. D. From the Security Configuration Wizard, create multiple security policies. |
|
Definition
|
|
Term
Certkiller.com has a network consisting of a single Active Directory domain. All domain controllers run Windows Server 2003. Certkiller.com instructs you to upgrade all domain controllers to Windows Server 2008. After upgrading the domain controllers, you need to ensure that the ebsysvolume share replicates by using DFS Replication (DFS-R). What should you do to achieve this task? A. Run dfsutil /addrot:ebsysvolume at the command prompt B. Run netdom /dfs-r from the command prompt C. Run dcpromo /attend:attendfile.xml D. Raise the functional level of the domain to Windows Server 2008 |
|
Definition
|
|
Term
Certkiller.com has a network that consists of a single Active Directory domain. Windows Server 2008 is installed on all domain controllers in the network. You are instructed to capture all replication errors from all domain controllers to a central location. What should you do to achieve this task? A. Initiate the Active Directory Diagnostics data collector set B. Set event log subscriptions and configure it C. Initiate the System Performance data collector set D. Create a new capture in the Network Monitor |
|
Definition
|
|
Term
Certkiller.com has an existing Active Directory site named esite4. You create a new Active Directory site and name it esite5. To configure Active Directory replication between esite4 and esite5, you install a new domain controller and create the site link between esite4 and esite5. What should you do next to achieve this task? A. Use the Active Directory Sites and Services console to configure the new domain controller as a preferred bridgehead server for esite4. B. Use the Active Directory Sites and Services console to decrease the site link cost between esite4 and esite5. C. Use the Active Directory Sites and Services console to assign a new IP subnet to esite5. Move the new domain controller object to esite5. D. Use the Active Directory Sites and Services console to configure a new site link bridge object. |
|
Definition
|
|
Term
Certkiller.com has a main office and three branch offices. Each office is configured as a separate Active Directory site that has its own domain controller. You disable an account that has administrative rights. You need to immediately replicate the disabled account information to all sites. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) A. From the Active Directory Sites and Services console, select the existing connection objects and force replication. B. From the Active Directory Sites and Services console, configure all domain controllers as global catalog servers. C. Use Repadmin.exe to force replication between the site connection objects. D. Use Dsmod.exe to configure all domain controllers as global catalog servers. |
|
Definition
|
|
Term
Certkiller.com has a main office and 15 branch offices. An Active Directory site with one domain controller is installed in each office. Only domain controllers in the main office are configured as Global Catalog servers. On the domain controllers in the branch offices, you need to deactivate the Universal Group Membership Caching (UGMC) option. However, you need to deactivate UGMC on a certain level. On which level should you deactivate UGMC? A. Site B. Domain controllers C. Forest D. Connection object |
|
Definition
|
|
Term
Certkiller.com has an Active Directory domain and two domain controllers named CK1 and CK2. CK1 hosts the Schema Master role. Suddenly CK1 fails. To rectify the problem, you log on to Active Directory using an administrator account. You try to transfer the Schema Master operations role, but you fail. What should you do to ensure that CK2 holds the Schema Master role? A. Register Schemamt.dll on the Active Directory domain and start the Active Directory Schema snap-in B. Configure CK2 as a Primary domain controller C. Join the Schema Administrators group and modify the Schema settings to save records on CK2 D. Seize the Schema Master role on CK2 E. None of the above |
|
Definition
D Explanation: To ensure that CK2 holds the Schema Master role, you should seize the Schema Master role on CK2. Seizing the schema master role is a drastic step that should be considered only if the current operations master will never be available again. So to transfer the schema master operations role, you have to seize it on CK2. Reference: http://technet2.microsoft.com/windowsserver/en/library/d4301a14-dd18-4b3c-a3cc-ec9a773f7ffb1033.mspx?mfr |
|
|
Term
Exhibit: (boot disk, 20GB free space, size 60GB) (D, 250GB, 260GB) A server named CK-LDS1 resides in the Certkiller LAN and has the Active Directory Domain Services (AD DS) role and the Active Directory Lightweight Directory Services (AD LDS) role installed. An AD LDS instance named CKLDS1 stores its data on the default application directory partition. The drive letters, size and space available on the CK-LDS1 server are configured as shown in the table exhibit. You find that the AD LDS database files are growing quickly, so you decide to relocate the AD LDS application partition to the D: drive where more space is available. Which three actions should you perform, and in what order? Note: Some answer choices will not be used. Available steps: run the net start LDS1 command, run the net stop LDS1 command, run the net stop "domain controller" command, run the net start "domain controller" command, use the Ntdsutil tool to move the database files, use the Xcopy command to move the database files
|
|
Definition
1. Run the net stop LDS1 command 2. Use Ntdsutil to move the database files 3. Run the net start LDS1 command |
|
|
Term
Certkiller.com has a network that is comprised of a single Active Directory domain. As an administrator at Certkiller.com, you install Active Directory Lightweight Directory Services (AD LDS) on a server that runs Windows Server 2008. To enable Secure Sockets Layer (SSL) based connections to the AD LDS server, you install certificates from a trusted Certification Authority (CA) on the AD LDS server and client computers. Which tool should you use to test the certificate with AD LDS? A. Ldp.exe B. Active Directory Domain Services C. ntdsutil.exe D. Lds.exe E. wsamain.exe F. None of the above |
|
Definition
A Explanation: To test the certificate with AD LDS, you should use the Ldp tool. To establish SSL connections to AD LDS, a certificate should be present on the server. To set up SSL for AD LDS, a certificate marked for server authentication from a trusted CA should be installed on a computer running AD LDS. To test the certificate with the AD LDS server, you should run ldp.exe, which has its own GUI. You should run Ldp.exe on a computer running AD LDS and connect to the local instance of AD LDS by employing SSL. |
|
|
Term
The Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) roles are installed on a Windows Server 2008 server named Certkiller-LDS1. An AD LDS instance named LDS1 is storing its data on the default application directory partition. The AD LDS database files are growing very fast and you need to relocate the AD LDS application partition to the D: drive. What actions do you need to perform to do this? (Select 3. Each option will form a part of the answer) A. Run the net stop "Domain Controller" command B. Run the net stop Certkiller-LDS1 command C. Use the Ntdsutil tool to move the database files D. Run the xcopy command to move the database files E. Run the net start Certkiller-LDS1 command F. Run the net start "Domain Controller" command |
|
Definition
Answer: B,C,E Explanation: To relocate the AD LDS application partition to the D: drive, you need to use the Ntdsutil tool. Ntdsutil.exe is a command-line tool that allows you to manage Active Directory. For example, it can be used to perform database maintenance of Active Directory, manage and control single master operations, remove metadata left behind by domain controllers, and create application directory partitions. Before you use the Ntdsutil tool, you need to stop the NTDS service using the net stop command on the Certkiller-LDS1 server, and after moving the partition, you need to start the NTDS service again using the net start command on the Certkiller-LDS1 server. Reference: Using Ntdsutil http://technet2.microsoft.com/windowsserver/en/library/5b1d983d-ffab-4514-a95e-6aa0420dacb51033.mspx?mf Reference: Event ID 1136 - Schema Operations http://technet2.microsoft.com/windowsserver2008/en/library/6a5d89c1-81df-445b-b67d-d5ce9b0fed921033.msp |
|
|
Term
You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensure that data and log files are backed up regularly. This will also ensure the continued availability of data to applications and users in the event of a system failure. Because you have limited media resources, you decide to back up only a specific AD LDS instance instead of backing up the entire volume. What should you do to accomplish this task? A. Use Windows Server backup utility and enable checkbox to take only backup of database and log files of AD LDS B. Use Dsdbutil.exe tool to create installation media that corresponds only to the AD LDS instance C. Move AD LDS database and log files on a separate volume and use windows server backup utility D. None of the above |
|
Definition
Answer: B Explanation: To back up only a specific AD LDS instance instead of backing up the entire volume, you need to use the Dsdbutil.exe tool to create installation media that corresponds only to the AD LDS instance. The Dsdbutil.exe tool allows you to create installation media that corresponds only to the AD LDS instance that you want to back up, instead of backing up entire volumes that contain the AD LDS instance. Reference: Step 1: Back Up AD LDS Instance Data http://technet2.microsoft.com/windowsserver2008/en/library/8e82c111-32da-430e-a954-c0dbe9f4607f1033.msp |
|
|
Term
Certkiller.com has installed a server. You are assigned to install and run an instance of Active Directory Lightweight Directory Service (AD LDS). After doing necessary configurations, you start an instance of AD LDS successfully. Now you need to create new Organizational Units in the AD LDS application directory partition. What should you do to create new OUs in the AD LDS application directory partition? A. To create the OUs, use the dsmod OU command B. Employ ADSI Edit Snap-in to create the OUs on the AD LDS application directory partition C. Create OUs by executing dsadd OU command D. Create OUs on the AD LDS application directory partition by using Active Directory Users and Computers snap-in. |
|
Definition
B Explanation: To create new OUs in the AD LDS application directory partition, you should use the ADSI Edit snap-in. ADSI Edit is a snap-in that runs in a Microsoft Management Console (MMC). The default console containing ADSI Edit is AdsiEdit.msc. If this snap-in is not added in your MMC, you can add it through the Add/Remove Snap-in menu option in the MMC, or you can open AdsiEdit.msc from Windows Explorer. |
|
|
Term
| Certkiller.com has a server that runs on Windows Server 2008. The server also has
an instance of Active Directory Lightweight Directory Services (AD LDS) running.
In order to test AD LDS, you need to replicate the AD LDS instance on a test
computer located on the network. What should you do to achieve this objective?
A. Execute AD LDS Setup wizard on the test computer to create and install a replica of AD LDS.
B. Execute repadmin /bs command on the test computer
C. Install and configure a new AD LDS instance on the test computer by copying and pasting the
entire partition on the test computer
D. Execute the Dsmgmt command on the test computer and create a naming context |
|
Definition
| Answer: A Explanation: To replicate the AD LDS instance on a test computer located on the network, you should execute the AD LDS Setup wizard on the test computer to create and install a replica of AD LDS. This is the only way to replicate the AD LDS instance on another computer on the network. The setup wizard has the option to replicate the AD LDS instance on another computer. |
|
|
Term
Certkiller.com has a server named CKD1. The Active Directory Domain Services (AD DS) role and the Active Directory Lightweight Services (AD LDS) role are installed on CKD1. An instance of AD LDS named ELDS1 stores its data on the C: drive. You have to relocate the ELDS1 instance to the D: drive. Which three actions should you perform in sequence to achieve this task? (To answer, move the three appropriate actions from the list of actions on the left to the list on the right in the correct order.) Use the ntdsutil command to move the database files, use the windows backup tool to backup and restore the LDSI instance to the D: Drive, run the net start LDSI command, run the net stop LDSI command, run the net start "Active Directory Services", run the xcopy command to move the database files, run the net stop "Active Directory Domain Services" command |
|
Definition
1. Run the net stop LDS1 command 2. Use Ntdsutil to move the database files 3. Run the net start LDS1 command |
|
|
Term
Certkiller.com has a server with Active Directory Rights Management Services (AD RMS) server installed. Users have computers with Windows Vista installed on them with an Active Directory domain installed at Windows Server 2003 functional level. As an administrator at Certkiller.com, you discover that the users are unable to benefit from AD RMS to protect their documents. You need to configure AD RMS to enable users to use it and protect their documents. What should you do to achieve this functionality? A. Configure an email account in Active Directory Domain Services (AD DS) for each user. B. Add and configure ADRMSADMIN account in local administrators group on the user computers C. Add and configure the ADRMSSRVC account in AD RMS server's local administrator group D. Reinstall the Active Directory domain on user computers E. All of the above |
|
Definition
Answer: A Explanation: To configure AD RMS to enable users to use it and protect their documents, you should configure an email account in Active Directory Domain Services (AD DS) for each user. To regulate access to rights-protected content for all AD RMS users in the AD DS forest, AD RMS must use AD DS. AD RMS cannot grant licenses to publish and consume rights-protected content if AD DS is not available to work with AD RMS. You should not add and configure the ADRMSADMIN account in the local administrators group on the user computers because AD DS is needed for AD RMS to function properly. Reference: http://technet2.microsoft.com/windowsserver2008/en/library/c8f83d5b-e10d-4c31-8af9-d2afb076dbf81033.mspx |
|
|
Term
Certkiller.com has a domain controller that runs Windows Server 2008. The Certkiller.com network boasts 40 Windows Vista client machines. As an administrator at Certkiller.com, you want to deploy Active Directory Certificate Services (AD CS) to authorize the network users by issuing digital certificates. What should you do to manage certificate settings on all machines in a domain from one main location? A. Configure Enterprise CA certificate settings B. Configure Enterprise trust certificate settings C. Configure Advance CA certificate settings D. Configure Group Policy certificate settings E. All of the above |
|
Definition
Answer: D Explanation: To manage certificate settings on all machines in a domain from one main location, you should configure Group Policy certificate settings. The main feature of certificate settings in Group Policy is to allow administrators to manage certificate settings for the entire network from a single location. When you configure certificate settings by using Group Policy, it changes the settings throughout the domain. AD CS is a certificate service that is a type of server role in Windows Server 2008. You can use Server Manager to configure AD CS. |
|
|
Term
Certkiller has an Active Directory Rights Management Service (AD RMS) server. Users' machines are running Windows Vista and an Active Directory domain is configured at Microsoft Windows Server 2003 functional level. Users are complaining that they cannot protect their documents. You need to configure AD RMS so that users are able to protect their documents. What should you do? A. Use a group policy to install the AD RMS client computers B. Add the ADRMSADMIN account to the local administrators group on the computers C. Add the ADRMSSRVC account to the local administrators on the AD RMS server D. Establish an e-mail account in Active Directory Domain Services (AD DS) for each user E. Upgrade the active directory domain to the functional level of Windows 2008 server |
|
Definition
Answer: D Explanation: To configure AD RMS so that users are able to protect their documents, you can establish an e-mail account in Active Directory Domain Services (AD DS) for each user. AD RMS can be enabled in Microsoft Word, Outlook, or PowerPoint in Microsoft Office 2007 applications that can be used to access or send information outside the organization. For additional security, AD RMS can be integrated with other technologies such as smart cards. Reference: Active Directory Rights Management Services Overview http://technet2.microsoft.com/windowsserver2008/en/library/74272acc-0f2d-4dc2-876f-15b156a0b4e01033.msp |
|
|
Term
Certkiller has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers. Please see exhibit B. Client computers run Windows XP and Windows Vista. All domain controllers are running Windows Server 2008. Exhibit B: (Certkiller_DC1, Windows Server 2008, domain controller) (Certkiller_DC2, Windows Server 2008, domain controller) (Certkiller_SRV5, Windows Server 2008, file and print server) You need to deploy Active Directory Rights Management System (AD RMS) to secure all documents and spreadsheets and to provide user authentication. What do you need to configure in order to complete the deployment of AD RMS? A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Certkiller_DC1 B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Certkiller_DC1 C. Upgrade all client computers to Windows Vista. Install AD RMS on Certkiller_SRV5 D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Certkiller_SRV5 E. None of the above |
|
Definition
Answer: D Explanation: To deploy Active Directory Rights Management System (AD RMS) to secure all documents and spreadsheets and to provide user authentication, you need to ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on Certkiller_SRV5. You can only deploy AD RMS on a member server in the domain and not on domain controllers. Therefore, you cannot install AD RMS on Certkiller_DC1, which is a domain controller, but you can install it on Certkiller_SRV5, which is a file and print server. Reference: Pre-installation Information for Active Directory Rights Management Services http://technet2.microsoft.com/windowsserver2008/en/library/878e9550-5966-40f3-862c-7ea309ddb0ed1033.msp Reference: Active Directory Rights Management Services Overview http://technet2.microsoft.com/windowsserver2008/en/library/74272acc-0f2d-4dc2-876f-15b156a0b4e01033.msp |
|
|
Term
Certkiller has a server with Active Directory Rights Management Services (AD RMS) server installed. Users have computers with Windows Vista installed on them with an Active Directory domain installed at Windows Server 2003 functional level. As an administrator at Certkiller.com, you discover that the users are unable to benefit from AD RMS to protect their documents. You need to configure AD RMS to enable users to use it and protect their documents. What should you do to achieve this functionality? A. Configure an email account in Active Directory Domain Services (AD DS) for each user. B. Add and configure ADRMSADMIN account in local administrators group on the user computers C. Add and configure the ADRMSSRVC account in AD RMS server's local administrator group D. Reinstall the Active Directory domain on user computers E. All of the above |
|
Definition
| Answer: A Explanation: To configure AD RMS to enable users to use it and protect their documents, you should configure an email account in Active Directory Domain Services (AD DS) for each user. Users can use the email account application to protect their documents. |
|
|
Term
Certkiller.com has a server that runs Windows Server 2008. Active directory forest is configured at the functional level. To enable users to have database services on the server, you install Microsoft SQL Server 2005 and implement Active Directory Rights Management Service (AD RMS). While testing the server, you attempt to open the AD RMS administration website. You receive an error message saying: "SQL Server does not exist or access is denied". You want to rectify this problem and open the AD RMS administration website. Which two actions should you perform to achieve this objective? (Select two answers. Each answer is part of the complete solution.) A. Install and configure Message Queuing B. Restart the Internet Information Server (IIS) C. Delete the AD RMS instance and the SQL server and install it again. D. Start the MSSQLSVC service |
|
Definition
B,D Explanation: To rectify the SQL Server problem, you have to restart the Internet Information Server (IIS). The IIS server will be refreshed. Then you start the MSSQLSVC service to start the SQL Server. This will enable you to access the database from the AD RMS administration website. |
|
|
Term
You are an administrator at Certkiller.com. Certkiller has a RODC (read-only domain controller) server at a remote location. The remote location doesn't have proper physical security. You need to activate non-administrative accounts' passwords on that RODC server. Which of the following actions should be considered to populate the RODC server with non-administrative accounts' passwords? A. Delete all administrative accounts from the RODC's group B. Configure the permission to Deny on Receive for administrative accounts on the security tab for Group Policy Object (GPO) C. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied group D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators. E. None of the above |
|
Definition
Answer: C Explanation: To populate the RODC server with non-administrative accounts' passwords, you should configure the administrative accounts to be added in the Domain RODC Password Replication Denied Group. The Password Replication Policy is like an access control list. It verifies whether the RODC is permitted to cache a password. When the RODC receives a user or computer logon request, it forwards the request to the Password Replication Policy to determine if the password for that account should be cached. When the Password Replication Policy allows the RODC to cache a password, the same account can perform subsequent logons in a more efficient manner. For non-administrative passwords, you have to add the administrative accounts in the RODC password replication denied group so that their passwords cannot be cached. The Password Replication Policy lists the accounts that are permitted to be cached and the accounts that are denied from being cached. |
|
|
Term
Certkiller.com has a main office and a branch office. Certkiller.com's network consists of a single Active Directory forest. Some of the servers in the network run Windows Server 2008 and the rest run Windows Server 2003. You are the administrator at Certkiller.com. You have installed Active Directory Domain Services (AD DS) on a computer that runs Windows Server 2008. The branch office is located in a physically insecure place. It has no IT personnel onsite and there are no administrators there. You need to set up a Read-Only Domain Controller (RODC) on the Server Core installation computer in the branch office. What should you do to set up the RODC on the computer in the branch office? A. Execute an attended installation of AD DS B. Execute an unattended installation of AD DS C. Execute RODC through AD DS D. Execute AD DS by using deploying the image of AD DS E. None of the above |
|
Definition
Answer: B Explanation: To set up an RODC on the computer in the branch office, you should perform an unattended installation of AD DS. RODC is a new type of domain controller offered by Windows Server 2008. It is a platform that hosts a read-only replica of the Active Directory database. Through RODC, you can deploy a domain controller easily at locations where physical security can be compromised, such as a branch office or a perimeter network. You can install RODC on a Server Core installation of Windows Server 2008. You need to be a member of the Domain Admins group or have the authority to perform the installation in order to install RODC. To install RODC on a Server Core system, you need to perform an unattended installation of AD DS. The main purpose of unattended installations is to install without responding to a user interface prompt. You should not perform an attended installation of AD DS because you won't be able to install RODC on a Server Core installation. Only unattended installations of AD DS can be performed to install RODC. |
|
|
Term
As the Certkiller administrator you had installed a read-only domain controller (RODC) server at remote location. The remote location doesn't provide enough physical security for the server. What should you do to allow administrative accounts to replicate authentication information to Read-Only Domain Controllers? A. Remove any administrative accounts from RODC's group B. Add administrative accounts to the domain Allowed RODC Password Replication group C. Set the Deny on Receive as permission for administrative accounts on the RODC computer account Security tab for the Group Policy Object (GPO) D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link the GPO to the remote location. Activate the Read Allow and the Apply group policy Allow permissions for the administrators on the Security tab for the GPO. E. None of the above |
|
Definition
Answer: B Explanation: To allow administrative accounts to replicate authentication information to Read-Only Domain Controllers, you need to add administrative accounts to the domain Allowed RODC Password Replication group. By default, only the members of the Allowed RODC Password Replication group are allowed to replicate authentication information to Read-Only Domain Controllers. The actual replication would happen only when the members of this group are authenticated by the RODC. Note that the Administrators group is explicitly denied such replication. Reference: Security MVP Article of the Month - December 2007 / Physical Security http://www.microsoft.com/technet/community/columns/secmvp/sv1207.mspx |
|
|
Term
One of the remote branch offices of Certkiller is running Windows Server 2008 with a read-only domain controller (RODC) installed. For security reasons, you don't want some critical credentials (such as passwords and encryption keys) to be stored on the RODC. What should you do so that these credentials are not replicated to any RODCs in the forest? (Select 2) A. Configure RODC filtered attribute set on the server B. Configure RODC filtered set on the server that holds Schema Operations Master role C. Delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain D. Configure forest functional level server for Windows server 2008 to configure filtered attribute set E. None of the above |
|
Definition
Answer: B,D Explanation: To ensure the critical credentials are not replicated to any RODCs in the forest, you need to first configure a filtered attribute set. The attributes that are defined in the RODC filtered attribute set are not allowed to replicate to any RODCs in the forest. You need to then configure the RODC filtered set on the server that holds the Schema Operations Master role because the RODC filtered attribute set is configured on the server that holds the schema operations master role. You need to use forest functional level server for Windows Server 2008 to configure the filtered attribute set because RODC can be configured from a Windows Server 2003 domain controller to replicate the attributes defined in the RODC filtered attribute set by malicious users and the replication request may succeed. However, if the forest functional level server is Windows Server 2008, then an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest. Reference: AD DS: Read-Only Domain Controllers / RODC filtered attribute set http://technet2.microsoft.com/windowsserver2008/en/library/ce82863f-9303-444f-9bb3-ecaf649bd3dd1033.msp |
|
|
Term
Certkiller.com has a main office and branch office in another city. You are assigned to deploy and implement a Read-only Domain Controller (RODC) at the branch office. You deploy a RODC that runs Windows Server 2008. What should you do to ensure that the users at the branch office can log on to the domain using RODC? A. Use Password Replication Policy on the RODC B. Add RODC to the main office C. Deploy and configure a new bridgehead server in the branch office D. Deploy and configure a Password Replication Policy on the RODC in the main office |
|
Definition
Answer: A Explanation: To ensure that the users at the branch office can log on to the domain using the RODC, you should use a Password Replication Policy. RODCs don't cache any user or machine passwords. You can change this by adding a policy through each RODC's unique Password Replication Policy (PRP). A policy would create a group for each branch office with an RODC and add users in that branch office. An administrator can then allow password replication for the branch-office group. |
|
|
Term
Certkiller.com has a main office and 30 branch offices. To manage the network, each branch office has a separate Active Directory site that has a dedicated read-only domain controller (RODC). A branch office located in a far off location reports a robbery. The robbers have stolen the RODC server. Which utility should you use to recover the user accounts that were cached on the stolen RODC server? A. Execute Dsmod.exe B. Use Active Directory Users and Computers C. Use Active Directory Sites and Computers D. Execute Ntdsutil.exe with -ato parameter |
|
Definition
Answer: B Explanation: You should use Active Directory Users and Computers to recover the user accounts cached on the stolen RODC server. Active Directory Users and Computers contains user accounts and OUs. You can easily get the user accounts cached on the stolen RODC server from there. |
|
|
Term
Certkiller.com boasts a main office and 20 branch offices. Configured as a separate site, each branch office has a Read-Only Domain Controller (RODC) server installed. Users in remote offices complain that they are unable to log on to their accounts. What should you do to make sure that the cached credentials for user accounts are only stored in their local branch office RODC server? A. Open the RODC computer account security tab and set Allow on the Receive as permission only for the users that are unable to log on to their accounts B. Add a password replication policy to the main Domain RODC and add user accounts in the security group C. Configure a unique security group for each branch office and add user accounts to the respective security group. Add the security groups to the password replication allowed group on the main RODC server D. Configure and add a separate password replication policy on each RODC computer account |
|
Definition
Answer: D Explanation: To ensure that the cached credentials for user accounts are only stored in their local RODC server, you have to configure and add a separate password replication policy on each RODC computer account. By adding a separate PRP, the user accounts in each branch office will be able to authenticate their accounts. |
|
|
Term
Certkiller.com has a main office and a branch office that are configured as a single Active Directory forest. The functional level of the Active Directory forest is Windows Server 2003. There are four Windows Server 2003 domain controllers in the main office. You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch office. Which two actions should you perform? (Choose two answers. Each answer is a part of the complete solution.) A. Run the adprep /rodcprep command. B. Deploy a Windows Server 2008 domain controller at the main office. C. Raise the functional level of the domain to Windows Server 2008. D. Raise the functional level of the forest to Windows Server 2008. |
|
Definition
|
|
Term
Certkiller.com runs Windows Server 2008 on all of its servers. It has a single Active Directory domain and it uses Enterprise Certificate Authority. The security policy at Certkiller.com makes it necessary to examine revoked certificate information. You need to make sure that the revoked certificate information is available at all times. What should you do to achieve that? A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer certificates and link the GPO to the domain. B. Configure and use a GPO to publish a list of trusted certificate authorities to the domain C. Configure and publish an OCSP (Online certificate status protocol) responder through ISAS (Internet Security and Acceleration Server) array. D. Use network load balancing and publish an OCSP responder E. None of the above |
|
Definition
Answer: D Explanation: To ensure that the revoked certificate information is available at all times, you should use network load balancing and publish an OCSP responder. OCSP is an online responder that can receive a request to check for revocation of a certificate without the client having to download the entire CRL. This process speeds up certificate revocation checking and reduces the network bandwidth used for this process. This can be helpful especially when such checking is done over slow WAN links. |
|
|
Term
Certkiller.com has a software evaluation lab. There is a server in the evaluation lab named CKT. CKT runs Windows Server 2008 and Microsoft Virtual Server 2005 R2. CKT has 200 virtual servers running on an isolated virtual segment to evaluate software. To connect to the internet, it uses a physical network interface card. Certkiller.com requires every server in the company to access the Internet. Certkiller.com security policy dictates that the IP address space used by the software evaluation lab must not be used by other networks. Similarly, it states that the IP address space used by other networks should not be used by the evaluation lab network. As an administrator, you find that the applications tested in the software evaluation lab need to access the normal network to connect to the vendors' update servers on the internet. You need to configure all virtual servers on the CKT server to access the internet. You also need to comply with the company's security policy. Which two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the complete solution.) A. Trigger the Virtual DHCP server for the external virtual network and run ipconfig /renew command on each virtual server B. On CKT's physical network interface, activate the Internet Connection Sharing (ICS) C. Use Certkiller.com intranet IP addresses on all virtual servers on CKT. D. Add and install a Microsoft Loopback Adapter network interface on CKT. Use a new network interface and create a new virtual network. E. None of the above |
|
Definition
Answer: A,D Explanation: To configure all virtual servers on the CKT server to access the internet and comply with the company's security policy, you should trigger the virtual DHCP server for the external virtual network and run the ipconfig /renew command on each virtual server. Then add and install a Microsoft Loopback Adapter network interface on CKT. Create a virtual network using the new interface. When you configure the Virtual DHCP server for the external virtual network, a set of IP addresses is assigned to the virtual servers on the CKT server. By running the ipconfig /renew command, the new IP addresses will be renewed. The Microsoft Loopback Adapter network interface will ensure that the IP address space used by other networks is not used by the virtual servers on the CKT server. You create a new virtual network on the new network interface, which will enable you to access the internet. |
|
|
Term
Certkiller has an Active Directory forest with single domain. Some other applications are also hosted on its perimeter network. The organization wants single sign-on to all applications hosted on perimeter network. The company has a domain member server with Active Directory Federation Services (AD FS) role installed. You are required to configure the AD FS trust policy to populate AD FS tokens with employee's information from Active directory domain. What should you do? A. Add and configure a new account store B. Add and configure a new organization claim C. Add and configure a new account partner D. Add and configure a new application E. None of the above |
|
Definition
Answer: A Explanation: To configure the AD FS trust policy to populate AD FS tokens with employee's information from Active directory domain, you need to add and configure a new account store. AD FS allows the secure sharing of identity information between trusted business partners across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions. Because claims originate from an account store, you need to configure account store to configure the AD FS trust policy. Reference: Active Directory Federation Services http://msdn2.microsoft.com/en-us/library/bb897402.aspx |
|
|
Term
You had installed an Active Directory Federation Services (AD FS) role on a Windows Server 2008 server in your organization. Now you need to test the connectivity of clients in the network to ensure that they can successfully reach the new Federation server and that the Federation server is operational. What should you do? (Select all that apply) A. Go to Services tab, and check if Active Directory Federation Services is running B. In the event viewer, Applications, Event ID column, look for event ID 674. C. Open a browser window, and then type the Federation Service URL for the new federation server. D. None of the above |
|
Definition
Answer: B,C Explanation: To test the connectivity of clients in the network to ensure that they can successfully reach the new Federation server and Federation server is operational, you can look for event ID 674. This event verifies that the federation server was able to successfully communicate with the Federation Service. You can also open a browser window, and then type the Federation Service URL for the new federation server. The Federation Server Service page should appear along with a list of links that identify the Web methods that the Federation Service uses. The Federation Service URL should include the Domain Name System (DNS) host name of the federation server. Reference: Event ID 674 - Trust Policy and Configuration http://technet2.microsoft.com/windowsserver2008/en/library/71705c30-e97f-4e36-92ab-d33175bf588d1033.msp Reference: Verify That a Federation Server Is Operational http://technet2.microsoft.com/windowsserver2008/en/library/ecf28b0c-014 |
|
|
Term
As an administrator at Certkiller.com, you have installed an Active Directory forest that has a single domain. You have installed Active Directory Federation Services (AD FS) on the domain member server. What should you do to configure AD FS to make sure that AD FS token contains information from the Active Directory domain? A. Add a new account store and configure it B. Add a new resource partner and configure it C. Add a new resource store and configure it D. Add a new administrator account on AD FS and configure it E. None of the above |
|
Definition
Answer: A Explanation: To ensure that AD FS token contains information from the Active Directory domain, you should add a new account store and configure it accordingly. To add a new account store you can use AD FS console. By expanding the My organization, you right-click on the Account stores and create a new account store. The Add Account Store Wizard will guide you through the process. |
|
|
Term
Certkiller.com boasts a two-node Network Load Balancing cluster which is called web.CK1.com. The purpose of this cluster is to provide load balancing and high availability of the intranet website only. While monitoring the cluster, you discover that the users can view the Network Load Balancing cluster in their Network Neighborhood and they can use it to connect to various services by using the name web.CK1.com. You also discover that there is only one port rule configured for Network Load Balancing cluster. You have to configure web.CK1.com NLB cluster to accept HTTP traffic only. Which two actions should you perform to achieve this objective? (Choose two answers. Each answer is part of the complete solution) A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster console B. Run the wlbs disable command on the cluster nodes C. Assign a unique port rule for NLB cluster by using the NLB Cluster console D. Delete the default port rules through Network Load Balancing Cluster console |
|
Definition
Answer: A,D Explanation: To configure web.CK1.com NLB cluster to accept HTTP traffic only, you should first create a new rule for TCP port 80 by using the NLB cluster console. Then you should delete the default port rules through NLB Cluster console. By creating a new rule for TCP port 80, you configure the port to accept only HTTP traffic. Then deleting the default port rules ensures that those rules won't be implemented automatically. |
|
|
Term
Certkiller.com has an Active Directory domain. For regular checkups, you log on to the domain controller and open Microsoft Management Console (MMC). The Active Directory Schema snap-in is not available. What should you do to access the Active Directory Schema snap-in? A. Register Schmmgmt.dll B. Using a member account of the Schema Administrators group, log off and log on again C. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller D. Execute Ntdsutil.exe command to connect to the Schema Master operations master. |
|
Definition
|
|
Term
Certkiller.com has an Active Directory domain. Another administrator at Certkiller.com attempts to log on to a computer that was offline for 12 weeks. While accessing the computer, the administrator receives an error message that authentication has failed. What should you do to ensure that the administrator can log on to the computer? A. Disjoin the computer from the domain and rejoin it to the domain. Reset the computer account B. Delete the computer account from the organizational unit and then add the account again C. Execute the netsh command on the computer and set the machine options D. Execute netsh trust/reset command and join the computer to the domain again. E. None of the above |
|
Definition
Answer: A Explanation: To ensure that the administrator can log on to the computer, you should disjoin the computer from the domain and rejoin it again. Reset the computer account too. Due to long inactivity, the computer was not responding to the authentication query using the Active Directory records. So when you disjoin and rejoin the computer to the domain and reset the computer account, the Active Directory refreshes the records. After that the administrator can easily log on to the computer. |
|
|
Term
Certkiller.com has a network with a single Active Directory domain. There are two domain controllers installed which run Windows Server 2008. You have enabled the Audit account management policy and Audit directory services access settings for the entire domain. You must ensure that the changes made to Active Directory objects are logged. The changes logged must show the old and new values of any attribute. What should you do to achieve this task? A. Enable the Audit Directory services access setting and directory service changes by accessing Default Domain Controllers policy B. Disable Audit account management policy and enable it again C. Execute auditpol.exe and configure the security settings of the Domain Controllers organizational unit D. Execute Auditpol.exe and disable the default domain policy E. None of the above |
|
Definition
| Answer: C Explanation: To make sure the changes made to Active Directory objects are logged and the logs show the old and new values of any attribute, you should run auditpol.exe and configure the security settings for the Domain Controllers organizational unit. |
|
|
Term
Certkiller.com has an Active Directory domain which runs Windows Server 2008. A user attempts to log on to the domain from the client computer using his account. He receives the following message: "This account has expired. Contact your administrator to reactivate the account" What should you do to ensure that the user is able to log on to the domain using his account? A. Open the properties of the user account and change the option to "Never Expire" B. Open the properties of the user account and extend the Logon Hours setting C. Open the properties of the user account and modify the default domain policy to decrease the duration of account lockout. D. Change the password option to never expire in the user account properties |
|
Definition
|
|
Term
Certkiller.com has an Active Directory forest containing many domain controllers. All domain controllers run Windows Server 2008. Another administrator has accidentally deleted an organizational unit and its child objects. You have to perform an authoritative restore of the deleted organizational unit and its child objects. Which of the following four actions should you perform in sequence to achieve this task? (Move appropriate actions from the list of actions on the left to the answer area on the right. Arrange them in the correct order.) Restart the domain controller in safe mode, restart the domain controller, use the ntdsutil to make the organizational unit as authoritative, restart the domain controller in Directory Services Restore Mode, use the dsadd utility to recreate the organizational unit, restore the system state data to a date before the organizational unit was deleted |
|
Definition
1. Restart the domain controller in DSRM 2. Restore the system state data to a date before the organizational unit was deleted 3. Use the ntdsutil to make the organizational unit as authoritative |
|
|
Term
As an administrator at Certkiller.com, you create 200 new user accounts. The users are located in six different sites. The users report that when they try to log on, they receive the following error message: "The username or password is incorrect". You confirm that the user accounts exist and are enabled. You also confirm that the username and password are correct too. You have to identify the cause of this failure. You also need to ensure that the new users are able to log on using their accounts. What should you do to achieve this task? A. Repadmin B. Rsdiag C. Active Directory Domains and Trusts D. Rstools |
|
Definition
|
|
Term
Certkiller.com network consists of a single Active Directory domain. All domain controllers run Windows Server 2008. Some of the Lightweight Directory Access Protocol (LDAP) clients are using the largest amount of CPU resources on a domain controller. You need to identify those. What should you do to achieve this task? A. Execute the Active Directory Diagnostics Data Collector Set and review the Active Directory report B. Open Resource Monitor and review the performance data C. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report. D. Review the Hardware Events log in the Event Viewer. |
|
Definition
|
|
Term
Certkiller.com has an Active Directory domain with an organizational unit called Sales. This organizational unit hosts two global security groups named Sales directors and Sales executives. Certkiller has instructed you to apply desktop restrictions to the Sales executives group. However, the desktop restrictions should not be applied to the Sales directors group. You create a GPO named Desktop Lockdown and link it to the Sales organizational unit. What should you do next? A. Set the Deny Apply Group Policy permission for the Sales directors on the DesktopLockdown GPO B. Set the Deny Apply Group Policy permission for the Sales Executives on the DesktopLockdown GPO C. Set the Allow Apply Group Policy permission for the Local domain users on DesktopLockdown GPO D. Set the Allow Apply Group Policy permission for the Authenticated Users on DesktopLockdown GPO |
|
Definition
|
|
Term
Certkiller.com has an Active Directory forest which runs Windows Server 2008. It has branch offices all around the world. The forest includes finance organizational units for an office in the following locations: New York, London, Amsterdam, Rome. Each location has a child organizational unit named finance. The finance organizational unit hosts all the users and computers in the finance department. The offices in London, Amsterdam and New York are connected by T1 connections. However, the office in Rome is connected by a 128-Kbps ISDN connection. Certkiller.com has instructed you to install an application on all computers in the finance department. Which two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the complete solution) A. Create a Group Policy Object (GPO) named accountingtree Install that assigns the application to the computers. Link the GPO to each finance organizational unit B. Create a GPO named accounting tree install that assigns the application to each user in the organizational unit. Link the GPO to each finance organizational unit C. Change the slow link detection setting to 2,544 Kbps (T1) in the GPO D. Disable the slow link detection setting in the GPO |
|
Definition
|
|
Term
Certkiller.com has purchased a new application to deploy on 200 computers. You are instructed to deploy the application on all 200 computers. To install the application, you have to modify the registry on each target computer before installing the application. Registry modifications are in a file that has an .adm extension. You have to prepare the target computers for the application. What should you do to achieve this task? A. Create a new Group Policy Object (GPO) and import the .adm file into it. Edit the GPO and link it to an organizational unit that contains the target computers B. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each target computer. C. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRCmp CONTAINER-DN command on each target computer. D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRUsr CONTAINER-DN command on each target computer. |
|
Definition
|
|
Term
| Certkiller.com has an Active Directory forest containing eight linked GPOs. One of the eight GPOs publishes applications to user objects. One of the users reports that the application is not available for installation. You have to identify whether the GPO is applied. What should you do to achieve this task? A. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.
B. Run the GPRESULT /S /Z command at the command prompt.
C. Run the Group Policy Results utility for the computer.
D. Run the Group Policy Results utility for the user. |
|
Definition
|
|
Term
Certkiller.com has an Active Directory forest that contains Windows Server 2008 domain controllers and DNS servers. All client computers run Windows XP. You need to use your client computers to edit domain-based GPOs by using the ADMX files that are stored in the ADMX central store. What should you do? A. Add your account to the Domain Admins group. B. Create a folder on the Primary Domain Controller (PDC) emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the PolicyDefinitions folder. C. Upgrade your client computers to Windows Vista. D. Install .NET Framework 3.0 on your client computer. |
|
Definition
|
|
Term
Certkiller.com has an Active Directory forest. There is a main office and five branch offices. Each branch office has an organizational unit and a child organizational unit called Accounts. The Accounts organizational unit contains all users and computers of the accounts department. You are directed to install Peachtree application only on the computers in the finance organizational unit. To install the application, you create a GPO named FinanceApp. What should you do next to achieve this task? A. Create a GPO to assign application to the user groups in the accounts organizational unit. Link the FinanceApp GPO to the organizational unit. B. Create a GPO and assign the application to each computer account. Link the FinanceApp GPO to the Accounts organizational unit. C. Configure the GPO to assign the application to the computer account. Link the FinanceApp GPO to the organizational unit in each location D. Configure the GPO to assign the application to the organizational unit. Link the FinanceApp GPO to the Accounts organizational unit. |
|
Definition
|
|
Term
Certkiller.com has an Active Directory forest that hosts client computers running Windows Vista and Windows XP. Certkiller.com has directed you to ensure that users are able to install approved application updates on their computers. Which of the following two actions should you perform to achieve this task? (Choose two answers. Each answer is part of the complete solution) A. Create a GPO and link it to the domain. Configure the GPO to direct client computers to the Microsoft WSUS server for approved updates B. In the environment, install the Microsoft WSUS application on a server and configure the server to search for new updates on the internet. Configure it to approve all required updates. C. Configure automatic updates in the control panel of client computers D. Create a GPO and link it to the server. Configure the GPO to automatically search for updates on Microsoft update site |
|
Definition
|
|
Term
Certkiller.com has an organizational unit called subproduction. The organizational unit has a child organizational unit called Research. You create a GPO named Software Deployment and link it to the Production organizational unit. You create a shadow group for the Research organizational unit. You need to deploy an application to users in the subproduction organizational unit. You also need to ensure that the application is not deployed to users in the Research organizational unit. What are two possible ways to achieve this goal? (Choose two answers. Each answer is part of the complete solution) A. Configure the Enforce setting on the software deployment GPO. B. Configure the Block Inheritance setting on the subproduction organizational unit. C. Configure the Block Inheritance setting on the research organizational unit. D. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the research security group. |
|
Definition
|
|
Term
Certkiller.com has an Active Directory forest. There is one main office and branch office in two different locations. Both of the locations have an organizational unit. Certkiller has instructed you to ensure that the branch office administrators are able to create and apply GPOs only to their respective organizational unit. Which two actions should you perform to achieve this task? A. Add branch administrators for each organizational unit in the ManagedBy Tab settings. B. Add the branch office administrators user accounts in the Group Policy Creator Owners Group C. Execute the Delegation of Control Wizard and delegate the right to link GPOs for their branch organizational units to the branch administrators D. Execute the Delegation of Control Wizard and delegate the right to link GPOs for the domain to the branch office administrators |
|
Definition
|
|
Term
You are an administrator at Certkiller.com. Certkiller has a network of 5 member servers acting as file servers. It has an Active Directory domain. You have installed a software application on the servers. As soon as the application is installed, one of the member servers shuts down itself. To trace and rectify the problem, you create a Group Policy Object (GPO). You need to change the domain security settings to trace the shutdowns and identify the cause of it. What should you do to perform this task? A. Link the GPO to the domain and enable System Events option B. Link the GPO to the domain and enable Audit Object Access option C. Link the GPO to the Domain Controllers and enable Audit Object Access option D. Link the GPO to the Domain Controllers and enable Audit Process tracking option E. Perform all of the above actions |
|
Definition
Answer: A Explanation: To change the domain security settings to trace the shutdowns and identify the cause of it, you should link the Group Policy Object to the domain and enable System Events option. The system events will track the problem and tell you what is causing the shutdowns. You should not enable Audit Object Access option because it is used to audit the access to the objects like registry keys, files and folders. You should not enable Audit Process tracking option because this option is used to audit the process tracking on a server. |
|
|
Term
Certkiller.com has organizational units in the Active Directory domain. There are 10 servers in the organizational unit called Security. As an administrator at Certkiller.com, you generate a Group Policy Object (GPO) and link it to the Security organizational unit. What should you do to monitor the network connections to the servers in Security organizational unit? A. Start the Audit Object Access option B. Start the Audit System Events option C. Start the Audit Logon Events option D. Start the Audit process tracking option E. All of the above |
|
Definition
Answer: C Explanation: To monitor the network connections to the servers in security organizational unit, you should start the Audit Logon Events option. The Audit logon event is a security setting that decides whether to audit each instance of a user logging on or off from a computer. Basically, the account logon events are generated on domain controllers to monitor the domain account activity and local account activity on local computers. If you enable both account logon and logon audit policy categories, the domain account logons will generate a logon or log off event on a server or a workstation and they will generate a logon or log off event on the domain controller. So if you start the Audit logon events option, you will be able to monitor the network connections to the servers in security organizational unit |
|
|
Term
Certkiller.com has purchased laptop computers that will be used to connect to a wireless network. You create a laptop organizational unit and create a Group Policy Object (GPO) and configure user profiles by utilizing the names of approved wireless networks. You link the GPO to the laptop organizational unit. The new laptop users complain to you that they cannot connect to a wireless network. What should you do to enforce the group policy wireless settings to the laptop computers? A. Execute gpupdate /target:computer command at the command prompt on laptop computers B. Execute Add a network command and leave the SSID (service set identifier) blank C. Execute gpupdate /boot command at the command prompt on laptop computers D. Connect each laptop computer to a wired network and log off the laptop computer and then login again. E. None of the above |
|
Definition
Answer: D Explanation: To enforce the group policy wireless settings on the laptop computers, you should connect each laptop to a wired network and log off on the laptop computer. Login again to enforce the group policy wireless settings. When you connect the laptop to a wired network and log off and then login again, the wireless settings group policy is enforced and users can connect to a wireless network. |
|
|
Term
Certkiller.com has file servers located in an organizational unit named Salaries. The file servers have salaries files in a folder named CKsalaries. You create a GPO. You have to track which employees access the salaries files on the file servers. What should you do to achieve this task? A. Enable the Audit object access option. Link the GPO to the Salaries organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder. B. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder. C. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configure Auditing for the Authenticated Users group in the Payroll folder. D. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. On the file servers, configure Auditing for the Authenticated Users group in the Payroll folder. |
|
Definition
|
|
Term
Certkiller.com has a group of consultants. All consultants belong to a global group named TempWorkers. You were advised to place three file servers in a new organizational unit named Secureserv. These file servers contain confidential data located in shared folders. After placing the file servers, you need to record any failed attempts made by the consultants to access confidential data. Which of the following two actions should you perform to achieve this task? A. On each shared folder on the three file servers, add the TempWorkers global groups to the Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog box. B. Create and link a new GPO to the SecureServ organizational unit. Configure the Deny access to this computer from the network user rights setting for the TempWorkers global group. C. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog box. D. Create and link a new GPO to the SecureServ organizational unit. Configure the Audit privilege use Failure audit policy setting. E. Create and link a new GPO to the SecureServ organizational unit. Configure the Audit object access Failure audit policy setting. |
|
Definition
|
|
Term
Certkiller asks you to implement Windows Cardspace in the domain. You want to use Windows Cardspace at your home. Your home and office computers run Windows Vista Ultimate. What should you do to create a backup copy of Windows Cardspace cards to be used at home? A. Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB drive B. Backup \Windows\Globalization folder by using backup status and save the folder on your USB drive C. Back up the system state data by using backup status tool on your USB drive D. Employ Windows Cardspace application to backup the data on your USB drive E. Reformat the C: Drive F. None of the above |
|
Definition
Answer: D Explanation: Of course, you should use Windows Cardspace application to backup the data on your USB drive. You can use this data on any computer to access and use Windows Cardspace. Windows Cardspace is a tool that creates relationships with website and online services. Windows CardSpace provides a unique way for 1. sites to request information from you 2. you to review the identity of a site 3. you to manage your information by using information cards 4. you to review card information before you send it. The Windows CardSpace has a backup feature. You can use it to backup cards data to a storage medium. You should not backup the system state data by using backup status tool on your USB drive. It is not related to the scenario mentioned above. You should not backup \Windows\Globalization folder by using backup status and save the folder on your USB drive because backup status will not be able to backup the data on to any storage device. |
|
|
Term
Certkiller.com has a network that consists of a single Active Directory domain. A technician has accidentally deleted an Organizational unit (OU) on the domain controller. As an administrator of Certkiller.com, you are in process of restoring the OU. You need to execute a non-authoritative restore before an authoritative restore of the OU. Which backup should you use to perform non-authoritative restore of Active Directory Domain Services (AD DS) without disturbing other data stored on domain controller? A. Critical volume backup B. Backup of all the volumes C. Backup of the volume that hosts Operating system D. Backup of AD DS folders E. All of the above |
|
Definition
Answer: A Explanation: You should use critical volume backup to perform non-authoritative restore of AD DS without disturbing other data stored on domain controller. An authoritative restore process returns a designated object or a container of objects to its state at the time of backup. The authoritative restore marks the OU as authoritative and causes the replication process to restore it to all domain controllers in the domain. You must first complete a non-authoritative restore before performing an authoritative restore of AD DS. You also need to ensure that the replication does not occur after non-authoritative restore. You must do a critical-volume backup before you perform a non-authoritative restore. To prevent the replication from occurring after the non-authoritative restore and to perform the authoritative restore portion of the operation, you must restart the domain controller in Directory Services Restore Mode and perform the authoritative restore at the domain controller that you are restoring. You should start the domain controller normally after performing the authoritative restore of AD DS. You should also synchronize replication with all replication partners. |
|
|
Term
Certkiller.com has an Active Directory forest on a single domain. The domain operates Windows Server 2008. A new administrator accidentally deletes the entire organizational unit in the Active Directory database that hosts 6000 objects. You have backed up the system state data using third-party backup software. To restore backup, you start the domain controller in the Directory Services Restore Mode (DSRM). You need to perform an authoritative restore of the organizational unit and restore the domain controller to its original state. Which three actions should you perform? The answer should be in a sequence. Drag and drop the appropriate action into the sequential order. Perform a restore of system state data to a time before the organizational unit was deleted, run the dsastat utility, start the domain controller in Services (local) MMC, restart the domain controller in safe mode, run the ntdsutil, |
|
Definition
| 1. Perform a restore of system state data to a date before the organizational unit was deleted, run the ntdsutil, start the domain controller in Services (local) MMC |
|
|
Term
| The Certkiller has a Windows 2008 domain controller server. This server is routinely backed up over the network from a dedicated backup server that is running Windows 2003 OS. You need to prepare the domain controller for disaster recovery apart from the routine backup procedures. You are unable to launch the backup utility while attempting to back up the system state data for the domain controller. You need to backup system state data from the Windows Server 2008 domain controller server. What should you do? A. Add your user account to the local Backup Operators group B. Install the Windows Server backup feature using the Server Manager feature C. Install the Removable Storage Manager feature using the Server Manager feature D. Deactivate the backup job that is configured to backup Windows 2008 server domain controller on the Windows 2003 server. E. None of the above |
|
Definition
| Answer: B Explanation: To backup system state data from the Windows Server 2008 domain controller server, you need to install the Windows Server backup feature using the Server Manager feature. Windows Server Backup is not installed by default. You must install it by using the Add Features option in Server Manager. Reference: What's New in AD DS Backup and Recovery? http://technet2.microsoft.com/windowsserver2008/en/library/67f18955-c504-4d63-9f84-9b8c25d428e81033.msp |
|
|
Term
You had installed Windows Server 2008 on a computer and configured it as a file server, named FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks. For fault tolerance and performance you want to configure Redundant Array of Independent Disks (RAID) 0+1 on FileSrv1. Which utility will you use to convert basic disks to dynamic disks on FileSrv1? A. Diskpart.exe B. Chkdsk.exe C. Fsutil.exe D. Fdisk.exe E. None of the above |
|
Definition
Answer: A Explanation: To convert basic disks to dynamic disks on FileSrv1, you need to use Diskpart.exe utility. Reference: Managing and Troubleshooting Desktop Storage / Basic Disks http://www.informit.com/articles/article.aspx?p=332154 |
|
|
Term
Certkiller.com has a single Active Directory domain and two domain controllers which run Windows Server 2008. Due to a problem, you need to reset the Directory Services Recovery Mode (DSRM) password on one domain controller. What tool should you use to achieve this task? A. Active Directory Security for Computers snap-in B. Netsh C. ntdsutil D. Domain Controller security snap-in E. All of the above |
|
Definition
Answer: C Explanation: To reset the DSRM password on a single domain controller, you should use ntdsutil utility. You can use Ntdsutil.exe to reset this password for the server on which you are working, or for another domain controller in the domain. Type ntdsutil and at the ntdsutil command prompt, type set dsrm password. Reference: http://support.microsoft.com/kb/322672 |
|
|
Term
Certkiller.com has a domain controller that runs Windows Server 2008. The server is a backup server with a single 500-GB hard disk and has three partitions for the applications, operating system and data. As per company policy, you perform daily backups of the server. The hard disk fails and you replace the hard disk with a new one of same capacity. After restarting the computer on the installation media, you select repair your computer option. You want to restore the operating system and all the other files. What should you do to achieve this task? A. Do the startup repair B. Perform the System Restore C. At the command prompt, execute webadmin utility D. Perform the Disk defragment |
|
Definition
|
|
Term
Certkiller.com has an Active Directory domain running Windows Server 2008. The Finance OU (organizational unit) contains an OU for computers, an OU for groups and an OU for users. As per company policy, you perform daily backups. Another administrator mistakenly deletes the groups OU. You have to restore the Groups OU without affecting users and computers in the Finance OU. What should you do to achieve this task? A. Perform an authoritative restore of the Groups OU B. Perform a complete restore of the Finance OU C. Perform a non-authoritative restore of the Finance OU D. Perform a non-authoritative restore of the Groups OU |
|
Definition
|
|
Term
Critical services are running on CKD20, a domain controller. You have completed restructuring the organizational unit hierarchy for the domain and deleted the needless objects. What would you do to perform an offline defragmentation of the Active Directory database on CKD20 while ensuring that the critical services remain online? A. Open the Microsoft Management Console (MMC) and stop the Domain Controller service. After that, run the defrag tool B. Start the domain controller in the Directory Service restore mode and run the Ntdsutil tool C. Start the domain controller and then use the Defrag tool to start defragmentation D. Open the MMC and stop the Domain Controller service. After that, run the Ntdsutil tool. E. All of the above |
|
Definition
Answer: D Explanation: To perform an offline defragmentation of the Active Directory database on CKD20 while ensuring that the critical services remain online, you should open the MMC and stop the Domain Controller service. Then you should run the Ntdsutil tool. Ntdsutil is a command-line tool that offers management facilities for Active Directory. When you stop the Domain Controller service, the critical services remain online. Then you should run the Ntdsutil tool, which will find out the location of the data files, working directory and log files. You can use the info command, which is a part of the ntdsutil command-line tool, to find out the location of the data files, log files and working directory. The info command analyzes and reports the free space for all disks installed on the computer and reads the registry keys that contain the location of the Active Directory files and reports their values. |
|
|
Term
Certkiller.com has servers on the main network that run Windows Server 2008. It also has two domain controllers. Active Directory services are running on a domain controller named CKDC1. You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server. What should you do to perform offline critical updates on CKDC1 without rebooting the server? A. Start the Active Directory Domain Services on CKDC1 B. Disconnect from the network and start the Windows update feature C. Stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates D. Stop Active Directory domain services and install updates. Disconnect from the network and then connect again E. None of the above |
|
Definition
Answer: C Explanation: To perform offline critical updates on CKDC1 without rebooting the server, you should stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates. By stopping the Active Directory domain services, you don't need to reboot the server. The updates are related to the Windows Server 2008 on CKDC1 so when you stop the Active Directory domain services and start it again after the installation of the updates, the Server will perform in a normal way. |
|
|
Term
There are 100 servers and 2000 computers present at Certkiller.com headquarters. The DHCP service is installed on a two-node Microsoft failover cluster named CKMFO to ensure the high availability of the service. The nodes are named CKMFON1 and CKMFON2. The cluster on CKMFO has one physical shared disk of 400 GB capacity. A 200GB single volume is configured on the shared disk. Certkiller.com has decided to host a Windows Internet Naming Service (WINS) on CKMFON1. The DHCP and WINS services will be hosted on other nodes. Using the High Availability Wizard, you begin creating the WINS service group on the cluster available on the CKMFON1 node. The wizard shows an error "no disks are available" during configuration. Which action should you perform to configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1? A. Back up all data on the single volume on CKMFON1 and configure the disk with GUID partition table and create two volumes. Restore the backed up data on one of the volumes and use the other for WINS service group B. Add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volume to fix the error in the wizard C. Add new physical shared disks to CKMFON1 and EMBFON2. Configure the volumes on these disks and direct CKMFON1 to use CKMFON2 volume for the WINS service group D. Add and configure a new volume on the existing shared disk which has 400GB of space. Use this volume to fix the error in the wizard E. None of the above |
|
Definition
Answer: B Explanation: To configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1, you need to add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volume to fix the error in the wizard. This is because a cluster does not use shared storage. A cluster must use a hardware solution based either on shared storage or on replication between nodes. Reference: No disks found http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2964971&SiteID=17 |
|
|
Term
Domain Controller Bill12 runs critical services in the Certkiller network. Restructuring of the organizational unit domain hierarchy is being done and all unnecessary objects are also being deleted. Offline defragmentation of the Active Directory database is to be performed on Bill12. We also need to ensure that critical services stay alive. What should you do? A. Start the domain controller in the Directory Services restore mode. Run the defrag utility B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility C. Stop the Domain controller service in the Services MMC and run the Defrag utility. D. Stop the Domain controller service in the Services MMC and run the Ntdsutil utility E. None of the above |
|
Definition
Answer: D Explanation: To perform offline defragmentation of the Active Directory database on Bill12, you need to stop the Domain controller service in the Services MMC and run the Ntdsutil utility. You can use the restart feature of AD DS to stop AD DS so that you can perform offline operations such as defragmentation of Active Directory objects. Reference: Superior Identity Management Features in Windows Server 2008 Enterprise and Windows Server 2008 Datacenter / Directory Services: Active Directory Domain Services http://download.microsoft.com/download/8/2/f/82fa3808-7168-46f1-a07b-f1a7c9cb4e85/WS08%20Identity%20 |
|
|
Term
| The corporate network of Certkiller consists of a Windows Server 2008 single Active Directory domain. The domain has two servers named Certkiller 1 and Certkiller 2. To ensure central monitoring of events you decided to collect all the events on one server, Certkiller 1. To collect events from Certkiller 2 and transfer them to Certkiller 1, you configured the required event subscriptions. You selected the Normal option for the Event delivery optimization setting by using the HTTP protocol. However, you discovered that none of the subscriptions work. Which of the following actions would you perform to configure the event collection and event forwarding on the two servers? (Select three. Each answer is a part of the complete solution). A. Through the Run window, execute the winrm quickconfig command on Certkiller 2. B. Through the Run window, execute the wecutil qc command on Certkiller 2. C. Add the Certkiller 1 account to the Administrators group on Certkiller 2. D. Through the Run window, execute the winrm quickconfig command on Certkiller 1. E. Add the Certkiller 2 account to the Administrators group on Certkiller 1. F. Through the Run window, execute the wecutil qc command on Certkiller 1. |
|
Definition
Answer: A,B,C Explanation: The subscriptions are not working because Normal subscriptions work only in a Workgroup environment. To configure the event collection and event forwarding on the two servers, you need to first add the Certkiller 1 account to the Administrators group on Certkiller 2. Because you are working with machines that are part of an Active Directory (AD), on the source computer, type the winrm quickconfig command. Then, type y followed by Enter to make the changes. This command sets up the source system to accept WS-Management requests from other computers. Now, move to the collection system. Repeat the WinRM command. This will allow you to control bandwidth usage or latency of the event forwarding process. Next, using the same elevated command prompt, run the wecutil qc command. Then, type y followed by Enter to make the changes. This will configure the Windows Event Collector service to delayed autostart and start the service. Reference: Collect Vista Events http://www.prismmicrosys.com/newsletters_june2007.php |
|
|
Term
Certkiller.com has an Active Directory forest on a single domain. Certkiller needs a distributed application that employs a custom application. The application is directory partition software named PARDATA. You need to implement this application for data replication. Which two tools should you use to achieve this task? (Choose two answers. Each answer is a part of a complete solution) A. Dnscmd B. Ntdsutil C. Ipconfig D. Dnsutil E. All of the above |
|
Definition
Answer: A,B Explanation: To implement the application for data replication, you should use the Dnscmd and Ntdsutil tools. The dnscmd command displays and changes the properties of DNS servers, zones and resource records. Through dnscmd, you can manually modify these properties, create and delete zones and resource records and force replication events between DNS server physical memory and DNS databases and data files. You can implement the PARDATA application and distribute it through dnscmd. The Ntdsutil tool is a command-line utility that offers management facilities for Active Directory. You can create application directory partitions using this tool. The tool has a series of menus that allow you to perform multiple management tasks. Ntdsutil is installed in the systemroot\system32 folder. It can be accessed through the command prompt. |
|
|
Term
Certkiller.com has a main office and a branch office. Active Directory domain is present in each office. The users of sales department need some space to store data for an application named SalesPros. You create an application directory partition for this purpose. You want to add a replica of SalesPros application directory partition to the domain controller in the branch office too. The domain controller is called CKO2. Which tool should you use to add replica for the SalesPros application directory partition to CKO2? A. Dnscmd.exe B. Repadmin.exe C. Ntdsutil.exe D. Dcpromo.exe E. All of the above |
|
Definition
Answer: C Explanation: To add a replica of the SalesPros application directory partition to CKO2, you should use the Ntdsutil tool. The Ntdsutil tool is a command-line utility that offers management facilities for Active Directory. You can create application directory partitions using this tool. The tool has a series of menus that allow you to perform multiple management tasks. Ntdsutil is installed in the systemroot\system32 folder. It can be accessed through the command prompt. |
|
|
Term
Certkiller has an Active Directory forest with six domains. The company has 5 sites. The company requires a new distributed application that uses a custom application directory partition named ResData for data replication. The application is installed on one member server in five sites. You need to configure the five member servers to receive the ResData application directory partition for data replication. What should you do? A. Run the Dcpromo utility on the five member servers B. Run the Regsvr32 command on the five member servers C. Run the Webadmin command on the five member servers D. Run the RacAgent utility on the five member servers |
|
Definition
Answer: A Explanation: To configure the five member servers to receive the ResData application directory partition for data replication, you need to run the Dcpromo utility on the five member servers. The ApplicationPartitionsToReplicate:"" parameter with partition names can be used with Dcpromo to specify the application directory partitions that dcpromo will replicate. Reference: Dcpromo http://technet2.microsoft.com/windowsserver2008/en/library/d660e761-9ee7-4382-822a-06fc2365a1d21033.msp |
|
|
Term
The company has an Active Directory forest and requires a new distributed application that uses a custom application directory partition named ResData. We need to implement the ResData application directory partition for data replication. Which two utilities should you run to achieve this goal? A. Ntdsutil B. Wbadmin C. RacAgent D. Regsvr32 |
|
Definition
|
|
Term
Certkiller.com servers run Windows Server 2008. It has a single Active Directory domain. A server called CK4 has the file services role installed. You install some disks for additional storage. The disks are configured as shown in the exhibit. To support data striping with parity, you have to create a new drive volume. What should you do to achieve this objective? A. Build a new spanned volume by combining Disk0 and Disk1 B. Create a new Raid-5 volume by adding another disk C. Create a new virtual volume by combining Disk 1 and Disk 2 D. Build a new striped volume by combining Disk0 and Disk 2 |
|
Definition
Answer: B Explanation: To support data striping with parity, you should create a new Raid-5 volume by adding another disk. By adding another volume, the total number of disks will be four. This way you can easily create the data stripes and the parity stripes. |
|
|
Term
Certkiller.com has servers that run Windows Server 2008. There are 2 domain controllers installed on the network. An Active Directory database is installed on the D volume of a domain controller. You want to move the Active Directory database to a new volume. What should you do to achieve this task? A. Open the Files option in the Ntdsutil utility and move the ntds.dit file to the new volume B. Move the ntds.dit file to the new volume using Copy Paste function in the Windows Power Shell C. Use XCOPY command on Windows Command prompt to move ntds.dit file to the new volume D. Use Windows Explorer to move ntds.dit file to the new volume. |
|
Definition
Answer: A Explanation: To move the Active Directory database to a new volume, you should move the ntds.dit file to the new volume by opening the Files option in the ntdsutil utility. Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing partition. If you are not using Ntdsutil.exe when moving files to a different partition, you will need to manually update the registry. Reference: http://technet2.microsoft.com/windowsserver/en/library/af6646aa-2360-46e4-81ca-d51707bf01eb1033.msp |
|
|
Term
Certkiller.com has a server that runs an instance of AD LDS. You have to create new organizational units in the AD LDS application directory partition. What should you do to achieve this task? A. Create the organizational units on the AD LDS application directory partition by accessing the ADSI Edit snap-in B. Execute dsmod OU command to create Organizational units C. Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDS application directory partition. D. Execute dsadd OU command to create Organizational units |
|
Definition
|
|
Term
Certkiller.com has an Active Directory domain. As an administrator, you plan to install the Active Directory Certificate Service (AD CS) role on a member server running Windows Server 2008. You have to make sure that the Account Operators group is able to issue smartcard credentials without being able to revoke certificates. Which of the following three actions should you perform to achieve this task? A. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group. B. Install the AD CS role and configure it as a Standalone CA. C. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group. D. Install the AD CS role and configure it as an Enterprise Root CA. E. Create an Enrollment Agent certificate. F. Create a Smartcard logon certificate. |
|
Definition
|
|
Term
| Certkiller.com has a server that runs Windows Server 2008. The Enterprise Root CA is also installed on the server. The Security policy prevents port 443 and port 80 from being opened on domain controllers and on the issuing CA. You have to allow users to request certificates from a web interface. To do that, you install the AD CS role. What should you do next? A. Configure the Certification Authority Web Enrollment Role Service on a member server. B. Configure the Online Responder Role Service on a member server. C. Configure the Certification Authority Web Enrollment Role Service on a domain controller. D. Configure the Online Responder Role Service on a domain controller. |
|
Definition
|
|
Term
Certkiller.com has an Active Directory forest. You want to install an Enterprise certification authority (CA) on a stand-alone server. When you try to add Active Directory Certificate Services (AD CS) role, you find that the Enterprise CA option is not available. You have to install the AD CS role as an Enterprise CA. What should you do first to achieve this task? A. Add the Active Directory Certificate Services (AD CS) role. B. Add the Web server (IIS) role and the AD LDS role. C. Add the DNS Server role. D. Join the server to the domain. |
|
Definition
|
|
Term
Certkiller.com has servers that run Windows Server 2008. You administer 2 servers named S1 and S2. You have installed the enterprise root certification authority (CA) on S1 and the Online Responder role service on S2. You want S1 to support the online responder. What should you do to configure online responder on S1? A. On S1, configure Authority Information Access (AIA) extension B. Configure CertPublishers group on S1 and S2 C. Configure Dual Certificate List extension on S1 and S2 D. Create a conventional Group Policy Object (GPO) and import enterprise root CA certificate. Link the GPO to S1 E. None of the above |
|
Definition
Answer: A Explanation: To configure online responder role service on S1, you should configure AIA extension. The authority information access extension indicates how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include on-line validation services and CA policy data. (The location of CRLs is not specified in this extension; that information is provided by the cRLDistributionPoints extension.) This extension may be included in subject or CA certificates, and it MUST be non-critical. Reference: datatracker.ietf.org/documents/LIAISON/file315.pdf |
|
|
Term
Certkiller.com has a server that runs Windows Server 2008. Primarily this server has certification services configured as a stand-alone Certification Authority (CA). As per company policy, you are required to audit changes to the CA configuration setting and the CA security settings. Which two actions should you perform to achieve this task? (Choose two answers. Each answer is part of the complete solution) A. Open the Certification services snap-in and configure auditing B. Enable and configure the Audit object Access setting in the local security policy for the certification services server C. Configure the certification services server to log successful and failed attempts to change permissions on files in %SYSTEM32%\CertSrv directory D. Open the Certification services snap-in and configure auditing for security settings |
|
Definition
|
|
Term
Certkiller.com has an Active Directory domain. All servers in the Active Directory run Windows Server 2008. Certkiller.com runs Enterprise Root certification authority (CA). You have to make sure that only administrators can sign code. Which two tasks should you perform to achieve this task? A. Change the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted Publishers. B. Publish the code signing template C. Change the security settings on the template to allow only the administrators to request code signing certificates D. Distribute the code signing template among the administrators and ask them to add it to the trust peer certificates. |
|
Definition
|
|
Term
Certkiller.com employs Windows Server 2008 Enterprise certificate authority (CA) to issue certificates. You're instructed to implement key archival. What should you do to achieve this task? A. On the server, archive the private key B. Configure Hisecdc security template C. Revoke the Enterprise subordinate CA and issue a user certificate to users of the encrypted files D. Configure the automatic enrollment for the computers that store encrypted files |
|
Definition
|
|
Term
| Certkiller.com has a domain controller named EDC11 that runs Windows Server 2008. It is configured as a DNS server for Certkiller.com. You install the DNS serve should you do to achieve this objective? A. Configure the DNS on CK1 to forward requests to CK2 B. Add a secondary zone named raks. Certkiller.com on CK2 C. Convert maks. Certkiller.com on CK1 to an Active Directory-integrated zone D. Configure a new stub zone on CK1 and set the forwarding option to CK2 |
|
Definition
| Answer: C Explanation: To make sure that the DNS service on CK2 can update records and resolve DNS queries in the event of a MAN link failure, you should convert maks. Certkiller.com on CK1 to an Active Directory-integrated zone. Active Directory-integrated DNS offers two pluses over traditional zones. For one, the fault tolerance built into Active Directory eliminates the need for primary and secondary nameservers. Effectively, all nameservers using Active Directory-integrated zones are primary nameservers. This has a huge advantage for the use of dynamic DNS as well: namely, the wide availability of nameservers that can accept registrations. Recall that domain controllers and workstations register their locations and availability to the DNS zone using dynamic DNS. In a traditional DNS setup, only one type of nameserver can accept these registrations: the primary server, because it has the only read/write copy of a zone. By creating an Active Directory-integrated zone, all Windows Server 2008 nameservers that store their zone data in Active Directory can accept a dynamic registration, and the change will be propagated using Active Directory multimaster replication. Reference: http://safari.adobepress.com/9780596514112/active_directory-integrated_zones |
|
|