Q1. ABC.com has a network that consists of a single Active Directory domain. A technician has accidentally deleted an organizational unit (OU) on the domain controller. As an administrator of ABC.com, you are in the process of restoring the OU.
You need to execute a non-authoritative restore before an authoritative restore of the OU.
Which backup should you use to perform a non-authoritative restore of Active Directory Domain Services (AD DS) without disturbing other data stored on the domain controller?
A. Critical volume backup
B. Backup of all the volumes
C. Backup of the volume that hosts Operating system
D. Backup of AD DS folders
E. All of the above
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc730683%28v=ws.10%29.aspx
Performing a Nonauthoritative Restore of AD DS
To perform a nonauthoritative restore of Active Directory Domain Services (AD DS), you need at least a system state backup. To restore a system state backup, use the wbadmin start systemstaterecovery command. The procedure in this topic uses the wbadmin start systemstaterecovery command.
You can also use a critical-volume backup to perform a nonauthoritative restore, or a full server backup if you do not have a system state or critical-volume backup. A full server backup is generally larger than a critical-volume backup or system state backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in other volumes. Rolling back this additional data is not necessary to achieve a nonauthoritative restore of AD DS. To restore a critical-volume backup or full server backup, use the wbadmin start recovery command.
Q2. Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runs an Enterprise Root certification authority (CA).
You need to ensure that only administrators can sign code.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted Publishers.
B. Modify the security settings on the template to allow only administrators to request code signing certificates.
C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only administrators to apply the policy.
D. Publish the code signing template.
Answer: B,D
Explanation:
http://techblog.mirabito.net.au/?p=297
Generating and working with code signing certificates
A code signing certificate is a security measure designed to assist in the prevention of malicious code execution. The intention is that code must be “signed” with a certificate that is trusted by the machine on which the code is executed. The trust is verified by contacting the certification authority for the certificate, which could be either a local (on the machine itself, such as a self-signed certificate), internal (on the domain, such as an enterprise certification authority) or external certification authority (third party, such as Verisign or Thawte).
For an Active Directory domain with an enterprise root certification authority, the enterprise root certification authority infrastructure is trusted by all machines that are a member of the Active Directory domain, and therefore any certificates issued by this certification authority are automatically trusted. In the case of code signing, it may also be necessary for the issued certificate to be in the “Trusted Publishers” store of the local machine in order to avoid any prompts upon executing code, even if the certificate was issued by a trusted certification authority. Therefore, it is required to ensure that certificates are added to this store where user interaction is unavailable, such as running automated processes that call signed code.
A certificate can be assigned to a user or a computer, which will then be the “publisher” of the code in question. Generally, this should be the user, and the user will then become the trusted publisher. As an example, members of the development team in your organisation will probably each have their own code signing certificate, which would all be added to the “Trusted Publishers” store on the domain machines. Alternatively, a special domain account might exist specifically for signing code, although one of the advantages of code signing is to be able to determine the person who signed it.
Q3. Your network contains an Active Directory forest named contoso.com.
You plan to add a new domain named nwtraders.com to the forest.
All DNS servers are domain controllers.
You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNS servers in the forest.
What should you do?
A. Add the computer accounts of all the domain controllers to the DnsAdmins group.
B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group.
C. Create a standard primary zone on a domain controller in the forest root domain.
D. Create an Active Directory-integrated zone on a domain controller in the forest root domain.
Answer: D
Q4. Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You mount an Active Directory snapshot.
You need to ensure that you can query the snapshot by using LDAP.
What should you do?
A. Run the dsamain.exe command.
B. Create custom views from Event Viewer.
C. Run the ntdsutil.exe command.
D. Configure subscriptions from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Create a Data Collector Set (DCS).
G. Run the eventcreate.exe command.
H. Configure the Active Directory Diagnostics Data Collector Set (DCS).
I. Run the repadmin.exe command.
J. Run the dsquery.exe command.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc753609.aspx
The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain.
Requirements for using the Active Directory database mounting tool
You do not need any additional software to use the Active Directory database mounting tool. All the tools that are required to use this feature are built into Windows Server 2008 and are available if you have the AD DS or the AD LDS server role installed. These tools include the following:
1. Dsamain.exe, which you can use to expose the snapshot data as an LDAP server
2. Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers
Q5. Your network contains an Active Directory domain named contoso.com.
You create a GlobalNames zone. You add an alias (CNAME) resource record named
Server1 to the zone. The target host of the record is server2.contoso.com.
When you ping Server1, you discover that the name fails to resolve. You successfully resolve server2.contoso.com.
You need to ensure that you can resolve names by using the GlobalNames zone.
What should you do?
A. From the command prompt, use the netsh tool.
B. From the command prompt, use the dnscmd tool.
C. From DNS Manager, modify the properties of the GlobalNames zone.
D. From DNS Manager, modify the advanced settings of the DNS server.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc731744.aspx
Enable GlobalNames zone support
The GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitly enabled by using the following command on every authoritative DNS server in the forest:
dnscmd <ServerName> /config /enableglobalnamessupport 1
Q6. Your company uses an application that stores data in an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1.
You attempt to create a snapshot of Instance1 as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that you can take a snapshot of Instance1.
What should you do?
A. At the command prompt, run net start VSS.
B. At the command prompt, run net start Instance1.
C. Set the Startup Type for the Instance1 service to Disabled.
D. Set the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.
Answer: A
Explanation:
Hard to find explanations on this, but the solution can be found by eliminating the rest.
Instance1 is running; otherwise you'd get a different message at the snapshot: create step ("AD service must be running in order to perform this operation", on my virtual server).
Disabling Instance1 makes no sense because you need it, nor does setting the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.
Q7. You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.
What is the minimal forest functional level that you should use?
A. Windows Server 2008 R2
B. Windows Server 2008
C. Windows Server 2003
D. Windows 2000
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc731243.aspx
Prerequisites for Deploying an RODC
Complete the following prerequisites before you deploy a read-only domain controller (RODC):
Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available.
Q8. Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way forest trust exists between contoso.com and nwtraders.com. The forest trust is configured to use selective authentication.
Contoso.com contains a server named Server1. Server1 contains a shared folder named Marketing.
Nwtraders.com contains a global group named G_Marketing. The Change share permission and the Modify NTFS permission for the Marketing folder are assigned to the G_Marketing group. Members of G_Marketing report that they cannot access the Marketing folder.
You need to ensure that the G_Marketing members can access the folder from the network.
What should you do?
A. From Windows Explorer, modify the NTFS permissions of the folder.
B. From Windows Explorer, modify the share permissions of the folder.
C. From Active Directory Users and Computers, modify the computer object for Server1.
D. From Active Directory Users and Computers, modify the group object for G_Marketing.
Answer: C
Explanation:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 643-644
After you have selected Selective Authentication for the trust, no trusted users will be able to access resources in the trusting domain, even if those users have been given permissions. The users must also be assigned the Allowed To Authenticate permission on the computer object in the domain.
To assign this permission:
1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is selected on the View menu.
2. Open the properties of the computer to which trusted users should be allowed to authenticate—that is, the computer that trusted users will log on to or that contains resources to which trusted users have been given permissions.
3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box for the Allowed To Authenticate permission.
Q9. Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains four domain controllers. Site2 contains a read-only domain controller (RODC).
You add a user named User1 to the Allowed RODC Password Replication Group.
The WAN link between Site1 and Site2 fails. User1 restarts his computer and reports that he is unable to log on to the domain.
The WAN link is restored and User1 reports that he is able to log on to the domain.
You need to prevent the problem from reoccurring if the WAN link fails.
What should you do?
A. Create a Password Settings object (PSO) and link the PSO to User1's user account.
B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.
C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.
D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.
Answer: D
Q10. Your network contains an Active Directory domain. The domain contains four domain controllers.
You modify the Active Directory schema.
You need to verify that all the domain controllers received the schema modification.
Which command should you run?
A. dcdiag.exe /a
B. netdom.exe query fsmo
C. repadmin.exe /showrepl *
D. sc.exe query ntds
Answer: C
Explanation:
http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx
Getting Over Replmon
Status Checking
Replmon had the option to generate a status report text file. It could tell you which servers were configured to replicate with each other, if they had any errors, and so on. It was pretty useful actually, and one of the main reasons people liked the tool. Repadmin.exe offers similar functionality within a few of its command line options. For example, we can get a summary report:
Repadmin /replsummary *
[Screenshot of the repadmin /replsummary output, not reproduced here]
Several DCs have been taken offline. Repadmin shows the correct error of 58 – that the other DCs are not available and cannot tell you their status.
You can also use more verbose commands with Repadmin to see details about which DCs are or are not replicating:
Repadmin /showrepl *
[Screenshot of the repadmin /showrepl output, not reproduced here]
Q11. Your network consists of an Active Directory forest that contains one domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have an Active Directory-integrated zone.
You have two Active Directory sites. Each site contains five domain controllers.
You add a new NS record to the zone.
You need to ensure that all domain controllers immediately receive the new NS record.
What should you do?
A. From the DNS Manager console, reload the zone.
B. From the DNS Manager console, increase the version number of the SOA record.
C. From the command prompt, run repadmin /syncall.
D. From the Services snap-in, restart the DNS Server service.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc835086%28v=ws.10%29.aspx
Repadmin /syncall
Synchronizes a specified domain controller with all of its replication partners.
http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/
How to force replication of Domain Controllers
From time to time it's necessary to kick off AD replication to speed up a task you may be doing, or it is just a good tool to check the status of replication between DCs. Below is a command to replicate from a specified DC to all other DCs.
Repadmin /syncall DC_name /Aped
By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it in one step, not many, and with the benefit of seeing immediate results on how the operations are proceeding. If I am running it on the DC itself, I don’t even have to specify the server name.
Q12. HOTSPOT
Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configured as shown in the following table.
You need to enable universal group membership caching in the Seattle site.
Which object's properties should you modify?
To answer, select the appropriate object in the answer area.
Answer:
Q13. Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2.
You deploy a new server that runs Windows Server 2008 R2. The server is not connected to the internal network.
You need to ensure that the new server is already joined to the domain when it first connects to the internal network.
What should you do?
A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, run sysprep.exe and specify the /generalize parameter.
B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, run sysprep.exe and specify the /oobe parameter.
C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the new server, run djoin.exe and specify the /requestodj parameter.
D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the new server, run djoin.exe and specify the /provision parameter.
Answer: C
Explanation:
Explanation 1: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218
Offline Domain Join
Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment. When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup. Four major steps are required to join a computer to the domain by using offline domain join:
1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain.
2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information, called a blob, to a text file.
3. At the offline computer that you want to join to the domain, use DJoin to import the blob into the Windows directory.
4. When you start or restart the computer, it will be a member of the domain.
Explanation 2:
http://technet.microsoft.com/nl-nl/library/offline-domain-join-djoin-step-by-step.aspx
Steps for performing an offline domain join
The offline domain join process includes the following steps:
1. Run the djoin.exe /provision command to create computer account metadata for the destination computer (the computer that you want to join to the domain). As part of this command, you must specify the name of the domain that you want the computer to join.
2. Run the djoin.exe /requestODJ command to insert the computer account metadata into the Windows directory of the destination computer.
3. When you start the destination computer, either as a virtual machine or after a complete operating system installation, the computer will be joined to the domain that you specify.
Q14. Your network contains an Active Directory domain named contoso.com. The domain contains the servers shown in the following table.
The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2003.
DNS1 and DNS2 host the contoso.com zone.
All client computers run Windows 7 Enterprise.
You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC.
What should you do first?
A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Upgrade DC1 to Windows Server 2008 R2.
D. Upgrade DNS1 to Windows Server 2008 R2.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/ee683904%28v=ws.10%29.aspx
DNS Security Extensions (DNSSEC)
What are the major changes?
Support for Domain Name System Security Extensions (DNSSEC) is introduced in Windows Server 2008 R2 and Windows 7. With the Windows Server 2008 R2 DNS server, you can now sign and host DNSSEC-signed zones to provide security for your DNS infrastructure.
The following changes are available in the DNS server in Windows Server 2008 R2:
1. Ability to sign a zone and host signed zones.
2. Support for changes to the DNSSEC protocol.
3. Support for DNSKEY, RRSIG, NSEC, and DS resource records.
The following changes are available in the DNS client in Windows 7:
1. Ability to indicate knowledge of DNSSEC in queries.
2. Ability to process the DNSKEY, RRSIG, NSEC, and DS resource records.
3. Ability to check whether the DNS server with which it communicated has performed validation on the client’s behalf.
The DNS client’s behavior with respect to DNSSEC is controlled through the Name Resolution Policy Table (NRPT), which stores settings that define the DNS client’s behavior. The NRPT is typically managed through Group Policy.
What does DNSSEC do?
DNSSEC is a suite of extensions that add security to the DNS protocol. The core DNSSEC extensions are specified in RFCs 4033, 4034, and 4035 and add origin authority, data integrity, and authenticated denial of existence to DNS. In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS.
In short, DNSSEC allows for a DNS zone and all the records in the zone to be cryptographically signed. When a DNS server hosting a signed zone receives a query, it returns the digital signatures in addition to the records queried for. A resolver or another server can obtain the public key of the public/private key pair and validate that the responses are authentic and have not been tampered with. In order to do so, the resolver or server must be configured with a trust anchor for the signed zone, or for a parent of the signed zone.
Q15. You are decommissioning domain controllers that hold all forest-wide operations master roles.
You need to transfer all forest-wide operations master roles to another domain controller.
Which two roles should you transfer? (Each correct answer presents part of the solution. Choose two.)
A. Domain naming master
B. Infrastructure master
C. RID master
D. PDC emulator
E. Schema master
Answer: A,E
Explanation: