Q1. You need to back up all of the group policies in a domain. The solution must minimize the size of the backup.
What should you use?
A. the Add-WBSystemState cmdlet
B. the Group Policy Management console
C. the Wbadmin tool
D. the Windows Server Backup feature
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc770536.aspx
To back up a Group Policy object
1. In the Group Policy Management Console (GPMC) console tree, open Group Policy Objects in the forest and domain containing the Group Policy object (GPO) to back up.
2. To back up a single GPO, right-click the GPO, and then click Back Up. To back up all GPOs in the domain, right-click Group Policy objects and click Back Up All.
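As an added example (not from the exam page or the TechNet article it cites), the same "Back Up All" operation driven from PowerShell with the GroupPolicy module's Backup-GPO cmdlet, followed by a size report and a check that no GPO was skipped; the backup path is an assumption.

```powershell
# Added example: back up every GPO in the domain with the GroupPolicy module.
# Backup-GPO stores only the GPO settings and referenced files, which is why it
# produces a far smaller backup than a System State or Windows Server Backup run.
Import-Module GroupPolicy

# Assumed destination; one subfolder per day keeps successive backups apart
$BackupRoot = 'D:\GPOBackups\' + (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# Backup-GPO -All writes one folder per GPO (named by backup GUID) plus manifest.xml
$backups = Backup-GPO -All -Path $BackupRoot -Comment 'Scheduled full GPO backup'

# Report what was captured and how much space each GPO backup takes
foreach ($b in $backups) {
    $folder = Join-Path $BackupRoot ('{' + $b.Id + '}')
    $bytes  = (Get-ChildItem $folder -Recurse -File | Measure-Object Length -Sum).Sum
    '{0,-40} {1,10:N0} bytes  backup id {2}' -f $b.DisplayName, $bytes, $b.Id
}

# Sanity check: every GPO in the domain should have a backup entry
$backedUp = $backups | ForEach-Object { $_.GpoId }
$missing  = Get-GPO -All | Where-Object { $backedUp -notcontains $_.Id }
if ($missing) {
    Write-Warning ('Not backed up: ' + (($missing | ForEach-Object { $_.DisplayName }) -join ', '))
}
```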
Q2. Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run either Windows XP Service Pack 3 (SP3) or Windows Vista.
You need to ensure that all client computers can apply Group Policy preferences.
What should you do?
A. Upgrade all Windows XP client computers to Windows 7.
B. Create a central store that contains the Group Policy ADMX files.
C. Install the Group Policy client-side extensions (CSEs) on all client computers.
D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).
Answer: C
Explanation:
http://www.microsoft.com/en-us/download/details.aspx?id=3628
Group Policy Preference Client Side Extensions for Windows XP (KB943729)
Multiple Group Policy Preferences have been added to the Windows Server 2008 Group Policy Management Console (which are also available through the Remote Server Administration Toolset (RSAT) for Windows Vista SP1). Group Policy Preferences enable information technology professionals to configure, deploy, and manage operating system and application settings they previously were not able to manage using Group Policy. After you install this update, your computer will be able to process the new Group Policy Preference extensions.
http://www.petenetlive.com/KB/Article/0000389.htm
Server 2008 Group Policy Preferences and Client Side Extensions
Problem
Group Policy Preferences (GPP) first came in with Server 2008 and were enhanced for Server 2008 R2. To be able to apply them to older Windows clients, you need to install the "Client Side Extensions" (CSE). You can either script this, deploy them with a group policy, or if you have WSUS you can send out the update that way.
Solution
You may not have noticed, but if you edit or create a group policy in Server 2008 now, you will see there is a "Preferences" branch. Most IT Pros will have seen the addition of the "Policies" folder some time ago because it adds an extra level to get to the policies that were there before :)
OK Cool! What can you do with them?
1. Computer Preferences: Windows Settings
Environment: Lets you control, and send out, environment variables via Group Policy.
Files: Allows you to copy, modify the attributes of, replace or delete a file (for folders see the next section).
Folder: As above, but for folders.
Ini Files: Allows you to Create, Replace, Update or Delete an ini file.
Registry: Allows you to Create, Replace, Update or Delete a Registry value. You can either manually type in the preference, use a Wizard, or extract the key(s) and values you want to send out via group policy.
Network Shares: Allows you to Create, Replace, Update, or Delete shares on clients via group policy.
Shortcuts: Allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy.
2. Computer Preferences: Control Panel Settings
Data Sources: Allows you to Create, Replace, Update, or Delete Data Sources and ODBC settings via group policy. (Note: there's a bug if you're using SQL authentication; see here.)
Devices: Lets you enable and disable hardware devices by type and class; to be honest it's a little "clunky".
Folder Options: Allows you to set "File Associations" and set the default programs that will open particular file extensions.
Local Users and Groups: Lets you Create, Replace, Update, or Delete either local users or local groups. Handy if you want to create an additional admin account, or reset all the local administrators' passwords via group policy.
Network Options: Lets you send out VPN and dial-up connection settings to your clients; handy if you use PPTP Windows Server VPNs.
Power Options: With XP these are Power Options and Power Schemes; with Vista and later OSs they are Power Plans. This is much needed; I've seen many "Is there a group policy for power options?" or disabling hibernation questions in forums. And you can use the Options tab to target particular machine types (i.e. only apply if there is a battery present).
Printers: Lets you install printers (local or TCP/IP); handy if you want all the machines in accounts to have the accounts printer.
Scheduled Tasks: Lets you create a scheduled task or an immediate task (Vista or later); this could be handy to deploy a patch or some virus/malware removal process.
Service: Essentially anything you can do in the Services snap-in you can push out through group policy: set services to disabled or change the logon credentials used for a service. In addition you can set the recovery option should a service fail.
3. User Configuration: Windows Settings
Applications: Answers on a postcard? I can't work out what these are for!
Drive Mappings: Traditionally done by login script or from the user object, but use this and you can assign mapped drives on a user/group basis.
Environment: As above, lets you control and send out environment variables via Group Policy, but on a user basis.
Files: As above, allows you to copy, modify the attributes of, replace or delete a file (for folders see the next section), but on a user basis.
Folders: As above, but for folders on a user-by-user basis.
Ini Files: As above, allows you to Create, Replace, Update or Delete an ini file, on a user-by-user basis.
Registry: As above, allows you to Create, Replace, Update or Delete a Registry value. You can either manually type in the preference, use a Wizard, or extract the key(s) and values you want to send out via group policy, this time for users not computers.
Shortcuts: As above, allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy for users.
4. User Configuration: Control Panel Settings
All of the following options are covered above under "Computer Configuration": Data Sources, Devices, Folder Options, Local Users and Groups, Network Options, Power Options, Printers, Scheduled Tasks.
Internet Settings: Using this Group Policy you can specify Internet Explorer settings/options on a user-by-user basis.
Regional Options: Designed so you can change a user's locale; handy if you have one user who wants an American keyboard.
Start Menu: Provides the same functionality as right-clicking your task bar > Properties > Start Menu > Customise, only set user by user.
Reference: http://technet.microsoft.com/en-us/library/dd367850%28WS.10%29.aspx Group Policy Preferences
Q3. ABC.com has a main office and a branch office. ABC.com's network consists of a single Active Directory forest.
Some of the servers in the network run Windows Server 2008 and the rest run Windows Server 2003.
You are the administrator at ABC.com. You have installed Active Directory Domain Services (AD DS) on a computer that runs Windows Server 2008. The branch office is located in a physically insecure place. It has no IT personnel onsite and there are no administrators there. You need to set up a Read-Only Domain Controller (RODC) on the Server Core installation computer in the branch office.
What should you do to set up the RODC on the computer in the branch office?
A. Execute an attended installation of AD DS
B. Execute an unattended installation of AD DS
C. Execute RODC through AD DS
D. Execute AD DS by using deploying the image of AD DS
E. none of the above
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc754629.aspx
Install an RODC on a Server Core installation
To install an RODC on a Server Core installation of Windows Server 2008, you must perform an unattended installation of AD DS.
Q4. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 has the Active Directory Federation Services (AD FS) role installed.
You have an application named App1 that is configured to use Server1 for AD FS authentication.
You deploy a new server named Server2. Server2 is configured as an AD FS 2.0 server.
You need to ensure that App1 can use Server2 for authentication.
What should you do on Server2?
A. Add an attribute store.
B. Create a relying party trust.
C. Create a claims provider trust.
D. Create a relaying provider trust.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/dd807132%28v=ws.10%29.aspx Create a Relying Party Trust Using Federation Metadata
http://pipe2text.com/?page_id=815 Setting up a Relying Party Trust in ADFS 2.0
http://blogs.msdn.com/b/card/archive/2010/06/25/using-federation-metadata-to-establish-a-relying-party-trustin-ad-fs-2-0.aspx Using Federation Metadata to establish a Relying Party Trust in AD FS 2.0
Q5. Your network contains an Active Directory forest. The forest contains two domains. You have a standalone root certification authority (CA).
On a server in the child domain, you run the Add Roles Wizard and discover that the option to select an enterprise CA is disabled.
You need to install an enterprise subordinate CA on the server.
What should you use to log on to the new server?
A. an account that is a member of the Certificate Publishers group in the child domain
B. an account that is a member of the Certificate Publishers group in the forest root domain
C. an account that is a member of the Schema Admins group in the forest root domain
D. an account that is a member of the Enterprise Admins group in the forest root domain
Answer: D
Explanation:
http://social.technet.microsoft.com/Forums/uk/winserversecurity/thread/887f4cec-12f6-4c15-a506-568ddb21d46b
In order to install an Enterprise CA you MUST have Enterprise Admins permissions, because the Configuration naming context is replicated between domain controllers in the whole forest (not only the current domain) and is writable only for Enterprise Admins (Domain Admins permissions are insufficient).
Q6. Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has the Active Directory Federation Services (AD FS) Federation Service role service installed.
You plan to deploy AD FS 2.0 on Server2.
You need to export the token-signing certificate from Server1, and then import the certificate to Server2.
Which format should you use to export the certificate?
A. Base-64 encoded X.509 (.cer)
B. Cryptographic Message Syntax Standard PKCS #7 (.p7b)
C. DER encoded binary X.509 (.cer)
D. Personal Information Exchange PKCS #12 (.pfx)
Answer: D
Explanation:
Reference 1: http://technet.microsoft.com/en-us/library/ff678038.aspx
Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0
If the AD FS 1.x Federation Service has a token-signing certificate that was issued by a trusted certification authority (CA) and you want to reuse it, you will have to export it from AD FS 1.x.
[The site also provides a link to instructions on how to export the token-signing certificate. That link points to the site mentioned in Reference 2.]
Reference 2: http://technet.microsoft.com/en-us/library/cc784075.aspx
Export the private key portion of a token-signing certificate
To export the private key of a token-signing certificate
1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
2. Right-click Federation Service, and then click Properties.
3. On the General tab, click View.
4. In the Certificate dialog box, click the Details tab.
5. On the Details tab, click Copy to File.
6. On the Welcome to the Certificate Export Wizard page, click Next.
7. On the Export Private Key page, select Yes, export the private key, and then click Next.
8. On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX), and then click Next.
(...)
Q7. You create a new Active Directory domain. The functional level of the domain is Windows Server 2008 R2. The domain contains five domain controllers.
You need to monitor the replication of the group policy template files.
Which tool should you use?
A. Dfsrdiag
B. Fsutil
C. Ntdsutil
D. Ntfrsutl
Answer: A
Explanation:
With a domain functional level of Windows Server 2008 you have DFS-R SYSVOL replication available, so with DFL 2008 you can use the Dfsrdiag tool. It is not available with domain functional level 2003.
With domain functional level 2003 you can only use Ntfrsutl.
Q8. Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllers named DC3 and DC4. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2003. Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day.
At 07:00, an administrator deletes a user account while he is logged on to DC1.
You need to restore the deleted user account. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. On DC1, run the Restore-ADObject cmdlet.
B. On DC3, run the Restore-ADObject cmdlet.
C. On DC1, stop Active Directory Domain Services, restore the System State, and then start Active Directory Domain Services.
D. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active Directory Domain Services.
Answer: D
Explanation:
We cannot use Restore-ADObject, because Restore-ADObject is part of the Recycle Bin feature, and you can only use the Recycle Bin when the forest functional level is set to Windows Server 2008 R2. The question text says "The functional level of the forest is Windows Server 2003." See http://technet.microsoft.com/nl-nl/library/dd379481.aspx
DC3 is in Site2, which does not receive the deletion from Site1 until the replication window opens at 20:00, so at 07:00 DC3 still holds the user account and can mark it authoritative without first restoring from backup. Performing an authoritative restore on DC3 updates the Update Sequence Number (USN) on that DC, which causes it to replicate the restored user account to the other DCs.
Reference 1: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012), page 692
An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers.
Reference 2: http://technet.microsoft.com/en-us/library/cc755296.aspx
Authoritative restore of AD DS has the following requirements: You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete.
Q9. You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named Server1.
You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS.
Which inbound TCP port should you allow on Server1?
A. 88
B. 135
C. 443
D. 445
Answer: C
Q10. Your network contains an Active Directory domain.
You need to restore a deleted computer account from the Active Directory Recycle Bin.
What should you do?
A. From the command prompt, run recover.exe.
B. From the command prompt, run ntdsutil.exe.
C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.
D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/dd379509%28v=ws.10%29.aspx
Step 2: Restore a Deleted Active Directory Object
Applies To: Windows Server 2008 R2
This step provides instructions for completing the following tasks with Active Directory Recycle Bin:
Displaying the Deleted Objects container
Restoring a deleted Active Directory object using Ldp.exe
Restoring a deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets
Restoring multiple, deleted Active Directory objects
To restore a single, deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets
1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:
Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject
For example, if you want to restore an accidentally deleted user object with the display name Mary, type the following command, and then press ENTER:
Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject
http://blogs.msdn.com/b/dsadsi/archive/2009/08/26/restoring-object-from-the-active-directory-recycle-binusing-ad-powershell.aspx
Restoring object from the Active Directory Recycle Bin using AD Powershell
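The question asks about a computer account rather than a user; as an added example (not from the exam page or the TechNet step), a function that applies the same Get-ADObject / Restore-ADObject pipeline to a deleted computer, checking first that the Recycle Bin is enabled and that the original parent container still exists. The computer name and the function name are assumptions.

```powershell
# Added example: restore a deleted computer account from the AD Recycle Bin.
Import-Module ActiveDirectory

function Restore-DeletedComputer {
    param(
        [Parameter(Mandatory=$true)][string]$Name,   # computer name, with or without trailing "$"
        [string]$TargetPath                          # optional OU DN if the original parent is gone
    )

    # Restore-ADObject only works when the Recycle Bin optional feature is enabled;
    # without it a deleted object is a tombstone and an authoritative restore is needed.
    $rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if (-not $rb.EnabledScopes) { throw 'Active Directory Recycle Bin is not enabled in this forest.' }

    # Deleted objects are renamed to "<name>\0ADEL:<guid>", so match on sAMAccountName,
    # which for computer accounts always ends in "$".
    $sam = if ($Name.EndsWith('$')) { $Name } else { $Name + '$' }
    $deleted = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, whenChanged `
        -Filter { objectClass -eq 'computer' -and sAMAccountName -eq $sam -and isDeleted -eq $true } |
        Sort-Object whenChanged -Descending      # most recent deletion first

    if (-not $deleted) { throw "No deleted computer account '$sam' was found." }
    $obj = @($deleted)[0]

    # The object goes back under lastKnownParent unless that container was deleted too;
    # in that case restore the parent first or supply -TargetPath.
    $restoreArgs = @{ Identity = $obj.ObjectGUID }
    if ($TargetPath) {
        $restoreArgs['TargetPath'] = $TargetPath
    } else {
        try { Get-ADObject -Identity $obj.lastKnownParent | Out-Null }
        catch { throw "Parent '$($obj.lastKnownParent)' no longer exists; restore it or pass -TargetPath." }
    }
    Restore-ADObject @restoreArgs

    # Return the live object so the caller can confirm where it landed
    Get-ADComputer -Identity $obj.ObjectGUID
}

# Usage (constructed computer name)
Restore-DeletedComputer -Name 'WKS-0421' | Select-Object Name, DistinguishedName, Enabled
```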
Q11. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003.
You upgrade all domain controllers to Windows Server 2008.
You need to configure the Active Directory environment to support the application of multiple password policies.
What should you do?
A. Raise the functional level of the domain to Windows Server 2008.
B. On one domain controller, run dcpromo /adv.
C. Create multiple Active Directory sites.
D. On all domain controllers, run dcpromo /adv.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
This step-by-step guide provides instructions for configuring and applying fine-grained password and account lockout policies for different sets of users in Windows Server 2008 domains.
In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, you could apply only one password and account lockout policy, which is specified in the domain's Default Domain Policy, to all users in the domain. As a result, if you wanted different password and account lockout settings for different sets of users, you had to either create a password filter or deploy multiple domains. Both options were costly for different reasons.
In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.
Requirements and special considerations for fine-grained password and account lockout policies
Domain functional level: The domain functional level must be set to Windows Server 2008 or higher.
Q12. Your network contains an Active Directory domain. The domain is configured as shown in the following table.
Users in Branch2 sometimes authenticate to a domain controller in Branch1.
You need to ensure that users in Branch2 only authenticate to the domain controllers in Main.
What should you do?
A. On DC3, set the AutoSiteCoverage value to 0.
B. On DC3, set the AutoSiteCoverage value to 1.
C. On DC1 and DC2, set the AutoSiteCoverage value to 0.
D. On DC1 and DC2, set the AutoSiteCoverage value to 1.
Answer: A
Q13. Your company has a DNS server that has 10 Active Directory integrated zones.
You need to provide copies of the zone files of the DNS server to the security department.
What should you do?
A. Run the dnscmd /ZoneInfo command.
B. Run the ipconfig /registerdns command.
C. Run the dnscmd /ZoneExport command.
D. Run the ntdsutil > Partition Management > List commands.
Answer: C
Explanation:
http://servergeeks.wordpress.com/2012/12/31/dns-zone-export/
DNS Zone Export
In Non-AD Integrated DNS Zones
DNS zone file information is stored by default in the %systemroot%\system32\dns folder. When the DNS Server service starts it loads zones from these files. This behavior is limited to any primary and secondary zones that are not AD integrated. The files will be named <ZoneFQDN>.dns.
In AD Integrated DNS Zones
AD-integrated zones are stored in the directory; they do not have corresponding zone files, i.e. they are not stored as .dns files. This makes sense because the zones are stored in, and loaded from, the directory. It is therefore important to take a backup of these AD integrated zones before making any changes to the DNS infrastructure. Dnscmd.exe can be used to export a zone to a file. The syntax of the command is:
DnsCmd <ServerName> /ZoneExport <ZoneName> <ZoneExportFile>
<ZoneName> - FQDN of the zone to export, or /Cache to export the cache
As an example, let's say we have an AD integrated zone named habib.local and our DC is server1. The command to export the file would be:
Dnscmd server1 /ZoneExport habib.local habib.local.bak
You can refer to the complete article on DNSCMD on the Microsoft TechNet website:
http://technet.microsoft.com/en-us/library/cc772069(v=ws.10).aspx
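The question has ten AD-integrated zones, so as an added example (not from the exam page or the cited blog) a script that enumerates the zones with dnscmd /EnumZones and runs /ZoneExport for each one; the server name and the file naming are assumptions, and the /EnumZones column layout it parses is the one dnscmd prints on Windows Server 2008 R2.

```powershell
# Added example: export every AD-integrated zone on one DNS server with dnscmd.
$DnsServer = 'server1'                 # assumed DNS server / domain controller
$Stamp     = Get-Date -Format 'yyyyMMdd'

# dnscmd /EnumZones prints a table: "<zone name>  <type>  <storage>  <properties>".
# Storage is "File" for file-backed zones and "AD-Domain", "AD-Forest" or "AD-Legacy"
# for directory-stored zones; the cache pseudo-zone "." is skipped.
$zones = dnscmd $DnsServer /EnumZones |
    ForEach-Object {
        if ($_ -match '^\s*(\S+)\s+(Primary|Secondary|Stub|Forwarder)\s+(AD-\S+)') { $Matches[1] }
    } |
    Where-Object { $_ -ne '.' }

if (-not $zones) { throw "No AD-integrated zones found on $DnsServer (or dnscmd failed)." }

foreach ($zone in $zones) {
    # /ZoneExport writes the file into %systemroot%\system32\dns ON THE DNS SERVER,
    # so the file name is relative to that folder, not to the machine running this script.
    $exportFile = "$zone.$Stamp.bak"
    $output = dnscmd $DnsServer /ZoneExport $zone $exportFile
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of $zone failed: $($output -join ' ')"
        continue
    }
    "$zone -> \\$DnsServer\admin`$\system32\dns\$exportFile"
}
```

The exported files are plain zone files; copy them off the DNS server's dns folder (the admin$ path printed above) before handing them to the security department.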
Q14. You create a Password Settings object (PSO).
You need to apply the PSO to a domain user named User1.
What should you do?
A. Modify the properties of the PSO.
B. Modify the account options of the User1 account.
C. Modify the security settings of the User1 account.
D. Modify the password policy of the Default Domain Policy Group Policy object (GPO).
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc731589.aspx
To apply PSOs to users or global security groups using the Windows interface
1. Open Active Directory Users and Computers
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, click Password Settings Container.
4. In the details pane, right-click the PSO, and then click Properties.
5. Click the Attribute Editor tab.
6. Select the msDS-PsoAppliesTo attribute, and then click Edit.
7. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user or the global security group that you want to apply this PSO to, click Add, and then click OK.
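As an added example that serves both Q11 (fine-grained password policies need DFL 2008) and Q14 (linking a PSO to a user), and is not code from the exam page or TechNet: creating a PSO with the Active Directory module, applying it to User1 (which writes User1's DN into msDS-PsoAppliesTo, the attribute step 6 above edits by hand), and checking which PSO is actually in effect. The PSO name, settings and User1 are assumptions.

```powershell
# Added example: create, apply and verify a fine-grained password policy (PSO).
Import-Module ActiveDirectory

# Fine-grained password policies need a domain functional level of Windows Server 2008 or higher
$mode = (Get-ADDomain).DomainMode
if ($mode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level is $mode; raise it to Windows Server 2008 first."
}

# Create the PSO. When several PSOs apply to one user, the lowest Precedence wins,
# and a PSO linked directly to the user beats any PSO inherited through a group.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 42) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# Link it to the user. Subjects may only be users or global security groups, never OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'User1'

# Verify the policy that is really in effect for User1 after precedence is resolved
$effective = Get-ADUserResultantPasswordPolicy -Identity 'User1'
if (-not $effective) {
    Write-Warning 'No PSO applies to User1; the Default Domain Policy settings are in effect.'
} elseif ($effective.Name -ne 'PSO-Admins') {
    Write-Warning "User1 is governed by '$($effective.Name)' (precedence $($effective.Precedence)), which outranks PSO-Admins."
} else {
    $effective | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
}
```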
Q15. Your company has a main office and 10 branch offices. Each branch office has an Active Directory site that contains one domain controller. Only domain controllers in the main office are configured as Global Catalog servers.
You need to deactivate the Universal Group Membership Caching (UGMC) option on the domain controllers in the branch offices.
At which level should you deactivate UGMC?
A. Server
B. Connection object
C. Domain
D. Site
Answer: D
Explanation:
http://www.ntweekly.com/?p=788
http://gallery.technet.microsoft.com/scriptcenter/c1bd08d2-1440-40f8-95be-ad2050674d91
Script to Disable Universal Group Membership Caching in all Sites
How to Disable Universal Group Membership Caching in all Sites using a Script
Starting with Windows Server 2003, a new feature called Universal Group Membership Caching (UGMC) caches a user's membership in Universal Groups on the domain controllers authenticating the user. This feature allows a domain controller to know which Universal Groups a user is a member of without contacting a Global Catalog. Unlike Global group memberships, which are stored in each domain, Universal Group memberships are only stored in a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the Global Catalog provides Universal Group membership information for the user's account to the authenticating domain controller at the time the user logs on to the domain.
UGMC is enabled or disabled per site, on the NTDS Site Settings object of each site in Active Directory Sites and Services, which is why the setting is changed at the site level.
UGMC is generally a good idea for multiple-domain forests when:
1. Universal Group membership does not change frequently.
2. There is low WAN bandwidth between Domain Controllers in different sites.
It is also recommended to disable UGMC if all Domain Controllers in a forest are Global Catalogs.
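As an added example (not the gallery script the explanation links to, nor code from the exam page), the per-site nature of UGMC in PowerShell: the setting is bit 0x20 of the options attribute on each site's NTDS Site Settings object, so the script reads that bit for every site and clears it only for the named branch sites. The branch site names are assumptions.

```powershell
# Added example: report and disable Universal Group Membership Caching per site.
Import-Module ActiveDirectory

# Bit in the "options" attribute of an NTDS Site Settings object that turns UGMC on
$UGMC_ENABLED = 0x20   # NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED

function Get-SiteUgmcState {
    # One record per site: site name, DN of its NTDS Site Settings object, current UGMC state
    $sitesDn = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $sitesDn -SearchScope Subtree `
        -LDAPFilter '(objectClass=nTDSSiteSettings)' -Properties options |
        ForEach-Object {
            $opts = if ($_.options) { [int]$_.options } else { 0 }
            New-Object PSObject -Property @{
                Site        = (($_.DistinguishedName -split ',')[1] -replace '^CN=', '')
                Settings    = $_.DistinguishedName
                Options     = $opts
                UgmcEnabled = (($opts -band $UGMC_ENABLED) -ne 0)
            }
        }
}

function Disable-SiteUgmc {
    param([Parameter(Mandatory=$true)][string[]]$SiteName)
    foreach ($s in (Get-SiteUgmcState | Where-Object { $SiteName -contains $_.Site })) {
        if (-not $s.UgmcEnabled) { "$($s.Site): UGMC already disabled"; continue }
        # Clear only the UGMC bit; any other option bits on the object are preserved
        Set-ADObject -Identity $s.Settings -Replace @{ options = ($s.Options -band (-bnot $UGMC_ENABLED)) }
        "$($s.Site): UGMC disabled"
    }
}

# Usage: the ten branch sites are assumed to be named Branch01..Branch10
Disable-SiteUgmc -SiteName (1..10 | ForEach-Object { 'Branch{0:D2}' -f $_ })
Get-SiteUgmcState | Sort-Object Site | Format-Table Site, UgmcEnabled -AutoSize
```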