70-640 Premium Bundle

TS: Windows Server 2008 Active Directory, Configuring (Certification Exam)

Last update: November 21, 2024

Microsoft 70-640 Free Practice Questions

Q1. Your network consists of a single Active Directory domain. User accounts for engineering department are located in an OU named Engineering. 

You need to create a password policy for the engineering department that is different from your domain password policy. 

What should you do? 

A. Create a new GPO. Link the GPO to the Engineering OU. 

B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the Engineering OU. 

C. Create a global security group and add all the user accounts for the engineering department to the group. Create a new Password Policy Object (PSO) and apply it to the group. 

D. Create a domain local security group and add all the user accounts for the engineering department to the group. From the Active Directory Users and Computer console, select the group and run the Delegation of Control Wizard. 

Answer: C

Explanation: 

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/b3d11cd4-897b-4da1-bae1-f1b69441175b 

Complex Password Policy on an OU 

Q: Is it possible to apply a complex password policy to an OU instead of the entire domain (Windows 2008 R2)? I'm under the impression it can only be applied to either a security group or an individual user. 

A1: I believe you are referring to PSC and PSO. The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container. PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these OUs and then applying the newly defined fine-grained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups. Groups offer better flexibility for managing various sets of users than OUs. For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008. Fine-grained password policies apply only to user objects and global security groups. They cannot be applied to Computer objects. For more info, please see the article below: http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide 

A2: Here is a link to how you set up fine grain password policy... However, you can only apply it to a Security Group. http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/ 

A3: In addition, for fine-grained password policy you need DFL 2008, and you can apply that policy on a single user and only a global security group. 

Find the step-by-step info: http://social.technet.microsoft.com/wiki/contents/articles/4627.aspx 

http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/ 

Tutorial: How to setup Default and Fine Grain Password Policy 

One strange thing that still seems to catch a lot of people out is that you can only have one password policy for your users per domain. This catches a lot of people out as they apply a password policy to an OU in their AD thinking that it will apply to all the users in that OU… but it doesn't. Microsoft did introduce Fine Grain Password Policies with Windows Server 2008; however, this can only be set based on a security group membership and you still need to use the very un-user-friendly ADSI Edit tool to make the changes to the policy. Below I will go through how you change the default domain password policy and how you then apply a fine grain password policy to your environment. The good news is setting the default password policy for a domain is really easy. The bad news is that setting a fine grain password policy is really hard. 

How to set a Default Domain Password Policy 

Step 1 Create a new Group Policy Object at the top level of the domain (e.g. “Domain Password Policy”). 

Note: I have elected to create a new GPO at the top of the domain in this case as I always try to avoid modifying the “Default Domain Policy”, see Explanations below. 

Explanation: 

http://technet.microsoft.com/en-us/library/cc736813(WS.10).aspx 

TechNet: Linking GPOs 

If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option. 

http://technet.microsoft.com/en-us/library/cc779159(WS.10).aspx 

TechNet: Establishing Group Policy Operational Guidelines 

Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies. 

Step 2 

Edit the “Domain Password Policy” GPO, go to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policy > Password Policy and configure the password policy settings to the configuration you desire. 

Step 3 

Once you have configured the password policy settings make the “Domain Password Policy” GPO the highest in the Linked GPO processing order. 

TIP: Make sure you inform all your users when you are going to do this as it may trigger them to change their password the next time they logon. 

Done… told you it was easy…. 

Note: Even if you apply the password policies to the “Domain Controllers” OU it will not modify the domain’s password policy. As far as I know this is the only exception to the rule as to how GPOs apply to objects. As you can see in the image below, the “Minimum password length” in the “Domain Password Policy” GPO is still applied to the domain controller even though I have another GPO linked to the “Domain Controllers” OU configuring the same setting. 

For a better explanation as to why the GPO that is linked to the Domain, and not the Domain Controllers, is used for the password policy for all users check out Jorge’s Quest for Knowledge! – Why GPOs with Password and Account Lockout Policy Settings must be linked to the AD domain object to be effective on AD domain user accounts (http://blogs.dirteam.com/blogs/jorge/archive/2008/12/16/why-gpos-with-password-and-account-lockout-policy-settings-must-be-linked-to-the-ad-domain-object-to-be-affective-on-ad-domain-user-accounts.aspx) 

How to set a Fine Grain Password Policy 

Fine Grain Password Policies (FGPP) were introduced as a new feature of Windows Server 2008. Before this the only way to have different password polices for the users in your environment was to have separate domains… OUCH! 

Pre-Requisites/Restrictions 

Your domain must be Windows Server 2008 Native Mode; this means ALL of your domain controllers must be running Windows Server 2008 or later. You can check this by selecting “Raise domain functional level” on the top of the domain in Active Directory Users and Computers. 

Explanation: 

http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx 

AD DS: Fine-Grained Password Policies 

The domain functional level must be Windows Server 2008. 

The other restriction with this option is that you can only apply FGPP to user objects or users in global security groups (not computers). 

Explanation: 

http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx 

AD DS: Fine-Grained Password Policies 

Fine-grained password policies apply only to user objects … and global security groups. 

TIP: If you set up an “Automatic Shadow Group” (http://policelli.com/blog/archive/2008/01/15/manage-shadowgroups-in-windows-server-2008/) you can apply these password policies automatically to any users located in an OU. 

Creating a Password Setting Object (PSO) 

Step 1 Under Administrative Tools open ADSI Edit and connect it to the domain and domain controller where you want to set up the new password policy. 

Note: If you do not see this option go to “Turn Windows Features On or Off” and make sure the “AD DS and AD LDS Tools” are installed. (You will need RSAT also installed if you are on Windows 7.) 

Step 2 Double click on the “CN=DomainName” then double click on “CN=System” and then double click on “CN=Password Settings Container”. 

Step 3 

Right click on “CN=Password Settings Container” and then click on “New” then “Object”. 

Step 4 

Click on “Next” 

Step 5 

Type the name of the PSO in the “Value” field and then click “Next” 

Note: With the exception of the password length the following values are all the same as the default values in the “Default Domain Policy”. 

Step 6 

Type in a number that will be the Precedence for this Password Policy then click “Next”. 

Note: This is used if a user has multiple Password Settings Objects (PSOs) applied to them. 

Step 7 

Type “FALSE” in the value field and click “Next” 

Note: You should almost never use “TRUE” for this setting. 

Step 8 

Type “24” in the “Value” field and click “Next” 

Step 9 

Type “TRUE” in the “Value” field and click “Next” 

Step 10 

Type “5” in the “Value” field and click “Next” 

Step 11 

Type “1:00:00:00” in the “Value” field and click “Next” 

Step 12 

Type “42:00:00:00” in the “Value” field and click “Next” 

Step 13 

Type “10” in the “Value” field and click “Next” 

Step 14 

Type “0:00:30:00” in the “Value” field and click “Next” 

Step 15 

Type “0:00:33:00” in the “Value” field and click “Next” 

Step 16 

Click “Finish” 

You have now created the Password Settings Object (PSO) and you can close the ADSI Edit tool. 

Now to apply the PSO to a users or group… 

Step 17 

Open Active Directory Users and Computers and navigate to “System > Password Settings Container” 

Note: Advanced Mode needs to be enabled. 

Step 18 

Double click on the PSO you created then click on the “Attribute Editor” tab and then select the “msDS-PSOAppliedTo” attribute and click “Edit” 

Step 19 

Click “Add Windows Accounts….” button. 

Step 20 

Select the user or group you want to apply this PSO and click “OK” 

Step 21 

Click “OK” 

Step 22 

Click “OK” 

And you are done… (told you it was hard). 

Fine Grain Password Policies, as you can see, are very difficult to set up and manage, so it is probably best you use them sparingly in your organisation… But if you really have to have a simple password or an extra complicated password then at least it gives you a way to do this without having to spin up another domain. 
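Added example (PowerShell; not part of the tutorial quoted above): a check that the GPO linked at the domain root is really what feeds the domain password policy, using the link order the tutorial's Step 3 sets and the effective policy read back from the domain object. It assumes the ActiveDirectory and GroupPolicy modules (Server 2008 R2 RSAT or later), a GPO named “Domain Password Policy”, and the expected values in the hashtable, which are illustrative rather than taken from the tutorial.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = Get-ADDomain
$gpoName = 'Domain Password Policy'      # the GPO created in Step 1 (assumed name)

# Link order at the domain root. Account policy for domain accounts is read from the
# GPO(s) linked to the domain object, so a link on Domain Controllers or any other OU
# changes nothing for domain users (the note above). Lower Order wins; Enforced wins
# over everything.
$links = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks | Sort-Object Order
$links | Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

$pwdLink = $links | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $pwdLink) {
    Write-Warning "'$gpoName' is not linked to $($domain.DNSRoot); it will not affect the domain password policy."
} elseif (-not $pwdLink.Enabled) {
    Write-Warning "'$gpoName' is linked but the link is disabled."
} elseif ($pwdLink.Order -ne 1 -and -not $pwdLink.Enforced) {
    Write-Warning "'$gpoName' is link order $($pwdLink.Order) and not enforced; a GPO with a lower order can still override it (Step 3)."
}

# What you intended to set in Step 2 (illustrative values, not from the tutorial).
$expected = @{
    MinPasswordLength    = 12
    PasswordHistoryCount = 24
    ComplexityEnabled    = $true
    MaxPasswordAge       = New-TimeSpan -Days 42
    MinPasswordAge       = New-TimeSpan -Days 1
}

# Get-ADDefaultDomainPasswordPolicy reads the effective values the PDC emulator wrote
# to the domain object, which is what is actually enforced at password change.
$effective = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
foreach ($setting in $expected.Keys) {
    if ($effective.$setting -ne $expected[$setting]) {
        Write-Warning ("{0}: effective = {1}, expected = {2}. Wait for replication/policy refresh (gpupdate on the PDC emulator) or check the link order." -f $setting, $effective.$setting, $expected[$setting])
    }
}
```

Run it on a domain controller after Step 3; a warning about link order is the symptom of a second domain-root GPO (often the Default Domain Policy) still winning.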

Q2. Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directory domain named intranet.fabrikam.com. Fabrikam's security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network. 

You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain. 

What should you do? 

A. Create a new stub zone for the intranet.fabrikam.com domain. 

B. Configure conditional forwarding for the intranet.fabrikam.com domain. 

C. Create a standard secondary zone for the intranet.fabrikam.com domain. 

D. Create an Active Directory-integrated zone for the intranet.fabrikam.com domain. 

Answer: B

Explanation: 

Q3. You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensure that data and log files are backed up regularly. This will also ensure the continued availability of data to applications and users in the event of a system failure. 

Because you have limited media resources, you decided to back up only a specific AD LDS instance instead of taking a backup of the entire volume. 

What should you do to accomplish this task? 

A. Use the Windows Server Backup utility and enable the check box to back up only the database and log files of AD LDS 

B. Use the Dsdbutil.exe tool to create installation media that corresponds only to the AD LDS instance 

C. Move the AD LDS database and log files to a separate volume and use the Windows Server Backup utility 

D. None of the above 

Answer: B

Explanation: 

http://technet.microsoft.com/en-us/library/cc730941.aspx 

Backing up AD LDS instance data with Dsdbutil.exe 

With the Dsdbutil.exe tool, you can create installation media that corresponds only to the AD LDS instance that you want to back up, as opposed to backing up entire volumes that contain the AD LDS instance. 
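Added example (PowerShell; not from the TechNet page above) for Q3: running dsdbutil unattended to create installation media for a single AD LDS instance and checking that the database file actually landed in the target folder. The instance name and target path are assumptions.

```powershell
# dsdbutil takes its interactive menu commands as arguments, so the whole sequence
# runs without prompting. "ifm / create full" snapshots just this instance's
# database (adamntds.dit) and the registry settings needed to restore or
# install from it, instead of the whole volume.
$instance = 'CRMInstance'                                   # assumed AD LDS instance name
$target   = 'D:\Backups\ADLDS\' + (Get-Date -Format 'yyyyMMdd-HHmm')   # assumed path

$out = & dsdbutil.exe "activate instance $instance" ifm "create full $target" quit quit 2>&1
if ($LASTEXITCODE -ne 0) { throw "dsdbutil failed:`n$out" }

# Do not trust the media until the database file is there; IFM needs VSS and can
# fail part-way while still printing most of its output.
$dit = Get-ChildItem -Path $target -Recurse -Filter 'adamntds.dit' -ErrorAction SilentlyContinue
if (-not $dit) { throw "No adamntds.dit under $target; IFM media for $instance is incomplete." }
"IFM media for $instance written to $target ($([math]::Round($dit.Length / 1MB, 1)) MB)"
```

Schedule it per instance; restoring is the reverse (install a new instance from the media with the AD LDS setup wizard's "install from media" option).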

Q4. Your network contains an Active Directory domain. All servers run Windows Server 2008 R2. 

You need to audit the deletion of registry keys on each server. 

What should you do? 

A. From Audit Policy, modify the Object Access settings and the Process Tracking settings. 

B. From Audit Policy, modify the System Events settings and the Privilege Use settings. 

C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking settings. 

D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object Access Auditing settings. 

Answer: D

Explanation: 

http://technet.microsoft.com/en-us/library/dd408940.aspx 

Advanced Security Audit Policy Step-by-Step Guide 

A global object access audit policy can be used to enforce object access audit policy for a computer, file share, or registry. 
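Added example (PowerShell; not from the guide cited above) for Q4, showing both halves of registry deletion auditing: enabling the Object Access > Registry subcategory plus a Delete SACL (shown per key here; answer D's Global Object Access Auditing applies the same SACL to every key from Group Policy without touching each one), and then parsing the resulting 4663 events for deletions. The key path, account name and the sample event are constructed.

```powershell
# --- 1. Configuration (run elevated on the server) ---
# Advanced audit policy subcategory; without it no registry 4663 events are written.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# Per-key SACL: audit Delete by anyone, inherited to subkeys. Global Object Access
# Auditing (answer D) does the same for every key from the GPO instead.
$keyPath = 'HKLM:\SOFTWARE\Contoso\LOB'        # assumed key to watch
$acl  = Get-Acl -Path $keyPath -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]::Delete,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# --- 2. Detection: 4663 "An attempt was made to access an object" ---
# AccessMask bit 0x10000 is DELETE; ObjectType "Key" separates registry from files.
function Get-RegistryDeleteAudit {
    param([string[]]$EventXml)
    foreach ($xmlText in $EventXml) {
        $e = [xml]$xmlText
        $d = @{}
        foreach ($item in $e.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d.ObjectType -ne 'Key') { continue }
        if (([int]$d.AccessMask -band 0x10000) -eq 0) { continue }
        [pscustomobject]@{
            Time    = [datetime]$e.Event.System.TimeCreated.SystemTime
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Key     = $d.ObjectName
            Process = $d.ProcessName
        }
    }
}

# Live use on the server:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} -MaxEvents 500 |
#       ForEach-Object { $_.ToXml() } | ForEach-Object { Get-RegistryDeleteAudit $_ }

# Constructed sample event so the parser can be exercised offline:
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4663</EventID><TimeCreated SystemTime="2024-11-21T10:15:00.000Z"/></System>
 <EventData>
  <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CONTOSO</Data>
  <Data Name="ObjectType">Key</Data>
  <Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Contoso\LOB\Licensing</Data>
  <Data Name="AccessMask">0x10000</Data>
  <Data Name="ProcessName">C:\Windows\regedit.exe</Data>
 </EventData>
</Event>
'@
Get-RegistryDeleteAudit -EventXml $sample
```

4663 reports the access that was exercised on an open handle; a subsequent 4660 ("An object was deleted") with the same HandleId confirms the key is gone, so correlate on HandleId when you need certainty rather than intent.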

Q5. Your company has two Active Directory forests named contoso.com and fabrikam.com. 

The company network has three DNS servers named DNS1, DNS2, and DNS3. The DNS servers are configured as shown in the following table. 

All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server. All other computers use DNS1 as the preferred DNS server. 

Users from the fabrikam.com domain are unable to connect to the servers that belong to the contoso.com domain. 

You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries. 

What should you do? 

A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3. 

B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server. 

C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server. 

D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1. 

Answer: D

Explanation: 

http://technet.microsoft.com/en-us/library/cc730756.aspx 

Understanding Forwarders 

A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders. 

You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network. 

The following figure illustrates how external name queries are directed with forwarders. 

Conditional forwarders 

A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. 

Q6. Your company has an Active Directory domain named ad.contoso.com. The domain has two domain controllers named DC1 and DC2. Both domain controllers have the DNS server role installed. 

You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure DC1 to forward all unresolved name requests to DNS1.contoso.com. 

You discover that the DNS forwarding option is unavailable on DC2. 

You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com server. 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) 

A. Clear the DNS cache on DC2. 

B. Configure conditional forwarding on DC2. 

C. Configure the Listen On address on DC2. 

D. Delete the Root zone on DC2. 

Answer: B,D 

Explanation: 
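Added example (PowerShell driving dnscmd, the tool Windows Server 2008 ships with) serving Q2, Q5 and Q6 together; it is not code from the page. It removes the root zone that greys out forwarding on DC2, sets the forwarder to the perimeter server, adds a conditional forwarder for the partner namespace (which performs no zone transfer, unlike a stub or secondary zone), and checks resolution afterwards. Server names and addresses are assumptions.

```powershell
$dnsServer  = 'DC2'                      # server whose forwarding option is "unavailable"
$partner    = 'intranet.fabrikam.com'    # namespace to resolve without copying its data
$partnerDns = '10.20.0.53'               # Fabrikam DNS server authoritative for it
$upstream   = '192.168.100.5'            # DNS1.contoso.com on the perimeter network

# Q6: forwarding is greyed out while the server hosts a root zone ("."), because a
# server authoritative for the root never needs to ask anyone else. Delete it first.
$zones = & dnscmd $dnsServer /EnumZones 2>&1
if ($zones -match '^\s*\.\s') {
    Write-Warning "$dnsServer hosts a root zone; deleting it so forwarders can be configured."
    & dnscmd $dnsServer /ZoneDelete . /f | Out-Null
}

# Q6: everything the server cannot resolve itself goes to the perimeter DNS.
& dnscmd $dnsServer /ResetForwarders $upstream | Out-Null

# Q2/Q5: conditional forwarder. Only queries for this namespace go to the partner's
# server; no SOA/NS/record data is pulled from them (no zone transfer), which is
# what distinguishes it from a stub zone or a secondary zone.
& dnscmd $dnsServer /ZoneAdd $partner /Forwarder $partnerDns | Out-Null

# Verify from the client's point of view: the name must resolve through $dnsServer.
function Test-Resolution([string]$Name, [string]$Server) {
    $out = & nslookup -type=A $Name $Server 2>&1 | Out-String
    return ($out -notmatch "can't find|timed out|Non-existent")
}
if (-not (Test-Resolution "dc01.$partner" $dnsServer)) {
    Write-Warning "Conditional forwarder for $partner exists but $dnsServer still cannot resolve it; check that $partnerDns answers recursive queries from $dnsServer."
}
```

On Server 2012 and later the DnsServer module (Add-DnsServerConditionalForwarderZone, Remove-DnsServerZone, Set-DnsServerForwarder) replaces the dnscmd calls one for one.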

Q7. ABC.com has a network that consists of a single Active Directory domain. Windows Server 2008 is installed on all domain controllers in the network. 

You are instructed to capture all replication errors from all domain controllers to a central location. 

What should you do to achieve this task? 

A. Initiate the Active Directory Diagnostics data collector set 

B. Set event log subscriptions and configure it 

C. Initiate the System Performance data collector set 

D. Create a new capture in the Network Monitor 

Answer: B

Explanation: 

http://technet.microsoft.com/en-us/library/cc748890.aspx 

Configure Computers to Forward and Collect Events 

Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source). 

http://technet.microsoft.com/en-us/library/cc749183.aspx 

Event Subscriptions 

Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers. Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events. 

Using the event collecting feature requires that you configure both the forwarding and the collecting computers. The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process. 

http://technet.microsoft.com/en-us/library/cc961808.aspx 

Replication Issues 
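Added example (PowerShell; not from the TechNet pages above) for Q7: a source-initiated subscription that collects critical and error events from the Directory Service log of every domain controller into one collector's ForwardedEvents log, which is what option B sets up. Collector name and subscription name are assumptions; the subscription XML follows the schema wecutil expects, and the SDDL grants the Domain Controllers group (SDDL alias DD) the right to push events.

```powershell
# --- On each source DC (or push it with Group Policy: Computer Configuration > Policies >
#     Administrative Templates > Windows Components > Event Forwarding >
#     "Configure target Subscription Manager") ---
#   winrm quickconfig -q
#   Subscription manager value for that GPO setting (collector name assumed):
#   Server=http://ADMON01.contoso.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
# The source reads its own logs as NETWORK SERVICE; add that account to the local
# Event Log Readers group if the log is access-restricted.

# --- On the collector (ADMON01, assumed) ---
wecutil qc /q | Out-Null        # enable and start the Windows Event Collector service

$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AD-Replication-Errors</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Critical/error events from the Directory Service log of every DC</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Directory Service">
        <Select Path="Directory Service">*[System[(Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@
$file = Join-Path $env:TEMP 'ad-replication-errors.xml'
Set-Content -Path $file -Value $subscription -Encoding UTF8

wecutil cs $file                      # create the subscription from the XML
wecutil gr AD-Replication-Errors      # runtime status: which DCs have connected, last error

# What has arrived so far; replication failures (KCC, RPC, lingering objects) land here
# with the originating DC in MachineName.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id, LevelDisplayName, Message
```

Level 1 and 2 keep the subscription to critical and error events; widen the XPath to include Level=3 if you also want the replication warnings that precede most failures.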

Q8. You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recovery agent certificates are issued. The CA is configured to use two recovery agents. 

You need to ensure that all of the recovery agent certificates can be used to recover all new private keys. 

What should you do? 

A. Add a data recovery agent to the Default Domain Policy. 

B. Modify the value in the Number of recovery agents to use box. 

C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates. 

D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates. 

Answer: B

Explanation: 

MS Press - Self-Paced Training Kit (Exams 70-648 & 70-649) (Microsoft Press, 2009) page 357 

You enable key archival on the Recovery Agents tab of the CA Properties in the CA console by selecting the Archive The Key option and specifying a key recovery agent. In the number of recovery agents to use, select the number of key recovery agent (KRA) certificates you have added to the CA. This ensures that each KRA can be used to recover a private key. If you specify a smaller number than the number of KRA certificates installed, the CA will randomly select that number of KRA certificates from the available total and encrypt the private key, using those certificates. This complicates recovery because you then have to figure out which recovery agent certificate was used to encrypt the private key before beginning recovery. 
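Added example (PowerShell; not from the training kit cited above) for Q8: reading the CA's KRA configuration with certutil and warning when the number of recovery agents to use is below the number of KRA certificates, which is the situation the question describes. KRACertHash and KRACertCount are the CA registry values behind the Recovery Agents tab; parsing certutil's text layout is an assumption noted in the code.

```powershell
function Get-KraConfig {
    # KRACertHash is a REG_MULTI_SZ of KRA certificate thumbprints; KRACertCount is the
    # "Number of recovery agents to use" box. Parsing assumes certutil prints
    # "n: <hex bytes>" per thumbprint and "<name> REG_DWORD = <n>" for the count.
    $hashLines = (& certutil -getreg ca\KRACertHash 2>&1 | Out-String) -split "`r?`n"
    $hashes = @($hashLines | Where-Object { $_ -match '^\s*\d+:\s*([0-9a-fA-F]{2}\s*){20}$' } |
                            ForEach-Object { ($_ -replace '^\s*\d+:\s*', '') -replace '\s', '' })
    $countOut = (& certutil -getreg ca\KRACertCount 2>&1 | Out-String)
    $count = if ($countOut -match 'KRACertCount\s+REG_DWORD\s*=\s*(\d+)') { [int]$matches[1] } else { -1 }
    [pscustomobject]@{ KraThumbprints = $hashes; CountToUse = $count }
}

$cfg = Get-KraConfig
if ($cfg.KraThumbprints.Count -eq 0 -or $cfg.CountToUse -lt 0) {
    throw 'Could not read KRACertHash/KRACertCount from certutil output; check the layout assumption.'
}
"KRA certificates registered: $($cfg.KraThumbprints.Count); number used per archived key: $($cfg.CountToUse)"

if ($cfg.CountToUse -lt $cfg.KraThumbprints.Count) {
    Write-Warning 'Each archived key is encrypted to a random subset of the KRAs, so a given KRA may be unable to recover a given key.'
    # The fix the question asks for (option B): use all registered KRAs, then restart the CA
    # so the new setting applies to keys archived from now on.
    & certutil -setreg ca\KRACertCount $cfg.KraThumbprints.Count | Out-Null
    Restart-Service -Name CertSvc
}
```

Keys archived before the change stay wrapped for the two KRAs chosen at the time; use certutil -getkey on the serial number to see which KRA certificates a given archived key was encrypted to.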

Q9. You install a read-only domain controller (RODC) named RODC1. 

You need to ensure that a user named User1 can administer RODC1. The solution must minimize the number of permissions assigned to User1. 

Which tool should you use? 

A. Active Directory Administrative Center 

B. Active Directory Users and Computers 

C. Dsadd 

D. Dsmgmt 

Answer: D

Explanation: 

Explanation 1: 

http://technet.microsoft.com/en-us/library/cc755310.aspx 

Delegating local administration of an RODC 

Administrator Role Separation (ARS) is an RODC feature that you can use to delegate the ability to administer an RODC to a user or a security group. When you delegate the ability to log on to an RODC to a user or a security group, the user or group is not added to the Domain Admins group and therefore does not have additional rights to perform directory service operations. 

Steps and best practices for setting up ARS 

You can specify a delegated RODC administrator during an RODC installation or after it. To specify the delegated RODC administrator after installation, you can use either of the following options: 

Modify the Managed By tab of the RODC account properties in the Active Directory Users and Computers snap-in, as shown in the following figure. You can click Change to change which security principal is the delegated RODC administrator. You can choose only one security principal. Specify a security group rather than an individual user so you can control RODC administration permissions most efficiently. This method changes the managedBy attribute of the computer object that corresponds to the RODC to the SID of the security principal that you specify. This is the recommended way to specify the delegated RODC administrator account because the information is stored in AD DS, where it can be centrally managed by domain administrators. 

Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members from the Administrators group and other built-in groups on the RODC. [See also the second Explanation for more information on how to use dsmgmt.] 

Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab of the RODC account properties. As a result, using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated administrator. 

In addition, if you demote an RODC, any security principal that you specified by using ntdsutil local roles remains stored in the registry of the server. This can be a security concern if you demote an RODC in one domain and then promote it to be an RODC again in a different domain. In that case, the original security principal would have administrative rights on the new RODC in the different domain. 

Explanation 2: http://technet.microsoft.com/en-us/library/cc732301.aspx 

Administrator Role Separation Configuration This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role. 

To configure Administrator Role Separation for an RODC 

Click Start, click Run, type cmd, and then press ENTER. 

At the command prompt, type dsmgmt.exe, and then press ENTER. 

At the DSMGMT prompt, type local roles, and then press ENTER. 

For a list of valid parameters, type ?, and then press ENTER. 

By default, no local administrator role is defined on the RODC after AD DS installation. To add the local administrator role, use the Add parameter. 

Type add <DOMAIN>\<user> <administrative role> 

For example, type add CONTOSO\testuser administrators 
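Added example (PowerShell; not from the TechNet pages above) for Q9: delegating RODC1 the recommended way through managedBy, then listing the registry-only delegation that dsmgmt local roles creates so the two can be reconciled (the case the first explanation warns about). The group name and the parsing of dsmgmt's output are assumptions.

```powershell
Import-Module ActiveDirectory
$rodc  = 'RODC1'
$group = 'RODC1-Admins'        # global group that holds User1 (assumed)

# Recommended path: set managedBy on the RODC's computer object. This is what the
# Managed By tab writes; it replicates, and anyone with ADUC can see who is delegated.
Set-ADComputer -Identity $rodc -ManagedBy (Get-ADGroup -Identity $group).DistinguishedName

# dsmgmt path (option D): the delegation is stored only in RODC1's registry.
# Run this ON the RODC. dsmgmt accepts its menu commands as arguments, so it is
# scriptable; the output is parsed loosely (assumption: one DOMAIN\name per line).
$raw = & dsmgmt.exe 'local roles' 'show role administrators' quit quit 2>&1 | Out-String
$localRoleAdmins = @($raw -split "`r?`n" | Where-Object { $_ -match '^\s*\S+\\\S+\s*$' } | ForEach-Object { $_.Trim() })

# Reconcile: a principal present in the local role but absent from managedBy is the
# delegation that is invisible in ADUC and survives demotion in the registry.
$managedBy = (Get-ADComputer -Identity $rodc -Properties ManagedBy).ManagedBy
[pscustomobject]@{
    RODC            = $rodc
    ManagedBy       = $managedBy
    LocalRoleAdmins = ($localRoleAdmins -join '; ')
}
if ($localRoleAdmins.Count -gt 0 -and -not $managedBy) {
    Write-Warning "$rodc has local role administrators defined with dsmgmt but no Managed By principal; ADUC will not show that it is delegated."
}
# Removing a stale registry-only delegation before demoting the RODC:
#   dsmgmt "local roles" "remove CONTOSO\olduser administrators" quit quit
```

Either route gives User1 only the local Administrators role on RODC1 and nothing in the domain; the difference is where the record lives and who can see it.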

Q10. You need to create a Password Settings object (PSO). 

Which tool should you use? 

A. Active Directory Users and Computers 

B. ADSI Edit 

C. Group Policy Management Console 

D. Ntdsutil 

Answer: B

Explanation: 

http://technet.microsoft.com/en-us/library/cc754461.aspx 

You can create Password Settings objects (PSOs): 

using the Active Directory module for Windows PowerShell 

using ADSI Edit 

using ldifde 
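Added example serving both Q1's ADSI Edit walkthrough (Steps 5 to 20) and Q10: the same PSO built with the Active Directory module for Windows PowerShell, the first option in the list above, applied to a global security group that is kept in sync with an OU (the “shadow group” tip in the tutorial), and verified with the resultant policy. This is not code from the tutorial or from TechNet; the PSO name, group name and OU path are assumptions, and the comments name the msDS-* attributes the ADSI Edit wizard prompts for, in the order of the steps.

```powershell
Import-Module ActiveDirectory

# Prerequisite from the tutorial: PSOs need a Windows Server 2008 domain functional level.
$domain  = Get-ADDomain
$minMode = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $minMode) {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows Server 2008 before creating PSOs."
}

$psoName = 'Engineering-PSO'                                  # assumed names
$group   = 'Engineering-PSO-Users'
$ou      = "OU=Engineering,$($domain.DistinguishedName)"

# One parameter per ADSI Edit prompt (Steps 6-15), same values as the walkthrough.
$psoSettings = @{
    Name                            = $psoName
    Precedence                      = 10                         # msDS-PasswordSettingsPrecedence (Step 6, lower wins)
    ReversibleEncryptionEnabled     = $false                     # msDS-PasswordReversibleEncryptionEnabled (Step 7)
    PasswordHistoryCount            = 24                         # msDS-PasswordHistoryLength (Step 8)
    ComplexityEnabled               = $true                      # msDS-PasswordComplexityEnabled (Step 9)
    MinPasswordLength               = 5                          # msDS-MinimumPasswordLength (Step 10)
    MinPasswordAge                  = New-TimeSpan -Days 1       # msDS-MinimumPasswordAge 1:00:00:00 (Step 11)
    MaxPasswordAge                  = New-TimeSpan -Days 42      # msDS-MaximumPasswordAge 42:00:00:00 (Step 12)
    LockoutThreshold                = 10                         # msDS-LockoutThreshold (Step 13)
    LockoutObservationWindow        = New-TimeSpan -Minutes 30   # msDS-LockoutObservationWindow 0:00:30:00 (Step 14)
    LockoutDuration                 = New-TimeSpan -Minutes 33   # msDS-LockoutDuration 0:00:33:00 (Step 15)
    ProtectedFromAccidentalDeletion = $true
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @psoSettings
}

# Shadow group: a PSO can target only users and global security groups, so mirror the
# OU's users into a global group and re-run this on a schedule (or after moves).
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou
}
$inOu     = @(Get-ADUser -Filter * -SearchBase $ou -SearchScope Subtree | ForEach-Object { $_.DistinguishedName })
$members  = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.DistinguishedName })
$toAdd    = @($inOu    | Where-Object { $members -notcontains $_ })
$toRemove = @($members | Where-Object { $inOu    -notcontains $_ })
if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

# Apply the PSO (this writes msDS-PSOAppliedTo, Steps 18-20) unless already applied.
$applied = @(Get-ADFineGrainedPasswordPolicySubject -Identity $psoName | ForEach-Object { $_.Name })
if ($applied -notcontains $group) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# Verify per user: the resultant policy is what the DC will actually enforce.
$domainDefault = Get-ADDefaultDomainPasswordPolicy
Get-ADUser -Filter * -SearchBase $ou -SearchScope Subtree | ForEach-Object {
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $_
    if ($rsop) { $label = $rsop.Name; $minLen = $rsop.MinPasswordLength }
    else       { $label = '(domain default policy)'; $minLen = $domainDefault.MinPasswordLength }
    [pscustomobject]@{ User = $_.SamAccountName; EffectivePSO = $label; MinLength = $minLen }
}
```

A user who shows “(domain default policy)” after the sync is either outside the OU or in a second PSO with a lower precedence number; Get-ADUserResultantPasswordPolicy resolves that conflict the same way the DC does.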

Q11. Your company has an Active Directory domain. You install a new domain controller in the domain. Twenty users report that they are unable to log on to the domain. 

You need to register the SRV records. 

Which command should you run on the new domain controller? 

A. Run the netsh interface reset command. 

B. Run the ipconfig /flushdns command. 

C. Run the dnscmd /EnlistDirectoryPartition command. 

D. Run the sc stop netlogon command followed by the sc start netlogon command. 

Answer: D

Explanation: 

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62: The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records. 
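Added example (PowerShell; not from the cert guide quoted above) for Q11: checking whether the new domain controller's DC locator SRV record exists and re-registering it through Netlogon when it does not. Domain and DC names are assumptions.

```powershell
$domain = 'contoso.com'
$dc     = 'DC03'          # the newly promoted DC (assumed)

function Get-DcSrvRecords([string]$Domain) {
    # _ldap._tcp.dc._msdcs.<domain> is the record DsGetDcName asks for; if the new DC
    # is missing here, clients never try it and logons fail on the DCs that are left.
    $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | Out-String
    [regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') |
        ForEach-Object { $_.Groups[1].Value.TrimEnd('.').ToLower() }
}

$hosts = @(Get-DcSrvRecords $domain)
if ($hosts -notcontains "$dc.$domain".ToLower()) {
    Write-Warning "$dc has no _ldap._tcp.dc._msdcs SRV record; re-registering."
    # Netlogon registers the records on start. nltest /dsregdns forces the same
    # registration without a restart; option D (sc stop/start netlogon) is the
    # equivalent when the service itself is suspect.
    & nltest /dsregdns | Out-Null
    Start-Sleep -Seconds 5
    $hosts = @(Get-DcSrvRecords $domain)
}
"Domain controllers registered for $domain : $($hosts -join ', ')"
```

If the record is still absent after re-registration, check that the DC's own preferred DNS server accepts secure dynamic updates for the _msdcs zone; Netlogon logs the failure as event 5774 in the System log.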

Q12. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. Auditing is configured to log changes made to the Managed By attribute on group objects in an organizational unit named OU1. 

You need to log changes made to the Description attribute on all group objects in OU1 only. 

What should you do? 

A. Run auditpol.exe. 

B. Modify the auditing entry for OU1. 

C. Modify the auditing entry for the domain. 

D. Create a new Group Policy Object (GPO). Enable Audit account management policy setting. Link the GPO to OU1. 

Answer: B

Explanation: 

http://ithompson.wordpress.com/tag/organizational-unit-move/ 

Do you need to track who/where/when for activities done against the OUs in your AD? With Windows 2003 those were difficult questions to answer; we could get some very basic information from Directory Services Auditing, but it was limited and you had to read through several cryptic events (id 566). With the advanced auditing settings in Windows 2008 R2 you can get some better information (you can do this same thing with Windows 2008 but it has to be done via the command line and applied every time servers restart). I don’t want to bore you with Windows 2003 auditing or the command line options for Windows 2008 domains (if you need them, I will get you the information). So let’s just jump right to using Windows 2008 R2, because we can now apply the advanced auditing settings via Group Policy. 

Now when you turn on the Advanced Audit Policy Configuration you are turning OFF the basic or standard Audit Policies. The Advanced Audit Policy Configuration allows you to control what AD will audit at a more granular level. Now for the focus of this discussion we are only going to talk about setting up auditing for activity on our Domain Controllers; the other systems in your environment will be a different discussion. 

So where do we start so that we can answer our question at the top of this discussion? First, turn on the correct auditing. Open up Group Policy Management Editor and drill down as seen in Fig 1. 

For this discussion we are focusing on DS Access and its subcategories. We only want to turn on Audit Directory Service Changes, see Fig 2. This category only generates events on domain controllers and is very useful for tracking changes to Active Directory objects that have object level auditing enabled. These events not only tell you what object and property was changed and by whom but also the new value of the affected properties. 

Now that we have step 1 completed, setting up AD for auditing, it’s time to configure WHAT we want to audit. This next step is done via Active Directory Users and Computers. Open up the properties of your AD and drill down to setup the auditing for Create and Delete Organizational Unit objects as seen in Fig 3. 

Now we need to add more granularity so we need to do this process 1 more time and this time instead of checking boxes on the Object tab we are going to check 2 boxes on the Properties tab, see Fig 4. 

Now that our auditing is setup what type of events can we expect to see? 

Here are a few examples: 

In this example (Fig 5), id 5137, we see an OU being created by the Administrator. 

Figure 6 shows a Sub OU being created. 

Figure 7 shows id 5139, an OU being moved. 

Now for the best one, this one comes as a pair of messages – OU rename, part of id 5136. Figure 8 shows the first part of the rename process. 

Figure 9 shows the second part of the rename process. 

Now let’s contrast all of this with an event that is part of the good old standard auditing. Let’s take moving an OU; with the Advanced Auditing we get id 5139 (fig 7), nice and easy to read and understand. Now here is id 4662 that you would get for the same thing with standard auditing, fig 10. 

With standard auditing some of the other items that we looked at would be next to impossible, such as tracking when an OU is renamed, and as you can see from fig 10 the event is hard to read and understand if you did get one. 

Now if your AD is in Mixed Mode (W2k8 and W2k3) you are stuck with standard auditing. 
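Added example (PowerShell; not part of the blog post quoted above) for Q12: the auditing entry on OU1 expressed as an AD SACL scoped to the description attribute of descendant group objects, the policy subcategory it depends on, and the Security-log query for the 5136 events it produces. The OU distinguished name is an assumption; the schema GUIDs are looked up rather than hardcoded.

```powershell
Import-Module ActiveDirectory

# 1. Policy: DS Access > Audit Directory Service Changes (the GPO setting in Fig 2).
#    Without it the SACL below produces nothing. Apply via GPO on DCs; auditpol
#    shows the same switch for a single DC.
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null

# 2. Schema GUIDs for the attribute and the object class, read from the schema NC.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
$descriptionGuid = Get-SchemaGuid 'description'
$groupClassGuid  = Get-SchemaGuid 'group'

# 3. SACL on OU1 (answer B: modify the auditing entry for OU1, not the domain):
#    audit successful WriteProperty of description, inherited to descendant objects
#    of class group only, which is "Descendant Group objects" in the ADUC dialog.
$ouDn = 'OU=OU1,DC=contoso,DC=com'       # assumed
$acl  = Get-Acl -Path "AD:\$ouDn" -Audit
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.NTAccount]'Everyone',
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    $descriptionGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClassGuid)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 4. Detection: 5136 "A directory service object was modified". The XPath keeps only
#    description changes on groups; run on each DC (the event is logged where the write
#    happened) or against a collector. A modify shows up as a value-deleted/value-added pair.
$xpath = @'
*[System[EventID=5136] and
  EventData[Data[@Name='ObjectClass']='group' and
            Data[@Name='AttributeLDAPDisplayName']='description']]
'@
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        if ($d.OperationType -eq '%%14674') { $action = 'value added' } else { $action = 'value deleted' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Who    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Group  = $d.ObjectDN
            Action = $action
            Value  = $d.AttributeValue
        }
    }
```

Scoping the SACL to one attribute and one object class is what keeps the Security log readable; auditing “Write all properties” on the OU floods it with every group membership change as well.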

Q13. Your company security policy requires complex passwords. 

You have a comma delimited file named import.csv that contains user account information. 

You need to create user account in the domain by using the import.csv file. 

You also need to ensure that the new user accounts are set to use default passwords and are disabled. 

What should you do? 

A. Modify the userAccountControl attribute to disabled. Run the csvde -i -k -f import.csv command. Run the DSMOD utility to set default passwords for the user accounts. 

B. Modify the userAccountControl attribute to accounts disabled. Run the csvde -f import.csv command. Run the DSMOD utility to set default passwords for the user accounts. 

C. Modify the userAccountControl attribute to disabled. Run the wscript import.csv command. Run the DSADD utility to set default passwords for the imported user accounts. 

D. Modify the userAccountControl attribute to disabled. Run ldifde -i -f import.csv command. Run the DSADD utility to set passwords for the imported user accounts. 

Answer:

Explanation: 

Personal note: 

The correct command should be: 

csvde -i -k -f import.csv 

http://support.microsoft.com/kb/305144 

How to use the UserAccountControl flags to manipulate user account properties 

When you open the properties for a user account, click the Account tab, and then either select or clear the check boxes in the Account options dialog box, numerical values are assigned to the UserAccountControl attribute. The value that is assigned to the attribute tells Windows which options have been enabled. 

You can view and edit these attributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in. 

The following table lists possible flags that you can assign. You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service. Note that Ldp.exe shows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512). 

http://technet.microsoft.com/en-us/library/cc732101%28v=ws.10%29.aspx 

Csvde 

Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard. 

Syntax: 

Csvde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> {<Password> | *}] [-b <UserName> <Domain> {<Password> | *}] 

Parameters 

-i Specifies import mode. If not specified, the default mode is export. 

-f <FileName> Identifies the import or export file name. 

-k Ignores errors during an import operation and continues processing. 

http://technet.microsoft.com/en-us/library/cc732954%28v=ws.10%29.aspx 

Dsmod user 

Modifies attributes of one or more existing users in the directory. 

Syntax: 

dsmod user <UserDN> ... [-upn <UPN>] [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>] [-empid <EmployeeID>] [-pwd (<Password> | *)] [-desc <Description>] [-office <Office>] [-tel <PhoneNumber>] [-email <E-mailAddress>] [-hometel <HomePhoneNumber>] [-pager <PagerNumber>] [-mobile <CellPhoneNumber>] [-fax <FaxNumber>] [-iptel <IPPhoneNumber>] [-webpg <WebPage>] [-title <Title>] [-dept <Department>] [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDirectory>] [-hmdrv <DriveLetter>:] [-profile <ProfilePath>] [-loscr <ScriptPath>] [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires <NumberOfDays>] [-disabled {yes | no}] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}] 

Parameters 

<UserDN> Required. Specifies the distinguished names of the users that you want to modify. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command. 

-pwd {<Password> | *} Resets the passwords for the users that you want to modify to Password or an asterisk (*). If you type *, AD DS prompts you for a user password. 
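The two-step approach in this explanation (import with csvde, then set passwords with dsmod) hinges on getting the cumulative userAccountControl value right in the CSV, because csvde cannot import passwords and an account that slips in enabled or with PASSWD_NOTREQD set undermines the complex-password policy. The Python below is an added example, not from the exam page or Microsoft: it builds a csvde-ready import file with 514 for every row, audits an import file for those two mistakes, and emits the dsmod lines for the password step. The flag values follow KB 305144; the contoso.com names and sample users are constructed.

```python
"""Build and check a csvde import file for accounts that must start out disabled.

Added example. It only writes and checks the CSV that csvde consumes; the flag
values come from KB 305144 and the dsmod switches from the syntax quoted above.
Sample accounts and the contoso.com names are constructed.
"""
import csv
import io

# userAccountControl bit flags (hex, as Ldp.exe shows them) from KB 305144.
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
}

# Flags are cumulative: a disabled ordinary user is 0x0200 + 0x0002 = 0x0202 = 514.
DISABLED_NORMAL_USER = UAC_FLAGS["NORMAL_ACCOUNT"] | UAC_FLAGS["ACCOUNTDISABLE"]

IMPORT_COLUMNS = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
                  "displayName", "userAccountControl"]


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
            if value & bit]


def build_import_csv(users, ou_dn, upn_suffix):
    """Render csvde import rows; userAccountControl is written in decimal.

    users: iterable of (sAMAccountName, displayName). Every row gets 514 so the
    account is created disabled; passwords are set afterwards with dsmod.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")  # csvde is a Windows tool
    writer.writerow(IMPORT_COLUMNS)
    for sam, display in users:
        writer.writerow([f"CN={display},{ou_dn}", "user", sam,
                         f"{sam}@{upn_suffix}", display, DISABLED_NORMAL_USER])
    return buf.getvalue()


def audit_import_csv(text):
    """Map sAMAccountName -> problems for rows that violate the policy.

    Each row must be a disabled NORMAL_ACCOUNT with PASSWD_NOTREQD clear: with
    that bit set the account may exist with an empty password, which sidesteps
    the complexity policy no matter what dsmod sets later.
    """
    problems = {}
    for row in csv.DictReader(io.StringIO(text)):
        issues = []
        raw = (row.get("userAccountControl") or "").strip()
        try:
            uac = int(raw)
        except ValueError:
            issues.append(f"userAccountControl {raw!r} is not a decimal number")
            uac = 0
        if not uac & UAC_FLAGS["ACCOUNTDISABLE"]:
            issues.append("account would be created enabled")
        if not uac & UAC_FLAGS["NORMAL_ACCOUNT"]:
            issues.append("NORMAL_ACCOUNT flag missing")
        if uac & UAC_FLAGS["PASSWD_NOTREQD"]:
            issues.append("PASSWD_NOTREQD set: account may have an empty password")
        if issues:
            problems[row.get("sAMAccountName", "?")] = issues
    return problems


def dsmod_password_commands(text):
    """One dsmod line per imported DN. '-pwd *' makes dsmod prompt, so the
    password never appears on the command line or in shell history."""
    return [f'dsmod user "{row["DN"]}" -pwd * -mustchpwd yes'
            for row in csv.DictReader(io.StringIO(text))]


# Constructed sample: two good rows from the builder plus one hand-edited bad row
# (544 = 512 + 32: enabled, and no password required).
SAMPLE_CSV = build_import_csv(
    [("alice", "Alice Example"), ("bob", "Bob Example")],
    "OU=Engineering,DC=contoso,DC=com", "contoso.com")
BAD_ROW = ('"CN=Mallet Example,OU=Engineering,DC=contoso,DC=com",user,mallet,'
           'mallet@contoso.com,Mallet Example,544\r\n')

if __name__ == "__main__":
    print(SAMPLE_CSV)
    print(audit_import_csv(SAMPLE_CSV + BAD_ROW))
    print("\n".join(dsmod_password_commands(SAMPLE_CSV)))
```

Run the audit over import.csv before `csvde -i -k -f import.csv`: the `-k` switch keeps the import going past errors, so a wrong flag value in one row will not stop the run, and the account it creates will be live until someone notices.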

Q14. Your company has a main office and five branch offices that are connected by WAN links. The company has an Active Directory domain named contoso.com. 

Each branch office has a member server configured as a DNS server. All branch office DNS servers host a secondary zone for contoso.com. 

You need to configure the contoso.com zone to resolve client queries for at least four days in the event that a WAN link fails. 

What should you do? 

A. Configure the Expires after option for the contoso.com zone to 4 days. 

B. Configure the Retry interval option for the contoso.com zone to 4 days. 

C. Configure the Refresh interval option for the contoso.com zone to 4 days. 

D. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days. 

Answer:

Explanation: 

http://technet.microsoft.com/en-us/library/cc816704%28v=ws.10%29.aspx 

Adjust the Expire Interval for a Zone 

You can use this procedure to adjust the expire interval for a Domain Name System (DNS) zone. Other DNS servers that are configured to load and host the zone use the expire interval to determine when zone data expires if it is not successfully transferred. By default, the expire interval for each zone is set to one day. 

You can complete this procedure using either the DNS Manager snap-in or the dnscmd command-line tool. 

To adjust the expire interval for a zone using the Windows interface 

1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS. 

2. In the console tree, right-click the applicable zone, and then click Properties. 

3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated. 

4. Click the Start of Authority (SOA) tab. 

5. In Expires after, click a time period in minutes, hours, or days, and then type a number in the text box. 

6. Click OK to save the adjusted interval. 
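Of the four SOA values offered in the question, only Expires after decides how long a secondary keeps answering once transfers stop; refresh and retry only govern how often it asks the master, and the minimum TTL is a resolver-side caching value. The Python below is an added example, not from the exam page or Microsoft: it models a secondary's timers in plain arithmetic, applies each answer option to the defaults and reports the days served after a WAN failure. The defaults are the values DNS Manager fills in on the SOA tab for a new zone; the outage scenario is constructed.

```python
"""Which SOA timer keeps a secondary answering while the WAN link is down?

Added example. It models refresh/retry/expire for one secondary in plain
arithmetic; t=0 is the last successful zone transfer and the outage is constructed.
"""
from dataclasses import dataclass, replace

MINUTE, HOUR, DAY = 60, 3600, 86400


@dataclass(frozen=True)
class SoaTimers:
    refresh: int      # how often the secondary asks the master whether the zone changed
    retry: int        # how soon it asks again after a failed refresh
    expire: int       # max age of its copy before it stops answering for the zone
    minimum_ttl: int  # default record TTL for resolvers; not a zone-transfer timer


# Windows Server 2008 DNS Manager defaults for a new zone: 15 min / 10 min / 1 day / 1 hour.
DEFAULT = SoaTimers(refresh=15 * MINUTE, retry=10 * MINUTE, expire=1 * DAY, minimum_ttl=1 * HOUR)


def served_after_outage(timers, outage_start):
    """Seconds the secondary keeps answering after the link drops at outage_start.

    Refresh polls happen at refresh, 2*refresh, ... and succeed while t < outage_start.
    The copy expires `expire` seconds after the last success, whatever retry or TTL say.
    """
    ok_polls = max(0, (outage_start - 1) // timers.refresh)
    last_ok = ok_polls * timers.refresh
    return max(0, last_ok + timers.expire - outage_start)


def worst_case_served(timers):
    """Guaranteed serving time: the link fails just before a refresh would have
    succeeded, so the copy is already `refresh` seconds old when the outage begins."""
    return served_after_outage(timers, timers.refresh)


def timeline(timers, outage_start):
    """Poll-by-poll log from t=0 until the copy expires: list of (seconds, message)."""
    events, last_ok, t = [], 0, timers.refresh
    while True:
        expiry = last_ok + timers.expire
        if t >= expiry:
            events.append((expiry, "zone expired: secondary no longer answers for it"))
            return events
        if t < outage_start:
            last_ok = t
            events.append((t, "refresh succeeded"))
            t += timers.refresh
        else:
            events.append((t, f"refresh failed (link down), retry in {timers.retry}s"))
            t += timers.retry


def compare_options(days=4):
    """Apply each answer option to the defaults; report days served after a link
    failure that happens right after a successful transfer."""
    options = {
        "Expires after": replace(DEFAULT, expire=days * DAY),
        "Retry interval": replace(DEFAULT, retry=days * DAY),
        "Refresh interval": replace(DEFAULT, refresh=days * DAY),
        "Minimum (default) TTL": replace(DEFAULT, minimum_ttl=days * DAY),
    }
    return {name: served_after_outage(t, 0) / DAY for name, t in options.items()}


if __name__ == "__main__":
    for name, d in compare_options().items():
        print(f"{name:22s} -> {d:.2f} days")
    four_day = replace(DEFAULT, expire=4 * DAY)
    print(f"guaranteed with expire=4d: {worst_case_served(four_day) / DAY:.2f} days")
    for when, msg in timeline(DEFAULT, 1 * HOUR)[:6]:
        print(when, msg)
```

worst_case_served shows the caveat a branch-office design should allow for: the expire clock runs from the last successful transfer, not from the moment the link fails, so the copy may already be up to one refresh interval old when the outage starts.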

Q15. Your company network has an Active Directory forest that has one parent domain and one child domain. The child domain has two domain controllers that run Windows Server 2008. All user accounts from the child domain are migrated to the parent domain. The child domain is scheduled to be decommissioned. 

You need to remove the child domain from the Active Directory forest. 

What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) 

A. Run the Computer Management console to stop the Domain Controller service on both domain controllers in the child domain. 

B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationship between the parent domain and the child domain. 

C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory domain services role. 

D. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain. 

Answer: C,D 

Explanation: 

http://technet.microsoft.com/en-us/library/cc755937%28v=ws.10%29.aspx 

Decommissioning a Domain Controller 

To complete this task, perform the following procedures: 

1. View the current operations master role holders 

2. Transfer the schema master 

3. Transfer the domain naming master 

4. Transfer the domain-level operations master roles 

5. Determine whether a domain controller is a global catalog server 

6. Verify DNS registration and functionality 

7. Verify communication with other domain controllers 

8. Verify the availability of the operations masters 

9. If the domain controller hosts encrypted documents, perform the following procedure before you remove Active Directory to ensure that the encrypted files can be recovered after Active Directory is removed: Export a certificate with the private key 

10. Uninstall Active Directory 

11. If the domain controller hosts encrypted documents and you backed up the certificate and private key before you remove Active Directory, perform the following procedure to re-import the certificate to the server: Import a certificate 

12. Determine whether a Server object has child objects 

13. Delete a Server object from a site 

http://technet.microsoft.com/en-us/library/cc737258%28v=ws.10%29.aspx 

Uninstall Active Directory 

To uninstall Active Directory 

1. Click Start, click Run, type dcpromo and then click OK. 
