Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. You need to identify all failed logon attempts on the domain controllers.
What should you do?
A. View the Netlogon.log file.
B. View the Security tab on the domain controller computer object.
C. Run Event Viewer.
D. Run the Security and Configuration Wizard.
Answer: C
Explanation:
http://support.microsoft.com/kb/174074 Security Event Descriptions This article contains descriptions of various security-related and auditing- related events, and tips for interpreting them. These events will all appear in the Security event log and will be logged with a source of "Security." Event ID: 529 Type: Failure Audit Description: Logon Failure: Reason: Unknown user name or bad password User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 530 Type: Failure Audit Description: Logon Failure: Reason: Account logon time restriction violation User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 531 Type: Failure Audit Description: Logon Failure: Reason: Account currently disabled User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 532 Type: Failure Audit Description: Logon Failure: Reason: The specified user account has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 533 Type: Failure Audit Description: Logon Failure: Reason: User not allowed to logon at this computer User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 534 Type: Failure Audit Description: Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 535 Type: Failure Audit Description: Logon Failure: Reason: The specified account's password has expired User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 536 Type: Failure Audit Description: Logon Failure: Reason: The NetLogon component is not active User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Event ID: 537 Type: Failure Audit Description: Logon Failure: Reason: An unexpected error occurred during logon User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6
Q2. Your company has an Active Directory domain. A user attempts to log on to a computer that was turned off for twelve weeks. The administrator receives an error message that authentication has failed.
You need to ensure that the user is able to log on to the computer.
What should you do?
A. Run the netsh command with the set and machine options.
B. Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain.
C. Run the netdom TRUST /reset command.
D. Run the Active Directory Users and Computers console to disable, and then enable the computer account.
Answer: B
Explanation:
Q3. You need to receive an e-mail message whenever a domain user account is locked out.
Which tool should you use?
A. Active Directory Administrative Center
B. Event Viewer
C. Resource Monitor
D. Security Configuration Wizard
Answer: B
Explanation:
MS Press - Self-Paced Training Kit (Exam 70-642) (2nd Edition, 2011) page 525 Automatically Responding to Events One of the most useful ways to use Task Scheduler is to launch a task in response to a specific event type that appears in Event Viewer. You can respond to events in three ways: Start A Program - Launches an application. Often, administrators write a script that carries
out a series of tasks that they would otherwise need to manually perform, and automatically
run that script when an event appears.
Send An E-mail - Sends an email by using the Simple Mail Transport Protocol (SMTP)
server you specify.
Often, administrators configure urgent events to be sent to a mobile device.
Display A Message - Displays a dialog box showing a message. This is typically useful only
when a user needs to be notified of something happening on the computer.
To trigger a task when an event occurs, follow one of these three procedures:
Find an example of the event in Event Viewer. Then, right-click the event and click Attach
Task To This Event. A wizard will guide you through the process.
Q4. You create 200 new user accounts. The users are located in six different sites. New users report that they receive the following error message when they try to log on: "The username or password is incorrect." You confirm that the user accounts exist and are enabled. You also confirm that the user name and password information supplied are correct.
You need to identify the cause of the failure. You also need to ensure that the new users are able to log on.
Which utility should you run?
A. Active Directory Domains and Trusts
B. Repadmin
C. Rstools
D. Rsdiag
Answer: B
Explanation: Repadmin allows us to check the replication status and also allows us to
force a replication between domain controllers.
Explanation:
http://technet.microsoft.com/en-us/library/cc770963.aspx
Repadmin /replsummary
Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.
Repadmin /showrepl Displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions.
Repadmin /syncall Synchronizes a specified domain controller with all replication partners.
Q5. You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates.
Users are required to log on to the domain by using a smart card.
Your company's corporate security policy states that when an employee resigns, his ability
to log on to the network must be immediately revoked.
An employee resigns.
You need to immediately prevent the employee from logging on to the domain.
What should you do?
A. Revoke the employee's smart card certificate.
B. Disable the employee's Active Directory account.
C. Publish a new delta certificate revocation list (CRL).
D. Reset the password for the employee's Active Directory account.
Answer: B
Explanation:
http://blog.imanami.com/blog/bid/68864/Delete-or-disable-an-Active-Directory-account-One-best-practice Delete or disable an Active Directory account? One best practice. I was recently talking to a customer about the best practice for deprovisioning a terminated employee in Active Directory. Delete or disable? Microsoft doesn't give the clearest direction on this but common sense does. The case for deleting an account is that, BOOM, no more access. No ifs ands or buts, if there is no account it cannot do anything. The case for disabling an account is that all of the SIDs are still attached to the account and you can bring it back and get the same access right away. And then the reason for MSFT's lack of direction came into play. Individual needs of the customer. This particular customer is a public school system and they often lay off an employee and have to re-hire them the next month or semester. They need that account back.
Q6. Your network contains an Active Directory forest.
You add an additional user principal name (UPN) suffix to the forest.
You need to modify the UPN suffix of all users. You want to achieve this goal by using the minimum amount of administrative effort.
What should you use?
A. the Active Directory Domains and Trusts console
B. the Active Directory Users and Computers console
C. the Csvde tool
D. the Ldifde tool
Answer: D
Q7. You need to ensure that users who enter three successive invalid passwords within 5 minutes are locked out for 5 minutes.
Which three actions should you perform? (Each correct answer presents part of the solution.
Choose three.)
A. Set the Minimum password age setting to one day.
B. Set the Maximum password age setting to one day.
C. Set the Account lockout duration setting to 5 minutes.
D. Set the Reset account lockout counter after setting to 5 minutes.
E. Set the Account lockout threshold setting to 3 invalid logon attempts.
F. Set the Enforce password history setting to 3 passswords remembered.
Answer: C,D,E
Explanation:
C:\Documents and Settings\usernwz1\Desktop\1.PNG
Q8. Your network contains an Active Directory forest. The forest contains two domain controllers. The domain controllers are configured as shown in the following table.
All client computers run Windows 7.
You need to ensure that all client computers in the domain keep the same time as an external time server.
What should you do?
A. From DC1, run the time command.
B. From DC2, run the time command.
C. From DC1, run the w32tm.exe command.
D. From DC2, run the w32tm.exe command.
Answer: D
Explanation:
Explanation 1: http://technet.microsoft.com/en-us/library/cc816748.aspx
Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain The domain controller in the forest root domain that holds the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role is the default time source for the domain hierarchy of time sources in the forest. Explanation 2: http://technet.microsoft.com/en-us/library/cc773263.aspx Windows Time Service Tools and Settings Most domain member computers have a time client type of NT5DS, which means that they synchronize time from the domain hierarchy. The only typical exception to this is the domain controller that functions as the primary domain controller (PDC) emulator operations master of the forest root domain, which is usually configured to synchronize time with an external time source.
W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service. W32tm.exe is the preferred command line tool for configuring, monitoring, or troubleshooting the Windows Time service.
Q9. Your network consists of an Active Directory forest that contains two domains. All servers run Windows Server 2008 R2. All domain controllers are configured as DNS Servers.
You have a standard primary zone for dev.contoso.com that is stored on a member server.
You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone.
What should you do?
A. On the member server, create a stub zone.
B. On the member server, create a NS record for each domain controller.
C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the forest.
D. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the domain.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc730756.aspx Understanding Forwarders
A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network. The following figure illustrates how external name queries are directed with forwarders.
C:\Documents and Settings\usernwz1\Desktop\1.PNG
Conditional forwarders A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. Further information:
http://technet.microsoft.com/en-us/library/cc794735%28v=ws.10%29.aspx Assign a Conditional Forwarder for a Domain Name http://technet.microsoft.com/en-us/library/cc754941.aspx Configure a DNS Server to Use Forwarders
Q10. Your network contains an Active Directory domain.
You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA).
You have a client computer named Computer1 that runs Windows 7.
You enable automatic certificate enrollment for all client computers that run Windows 7.
You need to verify that the Windows 7 client computers can automatically enroll for certificates.
Which command should you run on Computer1?
A. certreq.exe retrieve
B. certreq.exe submit
C. certutil.exe getkey
D. certutil.exe pulse
Answer: D
Explanation:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/795f209d-b056-4de8-8dcf-7c7f80529aab/
What does "certutil -pulse" command do?
Certutil -pulse will initiate autoenrollment requests.
It is equivalent to doing the following in the CertMgr.msc console (in Vista and Windows 7)
Right-click Certificates , point to All Tasks , click Automatically Enroll and Retrieve
Certificates.
The command does require that
-any autoenrollment GPO settings have already been applied to the target user or computer
-a certificate template enables Read, Enroll and Autoenroll permissions for the user or a global or universal group containing the user
-The group membership is recognized in the users Token (they have logged on after the membership was added http://technet.microsoft.com/library/cc732443.aspx Certutil Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains. When certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. When cerutil is run on a non-certification authority, the command defaults to running the certutil -dump verb. Verbs The following table describes the verbs that can be used with the certutil command. pulse Pulse auto enrollment events
Q11. Your network contains three Active Directory forests named Forest1, Forest2, and Forest3. Each forest contains three domains. A two-way forest trust exists between Forest1 and Forest2. A two-way forest trust exists between Forest2 andForest3.
You need to configure the forests to meet the following requirements:
. Users in Forest3 must be able to access resources in Forest1
. Users in Forest1 must be able to access resources in Forest3.
. The number of trusts must be minimized.
What should you do?
A. In Forest2, modify the name suffix routing settings.
B. In Forest1 and Forest3, configure selective authentication.
C. In Forest1 and Forest3, modify the name suffix routing settings.
D. Create a two-way forest trust between Forest1 and Forest3.
E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3.
Answer: D
Explanation:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, December 14 2012) page
639:
Forest Trusts
(...)
You can specify whether the forest trust is one-way, incoming or outgoing, or two-way. As mentioned earlier, a forest trust is transitive, allowing all domains in a trusting forest to trust all domains in a trusted forest. However, forest trusts are not themselves transitive. For example, if the tailspintoys.com forest trusts the worldwideimporters .com forest, and the worldwideimporters.com forest trusts the northwindtraders.com forest, those two trust relationships do not allow the tailspintoys.com forest to trust the northwindtraders.com forest. If you want those two forests to trust each other, you must create a specific forest trust between them.
Q12. HOTSPOT
Your network contains an Active Directory domain named contoso.com.
You need to view which password setting object is applied to a user.
Which filter option in Attribute Editor should you enable? To answer, select the appropriate
filter option in the answer area.
Answer:
Q13. Your company has a single Active Directory domain named intranet.contoso.com. All domain controllers run Windows Server 2008 R2. The domain functional level is Windows 2000 native and the forest functional level is Windows 2000.
You need to ensure the UPN suffix for contoso.com is available for user accounts.
What should you do first?
A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.
B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.
C. Add the new UPN suffix to the forest.
D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to contoso.com.
Answer: C
Explanation:
http://support.microsoft.com/kb/243629
HOW TO: Add UPN Suffixes to a Forest
Adding a UPN Suffix to a Forest
Open Active Directory Domains and Trusts.
Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties.
On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the forrest. Click Add, and then click OK.
Now when you add users to the forest, you can select the new UPN suffix to complete the user's logon name.
APPLIES TO
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Q14. Your company has an Active Directory forest. The company has branch offices in three locations. Each location has an organizational unit.
You need to ensure that the branch office administrators are able to create and apply GPOs only to their respective organizational units.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators.
B. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.
C. Modify the Managed By tab in each organizational unit to add the branch office administrators to their respective organizational units.
D. Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the branch office administrators.
Answer: A,B
Explanation:
Q15. Your company has a main office and a branch office. The main office contains two domain controllers.
You create an Active Directory site named BranchOfficeSite.
You deploy a domain controller in the branch office, and then add the domain controller to the BranchOfficeSite site.
You discover that users in the branch office are randomly authenticated by either the domain controller in the branch office or the domain controllers in the main office.
You need to ensure that the users in the branch office always attempt to authenticate to the domain controller in the branch office first.
What should you do?
A. Create organizational units (OUs).
B. Create Active Directory subnet objects.
C. Modify the slow link detection threshold.
D. Modify the Location attribute of the computer objects.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc754697.aspx Understanding Sites, Subnets, and Site Links Sites overview Sites in AD DS represent the physical structure, or topology, of your network. AD DS uses network topology information, which is stored in the directory as site, subnet, and site link objects, to build the most efficient replication topology. The replication topology itself consists of the set of connection objects that enable inbound replication from a source domain controller to the destination domain controller that stores the connection object. The Knowledge Consistency Checker (KCC) creates these connection objects automatically on each domain controller.
Associating sites and subnets A subnet object in AD DS groups neighboring computers in much the same way that postal codes group neighboring postal addresses. By associating a site with one or more subnets, you assign a set of IP addresses to the site. Note The term "subnet" in AD DS does not have the strict networking definition of the set of all addresses behind a single router. The only requirement for an AD DS subnet is that the address prefix conforms to the IP version 4 (IPv4) or IP version 6 (IPv6) format. When you add the Active Directory Domain Services server role to create the first domain controller in a forest, a default site (Default-First-Site-Name) is created in AD DS. As long as this site is the only site in the directory, all domain controllers that you add to the forest are assigned to this site. However, if your forest will have multiple sites, you must create subnets that assign IP addresses to Default-First-Site-Name as well as to all additional sites.
Locating domain controllers by site Domain controllers register service (SRV) resource records in Domain Name System (DNS) that identify their site names. Domain controllers also register host (A) resource records in DNS that identify their IP addresses. When a client requests a domain controller, it provides its site name to DNS. DNS uses the site name to locate a domain controller in that site (or in the next closest site to the client). DNS then provides the IP address of the domain controller to the client for the purpose of connecting to the domain controller. For this reason, it is important to ensure that the IP address that you assign to a domain controller maps to a subnet that is associated with the site of the respective server object. Otherwise, when a client requests a domain controller, the IP address that is returned might be the IP address of a domain controller in a distant site. When a client connects to a distant site, the result can be slow performance and unnecessary traffic on expensive WAN links.