Q1. Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2. DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the zone. DC2 hosts a standard secondary DNS zone for the domain.
You need to configure DNS to allow only secure dynamic updates.
What should you do first?
A. On DC1 and DC2, configure a trust anchor.
B. On DC1 and DC2, configure a connection security rule.
C. On DC1, configure the zone transfer settings.
D. On DC1, configure the zone to be stored in Active Directory.
Answer: D
Explanation:
http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/
Configuring DNS Server for Secure Only Dynamic Updates

About Dynamic Updates
During the installation of Active Directory Domain Services on Windows Server 2008 R2, the installation process automatically installs the DNS server on the computer, in case it does not already exist in the network. After the successful installation of Active Directory Domain Services, the DNS server is by default configured to automatically update the records of only the domain client computers as soon as it receives the registration request from them. This automatic update of DNS records in the DNS database is technically known as 'Dynamic Updates'.

Types of DNS Updates
Dynamic updates that the DNS server in Windows Server 2008 R2 supports include:
Nonsecure and Secure – When this type of dynamic update is selected, any computer can send a registration request to the DNS server. The DNS server in return automatically adds the record of the requesting computer to the DNS database, even if the computer does not belong to the same DNS domain. Although this configuration remarkably reduces administrative overhead, this setting is not recommended for organizations that have highly sensitive information on their computers.
Secure only – When this type of dynamic update is selected, only computers that are members of the DNS domain can register themselves with the DNS server. The DNS server automatically rejects requests from computers that do not belong to the domain. This protects the DNS server from getting automatically populated with records of unwanted, suspicious and/or fake computers.
None – When this option is selected, the DNS server does not accept any registration request from any computer whatsoever. In such cases, DNS administrators must manually add the IP addresses and the Fully Qualified Domain Names (FQDNs) of the client computers to the DNS database.

In most production environments, systems administrators configure Secure Only dynamic updates for DNS. This remarkably reduces the security risks by allowing only authentic domain client computers to register themselves with the DNS server automatically, and decreases the administrative overhead at the same time. However, in some scenarios administrators choose to have a non-Active Directory integrated zone to stay compliant with the policies of the organization. This configuration is not recommended because it does not allow administrators to configure the DNS server for Secure only updates, and it does not allow the DNS database to be replicated automatically to the other DNS servers along with the Active Directory replication process. When a DNS zone is not Active Directory integrated, DNS database replication must be performed manually by the administrators (zone transfers).

Configure Secure Only Dynamic Updates in Windows Server 2008 R2 DNS Server
To configure Secure Only dynamic DNS updates in Windows Server 2008 R2, administrators must follow the steps given below:
1. Log on to the Windows Server 2008 R2 DNS server on which 'Secure only' dynamic updates are to be configured, using a domain admin or enterprise admin account.
2. On the desktop screen, click Start.
3. From the Start menu, go to Administrative Tools > DNS.
4. In the DNS Manager snap-in, from the console tree on the left, double-click to expand the DNS server name.
5. From the expanded list, double-click Forward Lookup Zones.
6. From the displayed zones list, right-click the DNS zone on which secure only dynamic updates are to be configured.
7. From the displayed context menu, click Properties.
8. In the zone's properties box, make sure that the General tab is selected.
9. On the selected tab, choose the Secure only option from the Dynamic updates drop-down list.
Note: The Secure only option is available only if the DNS zone is Active Directory integrated. This is why the zone must be converted to an Active Directory-integrated zone first (answer D); a standard secondary zone such as the one on DC2 cannot accept dynamic updates at all.
(Screenshot: Secure Only Dynamic Update)
10. Click OK to apply the changes.
11. Close the DNS Manager snap-in when done.
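The same procedure from the command line, as an added example that is not part of the original page. It assumes the zone is named contoso.com, that it is run on DC1, and that the DnsServer PowerShell module (Windows Server 2012 or later) is available; the dnscmd.exe equivalents for Windows Server 2008 R2 are given in comments.

```powershell
# Added example (not from the original page). Converts DC1's standard primary zone to an
# Active Directory-integrated zone, then restricts it to secure dynamic updates.
# Assumptions: zone 'contoso.com', run on DC1, DnsServer module present (WS2012+).
Import-Module DnsServer

$zone = 'contoso.com'

# Step 1 ("do first"): store the zone in AD DS. After this, DC2 receives the zone through
# AD replication, so its standard secondary copy should be removed rather than kept.
# 2008 R2 equivalent:  dnscmd DC1 /ZoneResetType contoso.com /DsPrimary
ConvertTo-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -Force

# Step 2: allow only secure dynamic updates.
# dnscmd AllowUpdate values: 0 = none, 1 = nonsecure and secure, 2 = secure only
# 2008 R2 equivalent:  dnscmd DC1 /Config contoso.com /AllowUpdate 2
Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure

# Verify. A file-backed zone cannot report DynamicUpdate = Secure, so IsDsIntegrated must be
# True for the second step to have taken effect.
# 2008 R2 equivalent:  dnscmd DC1 /ZoneInfo contoso.com
Get-DnsServerZone -Name $zone |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate
```

Removing the secondary zone on DC2 is a deliberate step: once the zone lives in the directory partition, leaving a stale file-backed secondary on a domain controller only invites answering from an out-of-date copy.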
Q2. Your company has an Active Directory domain. All consultants belong to a global group named TempWorkers.
The TempWorkers group is not nested in any other groups.
You move the computer objects of three file servers to a new organizational unit named SecureServers. These file servers contain only confidential data in shared folders.
You need to prevent members of the TempWorkers group from accessing the confidential data on the file servers.
You must achieve this goal without affecting access to other domain resources.
What should you do?
A. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to this computer from the network user right to the TempWorkers global group.
B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers global group.
C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group.
D. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on locally user right to the TempWorkers global group.
Answer: A
Explanation:
Personal comment:
Basically, you need to create a GPO for the Secure Servers and deny the TempWorkers access to the shared folders (implies access from the network).
"Deny log on locally" makes no sense in this instance, because we are referring to shared folders and supposedly physical access to servers should be highly restricted.
And best practices recommend that you link GPOs at the domain level only for domain wide purposes.
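A check to run on one of the SecureServers members after the GPO has applied, added here as an example and not part of the original answer. It exports the local user-rights assignments with secedit and confirms that TempWorkers holds "Deny access to this computer from the network" (SeDenyNetworkLogonRight) and nothing more. Domain name CONTOSO and group name TempWorkers are assumed.

```powershell
# Added example (not from the original page). Verifies on a file server that the GPO from
# answer A applied the right user right to the right group and did not also deny local logon.
# Assumed names: domain CONTOSO, group TempWorkers. Run after: gpupdate /force
$group = 'CONTOSO\TempWorkers'
$sid   = (New-Object System.Security.Principal.NTAccount($group)).
            Translate([System.Security.Principal.SecurityIdentifier]).Value

# secedit writes user rights as comma-separated SIDs prefixed with '*', e.g.
#   SeDenyNetworkLogonRight = *S-1-5-21-...-1105,*S-1-5-32-546
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $cfg
Remove-Item -Path $cfg -Force

function Get-RightMembers {
    param([string]$Right)
    $line = $lines | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

$denyNetwork = Get-RightMembers -Right 'SeDenyNetworkLogonRight'     # Deny access from the network
$denyLocal   = Get-RightMembers -Right 'SeDenyInteractiveLogonRight' # Deny log on locally

if ($denyNetwork -contains $sid) {
    "OK: $group is denied network access to $env:COMPUTERNAME (SMB shares included)"
} else {
    "MISSING: $group is not in SeDenyNetworkLogonRight on $env:COMPUTERNAME"
}
if ($denyLocal -contains $sid) {
    "NOTE: $group is also denied local logon here; the scenario does not require that"
}

# To confirm the right came from the SecureServers GPO and not from local policy:
#   gpresult /scope computer /r      (see "Applied Group Policy Objects")
```

Deny rights are evaluated before allow rights, so membership in TempWorkers blocks SMB access to the shares even if the NTFS and share permissions would otherwise allow it; that is what makes option A a targeted fix rather than a permission clean-up on every share.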
Q3. You want users to log on to Active Directory by using a new user principal name (UPN).
You need to modify the UPN suffix for all user accounts.
Which tool should you use?
A. Dsmod
B. Netdom
C. Redirusr
D. Active Directory Domains and Trusts
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc732954%28v=ws.10%29.aspx
Dsmod user
dsmod user <UserDN ...> -upn <UPN>
Specifies the user principal name (UPN) of the user that you want to modify, for example, Linda@widgets.contoso.com.
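A bulk version of the change, added as an example that is not part of the original answer. dsmod user operates on the distinguished names you pass it, so for "all user accounts" a loop is needed; the example below uses the ActiveDirectory PowerShell module for that and shows the equivalent dsmod call in a comment. It also adds the suffix to the forest first, because a UPN suffix that is not registered in Active Directory Domains and Trusts cannot be used for logon. Old suffix contoso.local and new suffix contoso.com are assumed.

```powershell
# Added example (not from the original page). Adds a new UPN suffix to the forest and rewrites
# the UPN of every user still using the old one. Assumed: old suffix contoso.local, new suffix
# contoso.com; ActiveDirectory module available (RSAT or a domain controller).
Import-Module ActiveDirectory

$oldSuffix = 'contoso.local'
$newSuffix = 'contoso.com'

# The suffix must exist at the forest level (Active Directory Domains and Trusts >
# Alternative UPN suffixes) before users can log on with it.
Set-ADForest -Identity (Get-ADForest) -UPNSuffixes @{ Add = $newSuffix }

# Rewrite each user's UPN as <sAMAccountName>@<new suffix>. Per-user dsmod equivalent:
#   dsmod user "CN=Linda,OU=Sales,DC=contoso,DC=local" -upn linda@contoso.com
# -WhatIf shows the planned changes; remove it to apply them.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$oldSuffix'" -Properties UserPrincipalName
foreach ($u in $users) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $newSuffix
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}

# Verify that nothing is left on the old suffix (expected: 0 after applying).
(Get-ADUser -Filter "UserPrincipalName -like '*@$oldSuffix'" | Measure-Object).Count
```

UPNs must be unique across the forest; if two domains in the forest both have a user named linda, the second Set-ADUser fails rather than silently creating a duplicate, which is the behaviour you want.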
Q4. Active Directory Rights Management Services (AD RMS) is deployed on your network.
You need to configure AD RMS to use Kerberos authentication.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Register a service principal name (SPN) for AD RMS.
B. Register a service connection point (SCP) for AD RMS.
C. Configure the identity setting of the _DRMSAppPool1 application pool.
D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase.
Answer: A,D
Explanation:
http://technet.microsoft.com/en-us/library/dd759186.aspx
If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures:
Set the Internet Information Services (IIS) useAppPoolCredentials variable to True
Set the Service Principal Names (SPN) value for the AD RMS service account
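The two steps from the TechNet procedure as commands, added as an example that is not part of the original page. It assumes the AD RMS service account is CONTOSO\svc_adrms, the cluster URL host name is rms.contoso.com, and AD RMS was installed under "Default Web Site". Option C is not part of the procedure, so the application pool identity is left as it was set during provisioning.

```powershell
# Added example (not from the original page). Answer A: register the HTTP SPNs for the cluster
# name on the AD RMS service account. Answer D: set useAppPoolCredentials on the AD RMS
# virtual directory. Assumed: account CONTOSO\svc_adrms, host rms.contoso.com, Default Web Site.
$svcAccount = 'CONTOSO\svc_adrms'
$rmsHost    = 'rms.contoso.com'
$rmsShort   = $rmsHost.Split('.')[0]

# setspn -S checks the forest for a duplicate before adding. A duplicate SPN means the KDC
# issues tickets for the wrong account and Kerberos to AD RMS fails, so do not use -A here.
setspn -S "HTTP/$rmsHost"  $svcAccount
setspn -S "HTTP/$rmsShort" $svcAccount
setspn -L $svcAccount

# Without useAppPoolCredentials, IIS decrypts Kerberos tickets with the machine account,
# but the SPN above belongs to the service account, so the ticket cannot be decrypted.
$appcmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$section = 'system.webServer/security/authentication/windowsAuthentication'
& $appcmd set config 'Default Web Site/_wmcs' "-section:$section" /useAppPoolCredentials:true /commit:apphost

# Verify the setting, then recycle IIS so the change is picked up.
& $appcmd list config 'Default Web Site/_wmcs' "-section:$section"
iisreset
```

If you later rename the cluster URL, the SPNs have to follow it; a stale HTTP/ SPN on the account is the most common reason Kerberos silently falls back to NTLM for AD RMS.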
Q5. Your network contains two standalone servers named Server1 and Server2 that have Active Directory Lightweight Directory Services (AD LDS) installed.
Server1 has an AD LDS instance.
You need to ensure that you can replicate the instance from Server1 to Server2.
What should you do on both servers?
A. Obtain a server certificate.
B. Import the MS-User.ldf file.
C. Create a service user account for AD LDS.
D. Register the service location (SRV) resource records.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc794857%28v=ws.10%29.aspx
Administering AD LDS Instances
Each AD LDS instance runs as an independent—and separately administered—service on a computer. You can configure the account under which an AD LDS instance runs, stop and restart an AD LDS instance, and change the AD LDS instance service display name and service description. In addition, you can enable Secure Sockets Layer (SSL) connections in AD LDS by installing certificates.
In Active Directory environments, each AD LDS instance attempts to create a Service Principal Name (SPN) object in the directory to be used for replication authentication. Depending on the network environment into which you install AD LDS, you may have to create SPNs manually.

AD LDS service account
The service account that an AD LDS instance uses determines the access that the AD LDS instance has on the local computer and on other computers in the network. AD LDS instances also use the service account to authenticate other AD LDS instances in their configuration set, to ensure replication security. You determine the AD LDS service account during AD LDS installation.
Q6. Your network contains a server named Server1 that runs Windows Server 2008 R2.
On Server1, you create an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1.
You connect to Instance1 by using ADSI Edit.
You run the Create Object wizard and you discover that there is no User object class. You need to ensure that you can create user objects in Instance1.
What should you do?
A. Run the AD LDS Setup Wizard.
B. Modify the schema of Instance1.
C. Modify the properties of the Instance1 service.
D. Install the Remote Server Administration Tools (RSAT).
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc772194.aspx
To create users in AD LDS, you must first import the optional user classes that are provided with AD LDS into the AD LDS schema. These user classes are provided in importable .ldf files, which you can find in the directory %windir%\ADAM on the computer where AD LDS is installed. The user, inetOrgPerson, and OrganizationalPerson object classes are not available until you import the AD LDS user class definitions into the schema.
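The schema import itself, added as an example that is not part of the original page. It assumes Instance1 listens on port 389 on the local server (adjust -s for another port) and uses ldifde's #schemaNamingContext substitution so the placeholder DN inside the .ldf files is replaced with the instance's real schema naming context.

```powershell
# Added example (not from the original page). Imports the optional user classes into the
# schema of an AD LDS instance and verifies that the 'user' class is now present.
# Assumed: the instance listens on localhost:389.
$server = 'localhost:389'
$ldfDir = Join-Path $env:windir 'ADAM'

# MS-User.ldf must go first; MS-InetOrgPerson.ldf builds on it. MS-UserProxy.ldf adds the
# userProxy class used for bind redirection to AD DS and is optional.
foreach ($ldf in 'MS-User.ldf', 'MS-InetOrgPerson.ldf', 'MS-UserProxy.ldf') {
    $path = Join-Path $ldfDir $ldf
    if (-not (Test-Path -Path $path)) { Write-Warning "Not found: $path"; continue }
    # -i import, -k skip "already exists" errors (safe to re-run), -j log directory,
    # -c replaces the placeholder DN with the value of RootDSE.schemaNamingContext
    ldifde -i -f $path -s $server -k -j $env:TEMP -c 'CN=Schema,CN=Configuration,DC=X' '#schemaNamingContext'
}

# Verify by searching this instance's schema partition for the class definition.
$rootDse = [ADSI]"LDAP://$server/RootDSE"
$schema  = [ADSI]"LDAP://$server/$($rootDse.schemaNamingContext)"
$search  = New-Object System.DirectoryServices.DirectorySearcher(
               $schema, '(&(objectClass=classSchema)(lDAPDisplayName=user))')
if ($search.FindOne()) { 'user class present: Create Object wizard will now offer User' }
else                   { 'user class still missing: check the ldifde log in $env:TEMP' }
```

The log written by -j is the place to look when the import reports errors; a failed import leaves the schema partially extended, which is why re-running with -k is the supported recovery path.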
Q7. Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD CS) is configured as a standalone Certification Authority (CA) on the server.
You need to audit changes to the CA configuration settings and the CA security settings.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure auditing in the Certification Authority snap-in.
B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%\CertSrv directory.
C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.
D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate Services (AD CS) server.
Answer: A,D
Explanation:
http://technet.microsoft.com/en-us/library/cc772451.aspx
Configure CA Event Auditing
You can audit a variety of events relating to the management and activities of a certification authority (CA):
Back up and restore the CA database.
Change the CA configuration.
Change CA security settings.
Issue and manage certificate requests.
Revoke certificates and publish certificate revocation lists (CRLs).
Store and retrieve archived keys.
Start and stop Active Directory Certificate Services (AD CS).
To configure CA event auditing
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. On the Auditing tab, click the events that you want to audit, and then click OK.
5. On the Action menu, point to All Tasks, and then click Stop Service.
6. On the Action menu, point to All Tasks, and then click Start Service.
Additional considerations
To audit events, the computer must also be configured for auditing of object access. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies.
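The same two tasks from the command line, added as an example that is not part of the original page. The CA's audit filter is a bitmask stored under the CA registry key, so the value below selects exactly the two classes the question asks for; the subcategory name used with auditpol is the Windows Server 2008 R2 granular form of Audit object access for certificate services. Run it on the standalone CA.

```powershell
# Added example (not from the original page). Task A via certutil, task D via auditpol, then
# the CA restart that the snap-in procedure requires. Run on the CA server.
# CA\AuditFilter bits: 1 start/stop, 2 backup/restore, 4 issue/manage requests,
# 8 revoke/publish CRLs, 16 change CA configuration, 32 change CA security settings,
# 64 store/retrieve archived keys. 127 audits everything.
$auditFilter = 16 + 32          # configuration changes + security setting changes

certutil -setreg CA\AuditFilter $auditFilter

# Task D: the CA only writes its audit events if object access auditing is enabled. On 2008 R2
# the relevant subcategory of Audit object access is "Certification Services".
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# The CA reads AuditFilter at start-up (steps 5 and 6 of the procedure).
Restart-Service -Name CertSvc

# Verify the filter and look for recent CA audit events in the Security log:
#   4882 security permissions changed, 4885 audit filter changed,
#   4891 configuration entry changed, 4892 property changed
certutil -getreg CA\AuditFilter
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4882, 4885, 4891, 4892 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Changing the audit filter is itself audited (4885), so the first event you should see after the restart is the record of this configuration change; if it is absent, the auditpol step did not take effect.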
Q8. Your network contains an Active Directory domain. All domain controllers run Windows Server 2003.
You replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise the functional level of the domain to Windows Server 2008 R2.
You need to minimize the amount of SYSVOL replication traffic on the network.
What should you do?
A. Raise the functional level of the forest to Windows Server 2008 R2.
B. Modify the path of the SYSVOL folder on all of the domain controllers.
C. On a global catalog server, run repadmin.exe and specify the KCC parameter.
D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run dfsrmig.exe.
Answer: D
Explanation:
Now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functional level has been upgraded to Windows Server 2008 R2 we can use DFS Replication for replicating SYSVOL, instead of File Replication Service (FRS) of previous Windows Server versions. The migration takes place on a domain controller holding the PDC Emulator role.
Explanation 1: http://technet.microsoft.com/en-us/library/cc794837.aspx
Using DFS Replication for replicating SYSVOL in Windows Server 2008
DFS Replication technology significantly improves replication of SYSVOL. In Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2, FRS is used to replicate the contents of the SYSVOL share.
When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated.
Explanation 2:
http://technet.microsoft.com/en-us/library/dd639809.aspx
Migrating to the Prepared State
The following sections provide an overview of the procedures that you perform when you migrate SYSVOL replication from File Replication Service (FRS) to Distributed File System Replication (DFS Replication).
This migration phase includes the tasks in the following list:
Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Prepared state.
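The full migration, added as an example that is not part of the original page. It runs on the PDC emulator and advances the global state only after every domain controller reports having reached the current one, because the last step (Eliminated) cannot be rolled back. Domain name contoso.com is assumed.

```powershell
# Added example (not from the original page). FRS-to-DFSR SYSVOL migration on the PDC emulator.
# Global states: 0 Start, 1 Prepared, 2 Redirected, 3 Eliminated. Assumed domain: contoso.com.
Import-Module ActiveDirectory
$domain = Get-ADDomain -Identity 'contoso.com'

# Preconditions: domain functional level Windows Server 2008 or higher, and run this on the PDC.
"Domain mode: $($domain.DomainMode)   PDC emulator: $($domain.PDCEmulator)"
if ($domain.PDCEmulator -notlike "$env:COMPUTERNAME.*") {
    throw "Run this on the PDC emulator ($($domain.PDCEmulator))"
}

function Wait-DfsrMigrationState {
    param([string]$StateName)
    # dfsrmig /GetMigrationState prints "All Domain Controllers have migrated successfully to
    # Global state ('<StateName>')" once every DC is there; poll until that line appears.
    do {
        repadmin /syncall /AdeP | Out-Null     # push the state change out instead of waiting
        Start-Sleep -Seconds 60
        $out = (dfsrmig /GetMigrationState) -join "`n"
    } until ($out -match "(?i)migrated successfully to .*\('$StateName'\)")
    Write-Host $out
}

dfsrmig /SetGlobalState 1   # Prepared: DFSR builds SYSVOL_DFSR next to SYSVOL; FRS still authoritative
Wait-DfsrMigrationState -StateName 'Prepared'

dfsrmig /SetGlobalState 2   # Redirected: the SYSVOL share now points at SYSVOL_DFSR
Wait-DfsrMigrationState -StateName 'Redirected'

dfsrmig /SetGlobalState 3   # Eliminated: FRS removed from SYSVOL; no rollback from here
Wait-DfsrMigrationState -StateName 'Eliminated'

# Verify: global state 3, DFSR running, NtFrs no longer replicating SYSVOL.
dfsrmig /GetGlobalState
Get-Service -Name DFSR, NtFrs -ErrorAction SilentlyContinue | Select-Object Name, Status
```

States 1 and 2 can be reverted with dfsrmig /SetGlobalState 0 or 1 if replication problems show up; that is the reason for stopping between states rather than issuing /SetGlobalState 3 directly.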
Q9. Your company network has an Active Directory forest that has one parent domain and one child domain. The child domain has two domain controllers that run Windows Server 2008. All user accounts from the child domain are migrated to the parent domain. The child domain is scheduled to be decommissioned.
You need to remove the child domain from the Active Directory forest.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Run the Computer Management console to stop the Domain Controller service on both domain controllers in the child domain.
B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationship between the parent domain and the child domain.
C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory domain services role.
D. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain.
Answer: C,D
Explanation:
http://technet.microsoft.com/en-us/library/cc755937%28v=ws.10%29.aspx
Decommissioning a Domain Controller
To complete this task, perform the following procedures:
1. View the current operations master role holders
2. Transfer the schema master
3. Transfer the domain naming master
4. Transfer the domain-level operations master roles
5. Determine whether a domain controller is a global catalog server
6. Verify DNS registration and functionality
7. Verify communication with other domain controllers
8. Verify the availability of the operations masters
9. If the domain controller hosts encrypted documents, perform the following procedure before you remove Active Directory to ensure that the encrypted files can be recovered after Active Directory is removed: Export a certificate with the private key
10. Uninstall Active Directory
11. If the domain controller hosts encrypted documents and you backed up the certificate and private key before you removed Active Directory, perform the following procedure to re-import the certificate to the server: Import a certificate
12. Determine whether a Server object has child objects
13. Delete a Server object from a site
http://technet.microsoft.com/en-us/library/cc737258%28v=ws.10%29.aspx
Uninstall Active Directory
To uninstall Active Directory
1. Click Start, click Run, type dcpromo and then click OK.
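An unattended demotion (answer D), added as an example that is not part of the original page. The answer file is generated per domain controller and then deleted, since it carries plaintext passwords. The intended order is: demote the first child-domain DC as an ordinary DC, then run the script again with -LastDcInDomain on the remaining one, which removes the child domain from the forest. Credential prompts and the file path are assumptions.

```powershell
# Added example (not from the original page). Builds a dcpromo demotion answer file on the DC
# being demoted and runs dcpromo /unattend with it. Use -LastDcInDomain only on the last DC.
param([switch]$LastDcInDomain)

$cred = Get-Credential -Message 'Enterprise Admins account (required to remove a domain)'
$localAdminPwd = Read-Host -AsSecureString -Prompt 'Local Administrator password after demotion'
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($localAdminPwd)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$net   = $cred.GetNetworkCredential()
$last  = if ($LastDcInDomain) { 'Yes' } else { 'No' }

# [DCInstall] keys: IsLastDCInDomain removes the domain itself; RemoveApplicationPartitions is
# required then because DNS application partitions would otherwise block the demotion.
$answer = @"
[DCInstall]
UserName=$($net.UserName)
UserDomain=$($net.Domain)
Password=$($net.Password)
AdministratorPassword=$plain
IsLastDCInDomain=$last
RemoveApplicationPartitions=$last
RetainDCMetadata=No
RebootOnCompletion=Yes
"@

$file = Join-Path $env:TEMP 'demote.txt'
Set-Content -Path $file -Value $answer -Encoding ASCII
try {
    dcpromo /unattend:$file
} finally {
    Remove-Item -Path $file -Force    # plaintext credentials; never leave this on disk
}
```

Before running it on the last DC, transfer any forest-level roles it holds (the Decommissioning list above, steps 1 to 4) and confirm that the migrated user accounts in the parent domain no longer reference the child domain's SIDs in group memberships, or those memberships will turn into unresolvable SIDs once the domain is gone.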
Q10. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to capture all replication errors from all domain controllers to a central location.
What should you do?
A. Start the Active Directory Diagnostics data collector set.
B. Start the System Performance data collector set.
C. Install Network Monitor and create a new capture.
D. Configure event log subscriptions.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc748890.aspx
Configure Computers to Forward and Collect Events
Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source).
http://technet.microsoft.com/en-us/library/cc749183.aspx
Event Subscriptions
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers. Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.
Using the event collecting feature requires that you configure both the forwarding and the collecting computers. The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process.
http://technet.microsoft.com/en-us/library/cc961808.aspx Replication Issues
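A subscription that does what the question asks, added as an example that is not part of the original page: a source-initiated subscription on the collector that gathers critical and error events from the Directory Service log of every domain controller. The collector name COLLECTOR.contoso.com and the event filter (provider Microsoft-Windows-ActiveDirectory_DomainService, levels 1 and 2) are assumptions; the filter can be widened, for instance to the DFS Replication log. Allowed sources are restricted to the Domain Controllers group (SDDL alias DD) so that a member server cannot feed events into the collector.

```powershell
# Added example (not from the original page). Registers a source-initiated event subscription
# on the collector for AD replication errors from all domain controllers.
# Assumed: collector COLLECTOR.contoso.com; query filter chosen for this example.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AD-Replication-Errors</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Critical and error events from the Directory Service log of every DC</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Directory Service">
        <Select Path="Directory Service">*[System[Provider[@Name='Microsoft-Windows-ActiveDirectory_DomainService'] and (Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@

# Collector side: enable Wecsvc (wecutil qc) and create the subscription from the XML.
wecutil qc /q
$xml = Join-Path $env:TEMP 'ad-replication-errors.xml'
Set-Content -Path $xml -Value $subscription -Encoding UTF8
wecutil cs $xml
Remove-Item -Path $xml -Force
wecutil gr AD-Replication-Errors        # per-source runtime status once DCs check in

# Source side (each DC), normally delivered by a GPO linked to the Domain Controllers OU:
#   winrm quickconfig -q
#   Computer Configuration > Administrative Templates > Windows Components > Event Forwarding >
#   Configure target Subscription Manager:
#     Server=http://COLLECTOR.contoso.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
#   The forwarding runs as NETWORK SERVICE, which must be able to read the Directory Service
#   log (add it to Event Log Readers or to the log's channel access SDDL).

# Forwarded events arrive in the collector's ForwardedEvents log:
Get-WinEvent -LogName ForwardedEvents -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id, Message
```

A source-initiated subscription is preferred over a collector-initiated one here because the collector does not need credentials on the DCs; each DC pushes over WinRM with its own machine account, and the SDDL on the subscription decides who is allowed to push.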
Q11. Your network contains a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2.
You need to enable the Active Directory Recycle Bin.
What should you use?
A. the Dsmod tool
B. the Enable-ADOptionalFeature cmdlet
C. the Ntdsutil tool
D. the Set-ADDomainMode cmdlet
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/dd379481.aspx
Enabling Active Directory Recycle Bin
After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods:
Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)
Ldp.exe
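The recommended method, added as an example that is not part of the original page. It checks the forest functional level first, enables the feature (which cannot be disabled again), and shows how a deleted object is found and restored afterwards. Forest name contoso.com and the sample user name are assumptions.

```powershell
# Added example (not from the original page). Enables the AD Recycle Bin with
# Enable-ADOptionalFeature after verifying the forest functional level.
# Assumed forest: contoso.com.
Import-Module ActiveDirectory
$forest = Get-ADForest -Identity 'contoso.com'

# ADForestMode values are ordered: Windows2008R2Forest is the minimum for the Recycle Bin.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest mode is $($forest.ForestMode); raise it with Set-ADForestMode first."
}

$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -eq 0) {
    # Irreversible: once enabled, the feature cannot be turned off for this forest.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
                             -Target $forest.Name -Confirm:$false
} else {
    "Recycle Bin already enabled in: $($feature.EnabledScopes -join ', ')"
}

# Deleted objects now keep their attributes and group memberships for the deleted-object
# lifetime (default 180 days). Locate and restore one (remove -WhatIf to perform it):
Get-ADObject -Filter 'isDeleted -eq $true -and name -like "Linda*"' -IncludeDeletedObjects |
    Restore-ADObject -WhatIf
```

Objects deleted before the feature was enabled are tombstones, not recycled objects, and cannot be fully restored this way; the Recycle Bin protects only deletions that happen after it is turned on.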
Q12. Your network contains an Active Directory domain named contoso.com.
You need to audit changes to a service account. The solution must ensure that the audit logs contain the before and after values of all the changes.
Which security policy setting should you configure?
A. Audit Sensitive Privilege Use
B. Audit User Account Management
C. Audit Directory Service Changes
D. Audit Other Account Management Events
Answer: C
Explanation:
Explanation 1: http://technet.microsoft.com/en-us/library/dd772641.aspx
Audit Directory Service Changes
This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).
Explanation 2: http://technet.microsoft.com/en-us/library/cc731607.aspx
AD DS Auditing Step-by-Step Guide
This guide includes a description of the new Active Directory Domain Services (AD DS) auditing feature in Windows Server 2008. With the new auditing feature, you can log events that show old and new values; for example, you can show that Joe's favorite drink changed from single latte to triple-shot latte.
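The policy setting alone produces nothing: Directory Service Changes events are only generated for objects whose SACL requests auditing. The example below, added here and not part of the original page, enables the subcategory, puts the SACL on the service account, and reads back the resulting 5136 events, which carry the old and new values as a pair. Account name svc_app in contoso.com is an assumption.

```powershell
# Added example (not from the original page). Enables Directory Service Changes auditing,
# adds an audit SACL to a service account, and decodes the before/after (5136) events.
# Assumed account: svc_app. Run on a domain controller with the ActiveDirectory module.
Import-Module ActiveDirectory
auditpol /set /subcategory:"Directory Service Changes" /success:enable

$dn  = (Get-ADUser -Identity 'svc_app').DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"

# Audit successful property and DACL writes by anyone (Everyone, S-1-1-0).
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
            [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
            $everyone, $rights, [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$dn" -AclObject $acl

# Each attribute change yields two 5136 events on the DC that wrote it: one "Value Deleted"
# (old value) and one "Value Added" (new value). OperationType is a %%-resource id in the raw
# XML; the rendered Message shows the text.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($dn) } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Attribute = $d.AttributeLDAPDisplayName
            Operation = $d.OperationType
            Value     = $d.AttributeValue
        }
    }
```

Audit User Account Management (option B) records that the account was changed and by whom, but its events do not carry attribute values, which is why it does not satisfy the "before and after values" requirement.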
Q13. Your company hires 10 new employees.
You want the new employees to connect to the main office through a VPN connection.
You create new user accounts and grant the new employees the Allow Read and Allow Execute permissions to shared resources in the main office.
The new employees are unable to access shared resources in the main office.
You need to ensure that users are able to establish a VPN connection to the main office.
What should you do?
A. Grant the new employees the Allow Access Dial-in permission.
B. Grant the new employees the Allow Full control permission.
C. Add the new employees to the Remote Desktop Users security group.
D. Add the new employees to the Windows Authorization Access security group.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc738142%28v=ws.10%29.aspx Dial-in properties of a user account The dial-in properties for a user account are: Remote Access Permission (Dial-in or VPN) You can use this property to set remote access permission to be explicitly allowed, denied, or determined through remote access policies. In all cases, remote access policies are used to authorize the connection attempt. If access is explicitly allowed, remote access policy conditions, user account properties, or profile properties can still deny the connection attempt.
Q14. Your company has an Active Directory forest that runs at the functional level of Windows Server 2008.
You implement Active Directory Rights Management Services (AD RMS).
You install Microsoft SQL Server 2005. When you attempt to open the AD RMS administration Web site, you receive the following error message: "SQL Server does not exist or access denied."
You need to open the AD RMS administration Web site.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Restart IIS.
B. Manually delete the Service Connection Point in AD DS and restart AD RMS.
C. Install Message Queuing.
D. Start the MSSQLSVC service.
Answer: A,D
Explanation:
http://technet.microsoft.com/en-us/library/cc747605%28v=ws.10%29.aspx#BKMK_1
RMS Administration Issues
"SQL Server does not exist or access denied" message received when attempting to open the RMS Administration Web site
If you have installed RMS by using a new installation of SQL Server 2005 as your database server, the SQL Server service might not be started. In SQL Server 2005, the MSSQLSERVER service is not configured to automatically start when the server is started. If you have restarted your SQL Server since installing RMS and have not configured this service to automatically restart, RMS will not be able to function and only the RMS Global Administration page will be accessible. After you have started the MSSQLSERVER service, you must restart IIS on each RMS server in the cluster to restore RMS functionality.
Q15. ABC.com has a network that is comprised of a single Active Directory domain.
As an administrator at ABC.com, you install Active Directory Lightweight Directory Services (AD LDS) on a server that runs Windows Server 2008. To enable Secure Sockets Layer (SSL) based connections to the AD LDS server, you install certificates from a trusted Certification Authority (CA) on the AD LDS server and client computers.
Which tool should you use to test the certificate with AD LDS?
A. Ldp.exe
B. Active Directory Domain services
C. ntdsutil.exe
D. Lds.exe
E. wsamain.exe
F. None of the above
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc725767%28v=ws.10%29.aspx
Appendix A: Configuring LDAP over SSL Requirements for AD LDS
The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory Lightweight Directory Services (AD LDS). By default, LDAP traffic is not transmitted securely. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology.
Step 3: Connect to the AD LDS instance over LDAPS using Ldp.exe
To test your server authentication certificate, you can open Ldp.exe on the computer that is running the AD LDS instance and then connect to this AD LDS instance that has the SSL option enabled.
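The same test Ldp.exe performs (Connect with the SSL box checked), scripted so it can be run from a client and report which certificate the instance presented and whether it chains to the trusted CA. This is an added example, not part of the original page; server name ldap01.contoso.com and port 636 are assumptions.

```powershell
# Added example (not from the original page). Opens an LDAPS session to an AD LDS instance
# with System.DirectoryServices.Protocols, validates the server certificate explicitly, and
# reads RootDSE to prove the TLS session works. Assumed: ldap01.contoso.com, port 636.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server = 'ldap01.contoso.com'
$port   = 636

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $port, $false, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous   # RootDSE is readable anonymously
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $true

# Do not accept the certificate blindly: report it, build the chain against the client's
# trusted roots, and fail the connection if the chain does not build.
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, [System.Security.Cryptography.X509Certificates.X509Certificate]$cert)
    $c2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    Write-Host "Subject : $($c2.Subject)"
    Write-Host "Issuer  : $($c2.Issuer)"
    Write-Host "Expires : $($c2.NotAfter)"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $ok = $chain.Build($c2)
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object { Write-Host "Chain error: $($_.Status) $($_.StatusInformation)" }
    }
    return $ok
}

try {
    $conn.Bind()     # the TLS handshake and the callback above happen here
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
               '', '(objectClass=*)', 'Base', @('configurationNamingContext', 'supportedLDAPVersion'))
    $res = $conn.SendRequest($req)
    $e   = $res.Entries[0]
    "LDAPS OK: configurationNamingContext = $($e.Attributes['configurationNamingContext'][0])"
} catch {
    "LDAPS FAILED: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

Two failure modes this separates that Ldp.exe reports only as "cannot open connection": a certificate whose subject or subject alternative name does not match the host name clients use, and a chain that builds on the server but not on the client because the CA certificate was never installed there. The check in the callback is the same one AD LDS clients perform, so a green result here means the instance, not just the certificate store, is ready for SSL.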