Q1. Your company has a single Active Directory domain. All domain controllers run Windows Server 2003.
You install Windows Server 2008 R2 on a server.
You need to add the new server as a domain controller in your domain.
What should you do first?
A. On a domain controller run adprep /rodcprep.
B. On the new server, run dcpromo /adv.
C. On the new server, run dcpromo /createdcaccount.
D. On a domain controller, run adprep /forestprep.
Answer: D
Explanation:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9931e32f-6302-40f0-a7a1-2598a96cd0c1/ DC promotion and adprep/forestprep
Q: I've tried to dcpromo a new Windows 2008 server installation to be a Domain Controller, running in an existing domain. I am informed that, first, I must run adprep /forestprep ("To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep /forestprep". The Adprep utility is available on the Windows Server 2008 installation media in the Windows\sources\adprep folder").
A1: You can run adprep from an existing Windows Server 2003 domain controller. Copy the contents of the \sources\adprep folder from the Windows Server 2008 installation DVD to the schema master role holder and run Adprep from there.
A2: to introduce the first W2K8 DC within an AD forest....
(1) no AD forest exists yet:
--> on the stand alone server execute: DCPROMO
--> and provide the information needed
(2) a W2K or W2K3 AD forest already exists:
--> ADPREP /Forestprep on the w2k/w2k3 schema master (both w2k/w2k3 forests)
--> ADPREP /rodcprep on the w2k3 domain master (only w2k3 forests)
--> ADPREP /domainprep on the w2k3 infrastructure master (only w2k3 domains)
--> ADPREP /domainprep /gpprep on the w2k infrastructure master (only w2k domains)
--> on the stand alone server execute: DCPROMO
--> and provide the information needed
Q2. Your network contains an Active Directory domain named contoso.com. You run nslookup.exe as shown in the following Command Prompt window.
You need to ensure that you can use Nslookup to list all of the service location (SRV) resource records for contoso.com.
What should you modify?
A. the root hints of the DNS server
B. the security settings of the zone
C. the Windows Firewall settings on the DNS server
D. the zone transfer settings of the zone
Answer: D
Explanation:
http://www.c3.hu/docs/oreilly/tcpip/dnsbind/ch11_07.htm
11.7 Troubleshooting nslookup Problems
11.7.4 Query Refused
Refused queries can cause problems at startup, and they can cause lookup failures during a session. Here's what it looks like when nslookup exits on startup because of a refused query:
    % nslookup
    *** Can't find server name for address 192.249.249.3: Query refused
    *** Default servers are not available
    %
This one has two possible causes. Either your name server does not support inverse queries (older nslookups only), or zone security is stopping the lookup. Zone security is not limited to causing nslookup to fail to start up. It can also cause lookups and zone transfers to fail in the middle of a session when you point nslookup to a remote name server. This is what you will see:
    % nslookup
    Default Server: hp.com
    Address: 15.255.152.4
    > server terminator.movie.edu
    Default Server: terminator.movie.edu
    Address: 192.249.249.3
    > carrie.movie.edu.
    Server: terminator.movie.edu
    Address: 192.249.249.3
    *** terminator.movie.edu can't find carrie.movie.edu.: Query refused
    > ls movie.edu - This attempts a zone transfer
    [terminator.movie.edu]
    *** Can't list domain movie.edu: Query refused
Q3. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. The Active Directory Federation Services (AD FS) role is installed on Server1. Contoso.com is defined as an account store.
A partner company has a Web-based application that uses AD FS authentication. The partner company plans to provide users from contoso.com access to the Web application.
You need to configure AD FS on contoso.com to allow contoso.com users to be authenticated by the partner company.
What should you create on Server1?
A. a new application
B. a resource partner
C. an account partner
D. an organization claim
Answer: D
Explanation:
Since the account store has already been configured, what needs to be done is to use the account store to map an AD DS global security group to an organization claim (called group claim extraction). So that's what we need to create for authentication: an organization claim.
Creating a resource/account partner is part of setting up the Federation Trust.
Explanation 1: http://technet.microsoft.com/en-us/library/dd378957.aspx
Configuring the Federation Servers [All the steps for setting up an AD FS environment are listed in an extensive step-by-step guide, too long to post here.]
Explanation 2: http://technet.microsoft.com/en-us/library/cc732147.aspx
Add an AD DS Account Store
If user and computer accounts that require access to a resource that is protected by Active Directory Federation Services (AD FS) are stored in Active Directory Domain Services (AD DS), you must add AD DS as an account store on a federation server in the Federation Service that authenticates the accounts.
Explanation 3: http://technet.microsoft.com/en-us/library/cc731719.aspx
Map an Organization Group Claim to an AD DS Group (Group Claim Extraction)
When you use Active Directory Domain Services (AD DS) as the Active Directory Federation Services (AD FS) account store for an account Federation Service, you map an organization group claim to a security group in AD DS. This mapping is called a group claim extraction.
Q4. Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in each forest.
You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest.
What should you do?
A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.
B. Create an external trust from nwtraders.com to contoso.com.
C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.
D. Create an external trust from contoso.com to nwtraders.com.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/hh311036.aspx
Using AD RMS trust
It is not necessary to create trust or federation relationships between the Active Directory forests of organizations to be able to share rights-protected information between separate organizations. AD RMS provides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust.
Q5. Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has the Active Directory Federation Services (AD FS) Federation Service role service installed.
You plan to deploy AD FS 2.0 on Server2.
You need to export the token-signing certificate from Server1, and then import the certificate to Server2.
Which format should you use to export the certificate?
A. Base-64 encoded X.509 (.cer)
B. Cryptographic Message Syntax Standard PKCS #7 (.p7b)
C. DER encoded binary X.509 (.cer)
D. Personal Information Exchange PKCS #12 (.pfx)
Answer: D
Explanation:
Explanation 1: http://technet.microsoft.com/en-us/library/ff678038.aspx
Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0
If the AD FS 1.x Federation Service has a token-signing certificate that was issued by a trusted certification authority (CA) and you want to reuse it, you will have to export it from AD FS 1.x.
[The site also provides a link to instructions on how to export the token-signing certificate. That link points to the site mentioned in Explanation 2.]
Explanation 2: http://technet.microsoft.com/en-us/library/cc784075.aspx
Export the private key portion of a token-signing certificate
To export the private key of a token-signing certificate:
1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
2. Right-click Federation Service, and then click Properties.
3. On the General tab, click View.
4. In the Certificate dialog box, click the Details tab.
5. On the Details tab, click Copy to File.
6. On the Welcome to the Certificate Export Wizard page, click Next.
7. On the Export Private Key page, select Yes, export the private key, and then click Next.
8. On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX), and then click Next.
(...)
Q6. You have an existing Active Directory site named Site1. You create a new Active Directory site and name it Site2.
You need to configure Active Directory replication between Site1 and Site2. You install a new domain controller.
You create the site link between Site1 and Site2.
What should you do next?
A. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new domain controller object to Site2.
B. Use the Active Directory Sites and Services console to configure a new site link bridge object.
C. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2.
D. Use the Active Directory Sites and Services console to configure the new domain controller as a preferred bridgehead server for Site1.
Answer: A
Explanation:
http://www.enterprisenetworkingplanet.com/netsysm/article.php/624411/Intersite-eplication.htm
Inter-site Replication
The process of creating a custom site link has five basic steps:
1. Create the site link.
2. Configure the site link's associated attributes.
3. Create site link bridges.
4. Configure connection objects. (This step is optional.)
5. Designate a preferred bridgehead server. (This step is optional)
http://technet.microsoft.com/en-us/library/cc759160%28v=ws.10%29.aspx
Replication between sites
Q7. Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllers named DC3 and DC4. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2003. Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day.
At 07:00, an administrator deletes a user account while he is logged on to DC1.
You need to restore the deleted user account. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. On DC1, run the Restore-ADObject cmdlet.
B. On DC3, run the Restore-ADObject cmdlet.
C. On DC1, stop Active Directory Domain Services, restore the System State, and then start Active Directory Domain Services.
D. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active Directory Domain Services.
Answer: D
Explanation:
We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and you can only use Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the question text it says "The functional level of the forest is Windows Server 2003." See http://technet.microsoft.com/nl-nl/library/dd379481.aspx
Performing an authoritative restore on DC3 updates the Update Sequence Number (USN) on that DC, which causes it to replicate the restored user account to other DCs.
Explanation 1: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012), page 692
An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers.
Explanation 2: http://technet.microsoft.com/en-us/library/cc755296.aspx
Authoritative restore of AD DS has the following requirements: You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete.
Q8. Your network consists of an Active Directory forest that contains one domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have an Active Directory-integrated zone.
You have two Active Directory sites. Each site contains five domain controllers.
You add a new NS record to the zone.
You need to ensure that all domain controllers immediately receive the new NS record.
What should you do?
A. From the DNS Manager console, reload the zone.
B. From the DNS Manager console, increase the version number of the SOA record.
C. From the command prompt, run repadmin /syncall.
D. From the Services snap-in, restart the DNS Server service.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc835086%28v=ws.10%29.aspx
Repadmin /syncall
Synchronizes a specified domain controller with all of its replication partners.
http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/
How to force replication of Domain Controllers
From time to time it's necessary to kick off AD replication to speed up a task you may be doing, or just a good tool to check the status of replication between DCs. Below is a command to replicate from a specified DC to all other DCs.
    Repadmin /syncall DC_name /Aped
By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it in one step, not many, and with the benefit of seeing immediate results on how the operations are proceeding.
If I am running it on the DC itself, I don’t even have to specify the server name.
Q9. You have a domain controller named Server1 that runs Windows Server 2008 R2.
You need to determine the size of the Active Directory database on Server1.
What should you do?
A. Run the Active Directory Sizer tool.
B. Run the Active Directory Diagnostics data collector set.
C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.
D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc961761.aspx
Directory Data Store
Active Directory data is stored in the Ntds.dit ESE database file. Two copies of Ntds.dit are present in separate locations on a given domain controller:
%SystemRoot%\NTDS\Ntds.dit - This file stores the database that is in use on the domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data).
%SystemRoot%\System32\Ntds.dit - This file is the distribution copy of the default directory that is used when you promote a Windows 2000-based computer to a domain controller. The availability of this file allows you to run the Active Directory Installation Wizard (Dcpromo.exe) without your having to use the Windows 2000 Server operating system CD. During the promotion process, Ntds.dit is copied from the %SystemRoot%\System32 directory into the %SystemRoot%\NTDS directory. Active Directory is then started from this new copy of the file, and replication updates the file from other domain controllers.
Q10. Your network contains an Active Directory domain. All servers run Windows Server 2008 R2.
You need to audit the deletion of registry keys on each server.
What should you do?
A. From Audit Policy, modify the Object Access settings and the Process Tracking settings.
B. From Audit Policy, modify the System Events settings and the Privilege Use settings.
C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking settings.
D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object Access Auditing settings.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/dd408940.aspx
Advanced Security Audit Policy Step-by-Step Guide
A global object access audit policy can be used to enforce object access audit policy for a computer, file share, or registry.
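An added example (mine, not from the page or Microsoft's documentation) showing the local, command-line equivalent of answer D: the Object Access > Registry subcategory plus a Global Object Access Auditing SACL for registry keys, followed by a query that pulls the resulting deletion events out of the Security log. Assumptions: run elevated on Windows Server 2008 R2 or later, and the Get-RegistryKeyDeletion function name is mine.

```powershell
# Added example, not from the page. Run in an elevated PowerShell session.
# Assumption: /access:DE (standard DELETE right) is accepted by auditpol /resourceSACL;
# drop the /access switch to audit every access type instead.

# 1. The Object Access > Registry subcategory must be enabled, or no key events are logged.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# 2. Global Object Access Auditing: one computer-wide SACL that applies to every registry
#    key, so no per-key SACL has to be set. Here: audit DELETE attempts by anyone.
auditpol /resourceSACL /set /type:Key /user:Everyone /success /failure /access:DE

# Show the global SACL that is now in force for registry keys.
auditpol /resourceSACL /type:Key /view

# 3. Detection: event 4663 ("An attempt was made to access an object") with ObjectType "Key"
#    and the DELETE bit (0x10000) in AccessMask; a following 4660 ("An object was deleted")
#    with the same HandleId confirms the key really was removed.
function Get-RegistryKeyDeletion {
    param([int]$MaxEvents = 500)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # AccessMask is logged as a hex string such as 0x10000; [int] parses the 0x prefix.
        if ($d.ObjectType -eq 'Key' -and (([int]$d.AccessMask) -band 0x10000)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process = $d.ProcessName
                Key     = $d.ObjectName
                Handle  = $d.HandleId
            }
        }
      }
}

Get-RegistryKeyDeletion | Format-Table -AutoSize
```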
Q11. Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com.
You have a custom attribute named Attribute1 in Active Directory. Attribute1 is associated to User objects.
You need to ensure that Attribute1 is replicated to the global catalog.
What should you do?
A. In Active Directory Sites and Services, configure the NTDS Settings.
B. In Active Directory Sites and Services, configure the universal group membership caching.
C. From the Active Directory Schema snap-in, modify the properties of the User class schema object.
D. From the Active Directory Schema snap-in, modify the properties of the Attribute1 class schema attribute.
Answer: D
Explanation:
http://www.tech-faq.com/the-global-catalog-server.html
The Global Catalog Server
The Global Catalog (GC) is an important component in Active Directory because it serves as the central information store of the Active Directory objects located in domains and forests. Because the GC maintains a list of the Active Directory objects in domains and forests without actually including all information on the objects and it is used when users search for Active Directory objects or for specific attributes of an object, the GC improves network performance and provides maximum accessibility to Active Directory objects.
How to Include Additional Attributes in the GC
The number of attributes in the GC affects GC replication. The more attributes the GC servers have to replicate, the more network traffic GC replication creates. Default attributes are included in the GC when Active Directory is first deployed. The Active Directory Schema snap-in can be used to add any additional attribute to the GC. Because the snap-in is by default not included in the Administrative Tools Menu, users have to add it to the MMC before it can be used to customize the GC.
To add the Active Directory Schema snap-in in the MMC:
1. Click Start, Run, and enter cmd in the Run dialog box. Press Enter.
2. Enter the following at the command prompt: regsvr32 schmmgmt.dll.
3. Click OK to acknowledge that the dll was successfully registered.
4. Click Start, Run, and enter mmc in the Run dialog box.
5. When the MMC opens, select Add/Remove Snap-in from the File menu.
6. In the Add/Remove Snap-in dialog box, click Add then add the Active Directory Schema snap-in from the Add Standalone Snap-in dialog box.
7. Close all open dialog boxes.
To include additional attributes in the GC:
1. Open the Active Directory Schema snap-in.
2. In the console tree, expand the Attributes container, right-click an attribute, and click Properties from the shortcut menu.
3. Additional attributes are added on the General tab.
4. Ensure that the Replicate this attribute to the Global Catalog checkbox is enabled.
5. Click OK.
Q12. Your company, Datum Corporation, has a single Active Directory domain named intranet.adatum.com. The domain has two domain controllers that run the Windows Server 2008 R2 operating system. The domain controllers also run DNS servers.
The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the Dynamic updates setting configured to Secure only.
A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated only by domain controllers or member servers.
You need to configure the intranet.adatum.com zone to meet the new security policy requirement.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zone properties.
B. Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNS zone properties.
C. Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of the intranet.adatum.com DNS zone properties.
D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tab of the intranet.adatum.com DNS zone properties.
Answer: A,D
Explanation:
http://www.advicehow.com/managing-dns-dynamic-updates-in-windows-server-2008-r2/
Managing DNS Dynamic Updates in Windows Server 2008 R2
What Is DNS Dynamic Update? When a DNS server is installed in a network, during the installation administrators can configure it to accept dynamic updates of client records. Dynamic updates means that DNS client computers can automatically register their names along with their IP addresses in the DNS server. When this happens the DNS server automatically creates a Host (A) record for that client computer that contains the hostname of the client and its associated IP address. Also, during the installation of the DNS server administrators can choose an option according to which the DNS server should not automatically update its records, and in this condition administrators must manually create Host (A) records in the DNS database.
http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-Security-Part2.html
DNS Security (Part 2): DNS Security Steps Prior to Deploying DNSSEC
In this article, then, we'll take a look at the details of the following preliminary steps you can take to help secure your Windows DNS infrastructure:
- Decide who can resolve Internet host names
- Don't co-locate internal and external zones
- Lock down the DNS cache
- Enable recursion only where needed
- Restrict DNS servers to listen on specific addresses
- Consider using a private root hints file
- Randomize your DNS source ports
- Be aware of the Global Query Block List
- Limit zone transfers
- Take advantage of Active Directory integrated zone security
Take advantage of Active Directory integrated zone security
Active Directory integrated zones enable you to secure the registration of resource records when dynamic name registration is enabled. Members of the Active Directory domain can register their resource records dynamically while non-domain members will be unable to register their names. You can also use discretionary access control lists (DACLs) to control which computers are able to register or change their addressing information. The figure below shows how you configure secure dynamic updates.
http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/ Configuring DNS Server for Secure Only Dynamic Updates
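An added example (mine, not from the page or any of the sites it quotes) that verifies the zone's DACL against the policy behind answers A and D: it lists every principal that may create child objects (that is, register records) on the zone object and flags whether Authenticated Users is still among them. Assumptions: the ActiveDirectory PowerShell module is available (it is on a Windows Server 2008 R2 domain controller), and the zone is stored in the DomainDnsZones partition; $zoneDn is my assumption and must be adjusted for a zone with a forest-wide or domain-partition replication scope.

```powershell
# Added example, not from the page. Reads the DACL of an AD-integrated zone object
# and reports who can still register records after secure-only dynamic updates are
# locked down to server computer accounts.
Import-Module ActiveDirectory

$zoneName = 'intranet.adatum.com'
$domainDn = (Get-ADDomain).DistinguishedName

# Assumption: zone replicated to "all DNS servers in this domain" (DomainDnsZones).
# For "all DNS servers in the forest" use DC=ForestDnsZones,<forest root DN> instead.
$zoneDn = "DC=$zoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"

function Get-ZoneRecordCreators {
    param([string]$ZoneDn)
    $acl = Get-Acl -Path "AD:\$ZoneDn"
    # CreateChild on the zone object is what lets a principal add new dnsNode records;
    # GenericAll implies it. Deny ACEs are excluded because they do not grant anything.
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match 'CreateChild|GenericAll' } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

$creators = Get-ZoneRecordCreators -ZoneDn $zoneDn
$creators | Format-Table -AutoSize

# Policy check: after answer A, Authenticated Users must no longer hold Create Child.
$authUsers = $creators | Where-Object { $_.IdentityReference -like '*Authenticated Users*' }
if ($authUsers) {
    Write-Warning "Authenticated Users can still create records in $zoneName; the policy is not met."
} else {
    Write-Output "OK: only the principals listed above can create records in $zoneName."
}
```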
Q13. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller named DC2 has a standard secondary zone for contoso.com.
You need to ensure that the replication of the contoso.com zone is encrypted.
You must not lose any zone data.
What should you do?
A. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone.
B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.
C. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the secondary zone.
D. On both servers, modify the interface that the DNS server listens on.
Answer: B
Explanation:
Q14. There are 100 servers and 2000 computers present at your company's headquarters.
The DHCP service is installed on a two-node Microsoft failover cluster named CKMFO to ensure the high availability of the service.
The nodes are named as CKMFON1 and CKMFON2.
The cluster on CKMFO has one physical shared disk of 400 GB capacity.
A 200GB single volume is configured on the shared disk.
Company has decided to host a Windows Internet Naming Service (WINS) on CKMFON1.
The DHCP and WINS services will be hosted on other nodes.
Using High Availability Wizard, you begin creating the WINS service group on cluster available on CKMFON1 node.
The wizard shows an error "no disks are available" during configuration.
Which action should you perform to configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1?
A. Backup all data on the single volume on CKMFON1 and configure the disk with GUID partition table and create two volumes. Restore the backed up data on one of the volumes and use the other for WINS service group
B. Add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volume to fix the error in the wizard.
C. Add new physical shared disks to CKMFON1 and CKMFON2. Configure the volumes on these disks and direct CKMFON1 to use the CKMFON2 volume for the WINS service group
D. Add and configure a new volume on the existing shared disk which has 400GB of space. Use this volume to fix the error in the wizard
E. None of the above
Answer: B
Explanation:
http://class10e.com/Microsoft/which-action-should-you-perform-to-configure-storage-volumes-on-ckmfon1-tosuccessfully-add-the-wins-service-group-to-ckmfon1/
To configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1, you need to add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volume to fix the error in the wizard.
This is because a cluster does not use shared storage. A cluster must use a hardware solution based either on shared storage or on replication between nodes.
Q15. Your company asks you to implement Windows Cardspace in the domain.
You want to use Windows Cardspace at your home.
Your home and office computers run Windows Vista Ultimate.
What should you do to create a backup copy of Windows Cardspace cards to be used at home?
A. Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB drive
B. Backup \Windows\Globalization folder by using backup status and save the folder on your USB drive
C. Back up the system state data by using backup status tool on your USB drive
D. Employ Windows Cardspace application to backup the data on your USB drive.
E. Reformat the C: Drive
F. None of the above
Answer: D
Explanation:
http://windows.microsoft.com/en-us/windows7/windows-cardspace-for-itpros#BKMK_HowdoIbackupmycardsortransferthemtoanothercomputer
Windows CardSpace for IT pros
Microsoft Windows CardSpace is a system for creating relationships with websites and online services.
Windows CardSpace provides a consistent way for:
- Sites to request information from you.
- You to review the identity of a site.
- You to manage your information by using Information Cards.
- You to review card information before you send it.
Windows CardSpace can replace the user names and passwords that you use to register with and log on to websites and online services.
15. How do I back up my cards or transfer them to another computer?
Cards are stored on your computer in an encrypted format. To save a backup file containing some or all of your cards or to use a card on a different computer, you can save cards to a backup card file.
To back up your cards:
1. Start Windows CardSpace.
2. View all your cards.
3. In the pane on the right of your screen, click Back up cards.
4. Select the cards that you want to back up.
5. Browse to the folder where you want to save the backup card file, and then give it a name.
When you complete these steps, you save a file containing some or all of your cards. You can copy the backup card file to media such as a Universal Serial Bus (USB) storage device, CD, or other digital media. You can restore the backup card file on this computer or on another computer.
To restore your cards:
1. Save the backup card file to the computer.
2. Browse to the location of the file on the computer.
3. Double-click the file, and then follow the instructions to restore the cards.