Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. Your company has an Active Directory domain.
You log on to the domain controller. The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC).
You need to access the Active Directory Schema snap-in.
What should you do?
A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by using Server Manager.
B. Log off and log on again by using an account that is a member of the Schema Administrators group.
C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the schema for writing.
D. Register Schmmgmt.dll.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc732110.aspx Install the Active Directory Schema Snap-In You can use this procedure to first register the dynamic-link library (DLL) that is required for the Active Directory Schema snap-in. You can then add the snap-in to Microsoft Management Console (MMC). To install the Active Directory Schema snap-in
1. To open an elevated command prompt, click Start, type command prompt and then right-click Command Prompt when it appears in the Start menu. Next, click Run as administrator and then click OK. To open an elevated command prompt in Windows Server 2012, click Start, type cmd, right click cmd and then click Run as administrator.
2. Type the following command, and then press ENTER: regsvr32 schmmgmt.dll
3. Click Start, click Run, type mmc and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. Under Available snap-ins, click Active Directory Schema, click Add and then click OK.
6. To save this console, on the File menu, click Save.
7. In the Save As dialog box, do one of the following:
* To place the snap-in in the Administrative Tools folder, in File name, type a name for the snap-in, and then click Save.
* To save the snap-in to a location other than the Administrative Tools folder, in Save in navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save
Q2. Company has an Active Directory forest with six domains. The company has 5 sites. The company requires a new distributed application that uses a custom application directory partition named ResData for data replication.
The application is installed on one member server in five sites.
You need to configure the five member servers to receive the ResData application directory partition for data replication.
What should you do?
A. Run the Dcpromo utility on the five member servers.
B. Run the Regsvr32 command on the five member servers
C. Run the Webadmin command on the five member servers
D. Run the RacAgent utility on the five member servers
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc732887%28v=ws.10%29.aspx
Dcpromo Syntax dcpromo [/answer[:<filename>] | /unattend[:<filename>] | /unattend | /adv]
/uninstallBinaries [/CreateDCAccount | /UseExistingAccount:Attach] /? /?[:{Promotion |
CreateDCAccount | UseExistingAccount |Demotion}]dcpromo Promotion operation
parameters:
ApplicationPartitionsToReplicate:""
Specifies the application directory partitions that dcpromo will replicate. Use the following
format: "partition1" "partition2" "partitionN"
Use * to replicate all application directory partitions.
Q3. Your company has a main office and a branch office. The company has a single-domain Active Directory forest. The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3.
All domain controllers hold the DNS Server role and are configured as Active Directory-integrated zones. The DNS zones only allow secure updates.
You need to enable dynamic DNS updates on DC3.
What should you do?
A. Run the Dnscmd.exe /ZoneResetType command on DC3.
B. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.
C. Create a custom application directory partition on DC1. Configure the partition to store Active Directoryintegrated zones.
D. Run the Ntdsutil.exe > DS Behavior commands on DC3.
Answer: B
Explanation:
Q4. You need to back up all of the group policies in a domain. The solution must minimize the size of the backup.
What should you use?
A. the Add-WBSystemState cmdlet
B. the Group Policy Management console
C. the Wbadmin tool
D. the Windows Server Backup feature
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc770536.aspx
To back up a Group Policy object
1. In the Group Policy Management Console (GPMC) console tree, open Group Policy Objects in the forest and domain containing the Group Policy object (GPO) to back up.
2. To back up a single GPO, right-click the GPO, and then click Back Up. To back up all GPOs in the domain, right-click Group Policy objects and click Back Up All.
Q5. Your company has an Active Directory domain. The company has purchased 100 new computers. You want to deploy the computers as members of the domain.
You need to create the computer accounts in an OU.
What should you do?
A. Run the csvde -f computers.csv command
B. Run the ldifde -f computers.ldf command
C. Run the dsadd computer <computerdn> command
D. Run the dsmod computer <computerdn> command
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc754539%28v=ws.10%29.aspx Dsadd computer Syntax: dsadd computer <ComputerDN> [-samid <SAMName>] [-desc <Description>] [-loc <Location>] [-memberof <GroupDN ...>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}] Personal comment: you use ldifde and csvde to import and export directory objects to Active Directory http://support.microsoft.com/kb/237677 http://technet.microsoft.com/en-us/library/cc732101%28v=ws.10%29.aspx
Q6. Your network contains an Active Directory forest named contoso.com.
You plan to add a new domain named nwtraders.com to the forest.
All DNS servers are domain controllers.
You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNS servers in the forest.
What should you do?
A. Add the computer accounts of all the domain controllers to the DnsAdmins group.
B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group.
C. Create a standard primary zone on a domain controller in the forest root domain.
D. Create an Active Directory-integrated zone on a domain controller in the forest root domain.
Answer: D
Q7. Your network contains an Active Directory domain named contoso.com. The domain contains the servers shown in the following table.
The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2003.
DNS1 and DNS2 host the contoso.com zone.
All client computers run Windows 7 Enterprise.
You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC.
What should you do first?
A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Upgrade DC1 to Windows Server 2008 R2.
D. Upgrade DNS1 to Windows Server 2008 R2.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/ee683904%28v=ws.10%29.aspx
DNS Security Extensions (DNSSEC)
What are the major changes?
Support for Domain Name System Security Extensions (DNSSEC) is introduced in
Windows Server. 2008 R2 and Windows. 7. With Windows Server 2008 R2 DNS server,
you can now sign and host DNSSECsigned zones to provide security for your DNS
infrastructure.
The following changes are available in DNS server in Windows Server 2008 R2:
Ability to sign a zone and host signed zones.
Support for changes to the DNSSEC protocol.
Support for DNSKEY, RRSIG, NSEC, and DS resource records.
The following changes are available in DNS client in Windows 7:
Ability to indicate knowledge of DNSSEC in queries.
Ability to process the DNSKEY, RRSIG, NSEC, and DS resource records.
Ability to check whether the DNS server with which it communicated has performed
validation on the client’s behalf. The DNS client’s behavior with respect to DNSSEC is controlled through the Name Resolution Policy Table (NRPT), which stores settings that define the DNS client’s behavior. The NRPT is typically managed through Group Policy. What does DNSSEC do? DNSSEC is a suite of extensions that add security to the DNS protocol. The core DNSSEC extensions are specified in RFCs 4033, 4034, and 4035 and add origin authority, data integrity, and authenticated denial of existence to DNS. In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS. In short, DNSSEC allows for a DNS zone and all the records in the zone to be cryptographically signed. When a DNS server hosting a signed zone receives a query, it returns the digital signatures in addition to the records queried for. A resolver or another server can obtain the public key of the public/private key pair and validate that the responses are authentic and have not been tampered with. In order to do so, the resolver or server must be configured with a trust anchor for the signed zone, or for a parent of the signed zone.
Q8. HOTSPOT
Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configured as shown in the following table.
The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server in the forest.
You need to configure DC2 as a global catalog server.
Which object's properties should you modify? To answer, select the appropriate object in the answer area.
Answer:
Q9. Your network contains an Active Directory domain. All domain controllers run Windows Server 2008. The functional level of the domain is Windows Server 2003. All client computers run Windows 7.
You install Windows Server 2008 R2 on a server named Server1.
You need to perform an offline domain join of Server1.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From Server1, run djoin.exe.
B. From Server1, run netdom.exe.
C. From a Windows 7 computer, run djoin.exe.
D. Upgrade one domain controller to Windows Server 2008 R2.
E. Raise the functional level of the domain to Windows Server 2008.
Answer: A,C
Explanation:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218
Offline Domain Join
Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment.
When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup.
Four major steps are required to join a computer to the domain by using offline domain join:
1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain.
2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file.
3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windows directory.
4. When you start or restart the computer, it will be a member of the domain.
Q10. Your company has a main office and five branch offices that are connected by WAN links. The company has an Active Directory domain named contoso.com.
Each branch office has a member server configured as a DNS server. All branch office DNS servers host a secondary zone for contoso.com.
You need to configure the contoso.com zone to resolve client queries for at least four days in the event that a WAN link fails.
What should you do?
A. Configure the Expires after option for the contoso.com zone to 4 days.
B. Configure the Retry interval option for the contoso.com zone to 4 days.
C. Configure the Refresh interval option for the contoso.com zone to 4 days.
D. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc816704%28v=ws.10%29.aspx
Adjust the Expire Interval for a Zone
You can use this procedure to adjust the expire interval for a Domain Name System (DNS)
zone. Other DNS servers that are configured to load and host the zone use the expire
interval to determine when zone data expires if it is not successfully transferred. By default,
the expire interval for each zone is set to one day.
You can complete this procedure using either the DNS Manager snap-in or the dnscmd
command-line tool.
To adjust the expire interval for a zone using the Windows interface
1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
4. Click the Start of Authority (SOA) tab.
5. In Expires after, click a time period in minutes, hours, or days, and then type a number in the text box.
6. Click OK to save the adjusted interval.
Q11. Your company, Contoso Ltd has a main office and a branch office. The offices are
connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.
The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone.
You install a new domain controller named DC2 in the branch office. You install DNS on DC2.
You need to ensure that the DNS service can update records and resolve DNS queries in the event that aWAN link fails.
What should you do?
A. Create a new stub zone named ad.contoso.com on DC2.
B. Create a new standard secondary zone named ad.contoso.com on DC2.
C. Configure the DNS server on DC2 to forward requests to DC1.
D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.
Answer: D
Explanation:
Q12. Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site 1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2 connect to each other by using a slow WAN link.
You discover that the cached password for a user named User1 is compromised on the RODC.
On a domain controller in Site1, you change the password for User1.
You need to replicate the new password for User1 to the RODC immediately. The solution must not replicate other objects to the RODC.
Which tool should you use?
A. Active Directory Sites and Services
B. Active Directory Users and Computers
C. Repadmin
D. Replmon
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc742095.aspx
Repadmin /rodcpwdrepl
Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain controllers (RODCs).
Example:
The following example triggers replication of the passwords for the user account named JaneOh from the source domain controller named source-dc01 to all RODCs that have the name prefix dest-rodc:
repadmin /rodcpwdrepl dest-rodc* source-dc01 cn=JaneOh,ou=execs,dc=contoso,dc=com
Q13. Your company uses shared folders. Users are granted access to the shared folders by using domain local groups. One of the shared folders contains confidential data.
You need to ensure that unauthorized users are not able to access the shared folder that contains confidential data.
What should you do?
A. Enable the Do not trust this computer for delegation property on all the computers of unauthorized users by using the Dsmod utility.
B. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full control permission on the shared folders that hold the confidential data for the Guest account.
C. Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users in to the Deny DLG group. Configure the Allow Full control permission on the shared folder that hold the confidential data for the Deny DLG group.
D. Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorized users in to the Deny DLG group. Configure the Deny Full control permission on the shared folder that hold the confidential data for the Deny DLG group.
Answer: D
Explanation:
C:\Documents and Settings\usernwz1\Desktop\1.PNG
C:\Documents and Settings\usernwz1\Desktop\1.PNG
http://technet.microsoft.com/en-us/library/cc755692%28v=ws.10%29.aspx
Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest.
The boundary, or reach, of a group scope is also determined by the domain functional level setting of the domain in which it resides. There are three group scopes: universal, global, and domain local.
The following table describes the differences between the scopes of each group.
C:\Documents and Settings\usernwz1\Desktop\1.PNG
When to use groups with domain local scope Groups with domain local scope help you define and manage access to resources within a single domain. For example, to give five users access to a particular printer, you can add all five user accounts in the printer permissions list. If, however, you later want to give the five users access to a new printer, you must again specify all five accounts in the permissions list for the new printer.
Q14. ABC.com has a main office and a branch office. ABC.com's network consists of a single Active Directory forest.
Some of the servers in the network run Windows Server 2008 and the rest run Windows server 2003.
You are the administrator at ABC.com. You have installed Active Directory Domain Services (AD DS) on a computer that runs Windows Server 2008. The branch office is located in a physically insecure place. It has no IT personnel onsite and there are no administrators over there. You need to setup a Read-Only Domain Controller (RODC) on the Server Core installation computer in the branch office.
What should you do to setup RODC on the computer in branch office?
A. Execute an attended installation of AD DS
B. Execute an unattended installation of AD DS
C. Execute RODC through AD DS
D. Execute AD DS by using deploying the image of AD DS
E. none of the above
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc754629.aspx
Install an RODC on a Server Core installation
To install an RODC on a Server Core installation of Windows Server 2008, you must perform an unattended installation of AD DS.
Q15. Your company has a main office and three branch offices. Each office is configured as a separate Active Directory site that has its own domain controller.
You disable an account that has administrative rights.
You need to immediately replicate the disabled account information to all sites.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. From the Active Directory Sites and Services console, configure all domain controllers as global catalog servers.
B. From the Active Directory Sites and Services console, select the existing connection objects and force replication.
C. Use Repadmin.exe to force replication between the site connection objects.
D. Use Dsmod.exe to configure all domain controllers as global catalog servers.
Answer: B,C
Explanation:
http://technet.microsoft.com/en-us/library/cc835086%28v=ws.10%29.aspx Repadmin /syncall Synchronizes a specified domain controller with all of its replication partners. http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/ How to force replication of Domain Controllers From time to time its necessary to kick off AD replication to speed up a task you may be doing, or just a good too to check the status of replication between DC’s. Below is a command to replicate from a specified DC to all other DC’s. Repadmin /syncall DC_name /Aped By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it in one step, not many.And with the benefit of seeing immediate results on how the operations are proceeding. If I am running it on the DC itself, I don’t even have to specify the server name. http://technet.microsoft.com/en-us/library/cc776188%28v=ws.10%29.aspx Force replication over a connection To force replication over a connection
1. Open Active Directory Sites and Services.
C:\Documents and Settings\usernwz1\Desktop\1.PNG