Q1. Your network contains an Active Directory domain named contoso.com. You have a management computer named Computer1 that runs Windows 7.
You need to forward the logon events of all the domain controllers in contoso.com to Computer1.
All new domain controllers must be dynamically added to the subscription.
What should you do?
A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.
B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.
C. From Computer1, configure source-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).
D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).
Answer: A
Explanation:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx
Setting up a Source Initiated Subscription
Source-initiated subscriptions allow you to define a subscription on an event collector computer without defining the event source computers, and then multiple remote event source computers can be set up (using a group policy setting) to forward events to the event collector computer. This differs from a collector initiated subscription because in the collector initiated subscription model, the event collector must define all the event sources in the event subscription.
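As an added example (not code from the original page or from the linked MSDN article), here is what answer A looks like when typed in: the subscription on the collector and the Subscription Manager policy on the sources. The collector name Computer1.contoso.com, port 5985, the subscription name and the event ID list are assumptions.

```powershell
# Added example, not from the original page. Assumed: collector Computer1.contoso.com
# (Windows 7), subscription "DC-LogonEvents", WinRM on the default HTTP port 5985.

# ---- 1. Collector (Computer1): enable the Windows Event Collector service ----
wecutil qc /q

# ---- 2. Collector: define the source-initiated subscription ----
# AllowedSourceDomainComputers is an SDDL string; "DD" is the well-known
# abbreviation for the domain's Domain Controllers group, so every DC, present or
# future, is allowed to forward without the subscription ever being edited.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/10/events/subscription">
  <SubscriptionId>DC-LogonEvents</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon events from all domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4768 or EventID=4771)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'DC-LogonEvents.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8
wecutil cs $xmlPath
wecutil gs DC-LogonEvents          # read the subscription back to confirm it exists

# ---- 3. Sources (every DC), delivered by the GPO linked to the Domain Controllers OU ----
# Computer Configuration > Policies > Administrative Templates > Windows Components
# > Event Forwarding > Configure target Subscription Manager, with the value below.
# The same registry value written directly, for testing on a single DC:
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $smKey -Force | Out-Null
Set-ItemProperty -Path $smKey -Name '1' `
    -Value 'Server=http://Computer1.contoso.com:5985/wsman/SubscriptionManager/WEC,Refresh=60'

# The forwarder runs as NETWORK SERVICE and needs read access to the Security log.
# Append a read ACE for NETWORK SERVICE (NS) to the channel's existing SDDL.
$sddl = (wevtutil gl Security | Select-String '^channelAccess:').ToString().Split(':', 2)[1].Trim()
if ($sddl -notmatch '\(A;;0x1;;;NS\)') { wevtutil sl Security /ca:"$sddl(A;;0x1;;;NS)" }

winrm quickconfig -q               # WinRM listener on the source
gpupdate /target:computer /force   # pick up the Subscription Manager setting now

# ---- 4. Collector: check that the DCs have registered and events are arriving ----
wecutil gr DC-LogonEvents          # runtime status: each source and its last heartbeat
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
    Select-Object TimeCreated, MachineName, Id
```

The HTTP transport is not cleartext here: WinRM authenticates the domain-joined sources with Kerberos and encrypts the SOAP messages at the message level, which is why the question does not need the certificate-based options C and D. A new DC picks the policy up at its next Group Policy refresh, registers with the collector within the Refresh interval, and shows up in `wecutil gr` without anyone touching the subscription.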
Q2. Your company has a main office and 40 branch offices. Each branch office is configured as a separate Active Directory site that has a dedicated read-only domain controller (RODC).
An RODC server is stolen from one of the branch offices.
You need to identify the user accounts that were cached on the stolen RODC server.
Which utility should you use?
A. Dsmod.exe
B. Ntdsutil.exe
C. Active Directory Sites and Services
D. Active Directory Users and Computers
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc835486%28v=ws.10%29.aspx
Securing Accounts After an RODC Is Stolen
If you become aware of a stolen or otherwise compromised read-only domain controller (RODC), you should act quickly to delete the RODC account from the domain and to reset the passwords of the accounts whose current passwords are stored on the RODC. An efficient tool for removing the RODC computer account and resetting all the passwords for the accounts that were authenticated to it is the Active Directory Users and Computers snap-in.
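The Active Directory Users and Computers route is the Delete Domain Controller dialog on the RODC computer object, which offers to reset the cached user and computer passwords and to export the list. The same list (the msDS-RevealedUsers attribute, shown on the Password Replication Policy tab) is also readable from PowerShell, which is useful when you want the evidence on file before anything is deleted. The following is an added example, not code from the page or from the TechNet article; the RODC name RODC-BR17 and the password policy are assumptions.

```powershell
# Added example, not from the original page. Assumed: stolen RODC "RODC-BR17",
# run from an admin workstation with the Windows Server 2008 R2 AD module.
Import-Module ActiveDirectory
$rodc = 'RODC-BR17'

# 1. Which accounts had secrets cached on the stolen box? -RevealedAccounts is
#    the "Accounts whose passwords are stored on this Read-only Domain Controller"
#    list from the Password Replication Policy tab in ADUC.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass, DistinguishedName |
    Export-Csv -Path "$env:USERPROFILE\$rodc-revealed-accounts.csv" -NoTypeInformation
$revealed | Format-Table Name, ObjectClass -AutoSize

# 2. Reset every cached user password so the attacker's offline copy of NTDS.DIT
#    no longer contains a valid credential.
Add-Type -AssemblyName System.Web
foreach ($acct in ($revealed | Where-Object { $_.ObjectClass -eq 'user' })) {
    $newPwd = [System.Web.Security.Membership]::GeneratePassword(24, 6)
    Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset `
        -NewPassword (ConvertTo-SecureString $newPwd -AsPlainText -Force)
    Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
}

# 3. Cached computer accounts need a machine password change too. Resetting the
#    account here means the machine must be rejoined; the alternative is running
#    Reset-ComputerMachinePassword on each machine while it still has a trust.
foreach ($comp in ($revealed | Where-Object { $_.ObjectClass -eq 'computer' })) {
    Write-Warning "Computer account was cached on $rodc and must be rotated: $($comp.Name)"
}

# 4. Record the RODC's own krbtgt account before the computer object goes away;
#    the stolen RODC can mint tickets with it until the account is gone.
$krbtgtLink = (Get-ADComputer -Identity $rodc -Properties 'msDS-KrbTgtLink').'msDS-KrbTgtLink'
"RODC krbtgt account: $krbtgtLink"

# 5. Delete the RODC computer account in ADUC (Delete Domain Controller dialog,
#    both "reset all passwords" boxes ticked), which also performs the metadata
#    cleanup. Then verify nothing is left behind:
Get-ADDomainController -Filter { Name -eq $rodc }             # expect no output
Get-ADObject -Filter { DistinguishedName -eq $krbtgtLink }   # expect no output
```

The stolen server must never be reconnected to the network: an RODC with a valid computer account and its krbtgt_<id> account is a working KDC for every account in its cache.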
Q3. Your company has a main office and a branch office.
You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates by using a domain controller in the main office.
You need to ensure that IPv6-only computers authenticate to domain controllers in the same site.
What should you do?
A. Configure the NTDS Site Settings object.
B. Create Active Directory subnet objects.
C. Create Active Directory Domain Services connection objects.
D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.
Answer: B
Q4. You create a new Active Directory domain. The functional level of the domain is Windows Server 2003. The domain contains five domain controllers that run Windows Server 2008 R2.
You need to monitor the replication of the group policy template files.
Which tool should you use?
A. Dfsrdiag
B. Fsutil
C. Ntdsutil
D. Ntfrsutl
Answer: D
Explanation:
SYSVOL, which holds the Group Policy template files, is replicated either by the File Replication Service (FRS) or by DFS Replication (DFS-R). DFS-R replication of SYSVOL, and therefore the Dfsrdiag tool, requires the Windows Server 2008 domain functional level (plus a completed FRS-to-DFS-R migration). At the Windows Server 2003 domain functional level SYSVOL is still replicated by FRS, so Ntfrsutl is the tool that monitors the replication of the Group Policy template files.
Q5. You install a read-only domain controller (RODC) named RODC1.
You need to ensure that a user named User1 can administer RODC1. The solution must minimize the number of permissions assigned to User1.
Which tool should you use?
A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Dsadd
D. Dsmgmt
Answer: B
Explanation:
Explanation 1:
http://technet.microsoft.com/en-us/library/cc755310.aspx
Delegating local administration of an RODC
Administrator Role Separation (ARS) is an RODC feature that you can use to delegate the
ability to administer an RODC to a user or a security group. When you delegate the ability
to log on to an RODC to a user or a security group, the user or group is not added the
Domain Admins group and therefore does not have additional rights to perform directory
service operations.
Steps and best practices for setting up ARS
You can specify a delegated RODC administrator during an RODC installation or after it.
To specify the delegated RODC administrator after installation, you can use either of the
following options:
Modify the Managed By tab of the RODC account properties in the Active Directory Users and Computers snap-in, as shown in the following figure. You can click Change to change which security principal is the delegated RODC administrator. You can choose only one security principal. Specify a security group rather than an individual user so you can control RODC administration permissions most efficiently. This method changes the managedBy attribute of the computer object that corresponds to the RODC to the SID of the security principal that you specify. This is the recommended way to specify the delegated RODC administrator account because the information is stored in AD DS, where it can be centrally managed by domain administrators.
Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members from the Administrators group and other built-in groups on the RODC. [See also the second Explanation for more information on how to use dsmgmt.]
Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab of the RODC account properties. As a result, using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated administrator.
In addition, if you demote an RODC, any security principal that you specified by using ntdsutil local roles remains stored in the registry of the server. This can be a security concern if you demote an RODC in one domain and then promote it to be an RODC again in a different domain. In that case, the original security principal would have administrative rights on the new RODC in the different domain.
Explanation 2: http://technet.microsoft.com/en-us/library/cc732301.aspx
Administrator Role Separation Configuration This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role.
To configure Administrator Role Separation for an RODC
Click Start, click Run, type cmd, and then press ENTER.
At the command prompt, typedsmgmt.exe, and then press ENTER.
At the DSMGMT prompt, typelocal roles, and then press ENTER.
For a list of valid parameters, type ?, and then press ENTER.
By default, no local administrator role is defined on the RODC after AD DS installation. To add the local administrator role, use the Add parameter.
Type add <DOMAIN>\<user> <administrative role>
For example, type add CONTOSO\testuser administrators
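The two explanations describe two places where RODC administration can be delegated, and only one of them is visible from the directory. As an added example (not from the page or the TechNet articles), the following does the Managed By delegation from PowerShell and then lists the locally stored roles, which is the check an auditor needs because dsmgmt delegations do not show up in AD. The group name RODC1-LocalAdmins and its OU are assumptions.

```powershell
# Added example, not from the original page. Assumed: RODC1 in contoso.com,
# delegated group "RODC1-LocalAdmins" created under OU=Branch Admins, user User1.
Import-Module ActiveDirectory

# A group rather than a user, per the TechNet recommendation.
$group = New-ADGroup -Name 'RODC1-LocalAdmins' -GroupScope Global `
    -Path 'OU=Branch Admins,DC=contoso,DC=com' -PassThru
Add-ADGroupMember -Identity $group -Members 'User1'

# Same effect as the Managed By tab in ADUC: write the group's DN to managedBy.
# User1 gets local Administrators rights on RODC1 and nothing in the domain.
Set-ADComputer -Identity 'RODC1' -ManagedBy $group.DistinguishedName

# Verify from the directory; this is the copy domain admins can see centrally.
Get-ADComputer -Identity 'RODC1' -Properties ManagedBy | Select-Object Name, ManagedBy

# Roles added with "dsmgmt local roles" live only in the RODC's registry and are
# invisible in AD, so an audit of RODC delegation must also ask the RODC itself.
# Run on RODC1 (dsmgmt takes its menu commands as arguments, like ntdsutil):
dsmgmt 'local roles' 'list roles' quit quit
dsmgmt 'local roles' 'show role administrators' quit quit
```

If `show role administrators` lists a principal that is not the managedBy group, someone delegated through dsmgmt (or the box was demoted and re-promoted with stale registry entries, as Explanation 1 warns); remove it with `dsmgmt 'local roles' 'remove <DOMAIN>\<principal> administrators' quit quit`.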
Q6. ABC.com has purchased laptop computers that will be used to connect to a wireless network.
You create a laptop organizational unit and create a Group Policy Object (GPO) and configure user profiles by utilizing the names of approved wireless networks.
You link the GPO to the laptop organizational unit. The new laptop users complain to you that they cannot connect to a wireless network.
What should you do to enforce the group policy wireless settings to the laptop computers?
A. Execute the gpupdate /target:computer command at the command prompt on the laptop computers
B. Execute the Add a network command and leave the SSID (service set identifier) blank
C. Execute the gpupdate /boot command at the command prompt on the laptop computers
D. Connect each laptop computer to a wired network, log off the laptop computer, and then log on again.
E. None of the above
Answer: D
Q7. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. Auditing is configured to log changes made to the Managed By attribute on group objects in an organizational unit named OU1.
You need to log changes made to the Description attribute on all group objects in OU1 only.
What should you do?
A. Run auditpol.exe.
B. Modify the auditing entry for OU1.
C. Modify the auditing entry for the domain.
D. Create a new Group Policy Object (GPO). Enable Audit account management policy setting. Link the GPO to OU1.
Answer: B
Explanation:
http://ithompson.wordpress.com/tag/organizational-unit-move/
Do you need to track who/where/when for activities done against the OUs in your AD? With Windows 2003 those were difficult questions to answer; we could get some very basic information from Directory Services Auditing, but it was limited and you had to read through several cryptic events (id 566). With the advanced auditing settings in Windows 2008 R2 you can get better information (you can do the same thing with Windows 2008, but it has to be done via the command line and applied every time the servers restart). I don't want to bore you with Windows 2003 auditing or the command-line options for Windows 2008 domains (if you need them, I will get you the information). So let's jump right to using Windows 2008 R2, because we can now apply the advanced auditing settings via Group Policy.
Now, when you turn on the Advanced Audit Policy Configuration you are turning OFF the basic or standard audit policies. The Advanced Audit Policy Configuration allows you to control what AD will audit at a more granular level. For the focus of this discussion we are only going to talk about setting up auditing for activity on our domain controllers; the other systems in your environment will be a different discussion.
So where do we start so that we can answer the question at the top of this discussion? First, turn on the correct auditing. Open up Group Policy Management Editor and drill down as seen in Fig 1.
For this discussion we are focusing on DS Access and its subcategories. We only want to turn on Audit Directory Service Changes, see Fig 2. This category only generates events on domain controllers and is very useful for tracking changes to Active Directory objects that have object level auditing enabled. These events not only tell you what object and property was changed and by whom but also the new value of the affected properties.
Now that we have step 1 completed, setting up AD for auditing, it’s time to configure WHAT we want to audit. This next step is done via Active Directory Users and Computers. Open up the properties of your AD and drill down to setup the auditing for Create and Delete Organizational Unit objects as seen in Fig 3.
Now we need to add more granularity so we need to do this process 1 more time and this time instead of checking boxes on the Object tab we are going to check 2 boxes on the Properties tab, see Fig 4.
Now that our auditing is setup what type of events can we expect to see?
Here are a few examples:
In this example (Fig 5), id 5137, we see an OU being created by the Administrator.
Figure 6 shows a Sub OU being created.
Figure 7 shows id 5139, an OU being moved.
Now for the best one, this one comes as a pair of messages – OU rename, part of id 5136. Figure 8 shows the first part of the rename process.
Figure 9 shows the second part of the rename process.
Now let’s contrast all of this with an event that is part of the good old standard auditing. Let’s take moving an OU; with the Advanced Auditing we get id 5139 (fig 7), nice and easy to read and understand. Now here is id 4662 that you would get for the same thing with standard auditing, fig 10.
With standard auditing some of the other items that we looked at would be next to impossible to audit, such as tracking when an OU is renamed, and as you can see from fig 10 the event is hard to read and understand if you did get one.
Now if your AD is in Mixed Mode (W2k8 and W2k3) you are stuck with standard auditing.
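The answer to Q7 is the object-level step the blog describes in Figs 3 and 4: the audit policy is already on (Managed By changes are being logged), so what changes is the SACL on OU1. As an added example, not code from the page or the quoted blog, here is that SACL entry scoped to the Description attribute of group objects under OU1, followed by a reader for the resulting 5136 events. The OU1 distinguished name and the Everyone principal are assumptions; the schema GUIDs are looked up rather than hard-coded.

```powershell
# Added example, not from the original page. Assumed: OU1 at OU=OU1,DC=contoso,DC=com;
# run as a domain admin (needs the "Manage auditing and security log" privilege).
Import-Module ActiveDirectory
$ou1 = 'OU=OU1,DC=contoso,DC=com'

# 1. Audit policy: normally the GPO on the Domain Controllers OU (Advanced Audit
#    Policy > DS Access > Audit Directory Service Changes); auditpol is the same
#    setting applied locally to one DC.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. Resolve schema GUIDs from the schema partition instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" `
        -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID          # byte[] -> Guid
}
$descriptionGuid = Get-SchemaGuid 'description'   # the attribute being audited
$groupClassGuid  = Get-SchemaGuid 'group'         # applies to descendant group objects only

# 3. Add the SACL entry on OU1: successful Write Property on "description",
#    inherited by descendant group objects (the same shape as the existing
#    Managed By entry, with a different attribute GUID).
$acl  = Get-Acl -Path "AD:\$ou1" -Audit
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.NTAccount]'Everyone',
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    $descriptionGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClassGuid)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ou1" -AclObject $acl

# 4. Show the audit entries that now target the description attribute.
(Get-Acl -Path "AD:\$ou1" -Audit).GetAuditRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.ObjectType -eq $descriptionGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritedObjectType -AutoSize

# 5. Read the resulting 5136 events on a DC; each change is logged as a pair
#    (old value deleted, new value added) as the blog's Figs 8 and 9 show.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 200 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object    = $d.ObjectDN
            Attribute = $d.AttributeLDAPDisplayName
            Value     = $d.AttributeValue
            Operation = if ($d.OperationType -eq '%%14674') { 'value added' } else { 'value deleted' }
        }
    } |
    Where-Object { $_.Attribute -eq 'description' -and $_.Object -like "*,$ou1" } |
    Format-Table Time, Who, Object, Operation, Value -AutoSize
```

Option D (a new GPO with Audit account management linked to OU1) fails twice over: audit policy is computer configuration and never applies to the user and group objects in OU1, and account-management auditing logs which object changed, not which attribute or what the new value is; only Directory Service Changes plus an object SACL gives that.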
Q8. Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way forest trust exists between contoso.com and nwtraders.com. The forest trust is configured to use selective authentication.
Contoso.com contains a server named Server1. Server1 contains a shared folder named Marketing.
Nwtraders.com contains a global group named G_Marketing. The Change share permission and the Modify NTFS permission for the Marketing folder are assigned to the G_Marketing group. Members of G_Marketing report that they cannot access the Marketing folder.
You need to ensure that the G_Marketing members can access the folder from the network.
What should you do?
A. From Windows Explorer, modify the NTFS permissions of the folder.
B. From Windows Explorer, modify the share permissions of the folder.
C. From Active Directory Users and Computers, modify the computer object for Server1.
D. From Active Directory Users and Computers, modify the group object for G_Marketing.
Answer: C
Explanation:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 643-644
After you have selected Selective Authentication for the trust, no trusted users will be able to access resources in the trusting domain, even if those users have been given permissions. The users must also be assigned the Allowed To Authenticate permission on the computer object in the domain.
To assign this permission:
1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is selected on the View menu.
2. Open the properties of the computer to which trusted users should be allowed to authenticate—that is, the computer that trusted users will log on to or that contains resources to which trusted users have been given permissions.
3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box for the Allowed To Authenticate permission.
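The same permission from PowerShell, as an added example that is not code from the page or the training kit: it looks up the Allowed to Authenticate extended right in the Configuration partition and adds an Allow ACE for the trusted group to Server1's computer object. The server and group names come from the question; everything else is an assumption.

```powershell
# Added example, not from the original page. Assumed: Server1 in contoso.com,
# group NWTRADERS\G_Marketing resolvable through the forest trust.
Import-Module ActiveDirectory

$computerDn = (Get-ADComputer -Identity 'Server1').DistinguishedName
$grantee    = [System.Security.Principal.NTAccount]'NWTRADERS\G_Marketing'

# Look up the extended right's GUID instead of hard-coding it.
$configNC = (Get-ADRootDSE).configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid
$allowedToAuthGuid = [guid]$right.rightsGuid

# Allow the trusted group the "Allowed to Authenticate" extended right on the
# computer object (no inheritance; it is a per-resource decision).
$acl  = Get-Acl -Path "AD:\$computerDn"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $grantee,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$computerDn" -AclObject $acl

# Verify: which principals may authenticate to Server1 across the trust.
(Get-Acl -Path "AD:\$computerDn").Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthGuid } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights

# Optional: confirm the trust really is in selective-authentication mode, since
# this ACE is meaningless (and the symptom would be different) otherwise.
Get-ADTrust -Identity 'nwtraders.com' | Select-Object Name, Direction, SelectiveAuthentication
```

Selective authentication is a deny-by-default control: share and NTFS permissions on the Marketing folder are evaluated only after the user has been allowed to authenticate to Server1, which is why options A and B cannot fix the symptom.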
Q9. You have installed Windows Server 2008 on a computer and configured it as a file server named FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks.
For fault tolerance and performance you want to configure Redundant Array of Independent Disks (RAID) 0+1 on FileSrv1.
Which utility will you use to convert the basic disks to dynamic disks on FileSrv1?
A. Diskpart.exe
B. Chkdsk.exe
C. Fsutil.exe
D. Fdisk.exe
E. None of the above
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc771534.aspx
[Diskpart] Convert dynamic Converts a basic disk into a dynamic disk.
Q10. Your network contains an Active Directory domain. The domain contains three domain controllers.
One of the domain controllers fails.
Seven days later, the help desk reports that it can no longer create user accounts. You need to ensure that the help desk can create new user accounts.
Which operations master role should you seize?
A. domain naming master
B. infrastructure master
C. primary domain controller (PDC) emulator
D. RID master
E. schema master
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc773108%28v=ws.10%29.aspx
Operations master roles
Active Directory supports multimaster replication of the directory data store between all domain controllers (DC) in the domain, so all domain controllers in a domain are essentially peers. However, some changes are impractical to perform using multimaster replication, so, for each of these types of changes, one domain controller, called the operations master, accepts requests for such changes. In every forest, there are at least five operations master roles that are assigned to one or more domain controllers. Forest-wide operations master roles must appear only once in every forest. Domain-wide operations master roles must appear once in every domain in the forest.
RID master The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain. To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.
http://www.techrepublic.com/article/step-by-step-learn-how-to-transfer-and-seize-fsmo-roles-in-activedirectory/5081138 Step-By-Step: Learn how to transfer and seize FSMO roles in Active Directory
http://www.petri.co.il/seizing_fsmo_roles.htm Seizing FSMO Roles
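The seven-day delay in the question is the RID pool: each domain controller hands out SIDs from a block of RIDs it obtained from the RID master, and account creation only fails once the surviving DCs have exhausted their blocks and cannot get more. As an added example (not from the page or the linked articles), the seizure with the checks around it in PowerShell; the DC names DC1 (failed) and DC2 (surviving) and the site name are assumptions.

```powershell
# Added example, not from the original page. Assumed: failed DC "DC1" held the
# RID master role, "DC2" is a healthy DC in contoso.com, site Default-First-Site-Name.
Import-Module ActiveDirectory

# 1. Confirm which roles the dead DC held; seize only those.
Get-ADDomain | Select-Object RIDMaster, PDCEmulator, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# 2. Show the RID pool state on the surviving DCs (rIDAllocationPool / next RID);
#    the ridmanager test also reports that the RID master is unreachable.
dcdiag /s:DC2 /test:ridmanager /v

# 3. Seize. -Force makes the cmdlet fall back to a seizure when the current
#    holder cannot be contacted for a transfer.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole RIDMaster `
    -Force -Confirm:$false

# 4. DC1 must never come back online: two RID masters can allocate overlapping
#    pools, and overlapping pools mean duplicate SIDs. Remove its metadata.
$dc1Server = 'CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com'
ntdsutil 'metadata cleanup' "remove selected server $dc1Server" quit quit

# 5. Verify the role, the replication view, and that DC1 is gone.
netdom query fsmo
repadmin /showrepl DC2
Get-ADDomainController -Filter { Name -eq 'DC1' }    # expect no output
```

If the failed DC also held the PDC emulator, seize that too; if it held the schema or domain naming master, the seizure must be done on a DC in the forest root domain. The infrastructure master alone does not break account creation and can wait for a normal transfer.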
Q11. You have an Active Directory domain named contoso.com.
You have a domain controller named Server1 that is configured as a DNS server.
Server1 hosts a standard primary zone for contoso.com. The DNS configuration of Server1 is shown in the exhibit. (Click the Exhibit button.)
You discover that stale resource records are not automatically removed from the contoso.com zone.
You need to ensure that the stale resource records are automatically removed from the contoso.com zone.
What should you do?
A. Set the scavenging period of Server1 to 0 days.
B. Modify the Server Aging/Scavenging properties.
C. Configure the aging properties for the contoso.com zone.
D. Convert the contoso.com zone to an Active Directory-integrated zone.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc816625%28v=ws.10%29.aspx
Set Aging and Scavenging Properties for a Zone
The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool.
To set aging and scavenging properties for a zone using the Windows interface
1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools,
and then click DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, click Aging.
4. Select the Scavenge stale resource records check box.
5. Modify other aging and scavenging properties as needed.
To set aging and scavenging properties for a zone using a command line
1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. At the command prompt, type the following command, and then press ENTER:
dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}
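Zone-level aging is the answer, but on its own it only starts time-stamping records; nothing is deleted until the server's scavenging period is also non-zero, which is the point option A gets backwards (0 days disables scavenging). As an added example, not from the page or the TechNet article, the full sequence with dnscmd and the checks worth running before the first scavenging pass removes something you wanted. The 7-day intervals are assumptions; the server and zone names come from the question.

```powershell
# Added example, not from the original page. Assumed: 7-day no-refresh and refresh
# intervals, 7-day server scavenging period. dnscmd interval values are in hours.
$server = 'Server1'
$zone   = 'contoso.com'

# 1. Zone-level aging (the question's answer): enable it and set the intervals.
dnscmd $server /Config $zone /Aging 1
dnscmd $server /Config $zone /NoRefreshInterval 168
dnscmd $server /Config $zone /RefreshInterval 168

# 2. Server-level scavenging period. Zero (option A) turns scavenging off.
dnscmd $server /Config /ScavengingInterval 168

# 3. Read both back. A record is eligible for deletion once it is older than
#    NoRefresh + Refresh (14 days here) at the time of a scavenging pass.
dnscmd $server /ZoneInfo $zone | Select-String 'Aging|Refresh'
dnscmd $server /Info /ScavengingInterval

# 4. Preview what is timestamped. /Detail prints "[Aging:<hours>]" on dynamic
#    records; records with no Aging value are static and are never scavenged.
#    Anything you added by hand that must survive should show no timestamp here.
dnscmd $server /EnumRecords $zone @ /Type A /Detail | Where-Object { $_ -match 'Aging' }

# 5. Optionally run a pass now rather than waiting for the interval, and watch
#    the DNS Server event log for the scavenging summary.
dnscmd $server /StartScavenging
Get-WinEvent -LogName 'DNS Server' -MaxEvents 20 | Select-Object TimeCreated, Id, Message
```

Converting the zone to AD-integrated (option D) changes where the zone lives, not whether it ages records, and adds a further gate (the zone's list of scavenging servers) that a standard primary zone does not need.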
Q12. ABC.com boasts a main office and 20 branch offices. Configured as a separate site, each branch office has a Read-Only Domain Controller (RODC) server installed.
Users in remote offices complain that they are unable to log on to their accounts. What should you do to make sure that the cached credentials for user accounts are only stored in their local branch office RODC server?
A. Open the RODC computer account security tab and set Allow on the Receive as permission only for the users that are unable to log on to their accounts
B. Add a password replication policy to the main Domain RODC and add user accounts in the security group
C. Configure a unique security group for each branch office and add user accounts to the respective security group. Add the security groups to the password replication allowed group on the main RODC server
D. Configure and add a separate password replication policy on each RODC computer account
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
Password Replication Policy
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently. The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.
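The policy is an attribute of each RODC's own computer object (msDS-Reveal-OnDemandGroup for the allowed list, msDS-NeverRevealGroup for the denied list), which is why a single "main" policy (options B and C) cannot scope caching per branch. As an added example, not from the page or the TechNet article, a per-branch policy with one group per branch office; the naming scheme RODC-BRnn / BRnn-Users and the OU are assumptions.

```powershell
# Added example, not from the original page. Assumed: RODCs named RODC-BR01..RODC-BR20,
# one global group per branch named BR01-Users..BR20-Users in OU=Branch Groups.
Import-Module ActiveDirectory

foreach ($n in 1..20) {
    $b     = '{0:D2}' -f $n
    $rodc  = "RODC-BR$b"
    $group = "BR$b-Users"

    # One group per branch: day-to-day maintenance is group membership, not PRP edits.
    if (-not (Get-ADGroup -Filter { Name -eq $group })) {
        New-ADGroup -Name $group -GroupScope Global -Path 'OU=Branch Groups,DC=abc,DC=com' | Out-Null
    }

    # Allow caching on this RODC for this branch's users only...
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $group
    # ...and keep privileged accounts out explicitly. Denied wins over Allowed, and the
    # default Denied RODC Password Replication Group already covers these; stating it
    # per RODC keeps the intent intact if someone edits that group later.
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
        -DeniedList 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
}

# Inspect the effective lists on one RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC-BR01' -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC-BR01' -Denied  | Select-Object Name

# Who has actually authenticated through RODC-BR01 but is not cached? Those are the
# users whose logons still depend on the WAN and the candidates for the branch group.
$auth     = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC-BR01' -AuthenticatedAccounts
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC-BR01' -RevealedAccounts
$auth | Where-Object { $revealed.DistinguishedName -notcontains $_.DistinguishedName } |
    Select-Object Name, ObjectClass

# Pre-populate the cache for the branch so a WAN outage does not block first logons.
$hub = (Get-ADDomainController -Discover -Writable -Service ADWS).HostName
Get-ADGroupMember -Identity 'BR01-Users' | ForEach-Object {
    Sync-ADObject -Object $_.DistinguishedName -Source $hub -Destination 'RODC-BR01' -PasswordOnly
}
```

Remember to add the branch's own computer accounts (and the RODC itself) to the allowed list as well; a workstation whose machine password is not cached cannot complete a logon while the hub is unreachable, no matter what the user's PRP status is.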
Q13. Your company has a main office and a branch office.
The network contains an Active Directory forest. The forest contains three domains. The branch office contains one domain controller named DC5. DC5 is configured as a global catalog server, a DHCP server, and a file server.
You remove the global catalog from DC5.
You need to reduce the size of the Active Directory database on DC5.
The solution must minimize the impact on all users in the branch office.
What should you do first?
A. Start DC5 in Safe Mode.
B. Start DC5 in Directory Services Restore Mode.
C. On DC5, start the Protected Storage service.
D. On DC5, stop the Active Directory Domain Services service.
Answer: D
Explanation:
http://allcomputers.us/windows_server/windows-server-2008-r2---manage-the-active-directory-database-%28part-2%29---defragment-the-directory-database---audit-active-directory-service.aspx
Windows Server 2008 R2 : Manage the Active Directory Database (part 2) - Defragment the Directory Database & Audit Active Directory Service
3. Defragment the Directory Database
A directory database gets fragmented as you add, change, and delete objects in your database. Like any file system-based storage, as the directory database is changed and updated, fragments of disk space build up, so it needs to be defragmented on a routine basis to maintain optimal operation. By default, Active Directory performs an online defragmentation of the directory database every 12 hours with the garbage collection process, an automated directory database cleanup, and IT pros should be familiar with it. However, online defragmentation does not decrease the size of the NTDS.DIT database file. Instead, it shuffles the data around for easier access. Depending on how much fragmentation you actually have in the database, running an offline defragmentation, which does decrease the size of the database, could have a significant effect on the overall size of your NTDS.DIT database file.
There is a little problem associated with defragmenting databases. They have to be taken offline in order to have the fragments removed and the database resized. In Windows Server 2008 R2, there is a great feature that allows you to take the database offline without shutting down the server. It's called Restartable Active Directory, and it could not be much easier to stop and start your directory database than this. Figure 4 shows the Services tool and how you can use it to stop the Active Directory service.
1. Start the Services tool from the Control Panel.
2. Right-click Active Directory Domain Services, and select Stop.
Figure 4. You can use the Services tool to stop and restart Active Directory.
That's it! Now when you stop Active Directory Domain Services, any other dependent services will also be stopped. Keep in mind that while the services are stopped, they cannot fulfill their assigned role in your network. The really cool thing about Restartable AD is that while the directory service and its dependent services are stopped, other services on the local machine are not. So, perhaps you have a shared printer running on your DC. Print services still run, and print operations do not stop. Nice!
3.1. Offline Directory Defragmentation
Now that you have stopped Active Directory services, it is time to get down to the business
of offline defragmentation of the directory database:
1. Back up the database.
2. Open a command prompt, and type NTDSUTIL.
3. Type ACTIVATE INSTANCE NTDS.
4. Type FILES, and press Enter.
5. Type INFO, and press Enter. This will tell you the current location of the directory
database, its size, and the size of the associated log files. Write all this down.
6. Make a folder location that has enough drive space for the directory to be stored.
7. Type COMPACT TO DRIVE:\DIRECTORY, and press Enter. The drive and directory are the location you created in step 6. If the drive path contains spaces, put the whole path in quotation marks, as in "C:\database defrag".
A new defragmented and compacted NTDS.DIT is created in the folder you specified.
8. Type QUIT, and press Enter.
9. Type QUIT again, and press Enter to return to the command prompt.
10. If defragmentation succeeds without errors, follow the instructions that NTDSUTIL prints: copy the compacted file over the original and delete the old log files, as in the next two steps.
11. Delete all log files by typing DEL x:\pathtologfiles\*.log, where x is the drive letter of your drive.
12. Overwrite the old NTDS.DIT file with the new one. Remember, you wrote down its location in step 5.
13. Close the command prompt.
14. Open the Services tool, and start Active Directory Domain Services.
Defragmenting your directory database using the offline NTDSUTIL process can significantly reduce the size of your database depending on how long it has been since your last offline defrag. The hard thing about offline defrag is that every network is different, so making recommendations about how often to use the offline defrag process is somewhat spurious. I recommend you get to know your directory database. Monitor its size and growth. When you think it is appropriate to defragment offline, then do it. A pattern will emerge for you, and you will find yourself using offline defragmentation on a frequency that works well for your network and your directory database. One of the cool things about offline defragmentation is that if you should happen to have an error occur during the defragmentation process, you still have your original NTDS.DIT database in place and can continue using it with no problems until you can isolate and fix any issues.
Q14. Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard.
The functional level of the domain is Windows Server 2003.
You have a certification authority (CA).
The relevant servers in the domain are configured as shown below:
You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate Enrollment Web Service on the network.
What should you do?
A. Upgrade Server1 to Windows Server 2008 R2.
B. Upgrade Server2 to Windows Server 2008 R2.
C. Raise the functional level of the domain to Windows Server 2008.
D. Install the Windows Server 2008 R2 Active Directory Schema updates.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/dd759243.aspx
Installation requirements
Before installing the certificate enrollment Web services, ensure that your environment
meets these requirements:
A host computer as a domain member running Windows Server 2008 R2.
An Active Directory forest with a Windows Server 2008 R2 schema.
An enterprise certification authority (CA) running Windows Server 2008 R2, Windows
Server 2008, or
Windows Server 2003.
Q15. Your network contains an Active Directory domain. The domain contains five domain controllers. A domain controller named DC1 has the DHCP role and the file server role installed.
You need to move the Active Directory database on DC1 to an alternate location.The solution must minimize impact on the network during the database move.
What should you do first?
A. Restart DC1 in Safe Mode.
B. Restart DC1 in Directory Services Restore Mode.
C. Start DC1 from Windows PE.
D. Stop the Active Directory Domain Services service on DC1.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc794895%28v=ws.10%29.aspx
Relocating the Active Directory Database Files
Applies To: Windows Server 2008, Windows Server 2008 R2
Relocating Active Directory database files usually involves moving files to a temporary location while hardware updates are being performed and then moving the files to a permanent location. On domain controllers that are running versions of Windows 2000 Server and Windows Server 2003, moving database files requires restarting the domain controller in Directory Services Restore Mode (DSRM). Windows Server 2008 introduces restartable Active Directory Domain Services (AD DS), which you can use to perform database management tasks without restarting the domain controller in DSRM. Before you move database files, you must stop AD DS as a service.
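Q13 and Q15 are the same procedure with a different ntdsutil FILES command in the middle, so one added example covers both: stop AD DS (the "first" step both answers ask for), do the offline work, check integrity, start AD DS. It is not code from the page or the linked articles. The paths C:\Windows\NTDS, D:\NTDS, D:\NTDS-Compact and the backup target E: are assumptions.

```powershell
# Added example, not from the original page. Serves Q15 (move the database) and
# Q13 (offline compaction). Run elevated on the DC itself. Assumed paths:
# current DB under C:\Windows\NTDS, new location D:\NTDS, scratch D:\NTDS-Compact.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# 0. System state backup first; offline edits to NTDS.DIT are not undoable.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 1. Stop AD DS. Only NTDS and its dependents (KDC, DNS, Netlogon, DFSR/NTFRS)
#    stop; DHCP and the file shares on this DC keep serving the branch.
Stop-Service -Name NTDS -Force
Get-Service -Name NTDS, KDC, DNS, Netlogon, DHCPServer, LanmanServer |
    Format-Table Name, Status -AutoSize

# 2. Where the files are and how big they are (ntdsutil FILES > INFO).
ntdsutil 'activate instance ntds' files info quit quit

# ---- Q15: relocate the database and logs. ntdsutil updates the registry paths
#      and re-applies the required ACLs; a plain file copy does neither. ----
New-Item -ItemType Directory -Path 'D:\NTDS' -Force | Out-Null
ntdsutil 'activate instance ntds' files 'move db to D:\NTDS' 'move logs to D:\NTDS' quit quit

# ---- Q13: offline compaction into a scratch folder ----
New-Item -ItemType Directory -Path 'D:\NTDS-Compact' -Force | Out-Null
ntdsutil 'activate instance ntds' files 'compact to D:\NTDS-Compact' quit quit

# 3. Only if compact reported success: keep a copy of the old file, swap in the
#    compacted one, delete the old logs (the instructions ntdsutil prints).
$dbPath = (Get-ItemProperty -Path $params).'DSA Database file'
$logDir = (Get-ItemProperty -Path $params).'Database log files path'
Copy-Item -Path $dbPath -Destination "$dbPath.bak" -Force
Copy-Item -Path 'D:\NTDS-Compact\ntds.dit' -Destination $dbPath -Force
Remove-Item -Path (Join-Path $logDir '*.log') -Force

# 4. Integrity check on the file AD DS will actually start from.
ntdsutil 'activate instance ntds' files integrity quit quit

# 5. Start AD DS and confirm replication health and the new size.
Start-Service -Name NTDS
repadmin /showrepl
Get-Item -Path $dbPath | Select-Object FullName, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB) } }
```

Directory Services Restore Mode (options B in both questions) would also work but reboots the DC and takes DHCP and the file shares down with it; Safe Mode and Windows PE do not give you a running ntdsutil against an instance at all. If the integrity check in step 4 fails, put the .bak copy back before starting the service.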