Microsoft Certkiller 70-640 Exam Bundle · Microsoft Certkiller 70-640 Exam Bundle Number : 70-640 Passing Score : 700 Time Limit : 145 min File Version : 23.7 Microsoft 70-640 Exam

Microsoft Certkiller 70-640 Exam Bundle

Number: 70-640Passing Score: 700Time Limit: 145 minFile Version: 23.7

http://www.gratisexam.com/

Microsoft 70-640 Exam Bundle

Exam Name: Microsoft TS: Windows Server 2008 Active Directory, Configuring Exam

For Full Set of Questions please visit: http://www.certkiller.com/exam-70-640.htm

Exam A

QUESTION 1You have a domain controller named Server1 that runs Windows Server 2008 R2. You need to determine thesize of the Active Directory database on Server1.

What should you do?

A. Run the Active Directory Sizer tool.B. Run the Active Directory Diagnostics data collector set.C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.

Correct Answer: CSection: (none)Explanation

Explanation/Reference:

QUESTION 2You need to receive an e-mail message whenever a domain user account is locked out.

Which tool should you use?

A. Active Directory Administrative CenterB. Event ViewerC. Resource MonitorD. Security Configuration Wizard

Correct Answer: BSection: (none)Explanation


QUESTION 3Your network contains an Active Directory domain named contoso.com.

You have a management computer named Computer1 that runs Windows 7.

You need to forward the logon events of all the domain controllers in contoso.com to Computer1.

All new domain controllers must be dynamically added to the subscription.

What should you do?

A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO) linkedto the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO) linkedto the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

C. From Computer1, configure source-initiated event subscriptions. Install a server authentication certificate onComputer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).

D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication certificateon Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).

Correct Answer: ASection: (none)Explanation


QUESTION 4Your network contains an Active Directory domain that has two sites. You need to identify whether logon scriptsare replicated to all domain controllers.

Which folder should you verify?

A. GroupPolicyB. NTDSC. SoftwareDistributionD. SYSVOL

Correct Answer: DSection: (none)Explanation


QUESTION 5You install a standalone root certification authority (CA) on a server named Server1.

You need to ensure that every computer in the forest has a copy of the root CA certificate installed in the localcomputer's Trusted Root Certification Authorities store.

Which command should you run on Server1?

A. certreq.exe and specify the -accept parameterB. certreq.exe and specify the -retrieve parameterC. certutil.exe and specify the -dspublish parameterD. certutil.exe and specify the -importcert parameter



QUESTION 6You have an enterprise subordinate certification authority (CA).

You have a group named Group1.

You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must notbe allowed to revoke certificates.

What should you do?

A. Add Group1 to the local Administrators group.

B. Add Group1 to the Certificate Publishers group.C. Assign the Manage CA permission to Group1.D. Assign the Issue and Manage Certificates permission to Group1.



QUESTION 7You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recoveryagent certificates are issued.

The CA is configured to use two recovery agents.

You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.

What should you do?

A. Add a data recovery agent to the Default Domain Policy.B. Modify the value in the Number of recovery agents to use box.C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.



QUESTION 8You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardwaresecurity module. You need to back up Active Directory Certificate Services on the CA.


Which command should you run?

A. certutil.exe backupB. certutil.exe backupdbC. certutil.exe backupkeyD. certutil.exe store



QUESTION 9You have Active Directory Certificate Services (AD CS) deployed.

You create a custom certificate template.

You need to ensure that all of the users in the domain automatically enroll for a certificate based on the customcertificate template.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. In a Group Policy object (GPO), configure the autoenrollment settings.B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.

Correct Answer: ADSection: (none)Explanation


QUESTION 10You have an enterprise subordinate certification authority (CA). You have a custom certificate template that hasa key length of 1,024 bits. The template is enabled for autoenrollment.

You increase the template key length to 2,048 bits.

You need to ensure that all current certificate holders automatically enroll for a certificate that uses the newtemplate.

Which console should you use?

A. Active Directory Administrative CenterB. Certification AuthorityC. Certificate TemplatesD. Group Policy Management



QUESTION 11Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard.

The functional level of the domain is Windows Server 2003.

You have a certification authority (CA).

The relevant servers in the domain are configured as shown below:

You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate EnrollmentWeb Service on the network.

What should you do?

A. Upgrade Server1 to Windows Server 2008 R2.B. Upgrade Server2 to Windows Server 2008 R2.C. Raise the functional level of the domain to Windows Server 2008.D. Install the Windows Server 2008 R2 Active Directory Schema updates.



QUESTION 12You have a domain controller that runs the DHCP service. You need to perform an offline defragmentation ofthe Active Directory database on the domain controller. You must achieve this goal without affecting theavailability of the DHCP service. What should you do?

A. Restart the domain controller in Directory Services Restore Mode. Run the Disk Defragmenter utility.B. Restart the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility.C. Stop the Active Directory Domain Services service. Run the Ntdsutil utility.D. Stop the Active Directory Domain Services service. Run the Disk Defragmenter utility.



QUESTION 13Your network contains an Active Directory forest. You need to add a new user principal name (UPN) suffix tothe forest. Which tool should you use?

A. Active Directory Administrative CenterB. Active Directory Domains and TrustsC. Active Directory Sites and ServicesD. Active Directory Users and Computers



QUESTION 14Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2connect to each other by using a slow WAN link.

You discover that the cached password for a user named User1 is compromised on the RODC.

On a domain controller in Site1, you change the password for User1.

You need to replicate the new password for User1 to the RODC immediately. The solution must not replicateother objects to the RODC. Which tool should you use?

A. Active Directory Sites and ServicesB. Active Directory Users and ComputersC. RepadminD. Replmon



QUESTION 15Your network contains an Active Directory domain named contoso.com. The properties of the contoso.comDNS zone are configured as shown in the exhibit. (Click the Exhibit button.)

You need to update all service location (SRV) records for a domain controller in the domain. What should youdo?

A. Restart the Netlogon service.B. Restart the DNS Client service.C. Run sc.exe and specify the triggerinfo parameter.D. Run ipconfig.exe and specify the /registerdns parameter.


Explanation/Reference:Explanation:

QUESTION 16Your network contains an Active Directory domain. The domain contains 1,000 user accounts. You have a listthat contains the mobile phone number of each user. You need to add the mobile number of each user toActive Directory. What should you do?

A. Create a file that contains the mobile phone numbers, and then run ldifde.exe.B. Create a file that contains the mobile phone numbers, and then run csvde.exe.C. From Adsiedit, select the CN=Users container, and then modify the properties of the container.

D. From Active Directory Users and Computers, select all of the users, and then modify the properties of theusers.



QUESTION 17Your network contains an Active Directory domain named contoso.com. All domain controllers and memberservers run Windows Server 2008. All client computers run Windows 7. From a client computer, you create anaudit policy by using the Advanced Audit Policy Configuration settings in the Default Domain Policy GroupPolicy object (GPO). You discover that the audit policy is not applied to the member servers. The audit policy isapplied to the client computers. You need to ensure that the audit policy is applied to all member servers and allclient computers. What should you do?

A. Add a WMI filter to the Default Domain Policy GPO.B. Modify the security settings of the Default Domain Policy GPO.C. Configure a startup script that runs auditpol.exe on the member servers.D. Configure a startup script that runs auditpol.exe on the domain controllers.



QUESTION 18Your company uses an application that stores data in an Active Directory Lightweight Directory Services (ADLDS) instance named Instance1. You attempt to create a snapshot of Instance1 as shown in the exhibit. (Clickthe Exhibit button.)

You need to ensure that you can take a snapshot of Instance1. What should you do?

A. At the command prompt, run net start VSS.B. At the command prompt, run net start Instance1.C. Set the Startup Type for the Instance1 service to Disabled.D. Set the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.



QUESTION 19Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains amember server that is configured to collect all of the events that occur on the domain controllers. You need toensure that administrators are notified when a specific event occurs on any of the domain controllers. You wantto achieve this goal by using the minimum amount of administrative effort. What should you do?

A. From Event Viewer on the member server, create a subscription.B. From Event Viewer on each domain controller, create a subscription.C. From Event Viewer on the member server, run the Create Basic Task Wizard.D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.



QUESTION 20Your network contains a single Active Directory domain named contoso.com. An administrator accidentallydeletes the _msdsc.contoso.com zone. You recreate the _msdsc.contoso.com zone. You need to ensure thatthe _msdsc.contoso.com zone contains all of the required DNS records.What should you do on each domain controller?

A. Restart the Netlogon service.B. Restart the DNS Server service.C. Run dcdiag.exe /fix.D. Run ipconfig.exe /registerdns.



QUESTION 21Your network contains an Active Directory-integrated zone. All DNS servers that host the zone are domaincontrollers. You add multiple DNS records to the zone. You need to ensure that the records are replicated to allDNS servers. Which tool should you use?

A. DnslintB. Ldp

C. NslookupD. Repadmin



QUESTION 22Your network contains an Active Directory forest. The forest contains two domains named contoso.com andeu.contoso.com. All domain controllers are DNS servers. The domain controllers in contoso.com host the zonefor contoso.com. The domain controllers in eu.contoso.com host the zone for eu.contoso.com. The DNS zonefor contoso.com is configured as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that all domain controllers in the forest host a writable copy of _msdsc.contoso.com. Whichtwo actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Create a zone delegation record in the contoso.com zone.B. Create a zone delegation record in the eu.contoso.com zone.C. Create an Active Directory-integrated zone for _msdsc.contoso.com.D. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com.

Correct Answer: ACSection: (none)Explanation


QUESTION 23You need to compact an Active Directory database on a domain controller that runs Windows Server 2008 R2.What should you do?

A. Run defrag.exe /a /c.B. Run defrag.exe /c /u.C. From Ntdsutil, use the Files option.D. From Ntdsutil, use the Metadata cleanup option.



QUESTION 24Your network contains an Active Directory domain named contoso.com. Contoso.com contains a memberserver that runs Windows Server 2008 Standard. You need to install an enterprise subordinate certificationauthority (CA) that supports private key archival. You must achieve this goal by using the minimum amount ofadministrative effort. What should you do first?

A. Initialize the Trusted Platform Module (TPM).B. Upgrade the member server to Windows Server 2008 R2 Standard.C. Install the Certificate Enrollment Policy Web Service role service on the member server.D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services -

Certification Authority server role template check box.



QUESTION 25You have an enterprise subordinate certification authority (CA). You have a custom Version 3

certificate template. Users can enroll for certificates based on the custom certificate template by using theCertificates console. The certificate template is unavailable for Web enrollment. You need to ensure that thecertificate template is available on the Web enrollment pages. What should you do?

A. Run certutil.exe Cpulse.B. Run certutil.exe Cinstallcert.C. Change the certificate template to a Version 2 certificate template.D. On the certificate template, assign the Autoenroll permission to the users.



QUESTION 26Your network contains an Active Directory domain. The domain contains a member server named Server1 thatruns Windows Server 2008 R2. You need to configure Server1 as a global catalog server. What should you do?

A. Modify the Active Directory schema.

B. From Ntdsutil, use the Roles option.C. Run the Active Directory Domain Services Installation Wizard on Server1.D. Move the Server1 computer object to the Domain Controllers organizational unit (OU).



QUESTION 27Your network contains an Active Directory domain. All domain controller run Windows Server 2003. Youreplace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise thefunctional level of the domain to Windows Server 2008 R2. You need to minimize the amount of SYSVOLreplication traffic on the network. What should you do?

A. Raise the functional level of the forest to Windows Server 2008 R2.B. Modify the path of the SYSVOL folder on all of the domain controllers.C. On a global catalog server, run repadmin.exe and specify the KCC parameter.D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run

dfsrmig.exe.



QUESTION 28Your network contains an Active Directory forest. The forest contains two domain controllers. The domaincontrollers are configured as shown in the following table.

All client computers run Windows 7. You need to ensure that all client computers in the domain keep the sametime as an external time server. What should you do?

A. From DC1, run the time command.B. From DC2, run the time command.C. From DC1, run the w32tm.exe command.D. From DC2, run the w32tm.exe command.



QUESTION 29Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domaincontrollers. The domain controllers are configured as shown in the following table.

All client computers have IP addresses in the 10.1.2.1 to 10.1.2.240 range. You need to minimize the numberof client authentication requests sent to DC2. What should you do?

A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and assign thesubnet to Site1. Move DC1 to Site1.

B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and assign thesubnet to Site1. Move DC1 to Site1.

C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and assign thesubnet to Site1. Move DC2 to Site1.

D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and assign thesubnet to Site1. Move DC2 to Site1.



QUESTION 30Active Directory Rights Management Services (AD RMS) is deployed on your network. You need to configureAD RMS to use Kerberos authentication. Which two actions should you perform? (Each correct answerpresents part of the solution. Choose two.)

A. Register a service principal name (SPN) for AD RMS.B. Register a service connection point (SCP) for AD RMS.C. Configure the identity setting of the _DRMSAppPool1 application pool.D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS)

Correct Answer: ADSection: (none)Explanation


QUESTION 31Your company has four offices. The network contains a single Active Directory domain. Each office has adomain controller. Each office has an organizational unit (OU) that contains the user accounts for the users inthat office. In each office, support technicians perform basic troubleshooting for the users in their respectiveoffice. You need to ensure that the support technicians can reset the passwords for the user accounts in theirrespective office only. The solution must prevent the technicians from creating user accounts. What should youdo?

A. For each OU, run the Delegation of Control Wizard.

B. For the domain, run the Delegation of Control Wizard.C. For each office, create an Active Directory group, and then modify the security settings for each group.D. For each office, create an Active Directory group, and then modify the controlAccessRights attribute for

each group.



QUESTION 32Your network contains a single Active Directory domain. Client computers run either Windows XP

Service Pack 3 (SP3) or Windows 7. All of the computer accounts for the client computers are located in anorganizational unit (OU) named OU1.

You link a new Group Policy object (GPO) named GPO10 to OU1.

You need to ensure that GPO10 is applied only to client computers that run Windows 7.

What should you do?

A. Create a new OU in OU1. Move the Windows XP computer accounts to the new OU.B. Enable block inheritance on OU1.C. Create a WMI filter and assign the filter to GPO10.D. Modify the permissions of OU1.



QUESTION 33Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active DirectoryRights Management Services (AD RMS) is deployed in each forest. You need to ensure that users from thenwtraders.com forest can access AD RMS protected content in the contoso.com forest. What should you do?

A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.B. Create an external trust from nwtraders.com to contoso.com.C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.D. Create an external trust from contoso.com to nwtraders.com.



QUESTION 34You need to purge the list of user accounts that were authenticated on a read-only domain controller (RODC).What should you do?

A. Run the repadmin.exe command and specify the /prp parameter.B. From Active Directory Sites and Services, modify the properties of the RODC computer object.C. From Active Directory Users and Computers, modify the properties of the RODC computer object.D. Run the dsrm.exe command and specify the -u parameter.



QUESTION 35Your company has a main office and four branch offices.

An Active Directory site exists for each office. Each site contains one domain controller. Each branch office sitehas a site link to the main office site.

You discover that the domain controllers in the branch offices sometimes replicate directly to each other.

You need to ensure that the domain controllers in the branch offices only replicate to the domain controller inthe main office.

What should you do?

A. Modify the firewall settings for the main office site.B. Disable the Knowledge Consistency Checker (KCC) for each branch office site.C. Disable site link bridging.D. Modify the security settings for the main office site.



QUESTION 36Your network contains an Active Directory domain.

You create and mount an Active Directory snapshot.

You run dsamain.exe as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that you can browse the contents of the Active Directory snapshot. What should you?

A. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe.B. Change the value of the dbpath parameter, and then rerun dsamain.exe.C. Change the value of the ldapport parameter, and then rerun dsamain.exe.D. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe.



Exam B


You need to back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group Policy linksfor the domain.

What should you do?

A. From Group Policy Management Console (GPMC), back up the GPOs.B. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.C. From Windows Server Backup, perform a system state backup.D. From Windows PowerShell, run the Backup-GPO cmdlet.



QUESTION 2Your network contains a domain controller that runs Windows Server 2008 R2. You need to reset the DirectoryServices Restore Mode (DSRM) password on the domain controller. Which tool should you use?

A. NtdsutilB. DsamainC. Active Directory Users and ComputersD. Local Users and Groups



QUESTION 3Your network contains an Active Directory forest. All client computers run Windows 7.

The network contains a high-volume enterprise certification authority (CA).

You need to minimize the amount of network bandwidth required to validate a certificate.

What should you do?

A. Configure an LDAP publishing point for the certificate revocation list (CRL).B. Configure an Online Certification Status Protocol (OCSP) responder.C. Modify the settings of the delta certificate revocation list (CRL).D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).



QUESTION 4Your network contains an Active Directory domain. The domain contains an organizational unit (OU) namedOU1. OU1 contains all managed service accounts in the domain. You need to prevent the managed serviceaccounts from being deleted accidentally from OU1. Which cmdlet should you use?

A. Set-ADUserB. Set-ADOrganizationalUnitC. Set-ADServiceAccountD. Set-ADObject



QUESTION 5Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writabledomain controller named DC1 and a read-only domain controller (RODC) named DC2. All domain controllersrun Windows Server 2008 R2. You need to install a new writable domain controller named DC3 in a remotesite. The solution must minimize the amount of replication traffic that occurs during the installation of ActiveDirectory Domain Services (AD DS) on DC3. What should you do first?

A. Run dcpromo.exe /createdcaccount on DC3.B. Run ntdsutil.exe on DC2.C. Run dcpromo.exe /adv on DC3.D. Run ntdsutil.exe on DC1.



QUESTION 6Your network contains an Active Directory forest. The forest contains 10 domains. All domain controllers areconfigured as global catalog servers.

You remove the global catalog role from a domain controller named DC5.

You need to reclaim the hard disk space used by the global catalog on DC5.

What should you do?

A. From Active Directory Sites and Services, run the Knowledge Consistency Checker (KCC).B. From Active Directory Sites and Services, modify the general properties of DC5.C. From Ntdsutil, use the Semantic database analysis option.D. From Ntdsutil, use the Files option.

Correct Answer: DSection: (none)

Explanation


QUESTION 7A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone aredomain controllers.

You add multiple DNS records to the zone.

You need to ensure that the new records are available on all DNS servers as soon as possible.


A. LdpB. RepadminC. NtdsutilD. NslookupE. Active Directory Sites And Services consoleF. Active Directory Domains And Trusts consoleG. DnslintH. Dnscmd


Explanation/Reference:Repadmin /syncall

QUESTION 8You have a DNS zone that is stored in a custom application partition. You need to add a domain controller tothe replication scope of the custom application partition. Which tool should you use?

A. DNScmdB. DNS ManagerC. Server ManagerD. Dsmod



QUESTION 9Your network contains a server named Server1 that runs Windows Server 2008 R2 Standard. Server1 has theActive Directory Certificate Services (AD CS) role installed. You configure a certificate template namedTemplate1 for autoenrollment. You discover that certificates are not being issued to any client computers. Theevent logs on the client computers do not contain any autoenrollment errors. You need to ensure that all of theclient computers automatically receive certificates based on Template1. What should you do?

A. Modify the Default Domain Policy Group Policy object (GPO).B. Modify the Default Domain Controllers Policy Group Policy object (GPO).

C. Upgrade Server1 to Windows Server 2008 R2 Enterprise.D. Restart Certificate Services on Server1.



QUESTION 10Your network contains an Active Directory domain named contoso.com. A partner company has an ActiveDirectory domain named nwtraders.com.

The networks for contoso.com and nwtraders.com connect to each other by using a WAN link.

You need to ensure that users in contoso.com can access resources in nwtraders.com and resources on theInternet.

What should you do first?

A. Modify the Trusted Root Certification Authorities store.B. Modify the Intermediate Certification Authorities store.C. Create conditional forwarders.D. Add a root hint to the DNS server.



QUESTION 11Your network contains an Active Directory forest. The forest contains multiple domains.

You need to ensure that users in the human resources department can search for employees by using theemployeeNumber attribute.

What should you do?

A. From Active Directory Sites and Services, modify the properties of each global catalog server.B. From the Active Directory Schema snap-in, modify the properties of the user object class.C. From Active Directory Sites and Services, modify the NTDS Settings objectof each global catalog server.D. From the Active Directory Schema snap-in, modify the properties of the employeeNumber attribute.



QUESTION 12Your network contains a single Active Directory domain. The domain contains an enterprise certificationauthority (CA).

You need to ensure that the encryption keys for e-mail certificates can be recovered from the CA database.

You modify the e-mail certificate template to support key archival.

What should you do next?

A. Issue the key recovery agent certificate template.B. Run certutil.exe -recoverkey.C. Run certreq.exe-policy.D. Modify the location of the Authority Information Access (AIA) distribution point.



QUESTION 13Your network contains a domain controller that runs Windows Server 2008 R2.

You run the following command on the domain controller:

dsamain.exe C dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit C ldapport 389 -allowNonAdminAccess

The command fails. You need to ensure that the command completes successfully.

How should you modify the command?

A. Change the value of the -dbpath parameter.B. Include the path to Dsamain.C. Change the value of the -ldapport parameter.D. Remove the CallowNonAdminAccess parameter.



QUESTION 14Your network contains an Active Directory domain. The domain contains 10 domain controllers that runWindows Server 2008 R2.

You need to monitor the following information on the domain controllers during the next five days:

Memory usageProcessor usageThe number of LDAP queries

What should you do?

A. Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template.B. Use the System Performance Data Collector Set (DCS).C. Create a User Defined Data Collector Set (DCS) that uses the System Performance template.

D. Use the Active Directory Diagnostics Data Collector Set (DCS).




Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC) namedRODC1.

You need to view the most recent user accounts authenticated by RODC1.


A. From Active Directory Sites and Services, right-click the Connection object for DC1, and then click ReplicateNow.

B. From Active Directory Sites and Services, right-click the Connection object for DC2, and then click ReplicateNow.

C. From Active Directory Users and Computers, right-click contoso.com, click Change DomainController, andthen connect to DC1.

D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, andthen connect to RODC1.



QUESTION 16Your network contains an Active Directory domain. The domain contains 3,000 client computers.All of the client computers run Windows 7.

Users log on to their client computers by using standard user accounts.

You plan to deploy a new application named App1.

The vendor of App1 provides a Setup.exe file to install App1. Setup.exe requires administrative rights to run.

You need to deploy App1 to all client computers. The solution must meet the following requirements:

- App1 must automatically detect and replace corrupt application files.- App1 must be available from the Start menu on each client computer.


A. Create a logon script that calls Setup.exe for App1.B. Create a .zap file.C. Create a startup script that calls Setup.exe for App1.D. Repackage App1 as a Windows Installer package.




Contoso.com contains a server named Server2. You open the System properties on Server2 as shown in theexhibit. (Click the Exhibit button.)

When you attempt to configure Server2 as an enterprise subordinate certification authority (CA),

you discover that the enterprise subordinate CA option is unavailable.

You need to configure Server2 as an enterprise subordinate CA.


A. Upgrade Server2 to Windows Server 2008 R2 Enterprise.B. Log in as an administrator and run Server Manager.C. Import the root CA certificate.D. Join Server2 to the domain.



QUESTION 18Your network contains an Active Directory domain. The domain contains an enterprise certification authority(CA).

You need to ensure that only members of a group named Admin1 can create certificate templates.

Which tool should you use to assign permissions to Admin1?

A. the Certification Authority consoleB. Active Directory Users and ComputersC. the Certificates snap-inD. Active Directory Sites and Services



QUESTION 19Your network contains an Active Directory domain. All DNS servers are domain controllers. You view theproperties of the DNS zone as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that only domain members can register DNS records in the zone. What should you do first?

A. Modify the zone type.B. Create a trust anchor.C. Modify the Advanced properties of the DNS server.D. Modify the Dynamic updates setting.



QUESTION 20Your network contains two Active Directory forests named contoso.com and nwtraders.com. The functionallevel of both forests is Windows Server 2003. Contoso.com contains one domain. Nwtraders.com contains twodomains. You need to ensure that users in contoso.com can access the resources in all domains. The solutionmust require the minimum number of trusts.

Which type of trust should you create?

A. externalB. forestC. realmD. shortcut



QUESTION 21You install an Active Directory domain in a test environment.

You need to reset the passwords of all the user accounts in the domain from a domain controller.

Which two Windows PowerShell commands should you run? (Each correct answer presents part of thesolution, choose two.)

A. $ newPassword = *B. Import-Module ActiveDirectoryC. Import-Module WebAdministrationD. Get- AdUser -filter * | Set- ADAccountPossword - NewPassword $ newPassword - ResetE. Set- ADAccountPossword - NewPassword - ResetF. $ newPassword = (Read-Host - Prompt "New Password" - AsSecureString )G. Import-Module ServerManager

Correct Answer: DFSection: (none)Explanation


QUESTION 22Your network contains two forests named adatum.com and litwareinc.com. The functional level of all thedomains is Windows Server 2003. The functional level of both forests is Windows 2000.

You need to create a forest trust between adatum.com and litwareinc.com.


A. Create an external trust.B. Raise the functional level of both forests.C. Configure SID filtering.D. Raise the functional level of all the domains.



QUESTION 23Your network contains an Active Directory forest named adatum.com.

You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster.

What should you install before you create the AD RMS root cluster?

A. The Failover Cluster featureB. The Active Directory Certificate Services (AD CS) roleC. Microsoft Exchange Server 2010D. Microsoft SharePoint Server 2010E. Microsoft SQL Server 2008

Correct Answer: ESection: (none)Explanation


QUESTION 24Your network contains an Active Directory domain named contoso.com. The contoso.com domain contains adomain controller named DC1.

You create an Active Directory-integrated GlobalNames zone. You add an alias (CNAME) resource recordnamed Server1 to the zone. The target host of the record is server2.contoso.com.

When you ping Server1, you discover that the name fails to resolve. You are able to successfully pingserver2.contoso.com.

You need to ensure that you can resolve names by using the GlobalNames zone.

Which command should you run?

A. Dnscmd DCl.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /domainB. Dnscmd DCl.contoso.com /config /Enableglobalnamessupport forestC. DnscmdDCl.contoso.com/config/Enableglobalnamessupport 1D. Dnscmd DCl.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /forest



QUESTION 25You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server namedServer1.

You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS.

Which protocol should you allow on Server1?

A. KerberosB. SSLC. SMBD. RPC



QUESTION 26Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS)server role is installed on Server1.

An administrator changes the password of the user account that is used by AD RMS. You need to update ADRMS to use the new password.


A. Active Directory Rights Management ServicesB. Active Directory Users and ComputersC. Local Users and GroupsD. Services



QUESTION 27Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted FileSystem (EFS) certificates.

You need to archive the private key for all new EFS certificates.

Which snap-in should you use?

A. Active Directory Users and ComputersB. Authorization ManagerC. Group Policy ManagementD. Enterprise PKIE. Security TemplatesF. TPM ManagementG. CertificatesH. Certification AuthorityI. Certificate Templates

Correct Answer: HSection: (none)Explanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc730721


You need to ensure that users can enroll for certificates that use the IPSEC (Offline request) certificate

template


A. Enterprise PKIB. TPM ManagementC. CertificatesD. Active Directory Users and ComputersE. Authorization ManagerF. Certification AuthorityG. Group Policy ManagementH. Security TemplatesI. Certificate Templates

Correct Answer: ISection: (none)Explanation



You need to approve a pending certificate request.


A. Active Directory Users and ComputersB. Authorization ManagerC. Certification AuthorityD. Group Policy ManagementE. Certificate TemplatesF. TPM ManagementG. CertificatesH. Enterprise PKII. Security Templates



Exam C

QUESTION 1Your network contains an Active Directory domain named adatum.com.

You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).

Under which node in the DNS snap-in should you add a zone?

A. Reverse Lookup ZonesB. adatum.comC. Forward Lookup ZonesD. Conditional ForwardersE. _msdcs.adatum.com



QUESTION 2Your network contains an Active Directory domain named adatum.com. The domain contains a domaincontroller named DC1. DC1 has an IP address of 192.168.200.100.

You need to identify the zone that contains the Pointer (PTR) record for 0C1.

Which zone should you identify?

A. adatum.comB. _msdcs.adatum.comC. 100.168.192.in-addr.arpaD. 200.168.192.in-addr.arpa




The password policy of the domain requires that the passwords for all user accounts be changed every 50days.

You need to create several user accounts that will be used by services. The passwords for these accountsmust be changed automatically every 50 days.

Which tool should you use to create the accounts?

A. Active Directory Administrative CenterB. Active Directory Users and ComputersC. Active Directory Module for Windows PowerShell

D. ADSI EditE. Active Directory Domains and Trusts



QUESTION 4Your network contains an Active Directory domain. The domain contains several domain controllers. You needto modify the Password Replication Policy on a read-only domain controller (RODC).


A. Group Policy ManagementB. Active Directory Domains and TrustsC. Active Directory Users and ComputersD. Computer ManagementE. Security Configuration Wizard



QUESTION 5Your network contains an Active Directory forest. The forest contains two domains named contoso.com andwoodgrovebank.com.

You have a custom attribute named Attribute 1 in Active Directory. Attribute 1 is associated to User objects.

You need to ensure that Attribute1 is included in the global catalog.

What should you do?

A. From the Active Directory Schema snap-in, modify the properties of the Attribute 1 attributeSchema object.B. In Active Directory Users and Computers, configure the permissions on the Attribute 1 attribute for User

objects.C. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the

forest.



QUESTION 6Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the ActiveDirectory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD LDS instances named

Instance1 and Instance2.

You need to remove Instance2 from Server1 without affecting Instance1.


A. NTDSUtilB. DsdbutilC. Programs and Features in the Control PanelD. Server Manager



QUESTION 7Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to collect all of the Directory Services events from all of the domain controllers and store the events ina single central computer.

What should you do?

A. Run the ntdsutil.exe command.B. Run the repodmin.exe command.C. Run the Get-ADForest cmdlet.D. Run the dsamain.exe command.E. Create custom views from Event Viewer.F. Run the dsquery.exe command.G. Configure the Active Directory Diagnostics Data Collector Set (DCS),H. Configure subscriptions from Event Viewer.I. Run the eventcreate.exe command.J. Create a Data Collector Set (DCS).




You need to create a snapshot of Active Directory.

What should you do?

A. Run the dsquery.exe command.B. Run the dsamain.exe command.C. Create custom views from Event Viewer.D. Configure subscriptions from Event Viewer.

E. Create a Data Collector Set (DCS).F. Configure the Active Directory Diagnostics Data Collector Set (DCS).G. Run the repadmin.exe command.H. Run the ntdsutil.exe command.I. Run the Get-ADForest cmdlet.J. Run the eventcreate.exe command.




You mount an Active Directory snapshot.

You need to ensure that you can query the snapshot by using LDAP.

What should you do?

A. Run the dsamain.exe command.B. Create custom views from Event Viewer.C. Run the ntdsutil.exe command.D. Configure subscriptions from Event Viewer.E. Run the Get-ADForest cmdlet.F. Create a Data Collector Set (DCS).G. Run the eventcreate.exe command.H. Configure the Active Directory Diagnostics Data Collector Set (DCS).I. Run the repadmin.exe command.J. Run the dsquery.exe command.



Exam D

QUESTION 1Your network contains an Active Directory forest named adatum.com.

The forest contains four child domains named europe.adatum.com, northamerica.adatum.com,asia.adatum.com, and africa.adatum.com.

You need to create four new groups in the forest root domain. The groups must be configured as shown in thefollowing table.

What should you do?

To answer, drag the appropriate group type to the correct group name in the answer area.

Select and Place:

Correct Answer:

Section: (none)Explanation



You need to use Group Policies to deploy the line-of-business applications shown in the following table.

What should you do?

To answer, drag the appropriate deployment method to the correct application in the answer area.

Select and Place:

Correct Answer:


Explanation/Reference:You can use Group Policy to distribute computer programs by using the following methods: Assigning SoftwareYou can assign a program distribution to users or computers. If you assign the program to a user, it is installedwhen the user logs on to the computer. When the user first runs the program, the installation is finalized. If youassign the program to a computer, it is installed when the computer starts, and it is available to all users wholog on to the computer. When a user first runs the program, the installation is finalized. Publishing SoftwareYou can publish a program distribution to users. When the user logs on to the computer, the published programis displayed in the Add or Remove Programs dialog box, and it can be installed from there.

QUESTION 3Your network contains an Active Directory forest.

The DNS infrastructure fails.

You rebuild the DNS infrastructure.

You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.

Which service should you restart on the domain controllers?

To answer, select the appropriate service in the answer area.

Point and Shoot:

Correct Answer:


Explanation/Reference:The Netlogon service would be involved with this.

QUESTION 4Your network contains an Active Directory forest named contoso.com.

The password policy of the forest requires that the passwords for all of the user accounts be changed every 30days.

You need to create user accounts that will be used by services. The passwords for these accounts must bechanged automatically every 30 days.

Which tool should you use to create these accounts?

To answer, select the appropriate tool in the answer area.

Point and Shoot:

Correct Answer:


Explanation/Reference:Creating a Managed Service Account

Applies To: Windows Server 2008 R2This topic explains how to use the Active Directory module for Windows PowerShell to create a managedservice account. Managed service accounts are used to run various services for applications that are operatingin your domain environment.Example 1The following example demonstrates how to create a service account, SQL-SRV1, in the container ManagedService Accounts in the Fabrikam.com domain:New-ADServiceAccount -Name SQL-SRV1 -Path "CN=Managed ServiceAccounts,DC=FABRIKAM,DC=COM"

QUESTION 5Your network contains an Active Directory domain named contoso.com. The domain contains a domaincontroller named Server1. Server1 has an IP address of 192.168.200.100.

You need to view the Pointer (PTR) record for Server1.

Which zone should you open in the DNS snap-in to view the record?

To answer, select the appropriate zone in the answer area.

Point and Shoot:

Correct Answer:


Explanation/Reference:the corresponding in-addr.arpa zone would be 200.168.192, assuming a default subnet of /24s


You need to create a new site link between two sites named Site1 and Site3. The site link must support the

replication of domain objects.

Under which node in Active Directory Sites and Services should you create the site link?

To answer, select the appropriate node in the answer area

Point and Shoot:

Correct Answer:


Explanation/Reference:To create a site link Open Active Directory Sites and Services. To open Active Directory Sites and Services, click Start, clickAdministrative Tools, and then click Active Directory Sites and Services.In the console tree, right-click the intersite transport protocol that you want the site link to use.Where? Active Directory Sites and Services\Sites\Inter-Site Transports\IP or SMTP

Click New Site Link.In Name, type the name for the site link.In Sites not in this site link, click a site to add to the site link, and then click Add. Repeat to add more sites tothe site link. To remove a site from the site link, in Sites in this link, click the site, and then click Remove.When you have added the sites that you want to be connected by this site link, click OK.

QUESTION 7Your network contains two forests named contoso.com and fabrikam.com. The functional level of all thedomains is Windows Server 2003. The functional level of both forests is Windows 2000. You need to create atrust between contoso.com and fabrikam.com. The solution must ensure that users from contoso.com can onlyaccess the servers in fabrikam.com that have the Allowed to Authenticate permission set.

What should you do?

To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area andarrange them in the correct order.

Build List and Reorder:

Correct Answer:



QUESTION 8Your network contains an Active Directory forest named contoso.com. You need to create an Active DirectoryRights Management Services (AD RMS) licensing-only cluster.

What should you do?



Correct Answer:



QUESTION 9Your network contains an Active Directory forest named contoso.com. The forest contains a domain controllernamed DC1 that runs Windows Server 2008 R2 Enterprise and a member server named Server1 that runsWindows Server 2008 R2 Standard. You have a computer named Computer1 that runs Windows 7. Computer1is not connected to the network. You need to join Computer1 to the contoso.com domain.

What should you do?



Correct Answer:




You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).

Under which node in the DNS snap-in should you add a zone?

To answer, select the appropriate node in the answer area.

Point and Shoot:

Correct Answer:



QUESTION 11Your company has two domain controllers named DC1 and DC2. DC1 hosts all domain and forest operationsmaster roles. DC1 fails. You need to rebuild DC1 by reinstalling the operating system. You also need to rollbackall operations master roles to their original state. You perform a metadata cleanup and remove all references ofDC1.

Which three actions should you perform next?

(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in thecorrect order.)


Correct Answer:



QUESTION 12You need to perform an offline defragmentation of an Active Directory database. Which four actions should youperform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer areaand arrange them in the correct order.)


Correct Answer:



QUESTION 13ABC.com has an Active Directory forest on a single domain. The domain operates Windows Server 2008. Anew administrator accidentally deletes the entire organizational unit in the Active Directory database that hosts6000 objects. You have backed up the system state data using third-party backup software. To restore backup,you start the domain controller in the Directory Services Restore Mode (DSRM). You need to perform anauthoritative restore of the organizational unit and restore the domain controller to its original state. Which threeactions should you perform?


Correct Answer:



Exam E

QUESTION 1Your network contains an Active Directory domain named contoso.com. The domain contains a server namedServer1 and a domain controller named DC1.

On Server1, you configure a collector-initiated subscription for the Application log of DC1. The subscription isconfigured to collect all events.

After several days, you discover that Server1 failed to collect any events from DC1, although there are morethan 100 new events in the Application log of DC1.

You need to ensure that Server1 collects events from DC1.

What should you do?

A. On Server1, run wecutil quick-config.B. On Server1, run winrm quickconfig.C. On DC1, run wecutil quick-config.D. On DC1, run winrm quickconfig.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc748890

QUESTION 2A network contains an Active Directory Domain Services (AD DS) domain. Active Directory is configured asshown in the following table.

The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is WindowsServer 2003.

Active Directory replication between the Seattle site and the Chicago site occurs from 8:00 P.M. to 1:00 A.M.every day.

At 7:00 A.M. an administrator deletes a user account while he is logged on to DC001.

You need to restore the deleted user account. You must achieve this goal by using the minimum administrativeeffort.

What should you do?

A. On DC006, stop AD DS, perform an authoritative restore, and then start AD DS.B. On DC001, run the Restore-ADObject cmdlet.C. On DC006, run the Restore-ADObject cmdlet.D. On DC001, stop AD DS, restore the system state, and then start AD DS.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc755296(v=ws.10).aspx

QUESTION 3Your network contains an Active Directory domain. The domain is configured as shown in the exhibit.

You have a Group Policy Object (GPO) linked to the domain.

You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts inthe Finance organizational unit (OU). You must achieve this goal by using the minimum amount ofadministrative effort.

What should you do?

A. Modify the Group Policy permissions.B. Configure WMI filtering.C. Enable block inheritance.D. Enable loopback processing in replace mode.E. Configure the link order.F. Configure Group Policy Preferences.G. Link the GPO to the Human Resources OU.H. Configure Restricted Groups.I. Enable loopback processing in merge mode.J. Link the GPO to the Finance OU.



http://technet.microsoft.com/en-us/library/cc731076.aspx


You have an organizational unit (OU) named Sales and an OU named Engineering.

You have two Group Policy Objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the SalesOU and contain multiple settings.

You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied, thesetting in GPO2 takes effect.

You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure thatall non-conflicting settings in both GPOs are applied.

What should you do?

A. Configure Restricted Groups.B. Configure the link order.C. Link the GPO to the Sales OU.D. Link the GPO to the Engineer OU.E. Enable loopback processing in merge mode.F. Modify the Group Policy permissions.G. Configure WMI filtering.H. Configure Group Policy Permissions.I. Enable loopback processing in replace mode.J. Enable block inheritance.


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc757050(v=ws.10).aspx#BKMK_change

QUESTION 5A corporate network includes a single Active Directory Domain Services (AD DS) domain.

The HR department has a dedicated organizational unit (OU) named HR. The HR OU has two sub-OUs: HRUsers and HR Computers. User accounts for the HR department reside in the HR Users OU. Computeraccounts for the HR department reside in the HR Computers OU. All HR department employees belong to asecurity group named HR Employees. All HR department computers belong to a security group named HRPCs.


Company policy requires that passwords are a minimum of 6 characters.

You need to ensure that, the next time HR department employees change their passwords, the passwords arerequired to have at least 8 characters. The password length requirement should not change for employees ofany other department.

What should you do?

A. Modify the password policy in the GPO that is applied to the domain.B. Create a new GPO, with the necessary password policy, and link it to the HR Users OU.C. Create a fine-grained password policy and apply it to the HR Users OU.D. Modify the password policy in the GPO that is applied to the domain controllers OU.



QUESTION 6A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular useraccounts reside in an organisational unit (OU) named Employees. All administrator accounts reside in an OUnamed Admins.

You need to ensure that any time an administrator modifies an employee's name in AD DS, the change isaudited.


A. Create a Group Policy Object with the Audit directory service access setting enabled and link it to theEmployees OU.

B. Modify the searchFlags property for the Name attribute in the Schema.C. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the

Admins OU.D. Use the Auditpol.exe command-line tool to enable the directoryservicechanges auditing subcategory.




You need to provide a user named User1 with the ability to create and manage subnet objects. The solutionmust minimize the number of permissions assigned to User1.

What should you do?

A. From Active Directory Users and Computers, run the Delegation of Control wizard.B. From Active Directory Administrative Centre, add User1 to the Schema Admins group.C. From Active Directory Sites and Services, run the Delegation of Control wizard.D. From Active Directory Administrative Centre, add User1 to the Network Configuration Operators group.



QUESTION 8A corporate network contains a Windows Server 2008 R2 Active Directory forest.

You need to add a User Principle Name (UPN) suffix to the forest.

What tool should you use?

A. Dsmgmt.B. Active Directory Domains and Trusts console.C. Active Directory Users and Computers console.D. Active Directory Sites and Services console.




All domain controllers were upgraded from Windows Server 2003 to Windows Server 2008 R2 Service Pack 1(SP1). The functional level of the domain is Windows Server 2003.

You need to configure SYSVOL to use DFS Replication.

Which tools should you use? (Each correct answer presents part of the solution. Choose two.)

A. DfsrmigB. FrsdiagC. NtdsutilD. Set-ADForestE. RepadminF. Set-ADDomainModeG. DFS Management

Correct Answer: AFSection: (none)Explanation


QUESTION 10You manage an Active Directory forest named contoso.com.

The forest contains an empty root domain named contoso.com and a child domain named child.contoso.com.All domain controllers run Windows Server 2008. The functional level of the forest is Windows Server 2008.

You need to raise the functional level of the forest to Windows Server 2008 R2. You must achieve this goal byusing the minimum amount of administrative effort.

What should you do?

To answer, move the appropriate actions from the list of actions to the answer area and arrange them in thecorrect order.


Correct Answer:



QUESTION 11Your network contains an Active Directory forest. The forest contains one domain named contoso.com.

You attempt to run adprep /domainprep and the operation fails.

You discover that the first domain controller deployed to the forest failed.

You need to run adprep /domainprep successfully.

What should you do?

A. Move the domain naming master role.B. Install a read-only domain controller (RODC).C. Move the PDC emulator role.D. Move the RID master role.E. Move the infrastructure master role.F. Deploy an additional global catalog server.G. Move the bridgehead server.H. Move the schema master role.I. Restart the Active Directory Domain Services (AD DS) service.J. Move the global catalog server.



QUESTION 12Your network contains an Active Directory forest named contoso.com. The functional level of the forest isWindows Server 2008 R2.

The DNS zone for contoso.com is Active Directory-integrated.

You deploy a read-only domain controller (RODC) named RODC1.

You install the DNS Server server role on RODC1.

You discover that RODC1 does not have any application directory partitions.

You need to ensure that RODC1 has a copy of the DNS application directory partition of contoso.com.

What should you do?

A. From DNS Manager, create secondary zones.B. Run Dnscmd.exe, and specify the /enlistdirectorypartition parameter.C. From DNS Manager, right-click RODC1 and click Update Server Data Files.D. Run Dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.




You need to identify whether a fine-grained password policy is applied to a specific group.


A. Credential ManagerB. Group Policy Management Editor

C. Active Directory Users and ComputersD. Active Directory Sites and Services



QUESTION 14Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forestcontains one domain. A two-way forest trust exists between the forests.

You plan to add users from fabrikam.com to groups in contoso.com.

You need to identify which group you must use to assign users in fabrikam.com access to the shared folders incontoso.com.

To which group should you add the users?

A. Group 1: Security Group - Domain Local.B. Group 2: Distribution Group - Domain Local.C. Group 3: Security Group - Global.D. Group 4: Distribution Group - Global.E. Group 5: Security Group - Universal.F. Group 6: Distribution Group - Univeral.


Explanation/Reference:I think A is wrong here. You would need to use Universal groups to assign users across forests.

Domain local groups Groups that are used to grant permissions within a single domain. Members of domainlocal groups can include only accounts (both user and computer accounts) and groups from the domain inwhich they are defined.

Global groups Groups that are used to grant permissions to objects in any domain in the domain tree or forest.Members of global groups can include only accounts and groups from the domain in which they are defined.

Universal groups Groups that are used to grant permissions on a wide scale throughout a domain tree orforest. Members of global groups include accounts and groups from any domain in the domain tree or forest.

Security groups Groups that can have security descriptors associated with them. You define security groups indomains using Active Directory Users And Computers.

Distribution groups Groups that are used as e-mail distribution lists. They can't have security descriptorsassociated with them. You define distribution groups in domains using Active Directory Users And Computers.

http://technet.microsoft.com/en-us/library/bb726978.aspx

QUESTION 15Your network contains an Active Directory domain. The domain contains two file servers. The file servers areconfigured as shown in the following table.

You create a Group Policy object (GPO) named GPO1 and you link GPO1 to OU1.

You configure the advanced audit policy.

You discover that the settings are not applied to Server1. The settings are applied to Server2.

You need to ensure that access to the file shares on Server1 is audited.

What should you do?

A. From Active Directory Users and Computers, modify the permissions of the computer account for Server1.B. From GPO1, configure the Security Options.C. From Active Directory Users and Computers, add Server1 to the Event Log Readers group.D. On Server1, run seceditexe and specify the /configure parameter.E. On Server1, run auditpol.exe and specify the /set parameter.




You have an organizational unit (OU) named Sales and an OU named Engineering. Each OU contains over 200user accounts.

The Sales OU and the Engineering OU contain several user accounts that are members of a universal groupnamed Group1.

You have a Group Policy object (GPO) linked to the domain.

You need to prevent the GPO from being applied to the members of Group1 only.

What should you do?

A. Modify the Group Policy permissions.B. Configure Restricted Groups.C. Configure WMI filtering.D. Configure the link order.E. Enable loopback processing in merge mode.F. Link the GPO to the Sales OU.G. Configure Group Policy Preferences.H. Link the GPO to the Engineering OU.I. Enable block inheritance.J. Enable loopback processing in replace mode.




You have two Group Policy objects (GPOS) named GPO1 and GPO2. GPO1 and GPO2 are linked to theFinance organizational unit (OU) and contain multiple settings.

You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied, thesetting in GPO2 takes effect.

You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure thatall non-conflicting settings in both GPOs are applied.

What should you do?

A. Configure the link order.B. Configure Restricted Groups.C. Enable block inheritance.D. Link the GPO to the Finance OU.E. Enable Ioopback processing in merge mode.F. Enable Ioopback processing in replace mode.G. Link the GPO to the Human Resources OU.H. Configure Group Policy Preferences.I. Configure WMI filtering.J. Modify the Group Policy permissions.



QUESTION 18A corporate network includes an Active Directory-integrated zone. AIl DNS servers that host the zone aredomain controllers.




A. Active Directory Sites And Services consoleB. NtdsutilC. DnslintD. Nslookup

Correct Answer: A


Explanation/Reference:ssniyer -- In the case where (Exam J, Q24) Repadmin is not an answer option, I will go with AD Sites andServices because it allows to force AD replication across connection objects.

Both DNSLint and nslookup are diagnostic tools. DNSLint is useful to make sure RRs are associated with theright services and nslookup for domain namespace resolution issues. There is no diagnostic need in thisquestion.

Dnscmd is useful to administer/maintain a DNS server or zone using a command line tool. It is also the righttool to create Application Directory Partition. However, I don't see literature to suggest it as a good replicationtool for AD integrated zones.

QUESTION 19Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domaincontrollers named DC1 and DC2. DC1 and DC2 are configured as DNS servers and host the Active Directory-integrated zone for contoso.com.

From DNS Manager on DC1, you enable scavenging for the contoso.com zone.

You discover stale DNS records in the zone.

You need to ensure that the stale DNS records are deleted from contoso.com.

What should you do?

A. From DNS Manager, enable scavenging on DC1.B. From DNS Manager, reload the zone.C. Run dnscmd.exe and specify the ageallrecords parameter.D. Run dnscmd.exe and specify the startscavenging parameter.



QUESTION 20Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008R2 Enterprise. All client computers run Windows 7 Professional.

The network contains an enterprise certification authority (CA).

You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted FileSystem (EFS) certificates.

All users plan to encrypt files by using EFS.

You need to ensure that the private keys for all new EFS certificates are archived.


A. Share and Storage ManagementB. Security Configuration wizardC. Enterprise PKI

D. Active Directory Administrative CenterE. Certification AuthorityF. Group Policy ManagementG. Certificate TemplatesH. Authorization ManagerI. Certificates


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc730721.aspx

http://technet.microsoft.com/en-us/library/cc730721

QUESTION 21Your network contains an Active Directory forest named adatum.com. All domain controllers currently runWindows Server 2003 Service Pack 2 (SP2). The functional level of the forest and the domain is WindowsServer 2003.

You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.


A. Deploy a writable domain controller that runs Windows Server 2008 R2.B. Raise the functional level of the forest to Windows Server 2008.C. Run adprep.exe.D. Raise the functional level of the domain to Windows Server 2003.



QUESTION 22Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active DirectoryRights Management Services (AD RMS) is deployed in each forest.

You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in thecontoso.com forest.

What should you do?

A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.B. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.C. Create an external trust from nwtraders.com to contoso.com.D. Create an external trust from contoso.com to nwtraders.corn.



http://technet.microsoft.com/en-us/library/dd772648(v=ws.10).aspx


All users have a value set for the Department attribute.

From Active Directory Users and computers, you search a domain for all users who have a Departmentattribute value of Marketing.

The search returns 50 users.

From Active Directory Users and Computers, you search the entire directory for all users who have aDepartment attribute value of Marketing.

The search does not return any users.

You need to ensure that a search of the entire directory for users in the marketing department returns all of theusers who have the Marketing Department attribute.

What should you do?

A. Install the Windows Search Service role service on a global catalog server.B. From the Active Directory Schema snap-in, modify the properties of the Department attribute.C. Install the Indexing Service role service on a global catalog server.D. From the Active Directory Schema snap-in, modify the properties of the user class.



QUESTION 24A corporate network includes a single Active Directory Domain Services (AD DS) domain. The AD DSinfrastructure is shown in the following graphic.

When the Montreal site domain controller is offline, authentication requests for Montreal branch office users aresent to the Toronto site domain controller.

You need to ensure that when the Montreal Site domain controller is offline, authentication requests forMontreal branch office users are sent to the Quebec City site domain controller.

What should you do?

A. Create a site link bndge between the Montreal site and the Quebec City site.B. Enable the global catalog role on the Montreal site domain controller.C. Modify the Default Domain Policy Group Policy Object.D. Delete the Toronto-Montreal Site Link


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc733142(v=ws.10).aspx


You need to activate the Active Directory Recycle Bin in the domain.


A. DsamainB. Set-ADDomainC. Add-WindowsFeatureD. Ldp


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd379481(v=WS.10).aspx

Exam F


The Administrator deletes an OU named OU1 accidentally.

You need to restore OU1. Which cmdlet should you use?

A. Set-ADObject cmdlet.B. Set-ADOrganizationalUnit cmdlet.C. Set-ADUser cmdlet.D. Set-ADGroup cmdlet.



QUESTION 2Your network contains an Active Directory domain. The domain is configured as shown in the exhibit.

You have a Group Policy Object (GPO) linked to the domain.

You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts inthe Finance organizational unit (OU). You must achieve this goal by using the minimum amount ofadministrative effort.

What should you do?

A. Modify the Group Policy Permission.B. Configure WMI filtering.C. Enable block inheritance.D. Enable loopback processing in replace mode.E. Configure the link order.F. Configure Group Policy Preferences.G. Link the GPO to the Human Resources OU.H. Configure Restricted Groups.I. Enable loopback processing in merge mode.J. Link the GPO to the Finance OU.




All users have a value set for the Department attribute.

From Active Directory Users and Computers, you search a domain for all users who have a Department

attribute value of Marketing. The search returns 50 users.

From Active Directory Users and Computers, you search the entire directory for all users who have aDepartment attribute value of Marketing.

The search does not return any users.

You need to ensure that a search of the entire directory for users in the marketing department returns all of theusers who have the Marketing Department attribute.

What should you do?

A. Install the Windows Search Service role service on a global catalog server.B. From the Active Directory Schema snap-in modify the properties of the Department attribute.C. Install the Indexing Service role service on a global catalog server.D. From the Active Directory Schema snap-in modify the properties of the user class.




You discover the following event in the Event log of domain controllers: "The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is " %1 ""

You need to ensure that the domain controllers can acquire new account-identifier pools successfully.

What should you do?

A. Move the PDC emulator role.B. Move the schema master role.C. Move the global catalog server.D. Move the domain naming master role.E. Move the infrastructure master role.F. Move the RID master role.G. Restart the Active Directory Domain Services (AD DS) service.H. Deploy an additional global catalog server.I. Move the bridgehead server.J. Install a read-only domain controller (RODC).

Correct Answer: FSection: (none)Explanation

Explanation/Reference:http://technet.microsoft.com/en-us/library/cc756699(v=ws.10)


You need to create one password policy for administrators and another password policy for all other users.


A. NtdsutilB. Active Directory Users and ComputersC. ADSI EditD. Group Policy Management Console (GPMC)


Explanation/Reference:http://technet.microsoft.com/en-US/library/cc754461.aspx


You need to identify whether a fine-grained password policy is applied to a specific group.


A. Active Directory Sites and ServicesB. Authorization ManagerC. Local Security PolicyD. ADSI Edit


Explanation/Reference:The link below instructs you to access the "Attribute Editor" via Active Directory Users and Computers. Howeverthe "Attribute Editor" can also be accessed by right-clicking on a user or group in ADSI Edit.

http://technet.microsoft.com/en-US/library/cc770848.aspx





A. RepadminB. Active Directory Domains and Trusts consoleC. LdpD. Ntdsutil


Explanation/Reference:http://technet.microsoft.com/en-us/library/cc835086(v=ws.10)

QUESTION 8Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forestcontains a single domain.

A two-way forest trust exists between the forests. Selective authentication is enabled on the trust.

Contoso.com contains a group named Group 1.

Fabrikam.com contains a server named Server1.

You need to ensure that users in Group1 can access resources on Server1.

What should you modify?

A. the permissions of the Group1 groupB. the UPN suffixes of the contoso.com forestC. the UPN suffixes of the fabrikam.com forestD. the permissions of the Server1 computer account


Explanation/Reference:Please Check Answer



Users in the Sates OU frequently log on to client computers in the Engineering OU.

You need to meet the following requirements:

- All of the user settings in the Group Policy objects (GPOs) linked to both the Sales OU and the EngineeringOU must be applied to sales users when they log on to client computers in the Engineering OU.- Only the policy settings in the GPOs linked to the Sales OU must be applied to sales users when they log onto client computers in the Sales OU.- Policy settings in the GPOs linked to the Sales OU must not be applied to users in the Engineering OU.

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Sales OU.J. Link the GPO to the Engineering OU.



Loopback with Merge—In the case of Loopback with Merge, the Group Policy object list is a concatenation.The default list of GPOs for the user object is obtained, as normal, but then the list of GPOs for the computer(obtained during computer startup) is appended to this list. Because the computer's GPOs are processed afterthe user's GPOs, they have precedence if any of the settings conflict.

http://technet.microsoft.com/en-us/library/cc782810%28v=ws.10%29.aspx

QUESTION 10You have an Active Directory domain named contoso.com.

You need to view the account lockout threshold and duration for the domain.


A. Computer ManagementB. Net ConfigC. Active Directory Users and ComputersD. Gpresult



QUESTION 11Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008R2.


You need to ensure that all of the members of a group named Managers can view the event log entries forCertificate Services.


A. Active Directory Administrative CenterB. Authorization ManagerC. Certificate TemplatesD. CertificatesE. Certification AuthorityF. Enterprise PKIG. Group Policy ManagementH. Security Configuration WizardI. Share and Storage Management

Correct Answer: G


Explanation/Reference:There is mention of an Event Log Reader Group. Membership should be able to be configured in AD Usersand Groups. Check this answer. In the MMFSH dump he has the anwser AD Users and Groups, however thisis not a option here so I have left it Group Policy Management.

QUESTION 12Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008R2 Enterprise. All client computers run Windows 7 Professional.


You need to approve a pending certificate request.


A. Active Directory Administrative CenterB. Authorization ManagerC. Certificate TemplatesD. CertificatesE. Certification AuthorityF. Enterprise PKIG. Group Policy ManagementH. Security Configuration WizardI. Share and Storage Management






You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts inthe Sales OU. You must achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.

I. Link the GPO to the Sales OU.J. Link the GPO to the Engineering OU.



QUESTION 14A corporate network includes a single Active Directory Domain Services (AD DS) domain. The domain contains10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNSservers.

You plan to create an Active Directory-integrated zone.

You need to ensure that the new zone is replicated to only four of the domain controllers.


A. Use the ntdsutil tool to modify the DS behavior for the domain.B. Use the ntdsutil tool to add a naming context.C. Create a new delegation in the ForestDnsZones application directory partition.D. Use the dnscmd tool with the /zoneadd parameter.



QUESTION 15A corporate network includes a single Active Directory Domain Services (AD DS) domain and two AD DS sites.The AD DS sites are named Toronto and Montreal. Each site has multiple domain controllers.

You need to determine which domain controller holds the Inter-Site Topology Generator role for the Torontosite.

What should you do?

A. Use the Active Directory Sites and Services console to view the NTDS Site Settings for the Toronto site.B. Use the Ntdsutil tool with the roles parameter.C. Use the Ntdsutil tool with the LDAP policies parameter.D. Use the Active Directory Sites and Services console to view the properties of each domain controller in the

Toronto site.



QUESTION 16Your network contains an Active Directory domain. The domain contains five sites. One of the sites contains a

read-only domain controller (RODC) named RODC1.

You need to identify which user accounts can have their password cached on RODC1.


A. RepadminB. DcdiagC. Get-ADDomainControllerPasswordReplicationPolicyUsageD. Adtest


Explanation/Reference:The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts thatare authenticated by a read-only domain controller (RODC) or that have passwords that are stored on thatRODC. The list of accounts that are stored on a RODC is known as the revealed list.

http://technet.microsoft.com/en-us/library/ee617194.aspx

QUESTION 17A network contains an Active Directory forest. The forest contains three domains and two sites.

You remove the global catalog from a domain controller named DC2. DC2 is located in Site1.

You need to reduce the size of the Active Directory database on DC2. The solution must minimize the impacton all users in Site1.


A. On DC2, start the Protected Storage service.B. On DC2, stop the Active Directory Domain Services service.C. Start DC2 in Safe Mode.D. Start DC2 in Directory Services Restore Mode.



QUESTION 18You have an enterprise subordinate certification authority (CA).

You have a custom certificate template that has a key length of 1,024 bits. The template is enabled forautoenrollment.

You increase the template key length to 2,048 bits.

You need to ensure that all current certificate holders automatically enroll for a certificate that uses the newtemplate.


A. Group Policy Management MMC Snap-InB. Certificates MMC Snap-In on the Certificate AuthorityC. Certificate Templates MMC Snap-InD. Certification Authority MMC Snap-In




You attempt to create a new child domain and you receive the following error message: "An LDAP read ofoperational attributes failed."

You need to ensure that you can add a new child domain to the forest.

What should you do?

A. Move the PDC emulator role.B. Move the RID master role.C. Move the infrastructure master role.D. Move the schema master role.E. Move the domain naming master role.F. Move the global catalog server.G. Move the bridgehead server.H. Install a read-only domain controller (RODC).I. Deploy an additional global catalog server.J. Restart the Active Directory Domain Services (AD DS) service.





You need to ensure that when users log on to client computers, they are added automatically to the localAdministrators group. The users must be removed from the group when they log off of the client computers.

What should you do?

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.

F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the Group Policy object (GPO) to the Sales OU.J. Link the Group Policy object (GPO) to the Engineering OU.



QUESTION 21Your network contains an Active Directory forest named contoso.com. The forest contains two member serversnamed Server1 and Server2. Server1 and Server2 have the DNS Server server role installed.

Server1 hosts a standard primary zone for contoso.com. Server2 is configured as a secondary name server forcontoso.com.

You experience issues with the copy of the zone on Server2,

You verify that both copies of the zone have the same serial number.

You need to transfer a complete copy of the zone from Server1 to Server2.

What should you do on Server2?

A. From DNS Manager, right-click contoso.com and click Transfer from Master.B. From Services, right-click DNS Server and click Refresh.C. From Services, right-click DNS Server and click Restart.D. From DNS Manager, right-click contoso.com and click Reload.E. From DNS Manager, right-click contoso.com and click Transfer a new copy of zone from Master.



QUESTION 22Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllernamed DC3 and DC4,

The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is WindowsServer 2003.

Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day.

At 07:00, an administrator deletes a user account while he is logged on to DC1.

"A Composite Solution With Just One Click" - Certification Guaranteed 266 Microsoft 70-640 ExamYou need to restore the deleted user account. You want to achieve this goal by using the minimum amount ofadministrative effort.

What should you do?

A. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start ActiveDirectory Domain Services.

B. On DC3, run the Restore-ADObject cmdlet.C. On DC1, run the Restore-ADObject cmdlet.D. On DC1, stop Active Directory Domain Services, restore the SystemState, and then start Active Directory

Domain Services.



QUESTION 23Your network contains an Active Directory forest named contoso.com. The functional level of the forest isWindows Server 2008 R2

The DNS zone for contoso.com is Active Directory-integrated.

You deploy a read-only domain controller (RODC) named R0DC1. You install the DNS Server server role onR0DC1.

You discover that R0DC1 does not have any DNS application directory partitions.

You need to ensure that R0DC1 has a copy of the DNS application directory partition of contoso.com.

What should you do? (Each correct answer presents a complete solution. Choose two.)

A. From DNS Manager, right-click RODC1 and click Create Default Application Directory Partitions.B. Run ntdsutil.exe. From the Partition Management context, run the create nc command.C. Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.D. Run ntdsutil.exe. From the Partition Management context, run the add nc replica command.E. Run dnscmd.exe and specify the /enlistdirectorypartition parameter.

Correct Answer: DESection: (none)Explanation

Explanation/Reference:Please Check but I think this should be A and C and not A and D.

I have changed it to A and C.

Reason: Once the application directory partition is created, contoso.com should replicate to it.

Dnscmd /enlistdirectorypartition --- Adds the DNS server to the specified directory partition's replica set.

Dnscmd /createbuiltindirectorypartitions

Creates a DNS application directory partition. When DNS is installed, an application directory partition for theservice is created at the forest and domain levels. Use this command to create DNS application directorypartitions that were deleted or never created. With no parameter, this command creates a built-in DNSdirectory partition for the domain.

To create the default DNS application directory partitions

Using the Windows interface

Open DNS.

In the console tree, right-click the applicable DNS server.

Where?

DNS/applicable DNS server

Click Create Default Application Directory Partitions.

Follow the instructions to create the DNS application directory partitions.





A. NtdsutilB. DnscmdC. RepadminD. Nslookup


Explanation/Reference:Please Check

Repadmin /syncall

Because this is a Active Directory-integrated zone, you can use Repadmin /syncall to update everythingencluding DNS records.

QUESTION 25Your network contains three servers named ADFS1, ADFS2, and ADFS3 that run Windows Server 2008 R2.ADFS1 has the Active Directory Federation Services (AD FS) Federation Service role service installed.

You plan to deploy AD FS 2.0 on ADFS2 and ADFS3.

You need to export the token-signing certificate from ADFS1, and then import the certificate to ADFS2 andADFS3.

A. Personal Information Exchange PKCS #12 (.pfx)B. DER encoded binary X.509 (.cer)C. Cryptographic Message Syntax Standard PKCS #7 (.p7b)D. Base-64 encoded X.S09 (.cer)



QUESTION 26Your network contains an Active Directory domain named contoso.com. The functional level of the forest isWindows Server 2008 R2.

The Default Domain Controller Policy Group Policy object (GPO) contains audit policy settings.

On a domain controller named DC1, an administrator configures the Advanced Audit Policy Configurationsettings by using a local GPO.

You need to identify what will be audited on DC1.


A. Get-ADObjectB. SeceditC. Security Configuration and AnalysisD. Auditpol



QUESTION 27A network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.

You need to view the custom attribute value of 500 user accounts in a Microsoft Excel table.


A. DsmodB. CsvdeC. LdifdeD. Dsrm



QUESTION 28Your network contains an Active Directory forest named contoso.com. The forest contains a single domain and10 domain controllers. All of the domain controllers run Windows Server 2008 R2 Service Pack 1 (SP1).

The forest contains an application directory partition named dc=app1, dc=contoso,dc=com. A domain controllernamed DC1 has a copy of the application directory partition.

You need to configure a domain controller named DC2 to receive a copy of dc=app1, dc=contoso,dc=corn.


A. Active Directory Sites and ServicesB. DsmodC. DcpromoD. Dsmgmt



I don't think this is Dsmod. It is most likely Dcpromo.

Dsmod -- Modifies an existing object of a specific type in the directory.

QUESTION 29Your network contains an Active Directory forest. The forest contains three domains. All domain controllershave the DNS Server server role installed.

The forest contains three sites named Site1, Site2, and Site3. Each site contains the users, client computers,and domain controllers of each domain. Site1 contains the first domain controller deployed to the forest.

"A Composite Solution With Just One Click" - Certification Guaranteed 277 Microsoft 70-640 ExamThe sites connect to each other by using unreliable WAN links.

The users in Site2 and Site3 report that is takes a long time to log on to their client computer when they usetheir user principal name (UPN). The users in Site1 do not experience the same issue.

You need to reduce the amount of time it takes for the Site2 users and the Site3 users to log on to their clientcomputer by using their UPN.

What should you do?

A. Configure a global catalog server in Site2 and a global catalog server in Site3.B. Reduce the replication interval of the site links.C. Move a primary domain controller (PDC) emulator to Site2 and to Site3.D. Add additional domain controllers to Site2 and to Site3.E. Reduce the cost of the site links.F. Enable universal group membership caching in Site2 and in Site3.



QUESTION 30You have a client computer named Computer1 that runs Windows 7.

On Computer1, you configure a source-initiated subscription.

You configure the subscription to retrieve all events from the Windows logs of a domain controller named DC1.The subscription is configured to use the HTTP protocol.

You discover that events from the Security log of DC1 are not collected on Computer1. Events from theApplication log of DC1 and the System log of DC1 are collected on Computer1.

You need to ensure that events from the Security log of DC1 are collected on Computer1.

What should you do?

A. Add the computer account of Computer1 to the Event Log Readers group on the domain controller.B. Add the Network Service security principal to the Event Log Readers group on the domain.C. Configure the subscription to use custom Event Delivery Optimization settings.D. Configure the subscription to use the HTTPS protocol.



QUESTION 31Your network contains an Active Directory domain named litwareinc.com. The domain contains two sitesnamed Sitel and Site2. Site2 contains a read-only domain controller (RODC).

You need to identify which user accounts attempted to authenticate to the RODC.


A. Active Directory Users and ComputersB. NtdsutilC. Get-ADAccountResultantPasswordReplicationPolicyD. Adtest


Explanation/Reference:Get-ADDomainControllerPasswordReplicationPolicyUsage

o get accounts that are authenticated by the RODC, use the AuthenticatedAccounts parameter. To get theaccounts that have passwords stored on the RODC, use the RevealedAccounts parameter.

http://technet.microsoft.com/en-us/library/ee617194.aspx

QUESTION 32Your network contains an Active Directory forest. The forest schema contains a custom attribute for userobjects.

You need to generate a file that contains the last logon time and the custom attribute values for each user in theforest.

What should you use?

A. the Get-ADUser cmdletB. the Export-CSV cmdletC. the Net User commandD. the Dsquery User tool



QUESTION 33A company has an Active Directory forest. You plan to install an offline Enterprise root certification authority(CA) on a server named CA1. CA1 is a member of the PerimeterNetwork workgroup and is attached to ahardware security module for private key storage.

You attempt to add the Active Directory Certificate Services (AD CS) server role to CA1. The Enterprise CAoption is not available.

You need to install the AD CS server role as an Enterprise CA on CA1.


A. Add the DNS Server server role to CA1.B. Add the Web Server (IIS) server role and the AD CS server role to CA1.C. Add the Active Directory Lightweight Directory Services (AD LDS) server role to CA1.D. Join CA1 to the domain.



QUESTION 34Your company has an Active Directory forest. Each regional office has an organizational unit (OU) namedMarketing. The Marketing OU contains all users and computers in the region's Marketing department.

You need to install a Microsoft Office 2007 application only on the computers in the Marketing OUs.

You create a GPO named MarketingApps.

What should you do next?

A. Configure the GPO to assign the application to the computer account. Link the GPO to the domain.B. Configure the GPO to assign the application to the user account. Link the GPO to each Marketing OU.C. Configure the GPO to assign the application to the computer account. Link the GPO to each Marketing OU.D. Configure the GPO to publish the application to the user account. Link the GPO to each Marketing OU.



QUESTION 35Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click theExhibit button.)

Each organizational unit (OU) contains over 500 user accounts.

The Finance OU and the Human Resources OU contain several user accounts that are members of a universalgroup named Group1.


You need to prevent the GPO from being applied to the members of Group1 only.

What should you do?

Exhibit:

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Finance OU.J. Link the GPO to the Human Resources OU.



Exam G

QUESTION 1Your network contains an Active Directory domain. The domain contains a domain controller named DC1 thatruns windows Server 2008 R2 Service Pack 1 (SP1).

You need to implement a central store for domain policy templates.

What should you do?

To answer, select the source content that should be copied to the destination folder in the answer area.

Hot Area:

Correct Answer:


Explanation/Reference:http://www.petri.co.il/creating-group-policy-central-store.htm


The password policy for the domain is configured as shown in the Current Policy exhibit, (Click the Exhibitbutton.)

You change the password policy for the domain as shown in the New Policy exhibit. (Click the Exhibit button.)

You need to provide users with examples of a valid password.

Which password examples should you provide to the users? (Each correct answer presents a completesolution. Choose three.)

A. 123456!@#$%^B. !@#$1234ABCDC. passwordl234D. 1-2-3-4-5-a-b-c-eE. %%PASS1234%%F. 111111aaaaaaa

Correct Answer: BDESection: (none)Explanation

Explanation/Reference:Passwords must contain characters from three of the following five categories:

Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic

characters)

Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrilliccharacters)

Base 10 digits (0 through 9)

Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/

Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. Thisincludes Unicode characters from Asian languages.

http://technet.microsoft.com/en-us/library/cc786468%28v=ws.10%29.aspx

QUESTION 3Your network contains an Active Directory forest named contoso.com. The functional level of the forest isWindows Server 2008 R2. The forest contains a single domain.

You need to ensure that objects can be restored from the Active Directory Recycle Bin.


A. NtdsutilB. Set-ADDomainC. DsamainD. Enable-ADOptionalFeature


Explanation/Reference:http://technet.microsoft.com/en-us/library/dd379481%28v=ws.10%29.aspx

QUESTION 4Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click theExhibit button.)

Users in the Finance organizational unit (OU) frequently log on to client computers in the Human ResourcesOU.

You need to meet the following requirements:

- All of the user settings in the Group Policy objects (GPOs) linked to both the Finance OU and the HumanResources OU must be applied to finance users when they log on to client computers in the Engineering OU.- Only the policy settings in the GPOs linked to the Finance OU must be applied to finance users when they logon to client computers in the Finance OU.- Policy settings in the GPOs linked to the Finance OU must not be applied to users in the Human ResourcesOU.

What should you do?

Exhibit:

A. Modify the Group Policy permissions.B. Enable block inheritance.C. Configure the link order.D. Enable loopback processing in merge mode.E. Enable loopback processing in replace mode.F. Configure WMI filtering.G. Configure Restricted Groups.H. Configure Group Policy Preferences.I. Link the GPO to the Finance OU.J. Link the GPO to the Human Resources OU.



QUESTION 5Your company plans to open a new branch office.

The new office will have a low-speed connection to the Internet.

You plan to deploy a read-only domain controller (RODC) in the branch office.

You need to create an offline copy of the Active Directory database that can be used to install the ActiveDirectory on the new RODC.

Which commands should you run from Ntdsutil?

To answer, move the appropriate actions from the list of actions to the answer area and arrange them in thecorrect order.

Select and Place:

Correct Answer:




You need to use Group Policies to deploy the applications shown in the following table.

What should you do?

To answer, drag the appropriate deployment method to the correct application in the answer area.

Select and Place:

Correct Answer:




You need to view which password setting object is applied to a user.

Which filter option in Attribute Editor should you enable? To answer, select the appropriate filter option in theanswer area.

Hot Area:

Correct Answer:



QUESTION 8Your network contains two Active Directory forests named contoso.com and fabrikam.com.

A two-way forest trust exists between the forests. Selective authentication is enabled on the trust.

Fabrikam.com contains a server named Server1.

You assign Contoso\Domain Users the Manage documents permission and the Print permission to a sharedprinter on Server1.

You discover that users from contoso.com cannot access the shared printer on Server1.

You need to ensure that the contoso.com users can access the shared printer on Server1.

Which permission should you assign to Contoso\Domain Users.

To answer, select the appropriate permission in the answer area.

Hot Area:

Correct Answer:



QUESTION 9Your network contains an Active Directory forest named contoso.com. The forest contains two sites namedSeattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configuredas shown in the following table.

The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server in the forest.

You need to configure DC2 as a global catalog server.

Which object's properties should you modify?

To answer, select the appropriate object in the answer area.

Hot Area:

Correct Answer:


Explanation/Reference:To designate a domain controller to be a global catalog server

Open Active Directory Sites and Services.

In the console tree expand the Sites container, and then expand the site in which you are designating aglobal catalog server.

Expand the Servers container and then expand the Server object for the domain controller that you want todesignate as a global catalog server.

Right-click the NTDS Settings object for the target server, and then click Properties.

Select the Global Catalog check box, and then click OK.

http://technet.microsoft.com/en-us/library/cc782576%28v=ws.10%29

QUESTION 10Your network contains an Active Directory forest named contoso.com. The forest contains two Active Directorysites named Seattle and Montreal. The Montreal site is a branch office that contains only a single read-onlydomain controller (RODC).

You accidentally delete the site link between the two sites.

You recreate the site link while you are connected to a domain controller in Seattle.

You need to replicate the change to the RODC in Montreal.

Which node in Active Directory Sites and Services should you use?

To answer, select the appropriate node in the answer area.

Hot Area:

Correct Answer:



QUESTION 11Your network contains an Active Directory forest named contoso.com. The forest contains two sites namedSeattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configuredas shown in the following table.

You need to enable universal group membership caching in the Seattle site.

Which object's properties should you modify?

To answer, select the appropriate object in the answer area.

Hot Area:

Correct Answer:




Documents

Microsoft Certkiller 70-640 Exam Bundle · Microsoft Certkiller 70-640 Exam Bundle Number : 70-640 Passing Score : 700 Time Limit : 145 min File Version : 23.7 Microsoft 70-640 Exam