Page 1 of 173

Item: 1 (Ref:Cert-70-640.2.2.2)
You are the administrator of your company's Windows Server 2008 single Active Directory forest. The forest consists of one domain, named verigon.com. All servers on the domain run Windows Server 2008, and all client computers run Windows Vista. The functional level of the network is Windows Server 2008. Verigon has decided to purchase a company called DreamSuites. The DreamSuites company network consists of a single Windows Server 2003 domain, named dreamsuites.com. The users in the sales department of Verigon need to access files from the sales department on several servers of DreamSuites. The server at DreamSuites is named Server1. You must configure access for Verigon's users, but DreamSuites users must not be allowed access to Verigon. What should you do?
Configure a one-way external trust where dreamsuites.com trusts verigon.com.
Configure a one-way external trust where verigon.com trusts dreamsuites.com.
Configure a one-way shortcut trust between the dreamsuites.com domain and the verigon.com domain.
Configure a one-way shortcut trust between the verigon.com domain and the dreamsuites.com domain.

Answer: Configure a one-way external trust where dreamsuites.com trusts verigon.com.

Explanation:
You should configure a one-way external trust where dreamsuites.com trusts verigon.com. A one-way external trust allows an explicit trust to be created between a Windows Server 2008 forest and a Windows Server 2003 domain. The domain providing access to the resource is configured as the trusting domain, and the domain containing the users who will gain access to the resources is configured as the trusted domain. To allow users to access resources on Server1 in the dreamsuites.com domain, the dreamsuites.com domain must trust the verigon.com domain.

With outgoing forest and external trusts, you can specify either selective or domain-wide authentication. Domain-wide authentication gives users from a trusted domain the same level of access to local resources as users from the local forest. Selective authentication allows users from a trusted domain to authenticate only to those resources to which they are explicitly allowed to authenticate. In this scenario, the sales department at Verigon needs to access sales department files on several DreamSuites servers, so you can configure domain-wide authentication. If the Verigon users needed access to a single server, you could use selective authentication to ensure that Verigon users have access only to that server.

You should not configure a one-way external trust where verigon.com trusts dreamsuites.com. This would allow the users at dreamsuites.com to access resources in the verigon.com domain, which is the opposite of the objective stated in the scenario.

You cannot configure a one-way shortcut trust between the dreamsuites.com domain and the verigon.com domain. A shortcut trust is configured to allow access to resources between two domains that are logically distant from each other in the Active Directory tree. These domains must reside in the same Active Directory forest, which verigon.com and dreamsuites.com do not.

Item: 2 (Ref:Cert-70-640.3.3.10)
You are the network administrator for your company. The company network consists of Windows Server 2003 domain controllers. You plan to install a new Windows Server 2008 domain controller in the existing domain. This domain controller will be the first Windows Server 2008 writable domain controller in the Windows Server 2003 domain, and you would like it to be a global catalog server as well. What should you do before installing the new Windows Server 2008 domain controller?
Run the adprep /rodcprep command on any computer in the forest to prepare the forest.
Run the adprep /domainprep command on the infrastructure master to prepare the domain.
Run the adprep /domainprep /gpprep command on the infrastructure master to prepare the domain.
Run the adprep /forestprep command on the schema operations master for extending the schema.

Copyright 2009 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.

Answer: Run the adprep /forestprep command on the schema operations master for extending the schema.

Explanation:
You should run the adprep /forestprep command on the schema operations master to extend the schema before installing the new Windows Server 2008 domain controller. This command prepares the forest by extending the schema, and you must run it on the schema operations master. After running adprep /forestprep on the schema master, you must run the adprep /domainprep command on the infrastructure master in each domain in the forest.

You should not run the adprep /domainprep command on the infrastructure master to prepare the domain before installing the new Windows Server 2008 domain controller. This command prepares the existing Windows Server 2003 domains for installing a new Windows Server 2008 domain controller. However, it must be preceded by preparing the forest with the adprep /forestprep command on the schema operations master. After preparing the forest and the domain, you must then install Active Directory Domain Services (AD DS) to create a new Windows Server 2008 domain controller. If you also want it to be a global catalog server, this can be accomplished after the installation by using the Active Directory Users and Computers tool or the Active Directory Domains and Trusts tool.

You should not run the adprep /rodcprep command on any computer in the forest to prepare the forest before installing the new Windows Server 2008 domain controller. This command is used to prepare the forest to install a Read Only Domain Controller (RODC), and it can be run on any computer in the forest.

You should not run the adprep /domainprep /gpprep command on the infrastructure master to prepare the domain before installing the new Windows Server 2008 domain controller. This command is used to prepare a Windows 2000 Server domain, not a Windows Server 2003 domain, to install a new Windows Server 2008 domain controller.

Item: 3 (Ref:Cert-70-640.6.2.4)
You are the network administrator for your company. Your company's network has a single domain. All servers and domain controllers run Windows Server 2008, and all client computers run Windows Vista. You have a public key infrastructure that maintains a subordinate enterprise Certification Authority (CA), which issues certificates on behalf of the root CA. All CAs use Windows Server 2008. Your company uses a proprietary application that tracks customer shipments and orders. You want to ensure that the code in the application has not been tampered with. The AppUsers group monitors the application for flaws. You want to achieve the following:
Have a code-signing certificate automatically issued to the AppUsers group.
Ensure that the certificate utilizes Suite B cryptography settings.
What should you do to achieve the objective? (Drag the steps from the Choices area and place them sequentially in the Correct Order area. It may not be necessary to use all the steps provided.)


Explanation:
You should do the following:

To create a new certificate template, you can use the Certificate Templates snap-in. You can highlight the appropriate certificate template and duplicate the existing template. You should create the duplicate based on an existing template that is closest in function to the target template. Although most settings in the certificate template can be edited after the template is duplicated, you cannot change the subject type, such as Code Signing, Web, or Exchange User. If you use an existing certificate template, such as Code Signing, without duplicating it, you will not be able to edit most of its settings.


You should create the template using Windows Longhorn Enterprise edition as the minimum CA level. Version 3 certificates are issued by Windows Server 2008 servers that are Certification Authorities. Version 3 certificates include the Suite B cryptographic settings, which provide advanced options for encryption, digital signatures, key exchange, and hashing. These types of certificates can only be used by Windows Server 2008 and Windows Vista clients. In this scenario, all computers run either Windows Server 2008 or Windows Vista, and you want to ensure that the certificate utilizes Suite B cryptography settings.

You should not create the template based on Windows Server 2003 Enterprise edition as the minimum CA level. Windows Server 2003 servers that are Certification Authorities issue Version 2 certificates. You are able to edit most settings with Version 2 certificates, but they do not utilize Suite B cryptography settings. A Windows Server 2008 CA can issue Version 1, Version 2, and Version 3 certificates. A Windows Server 2003 CA can only issue Version 1 and Version 2 certificates.

You should assign the AppUsers group the Read, Enroll, and Autoenroll permissions on the template. The Autoenroll permission is needed in addition to the Enroll permission for a user to be automatically enrolled for a given certificate template.


Item: 4 (Ref:Cert-70-640.4.3.5)
You are a network administrator for your company. The corporate network consists of a single Active Directory domain where all servers run Windows Server 2008 and all client computers run Windows Vista. All client computer accounts reside in the Computers container, and all user accounts reside in the Users container. The company's written security policy dictates that certain restrictions be applied to all client computers and to all users who work on those computers. These restrictions should not apply to any other computers. You create a Group Policy object (GPO) and configure the appropriate user and computer policies in it. Which of the following should you do next?
Link the GPO to the Computers container.
Link the GPO to the Users container.
Link the GPO to the Computers container and to the Users container.
Move all user accounts to an OU, link the GPO to the OU, and enable the loopback processing mode in the GPO.
Move the computer objects for all of the client computers to an OU, link the GPO to the OU, and enable the loopback processing mode in the GPO.
Link the GPO to the domain and enable Block Policy inheritance for the Domain Controllers OU.

Answer: Move the computer objects for all of the client computers to an OU, link the GPO to the OU, and enable the loopback processing mode in the GPO.

Explanation:
There are two subsets of policies in a GPO: Computer Configuration and User Configuration. The policies in the Computer Configuration folder are computer-specific, and the policies in the User Configuration folder are user-specific. Computer-specific policies apply only to the computer objects that are targeted by the GPO, and user-specific policies apply only to the user objects that are targeted by the GPO. To meet the requirements of this scenario, you must enforce both computer-specific and user-specific policies. The computer-specific policies should apply to all client computers, and the user-specific policies should apply to all users who log on at any of the client computers.

You can accomplish this task by enabling the User Group Policy loopback processing mode policy, which is located in the Computer Configuration\Administrative Templates\System\Group Policy folder in the GPO namespace. When this policy is enabled in a GPO that targets computers, the user-specific policies in all GPOs that target those computers are applied to any user who logs on at any of those computers. If you set this policy to Replace, the GPOs that target the user are not applied to the user. If you set this policy to Merge, user-specific policies from both the GPOs that target the computer and the GPOs that target the user are applied; if there are any conflicting settings, the user-specific policy settings from the GPOs that target the computer take precedence.

In this scenario, you should create an organizational unit (OU), move all client computer accounts into that OU, link the GPO to that OU, and enable the loopback processing mode in the GPO. GPOs can be linked only to sites, domains, and OUs; they cannot be linked to generic Active Directory containers, such as the Computers or Users containers. If you linked the GPO to an OU where only user objects reside, only the user-specific policies in the GPO would be enforced. If you linked the GPO to the domain and blocked policy inheritance on the Domain Controllers OU, the GPO would apply to member servers in addition to all client computers.

Item: 5 (Ref:Cert-70-640.6.1.1)
You are the network administrator for a company that makes golf balls and automotive tires. Your network has a single domain with several locations configured as Active Directory sites. All domain controllers run Windows Server 2008 and the functional level of the domain is Windows Server 2008. You want to install a public key infrastructure (PKI) so that users in the domain are automatically issued certificates. What must you configure? (Choose all that apply.)
A root CA and an enterprise subordinate CA.
A root CA and a standalone subordinate CA.
A standalone CA.
Create an autoenrollment user template and add the template to the Certificate server.
Create a group policy that can distribute certificates to users.
Install a certification authority Web enrollment agent.

Answer: A root CA and an enterprise subordinate CA. Create an autoenrollment user template and add the template to the Certificate server. Create a group policy that can distribute certificates to users.

Explanation:
You should install a root CA and an enterprise subordinate CA, create an autoenrollment user template and add the template to the Certificate server, and create a group policy to distribute certificates to users. You must have an enterprise subordinate CA to automatically issue certificates to users and computers in Active Directory. You should keep the root CA offline and have the enterprise subordinate CA issue certificates.

You must create an autoenrollment user template and add the template to the Certificate server. Your computer must be a member of the domain to use certificate autoenrollment. The autoenrollment process is normally triggered by the Winlogon process, and it is activated and managed by a domain-based Group Policy. Both machine-based and user-based Group Policy can activate autoenrollment for machines and users. Certificate autoenrollment is based on the combination of Group Policy settings and version 2 certificate templates. Certificates are issued or automatically renewed according to the specifications in the certificate template. To create a certificate template, perform the following steps:


1. Launch the Certification Authority Microsoft Management Console (MMC).
2. Expand the Certification Authority folder.
3. Expand the folder for your Certificate Server.
4. Right-click the Certificate Templates folder and select New Certificate Template to Issue.

Once you add the Certificate Template to be issued, you need to create a group policy that can then distribute user certificates to the users' laptops and desktops automatically. You can use the Group Policy Management Console (GPMC) to edit a group policy. If you want the autoenrollment to apply to the entire domain, perform the following steps:
1. Edit the Default Domain Policy and click Edit.
2. Under the User Configuration container, expand the Windows Settings folder.
3. Expand the Security Settings folder and then click to select the Public Key Policies folder.
4. Right-click the Autoenrollment Settings object and select Properties.
5. Check the Renew Expired Certificates, Update Pending Certificates, and Remove Revoked Certificates options, as well as the Update Certificates That Use Certificate Templates option.
6. Click OK.


You cannot have a standalone CA or a subordinate standalone CA issuing certificates. A certificate template must check Active Directory for the user or computer account, and neither a standalone CA nor a subordinate standalone CA can query Active Directory. If a certificate template has to check for an existing certificate before issuing another certificate, Active Directory will be queried for an existing duplicate certificate.

You do not have to install a certification authority Web enrollment agent. Web enrollment allows users to request certificates via the HTTP protocol or by using a browser. This agent is helpful when you have computers that are not members of the domain, such as Unix computers, that need to request certificates.

Item: 6 (Ref:Cert-70-640.3.1.2)
You are the systems administrator for your company. The company's network consists of a single Active Directory domain. The network contains an Active Directory Lightweight Directory Services (AD LDS) server to provide Active Directory data to an application named App1, which is accessed by all users on the network. You want to ensure that only managers have rights to modify the App1 database. To achieve this, you want to create a new group in the AD LDS directory and add managers to that group. Which tool should you use to create a new group in the AD LDS application directory partition?
Dsmod.exe
Dsadd.exe
Dsa.msc
Domain.msc

Answer: Dsadd.exe

Explanation:
You should use the Dsadd.exe tool to create a new group in the AD LDS application directory partition. Dsadd.exe is a command-line tool that is built into Windows Server 2008 and is available if you have the AD DS server role installed. To use Dsadd.exe, you must run the Dsadd command from an elevated command prompt. The Dsadd group command adds a single group to the directory; its syntax is Dsadd group <GroupDN>, where <GroupDN> is a required parameter that specifies the distinguished name of the group you want to add. Lightweight Directory Access Protocol (LDAP)-based directories, such as Active Directory Domain Services (AD DS) and AD LDS, most commonly use OUs to keep users and groups organized. To add an OU to the directory, use the Dsadd ou <OrganizationalUnitDN> syntax, where <OrganizationalUnitDN> is a required parameter that specifies the distinguished name of the OU you want to add.

You cannot use the Dsmod.exe tool to create a new group in the AD LDS application directory partition. Dsmod.exe is a command-line tool built into Windows Server 2008 that modifies an existing object of a specific type in the directory.

You cannot use the Dsa.msc tool, known as Active Directory Users and Computers, or the Domain.msc tool, known as Active Directory Domains and Trusts, to create a new group in the AD LDS application directory partition, because AD LDS is not supported by these domain-oriented tools.

Item: 7 (Ref:Cert-70-640.2.4.4)
Your company, Verigon Incorporated, has a main office and five branch offices. The company has a single domain, and each office is configured as its own site. You have several temporary workers who work on a seasonal basis. You need to create a batch file that will disable the temporary workers' accounts and force replication of the disabled accounts to the domain controllers in the domain. Which commands will the batch file contain? (Choose two.)
Reset user
Dsmod user
Dsadd user
Repadmin
Rsnotify

Answer: Dsmod user; Repadmin

Explanation:
The batch file will contain the Dsmod user and Repadmin commands. You should use Dsmod user to disable the temporary workers' accounts. The Dsmod.exe command modifies the properties of a user account, such as the password, the account expiration date, or any other property. The following example uses the Dsmod user command to force the expiration of the accounts for Michelle Smith and Dave Jones in the Verigon corporate network:

dsmod user "CN=Michelle Smith,CN=Users,DC=Verigon,DC=Com" "CN=Dave Jones,CN=Users,DC=Verigon,DC=Com" -acctexpires 0

A value of 0 for the -acctexpires parameter sets the expiration of the accounts to the end of today.

You should also use the Repadmin tool in the batch file to force replication. This tool allows you to force replication with replication partners. The following example uses the replicate operation of the Repadmin tool to make DC5 initiate replication of the domain directory partition for a domain named kaplanit.com from DC1. In this example, DC1 is the source server and DC5 is the destination server:

repadmin /replicate dc5.kaplanit.com dc1.kaplanit.com dc=kaplanit,dc=com

You should not use the Dsadd user command to disable the temporary workers' accounts. The Dsadd user command is used to add new users in Active Directory; you cannot use it to modify the properties of existing users.

You should not use Reset user. The Reset.exe tool is the Terminal Services reset utility on a Windows Server computer. This utility will not disable an account, nor will it force replication.

You should not use Rsnotify.exe. This command is the Remote Storage recall notification program on a Windows operating system. It will not disable an account, nor will it force replication.
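A batch file of the kind the scenario asks for, written here as an added example (it is not from the Transcender explanation): it disables the seasonal accounts outright with Dsmod user and then pushes the change to every replication partner with Repadmin. The two account DNs, the domain verigon.com and the domain controller name DC1 are assumed.

```batch
@echo off
REM Added example, not from the original page. Assumed values: the two user DNs,
REM the domain verigon.com and the domain controller DC1 from which replication is pushed.
setlocal

REM Dsmod user accepts several DNs in one call. -disabled yes disables the accounts
REM immediately, which is what the scenario requires; -acctexpires 0 would only
REM expire them at the end of today.
dsmod user "CN=Michelle Smith,CN=Users,DC=verigon,DC=com" "CN=Dave Jones,CN=Users,DC=verigon,DC=com" -disabled yes
if errorlevel 1 (
    echo Disabling the accounts failed; replication was not forced.
    exit /b 1
)

REM Push the change from DC1 to all of its replication partners, across sites and for
REM every naming context: /A = all partitions, /P = push, /e = cross-site, /d = report by DN.
repadmin /syncall DC1 /APed
if errorlevel 1 (
    echo Repadmin reported a replication error; review the output above.
    exit /b 1
)

endlocal
```

Because the disable is applied on one DC and the forced sync only pushes from that DC, run the file on (or point DC1 at) the domain controller that services the workers' logons so the change takes effect without waiting for scheduled intersite replication.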

Item: 8 (Ref:Cert-70-640.3.4.5)
You are the systems administrator for several Windows Server 2008 computers on your company's network. The network contains an Active Directory Federation Services (AD FS) server. The AD FS server is configured to provide Web-based Single Sign-On (SSO) capabilities to users in a partner organization. You want to test which claims the Federation Service sends in AD FS security tokens. What should you do?
Create a claims-aware application.
Configure a resource partner.
Configure an account partner.
Configure a Windows NT token-based Web Agent.

Answer: Create a claims-aware application.

Explanation:
You should create a claims-aware application. AD FS is an identity access solution that allows browser-based clients to access one or more protected Internet-facing applications without being prompted for secondary credentials, even if the user accounts and applications are located in completely different networks or organizations. In any given federation relationship, a business partner is identified as either a resource organization or an account organization. The account organization owns and manages user accounts. The resource organization owns and manages resources that are accessible from the Internet. Users from the account organization access AD FS-enabled applications in the resource organization. AD FS provides a Web-based SSO solution that authenticates users to multiple Web applications during a single browser session. When you install AD FS, you configure its trust policy by using the AD FS snap-in to specify the list of partners with which you want to federate.

AD FS supports three types of claims: organization or identity claims, group claims, and custom claims. Claims are statements about users that are carried within security tokens and are used by Web applications to make authorization decisions. Claims originate from either an account store or an account partner. To verify which claims the Federation Service sends in AD FS security tokens, you should create a claims-aware application. A claims-aware application is a Microsoft ASP.NET application that uses the claims in an AD FS security token to make authorization decisions and provide additional application personalization. The claims-aware application is made up of the following three files:
default.aspx
web.config
default.aspx.cs


You should not configure a resource partner or an account partner. The resource partner owns and manages resources that are accessible from the Internet, and the account partner owns and manages user accounts. Configuring a resource partner or an account partner will not allow you to test which claims the Federation Service sends in AD FS security tokens.

You should not configure a Windows NT token-based Web Agent. The Windows NT token-based Web Agent is used on a Web server that hosts a Windows NT token-based application to support conversion of AD FS security tokens to impersonation-level Windows NT access tokens. A Windows NT token-based application is an application that uses Windows-based authorization mechanisms. Configuring a Windows NT token-based Web Agent will not allow you to test which claims the Federation Service sends in AD FS security tokens.

Item: 9 (Ref:Cert-70-640.2.2.1)
You are the network administrator for your company. In the company's main office, the domain functional level is set to Windows Server 2008. All client computers run Windows Vista. Your company purchases a rival company that has its own Active Directory domain, in a separate forest, with the domain functional level set to Windows Server 2003. The newly acquired company is configured as a branch office, and you create an external trust between the two forests. You want to enable the use of Advanced Encryption Standard (AES) encryption with Kerberos. You want to achieve this objective with minimum administrative effort. What should you do? (Choose two. Each correct answer represents part of the solution.)
Upgrade all domain controllers in the branch office to Windows Server 2008.
Upgrade all servers in the branch office to Windows Server 2008.
Raise the domain functional level to Windows Server 2008.
Recreate a two-way shortcut trust between the main office domain and the branch office domain.

Answer: Upgrade all domain controllers in the branch office to Windows Server 2008. Raise the domain functional level to Windows Server 2008.

Explanation:
You should upgrade all domain controllers in the branch office to Windows Server 2008 and raise the domain functional level to Windows Server 2008. AES is a National Institute of Standards and Technology specification for the encryption of electronic data. AES provides more secure encryption than its predecessor, Data Encryption Standard (DES). The security enhancements in Windows Server 2008 and Windows Vista enable the use of AES encryption with Kerberos. This means the base Kerberos protocol in Windows Server 2008 and Windows Vista supports AES for encryption of Ticket Granting Tickets (TGTs), service tickets, and session keys. To be able to configure AES encryption with Kerberos, the domain functional level must be Windows Server 2008. To raise the domain functional level of a domain to Windows Server 2008, all domain controllers in the domain must be running Windows Server 2008.

You should not upgrade all servers in the branch office to Windows Server 2008 because this would require additional administrative effort. To raise the domain functional level to Windows Server 2008, only the domain controllers need to be running Windows Server 2008.

You should not recreate a two-way shortcut trust between the main office domain and the branch office domain. A shortcut trust is configured to allow access to resources between two domains that are logically distant from each other in the Active Directory tree. These domains must reside in the same Active Directory forest. In this scenario, the main office domain and the branch office domain are located in separate forests.

Item: 10 (Ref:Cert-70-640.2.6.8)
You are implementing an Active Directory forest for your company. You install Windows Server 2008 on a computer, name it DC1, and promote it to the first domain controller in a new domain in a new forest. Then, you install Windows Server 2008 on another computer, name it DC2, and promote it to an additional domain controller in the existing domain. Now, you want to create a new domain. You install Windows Server 2008 on a new computer, name it DC3, and start the Active Directory Installation wizard. You specify that DC3 will be a domain controller in a new domain in a new domain tree in the existing forest. You receive an error message that indicates that DC3 cannot be promoted to a domain controller. Your investigation reveals that DC1 has failed due to a hardware problem. The replacement part necessary to bring DC1 back online will be delivered within the next few days. However, you must continue the deployment of Active Directory immediately, and you must promote DC3 to a domain controller in a new domain. Which of the following should you do?
Promote DC3 to a domain controller in a new child domain.
Join DC3 to the existing domain and then promote it to a domain controller in a new tree-root domain.
Promote DC3 to an additional domain controller in the existing domain and then join it to a new tree-root domain.
Configure DC2 to hold all operations master roles and then promote DC3 to a new domain controller in a new tree-root domain.

Answer: Configure DC2 to hold all operations master roles and then promote DC3 to a new domain controller in a new tree-root domain.

Explanation:
In an Active Directory forest, certain types of operations can be performed only on the domain controllers that are designated as operations masters for those types of operations. There are five operations master roles. The schema master and domain naming master are forest-wide roles; the PDC emulator, RID master, and infrastructure master are domain-wide roles. There can be only one schema master and one domain naming master in each forest, and each domain-wide role is unique only within its domain. By default, the first domain controller in a new forest hosts all five operations master roles, and the first domain controller in any new domain in a forest holds the three domain-wide roles for that domain. A forest-wide role can subsequently be transferred to another domain controller in the forest, and a domain-wide role to another domain controller in the domain.

A new domain can be created in a forest only while the domain naming master is available. In this scenario DC3 cannot be promoted to a domain controller for the new domain because DC1, which held all five roles by default, is unavailable, so the domain naming master role is unavailable with it. To proceed with the creation of a new tree-root domain, as you originally intended, you must force the transfer of (seize) at least the domain naming master role to DC2, which is currently the only remaining domain controller in the existing forest. A seizure is performed without the cooperation of the current role holder, so if DC1 were later brought back online the forest could briefly have two servers each believing it holds a role; for the RID master that can produce duplicate RID pools, and for the schema master conflicting schema changes. For that reason, once the schema master, domain naming master or RID master has been seized, the original holder should never be brought back online. When DC1 is repaired, perform a fresh installation of Windows Server 2008 on it and configure it as a different domain controller or as a member server. Since DC1 is not coming back, you should seize all of the operations master roles that it held, not only the domain naming master.

Without the domain naming master, you cannot create a new domain, regardless of whether it is a tree-root or a child domain. Any computer that runs an appropriate edition of Windows Server 2008 can be promoted to a domain controller in an existing forest, whether it is a stand-alone server or a member server in a domain of that forest. A domain controller in one domain cannot be directly reconfigured as a domain controller in another domain: it must first be demoted to a member server or stand-alone server, and only then can it be promoted to a domain controller in a different domain.
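The seizure described above can be scripted end to end. The following PowerShell is an added example and is not part of the Transcender explanation; DC2 is taken from the scenario, while the forest root DN, DC1's site name and the account being used are assumptions.

```powershell
# Added example (not from the original page): seize the five operations master roles
# to DC2 after DC1 has failed, verify the result, and remove DC1's leftover metadata.
# Assumptions: DC2 is reachable; you are logged on as a member of Enterprise Admins
# (needed for the schema and domain naming masters) and Domain Admins (the three
# domain-wide roles); the forest root DN and DC1's site below are placeholders.
$forestDn = 'DC=example,DC=com'          # assumed forest root DN
$dc1Site  = 'Default-First-Site-Name'    # assumed site that contained DC1

# ntdsutil accepts its interactive commands as quoted arguments, so the whole session
# can be scripted. Each seize first attempts a graceful transfer and only seizes when
# the current holder (DC1) cannot be contacted; each seize also shows a confirmation
# dialog that must be acknowledged.
$seize = @(
    'roles',
    'connections',
    'connect to server DC2',
    'quit',
    'seize schema master',
    'seize naming master',
    'seize PDC',
    'seize RID master',
    'seize infrastructure master',
    'quit',
    'quit'
)
& ntdsutil.exe $seize

# Every role should now report DC2.
& netdom.exe query fsmo

# DC1 must never return after the schema and RID masters were seized, so remove its
# directory objects now; otherwise the KCC keeps building replication links to a
# server that no longer exists and DNS keeps serving its SRV records.
$cleanup = @(
    'metadata cleanup',
    'connections',
    'connect to server DC2',
    'quit',
    "remove selected server CN=DC1,CN=Servers,CN=$dc1Site,CN=Sites,CN=Configuration,$forestDn",
    'quit',
    'quit'
)
& ntdsutil.exe $cleanup

# Confirm DC1 no longer appears as a replication partner.
& repadmin.exe /showrepl DC2
```

Only after `netdom query fsmo` lists DC2 for all five roles should DC3 be promoted into the new tree-root domain.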

Item: 11 (Ref:Cert-70-640.1.2.1)
You are the network administrator for the Verigon corporation. The Verigon corporation has a single domain named verigon.com with all domain controllers running the Windows Server 2008 operating system. Your company recently acquired a rival group, Nutex Corporation. Nutex Corporation has a single forest with three domains: nutex.com, east.nutex.com, and west.nutex.com. Each domain in Nutex and Verigon has a Windows Server 2008 DNS server that contains the zone for its respective domain. Nutex and Verigon will continue to act as separate companies from a network standpoint. Nutex users will not need to access any resources in Verigon. However, users in the verigon.com domain will need to access a Web-based application on server5.west.nutex.com. Since Nutex and Verigon are connected by a heavily used WAN link, you want to limit the amount of traffic sent over the WAN link.

Copyright 2009 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.

Users in verigon.com complain that they cannot access the Web-based application. What should you do?
Create a secondary zone of nutex.com on the DNS server in the verigon.com domain.
Create a secondary zone of west.nutex.com on the DNS server in the verigon.com domain.
Configure conditional forwarding on the DNS server in the verigon.com domain to forward queries for west.nutex.com to the DNS server in the west.nutex.com domain.
Configure conditional forwarding on the DNS server in the west.nutex.com domain to forward queries for verigon.com to the DNS server in the verigon.com domain.

Answer: Configure conditional forwarding on the DNS server in the verigon.com domain to forward queries for west.nutex.com to the DNS server in the west.nutex.com domain.

Explanation:
You should configure conditional forwarding on the DNS server in the verigon.com domain to forward queries for west.nutex.com to the DNS server in west.nutex.com. In Windows Server 2003 and Windows Server 2008, a DNS server can be configured to conditionally forward queries. A conditional forwarder is different from a regular forwarder. A regular forwarder receives every query that the server cannot answer from its own zones or cache. A conditional forwarder receives only queries for a specified domain name. For example, if you want to forward only queries for names in the west.nutex.com domain, you create a conditional forwarder for west.nutex.com that points at that domain's DNS server; queries for every other name are resolved as before.

In Windows Server 2008, you configure a conditional forwarder by adding the DNS domain whose queries you want to forward in the conditional forwarder settings, together with the IP address or DNS name of the DNS server that is to receive the forwarded queries. In this scenario, you should configure the DNS server in the verigon.com domain to forward queries for west.nutex.com to the IP address or DNS name of the DNS server in the west.nutex.com domain. Only queries for that domain cross the WAN link, and only when a client actually asks for a west.nutex.com name.

You should not create a secondary zone of nutex.com or a secondary zone of west.nutex.com on the DNS server in the verigon.com domain. A secondary zone is a read-only copy of a zone that is pulled from a master DNS server and must be refreshed periodically through zone transfers from that master. Although a secondary zone of west.nutex.com on the verigon.com DNS server would resolve names in the west.nutex.com domain, such as server5.west.nutex.com, the zone transfers produce additional traffic across the WAN link. It would also require the west.nutex.com DNS server to permit zone transfers to the Verigon server, which hands Verigon a complete copy of the zone rather than the single host it needs. A secondary zone of nutex.com would hold only the delegation to west.nutex.com, not the host records themselves, so it would add transfer traffic without answering the query directly.

You should not configure conditional forwarding on the DNS server in the west.nutex.com domain to forward queries for verigon.com to the DNS server in the verigon.com domain. In this scenario, you want to resolve queries for west.nutex.com from the verigon.com domain, not queries for verigon.com from the west.nutex.com domain.
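The configuration above, done from the command line on the verigon.com DNS server with dnscmd, which Windows Server 2008 ships with. This is an added example, not part of the Transcender explanation; the IP address of the west.nutex.com DNS server is an assumption (a documentation address), as is the use of the local server.

```powershell
# Added example (not from the original page): create a conditional forwarder for
# west.nutex.com on the local verigon.com DNS server and test it.
# Assumption: the west.nutex.com DNS server is at 192.0.2.10 (RFC 5737 documentation
# address); dnscmd with no server name operates on the local DNS server.
$westDns = '192.0.2.10'

# In Windows Server 2008 a conditional forwarder is stored as a zone of type
# "Forwarder", so dnscmd creates it with /ZoneAdd ... /Forwarder.
# /TimeOut is the number of seconds to wait for the forwarder before giving up.
# Add /Slave if the server must NOT fall back to normal recursion when the
# forwarder fails (keeps west.nutex.com lookups off the public root hints).
& dnscmd.exe /ZoneAdd west.nutex.com /Forwarder $westDns /TimeOut 5

# Confirm the zone was created with the Forwarder type and the expected master.
& dnscmd.exe /ZoneInfo west.nutex.com

# Resolve the application host through the local server; the answer should match
# what $westDns returns directly, and no other nutex.com names are affected.
& nslookup.exe server5.west.nutex.com 127.0.0.1
& nslookup.exe server5.west.nutex.com $westDns
```

If the two nslookup answers differ, the local server is still answering from cache or from a zone it hosts; `dnscmd /ClearCache` clears the cache, and `dnscmd /EnumZones` shows any competing zone.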

Item: 12 (Ref:Cert-70-640.2.4.15)
You are a network administrator for your company. The corporate network consists of a single Active Directory domain and two sites. Click the Exhibit(s) button to view the Active Directory domain structure. All servers on the network run Windows Server 2008. In Site1, there are three domain controllers, which also provide additional services: DC1 is configured as a DHCP server and a DNS server, DC2 is an application server, and DC3 is a Routing and Remote Access server that provides connectivity with the network in Site2. In Site2, there are two domain controllers, DC4 and DC5. DC4 is a Routing and Remote Access server that provides connectivity with the network in Site1. Users complain that at certain times DC2 becomes very slow or even unresponsive. You determine that DC2's poor performance as an application server coincides with the scheduled inter-site Active Directory replication times. You must improve the performance of DC2 during the times when inter-site replication occurs. Which of the following should you do?
Designate DC3 as a preferred bridgehead server.
Designate DC2 as a preferred bridgehead server.
Increase the site link cost.
Decrease the site link cost.

Answer: Designate DC3 as a preferred bridgehead server.

Explanation:
Active Directory is a distributed database that is hosted on domain controllers. Administrators can make changes to Active Directory on different domain controllers, which then communicate those changes to each other. Replication is the process of synchronizing the contents of the Active Directory database among domain controllers. The Knowledge Consistency Checker (KCC) builds the replication topology automatically. Within a site, all computers are assumed to be well connected, so intra-site replication is optimized for speed rather than for bandwidth: each change is replicated, uncompressed, to the other domain controllers in the site within seconds. Replication between sites works differently. In each site, the domain controller that acts as the Inter-Site Topology Generator (ISTG) designates a bridgehead server. Changes from other sites are first replicated between bridgehead servers, which then pass them to the other domain controllers in their own site through normal intra-site replication. An administrator can manually designate one or more preferred bridgehead servers for a site, which forces the KCC to choose bridgeheads only from that list.

In this scenario, DC2's performance deteriorates during inter-site replication because DC2 is the bridgehead server in Site1, and the resulting traffic flow is inefficient. DC3 is the RRAS server that provides connectivity with Site2, so all replication traffic from Site2 arrives at DC3. DC3 forwards it to DC2, which records the changes in its copy of Active Directory and then replicates them back to DC3, either directly or indirectly through DC1. To offload DC2, designate DC3 as the preferred bridgehead server instead. Changes received from Site2 are then recorded on DC3 first and propagated to DC1 and DC2 by intra-site replication, which is substantially faster than inter-site replication, so DC2 spends less time processing replication. One caveat applies to any preferred-bridgehead design: if every preferred bridgehead server in a site is unavailable, the KCC does not fall back to another domain controller, and inter-site replication to and from that site stops until a preferred server is reachable again. Monitor DC3 accordingly, or nominate more than one preferred bridgehead.

Site link costs are numeric values that indicate relative preference among multiple alternative replication paths between the same pair of sites. Changing the site link cost would have no effect on replication in this scenario because there are only two sites and therefore only one path between them.
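The designation above can be scripted instead of clicked through in Active Directory Sites and Services; a preferred bridgehead is simply a server object whose bridgeheadTransportList attribute names the transport. The following PowerShell is an added example, not part of the Transcender explanation. The forest root DN is an assumption; the site name Site1 and the server names come from the scenario.

```powershell
# Added example (not from the original page): make DC3 the preferred bridgehead
# server for Site1 over the IP transport, clear DC2 if it was ever set, then make
# the KCC recompute the topology and confirm which servers now act as bridgeheads.
# Assumption: the forest root DN is DC=example,DC=com.
$configDn    = 'CN=Configuration,DC=example,DC=com'
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configDn"

# A server becomes a preferred bridgehead when the transport DN is listed in its
# bridgeheadTransportList attribute; this is what the Sites and Services UI writes.
$dc3 = [ADSI]"LDAP://CN=DC3,CN=Servers,CN=Site1,CN=Sites,$configDn"
$dc3.Put('bridgeheadTransportList', $ipTransport)
$dc3.SetInfo()

# Clearing the attribute on DC2 removes it from the preferred list
# (PutEx control code 1 = ADS_PROPERTY_CLEAR; the value argument is ignored).
$dc2 = [ADSI]"LDAP://CN=DC2,CN=Servers,CN=Site1,CN=Sites,$configDn"
$dc2.PutEx(1, 'bridgeheadTransportList', @())
$dc2.SetInfo()

# Ask the KCC on DC3 to rebuild the topology now rather than at its next 15-minute run.
& repadmin.exe /kcc DC3

# List the bridgehead servers the ISTG has selected; DC3 should appear for Site1.
& repadmin.exe /bridgeheads DC3 /verbose
```

Because a preferred bridgehead is an explicit single point of failure, check the Directory Service event log on the ISTG after the change: the KCC logs an error there when no preferred bridgehead in a site is reachable and replication for the site cannot be built.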

Item: 13 (Ref:Cert-70-640.1.3.2)
You are the administrator of the Verigon corporation. You have a main office in Birmingham and branch offices in Atlanta and Chicago. The Birmingham office has a DNS server, server1, which has the IP address of 10.10.10.101 and hosts a primary zone. The Atlanta office has a DNS server, server2, which has the IP address of 10.10.15.112 and hosts a secondary zone. The Chicago office has a DNS server, server3, which has the IP address of 10.10.20.78 and hosts a secondary zone. The DNS configuration of server1 is displayed in the exhibit. (Click on the Exhibit(s) button.) The WAN link to Atlanta is prone to failure over the weekends. You want to ensure that zone information would still be valid on server2 if the WAN link fails on Friday evening and is not restored until Monday morning. What should you configure?
On server1, change the Minimum (default) TTL to 72 hours.
On server2, change the Minimum (default) TTL to 72 hours.
On server1, change the Expires After: setting to 72 hours.
On server2, change the Expires After: setting to 72 hours.

Answer: On server1, change the Expires After: setting to 72 hours.


Explanation:
You should change the Expires After: setting to 72 hours in the SOA record of the zone on server1. The Expires After: setting specifies how long a secondary server may keep serving the zone after it last succeeded in refreshing it. In this scenario, a failure of the WAN link may prevent server2 from pulling a zone transfer from server1. If server2's copy of the zone expires, the data is considered potentially outdated and is discarded; a secondary server does not answer from an expired zone, so Atlanta clients would lose name resolution for the zone even though server2 itself is up. Currently the SOA record of the primary zone has Expires After: set to one day. You can express the setting in minutes, hours, or days. The Expires After: value must be longer than the Refresh Interval plus the Retry Interval, otherwise the zone could expire before the secondary has even retried. The Refresh Interval determines how often the secondary server polls the primary server for updates; the Retry Interval specifies how often the secondary server tries again if the primary server does not respond. Consider increasing the Expires After: value to compensate for slow or unreliable connections. Friday evening to Monday morning is roughly 60 hours, so setting the value to at least three days (72 hours) covers the outage with some margin. Raising the expiry only changes how long a secondary keeps serving its last good copy during a failure; as soon as the link returns, the next refresh pulls the current zone.

You should not change the Expires After: setting on server2. That server hosts a secondary zone, which is a read-only copy of the primary zone on server1; the SOA record, including its timers, arrives from server1 in the zone transfer and cannot be edited on server2. You should not change the Minimum (default) TTL on server1 or server2. That setting specifies how long resolvers and other servers may cache records from this zone; it does not determine when a secondary copy of the zone expires.
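The same change made with dnscmd from Birmingham, then verified from the Atlanta secondary. This is an added example and not part of the Transcender explanation. The zone name verigon.com, the primary server and administrator names, the serial number and the SOA timers other than the expiry are assumptions, because the exhibit is not reproduced here; the Refresh, Retry and Minimum TTL values used are the Windows DNS defaults.

```powershell
# Added example (not from the original page): raise the zone expiry so server2 and
# server3 keep serving verigon.com through a weekend-long WAN outage.
# Assumptions: zone verigon.com; primary server1.verigon.com; admin mailbox
# hostmaster@verigon.com; SOA fields other than Expire use Windows DNS defaults.
$zone    = 'verigon.com'
$primary = 'server1.verigon.com.'
$admin   = 'hostmaster.verigon.com.'

# Show the current SOA on server1: serial, refresh, retry, expire, minimum TTL.
& dnscmd.exe 10.10.10.101 /EnumRecords $zone '@' /Type SOA

# Write the new SOA. Values are seconds: refresh 15 min, retry 10 min,
# expire 72 h (259200 s), minimum TTL 1 h. Expire exceeds refresh + retry as it must.
# The serial MUST be greater than the one the secondaries hold, or they will
# consider their copy current and never pull the new timers.
$serial = 2009010102   # assumed: previous serial + 1
& dnscmd.exe 10.10.10.101 /RecordAdd $zone '@' SOA $primary $admin $serial 900 600 259200 3600

# Force the Atlanta secondary to refresh now rather than at its next interval,
# then read the SOA it serves; the expire field should show 259200.
& dnscmd.exe 10.10.15.112 /ZoneRefresh $zone
& nslookup.exe -type=SOA $zone 10.10.15.112
```

Repeat the refresh and lookup against server3 (10.10.20.78); both secondaries carry the same SOA once the transfer has completed.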

Item: 14 (Ref:Cert-70-640.1.3.4)
You are the systems administrator for Verigon Corporation. The company has a single domain with a main office and five branch offices. Each office has its own Active Directory site in a single forest. Each site has a domain controller running Windows Server 2008, and each domain controller has a DNS server with an Active Directory-integrated zone for both the forward lookup and reverse lookup zones for the domain. You add several new file servers at the main office. Later that morning, users in the different branch offices report that they cannot connect to the file servers. You notice that the A records and PTR records for the file servers are in the DNS server at the main office. You want to synchronize replication with all replication partners to ensure that the A records and PTR records are replicated to all DNS servers in the forest. Which command should you run?
Have the DNS server at the main office forward to each DNS server in the branch office.
Add the DNS servers in the branch offices to the Automatically Notify list for zone updates.
Run the Repadmin /syncall command with /e parameter.
Change the expiration time of the zone on the SOA record.

Answer: Run the Repadmin /syncall command with /e parameter.

Explanation:
You should run the Repadmin /syncall command with the /e parameter. In this scenario, you need to ensure that the Active Directory-integrated zones held by the DNS server at the main office replicate to the other domain controllers that run DNS. Repadmin /syncall forces replication; the /e parameter includes replication partners in all sites rather than only the local site, and the /A parameter includes every naming context the domain controller holds, which matters because Active Directory-integrated zones are normally stored in the DomainDnsZones or ForestDnsZones application partition rather than in the domain partition. After replication, each DNS server still has to notice the change: the DNS Server service polls the directory for zone changes every 180 seconds by default, so a record can already be replicated to a branch domain controller and not yet be served by its DNS server.

You should not have the DNS server at the main office forward to each DNS server in the branch office. Forwarding sends queries that the server cannot answer from its own zones to another server; it does not copy the A and PTR records for the new file servers to the branch DNS servers. You should not add the branch DNS servers to the Automatically Notify list for zone updates. That list names secondary servers that the master notifies when the zone changes, and it applies only to zone transfers. Active Directory-integrated zones do not use zone transfers between domain controllers; their data replicates as part of Active Directory replication. You should not change the expiration time of the zone on the SOA record. The Expires After: setting specifies when a secondary server discards the zone if it fails to refresh it; it does not force Active Directory replication.
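The full sequence, including the DNS reload step that the repadmin command alone does not cover. This is an added example, not part of the Transcender explanation; the domain controller names, the reverse zone name and the file server name are assumptions, while the forward zone is the domain name from the scenario.

```powershell
# Added example (not from the original page): push the DNS application partitions
# from the main-office DC to every site, then make each branch DNS server reload the
# zones from the directory instead of waiting for its next poll.
# Assumptions: main-office DC is DC-MAIN; branch DCs are DC-ATL and DC-CHI;
# reverse zone 10.in-addr.arpa; one of the new hosts is fileserver1.verigon.com.

# /A = all naming contexts held by DC-MAIN, which includes DomainDnsZones and
#      ForestDnsZones where AD-integrated zones normally live
# /e = include partners in other sites (enterprise), not just the local site
# /P = push changes outward from DC-MAIN rather than pulling into it
# /d = identify partners by DN instead of GUID so any error is readable
& repadmin.exe /syncall DC-MAIN /A /e /P /d

# One line per DC with failure counts and the age of the oldest unreplicated change.
& repadmin.exe /replsummary

# The DNS Server service only polls the directory every 180 s (DsPollingInterval),
# so force each branch server to reload now and confirm it answers for a new host.
$branchDns = @('DC-ATL', 'DC-CHI')
foreach ($dc in $branchDns) {
    & dnscmd.exe $dc /ZoneUpdateFromDs verigon.com
    & dnscmd.exe $dc /ZoneUpdateFromDs 10.in-addr.arpa
    & nslookup.exe fileserver1.verigon.com $dc
}
```

If `repadmin /replsummary` shows failures for a branch DC, fix replication first; `/ZoneUpdateFromDs` can only load records that have already reached that DC's copy of the directory.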

Item: 15 (Ref:Cert-70-640.3.2.2)
You are the network administrator for a county government. The county has two offices in a single domain. The servers at the main office run Windows Server 2003 and the servers at the other office run Windows 2000 Server and Windows Server 2003. All domain controllers are Windows Server 2003 and the functional level of the domain is Windows Server 2003. The client computers in both offices have different operating systems, including Windows 2000 Professional, Windows XP Professional, and Windows Vista. You plan to upgrade all Windows Server 2003 domain controllers to Windows Server 2008. Once the domain controllers have been upgraded, you want to deploy Active Directory Rights Management Services (AD RMS) in the main office. You want to ensure that AD RMS is deployed in both offices. You have a limited budget. What should you do to ensure that client computers in both offices can support AD RMS?
Upgrade all computers to Windows Vista.
Ensure that all Windows 2000 Professional computers have Service Pack 4 and that all Windows XP computers have Service Pack 2. Download and install the AD RMS client on all Windows XP and Windows 2000 Professional client computers.
Upgrade all Windows 2000 Professional computers to Windows XP with Service Pack 2 (SP2). Download and install the RMS client on all Windows XP computers.
Ensure that each client computer has the Client IPSec policy and RMS client installed. Ensure that the AD RMS server has the Secure Server IPSec Policy.

Answer: Ensure that all Windows 2000 Professional computers have Service Pack 4 and that all Windows XP computers have Service Pack 2. Download and install the AD RMS client on all Windows XP and Windows 2000 Professional client computers.

Explanation:
You should download and install the RMS client on all Windows 2000 Professional and Windows XP client computers to achieve the objective in this scenario. The Windows 2000 Professional computers must have Service Pack 4 or later, and the Windows XP computers must have Service Pack 2, to support the RMS client. Windows Vista includes the AD RMS client by default; operating systems released before Windows Vista and Windows Server 2008 do not. To use AD RMS on a Windows XP or Windows 2000 Professional computer, download and install the RMS client from the Microsoft Download Center (Microsoft Windows Rights Management Services (RMS) with Service Pack 2). With AD RMS, you can protect documents in AD RMS-enabled applications by granting users specific rights to the documents, such as copy, edit, view, and print. To install AD RMS on Windows Server 2008, perform the following steps:
1. Click Start, click Administrative Tools, and click Server Manager.
2. In the Server Manager window, click Add Roles.
3. Highlight AD RMS and click Next to complete the installation.

You should not upgrade all computers to Windows Vista. Upgrading every client computer to Windows Vista would make AD RMS available, because Windows Vista includes the RMS client by default, but it requires far more administrative effort and would strain the limited budget referenced in the scenario. You do not have to upgrade the Windows 2000 Professional computers to Windows XP; the RMS client supports Windows 2000 Professional if Service Pack 4 or later is installed. You do not have to ensure that each client computer has the Client IPSec policy and that the AD RMS server has the Secure Server IPSec Policy. Although deploying IPSec on both the client and the server protects the data in transit, it is not a requirement for deploying AD RMS.

Item: 16 (Ref:Cert-70-640.4.3.3)
You are the network administrator for your company. The company has a head office in Atlanta and a branch office in Boston. The head office's network consists of Windows Server 2008 domain controllers, and the branch office network consists of Windows Server 2003 domain controllers. The branch office has 45 users who are members of a single organizational unit (OU). The branch office is connected to the head office by a low bandwidth connection. To ensure efficient user logons to the domain, you plan to enable universal group membership caching. On which Active Directory object should you enable the universal group membership caching?
OU
domain
hub site
branch office site

Answer: branch office site

Explanation:
You should enable universal group membership caching in the branch office site. It is a per-site setting, stored on the site's NTDS Site Settings object, which is why it cannot be set on an OU or on a domain. Universal group membership caching is intended for a site that is connected by a low-bandwidth link or whose domain controller has hardware limitations, such as limited disk space, that rule out hosting a global catalog. Once it is enabled, a domain controller in the site contacts a global catalog the first time a user logs on, caches that user's universal group memberships, and refreshes the cache (every eight hours by default) from global catalogs in the site named in msDS-Preferred-GC-Site or, if none is set, in the nearest site. Later logons no longer need a round trip to a global catalog across the WAN, which provides efficient user logons in situations with low or no available bandwidth. Two caveats follow: each user's first logon in the branch still requires a reachable global catalog, and a membership change made at the head office is not seen in the branch until the next refresh. Another solution would be to install a Windows Server 2008 read-only domain controller (RODC) in the branch office, because universal group membership caching would be enabled by default for that site.

You should not enable universal group membership caching on the OU, the domain, or the hub site. Universal group membership caching should only be enabled on a site that is connected to a hub site via a low-bandwidth connection, or on sites that have fewer than 100 users. This ensures efficient user logons to the domain.
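Enabling the setting on the site object directly, as an added example that is not part of the Transcender explanation. The site names Boston and Atlanta and the forest root DN are assumptions; the attribute names and the bit value are those Active Directory Sites and Services writes when the checkbox is ticked.

```powershell
# Added example (not from the original page): enable universal group membership
# caching for the Boston branch site and refresh the cache from the Atlanta hub's
# global catalogs. Assumptions: sites are named Boston and Atlanta; the forest
# root DN is DC=example,DC=com.
$configDn     = 'CN=Configuration,DC=example,DC=com'
$siteSettings = [ADSI]"LDAP://CN=NTDS Site Settings,CN=Boston,CN=Sites,$configDn"

# Bit 0x20 (32) of the 'options' attribute is NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED.
# OR it in so any other option bits already set on the site survive.
$current = 0
if ($siteSettings.options.Value -ne $null) { $current = [int]$siteSettings.options.Value }
$siteSettings.Put('options', ($current -bor 0x20))

# Refresh from the hub's GCs rather than whichever site the DC picks as nearest.
$siteSettings.Put('msDS-Preferred-GC-Site', "CN=Atlanta,CN=Sites,$configDn")
$siteSettings.SetInfo()

# Read the setting back through the branch DC once it has replicated; DC-BOSTON is
# an assumed name. A non-zero result means caching is on for the site.
$branchView = [ADSI]"LDAP://DC-BOSTON/CN=NTDS Site Settings,CN=Boston,CN=Sites,$configDn"
$enabled = ([int]$branchView.options.Value -band 0x20) -ne 0
"Universal group membership caching enabled in Boston: $enabled"
```

Nothing is cached until users log on: expect the first logon of each branch user after the change to still cross the WAN to a global catalog.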

Item: 17 (Ref:Cert-70-640.5.1.4)
You are the network administrator of your company. The company has a main office and one branch office. Each office has its own Active Directory domain in a single forest. All servers on the network run Windows Server 2008. Each office contains a domain controller. The domain controller in the main office is named MainDC and the domain controller in the branch office is named BranchDC. The BranchDC contains an Organizational Unit (OU) named SalesOU, which contains some Active Directory groups that have backlinks of Universal and global groups of the main office domain as members of the groups. The branch office administrator reports that the SalesOU has been accidentally deleted. You perform an authoritative restore of the SalesOU. You now want to create an LDAP Data Interchange Format (LDIF) file for recovering the back-links of groups from the main office domain as members in groups of the branch domain for the authoritatively restored objects in the SalesOU. Which utility should you use?
Dsamain.exe
Wbadmin.exe
Wecutil.exe
Ntdsutil.exe

Answer: Ntdsutil.exe

Explanation:
You should use Ntdsutil.exe. An authoritative restore returns a designated object or container of objects to its state at the time of the backup. It marks the OU as authoritative by raising the version numbers of its objects, which causes replication to propagate the restored OU to all domain controllers in the domain instead of overwriting it again with the deletion. To perform an authoritative restore of Active Directory Domain Services (AD DS), you first complete a nonauthoritative restore from backup in Directory Services Restore Mode and then, before the domain controller is restarted and replicates, mark the OU as authoritative with Ntdsutil. Afterwards, start the domain controller normally and synchronize replication with all replication partners.

Group memberships that cross domain boundaries are stored on the group in the other domain, so an authoritative restore in the branch domain cannot recreate them there. For restored objects that have such back-links in another domain, you create an LDIF file and run it against a domain controller in that domain to restore the links. Ntdsutil creates the LDIF file. During the authoritative restore it writes a .txt file listing the restored objects on the domain controller where the restore was performed; copy that file to the domain controller in the main office domain on which you want to create the LDIF file, then generate the LDIF with Ntdsutil's create ldif file(s) from command and import the result with ldifde.

You should not use Dsamain.exe. Dsamain.exe, the Active Directory database mounting tool, exposes a snapshot or backup of the directory as a read-only Lightweight Directory Access Protocol (LDAP) server, which lets you compare data in snapshots taken at different times and choose which backup to restore from. It cannot create an LDIF file for recovering back-links. You should not use Wbadmin.exe, the command-line tool for backing up and restoring the computer, volumes, and files; it cannot create such an LDIF file either. You should not use Wecutil.exe, the Windows Event Collector utility, which creates and manages subscriptions to events forwarded from remote computers; it has nothing to do with directory restores.
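The LDIF step on the main-office domain controller, as an added example that is not part of the Transcender explanation. The file names follow the ar_<timestamp>_objects.txt and ar_<timestamp>_links_<domain>.ldf pattern that Ntdsutil uses, but the timestamp, the main-office domain name and the group used for the check are assumptions.

```powershell
# Added example (not from the original page): rebuild the cross-domain back-links for
# the objects restored in SalesOU. Run on MainDC after copying the .txt file that
# ntdsutil wrote on BranchDC during the authoritative restore.
# Assumptions: the object list is C:\Restore\ar_20090101-120000_objects.txt; the
# main-office domain is main.example.com; the LDIF produced for it is
# C:\Restore\ar_20090101-120000_links_main.example.com.ldf.
$objectList = 'C:\Restore\ar_20090101-120000_objects.txt'
$ldif       = 'C:\Restore\ar_20090101-120000_links_main.example.com.ldf'

# Step 1: generate the LDIF file(s). 'authoritative restore' is an ntdsutil submenu;
# passing the commands as arguments runs the session without prompting.
& ntdsutil.exe 'authoritative restore' "create ldif file(s) from $objectList" 'quit' 'quit'

# Step 2: import the links. -i import, -s target DC, -j log directory,
# -k continue past "already exists"/"constraint violation" errors, which are
# expected for any membership that was never lost.
& ldifde.exe -i -k -f $ldif -s MainDC -j C:\Restore

# Step 3: confirm a restored branch group is again listed in a main-office group.
# The group below is an assumed example.
$group = [ADSI]"LDAP://MainDC/CN=Sales Managers,OU=Sales,DC=main,DC=example,DC=com"
$group.member | Where-Object { $_ -like '*OU=SalesOU*' }
```

Run the import once per affected domain; Ntdsutil writes a separate .ldf for each domain named in the object list.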

Item: 18 (Ref:Cert-70-640.6.4.1)
You are a network administrator for a company named Verigon. The network consists of a single Active Directory domain. All servers run Windows Server 2008, and all client computers run Windows Vista. The network contains an enterprise issuing certification authority (CA) and an offline root CA. Verigon acquires a new company named TelStar that has its own Active Directory domain in a different forest. You want to establish an L2TP/IPSec VPN connection between both company networks. You install a VPN server on your network, install a certificate from your issuing CA, and configure the server for a router-to-router VPN connection. A network administrator at TelStar performs similar actions on the TelStar network. When you test the connection, you receive an error message that indicates that the TelStar certificate is not trusted. You must ensure that a VPN connection between the two companies can be successfully established without producing the error message. What should you do?
Place a copy of the TelStar root CA's certificate in the Trusted Root Certification Authorities store on your VPN server.
Install the TelStar root CA's certificate on the root CA in Verigon.
Include the TelStar root CA's certificate in Verigon root CA's certificate revocation list.
Install the TelStar root CA's certificate on the issuing CA in Verigon.

Answer: Place a copy of the TelStar root CA's certificate in the Trusted Root Certification Authorities store on your VPN server.

Explanation:
You should place a copy of the TelStar root CA's certificate in the Trusted Root Certification Authorities store on your VPN server. For your VPN server to trust the certificate presented by the TelStar VPN server, that certificate must chain to a CA that your VPN server trusts. Every certificate on TelStar's network ultimately chains to TelStar's root CA, so if your VPN server trusts that root, it trusts any certificate issued by any CA in TelStar's hierarchy. To establish that trust, import TelStar's root CA certificate into the Trusted Root Certification Authorities store of the computer account on your VPN server (not the user store, because the Routing and Remote Access service validates the peer's certificate). Obtain the certificate out of band and confirm its thumbprint with TelStar before importing it: a trusted root is a broad grant, because every certificate that chains to it is then accepted for any purpose the root allows. Your VPN server must also be able to retrieve the CRLs for TelStar's chain, or revocation checking during the IPsec negotiation fails even though the root is trusted.

It is common practice to implement a stand-alone root CA with enterprise subordinate CAs, and to keep the root CA offline for maximum security. Stand-alone CAs are better suited for being kept offline because they are less prone to the synchronization problems that result from being disconnected from the network for prolonged periods. An offline root is never contacted during certificate validation, which is exactly why its certificate has to be present in the Trusted Root Certification Authorities store of each computer that validates certificates issued under it. You can also make computers trust certificates from external CAs by using a Group Policy object (GPO) that applies to those computers; the GPO lists the appropriate certificates under Trusted Root Certification Authorities. Alternatively, you can add the trusted root CA's certificates to a Certificate Trust List (CTL) and specify that CTL in the GPO, which additionally lets you restrict the purposes for which the external root is trusted. Another possible solution is cross-certification: your root CA issues a certificate for your partner's root CA and vice versa.

If you installed the TelStar root CA's certificate on your root or issuing CA, then only your root or issuing CA, respectively, would trust TelStar's certificates; the scenario requires that your VPN server trust them. You should not include the TelStar root CA's certificate in the Verigon root CA's certificate revocation list. A certificate revocation list (CRL) lists revoked certificates issued by a specific CA; when a certificate is revoked, it is added to the CRL of the CA that issued it. You cannot include the TelStar root CA's certificate in your root CA's CRL because that certificate is self-signed; it was issued by TelStar's root CA, not by yours.
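The import and the chain check from the VPN server's command line, as an added example that is not part of the Transcender explanation. The file paths and the TelStar CA subject name are assumptions; the certutil switches are standard on Windows Server 2008.

```powershell
# Added example (not from the original page): trust TelStar's root on the Verigon VPN
# server and verify that the TelStar VPN server's certificate chains and is not revoked.
# Assumptions: C:\Certs\telstar-root.cer is the TelStar root CA certificate obtained
# out of band; C:\Certs\telstar-vpn.cer is the certificate the TelStar VPN server
# presents; the root's subject is "TelStar Root CA".
$rootCer = 'C:\Certs\telstar-root.cer'
$peerCer = 'C:\Certs\telstar-vpn.cer'

# 0. Compare the thumbprint with the value TelStar communicated before trusting anything.
& certutil.exe -dump $rootCer | Select-String 'Cert Hash'

# 1. Import into the machine's Trusted Root Certification Authorities store.
#    certutil targets the local machine store when run elevated, which is the store
#    the Routing and Remote Access service reads.
& certutil.exe -addstore Root $rootCer

# 2. Only the root belongs in Root. If TelStar has a subordinate issuing CA, place its
#    certificate in the Intermediate store ("CA") so the chain builds even when the
#    peer does not send it during the IKE exchange:
# & certutil.exe -addstore CA 'C:\Certs\telstar-issuing.cer'

# 3. Build the chain the way IKE will, including CRL retrieval (-urlfetch).
#    A revocation failure here means the VPN will still fail after the import,
#    typically because the TelStar CRL distribution point is not reachable from here.
& certutil.exe -verify -urlfetch $peerCer

# 4. Confirm what is now in the Root store under the TelStar name.
& certutil.exe -store Root 'TelStar Root CA'
```

Do the same on the TelStar side with the Verigon root, since a router-to-router L2TP/IPsec connection authenticates both ends.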

Item: 19 (Ref:Cert-70-640.4.4.3)
You are the network administrator of your company. All servers on the network run Windows Server 2008. The company's network consists of a single Active Directory domain, and the client computers all run Windows Vista. You create some custom ADMX language-specific files on your Windows Vista administrative workstation. You want to copy all language-specific ADML files to the central store on the domain controller to ensure that the ADML files are automatically available to all Group Policy administrators in the domain. Which tool can you use to perform this task?

Ntdsutil.exe
Group Policy Object Editor
Xcopy.exe
Group Policy Management Console

Answer: Xcopy.exe

Explanation:
You can use the Xcopy.exe tool to copy ADML files from your Windows Vista administrative workstation to the central store on the domain controller. ADMX files are the language-neutral XML files that define registry-based policy settings; ADML files are the language-specific resource files that supply the display strings for those settings. Together they replace the ADM files that were used in earlier versions of Windows. For ADMX files to be recognized by Group Policy tools such as GPMC and Group Policy Object Editor, you must run those tools on a Windows Vista-based or Windows Server 2008-based computer. ADMX files are not stored in individual Group Policy Objects (GPOs). In a domain environment, you can create a central store of ADMX files that is used by anyone with permission to create or edit GPOs. The central store is a folder in the SYSVOL folder of a domain controller and provides a single storage location for the domain's ADMX and ADML files. Besides the ADMX files shipped with the operating system, you can share a custom ADMX file by copying it to the central store, which makes it available automatically to all Group Policy administrators in the domain. The location for ADML files on a domain controller is the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture] folder; for example, the United States English ADML files go in %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-us. Windows Vista provides no user interface for populating the central store, so you use the Xcopy.exe command-line tool to copy the ADML language resource files from your administrative workstation to the central store on the domain controller.

You can use the following syntax:
xcopy %systemroot%\PolicyDefinitions\EN-US\* %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions\EN-US\
Once a central store exists, the Group Policy editor reads templates from it exclusively and ignores the local PolicyDefinitions folder, so the store must also contain the ADMX files themselves (copy the .admx files from %systemroot%\PolicyDefinitions into the PolicyDefinitions folder of the store as well); an ADML file is only used when the ADMX it belongs to is present. Like the rest of SYSVOL, the copied files then replicate to the other domain controllers in the domain.

The options Ntdsutil.exe, Group Policy Object Editor, and Group Policy Management Console are incorrect because these tools cannot copy ADMX language resource files from your Windows Vista administrative workstation to the central store on your domain controller.
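A complete population of the central store, including the consistency check a practitioner wants before handing the store to other administrators. This is an added example and not part of the Transcender explanation; it assumes the custom files are already installed in the workstation's local PolicyDefinitions folder and that the script runs on the Vista workstation as a domain administrator.

```powershell
# Added example (not from the original page): create the central store and copy every
# ADMX file plus all language folders from the administrative workstation.
# Copying only the custom files is a classic mistake: once the store exists, the
# editor stops reading local templates, so the built-in ones would vanish.
# Assumptions: run on the Vista workstation as a domain admin; the custom files sit
# in %systemroot%\PolicyDefinitions (*.admx) and its language subfolders (*.adml).
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "$env:LOGONSERVER\sysvol\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"

if (-not (Test-Path $store)) {
    New-Item -ItemType Directory -Path $store | Out-Null
}

# /S copies the language subfolders (en-US, de-DE, ...), /I treats the target as a
# directory, /Y overwrites without prompting, /D copies only files that are newer.
& xcopy.exe "$source\*" $store /S /I /Y /D

# Sanity check: every ADMX needs a matching ADML in each language folder served from
# the store; a missing one shows up in the editor as "Resource '$(string...)' not found".
$languages = Get-ChildItem $store | Where-Object { $_.PSIsContainer }
foreach ($admx in Get-ChildItem $store -Filter *.admx) {
    foreach ($lang in $languages) {
        $adml = Join-Path $lang.FullName ($admx.BaseName + '.adml')
        if (-not (Test-Path $adml)) {
            Write-Warning "$($admx.Name): no $($lang.Name) ADML in the central store"
        }
    }
}
```

The store is written to the logon server only; SYSVOL replication carries it to the remaining domain controllers, so a GPO editor pointed at another DC may lag until that replication completes.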

Item: 20 (Ref:Cert-70-640.2.3.5)
Your company's corporate network consists of two Active Directory domains that span three sites as shown in the following image:

The network is fully routed. Users from Site2 often have to travel to the office in Site3 with their portable computers. These users report that when they connect to the network in Site3, it takes 5 to 10 minutes to log on to their domain. You want to minimize the time it takes for users to log on to their domain. Your solution should not involve additional expense and should not reduce the availability and reliability of the existing network services. Which of the following should you do?
Merge Site2 and Site3 into a single site.
Change the cost of the link between Site2 and Site3 to 300.
Move a domain controller from Site2 to Site3.
Reconfigure a domain controller in Site3 to belong to the domain2.com domain.

Answer:

Change the cost of the link between Site2 and Site3 to 300.

Explanation:
Users in Site2 belong to the domain2.com domain. There are no domain controllers for this domain in Site3. Therefore, logon requests to the domain2.com domain are routed from Site3 to Site2. When site links form multiple paths between two sites, logon requests are sent over the path with the lowest total site link cost. In this scenario, the cost of the direct site link between Site2 and Site3 is 200, whereas the combined cost of the alternative route through Site1 is 250. Therefore, the logon requests from Site3 to domain controllers in Site2 are sent over the slow direct communications link. To minimize the logon time for domain2.com users who log on from Site3, their logon requests should be sent over the faster communications links through Site1. To accomplish this task, you should increase the cost of the site link between Site2 and Site3 to a value greater than 250.

If you merged Site2 and Site3 into a single site, then logon requests to the domain2.com domain would be routed within that site over the 56-Kbps WAN link. If you moved a domain2.com domain controller from Site2 to Site3, then the domain2.com domain controllers would have to replicate over the slow link between Site2 and Site3. Additionally, if the remaining domain controller in Site2 failed or had to be shut down for maintenance, then users in Site2 would have to log on over the slow link to the domain controller that you moved to Site3.

If you reconfigured a domain controller in Site3 to belong to the domain2.com domain, then the reliability and availability of network services for domain1.com users in Site3 might be adversely affected because only one domain1.com domain controller would be left in Site3. If that domain controller failed, then domain1.com users in Site3 would have to connect to a domain controller in Site1 in order to log on. The increased volume of network traffic between Site1 and Site3 might result in increased expenses for the use of the WAN link between these sites.
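The explanation turns on one rule: with several paths between two sites, traffic follows the path whose site link costs add up to the smallest total. The PowerShell below is an added example, not part of the Transcender text, that computes that lowest-cost path over a small site-link graph and shows why raising the direct Site2-Site3 cost from 200 to 300 moves the path through Site1. The question gives only the direct cost (200) and the total via Site1 (250); the 100/150 split of that 250 is a constructed assumption. The model ignores replication schedules, site link bridges and the DC locator's site coverage, which also influence real-world behaviour.

```powershell
# Added example, not from the Transcender text: lowest total site-link cost path between two
# sites, the rule Active Directory applies when several paths exist. Assumes site-link
# bridging (transitive site links), which is the default.
function Get-LowestCostPath {
    param(
        [hashtable[]]$SiteLinks,   # each entry: @{ Sites = @('SiteA','SiteB'); Cost = 100 }
        [string]$From,
        [string]$To
    )
    # Undirected adjacency list; a site link that lists more than two sites
    # connects every pair of its members at the link's cost.
    $adj = @{}
    foreach ($link in $SiteLinks) {
        foreach ($a in $link.Sites) {
            if (-not $adj.ContainsKey($a)) { $adj[$a] = @() }
            foreach ($b in $link.Sites) {
                if ($a -ne $b) { $adj[$a] += ,@{ Site = $b; Cost = $link.Cost } }
            }
        }
    }
    # Dijkstra over the site graph.
    $dist = @{}
    $dist[$From] = 0
    $prev = @{}
    $unvisited = New-Object System.Collections.ArrayList
    [void]$unvisited.AddRange(@($adj.Keys))
    while ($unvisited.Count -gt 0) {
        # Next site to settle: the unvisited one with the smallest known cost.
        $candidates = @($unvisited | Where-Object { $dist.ContainsKey($_) } |
                        Sort-Object { $dist[$_] } | Select-Object -First 1)
        if ($candidates.Count -eq 0) { break }   # everything left is unreachable
        $current = $candidates[0]
        $unvisited.Remove($current)
        if ($current -eq $To) { break }
        foreach ($edge in $adj[$current]) {
            $alt = $dist[$current] + $edge.Cost
            if (-not $dist.ContainsKey($edge.Site) -or $alt -lt $dist[$edge.Site]) {
                $dist[$edge.Site] = $alt
                $prev[$edge.Site] = $current
            }
        }
    }
    if (-not $dist.ContainsKey($To)) { return $null }
    # Walk the predecessor chain back from $To to $From.
    $path = @($To)
    while ($prev.ContainsKey($path[0])) { $path = @($prev[$path[0]]) + $path }
    New-Object PSObject -Property @{ From = $From; To = $To; Cost = $dist[$To]; Path = ($path -join ' -> ') }
}

# Constructed costs: the question states only the direct Site2-Site3 cost (200) and the
# total via Site1 (250); splitting that 250 into 100 + 150 is an assumption.
$links = @(
    @{ Sites = @('Site1','Site2'); Cost = 100 },
    @{ Sites = @('Site1','Site3'); Cost = 150 },
    @{ Sites = @('Site2','Site3'); Cost = 200 }
)
'Before the change:'
Get-LowestCostPath -SiteLinks $links -From 'Site3' -To 'Site2' | Format-Table From, To, Cost, Path -AutoSize

$links[2].Cost = 300   # the answer: make the direct link cost more than the 250 route via Site1
'After raising the Site2-Site3 cost to 300:'
Get-LowestCostPath -SiteLinks $links -From 'Site3' -To 'Site2' | Format-Table From, To, Cost, Path -AutoSize
```

The first call settles on the direct link (total 200) and the second on Site3 -> Site1 -> Site2 (total 250), which is the reasoning in the explanation. Any value above 250 for the direct link has the same effect; 300 is simply the option offered.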

Item: 21 (Ref:Cert-70-640.2.4.7)
You are the network administrator for the Verigon corporation. Your company consists of a central office in Atlanta and branch offices in Birmingham and Charlotte connected through a private WAN link. Each office has a domain controller that is configured as a global catalog server. Each office has a file server called SRV1 that contains sales records for each office.

There are approximately 1,200 users in each office. The network consists of a single Active Directory forest. Each office is its own separate domain, and a separate site is configured for each office. All servers run Windows Server 2008. Users in Charlotte report that access to spreadsheets on srv1.verigon.com in Atlanta is slow. You monitor the WAN link between Atlanta and Charlotte and discover that the slow network performance occurs during Active Directory replication between the sites. You must minimize the WAN bandwidth use without affecting the ability of branch office users to log on even if the WAN link is temporarily unavailable. What should you do?

- Reduce the replication interval on the Atlanta to Charlotte site link.
- Make srv1.chl.verigon.com an additional Global Catalog server in the Charlotte office.
- Increase the replication interval on the Atlanta to Charlotte site link.
- Enable universal group caching in the Charlotte office.

Answer: Increase the replication interval on the Atlanta to Charlotte site link.

Explanation:
You should increase the replication interval on the site link. An Active Directory site is a logical object that represents a group of relatively well-connected computers. A site link is a logical object that represents a physical connection between the sites listed in that link. Within a site, replication occurs almost immediately after a change is made to Active Directory. Replication between sites occurs on a schedule, which indicates when the site link is available. The replication interval on a site link indicates how often inter-site Active Directory replication occurs during the times that the site link is available. By default, a site link is always available, and the replication interval is set to three hours. To minimize the WAN bandwidth used for replication, you should increase the replication interval on the site link so that inter-site replication occurs less frequently. For example, if the replication interval between SiteA and SiteB is 180 minutes, increasing it to 360 minutes will generate fewer replication sessions and use less bandwidth. The total amount of Active Directory data that must be replicated between two sites does not depend on replication frequency. However, each replication session involves communication overhead, that is, additional traffic caused by establishing the session.

You should not reduce the replication interval on the site link. Reducing the replication interval causes replication between the two sites to occur more frequently, which consumes more WAN bandwidth. For example, if the replication interval between SiteA and SiteB is 180 minutes, decreasing it to 90 minutes will generate more replication sessions and use more bandwidth. When you have multiple sites, reducing the replication interval between a pair of sites ensures that the data between those sites is more up to date than between other sites.

You should not increase the number of Global Catalog servers in the branch office. For each Active Directory partition, only one domain controller in each of the two sites is designated as a bridgehead, and replication occurs only between those bridgeheads. Therefore, changing the number of Global Catalog servers in any of the sites would not have any effect on the volume of inter-site replication, as long as there was at least one Global Catalog server in each site. Because the domain controllers in different sites belong to different domains in this scenario, the domain partition for the central office domain is replicated between the sites only to Global Catalog servers. Therefore, you could reduce the amount of inter-site replication traffic by removing all Global Catalog servers from the branch office site. To enable users in the branch office to log on in the absence of WAN connectivity, you could configure universal group membership caching for the branch office site. However, it is recommended that at least one Global Catalog server be deployed to each site that has 100 or more users. You should not create an additional site link between the two sites. A site link is a logical object that is intended to represent a physical connection. Creating an additional site link between two sites that are connected through a single WAN link would not reduce the amount of replication traffic that passes through that link.

Item: 22 (Ref:Cert-70-640.2.4.11)
You are the administrator for your company. The company has a single forest with multiple domains and sites, as shown in the exhibit. (Click the Exhibit(s) button.) You create a user account on dc1.domain1.com that will be granted the Log on as a service right on an application server. You want to immediately force replication to other domain controllers in Site1.

What tool should you use to force replication?

- Rsnotify
- Replmon
- Active Directory Domains and Trusts
- gpupdate /force

Answer: Replmon

Explanation:
You should use Replmon to force replication. You can use Repadmin, Replmon, or Active Directory Sites and Services to force intrasite replication. You should not use Rsnotify. This command is a remote storage recall notification program on a Windows operating system. This command will not force replication. You should not use Active Directory Domains and Trusts to force replication of Active Directory. Active Directory Domains and Trusts can be used to raise the functional level of the forest or domain. You can use this tool to create trusts between domains, but you cannot use this tool to force replication. You cannot use the gpupdate /force command to force replication. You can use the gpupdate /force command to force a change from a group policy object or local security on a computer or user.

Item: 23 (Ref:Cert-70-640.3.4.7)
You are the systems administrator for your company, a plastic container manufacturer and distributor. The company's network consists of a single Active Directory forest. The network contains an Internet Information Services (IIS) server that hosts a Web application that allows users to purchase your company's products online. Your company has a partner organization, a graphic design firm that designs your company's products. The partner company has its own Active Directory forest. You are required to enable users in the partner organization to access your Web application without being prompted for secondary credentials. Which Windows Server 2008 server role should you install in your network to provide Web-based Single-Sign-On (SSO) capabilities to users in the partner organization?
- Active Directory Rights Management Services (AD RMS)
- Active Directory Federation Services (AD FS)
- Active Directory Lightweight Directory Services (AD LDS)
- Active Directory Directory Services (AD DS)

Answer: Active Directory Federation Services (AD FS)

Explanation:
You should install the Active Directory Federation Services (AD FS) role service in your network to provide Web-based Single-Sign-On (SSO) capabilities to users in the partner organization. AD FS is an identity access solution that allows browser-based clients to access one or more protected Internet-facing applications without being prompted for secondary credentials, even if the user accounts and applications are located in completely different networks or organizations. In any given federation relationship, the business partners can be identified as either a resource organization or an account organization. The account organization is the one that owns and manages user accounts. The resource organization is the one that owns and manages resources that are accessible from the Internet. Users from the account organization can access AD FS-enabled applications in the resource organization. AD FS provides a Web-based SSO solution that authenticates users to multiple Web applications during a single browser session. When you install AD FS, you can configure its trust policy by using the AD FS snap-in to specify the list of partners with whom you want to federate. AD FS supports three types of claims: organization or identity claims, group claims, and custom claims. Claims are statements about users that are carried within security tokens and are used by Web applications to make authorization decisions. Claims originate from either an account store or an account partner.

You should not install the Active Directory Rights Management Services (AD RMS) role service. AD RMS is used to protect information from unauthorized use. AD RMS does not provide Web-based SSO capabilities to enable browser-based clients to access one or more protected Internet-facing applications without being prompted for secondary credentials, if the user accounts and applications are located in different networks or organizations.

You should not install the Active Directory Lightweight Directory Services (AD LDS) role service. AD LDS provides a store for application-specific data for directory-enabled applications that do not require the infrastructure of Active Directory Domain Services (AD DS). AD LDS does not provide Web-based SSO capabilities to enable browser-based clients to access one or more protected Internet-facing applications without being prompted for secondary credentials. You should not install the AD DS role service. AD DS stores information about objects on the network and makes this information available to users and network administrators. AD DS uses domain controllers to provide network users with access to permitted resources anywhere on the network through a single logon process. AD DS does not provide Web-based SSO capabilities to enable browser-based clients to access one or more protected Internet-facing applications without being prompted for secondary credentials, if the user accounts and applications are located in different networks or organizations.

Item: 24 (Ref:Cert-70-640.3.3.4)
You are the network administrator for your company. Your company's network has a single Active Directory domain with over 700 user accounts and 800 computer accounts. You have one main office and four branch offices. Each office is configured as its own Active Directory site. One of the branch offices has a read-only domain controller (RODC). A technician named Mike who usually works in the main office, travels to the branch office which has the RODC. Mike is investigating why the WAN link that connects the branch office to the main office is offline. When Mike attempts to log on to the domain with his portable computer, the logon attempt fails. Mike's user account is configured in the Password Replication Policy. After fixing the WAN link, Mike is able to log on to the domain. If the WAN link goes down again and you have to dispatch another technician, you want the technician to be able to log on to the domain even if the WAN link is down. Your solution must be inexpensive and use little bandwidth. What must you do?
- Install a global catalog server on the RODC.
- Have the technician use Repadmin to force replication.
- Have the technician restart the Workstation service on his portable computer and log on again.
- Prepopulate the password cache of the RODC in the branch office with the password of the technician and the technician's portable computer.

Answer: Prepopulate the password cache of the RODC in the branch office with the password of the technician and the technician's portable computer.

Explanation:
You should prepopulate the password cache of the RODC in the branch office with the password of the technician and the technician's portable computer. The Password Replication Policy lists the accounts that are permitted to be cached, and the accounts that are explicitly denied from being cached. The Password Replication Policy is configured and enforced on a writable domain controller. When the technician logs on at the branch office, the RODC contacts the writable domain controller at the main office. If the Password Replication Policy allows it, the RODC caches the technician's password. However, if the WAN link is offline when the technician attempts to log on, then the technician's logon attempt will fail because the RODC has not yet replicated the password for the account. You can avoid this problem by prepopulating the password cache of the RODC in the branch office with the password of the technician and the technician's computer. Prepopulating the password cache eliminates the need for the RODC to replicate the password from a Windows Server 2008 domain controller over the WAN link. Prepopulating the password cache requires no extra bandwidth.

You should not install a global catalog server on the RODC. A global catalog server is a domain controller that provides the ability to locate objects from any domain without having to know the domain name. The global catalog server contains a writable domain directory partition replica of its host domain and also stores a partial, read-only replica of all other domain directory partitions in the forest. Adding a global catalog server to the RODC will not eliminate the problem of the technician's password not being cached if the user has not logged on at the branch office before the WAN link has gone down. Adding a global catalog server will also increase the bandwidth requirements of the WAN link because the global catalog server must replicate with other global catalog servers.

You should not have the technician use Repadmin to force replication. You will not be able to force replication if the WAN link is down. You should not have the technician restart the Workstation service on his computer and log on again. The Workstation service creates and maintains client network connections to remote servers. The error is not occurring because the technician cannot contact the RODC, but because the RODC cannot authenticate the technician.
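The explanation names the mechanism but not the command. Prepopulating an RODC's cache is done with repadmin /rodcpwdrepl, which replicates the secrets for the named accounts from a writable DC to the RODC now, while the WAN link is still up; it succeeds only for accounts the Password Replication Policy allows. The PowerShell below is an added example, not from the Transcender text: it wraps that command for a user and that user's computer account and then lists what the RODC caches with repadmin /prp view ... reveal. The RODC, hub DC and distinguished names are placeholders; the question does not name them.

```powershell
# Added example, not from the Transcender text: prepopulate an RODC's password cache for a
# technician's user and computer accounts, then confirm the result. All names are placeholders.
function Add-RodcCachedCredential {
    param(
        [Parameter(Mandatory = $true)][string]$Rodc,        # RODC in the branch office
        [Parameter(Mandatory = $true)][string]$HubDc,       # writable DC that holds the secrets
        [Parameter(Mandatory = $true)][string[]]$AccountDn  # user and/or computer DNs to cache
    )
    # repadmin /rodcpwdrepl <RODC> <source DC> <DN> [<DN> ...] replicates the accounts' secrets
    # to the RODC immediately. Accounts outside the PRP's Allowed list are refused, so the
    # technician and the laptop must already be listed there (as the question states for Mike).
    & repadmin.exe /rodcpwdrepl $Rodc $HubDc $AccountDn
    if ($LASTEXITCODE -ne 0) {
        throw "repadmin /rodcpwdrepl failed with exit code $LASTEXITCODE"
    }
}

function Get-RodcCachedAccounts {
    param([Parameter(Mandatory = $true)][string]$Rodc)
    # 'reveal' lists the accounts whose passwords are currently cached on the RODC.
    & repadmin.exe /prp view $Rodc reveal
}

$rodc  = 'BRANCH-RODC'   # placeholder
$hubDc = 'DC1'           # placeholder: any writable Windows Server 2008 DC in the domain
$accounts = @(
    'CN=Mike,OU=Technicians,DC=example,DC=com',      # placeholder user DN
    'CN=MIKE-LAPTOP,OU=Laptops,DC=example,DC=com'    # placeholder computer account DN
)

Add-RodcCachedCredential -Rodc $rodc -HubDc $hubDc -AccountDn $accounts
# Show only the two entries we care about from the reveal list.
Get-RodcCachedAccounts -Rodc $rodc | Select-String -SimpleMatch -Pattern 'Mike', 'MIKE-LAPTOP'
```

Run it from a machine with repadmin.exe (a DC or a workstation with the Remote Server Administration Tools) as a domain administrator, before the technician travels. Caching the computer account matters as much as the user account: the laptop's own domain logon must also be satisfied locally while the link is down.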

Item: 25 (Ref:Cert-70-640.3.3.9)
You are the network administrator for your company. The company's network consists of a single Active Directory domain. The servers on the network run Windows Server 2008 and Windows Server 2003. The company's network contains a domain controller, named DC1, which runs Windows Server 2008. The company opens a new branch office that will be used by employees in the Marketing department. The branch office is located in a physically insecure location. You are in the process of installing a server in the branch office. You want to meet the following requirements:

1. Users' logon requests are serviced locally.
2. Users' credentials are not misused if the server is compromised.
3. Network traffic between the main office and the branch office is reduced.

What should you do to achieve the desired goals?

- Install Active Directory Domain Services (AD DS) in the branch office.
- Install a read-only domain controller (RODC) in the branch office.
- Install Active Directory Federation Services (AD FS) in the branch office.
- Install Active Directory Lightweight Directory Services (AD LDS) in the branch office.

Answer: Install a read-only domain controller (RODC) in the branch office.

Explanation:
You should install a read-only domain controller (RODC) in the branch office. An RODC is a new type of domain controller in Windows Server 2008 that hosts a read-only replica of the Active Directory database. An RODC allows you to easily deploy a domain controller at locations where physical security cannot be guaranteed, such as branch office locations or an extranet. The RODC provides various new functionalities, such as credential caching, unidirectional replication, and the Read-Only Partial Attribute Set, which can be used to mitigate problems related to physical security, network bandwidth, and so on. The Read-Only Partial Attribute Set is also referred to as the Filtered Partial Attribute Set. Credential caching is the storage of user or computer credentials. You can configure the Password Replication Policy on a writable domain controller to specify whether an RODC should be allowed to cache a password. The Read-Only Partial Attribute Set can be used to prevent replication of sensitive information. Active Directory Domain Services (AD DS) maintains a list of all credentials that are stored on RODCs, which allows an administrator to force a password reset for all user credentials stored on an RODC if the RODC is ever compromised. By allowing caching of credentials, requirement 1 would be met since authentication could then be performed locally on the RODC. By forcing a password reset from the AD DS in the main office, the credentials could be protected to meet requirement 2. By performing logons locally, traffic between the main office and the branch office could be reduced, which would meet requirement 3.

You should not install AD DS in the branch office. AD DS hosts a writable Active Directory database. AD DS stores information about objects on the network and makes this information available to users and network administrators. AD DS also replicates this information to other domain controllers, which takes a considerable amount of network bandwidth. In addition, AD DS is not recommended for installation at physically insecure locations. You should not install Active Directory Federation Services (AD FS) in the branch office. AD FS provides simplified, secure identity federation and Web Single-sign-on (SSO) capabilities. AD FS cannot be used to meet the requirements specified in this scenario. You should not install Active Directory Lightweight Directory Services (AD LDS) in the branch office. AD LDS provides a store for application-specific data for directory-enabled applications that do not require the infrastructure of AD DS. AD LDS cannot be used to meet the requirements specified in this scenario.

Item: 26 (Ref:Cert-70-640.3.2.5)
You are the network administrator for a city government. The city government's network has a single domain with Windows 2000 servers, Windows 2003 servers, and Windows 2008 servers. (Click on the Exhibit(s) button.) Client computers are running Windows XP and Windows Vista. All domain controllers run Windows Server 2003 or Windows Server 2008. You want to deploy Active Directory Rights Management System (AD RMS) to secure all documents, spreadsheets and to provide user authentication. You have a limited budget. What must you configure to complete the deployment of AD RMS?

- Upgrade all client computers to Windows Vista. Install AD RMS on DC1.
- Ensure that all Windows XP computers have the latest service pack and install the RMS client on all Windows XP computers. Install AD RMS on DC1.
- Upgrade all client computers to Windows Vista. Install AD RMS on SRV5.
- Ensure that all Windows XP computers have the latest service pack and install the RMS client on all Windows XP computers. Install AD RMS on SRV5.

Answer: Ensure that all Windows XP computers have the latest service pack and install the RMS client on all Windows XP computers. Install AD RMS on SRV5.

Explanation:
You should ensure that all Windows XP computers have the latest service pack, install the RMS client on all Windows XP computers, and install AD RMS on SRV5 to achieve the objective in this scenario. You can only deploy the AD RMS on a member server in the domain. You cannot deploy AD RMS on a server that does not run the Windows Server 2008 operating system. You can deploy AD RMS on a domain controller, but not on one that is running Windows Server 2003. Windows Vista includes the RMS client by default. However, operating systems released before Windows Vista and Windows Server 2008 do not have the RMS client installed. To use the AD RMS service on a Windows XP operating system, you can download and install the RMS client from the Microsoft Download Center (Microsoft Windows RMS with Service Pack 2 (SP2)). By using AD RMS, you can protect the documents for AD RMS-enabled applications by providing appropriate user rights and permissions to the documents, such as copy, edit, view, and print. To install AD RMS in Windows Server 2008, perform the following steps:

1. Click Start, click Administrative Tools, and click Server Manager.
2. In the Server Manager window, click Add Roles.
3. Highlight AD RMS and click Next to complete the installation.

You should not upgrade all computers to Windows Vista to achieve the objective in this scenario. Upgrading all client computers to Windows Vista will make the AD RMS services available, as Windows Vista has the default RMS client installed on it. However, it cannot be done with minimum administrative effort, and it would add additional cost.

Item: 27 (Ref:Cert-70-640.4.3.4)
Your corporate network consists of a single Active Directory domain. All client computers run either Windows 2000 Professional or Windows XP Professional. All servers run Windows Server 2008. An organizational unit (OU) exists for each department. In each of the departmental OUs, there are two child OUs: one OU contains the user objects for that department's employees, and the other OU contains the computer objects for the client computers that are assigned to that department. Each user can log on to the domain from different client computers in different departments. To meet the requirements that are stipulated in a written security policy, a logon script must be run whenever a user logs on to the domain. One logon script must be run on all Windows XP computers, and another logon script must be run on all Windows 2000 computers. You have created one Group Policy object (GPO) for each of the two operating systems, and you have named the GPOs XP and W2K. Now you must apply the GPOs to the appropriate computers. You must also minimize the number of links for each GPO. Which of the following should you do?

- Create two groups named XP and W2K, add the computer accounts of all Windows XP Professional computers to the XP group, and add the computer accounts of all Windows 2000 Professional computers to the W2K group. Assign the Allow - Apply Group Policy permission to each group for the appropriate GPO. Link both GPOs to the domain.
- In each of the GPOs, specify the appropriate WMI filter, link both GPOs to the domain, and do nothing else.
- In each of the GPOs, specify the appropriate WMI filter and enable the loopback processing mode. Link both GPOs to the domain.
- In each OU that contains departmental client computers, create two child OUs. Move all computer objects for that department's Windows 2000 Professional computers into one child OU, and move all computer objects for that department's Windows XP Professional computers into the other child OU. Link the XP GPO to each child OU that contains Windows XP Professional computers; link the W2K GPO to each child OU that contains Windows 2000 Professional computers.

Answer: In each of the GPOs, specify the appropriate WMI filter and enable the loopback processing mode. Link both GPOs to the domain.

Explanation:
There are two types of GPO policies: computer-specific and user-specific. By default, computer-specific policies apply to computer objects, and user-specific policies apply to user objects. To apply a GPO, it must be linked to a site, domain, or OU that contains the targeted user or computer objects. The default scope of a GPO can be filtered by assigning the Deny - Apply Group Policy permission for the GPO to the users or computers to which the GPO should not apply. Another means of filtering the default scope of a GPO is Windows Management Instrumentation (WMI) filters. By using WMI Query Language, you can define a filter that will cause a GPO to apply only to specific computers, such as those that run a specific operating system, have specific names, and so on.

In this scenario, you are required to target specific computers with a logon script, which is a user-specific policy. This task can be accomplished by using the loopback processing mode, which is an advanced feature that enables you to apply user-specific policies that are configured in GPOs that target computer objects to all users of those computers. You should link both GPOs to the domain so that they apply to all computers in the domain. In the XP GPO, you should specify the WMI filter that targets computers that run Windows XP Professional. Windows 2000 Professional computers cannot read a WMI filter. In the W2K GPO, you should specify the WMI filter that targets computers that do not run Windows XP Professional. The W2K GPO will not apply to the Windows XP Professional computers. In both GPOs, you should enable the User Group Policy loopback processing mode policy. Doing so will apply the logon script policies in the GPOs to all users who log on to the domain from the computers that are targeted by these GPOs. You can set the loopback policy to Replace if you do not want any GPOs that target a current user to be applied. If you want a current user to be subject to user-specific policies in the GPOs that target both the user and the computer, then you should set the loopback policy to Merge.

None of the other options in this scenario involves using the loopback processing mode, which is necessary in order to apply a user-specific policy that is configured in a GPO that targets computers.
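The explanation describes the two WMI filters but not what they look like or how to check them. A Group Policy WMI filter is a WQL query against the computer's WMI repository, and the GPO applies when the query returns at least one object. The PowerShell below is an added example, not from the Transcender text: it evaluates an XP filter and a "not XP" filter against a computer in the same way Group Policy does, using Get-WmiObject. The filter text is an assumption written to match the explanation's intent (Win32_OperatingSystem.Version is 5.1.x on Windows XP and 5.0.x on Windows 2000; ProductType 1 limits the match to workstations). As the explanation notes, Windows 2000 cannot evaluate WMI filters, so on those machines the filter is ignored and the GPO applies regardless; running the check from an XP or newer machine shows what the filter itself selects.

```powershell
# Added example, not from the Transcender text: evaluate GPO WMI filters the way Group
# Policy does (a filter matches when its WQL query returns at least one instance).
# The filter queries are assumptions that match the explanation's intent, not the
# question's own text.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory = $true)][string]$Query,   # WQL, as typed into the WMI filter
        [string]$ComputerName = '.'                       # '.' = the local computer
    )
    $hits = @(Get-WmiObject -Query $Query -ComputerName $ComputerName -ErrorAction Stop)
    return ($hits.Count -gt 0)
}

# Win32_OperatingSystem.Version is the kernel version: 5.0.x = Windows 2000, 5.1.x = Windows XP.
# ProductType = 1 keeps servers out even if they share a kernel version.
$xpFilter  = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" AND ProductType = 1'
$w2kFilter = 'SELECT * FROM Win32_OperatingSystem WHERE NOT Version LIKE "5.1%" AND ProductType = 1'

function Show-GpoScope {
    param([string]$ComputerName = '.')
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $gpos = @(
        @{ Name = 'XP';  Filter = $xpFilter },
        @{ Name = 'W2K'; Filter = $w2kFilter }
    )
    foreach ($gpo in $gpos) {
        $applies = Test-WmiFilter -Query $gpo.Filter -ComputerName $ComputerName
        '{0,-4} GPO {1} to {2} ({3}, version {4})' -f $gpo.Name,
            $(if ($applies) { 'applies' } else { 'does not apply' }),
            $os.CSName, $os.Caption, $os.Version
    }
}

Show-GpoScope                         # the computer you are on
# Show-GpoScope -ComputerName 'PC01'  # a remote computer (placeholder name), needs WMI rights
```

Exactly one of the two GPOs should report "applies" on any given workstation; if both or neither do, the filters overlap or leave a gap, which is the condition to catch before linking the GPOs at the domain level with loopback processing enabled, since at that point every user who logs on to the machine receives the script.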

Item: 28 (Ref:Cert-70-640.2.1.2)
You are the network administrator for a company that manufactures auto parts. Your company has a single forest with multiple domains. All domain controllers run either Windows Server 2003 or Windows 2000 Server. You want to install a Windows Server 2008 domain controller in a child domain. What three actions will you need to perform? (Choose three.)

- Ensure that you are a member of the Enterprise Admins, Schema Admins, and Domain Admins groups.
- Log on to the schema master and run adprep /forestprep.
- Log on to the domain naming master and run adprep /forestprep.
- Log on to the PDC emulator in the domain and run adprep /domainprep /gpprep.
- Log on to the infrastructure master in the domain and run adprep /domainprep /gpprep.

Answer: Ensure that you are a member of the Enterprise Admins, Schema Admins, and Domain Admins groups. Log on to the schema master and run adprep /forestprep. Log on to the infrastructure master in the domain and run adprep /domainprep /gpprep.

Explanation:
To add a Windows Server 2008 domain controller to a forest that has domain controllers running Windows 2000 Server or Windows Server 2003, you must update the Active Directory schema from the domain controller that hosts the schema master role. You should run adprep /forestprep on the schema master. You must be a member of the Enterprise Administrators group and Schema Administrators group to perform this task. You must also prepare the domain that will have the Windows Server 2008 domain controller installed by running adprep /domainprep /gpprep from the domain controller that hosts the infrastructure master in that domain. You will get an error when you run adprep /domainprep /gpprep on Windows 2003 domains, but you can ignore this error. The error occurs because you do not need to use the /gpprep parameter when upgrading a Windows Server 2003 domain, but only when upgrading a Windows 2000 Server domain. You must be a member of the Domain Admins group to perform this task.

When you run either the adprep /forestprep or adprep /domainprep command, you should not use the command version included in either the Windows 2000 Server or Windows Server 2003 media. You must use the version of adprep included in the Windows Server 2008 media in the \sources\adprep folder. You should copy this folder to an existing Windows Server 2003 or Windows 2000 Server domain controller. You should not run adprep /forestprep from the domain naming master. This command must be run from the domain controller that is the schema master in the forest. You should not run adprep /domainprep /gpprep from the PDC emulator. This command must be run from the infrastructure master of that domain.
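Both adprep steps depend on knowing which domain controller holds which operations master role. The PowerShell below is an added example, not from the Transcender text: it reads the fSMORoleOwner attribute of the schema naming context and of the domain's Infrastructure container through the ADSI support built into PowerShell 2.0 (no Active Directory module needed on a Windows Server 2003 DC), resolves each owner to a DNS host name, and tells you whether the machine you are on is the right place to run adprep /forestprep or adprep /domainprep /gpprep. The path to the copied \sources\adprep folder is a placeholder.

```powershell
# Added example, not from the Transcender text: locate the schema master and the current
# domain's infrastructure master so adprep is run on the DC the explanation requires.
# Uses only ADSI, which is available in PowerShell 2.0. $adprep is a placeholder path.
function Resolve-FsmoOwner {
    param([Parameter(Mandatory = $true)][string]$ContainerDn)
    # fSMORoleOwner holds the DN of the role holder's NTDS Settings object. Its parent is the
    # server object, whose dNSHostName attribute is the DC's fully qualified name.
    $container = [ADSI]"LDAP://$ContainerDn"
    $ntdsDn    = [string]$container.fSMORoleOwner
    $serverDn  = $ntdsDn -replace '^CN=NTDS Settings,', ''
    return [string]([ADSI]"LDAP://$serverDn").dNSHostName
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.schemaNamingContext      # CN=Schema,CN=Configuration,DC=...
$domainNc = [string]$rootDse.defaultNamingContext     # the DC's own domain, e.g. DC=child,DC=...

# Schema master: fSMORoleOwner on the schema partition head.
# Infrastructure master: fSMORoleOwner on CN=Infrastructure in the domain partition.
$schemaMaster = Resolve-FsmoOwner -ContainerDn $schemaNc
$infraMaster  = Resolve-FsmoOwner -ContainerDn "CN=Infrastructure,$domainNc"
$localFqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

'Schema master:         {0}' -f $schemaMaster
'Infrastructure master: {0}' -f $infraMaster

# adprep must be the Windows Server 2008 copy from \sources\adprep, copied to the DC.
$adprep = 'C:\adprep\adprep.exe'   # placeholder: wherever you copied the folder

if ($localFqdn -ieq $schemaMaster) {
    'This DC is the schema master. Run first:   {0} /forestprep' -f $adprep
} else {
    'Run adprep /forestprep on {0}, not here.' -f $schemaMaster
}
if ($localFqdn -ieq $infraMaster) {
    'This DC is the infrastructure master of {0}. Run next:   {1} /domainprep /gpprep' -f $domainNc, $adprep
} else {
    'Run adprep /domainprep /gpprep for {0} on {1}, not here.' -f $domainNc, $infraMaster
}
```

The script only reports; it does not launch adprep, because forestprep is a one-time, forest-wide schema change that should be started deliberately by a Schema Admins member after the replication of the previous step has been confirmed. Run it once on each candidate DC while logged on with the group memberships the answer lists.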

Item: 29 (Ref:Cert-70-640.2.4.6)
You are the network administrator for your company. The company has a main office and one branch office. The company's network consists of a single Active Directory domain. The domain controller in the main office is named Server1 and the domain controller in the branch office is named Server2. You install Windows Server 2008 on all servers on the network. You want to configure Distributed File System (DFS) Replication between Server1 and Server2. You install the File Services role with the DFS Replication role service on Server1 and Server2. You want to configure Server1 and Server2 as members of a replication group. Which tool can you use to create a replication group?
Dfsutil.exe
Dfscmd.exe
Dfsradmin.exe
Dfsrdiag.exe

Answer: Dfsradmin.exe

Explanation:
You can use the Dfsradmin.exe tool to create a replication group. DFS Replication is a new, state-based, multimaster replication engine that supports replication scheduling and bandwidth throttling. DFS Replication is the successor of the File Replication service (FRS) that was introduced in the Windows 2000 Server operating system. DFS Replication uses several processes to keep data synchronized on multiple servers. Before you can deploy DFS Replication, you must configure your server as follows:
- Extend the Active Directory Domain Services (AD DS) schema to include Windows Server 2003 R2 or Windows Server 2008 schema additions.
- Ensure that all members of the replication group are running Windows Server 2008 or Windows Server 2003 R2.
- Install the File Services role with the DFS Replication role service on all servers that will act as members of a replication group.
- Install the DFS Management snap-in on a server to manage replication. The server on which you install the DFS Management snap-in cannot run a Server Core installation of Windows Server 2008.
- Ensure that your antivirus software is compatible with DFS Replication.
- Ensure that all servers in a replication group are located in the same forest. You cannot enable replication across servers in different forests.
- Store replicated folders on NTFS volumes.
Replication groups and replicated folders are two important components of DFS Replication. The replication group defines which servers participate in replication. A replicated folder is a folder that is kept synchronized on each member. You can use the Dfsradmin.exe tool to deploy replicated folders. Dfsradmin.exe is a command-line tool that can be used to administer DFS Replication from the command line. The Dfsutil.exe tool is incorrect because this tool cannot be used to create a replication group. The Dfsutil.exe tool allows administrators to perform advanced DFS tasks, such as enabling root scalability mode, least expensive target selection, and same-site target selection. The Dfsutil.exe tool is also useful for determining the size of a namespace, exporting or importing namespaces, checking the site name of a computer or IP address, adding and removing root targets, and updating site information for root servers. When you install Dfsutil.exe on DFS clients, Dfsutil.exe can be used to view and clear the referral cache (PKT cache), domain cache (SPC cache), and MUP cache. The Dfscmd.exe tool is incorrect because this tool cannot be used to create a replication group. The Dfscmd.exe tool allows administrators to perform and script basic DFS tasks, such as configuring DFS roots, links, and targets. The Dfsrdiag.exe tool is incorrect because this tool cannot be used to create a replication group. Dfsrdiag.exe is a command-line tool that can generate a backlog count or trigger a propagation test, both of which show the state of replication.

Item: 30 (Ref:Cert-70-640.4.6.8)
You are the network administrator for a company that makes cookies and baked goods. Your company has a single domain. The domain controllers are a mixture of Windows 2003 Server and Windows Server 2008 computers. Each department has its own Organizational Unit (OU) in the domain. The users in the Accounting OU need to have different password settings than other departments. What should you configure? (Click and drag the steps on the left to the Correct Order area on the right. It may not be necessary to use all the steps provided.)

Explanation:
You should do the following:

In a domain that has the domain functional level set to Windows Server 2008, you can configure fine-grained passwords. With previous domain functional levels, such as Windows 2000 Server and Windows Server 2003, you could only have a single password policy or account lockout policy for all users in the domain. In this scenario, you must first upgrade all domain controllers to Windows Server 2008. Once this task has been completed, you can raise the functional level of the domain to Windows Server 2008. Once the domain functional level has been configured at Windows Server 2008, then you can create a Password Settings Object (PSO). This PSO will contain attributes for Password Policy Settings or Account Lockout Settings. You can configure the appropriate values for the attributes. You can then link the PSO to a user object or a group object. A user or group object can have multiple linked PSOs, either because the object is a member of multiple groups with different PSOs applied to them, or because multiple PSOs are applied directly to the object. However, only one PSO can be applied as the effective password policy, and only the settings from that PSO can affect the user or group. The settings from other PSOs that are linked to the user or group cannot be merged in any way. To ensure that the PSO that you configured is applied as intended, you can set the rank of the PSOs. The PSO with the highest rank applies to the group or user object. The rank is configured by the msDS-PasswordSettingsPrecedence attribute, which has a value of 1 or greater. The lower the value, the higher the rank. For example, if a PSO that is linked to a user has a value of 1, and a PSO that is linked to a group that a user belongs to has a value of 2, then the password settings in the PSO that has the value of 1 apply to the user. You do not have to create a child domain for the accounting users. 
You can create a PSO and link it to a group or user to configure fine-grained passwords if the functional level of your domain is configured at Windows Server 2008. With previous domain functional levels such as Windows 2000 Server and Windows Server 2003, you would have to create another domain if you had a department or group that required different password policies or account lockout policies than other departments or groups.
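An added example, not from the Transcender text: creating the Accounting PSO and linking it to a group with the Active Directory PowerShell module (the RSAT module from Windows Server 2008 R2 or later, which can manage a domain at the Windows Server 2008 functional level), then listing every PSO that reaches a given user together with the one AD actually applies. The group name Accounting, the user jdoe and all policy values are constructed for this example.

```powershell
# Added example: fine-grained password policy for the Accounting department.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function New-AccountingPso {
    param([string]$Name = 'PSO-Accounting', [string]$Group = 'Accounting')  # constructed

    # -Precedence writes msDS-PasswordSettingsPrecedence: a lower value is a higher rank.
    # Every policy attribute is mandatory on a PSO, so all of them are supplied here.
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 12 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
        -ReversibleEncryptionEnabled $false

    # Link the PSO to the group (this populates msDS-PSOAppliesTo on the PSO).
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
}

function Get-PsoCandidates {
    # Lists every PSO linked to the user directly or through any (nested) group,
    # then shows which one AD resolves as the effective policy.
    param([string]$SamAccountName)

    $user  = Get-ADUser -Identity $SamAccountName -Properties 'msDS-PSOApplied'
    $links = @()
    foreach ($dn in $user.'msDS-PSOApplied') { $links += @{ Pso = $dn; Via = 'user' } }

    # LDAP_MATCHING_RULE_IN_CHAIN expands nested group membership in a single query.
    $filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $groups = Get-ADGroup -LDAPFilter $filter -Properties 'msDS-PSOApplied'
    foreach ($g in $groups) {
        foreach ($dn in $g.'msDS-PSOApplied') { $links += @{ Pso = $dn; Via = $g.Name } }
    }

    $candidates = foreach ($l in $links) {
        $pso = Get-ADFineGrainedPasswordPolicy -Identity $l.Pso
        New-Object PSObject -Property @{
            Name = $pso.Name; Precedence = $pso.Precedence; LinkedVia = $l.Via
        }
    }

    # Resolution rule: a PSO linked directly to the user outranks any group-linked PSO;
    # among PSOs of the same kind the lowest precedence value wins. Settings are never merged.
    $candidates | Sort-Object Precedence | Format-Table Name, Precedence, LinkedVia -AutoSize

    $effective = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($effective) { "Effective PSO: $($effective.Name)" }
    else            { 'Effective PSO: none (the domain password policy applies)' }
}

# Usage (constructed):
# New-AccountingPso
# Get-PsoCandidates -SamAccountName 'jdoe'
```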

Item: 31 (Ref:Cert-70-640.6.1.4)
You administer your company's network. The network consists of a single Active Directory domain. All servers run Windows Server 2008, and all client computers run Windows Vista. The network contains an enterprise issuing certification authority (CA). The company's written security policy stipulates that certificates for administrators, key recovery agents and EFS recovery agents are restricted; they can be issued only after approval by one of the specially designated administrators. Other types of certificates do not have to be approved. You create a security group named SpecialAdmins and add the accounts of the users who will approve the certificates to the group. You must enforce the company policy. Which of the following should you do?
Assign the Allow - Full Control permission for the restricted certificate templates to the SpecialAdmins group.
Enable role separation for the CA, and assign the SpecialAdmins group to the CAAdministrator role.
Assign the Allow - Issue and Manage Certificates permission for the CA to the SpecialAdmins group.
Enable the Number of authorized signatures option, and specify 1 on the Issuance Requirements tab of the restricted templates' Properties sheets.

Answer: Assign the Allow - Issue and Manage Certificates permission for the CA to the SpecialAdmins group.


Explanation:
By default, the Enterprise Admins group in the forest root domain, the Domain Admins group in the domain to which an enterprise CA belongs, and the local Administrators group on the CA are assigned the Allow - Issue and Manage Certificates and Allow - Manage CA permissions for the CA. The latter permission provides the ability to assign permissions for the CA. To enable members of the SpecialAdmins group to approve certificates, you should assign the group the Allow - Issue and Manage Certificates permission for the CA. This permission allows a user to approve certificate enrollment and revocation requests. You should also duplicate the Administrator and EFS Recovery Agent certificate templates because they are version 1 templates, which are read-only and therefore cannot be configured. The duplicates, as well as the Key Recovery Agent template, are version 2 templates, which support the requisite functionality. On the Issuance Requirements tab of the Properties sheets for those templates, you should select CA certificate manager approval. When users submit requests for the certificates that are based on any of those templates, their requests will be considered as pending and will be approved or denied manually by members of the SpecialAdmins group. Members of the SpecialAdmins group do not require any permissions for the restricted certificate templates in order to be able to approve requests for certificates based on those templates. By default, the Manage CA permission allows an administrator to perform any activity on the CA, including assigning permissions for the CA. To maintain proper security, you might want to remove the Issue and Manage Certificates permission from the groups that are assigned it by default. However, any member of those groups has the authority to assign it to himself or herself again. To prevent this from happening, you might want to enable role separation on the CA.
If role separation were enabled, then no more than one role would be permitted for each user. For example, if you assigned the Allow - Manage CA permission to the SpecialAdmins group, then its members would become CA Managers; they would be able to assign permissions for the CA to other users, but they would not be able to approve certificate requests. If they assigned the Allow - Issue and Manage Certificates permission to themselves, then they would be locked out of the CA and would not be able to perform any activity on the CA. If the Number of authorized signatures option is enabled for a certificate template, then all requests for certificates based on that template must be digitally signed by the users who have the appropriate authority, which is defined by application or issuance policies. The requests without the specified number of authorized signatures are not processed by the CA. The scenario does not require that requests for restricted certificates be signed; it requires that those requests be processed manually by members of the SpecialAdmins group.

Item: 32 (Ref:Cert-70-640.6.2.1)
You are the administrator for Verigon Corporation, which imports antique swords and antique military uniforms for resale. Your company's network has a single domain. All domain controllers run Windows Server 2008, and all client computers run Windows Vista. You have a public key infrastructure with a subordinate enterprise Certification Authority (CA) that issues certificates on behalf of the root CA. Your company uses a proprietary application that tracks the inventory that has been imported. All company employees use the application to view inventory levels and run reports. You want to ensure that only users in the AntiqueAdmins global group can perform maintenance on the application. Since the application requires a user certificate to perform maintenance, you want to ensure that members of the AntiqueAdmins global group are automatically issued a certificate. You configure the certificate template for autoenrollment in the Certification Authority, then you link the group policy object that distributes the certificates to the domain. What else should you do to ensure that only the AntiqueAdmins global group can perform maintenance on the application?

Configure the AntiqueAdmins global group to have Read and Enroll permissions on the certificate template. Remove permissions from other groups.
Configure the AntiqueAdmins global group to have Read permissions on the group policy.
Configure the AntiqueAdmins global group to have Full Control NTFS permissions for the application directory. Remove permissions from other groups.
Change the request handling of the default policy module of the CA.

Answer: Configure the AntiqueAdmins global group to have Read and Enroll permissions on the certificate template. Remove permissions from other groups.

Explanation:
You should configure the AntiqueAdmins global group to have Read and Enroll permissions on the certificate template and remove permissions from other groups. You can limit who is given permissions for autoenrollment to a particular certificate by limiting the permissions on the certificate template. This can be done by performing the following steps:
1. Open the Certificate Templates snap-in.
2. Right-click the appropriate certificate template that you want to change, and then click Properties.
3. On the Security tab, add the users or groups that you want and, under Allow, select the Read, Enroll, and Autoenroll check boxes. Remove the users or groups that will not have these permissions.
On the Request Handling tab of the certificate template, you should also click Enroll subject without requiring any user input. This action will ensure that the AntiqueAdmins global group will be able to autoenroll without administrator intervention. You do not have to configure the AntiqueAdmins global group to have Read permissions on the group policy. The Authenticated Users group is already given Read permissions on a GPO. The GPO will apply to all users because the Authenticated Users group has permissions. You can limit the GPO by removing the Authenticated Users group's Read permission and adding the Read permission to the AntiqueAdmins global group. You should not change the request handling of the default policy module of the CA. The policy module on the CA has its request handling configured to automatically issue a certificate based on the rules of the certificate template. If you change the request handling of the CA, then the certificate status of all requests is set to pending. This means that the administrator must approve each certificate. In the scenario, you want to have certificates automatically issued to the AntiqueAdmins global group. If the administrator has to approve each request, then the certificates will not be issued automatically.
You can change the request handling behavior of the CA by performing the following steps:
1. In the Certificate Server snap-in, highlight the Certificate Server.
2. Right-click the server and click Properties.
3. Click the Policy Module tab and click Properties.
4. Change the option to Set request status of certificate to pending.
You should not configure the AntiqueAdmins global group to have Full Control NTFS permissions for the application directory and remove permissions from other groups. This action will prevent other users from using the application. The other users must have at least the NTFS Read permission to be able to see the files in the application directory. In the scenario, it states that all users need to use the application. You want to ensure that only the AntiqueAdmins global group can perform maintenance, not block other users' access to the application. The following image shows the permissions available for configuration on the certificate template:


Item: 33 (Ref:Cert-70-640.4.4.1)
You are the network administrator for a company that tracks and distributes royalties to recording artists. Your network has a single domain. The functional level of the domain and the forest is Windows Server 2003. Your domain controllers run either Windows Server 2003 or Windows Server 2008. You create a GPO to assign applications to users in the Accounting OU. You want this GPO to assign the same applications to users in the Sales OU and Finance OU with the least administrative effort. What should you do?
Use the Group Policy Management Console (GPMC) to back up the GPO from the Accounting OU. Import the GPO into a GPO at the Sales OU and Finance OU.
Use the GPO in the Accounting OU as a Starter GPO, and create GPOs in the Sales OU and Finance OU based on the GPO in the Accounting OU.
Link the GPO in the Accounting OU to the Sales OU and Finance OU.
Create a global group for the users in the Sales OU and create a global group for the users in the Finance OU. Assign permissions for the global groups to the GPO in the Accounting OU.

Answer: Link the GPO in the Accounting OU to the Sales OU and Finance OU.

Explanation:
You should simply link the GPO in the Accounting OU to the Sales OU and Finance OU. The GPO will apply to users in the container to which it is linked. This GPO will also apply to users in sub-containers if sub-container inheritance is not blocked. By default, the Authenticated Users group has permissions to the GPO. You could change this permission to limit the GPO to apply to only certain users within a container. You do not have to use the Group Policy Management Console (GPMC) to back up the GPO from the Accounting OU and import the GPO into a GPO at the Sales OU and Finance OU. You can use the backup function to create a copy of a GPO. You can also use the GPMC to import the settings from the backed-up GPO into a new GPO. Typically you would use this functionality to copy a GPO to another forest. In this scenario, however, you can simply link the Accounting GPO to the appropriate OUs. You cannot use the GPO in the Accounting OU as a Starter GPO. A Starter GPO cannot be linked to an OU. A Starter GPO can be used as a template to create new GPOs. In this scenario, the GPO has already been linked to the Accounting OU. This GPO will not appear in the Starter GPO folder. You should not create a global group for the users in the Sales OU and the Finance OU and assign permissions for the global groups to the GPO in the Accounting OU. This solution will not work because the GPO is only linked to the Accounting OU. You need to have the GPO linked at the Sales OU and the Finance OU. By default, the Authenticated Users group has permissions to the GPO. You can change this permission to limit the GPO to apply to only certain users within a container.

Item: 34 (Ref:Cert-70-640.1.1.7)
You are the network administrator for the Metroil corporation. The company's network contains servers that run Windows Server 2008. A server named SRV1 is configured as a Domain Name System (DNS) server on the network to handle name resolution from users. SRV1 contains an Active Directory-integrated zone that holds DNS data for network users.

You discover that the primary zone on SRV1 contains entries for computers that are unknown to you and not part of your domain. What should you do to prevent this from happening in the future?
Right-click the DNS server node in the DNS Manager snap-in and click the Set Aging/Scavenging for All Zones option.
Select the Enable automatic scavenging of stale records option on the Advanced tab in the Properties dialog box of the DNS server.
Select the Secure Only option in the properties of the primary zone.
Right-click the DNS server node in the DNS Manager snap-in and click the Scavenge Stale Resource Records option.

Answer: Select the Secure Only option in the properties of the primary zone.

Explanation:
You should select the Secure Only option in the properties of the primary zone. When the Secure Only option is not selected, computers that are not members of the domain will be allowed to register with DNS. This can result in unknown computer records. Therefore, selecting this option would stop unknown computers from registering in DNS. You should not right-click the DNS server node in the DNS Manager snap-in and click the Scavenge Stale Resource Records option. Aging and scavenging is a feature of DNS that provides a mechanism for performing cleanup and removal of stale records, which can accumulate in zone data over time. Aging and scavenging of stale records are features of DNS that are available when you deploy a DNS server with primary zones. Records are automatically added to zones when computers start on the network if you have configured dynamic updates. However, in some cases, they are not automatically removed when computers leave the network. When you configure aging and scavenging, DNS servers can determine that records have aged to the point of becoming stale and remove them from zone data. You can start scavenging of stale resource records immediately even if you have not configured the aging and scavenging feature. To do this, you should right-click the DNS server node in the DNS Manager snap-in and click the Scavenge Stale Resource Records option. However, this will not prevent unknown computers from registering in DNS. You should not right-click the DNS server node in the DNS Manager snap-in and click the Set Aging/Scavenging for All Zones option because this option is used to configure aging and scavenging for all DNS zones on a DNS server. Clicking the Set Aging/Scavenging for All Zones option does not prevent unknown computers from registering in DNS. You should not select the Enable automatic scavenging of stale records option on the Advanced tab in the Properties dialog box of the DNS server. This option allows you to enable automatic scavenging of stale records on a DNS server. Selecting the Enable automatic scavenging of stale records option does not prevent unknown computers from registering in DNS.

Item: 35 (Ref:Cert-70-640.1.1.2)
You are the network administrator for a company that manufactures automobiles. You have a showroom in your lobby where guests and employees can access the Internet from their portable computers. The DHCP server grants the user an IP address, a gateway, and a DNS server. Your DNS server is a Windows Server 2008 with an Active Directory-integrated zone named company.com. After investigating your DNS server, you notice that only employees are able to generate A records, but both guest computers and employees are creating PTR records. How can you prevent PTR records from guests from being created without affecting the employees' access to resources?
Disable the reverse lookup zone.
Convert the reverse lookup zone to a secondary zone.
Ensure that the reverse lookup zone is an Active Directory-integrated zone and set dynamic updates to Secure Only.
Ensure that the reverse lookup zone is an Active Directory-integrated zone and set dynamic updates to None.

Answer: Ensure that the reverse lookup zone is an Active Directory-integrated zone and set dynamic updates to Secure Only.

Explanation:
You should ensure that the reverse lookup zone is an Active Directory-integrated zone and set dynamic updates to Secure Only. In this scenario, both employees of the company and guests are able to create PTR records in the reverse lookup zone. Since only employees' A records are added to the forward lookup zone, we can conclude that dynamic updates on the forward lookup zone are set to Secure Only. The reverse lookup zone in this case does not support secure dynamic updates. The reverse lookup zone may not be an Active Directory-integrated zone, or it might be an Active Directory-integrated zone with dynamic updates set to Secure and Nonsecure. Secure dynamic updates only allow computers that are members of the domain to add A records in a forward lookup zone or PTR records in a reverse lookup zone. By configuring the dynamic updates setting to Secure Only, you can configure secure dynamic updates. This will prevent nondomain users, such as guests, from adding PTR records to the reverse lookup zone. You should not disable the reverse lookup zone. Although this would prevent guests from creating PTR records, it would prevent employees from creating PTR records as well. PTR records are reverse lookup records that assist in name resolution. Disabling the reverse lookup zone would disable the reverse name resolution capabilities of the employees. You should not convert the reverse lookup zone to a secondary zone. A secondary zone holds a read-only copy of the zone and pulls an updated copy of the zone from a master server. A secondary zone would prevent the guests from creating PTR records, but would also prevent employees from adding PTR records to this zone. Employees' computers would have to register with the master DNS server to add records to this zone. Since employees and guests are given the same IP address of the DNS server through DHCP, they will register with the same DNS server.
You would have to configure the DHCP server to give different DNS server IP addresses to employees and to guests. You should not ensure that the reverse lookup zone is an Active Directory-integrated zone and set dynamic updates to None. Although this would prevent guests from creating PTR records, it would prevent employees from creating PTR records as well. PTR records are reverse lookup records that assist in name resolution. Setting dynamic updates to None would prevent the reverse name resolution capabilities of the employees.
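An added example that is not part of the original explanation and serves both this item and item 34: a PowerShell report of the dynamic update setting on every primary zone of a Windows Server 2008 DNS server, read through the MicrosoftDNS WMI provider that ships with the DNS Server role, plus a function that moves an Active Directory-integrated zone to Secure Only. The server name, the reverse zone name and the dnscmd conversion step quoted in a comment are assumptions.

```powershell
# Added example: audit and harden dynamic update settings on a Windows Server 2008 DNS server.
# Requires the DNS Server role (for the root\MicrosoftDNS WMI namespace) and admin rights.

# MicrosoftDNS_Zone.AllowUpdate values: 0 = None, 1 = Nonsecure and secure, 2 = Secure only.
$AllowUpdateName = @{ 0 = 'None'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }

function Get-DnsUpdateReport {
    param([string]$DnsServer = '.')   # assumption: local server by default

    Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone -ComputerName $DnsServer |
        Where-Object { $_.ZoneType -eq 1 } |          # 1 = primary; only primaries accept updates
        ForEach-Object {
            $zone = $_
            $allow = [int]$zone.AllowUpdate            # cast: hashtable keys are Int32, WMI gives UInt32

            # Secure only exists only for AD-integrated zones. A non-integrated zone or an
            # integrated zone set to 1 lets non-domain hosts register A or PTR records,
            # which is exactly the guest-PTR symptom in the scenario.
            if (-not $zone.DsIntegrated -and $allow -ne 0) {
                $finding = 'Not AD-integrated: convert (e.g. dnscmd /ZoneResetType <zone> /DsPrimary), then set Secure only'
            } elseif ($allow -eq 1) {
                $finding = 'Nonsecure updates accepted: set Secure only'
            } else {
                $finding = 'OK'
            }

            New-Object PSObject -Property @{
                Zone         = $zone.Name
                Reverse      = [bool]$zone.Reverse     # true for in-addr.arpa zones (PTR records)
                ADIntegrated = [bool]$zone.DsIntegrated
                Updates      = $AllowUpdateName[$allow]
                Finding      = $finding
            }
        }
}

function Set-DnsSecureOnly {
    param([string]$DnsServer = '.', [string[]]$ZoneName)

    foreach ($name in $ZoneName) {
        $zone = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone `
                    -ComputerName $DnsServer -Filter "Name='$name'"
        if (-not $zone) { Write-Warning "Zone $name not found on $DnsServer"; continue }
        if (-not $zone.DsIntegrated) {
            # The Secure only setting is refused for file-backed zones; convert first.
            Write-Warning "$name is not AD-integrated; Secure only is not available for it"
            continue
        }
        $zone.AllowUpdate = 2          # 2 = Secure only
        $zone.Put() | Out-Null         # commit the property change to the DNS server
        "$name now accepts secure dynamic updates only"
    }
}

# Usage (constructed): report every primary zone, then fix the scenario's reverse zone.
Get-DnsUpdateReport | Format-Table Zone, Reverse, ADIntegrated, Updates, Finding -AutoSize
# Set-DnsSecureOnly -ZoneName '0.168.192.in-addr.arpa'
```

Run the report first; a reverse zone that shows Updates = Nonsecure and secure while the forward zone shows Secure only is the exact configuration the question describes.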

Item: 36 (Ref:Cert-70-640.4.3.2)
You are a network administrator for your company. Your corporate network consists of a single Active Directory domain. All servers run Windows Server 2008. Several application operators belong to a group named AppOperators, and their user objects are located in an organizational unit (OU) named AppOperators. Several application servers belong to the AppServers group, and their computer objects are located in the AppServers OU. You must configure a Group Policy object (GPO) in order to allow the application operators to log on interactively at the application servers. Which of the following should you do?
Configure a GPO that assigns the Allow log on locally user right to the AppOperators OU, and link the GPO to the AppServers OU.
Configure a GPO that assigns the Allow log on locally user right to the AppServers OU, and link the GPO to the AppOperators OU.
Configure a GPO that assigns the Allow log on locally user right to the AppOperators group, and link the GPO to the AppServers OU.
Configure a GPO that assigns the Allow log on locally user right to the AppServers group, and link the GPO to the AppOperators OU.

Answer: Configure a GPO that assigns the Allow log on locally user right to the AppOperators group, and link the GPO to the AppServers OU.


Explanation:
The ability to log on interactively is controlled by the Allow log on locally user right. All user rights are computer-specific policies. Policies can be configured in GPOs. GPOs are applied to user objects and computer objects. Computer-specific policies in a GPO apply to computers, and user-specific policies in a GPO apply to users. To apply a GPO, an administrator should link it to an OU, domain, or site where the target user or computer objects reside. In this scenario, you should create a GPO and, in that GPO, assign the Allow log on locally user right to the AppOperators user group. To apply the GPO to the appropriate computers, you should link the GPO to the AppServers OU. The Allow log on locally user right can be assigned only to security principals, such as users and user groups; it cannot be assigned to OUs. You should not link the GPO to the AppOperators OU because user rights are computer-specific policies, which are not applied to user objects.

Item: 37 (Ref:Cert-70-640.2.4.17)
You are the network administrator for your company. The company has a main office and five branch offices. Each office has its own Active Directory site, and Active Directory replication is configured between each office. Your company opens a new branch office that has its own Active Directory site. You are required to configure Active Directory replication for the new office. Before configuring Active Directory replication for the new office, you want to view the current replication topology between the main office and all the branch offices in a graphical format. Which tool should you use?
Repadmin.exe
Replmon.exe
Ntdsutil.exe
Wbadmin.exe

Answer: Replmon.exe

Explanation:
You should use the Replmon.exe tool. Replmon.exe is a tool that enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication. The Replmon.exe tool must be installed on a computer running Windows Server 2003 or Windows Server 2008. The computer can be a domain controller, member server, member workstation, or stand-alone computer. You should not use the Repadmin.exe tool. Repadmin.exe is a command-line tool that can be used to view the replication information on domain controllers. By using the Repadmin.exe tool, you can determine the last successful replication of all directory partitions, identify inbound and outbound replication partners, identify the current bridgehead servers, view object metadata, and generally manage the Active Directory replication topology for both AD DS and AD LDS replication. You can also use the Repadmin.exe tool to force replication of an entire directory partition or a single object, and list domain controllers in a site. The Repadmin.exe tool cannot be used to view replication topology in a graphical format. You should not use the Ntdsutil.exe tool. Ntdsutil.exe is also a command-line tool that provides management capabilities for Active Directory. You can use Ntdsutil.exe to perform Active Directory database maintenance, manage and control single-master operations, and remove replication metadata left behind by domain controllers that are removed from the network without uninstalling Active Directory. The Ntdsutil.exe tool cannot be used to view replication topology in a graphical format. You should not use the Wbadmin.exe tool. Wbadmin.exe is a command-line tool that allows you to back up and restore your computer, volume, and files from a command prompt. The Wbadmin.exe tool cannot be used to view replication topology in a graphical format.

Item: 38 (Ref:Cert-70-640.4.7.1)
You are the network administrator for your company's network. You install a Certificate Authority (CA) to distribute certificates to users and computers in your domain. You decide that you want to audit the following events on your CA:
- Backing up and restoring the CA database
- Changing the CA configuration
- Changing the CA security settings
- Issuing and managing certificate requests
After seven days, you review the security log, but you cannot find any events related to the CA. What could you do to solve the problem?
Check the application log for auditing events related to the CA.
Enable Audit object access in the local security policy on the computer.
Enable Audit policy change in a group policy object.
Enable Audit system events in a group policy object.

Answer: Enable Audit object access in the local security policy on the computer.

Explanation:
You should enable Audit object access in the local security policy on the computer or via a group policy object that is applied to the computer. Enabling object access auditing in a policy allows you to specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry in the security log when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry in the security log when a user unsuccessfully attempts to access an object that has a SACL specified. You can use the Event Viewer tool to view the security log. Only administrators and users that have been delegated the right to view the security log may view the security log on a computer.

You should not enable Audit policy change in a group policy object. This policy setting determines whether to audit every incidence of a change to user rights assignment policies, Windows Firewall policies, audit policies, or trust policies. This policy will not affect the auditing of a CA.

You should not enable Audit system events in a group policy object. This policy setting audits when a user restarts or shuts down their computer, or when an event occurs that affects either computer security or the Security log. This policy will not affect the auditing of a CA.

You should not check the application log for auditing events related to the CA. Audited events are written to the security log, not to the application log. Auditing of the CA will not be successful until you enable object access auditing in a local security policy or group policy object.


Item: 39 (Ref:Cert-70-640.5.2.1)
You are a network administrator for a company named Verigon. The network consists of a single Active Directory domain. All servers run Windows Server 2008, and all client computers run Windows Vista. The network contains an enterprise issuing certification authority (CA) and an offline root CA. Verigon acquires a new company named TelStar that has its own Active Directory domain in a different forest. You want to establish an L2TP/IPSec VPN connection between both company networks. You install a VPN server on your network, install a certificate from your issuing CA, and configure the server for a router-to-router VPN connection. A network administrator at TelStar performs similar actions on the TelStar network. When you test the connection, you receive an error message that indicates that the TelStar certificate is not trusted. You must ensure that a VPN connection between the two companies can be successfully established without producing the error message. What should you do?
- Place a copy of the TelStar root CA's certificate in the Trusted Root Certification Authorities store on your VPN server.
- Install the TelStar root CA's certificate on the root CA in Verigon.
- Install the TelStar root CA's certificate on the issuing CA in Verigon.
- Include the TelStar root CA's certificate in Verigon root CA's certificate revocation list.

Answer: Place a copy of the TelStar root CA's certificate in the Trusted Root Certification Authorities store on your VPN server.

Explanation:
You should place a copy of the TelStar root CA's certificate in the Trusted Root Certification Authorities store on your VPN server. To make your VPN server trust the TelStar VPN server's certificate, that certificate must chain to a trusted CA. All certificates on TelStar's network can ultimately be verified to TelStar's root CA. Thus, if your VPN server trusts TelStar's root CA, then it will trust any certificate that is issued by any CA on TelStar's network. To enable your VPN server to trust TelStar's root CA, you should import the TelStar root CA's certificate into the Trusted Root Certification Authorities store on your VPN server.

It is a common practice to implement a stand-alone root CA and enterprise subordinate CAs. To provide maximum security for root CAs, they are often kept offline. Stand-alone CAs are better suited for being kept offline because they are less prone to the various synchronization problems that occur as a result of being disconnected from the network for prolonged periods of time. When you want to allow clients to get certificates from an intermediate CA even when the trusted root CA is offline, you should store the root CA's certificate in the Trusted Root Certification Authorities store on the client computers.

You can also make computers trust certificates from external CAs by using a Group Policy object (GPO) that applies to those computers. The GPO should list the appropriate certificates in the Trusted Root Certification Authorities policy. Alternatively, you can add the trusted root CA's certificates to a Certificate Trust List (CTL) and specify that CTL in the GPO. Another possible solution is cross-certification; for example, your root CA could issue a certificate for your partner's root CA and vice versa.

If you installed the TelStar root CA's certificate on your root or issuing CA, then only your root or issuing CA, respectively, would trust TelStar's certificates; the scenario requires that your VPN server trust TelStar's certificates.

You should not include the TelStar root CA's certificate in the Verigon root CA's certificate revocation list. A certificate revocation list (CRL) contains revoked certificates from a specific CA. When a certificate is revoked, it is included in the CRL on the CA that issued that certificate. You cannot include the TelStar root CA's certificate in your root CA's CRL because that certificate is self-signed; it has been issued by TelStar's root CA, not your root CA.
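The following PowerShell is an added example, not part of the Transcender item, showing how the trust decision above is carried out on the VPN server and then checked: it refuses to import anything that is not a self-signed root, adds the partner root to the machine-wide Trusted Root Certification Authorities store with certutil, and builds the chain for the partner's VPN server certificate with the .NET X509Chain class so that you can see the exact chain-status flag if trust still fails. The file paths, and the names telstar-root.cer and telstar-vpn.cer, are assumptions.

```powershell
# Added example (not from the item). Run in an elevated prompt on the VPN server.
# Assumed inputs: the partner root CA certificate and the partner VPN server's
# certificate, both exported as .cer files (DER or Base64).
$partnerRoot = 'C:\Certs\telstar-root.cer'   # assumption
$partnerVpn  = 'C:\Certs\telstar-vpn.cer'    # assumption

Add-Type -AssemblyName System.Security

function Test-IsSelfSignedRoot {
    # A certificate belongs in the Root store only if it is its own issuer.
    param([string]$Path)
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    return ($c.Subject -eq $c.Issuer)
}

function Get-ChainStatus {
    # Build the chain for a certificate against the local machine stores and
    # return the list of status flags (empty list means the chain is trusted).
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # fetch the partner CA's CRL too
    [void]$chain.Build($cert)
    return @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation)".Trim() })
}

if (-not (Test-IsSelfSignedRoot $partnerRoot)) {
    throw "$partnerRoot is not self-signed; only a root CA certificate belongs in the Root store."
}

# Import into the LocalMachine\Root store (what RRAS/IPsec uses for machine authentication).
certutil -addstore -f Root $partnerRoot
if ($LASTEXITCODE -ne 0) { throw 'certutil -addstore failed' }

# Verify: with the partner root trusted, the partner VPN certificate should chain cleanly.
$status = Get-ChainStatus $partnerVpn
if ($status.Count -eq 0) {
    Write-Host "Partner VPN certificate chains to a trusted root."
} else {
    # Typical flags: UntrustedRoot (root still missing), PartialChain (intermediate
    # CA certificate not reachable via AIA), RevocationStatusUnknown (CRL not reachable).
    $status | ForEach-Object { Write-Warning $_ }
}
```

The self-signed check matters because certutil -addstore will happily put an intermediate or end-entity certificate into Root, which would make that certificate a trust anchor regardless of its own chain. RevocationStatusUnknown after a successful import usually means the partner's CRL distribution point is not reachable from your perimeter, which is a firewall question rather than a trust-store question.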

Item: 40 (Ref:Cert-70-640.6.4.2)
You administer your company's Windows 2008 network. The network consists of 25 Windows Server 2008 computers. The network contains an offline root Certification Authority (CA) located in the main office and five subordinate issuing CAs, located in the main office and each of the remaining four retail locations. One of the four retail locations has been purchased and will operate as a franchise. You must ensure that resources on the company network will not accept certificates from the associated subordinate CA in this retail location after the sale is completed. Your solution must use a minimum amount of administrative effort. What should you do? (Choose three. Each correct answer presents part of the solution.)

- On the company's root CA, revoke the certificate of the subordinate CA.
- Disconnect the subordinate CA from the network.
- On the subordinate CA, remove the CA software and remove the CA files.
- On the subordinate CA, revoke the certificates that it has issued.
- Publish a new Certificate Revocation List.
- Copy the Edb.log file from the root CA to its Certification Distribution Point on your network.
- Copy the Edb.log file from the subordinate CA to its Certification Distribution Point on your network.
- Copy the Certificate Revocation List file to the Certificate Distribution Point on your network.

Answer: On the company's root CA, revoke the certificate of the subordinate CA. Publish a new Certificate Revocation List. Copy the Certificate Revocation List file to the Certificate Distribution Point on your network.


Explanation:
You should do the following: On the company's root CA, revoke the certificate of the subordinate CA. Publish a new Certificate Revocation List. Copy the Certificate Revocation List file to the Certificate Distribution Point on your network.

Digital certificates are used to establish trust between network objects. The ability to trust is determined by the status of the certificate: whether the chain of trust to the certificate's certifying authority can be verified, and whether the certificate remains in good standing with the certifying authority. When an issuing CA is deployed, it is issued a certificate that ultimately links to the root CA. It is a common practice to implement a stand-alone root CA and enterprise subordinate CAs. To provide maximum security for root CAs, they are often kept offline. Stand-alone CAs are better suited for being kept offline because they are less prone to various synchronization problems that occur as a result of being disconnected from the network for prolonged periods of time. When you want to allow clients to get certificates from an intermediate CA even when the trusted root CA is offline, you should store the root CA's certificate in the Trusted Root Certification Authorities store on the client computers.

When you need to ensure that certificates from this issuing CA are no longer valid, you need to perform three primary tasks. First, the issuing CA certificate must be revoked on the root CA. This will break the chain of trust for any new certificates issued. To notify objects that currently trust certificates from the issuing CA that these certificates are no longer valid, you should then publish the Certificate Revocation List (CRL). Finally, you should copy the CRL file to the Certificate Distribution Point on your network so that it is distributed to network objects that rely on certificates for authentication. This action will communicate the change in the public key infrastructure (PKI) across the network and will prevent you from having to revoke individual certificates that were issued by the CA.

Ultimately, the subordinate CA will be removed from the network when the retail location is sold. You do not have to manually remove the CA or uninstall Certificate Services from the computer. These acts, in and of themselves, will have no effect beyond preventing new certificates from being issued to your users or computers. Steps must be taken to break the chain of trust for the issuing CA, and this change must be communicated throughout the network.

Certificate Services uses a database format to store certification transactions. The <CA name>.edb file is the database file, and the Edb.log file is the transaction log file for the CA store. This file is not used as notification to CA clients for PKI changes. This type of information is distributed throughout the enterprise by using the CRL.
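The three tasks in the answer map onto three certutil operations on the offline root CA, followed by a manual copy because the root has no network path to the CDP. The PowerShell below is an added example, not part of the Transcender item: it looks up the subordinate CA's certificate in the root CA database, revokes every issued copy of it, publishes a fresh base CRL, copies that CRL to the CDP share, and finally dumps the copied CRL to prove the serial number is in it. The subordinate CA name Retail4-SubCA, the root CA's CRL file name Corp-RootCA.crl and the share \\dc1\CertEnroll are assumptions.

```powershell
# Added example (not from the item). Run on the root CA while it is temporarily
# connected, or stage the CRL copy through removable media if it never is.
$subCaName = 'Retail4-SubCA'                                               # assumption
$crlFile   = "$env:windir\System32\CertSrv\CertEnroll\Corp-RootCA.crl"     # assumption
$cdpShare  = '\\dc1\CertEnroll'                                            # assumption

function Get-IssuedSerials {
    # Return the serial numbers of every *issued* (Disposition=20) certificate
    # whose subject CN matches. Parses the "Serial Number:" rows of certutil -view.
    param([string]$CommonName)
    $view = certutil -view -restrict "CommonName=$CommonName,Disposition=20" -out 'SerialNumber'
    if ($LASTEXITCODE -ne 0) { throw 'certutil -view failed (is the CA service running?)' }
    return @($view | Select-String 'Serial Number:\s*"?([0-9A-Fa-f]+)"?' |
        ForEach-Object { $_.Matches[0].Groups[1].Value })
}

$serials = Get-IssuedSerials $subCaName
if ($serials.Count -eq 0) { throw "No issued certificate found for CN=$subCaName" }

# 1. Revoke on the root CA. Reason 3 = AffiliationChanged: the location no longer
#    belongs to the company. (Other codes: 1 KeyCompromise, 2 CACompromise,
#    5 CessationOfOperation, 6 CertificateHold.)
foreach ($s in $serials) {
    certutil -revoke $s 3
    if ($LASTEXITCODE -ne 0) { throw "Revocation of $s failed" }
}

# 2. Publish a new base CRL so the revocation is actually recorded in a CRL.
certutil -CRL
if ($LASTEXITCODE -ne 0) { throw 'CRL publication failed' }

# 3. The root is offline, so the CRL does not reach the CDP by itself: copy it there.
Copy-Item -Path $crlFile -Destination $cdpShare -Force

# 4. Check that the CRL relying parties will download really lists the revoked serial(s).
$published = Join-Path $cdpShare (Split-Path $crlFile -Leaf)
$dump = certutil -dump $published
foreach ($s in $serials) {
    if (-not ($dump | Select-String -SimpleMatch $s)) {
        Write-Warning "Serial $s is NOT in $published; clients will keep trusting the sub CA"
    } else {
        Write-Host "Serial $s is listed in $published"
    }
}
```

The final dump is the check worth keeping: a CRL that was published but not copied, or copied before certutil -CRL ran, leaves every relying party trusting the sold CA until the old CRL expires. Relying parties also cache CRLs until their Next Update time, so the earlier CRL's validity period bounds how long the old trust survives.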

Item: 41 (Ref:Cert-70-640.3.4.4)
You are the administrator of a company that manufactures novelty items. Your company has a single domain. All domain controllers are a mixture of Windows Server 2003 and Windows Server 2008. The functional level of the domain and forest are both set to Windows Server 2003. You have entered into a partnership with a company from China to import different novelty items. Your partners will need access to a Web-based inventory control application that is run on one of your servers. The partner's company also has a single domain. The functional level of the partner's domain and forest are both set to Windows Server 2003. You want to give the partner's company access to your Web-based inventory control application, but you do not want to create users or manage users from the partner company because there is a lot of personnel turnover in the partner company. What should you configure? (Choose three.)
- Use Active Directory Federation Services (AD FS) and create a federated trust.
- Install a Federation Service Proxy on a separate server in the perimeter network.
- Install an Edge Transport Server on a separate server in the perimeter network.
- Install an AD FS Web agent.
- Install an Edge Transport Server on the same server as the AD FS server.
- Install an SMTP server to handle outgoing and incoming authentication requests.

Answer: Use Active Directory Federation Services (AD FS) and create a federated trust. Install a Federation Service Proxy on a separate server in the perimeter network. Install an AD FS Web agent.

Explanation:
You should use Active Directory Federation Services (AD FS) and create a federated trust. AD FS allows users from outside your organization, such as the partners from China, to have access to a Web application that your company hosts. You could have the partners in China create a security group in their own Active Directory of users that need access to the application, and use AD FS to grant access to the application to the security group. When users from the partner's domain attempt to access the Web application, the application uses AD FS to authenticate the users based on their group membership.

You will also need to install a Federation Service Proxy on a separate server in the perimeter network. The Federation Service Proxy allows users outside your organization to access your application without exposing your Active Directory forest to the outside world. In this scenario, users from the partner's company in China will need to use the Internet to access the Web-based application on your server. The Federation Service Proxy in the perimeter network would relay federation requests from users outside your organization, such as the partners in China, to your federation server. Placing the Federation Service Proxy server in the perimeter network ensures that your federation server is not exposed directly to the outside world.

You should install an AD FS Web agent. The Web agent is the mechanism that the Web application uses for authenticating external users. The AD FS Web agent manages the security tokens and authentication cookies that are sent to the Web server. There are two different agents:

- Claims-aware agent: Used for claims-aware applications, such as Microsoft ASP.NET applications.
- Windows token-based agent: Performs the conversion of the AD FS security token to a Windows NT access token for applications that support Windows NT access tokens.

You cannot install the Federation Service Proxy and Active Directory Federation Service on the same server. They must be installed on separate computers.

You should not install an Edge Transport Server or an SMTP server. An Edge Transport server is used to route incoming email messages to a Hub Transport server and handle outgoing email messages from a Hub Transport server. You can place virus and email filtering agents on an Edge Transport server. An Edge Transport server and an SMTP server are not required to configure AD FS.

Item: 42 (Ref:Cert-70-640.1.1.6)
You are the network administrator for Nutex Corporation. Nutex has a single Active Directory domain. Several portable computers, desktop computers, and application servers have been added to the domain. You want a list of all your records in the DNS zone. You want to compare the A records from the DNS server with the IP addresses assigned from the DHCP server to see if any of the IP addresses of the portable computers, desktop computers, or application servers are static addresses. How would you get a list of all the DNS records in the DNS zone?
- Run the Dnscmd /info command.
- Run the Dnscmd /config command.
- Use the DNS Manager snap-in to right-click on the DNS server and choose Configure DNS Server. Choose to export a list of records to a file.
- Use the DNS Manager snap-in to right-click on the zone and choose Export List.

Answer: Use the DNS Manager snap-in to right-click on the zone and choose Export List.


Explanation:
You should use the DNS Manager snap-in to right-click on the zone and choose Export List to get a list of all DNS records in the DNS zone. This action will export all the DNS records to a text file. You can use the text file to compare the IP addresses of the A records in the zone with the IP addresses assigned by the DHCP server. You can also use the Dnscmd /ZoneExport command to export the zone records to a file. Alternatively, you can use the Dnscmd /ZonePrint command to display all records in the zone to the screen.

You cannot use the Dnscmd /config command to get a list of the DNS records in the DNS zone. You can use the Dnscmd /config command to change the values in the registry for the DNS server and for individual zones.

You cannot use the Dnscmd /info command to get a list of the DNS records in the DNS zone. The Dnscmd /info command displays DNS server level configuration and not zone-level information. To display the configuration for each zone, you must use the Dnscmd /zoneinfo command.

You cannot use the Configure DNS Server option of the DNS Manager snap-in to get a list of the DNS records in the DNS zone. You can use the Configure DNS Server option to configure forward and reverse lookup zones, configure forwarders, and configure root hints.
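The comparison the scenario asks for can be scripted around Dnscmd /ZoneExport. The PowerShell below is an added example, not part of the Transcender item: it exports the zone, parses the A records out of the export file (including the [AGE:n] token that dynamically registered records carry when aging is enabled, and continuation lines that omit the owner name), pulls the active leases from the DHCP scope with netsh, and lists the A records whose address is not leased, which are the static-address candidates. The zone nutex.com, the server names dns1 and dhcp1, and the scope 10.0.0.0 are assumptions; netsh dhcp requires the DHCP administration tools on the machine where you run it.

```powershell
# Added example (not from the item): find A records that are not backed by a DHCP lease.
$zone       = 'nutex.com'    # assumption
$dnsSrv     = 'dns1'         # assumption
$dhcpSrv    = 'dhcp1'        # assumption
$scope      = '10.0.0.0'     # assumption
$exportName = "$zone.export.txt"

function Get-ZoneARecords {
    # Parse the BIND-style file written by dnscmd /ZoneExport. Record lines look like
    #   dc1                3600  A  10.0.0.5
    #   host1 [AGE:3608521] 1200 A  10.0.0.21      (dynamic, aged record)
    #                      1200  A  10.0.0.22      (second record for the same owner)
    param([string]$Path)
    $owner = ''
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\s*;' -or $line -match '^\s*$') { continue }   # comments, blanks
        if ($line -match '^(\S+)\s') { $owner = $Matches[1] }              # new owner name
        if ($line -match '(?:^|\s)A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$') {   # IPv4 A record
            New-Object PSObject -Property @{ Name = $owner; IP = $Matches[1] }
        }
    }
}

function Get-DhcpLeaseIPs {
    # netsh prints one client per line, starting with the leased address:
    #   10.0.0.21  - 255.255.255.0  - 00-11-22-33-44-55  - 3/10/2009 10:00:00 AM  -D
    param([string]$Server, [string]$Scope)
    netsh dhcp server \\$Server scope $Scope show clients |
        ForEach-Object { if ($_ -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+-\s') { $Matches[1] } }
}

# 1. Export the zone. dnscmd writes the file into %systemroot%\system32\dns on the DNS server.
dnscmd $dnsSrv /ZoneExport $zone $exportName
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneExport failed for $zone" }
$exportPath = "\\$dnsSrv\admin$\system32\dns\$exportName"

# 2. Compare.
$aRecords = @(Get-ZoneARecords $exportPath)
$leases   = @(Get-DhcpLeaseIPs $dhcpSrv $scope)
$static   = $aRecords | Where-Object { $leases -notcontains $_.IP }

"{0} A records, {1} active leases, {2} addresses with no lease:" -f $aRecords.Count, $leases.Count, @($static).Count
$static | Sort-Object IP | Format-Table Name, IP -AutoSize
```

A host that appears in the "no lease" list is either statically addressed, leased from another scope or DHCP server, or a stale A record whose lease has expired; the [AGE:n] token in the export is a useful second signal, since records the DHCP client registered dynamically carry it and manually created ones do not.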

Item: 43 (Ref:Cert-70-640.4.7.3)
You are a network administrator for a multinational bank. You administer a contact center for the company in Alaska. The company's network consists of a single Active Directory domain that runs Windows Server 2008. The company's network also consists of 100 Windows Vista client computers. One of the users, named Fred, reported that his computer keeps restarting. You fixed the problem by reinstalling a device driver. You now want to enable an audit policy using the Auditpol.exe command-line tool to track all system restart events on Fred's computer. However, before you run Auditpol.exe to enable a new audit policy, you want to verify all the audit policies currently enabled on Fred's computer. What should you do?

- Run the Auditpol /list /r command.
- Run the Auditpol /get command.
- Run the Auditpol /list command.
- Run the Auditpol /get /sd command.

Answer: Run the Auditpol /get command.

Explanation:
You should run the Auditpol /get command to verify all audit policies that are currently enabled on Fred's computer. Auditpol.exe is a command-line tool used to set audit policy subcategories and per-user audit policy in Windows Server 2008. In Windows 2000 Server and Windows Server 2003, there is only one audit policy for Active Directory, named Audit Directory Service Access, which controls whether auditing for directory service events is enabled or disabled. In Windows Server 2008, the audit policy is divided into four subcategories:

- Directory Service Access: Enables users to audit the event of a user accessing an Active Directory object.
- Directory Service Changes: Enables users to audit changes that are made to Active Directory objects (for example, create, modify, or move).
- Directory Service Replication: Enables users to audit Active Directory replication problems.
- Detailed Directory Service Replication: Enables detailed tracking of Active Directory replication.

Each subcategory is enabled independently of the others. For example, if you disable the Directory Service Access subcategory, change events can still be seen as long as you have enabled the Directory Service Changes subcategory. Similarly, if you disable the Directory Service Changes subcategory and enable the Directory Service Access subcategory, access events will still be reflected in the Security log. Since there is no Windows interface tool available for these in Windows Server 2008, you can use the Auditpol.exe command-line tool to view or set audit policy subcategories.

You should not run the Auditpol /list /r command to verify all audit policies currently enabled on Fred's computer. The /r parameter is a subcommand to the Auditpol /list command, which is used to display the output in report format as comma-separated values.

You should not run the Auditpol /list command to verify all audit policies currently enabled on Fred's computer. The /list command parameter in Auditpol.exe is used to display selectable policy elements to create an audit policy.

You should not run the Auditpol /get /sd command to verify all audit policies currently enabled on Fred's computer. The /sd parameter is a subcommand to the Auditpol /get command, which is used to retrieve the security descriptor used to delegate access to the audit policy. To verify only the current audit policies enabled, you can use the Auditpol /get command by itself.
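Items 38 and 43 both come down to the same workflow: read the effective audit policy, keep a copy you can roll back to, then enable the subcategory that produces the events you are missing. The PowerShell below is an added example, not part of either Transcender item. It uses only real Auditpol.exe switches: /get /category:* is the Item 43 answer, /backup and /restore keep a rollback file, and the two /set calls enable "Certification Services" (the Object Access subcategory that CA operations are logged under, Item 38) and "Security State Change" (the System subcategory that records startup and shutdown, Item 43). The backup path under %TEMP% is an assumption.

```powershell
# Added example (not from the items). Run in an elevated PowerShell on the target computer.
$backup = Join-Path $env:TEMP 'auditpol-before.csv'   # assumption: rollback file location

function Get-AuditSetting {
    # Return the effective setting of one subcategory as a string such as
    # "Success and Failure", "Success", "Failure" or "No Auditing".
    # /r prints CSV with an "Inclusion Setting" column, which ConvertFrom-Csv exposes.
    param([string]$Subcategory)
    $rows = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    if ($LASTEXITCODE -ne 0 -or -not $rows) { throw "auditpol /get failed for '$Subcategory'" }
    return ($rows | Select-Object -First 1).'Inclusion Setting'
}

# 1. Verify everything that is currently enabled before touching anything (Item 43).
auditpol /get /category:*

# 2. Save the current policy so the change is reversible:  auditpol /restore /file:$backup
auditpol /backup /file:$backup
if ($LASTEXITCODE -ne 0) { throw 'auditpol /backup failed' }
Write-Host "Saved current audit policy to $backup"

# 3. Enable the two subcategories these scenarios need.
$wanted = @{
    'Certification Services' = 'Success and Failure'   # CA backup/restore, config, requests (Item 38)
    'Security State Change'  = 'Success and Failure'   # system startup/shutdown events (Item 43)
}
foreach ($sub in $wanted.Keys) {
    Write-Host ("{0,-24} before: {1}" -f $sub, (Get-AuditSetting $sub))
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$sub'" }
}

# 4. Read back and confirm; warn if a GPO or a typo left a subcategory unchanged.
foreach ($sub in $wanted.Keys) {
    $now = Get-AuditSetting $sub
    if ($now -ne $wanted[$sub]) {
        Write-Warning ("{0} is '{1}', expected '{2}'" -f $sub, $now, $wanted[$sub])
    } else {
        Write-Host ("{0,-24} after:  {1}" -f $sub, $now)
    }
}
```

Two caveats a practitioner will hit. First, on Windows Server 2008 a GPO that sets the legacy nine-category policy (the "Audit object access" and "Audit system events" settings the items talk about) overwrites the subcategory settings at the next policy refresh unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, so a locally set subcategory that keeps reverting is almost always that. Second, enabling "Certification Services" only produces CA events once auditing is also turned on in the CA's own properties (the Auditing tab in the Certification Authority console), which is the per-object SACL equivalent for the CA.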

Item: 44 (Ref:Cert-70-640.4.4.5)
You are the systems administrator of your company. The company's network consists of a single Active Directory domain. The company's network contains servers that run Windows Server 2003 and Windows Server 2008. The client computers on the network run Windows XP Professional and Windows Vista. You create .ADMX and .ADML files to define registry-based policy settings on all client computers in the domain. You want to manage the .ADMX files. What should you do? (Choose two. Each answer is a complete solution.)

- Use Group Policy Object Editor on a Windows XP Professional computer.
- Use Group Policy Object Editor on a Windows Server 2003 computer.
- Use Group Policy Object Editor or Group Policy Management Console on a Windows Vista computer.
- Use Group Policy Object Editor or Group Policy Management Console on a Windows Server 2008 computer.


Answer: Use Group Policy Object Editor or Group Policy Management Console on a Windows Vista computer. Use Group Policy Object Editor or Group Policy Management Console on a Windows Server 2008 computer.

Explanation:
You can use Group Policy Object Editor or Group Policy Management Console on either a Windows Vista computer or a Windows Server 2008 computer. Group Policy is used to apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment. Over 700 new policy settings are included in Group Policy in Windows Vista, which provides greater coverage of policy settings for easier administration by including the Group Policy Management Console (GPMC), support for multilingual environments by using ADMX files, and multiple components of Windows Vista.

The registry-based policy settings in Windows Vista are defined by using a standards-based XML file format known as ADMX files. The ADMX files are language-neutral resource files. The other type of registry-based policy settings are known as ADML files, which are language-specific resource files. ADMX and ADML files replace the ADM files that were used in earlier versions of Windows. To ensure that ADMX files are recognized by Group Policy tools, such as GPMC and Group Policy Object Editor, you must be running a Windows Vista-based or Windows Server 2008-based computer.

ADMX files are not stored in individual Group Policy Objects (GPOs). If you have a domain environment, you can create a central store location of ADMX files that can be accessed by anyone with permission to create or edit GPOs. The central store is a folder created in the SYSVOL folder of an Active Directory domain controller and is used to provide a centralized storage location for ADMX and ADML files for the domain. A central store can be created on a domain controller running Windows Server 2003 R2, Windows Server 2003 Service Pack 1 (SP1), or Windows 2000 Server.

The ADMX files supersede the default ADM files that were included in the operating system, such as System.adm and Inetres.adm. Therefore, Group Policy tools exclude the default ADM files. If you have any custom ADM files in your existing environment, Group Policy tools will continue to recognize those ADM files. You can use the Add/Remove Template menu option to add or remove custom ADM files to a GPO.

New Windows Vista-based policy settings can only be managed from Windows Vista and Windows Server 2008 based machines by using Group Policy Object Editor or GPMC. Group Policy Object Editor on Windows Server 2003, Windows XP, or Windows 2000 machines will not display new Windows Vista Administrative Template policy settings that may be enabled or disabled within a GPO. You can use the Group Policy Object Editor or GPMC in Windows Vista and Windows Server 2008 to manage all operating systems that support Group Policy, such as Windows Vista, Windows Server 2003, Windows XP, and Windows 2000.

The options stating that you should use Group Policy Object Editor on a Windows XP Professional computer or a Windows Server 2003 computer are incorrect. New Windows Vista-based policy settings can only be managed from Windows Vista-based machines by using Group Policy Object Editor or GPMC. Group Policy Object Editor on Windows Server 2003, Windows XP, or Windows 2000 machines will not display new Windows Vista Administrative Template policy settings that may be enabled or disabled within a GPO.

Item: 45 (Ref:Cert-70-640.3.3.3)
You are the network administrator for your company. The company has a main office and a branch office. You install Windows Server 2008 on all servers on the network. You install a domain controller named DC1 in the main office and a read-only domain controller (RODC) named RODC1 in the branch office. The offices are connected by a 128-Kbps link. A user named John travels frequently to the branch office and requires access to the branch office network. You want to ensure that John is able to log on to the network in the branch office even if the Wide Area Network (WAN) link to the domain controller is unavailable. To achieve this, you need to prepopulate the password cache of RODC1 with the password of John's user account. What should you do?

- Add John's user account to the Denied List on the Password Replication Policy tab in the Properties dialog box for RODC1.
- Add John's user account to the Accounts that have been authenticated to this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1.
- Add John's user account to the Accounts whose passwords are stored on this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1.
- Add John's user account to the Allowed List on the Password Replication Policy tab in the Properties dialog box for RODC1.


Answer: Add John's user account to the Allowed List on the Password Replication Policy tab in the Properties dialog box for RODC1.

Explanation:
You should add John's user account to the Allowed List on the Password Replication Policy tab in the Properties dialog box for RODC1. You can prepopulate the cache of an RODC with the passwords of user and computer accounts that will authenticate to that RODC. Prepopulating the RODC password cache triggers the RODC to replicate and cache the passwords for users and computers before the accounts try to log on in the branch office. Prepopulating the password cache is helpful when you want to ensure that a user is able to log on to the network in a branch office even if the WAN link to the writable domain controller is unavailable. You can prepopulate the cache only for accounts that the Password Replication Policy allows to be cached. If you try to prepopulate a password of an account that the Password Replication Policy does not allow to be cached, the operation will fail.

You should not add John's user account to the Denied List on the Password Replication Policy tab in the Properties dialog box for RODC1. You can prepopulate the cache only for accounts that the Password Replication Policy allows to be cached. Therefore, you should add John's user account to the Allowed List on the Password Replication Policy tab in the Properties dialog box for RODC1.

You should not add John's user account to the Accounts that have been authenticated to this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1. The Accounts that have been authenticated to this Read-only Domain Controller list displays all user and computer accounts that are authenticated to an RODC. You cannot manually add a user or a computer account to the Accounts that have been authenticated to this Read-only Domain Controller list.

You should not add John's user account to the Accounts whose passwords are stored on this Read-only Domain Controller list in the Advanced Password Replication Policy dialog box for RODC1. The Accounts whose passwords are stored on this Read-only Domain Controller list displays all user or computer accounts whose passwords are stored on that RODC. To view credentials that are cached on an RODC, you should use the Active Directory Users and Computers snap-in. To do so, open the Password Replication Policy tab in the properties sheet for the RODC, and select the Accounts whose passwords are stored on this Read-only Domain Controller option in the Advanced Password Replication Policy dialog box. You cannot manually add a user or a computer account to the Accounts whose passwords are stored on this Read-only Domain Controller list.

Item: 46 (Ref:Cert-70-640.4.4.4)
You are the network administrator for your company. All servers on the network run Windows Server 2008. The company's network consists of a single Active Directory domain. The client computers run Windows Vista. You create .ADMX files to define registry-based policy settings on all client computers in the domain. You want to create a custom domain-based ADMX file that supports the Japanese language in your domain. You want to ensure that the custom ADMX file for the Japanese language is automatically available to all Group Policy administrators in the domain. What should you do?

- Create an .ADML file and copy it to the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture] folder on the domain controller.
- Create an .ADMX file and copy it to the %systemroot%\sysvol\domain\policies\PolicyDefinitions folder on the domain controller.
- Create an .ADM file and copy it to the %systemroot%\inf folder on all client computers.
- Create an .ADML file and copy it to the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture] folder on all client computers.

Answer: Create an .ADML file and copy it to the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture] folder on the domain controller.

Explanation:
You should create an .ADML file and copy it to the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture] folder on the domain controller. The ADMX files are language-neutral resource files. The other type of registry-based policy settings are known as ADML files, which are language-specific resource files. ADMX and ADML files replace the ADM files that were used in earlier versions of Windows. To ensure that ADMX files are recognized by Group Policy tools, such as GPMC and Group Policy Object Editor,

Copyright 2009 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.

Page 49 of 173

you must be running a Windows Vista-based or Windows Server 2008-based computer. ADMX files are not stored in individual Group Policy Objects (GPOs). In a domain environment you can create a central store of ADMX files that can be accessed by anyone with permission to create or edit GPOs. The central store is a folder created in the SYSVOL folder of a domain controller and provides a single storage location for the ADMX and ADML files of the domain. In addition to the ADMX files that ship with the operating system, you can share a custom ADMX file by copying it to the central store, which makes it available automatically to all Group Policy administrators in the domain.

The default location for .ADML files on a domain controller is the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture] folder. For example, the United States English language-specific .ADML file is stored in the %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-US folder.

You should not create an .ADMX file and copy it to the %systemroot%\sysvol\domain\policies\PolicyDefinitions folder on the domain controller. ADMX files are language-neutral and cannot serve as the resource for a specific language; the language-specific strings belong in an .ADML file.

You should not create an .ADM file and copy it to the %systemroot%\inf folder on all client computers. .ADM files were used by versions of Windows released before Windows Vista, and an .ADM file cannot be used as a resource for a specific language. Also, copying the .ADM file to the %systemroot%\inf folder on all client computers makes the file available locally, but it does not make the .ADM file automatically available to all Group Policy administrators in the domain.

You should not create an .ADML file and copy it to the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture] folder on all client computers. Copying the .ADML file to that folder on all client computers makes the file available locally on the clients, but it does not make the .ADML file automatically available to all Group Policy administrators in the domain.
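The following script is an added example, not part of the Transcender item: it creates the central store on a domain controller, copies the operating system's ADMX files into the store root and each language's ADML files into the matching culture subfolder, and then checks that every template has an en-US resource file. It assumes (none of this is stated on the page) that it runs in PowerShell as a Domain Admin on a Windows Server 2008 domain controller, that the DNS domain name is read from $env:USERDNSDOMAIN, and that an optional custom template pair lives under the hypothetical folder C:\CustomAdmx laid out the same way as %SystemRoot%\PolicyDefinitions.

```powershell
# Added example (not from the Transcender item): build and populate the Group Policy
# central store. Assumed: run as Domain Admin on a Windows Server 2008 DC.
$domain  = $env:USERDNSDOMAIN                               # e.g. contoso.com (assumed)
$source  = Join-Path $env:SystemRoot 'PolicyDefinitions'   # ADMX/ADML shipped with the OS
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$custom  = 'C:\CustomAdmx'                                  # hypothetical custom ADMX folder

function Copy-AdmxFolder {
    # Copies *.admx into the root of $To and every <culture>\*.adml into the matching
    # culture subfolder of $To. Returns the number of files copied.
    param([string]$From, [string]$To)
    $count = 0
    if (-not (Test-Path $To)) { New-Item -ItemType Directory -Path $To | Out-Null }

    # Language-neutral .admx files live in the store root.
    $admx = @(Get-ChildItem -Path $From -Filter *.admx)
    $admx | Copy-Item -Destination $To -Force
    $count += $admx.Count

    # Each culture folder (en-US, de-DE, ...) holds the language-specific .adml files.
    foreach ($cultureDir in @(Get-ChildItem -Path $From | Where-Object { $_.PSIsContainer })) {
        $target = Join-Path $To $cultureDir.Name
        if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }
        $adml = @(Get-ChildItem -Path $cultureDir.FullName -Filter *.adml)
        $adml | Copy-Item -Destination $target -Force
        $count += $adml.Count
    }
    return $count
}

$copied = Copy-AdmxFolder -From $source -To $central
if (Test-Path $custom) { $copied += Copy-AdmxFolder -From $custom -To $central }
"Copied $copied file(s) to $central"

# Check: every .admx in the store needs an en-US .adml partner, otherwise the Group Policy
# editor reports a missing resource for that template on an English console.
$enUs = Join-Path $central 'en-US'
$missing = @(Get-ChildItem -Path $central -Filter *.admx | Where-Object {
    -not (Test-Path (Join-Path $enUs ($_.BaseName + '.adml')))
})
if ($missing.Count -gt 0) {
    'ADMX files without an en-US ADML: ' + (($missing | ForEach-Object { $_.Name }) -join ', ')
}
```

Once the PolicyDefinitions folder exists in SYSVOL, the Group Policy Management Editor on any Vista or Server 2008 console reads templates from the central store instead of the local %SystemRoot%\PolicyDefinitions, so a custom ADMX/ADML pair dropped there by this script shows up for every administrator without any per-console copy.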

Item: 47 (Ref:Cert-70-640.6.3.1)
You administer a domain that includes an enterprise root Certification Authority (CA) and an issuing enterprise subordinate CA. You want each computer in the domain to have a Computer certificate that can be used for IPSec communications. In order to limit the administrative effort required on behalf of the computers' users, you want to enable automatic enrollment for computer certificates in the domain. Which two of the following actions should you take in order to enable all computers in the domain to automatically enroll for computer certificates? (Choose two.)
- Create a Certificate Trust List (CTL) that allows the use of computer certificates in the domain.
- Configure a Public Key Group Policy for the domain.
- Assign the Enroll and Autoenroll permissions to all domain computers for the Computer certificate template.
- Issue Enrollment Agent certificates to all users in the domain.
- Issue Recovery Agent certificates to all users in the domain.

Answer:
- Configure a Public Key Group Policy for the domain.
- Assign the Enroll and Autoenroll permissions to all domain computers for the Computer certificate template.

Explanation:
Automatic enrollment eliminates the need for a user to log on to each computer as an administrator and request a computer certificate on behalf of the computer. A Public Key Group Policy is also what enables the creation of CTLs for users and computers, the addition of CA certificates for trusted third-party and stand-alone root CAs, and the designation of Encrypting File System (EFS) Recovery Agent accounts. A Public Key Group Policy can be created for a domain, a site or an organizational unit (OU).

You must configure a Public Key Group Policy for the domain and assign the Enroll and Autoenroll permissions to all domain computers for the Computer certificate template. Doing so enables automatic enrollment of Computer certificates for all domain computers. A Public Key Group Policy is not necessary for most uses of certificate services and the public-key infrastructure. However, you must configure one in order to enable automatic enrollment for certificates that are issued to computers, including Computer, Domain Controller, IPSec and Enrollment Agent (computer) certificates. In order to receive a particular certificate, the Enroll permission for that certificate template must be granted to the requesting party, which can be a computer or a person depending on the type of certificate. Computer certificates can be issued only to computers; thus, in this scenario, each domain computer must be granted the Enroll permission for the Computer certificate template.

CTLs are used to designate trusted CAs and the purposes for which the CAs' certificates can be used. Supported CTL purposes include client authentication, server authentication, code signing, secure e-mail and time-stamping. You cannot create a CTL that explicitly allows the use of Computer certificates in the domain.

An EFS Recovery Agent certificate should be issued to the user of a computer on which EFS-encrypted data will be recovered. An Enrollment Agent certificate should be issued to any administrators who obtain certificates for smart card users. The domain computer users do not require either Enrollment Agent certificates or EFS Recovery Agent certificates in order for their computers to obtain Computer certificates.
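The script below is an added example and not part of the Transcender item. It checks the two things that most often break computer autoenrollment in practice: whether Domain Computers actually hold the Enroll and Autoenroll extended rights on the Computer template (stored in the Configuration partition as CN=Machine) and whether the issuing CA publishes that template; it then pulses autoenrollment on the local computer and looks for the resulting certificate. It assumes (not stated on the page) that it runs as a Domain Admin on a domain-joined Windows Server 2008 computer, that certutil -CATemplates is run on the issuing CA itself, and that the Public Key Group Policy with Certificate Services Client - Auto-Enrollment is already linked to the domain.

```powershell
# Added example (not from the Transcender item): verify template permissions, CA publication
# and autoenrollment for the Computer (CN=Machine) template.
# Well-known extended-right GUIDs defined in the AD schema:
$enrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Enroll
$autoenrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Autoenroll

function Test-TemplateRights {
    # Returns a hashtable (Enroll/Autoenroll -> $true/$false) telling whether $Principal has an
    # Allow ACE for each extended right on the template object in the Configuration partition.
    param([string]$TemplateCn, [string]$Principal)
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $template = [ADSI]"LDAP://CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $rules    = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $wanted   = @{ Enroll = $enrollRight; Autoenroll = $autoenrollRight }
    $result   = @{}
    foreach ($name in $wanted.Keys) {
        $guid  = $wanted[$name]
        $match = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $guid -and
            (($_.ActiveDirectoryRights -band $extRight) -eq $extRight) -and
            $_.IdentityReference.Value -like "*\$Principal"
        }
        $result[$name] = [bool]$match
    }
    return $result
}

$rights = Test-TemplateRights -TemplateCn 'Machine' -Principal 'Domain Computers'
"Domain Computers on Computer template -> Enroll: $($rights['Enroll'])  Autoenroll: $($rights['Autoenroll'])"
if (-not ($rights['Enroll'] -and $rights['Autoenroll'])) {
    'Grant Enroll and Autoenroll to Domain Computers on the template before expecting autoenrollment.'
}

# Permissions alone are not enough: the issuing CA must publish the template.
# certutil -CATemplates (run on the CA) lists published templates by internal name.
$published = certutil -CATemplates 2>&1 | Select-String -Pattern '^Machine:'
if (-not $published) { 'The Computer template is not published on this CA (add it under Certificate Templates).' }

# Trigger autoenrollment now instead of waiting for the next policy refresh, then look for
# a certificate issued from the Machine template in the computer's personal store.
certutil -pulse | Out-Null
certutil -store My | Select-String -Pattern 'Template=Machine'
```

If the rights check passes but no certificate appears, the usual remaining causes are the autoenrollment policy not reaching the computer (confirm with gpresult /scope computer /v) or the CA being a stand-alone CA, which has no templates at all.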

Item: 48 (Ref:Cert-70-640.6.2.2)
You are a network administrator for a large software company. The company's network consists of three Windows Server 2008 servers and 200 Windows Vista client computers installed in various departments. You are responsible for issuing certificates to all client computers and network devices using Active Directory Certificate Service (AD CS). Several departments have several network switches and routers that need certificates issued to them. What should you do to issue certificates to the network switches and routers?
- Issue a certificate using Enterprise Public Key Infrastructure (PKI) View.
- Issue a certificate using a restricted enrollment agent.
- Issue a certificate using the Network Device Enrollment Service (NDES).
- Issue a certificate using the Web enrollment service.

Answer: Issue a certificate using the Network Device Enrollment Service (NDES).

Explanation:
You should use the Network Device Enrollment Service (NDES) to issue certificates to the network switches and routers. NDES is the Microsoft implementation of the Simple Certificate Enrollment Protocol (SCEP), which lets the software running on network devices such as routers and switches obtain X.509 certificates from a CA.

You should not use a restricted enrollment agent to issue a certificate to network devices such as routers and switches. Enrollment agents are one or more persons authorized to perform enrollment on behalf of others within an organization. An enrollment agent must be issued an enrollment agent certificate, which enables the agent to enroll for smart card certificates on behalf of other users in a particular department or section of the organization. A restricted enrollment agent in AD CS lets you limit which users and groups a designated enrollment agent may receive certificates for.

You should not use Enterprise PKI View to issue a certificate to network devices such as switches and routers. Enterprise PKI View provides a status view of your network's PKI environment, which enables administrators to troubleshoot possible errors reported by the CA. You should use NDES to issue certificates to network devices.

You cannot use the Web enrollment service to issue a certificate to a network device such as a router or switch. Web enrollment is used to issue certificates to clients that cannot rely on the auto-enrollment mechanisms of a certification authority (CA) or on the Certificate Request Wizard, such as non-Microsoft clients and computers that are not part of the domain. Web enrollment is not a CA in itself; it is an IIS-hosted front end to a CA through which users request new or renewed certificates over HTTP or HTTPS.


Item: 49 (Ref:Cert-70-640.4.3.7)
You are a network administrator for your company. Your corporate network consists of a single Active Directory domain. The organizational unit (OU) structure is shown in the exhibit. (Click the Exhibit(s) button.) The user accounts of all network administrators belong to the NetAdmins OU, the user accounts of all managers belong to the Managers OU, and the user accounts of all other employees in the company belong to the Employees OU. All Help Desk users are members of a security group named Help Desk. The Help Desk personnel should be allowed to reset the passwords of all users, except network administrators and managers, but they should not be assigned any additional privileges in the domain. You must delegate the required level of authority to the Help Desk group. Which of the following should you do?
- Delegate the Create, delete and manage user accounts task for the Personnel OU and enable the Block Policy inheritance option for the NetAdmins and Managers OUs.
- Delegate the Reset user passwords and force password change at next logon task for the Employees OU.
- Delegate the Read all InetOrgPerson information task for the Personnel OU and disable the propagation of inheritable permissions for the NetAdmins and Managers OUs.
- Delegate the Read all user information task for the Employees OU.

Answer: Delegate the Reset user passwords and force password change at next logon task for the Employees OU.

Explanation:
OUs are used to delegate administration of specific subsets of domain resources, such as users, computers, and groups. In this scenario, you should assign the Help Desk group the permission to reset user passwords for the Employees OU. To accomplish this task, you can run the Delegation of Control wizard on the Employees OU, add the Help Desk group to the list of the users to whom you want to delegate control of the OU, and select the Reset user passwords and force password change at next logon task. Alternatively, you can assign the Help Desk group the Allow - Reset Password permission for the Employees OU and specify that the permission apply to user objects.

If you delegated the Create, delete and manage user accounts task for the Personnel OU, then members of the Help Desk group would be able to fully manage the user accounts of all employees in the company, including network administrators and managers. The Block Policy inheritance option is irrelevant to delegation of administration; this option is used to prevent Group Policy objects that are linked to higher-level OUs or to the domain from applying to objects in the current OU.

Delegating the Read all InetOrgPerson information task would allow the Help Desk personnel to read all information for the InetOrgPerson objects; it would not allow them to reset the passwords for user objects. InetOrgPerson objects are similar to user objects and are used for compatibility with third-party directory services.

Delegating the Read all user information task would not allow the Help Desk personnel to reset user passwords.
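The following is an added example, not part of the Transcender item: it performs with dsacls exactly the delegation the wizard task "Reset user passwords and force password change at next logon" performs (the Reset Password control-access right plus read/write on pwdLastSet, scoped to user objects), and then verifies that the Help Desk group appears on the Employees OU and nowhere on the OUs that must stay out of scope. The domain DN DC=contoso,DC=com, the NetBIOS name CONTOSO and the placement of the three OUs under the Personnel OU are assumptions; the exhibit is not reproduced on the page.

```powershell
# Added example (not from the Transcender item): scripted, auditable equivalent of the
# Delegation of Control wizard task. DNs and domain names below are assumed.
$employees = 'OU=Employees,OU=Personnel,DC=contoso,DC=com'
$offLimits = 'OU=NetAdmins,OU=Personnel,DC=contoso,DC=com', 'OU=Managers,OU=Personnel,DC=contoso,DC=com'
$group     = 'CONTOSO\Help Desk'

# "Reset Password" is a control-access right (CA); /I:S makes the ACE inherit to sub-objects,
# and the trailing ";user" limits it to user objects.
dsacls $employees /I:S /G "${group}:CA;Reset Password;user"

# "Force password change at next logon" is a write of pwdLastSet to 0, so the wizard also
# grants read (RP) and write (WP) of that single attribute.
dsacls $employees /I:S /G "${group}:RPWP;pwdLastSet;user"

# Verify: the two ACEs above should be the only mentions of the group on the Employees OU ...
'--- ACEs for Help Desk on Employees ---'
dsacls $employees | Select-String -Pattern 'Help Desk'

# ... and there should be none on NetAdmins or Managers, which are siblings, not children.
foreach ($ou in $offLimits) {
    $hits = dsacls $ou | Select-String -Pattern 'Help Desk'
    if ($hits) { "Unexpected Help Desk ACE on ${ou}:"; $hits } else { "OK: no Help Desk ACE on $ou" }
}
```

Two practitioner caveats. dsacls /G adds to the existing DACL, so re-running the script is harmless but removal needs /R. And any account that is a member of a protected group (Domain Admins, Account Operators and the like) has its ACL rewritten from AdminSDHolder, so even if such an account were moved under Employees the delegated ACEs would be stripped and the Help Desk could not reset it; that is a feature here, not a bug.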


Item: 50 (Ref:Cert-70-640.4.2.2)
You are the network administrator at your company. You have set password policies and account lockout policies on the domain, as seen in the exhibit. (Click the Exhibit(s) button.) You have an application that runs on a server. The application uses a domain account named AppLogin to log in to a server on the domain called FS1. AppLogin is granted the log on as a service right on FS1. After working with the application for a few weeks, users complain that they suddenly cannot access the application. How should you fix the problem?
- Increase the number of attempts for the Account lockout threshold.
- Configure the password on AppLogin to never expire.
- Decrease the number of minutes for the Reset account lockout counter after policy.
- Change the Maximum password age setting in the default domain policy to 999.

Answer: Configure the password on AppLogin to never expire.


Explanation:
You should change the properties of the AppLogin account and set its password to never expire. Because AppLogin is a domain account, it is governed by the password policies of the domain. The default Maximum password age in the default domain policy is 42 days, so after 42 days the AppLogin password expires and the service can no longer log on to the domain server FS1. A service logs on with the password stored in its service configuration: as long as that password was correct when it was entered, it keeps working until it expires.

You should not change the Maximum password age setting in the default domain policy to 999. This setting determines how long a password is valid, so increasing it only delays the moment the AppLogin password expires. Also, changing any setting in the default domain policy affects every other account in the domain; in this scenario you only want to fix the problem with the AppLogin account.

You should not decrease the number of minutes for the Reset account lockout counter after setting. This setting determines when the count of invalid logon attempts is reset. For example, if Account lockout threshold is set to 5 and Reset account lockout counter after is set to 30 minutes, a user gets 5 attempts to enter the correct password within 30 minutes; if the user does not exceed 5 attempts in those 30 minutes, the invalid-attempt counter resets to 0 and the user has another 5 attempts during the next 30 minutes. Changing this setting will not fix the problem.

Increasing the number of allowed attempts for the Account lockout threshold will not fix the problem either. That setting matters for users who type their passwords every day. The AppLogin password is stored in the service configuration; it does not fail because it is mistyped, it fails because it has expired.
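The script below is an added example and is not part of the Transcender item. It applies the fix with the ds* command-line tools, then shows the check a practitioner wants before and after: when the account's current password expires, computed from pwdLastSet and the domain's maxPwdAge the same way the domain controller does. It assumes (not on the page) that it runs as a domain administrator on a computer with the ds* tools (a domain controller or RSAT) and PowerShell, and that the service on FS1 that uses AppLogin is called AppSvc, a hypothetical name.

```powershell
# Added example (not from the Transcender item): flag AppLogin as "password never expires",
# verify, and compute the password expiry date from the directory. Assumed: ds* tools present.

function Get-PasswordExpiry {
    # Returns the UTC date/time the account's current password expires, or $null when it never
    # does (DONT_EXPIRE_PASSWD set on the account, or no maximum password age in the domain).
    param([string]$SamAccountName)

    $user = New-Object System.DirectoryServices.DirectorySearcher
    $user.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$user.PropertiesToLoad.AddRange(@('pwdLastSet', 'userAccountControl'))
    $hit = $user.FindOne()
    if ($hit -eq $null) { throw "Account $SamAccountName not found" }

    $uac = [int]$hit.Properties['useraccountcontrol'][0]
    if (($uac -band 0x10000) -ne 0) { return $null }            # 0x10000 = DONT_EXPIRE_PASSWD

    # maxPwdAge on the domain head object is a negative number of 100-ns ticks
    # (Int64.MinValue means "passwords never expire" at the domain level).
    $dom = New-Object System.DirectoryServices.DirectorySearcher
    $dom.SearchScope = 'Base'
    $dom.Filter = '(objectClass=*)'
    [void]$dom.PropertiesToLoad.Add('maxPwdAge')
    $maxAgeTicks = [long]$dom.FindOne().Properties['maxpwdage'][0]
    if ($maxAgeTicks -eq 0 -or $maxAgeTicks -eq [long]::MinValue) { return $null }

    $lastSet = [DateTime]::FromFileTimeUtc([long]$hit.Properties['pwdlastset'][0])
    return $lastSet.AddTicks(-$maxAgeTicks)
}

function Show-Expiry {
    param([string]$Label)
    $expiry = Get-PasswordExpiry -SamAccountName 'AppLogin'
    if ($expiry -eq $null) { "${Label}: AppLogin password never expires" }
    else { "${Label}: AppLogin password expires $expiry UTC" }
}

Show-Expiry 'Before'

# dsquery prints the account's DN and the ds* tools read DNs from stdin, so pipe it through.
dsquery user -samid AppLogin | dsmod user -pwdneverexpires yes

# Confirm the flag and that nobody disabled the account while troubleshooting.
dsquery user -samid AppLogin | dsget user -samid -pwdneverexpires -disabled
Show-Expiry 'After'

# The stored service password is still correct; it only stopped being accepted because it had
# expired. Start the service again on FS1 (AppSvc is a hypothetical service name).
sc.exe \\FS1 start AppSvc
```

Setting the flag removes the failure, but it also removes rotation, so record the account as a service account, keep it to the Log on as a service right on FS1 only, and when you do rotate the password change it in both places in one step: dsmod user -pwd on the account and sc config AppSvc password= on FS1.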


Item: 51 (Ref:Cert-70-640.5.1.3)
You are the systems administrator of the Nutex corporation's Active Directory domain. All of the domain controllers use Windows Server 2008. You have a Windows Server 2008 Server Core edition server named NutexSCore1. NutexSCore1 has a volume named FinancialRecords. Because of a computer operator error, several directories were deleted and old data was copied over new data. You must restore the data for the FinancialRecords volume. Which of the following should you run to restore the volume as quickly as possible?
- Boot from the DVD media, choose Repair your computer, choose System Recovery options, and click Windows Complete PC Restore.
- From a command-line prompt, run the Wbadmin start sysrecovery command.
- From a command-line prompt, run the Wbadmin start sysstaterecovery command.
- From a command-line prompt, run the Wbadmin start recovery command.

Answer: From a command-line prompt, run the Wbadmin start recovery command.

Explanation:
You should run the Wbadmin start recovery command. Wbadmin.exe is a command-line tool that allows you to back up and restore your computer, volumes, and files from a command prompt. The Wbadmin start recovery command performs a recovery of the specified volumes, applications, or files and folders. The -itemtype parameter specifies the type of items to recover and must be one of Volume, App, or File. The -backupTarget parameter specifies the storage location that contains the backup you want to recover from.

You should not boot from the DVD media, choose Repair your computer, choose System Recovery options and click Windows Complete PC Restore. These steps perform a complete restore of the computer, but in this scenario you only need to restore the FinancialRecords volume on NutexSCore1, not the operating system and the other volumes. However, if it were required, you could recover the operating system of a failed computer as follows:

1. Insert the Setup media DVD into the drive and turn on the computer.
2. From the Setup Wizard, click Repair your computer. Setup searches the hard disk drives for an existing Windows installation and displays the results in the System Recovery Options dialog box.
3. Choose the Windows installation to recover and click Next.
4. On the System Recovery Options page, click Windows Complete PC Restore.
5. Choose one of the following options and click Next:
   - Restore the following backup (recommended)
   - Restore a different backup
   Depending on the option you choose, you may be asked for more details about the backup you want to restore. Click Next.
6. On the Choose how to restore the backup page, install any drivers that you need. Then choose one of the following options and click Next:
   - Format and repartition disks (deletes the existing partitions and reformats the destination disks to match the backup)
   - Restore only system volumes
7. Click Exclude disks, and then check the boxes for any disks that are needed for a system restore. Click Next.
8. Confirm the details for the restoration, and then click Finish.

Before you can recover your server operating system, you must have Windows Server Backup installed on the Windows Server 2008 server, your account must be a member of the local Administrators group or the Backup Operators group, and you must have a backup available that contains the critical volumes of the server.

You should not run the Wbadmin start sysrecovery command. This command performs a full system recovery. In this scenario you want to restore only a volume, so the Wbadmin start sysrecovery command is not needed.

You should not run the Wbadmin start sysstaterecovery command. This command performs a system state recovery of a Windows Server 2008 computer. In this scenario you want to restore only a volume, so the Wbadmin start sysstaterecovery command is not needed.
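The following command sequence is an added example, not part of the Transcender item. It walks through the volume recovery on NutexSCore1 with wbadmin, from finding the right backup version to confirming the result in the event log, and also shows the narrower file-level recovery that fits the scenario when only a few directories were damaged. It assumes (none of this is on the page) that the FinancialRecords volume is drive F:, that the backup lives on drive E:, that 03/31/2009-02:00 is the version identifier chosen from wbadmin get versions, and that F:\Ledgers is a hypothetical folder. wbadmin and wevtutil are native commands, so every line is identical at cmd.exe on Server Core, which has no PowerShell in Windows Server 2008 RTM.

```powershell
# Added example (not from the Transcender item): recover the FinancialRecords volume (assumed F:)
# from a Windows Server Backup image on E:. Version identifier and paths are assumed.

# 1. List the backups on the target and copy the "Version identifier" you want (MM/DD/YYYY-HH:MM).
wbadmin get versions -backupTarget:E:

# 2. Confirm that this version actually contains the volume you are about to restore.
wbadmin get items -version:03/31/2009-02:00 -backupTarget:E:

# 3. Volume recovery: -itemType:Volume, the source volume in -items, the destination in
#    -recoveryTarget. -quiet suppresses the confirmation prompt so the step can be scripted.
wbadmin start recovery -version:03/31/2009-02:00 -itemType:Volume -items:F: -backupTarget:E: -recoveryTarget:F: -quiet

# 4. Alternative when only a few directories were lost: a file-level recovery leaves the rest
#    of the volume untouched. -recursive restores the folder tree; -overwrite:CreateCopy keeps
#    the operator's newer files next to the restored ones instead of clobbering them.
wbadmin start recovery -version:03/31/2009-02:00 -itemType:File -items:F:\Ledgers -backupTarget:E: -recursive -overwrite:CreateCopy -quiet

# 5. Check the outcome before handing the volume back: the Backup channel records success or
#    failure of each recovery operation.
wevtutil qe Microsoft-Windows-Backup /c:5 /rd:true /f:text
```

Step 3 is the answer to the item; step 4 is the faster option when the damage is known to be confined to specific folders, because a whole-volume recovery also rolls back every file the operator did not touch.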

Item: 52 (Ref:Cert-70-640.2.6.4)
You are the systems administrator of your company. You install Windows Server 2008 on all servers on your network. A server named DC1 is configured as a domain controller. You want to install a new custom application on DC1 that will be used by all users on the network. This application will store data in Active Directory. The application installation requires modification to some attributes and classes in the Active Directory database. Which tool can you use to modify attributes and classes in the Active Directory database?
- Dsa.msc
- Schmmgmt.msc
- Domain.msc
- Adsiedit.msc

Answer: Schmmgmt.msc

Explanation:
You can use the Schmmgmt.msc tool, the Active Directory Schema snap-in, to achieve the desired goal. The Active Directory Schema snap-in is the Active Directory administrative tool for managing the schema. It is not available by default on the Administrative Tools menu and must be added manually. To install the Active Directory Schema snap-in, you first register the Schmmgmt.dll dynamic link library (DLL) it requires. To register the DLL, open a command prompt, type the following command, and press Enter:

regsvr32 schmmgmt.dll

After registering Schmmgmt.dll, you can add the Active Directory Schema snap-in to a Microsoft Management Console (MMC). To modify the schema, a user must be a member of the Schema Admins group, and the Active Directory Schema snap-in must be connected to the domain controller that holds the schema operations master role. Membership in the Schema Admins group is also required to perform tasks such as transferring the schema master role to another computer in the forest, or installing an application that adds new attributes and classes to the Active Directory database. To merely install the Active Directory Schema snap-in, you need to be a member of the Domain Admins group, or equivalent.

You cannot use the Dsa.msc tool, the Active Directory Users and Computers snap-in, to modify attributes and classes in the Active Directory database. Active Directory Users and Computers is a graphical user interface (GUI) tool that you use to manage users and computers in Active Directory domains.

You cannot use the Domain.msc tool, the Active Directory Domains and Trusts snap-in, to modify attributes and classes in the Active Directory database. Active Directory Domains and Trusts provides a graphical interface in which you can view and manage all domains in the forest. This tool can be used to perform tasks such as transferring the domain naming master role to another computer in the forest.

You cannot use the Adsiedit.msc tool to modify attributes and classes in the Active Directory database. ADSI Edit, the Active Directory Service Interfaces Editor, is an MMC snap-in that uses ADSI, which in turn uses the Lightweight Directory Access Protocol (LDAP). You can use ADSI Edit to view and modify directory objects in the Active Directory database, and to view schema directory partition objects and their properties.

Item: 53 (Ref:Cert-70-640.4.3.6)
You are a network administrator for your company. The corporate network consists of a single Active Directory domain where all servers run Windows Server 2008 and all client computers run Windows XP Professional. All users and computers in the Human Resources department belong to the organizational unit (OU) named HR. The Human Resources personnel work only on their assigned client computers. Those users must be subject to certain desktop restrictions. You configure the appropriate user policies in a Group Policy object (GPO) and link the GPO to the HR OU. The technical support personnel from the IT department report that, when they are asked to resolve different technical problems on the client computers in the Human Resources department, they sometimes cannot do so because some desktop features are disabled on those computers, even though the IT personnel use their own user account credentials to log on to the domain. You must ensure that only the Human Resources personnel receive restricted desktops; the IT personnel should not be subject to those restrictions. Which of the following should you do?
- Assign the Deny - Apply Group Policy permission for the GPO to the IT personnel.
- Enable the Block Policy inheritance option for the HR OU.
- Disable the loopback processing mode in the GPO.
- Enable the No Override option for the GPO link.

Answer: Disable the loopback processing mode in the GPO.

Explanation:
There are two groups of policies in a GPO: Computer Configuration and User Configuration. By default, computer-specific policies apply to computers, and user-specific policies apply to users. However, if the User Group Policy loopback processing mode policy is enabled in a GPO that targets computers, then the user-specific policies in the GPOs that target those computers apply to all users on those computers.

In this scenario, you have configured user-specific policies that restrict desktop features, and you have linked that GPO to the HR OU, which contains both user and computer objects. If you had configured only user-specific policies in the GPO, then it would apply to all users in the HR OU and would not affect any other users. It appears that you have also enabled the loopback processing mode in that GPO. Therefore, the GPO affects all users, including the IT personnel, when they log on to the domain from the computers in the Human Resources department. The desktop restrictions in this scenario should be imposed on the Human Resources users regardless of the computers that they use, so there is no need to enable the loopback processing mode, which is typically used when user-specific restrictions must apply to all users on specific computers.

The GPO in this scenario targets only users and computers in the HR OU; it does not target the user accounts of IT personnel. Therefore, assigning permissions for that GPO to the IT personnel would have no effect.

If you enabled the Block Policy inheritance option for the HR OU, then the GPOs that are linked to the site or domain would not apply to the HR OU. However, this option has no effect on the GPOs that are linked to the HR OU itself.

If you enabled the No Override option for the GPO link, then, in addition to the HR OU, that GPO would be enforced on any child OUs. However, it would not change the way that the GPO affects the IT personnel when they log on at the computers in the Human Resources department.
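The following is an added example and not part of the Transcender item: the check an IT technician can run on one of the HR computers to confirm that loopback processing is what is catching them. The machine-side policy "User Group Policy loopback processing mode" is delivered to the client as the UserPolicyMode value under HKLM\SOFTWARE\Policies\Microsoft\Windows\System (1 = Merge, 2 = Replace), so reading that value on the affected computer, followed by gpresult for the logged-on user, shows both the cause and the GPO responsible. It assumes (not on the page) that PowerShell is installed on the Windows XP client and that the script runs while an IT user is logged on to a computer in the HR OU.

```powershell
# Added example (not from the Transcender item): is loopback processing in effect on this
# computer, and which GPOs shaped the current user's session? Assumed: run on an HR client.

function Get-LoopbackMode {
    # Returns 'NotConfigured', 'Disabled', 'Merge' or 'Replace' from the policy registry value
    # that the loopback setting writes on the client.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $item = Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'NotConfigured' }
    switch ([int]$item.UserPolicyMode) {
        1       { return 'Merge' }
        2       { return 'Replace' }
        default { return 'Disabled' }
    }
}

$mode = Get-LoopbackMode
"Loopback mode on ${env:COMPUTERNAME}: $mode"
if ($mode -eq 'Merge' -or $mode -eq 'Replace') {
    'User settings from GPOs linked to this computer''s OU apply to everyone who logs on here, IT staff included.'
    if ($mode -eq 'Replace') { 'Replace mode also discards the user''s own GPOs, so IT-specific user settings are lost entirely.' }
}

# Which GPOs actually applied to the logged-on user (/v works on Windows XP and later;
# the "Applied Group Policy Objects" list under USER SETTINGS names the HR GPO when loopback is on).
gpresult /scope user /v | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,6
```

After the loopback setting is disabled in the GPO, run gpupdate /force on the HR computer and repeat the check: the function should return NotConfigured or Disabled, and the HR GPO should no longer appear among the applied user GPOs for an IT account.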

Item: 54 (Ref:Cert-70-640.2.6.6)
You are a network administrator for your company. Your corporate network consists of several Active Directory domains in a single forest. All domain controllers in the forest run Windows Server 2008. The domain controller that holds the schema master role must be shut down in order to upgrade its hardware. However, a schema master must always be available because your company uses a line-of-business Active Directory-aware application that routinely makes changes to the Active Directory schema. You must upgrade the hardware as planned while maintaining the continuity of business operations. Which of the following should you do?
- Connect to another domain controller in the forest root domain and seize the schema master role.
- Connect to another domain controller in any domain in the forest and seize the schema master role.
- Connect to another domain controller in any domain in the forest and transfer the schema master role to that domain controller.
- Connect to the schema master and transfer the schema master role to another domain controller in the forest root domain.
- Connect to the schema master and transfer the schema master role to another domain controller in any domain in the forest.

Answer: Connect to another domain controller in any domain in the forest and transfer the schema master role to that domain controller.

Explanation:
Changes to the Active Directory schema can be made only on the domain controller that holds the schema master role. There can be only one schema master in a forest. Initially, the first domain controller in the forest becomes the schema master. When more domain controllers are installed in the forest, the schema master role can be transferred to any domain controller in any domain in the forest. To be able to reassign the schema master role, you must be a member of the Schema Admins universal security group or you must be assigned the Allow - Change Schema Master permission for the schema. You can transfer the schema master role by using Active Directory Schema or the Ntdsutil command-line utility. You must connect to the domain controller to which you want to transfer the schema master role.

Seizing is another method that can be used to reassign an operations master role; seizing differs from transferring in that seizing is possible only when the original operations master is unavailable on the network. Seizing is an extreme measure and should be used only when transferring is no longer possible. You should seize the schema master, domain naming master or RID master role only if the original operations master will never be brought back online. To seize the schema master role, do the following:

1. Open a command prompt, type ntdsutil and press Enter.
2. At the ntdsutil prompt, type roles and press Enter.
3. At the fsmo maintenance prompt, type connections and press Enter.
4. At the server connections prompt, type connect to server <DomainController> and press Enter, where <DomainController> is the domain controller to which you want to assign the operations master role.
5. At the server connections prompt, type quit and press Enter.
6. At the fsmo maintenance prompt, type seize schema master and press Enter.

Item: 55 (Ref:Cert-70-640.6.5.6)
You want to configure Online Responders to ensure that when a client requests information about the status of a certificate, only information about the status of the requested certificate is sent to the client. Which edition or editions of Windows Server 2008 can you use to ensure that you correctly configure Online Responders? (Choose all that apply.)
- Windows Server 2008 Datacenter edition
- Windows Server 2008 Enterprise edition
- Windows Server 2008 Standard edition
- Windows Server 2008 Web edition

Answer:
- Windows Server 2008 Datacenter edition
- Windows Server 2008 Enterprise edition

Explanation:
Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter editions. Online Responders can be used as an alternative to, or an extension of, certificate revocation lists (CRLs) to provide certificate revocation data to clients. In Windows Server 2008, you can use an Online Responder based on the Online Certificate Status Protocol (OCSP) to manage and distribute revocation status information in cases where conventional CRLs are not an optimal solution. OCSP is an HTTP-based protocol that allows a relying party to submit a status request for a single certificate to an OCSP responder. When the OCSP responder receives the request, it returns a definitive, digitally signed response indicating the status of that certificate, so the client receives only the status of the certificate it asked about rather than the whole CRL.

The options stating Windows Server 2008 Standard edition and Windows Server 2008 Web edition are incorrect because Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter editions.

Item: 56 (Ref:Cert-70-640.2.6.1)
You are the network administrator of your company. The company has a main office and a branch office. Each office has its own Active Directory domain in a single forest. The main office network contains two domain controllers, named DC1 and DC2. The branch office network also contains two domain controllers, named DC3 and DC4. All servers on the network run Windows Server 2008. You are demoting DC3 to a member server. You want to transfer all of the domain-wide roles from DC3 to DC4 in the branch office. Which two utilities can you use to achieve the objective? (Choose two. Each correct answer represents a complete solution.)
- Ntdsutil.exe
- Active Directory Schema snap-in
- Active Directory Domains and Trusts snap-in
- Active Directory Users and Computers snap-in

Answer:
- Ntdsutil.exe
- Active Directory Users and Computers snap-in

Explanation:
You can use Ntdsutil.exe or the Active Directory Users and Computers snap-in to transfer all domain-wide operations master role to another domain controller. In an Active Directory forest, certain types of operations can be performed only on the domain controllers that are designated as operations masters for those types of operations. There are five operations master roles. The schema master and domain naming master are forest-wide roles; the PDC emulator, RID master and infrastructure master are domain-wide roles. There can be only one schema master and one domain naming master in each forest.

Copyright 2009 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.

Page 59 of 173

Each domain-wide role is unique only in each domain. By default, the first domain controller in a new forest hosts all five operations master roles. The first domain controller in any new domain in a forest, by default, holds the three domain-wide roles for that domain. Subsequently, a forest-wide role can be transferred to another domain controller in the forest, and a domain-wide role can be transferred to another domain controller in the domain. In order for a new domain to be created in a forest, the domain naming master must be available in that forest. In the absence of the domain naming master, you cannot create a new domain, regardless of whether it is a tree-root or a child domain.

To transfer the domain-wide operations master roles by using Active Directory Users and Computers, you should perform the following steps:
1. Open Active Directory Users and Computers.
2. In the console tree, right-click Active Directory Users and Computers, and then click the Connect to Domain Controller option. In the Enter the name of another domain controller field, type the name of the domain controller that will hold the infrastructure master role, or click the domain controller in the list of available domain controllers.
3. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click the Operations Masters option.
4. Click Change on the Infrastructure tab, the PDC tab, or the RID tab.

To transfer the domain-wide operations master roles by using Ntdsutil.exe, you should perform the following steps:
1. Type Ntdsutil at a command prompt.
2. At the ntdsutil command prompt, type: roles
3. At the FSMO maintenance command prompt, type: connections
4. At the server connections command prompt, type: connect to server DomainController
5. At the server connections command prompt, type: quit
6. At the FSMO maintenance command prompt, type: transfer RoleName master

The Active Directory Schema snap-in and the Active Directory Domains and Trusts snap-in are incorrect because these snap-ins cannot be used to transfer the domain-wide roles. The Active Directory Schema snap-in is used to manage or transfer the schema master role, which is a forest-wide role. The Active Directory Domains and Trusts snap-in is used to manage or transfer the domain naming master role, which is also a forest-wide role.
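The Ntdsutil.exe walk-through above as an added PowerShell example (not code from the Transcender item or from Microsoft): it passes the same menu commands to ntdsutil as arguments for each of the three domain-wide roles, then parses netdom query fsmo to confirm the target domain controller now holds them. The host name DC02 is an assumption.

```powershell
# Added example, not from the Transcender page: transfer the three domain-wide
# FSMO roles with ntdsutil's argument form, then verify the holders by parsing
# the text output of "netdom query fsmo". DC02 is an assumed host name.
param(
    [string]$TargetDc = "DC02"   # assumed DC that should receive the roles
)

# The interactive walk from the explanation (roles -> connections -> connect to
# server -> quit -> transfer <role> -> quit -> quit) can be handed to ntdsutil
# as quoted arguments. ntdsutil still shows its Role Transfer Confirmation
# dialog for each transfer. "transfer PDC" takes no "master" suffix.
$domainRoles = @("PDC", "RID master", "infrastructure master")

function Move-DomainFsmoRole {
    param([string]$Role, [string]$Server)
    & ntdsutil "roles" "connections" "connect to server $Server" "quit" `
               "transfer $Role" "quit" "quit"
}

# netdom prints one line per role: "<role label>   <holder fqdn>".
# Returns a hashtable of role label -> holder, e.g. "PDC" -> "dc02.verigon.com".
function Get-FsmoHolders {
    $holders = @{}
    $labels = "Schema master", "Domain naming master", "PDC", "RID pool manager", "Infrastructure master"
    foreach ($line in (& netdom query fsmo)) {
        foreach ($label in $labels) {
            if ($line -match "^\s*$label\s+(\S+)") { $holders[$label] = $Matches[1] }
        }
    }
    return $holders
}

foreach ($role in $domainRoles) { Move-DomainFsmoRole -Role $role -Server $TargetDc }

# Verify: the three domain-wide roles must now name the target DC. The two
# forest-wide roles (schema, domain naming) are untouched by this transfer.
$after = Get-FsmoHolders
foreach ($label in "PDC", "RID pool manager", "Infrastructure master") {
    if ($after[$label] -like "$TargetDc*") {
        Write-Host "$label is now held by $($after[$label])"
    } else {
        Write-Warning "$label is still held by $($after[$label]); check the ntdsutil output"
    }
}
```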

Item: 57 (Ref:Cert-70-640.3.3.1)
You are the network administrator for Verigon Entertainment Ltd., a company that buys and sells event tickets on the secondary market. Your company has three domains: verigon.com, sportstickets.verigon.com and concerttickets.verigon.com. All of the domain controllers in the sportstickets.verigon.com domain are running either Windows 2000 Server, Windows Server 2003, or Windows Server 2008. You want to install a read-only domain controller (RODC) in the sportstickets.verigon.com domain. What must you do to meet the minimum required configuration? (Choose three. Each answer is part of a single solution.)
- Upgrade all domain controllers in the sportstickets.verigon.com domain to Windows Server 2008.
- Replace at least one domain controller in the sportstickets.verigon.com domain with Windows Server 2008 domain controllers.
- Run adprep /rodcprep before you install the RODC.
- Raise the domain level of the sportstickets.verigon.com domain to Windows Server 2008.
- Raise the domain level of the sportstickets.verigon.com domain to Windows Server 2003.

Answer: Replace at least one domain controller in the sportstickets.verigon.com domain with Windows Server 2008 domain controllers. Run adprep /rodcprep before you install the RODC. Raise the domain level of the sportstickets.verigon.com domain to Windows Server 2003.


Explanation:
To configure the sportstickets.verigon.com domain, you should raise the domain level to Windows Server 2003, ensure that at least one domain controller is upgraded to Windows Server 2008, and run adprep /rodcprep before you install the first RODC. An RODC must be installed on a Windows Server 2008 server computer. The server can run the Enterprise version, Standard version, or even the Server Core edition, but you need at least one writable Windows Server 2008 domain controller to which the RODC can send authentication requests. The functional level of the domain and the forest must be at least Windows Server 2003. To raise the domain's functional level, you will have to ensure that all Windows 2000 Server domain controllers are upgraded to Windows Server 2003 or Windows Server 2008. You cannot have a Windows 2000 Server domain controller running in a domain with the domain level set to Windows Server 2003. Finally, you must run adprep /rodcprep before you install the first RODC. You do not have to upgrade all domain controllers in the sportstickets.verigon.com domain to Windows Server 2008, nor do you have to raise the domain level of the sportstickets.verigon.com domain to Windows Server 2008. You require a minimum domain level of Windows Server 2003 and at least one domain controller running Windows Server 2008.

Item: 58 (Ref:Cert-70-640.5.1.1)
You are the network administrator for Verigon Corporation. Your network has a single domain, and all of the domain controllers run Windows Server 2008. A domain controller in the branch office failed this morning. This domain controller does not hold any other roles. You bring the domain controller back online, but you need to perform a nonauthoritative restore of the domain controller. You do not have a critical volume backup of the domain controller on hand, but you do have a recent full backup. What should be your first action to perform a nonauthoritative restore of the domain controller?
- Perform a critical backup of another domain controller. Reboot the failed domain controller into Directory Services Restore Mode (DSRM).
- Perform a full backup of another domain controller. Reboot the failed domain controller into Directory Services Restore Mode (DSRM).
- At the command prompt, type bcdedit /set safeboot dsrepair and hit Enter. At the next command prompt, type shutdown -t 0 -r and hit Enter.
- At the command prompt, type bcdedit /set safeboot and hit Enter. At the next command prompt, type shutdown -t 0 -r and hit Enter.

Answer: At the command prompt, type bcdedit /set safeboot dsrepair and hit Enter. At the next command prompt, type shutdown -t 0 -r and hit Enter.

Explanation:
You should enter the command bcdedit /set safeboot dsrepair and hit Enter, then type shutdown -t 0 -r and hit Enter at the next command prompt. The command bcdedit /set safeboot dsrepair will boot the domain controller into Directory Services Restore Mode (DSRM). You can shut down or restart the computer to complete the nonauthoritative restore process. You can type shutdown -t 0 -r and hit Enter at the command prompt to force a restart. Another option would be to manually shut down the computer, manually restart the computer, and hit the F8 key to force the domain controller into DSRM. You should have a critical-volume backup to perform a nonauthoritative restore of Active Directory Domain Services (AD DS). However, you can perform a nonauthoritative restore of AD DS with a full backup. A critical-volume backup includes all volumes that are reported by system writers. You can use a full server backup for a nonauthoritative restore if you do not have a critical-volume backup because a full server backup is generally larger and will contain all of the critical volumes. Restoring a full server backup will take longer than restoring a critical-volume backup. The restore of a full server backup rolls back data in AD DS to the time of backup. Unfortunately, it will also roll back all data in other volumes. In this scenario, however, restoring the other volumes is not a problem because the domain controller does not hold any other roles, such as a file server or application server. Restoring the other volumes is not necessary to achieve a nonauthoritative restore of AD DS in this situation. You can perform a nonauthoritative restore of AD DS by doing the following:


1. At the Windows logon screen, type .\administrator as the user name, type the DSRM password for the server, and then press Enter.
2. Click Start, right-click Command Prompt, and then click Run as Administrator.
3. If you have multiple versions of the backup, you need to find the correct version of the backup. At the command prompt, type the following command, and then press Enter:
   wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>
   <targetDrive>: The destination drive where you want to restore your backup to.
   <BackupComputerName>: If you have multiple computers backed up to the same location, you need to identify which computer's backup you want to restore.
4. Find the version that you want to restore. At the prompt, type the following command, and then press Enter:
   wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -quiet

You do not have to have a full backup or a critical backup of another domain controller to perform a nonauthoritative restore of the failed domain controller. You can use the existing full backup of the failed domain controller. The full backup will contain the critical volumes and other volumes. Although restoring the other volumes may take longer, a full backup can be used. You should not type bcdedit /set safeboot and hit Enter at the command prompt. The command bcdedit /set safeboot will boot the domain controller into Safe mode, but it will not boot the computer into DSRM. You should type bcdedit /set safeboot dsrepair and hit Enter at the command prompt, or restart the computer and hit F8, to boot the computer into DSRM.
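The nonauthoritative restore procedure above as an added two-phase PowerShell script (not code from the Transcender item or from Microsoft): the first phase sets the DSRM boot flag and restarts, the second, run after logging on to DSRM, picks the newest backup version from wbadmin get versions, runs the system state recovery, and clears the boot flag so the domain controller comes back up normally. The backup drive E: and the computer name DC03 are assumptions.

```powershell
# Added example, not from the Transcender page: the nonauthoritative restore
# steps as a script. Run "-Phase EnterDsrm" on the running DC; after logging on
# to DSRM as .\administrator, run "-Phase Restore" from an elevated prompt.
# Backup target E: and the backed-up computer name DC03 are assumptions.
param(
    [string]$Phase = "EnterDsrm",          # EnterDsrm or Restore
    [string]$BackupTarget = "E:",          # assumed drive holding the full backup
    [string]$BackupMachine = "DC03",       # assumed name of the backed-up DC
    [string]$Version = ""                  # optional MM/DD/YYYY-HH:MM; newest if empty
)

function Get-LatestBackupVersion {
    param([string]$Target, [string]$Machine)
    # "wbadmin get versions" prints one "Version identifier: MM/DD/YYYY-HH:MM"
    # line per backup, oldest first, so the last identifier is the newest.
    $ids = @()
    foreach ($line in (& wbadmin get versions "-backuptarget:$Target" "-machine:$Machine")) {
        if ($line -match "Version identifier:\s*(\S+)") { $ids += $Matches[1] }
    }
    if ($ids.Count -eq 0) { throw "No backups of $Machine found on $Target" }
    return $ids[-1]
}

switch ($Phase) {
    "EnterDsrm" {
        # "safeboot dsrepair" boots into DSRM. Plain "safeboot" (minimal) is
        # ordinary Safe Mode and cannot restore AD DS, as the item explains.
        & bcdedit /set safeboot dsrepair
        & shutdown -t 0 -r
    }
    "Restore" {
        if ($Version -eq "") { $Version = Get-LatestBackupVersion $BackupTarget $BackupMachine }
        Write-Host "Restoring system state of $BackupMachine from version $Version"
        & wbadmin start systemstaterecovery "-version:$Version" `
            "-backuptarget:$BackupTarget" "-machine:$BackupMachine" -quiet
        # Clear the DSRM boot flag (not mentioned in the item, but without it the
        # DC keeps booting into DSRM), then restart; AD DS then replicates normally.
        & bcdedit /deletevalue safeboot
        & shutdown -t 0 -r
    }
    default { throw "Phase must be EnterDsrm or Restore" }
}
```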

Item: 59 (Ref:Cert-70-640.5.3.2)
You are the network administrator for a company that manufactures coffee and tea. Your company's network has a single domain. The main office is located in Atlanta, and the company has several branch locations in Tuscaloosa, Gainesville, Tallahassee, and Knoxville. All domain controllers run Windows Server 2008 and the functional level of the domain is Windows Server 2008. Each location is a separate Active Directory site. The Windows Remote Management (WinRM) service is running on all servers running Windows Server 2008. You would like to collect all replication errors from all the domain controllers and view them on a file server in Atlanta. What should you do?
- On the file server in Atlanta, start the Windows Event Collector service and configure its start mode to Automatic.
- On the file server in Atlanta, start the Windows Error Reporting service and configure its start mode to Automatic.
- On the file server in Atlanta, start the Windows System Resource Manager service and configure its start mode to Automatic.
- On the domain controllers in the domain, start the Windows System Resource Manager service and configure its start mode to Automatic.

Answer: On the file server in Atlanta, start the Windows Event Collector service and configure its start mode to Automatic.

Explanation:
You should start the Windows Event Collector service on the file server in Atlanta and configure its start mode to Automatic. The Windows Event Collector service manages persistent subscriptions to events from remote sources that support WS-Management protocol, such as the domain controllers in the main and branch offices. These events include Windows Vista event logs, hardware events, and IPMI-enabled event sources. The service stores forwarded events in a local Event Log. The Windows Event Collector service start mode should be set to Automatic because if this service is stopped or disabled, then event subscriptions cannot be created and forwarded events cannot be accepted. To collect events from remote computers, such as the domain controllers in the domain, these domain controllers must be running the Windows Remote Management (WinRM) service.


You do not have to start the Windows Error Reporting service and configure its start mode to Automatic. This service is started automatically. The Error Reporting service allows errors to be reported to Microsoft when programs stop working or responding, and allows existing solutions to be delivered. It also allows logs to be generated for diagnostic and repair services. Although this service is important, it is not required to forward events. You do not have to start the Windows System Resource Manager (WSRM) service on the file server in Atlanta or on the domain controllers in the domain. WSRM is started by default. This service assigns computer resources to multiple applications running on Windows Vista or Windows Server 2008. You can also configure an event subscription in the Event Viewer. Right-click Subscriptions and choose Create Subscription. In the subscription properties you can specify the computers from which logs should be collected and specify which events to collect.

Item: 60 (Ref:Cert-70-640.4.6.3)
You are the network administrator for a company that makes consumer electronics. Your network has a single domain. All file servers, print servers, and application servers run Windows Server 2008. Each department has its own Organizational Unit within the domain. You want to configure users in the Sales OU to have different account lockout settings than the rest of the organization's users. What should you do?
- Raise the functional level of the domain to Windows Server 2008 and specify fine-grained password policies for the users in the Sales OU.
- Create a sub-domain for the users in the Sales OU. Configure the default domain policy in the new domain.
- Create a Group Policy Object (GPO) that has the appropriate account lockout settings and link the GPO to the Sales OU.
- Create a Group Policy Object (GPO) that has the appropriate account lockout settings and link the GPO to the Sales OU. Enable the Block Inheritance setting at the Sales OU.


Answer: Raise the functional level of the domain to Windows Server 2008 and specify fine-grained password policies for the users in the Sales OU.

Explanation:
You should raise the functional level of the domain to Windows Server 2008 and specify fine-grained password policies for the users in the Sales OU. A domain functional level of Windows Server 2008 is required to configure fine-grained password policies. With previous domain functional levels, including Windows 2000 Server and Windows Server 2003, you could only have a single password policy or account lockout policy for all users in the domain. In this scenario, you must first upgrade all domain controllers to Windows Server 2008. Once this task has been completed, you can raise the functional level of the domain to Windows Server 2008. Once the domain functional level has been configured to Windows Server 2008, you can create a Password Settings Object (PSO). A PSO allows you to specify fine-grained password policies for an Active Directory domain. This PSO will contain attributes for Password Policy Settings or Account Lockout Settings. You can configure the appropriate values for the attributes, then link the PSO to a user object or a group object. A user or group object can have multiple linked PSOs, either because the object is a member of multiple groups with different PSOs applied to them, or because multiple PSOs are applied directly to the object. However, only one PSO can be applied as the effective password policy, and only the settings from that PSO can affect the user or group. The settings from other PSOs that are linked to the user or group cannot be merged in any way. To ensure that the PSO that you configured is applied, you can set the rank of the PSOs. The PSO with the highest rank applies. The rank is configured by the msDS-PasswordSettingsPrecedence attribute. This attribute has a value of 1 or greater. The lower the value, the higher the rank. For example, if a PSO that is linked to a user has a value of 1, and the user belongs to a group with a linked PSO that has a value of 2, then the password settings in the PSO with the value of 1 apply to the user.

You should not create a sub-domain for the users in the Sales OU and configure the default domain policy in the new domain. Unlike in previous versions of Windows Server, you can create different password and account lockout settings for users in the same Active Directory domain if the functional level of the domain is set to Windows Server 2008.

You should not create a Group Policy Object (GPO) that has the appropriate account lockout settings and link the GPO to the Sales OU. Linking another GPO will not necessarily change the password or account lockout settings for domain accounts. The account lockout settings, password settings, and Kerberos ticket settings in a GPO can only be applied at the domain level to domain accounts. However, account lockout settings and password settings in a GPO applied at the OU level can affect local accounts on a computer in that OU, but not the domain account. For example, let us say a GPO linked at the domain level sets the maximum password length to 9, and a GPO linked at the Accounting OU sets the maximum password length to 7. Joe's account is in the Accounting OU, and the computer Server1 is in the Accounting OU. The maximum length of Joe's password is 9, but any local user account that is created on Server1 will have a password length of 7. The GPO at the Accounting OU would take precedence over the domain GPO, but password policies, account lockout policies and Kerberos ticket lifetime policies for domain accounts are governed by a GPO at the domain. A GPO with password or account lockout settings applied to computers in an OU will only affect local accounts on those computers, not domain accounts. The higher-ranked PSO that is linked to a user or group determines the account lockout or password policy. If no PSO is obtained from a user or from a group that the user belongs to, then a GPO at the domain level is applied.

You should not block inheritance at the Sales OU. The block inheritance setting will not block a GPO linked at the domain level from applying a password policy. If no PSO is obtained from a user or from a group that the user belongs to, then a GPO at the domain level is applied.
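An added PowerShell example of the PSO mechanism described above (not code from the Transcender item or from Microsoft): it builds two Password Settings Objects with different msDS-PasswordSettingsPrecedence values as an LDIF file, imports them with ldifde, and reads back the single PSO that wins for a user. The domain nutex.com, the group and user distinguished names, and the policy values are assumptions; the attribute list is the set AD DS requires on a PSO.

```powershell
# Added example, not from the Transcender page: create two PSOs via ldifde and
# show which one takes effect. Domain, group and user DNs are assumptions.
$domainDn     = "DC=nutex,DC=com"                    # assumed domain
$psoContainer = "CN=Password Settings Container,CN=System,$domainDn"

# PSO ages and windows are stored as negative I8 counts of 100-nanosecond
# intervals; .NET ticks are already 100 ns, so 30 minutes becomes -18000000000.
function ConvertTo-PsoInterval {
    param([TimeSpan]$Span)
    return "-" + $Span.Ticks.ToString()
}

function New-PsoLdif {
    param([string]$Name, [int]$Precedence, [int]$LockoutThreshold,
          [TimeSpan]$LockoutDuration, [TimeSpan]$ObservationWindow, [string]$AppliesToDn)
    # Every attribute below is mandatory on msDS-PasswordSettings; ldifde
    # rejects the object if one is missing. msDS-PSOAppliesTo may name a
    # user or a group, as the explanation says.
    $lines = @(
        "dn: CN=$Name,$psoContainer",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        "msDS-PasswordSettingsPrecedence: $Precedence",
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        "msDS-PasswordHistoryLength: 24",
        "msDS-PasswordComplexityEnabled: TRUE",
        "msDS-MinimumPasswordLength: 8",
        "msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval (New-TimeSpan -Days 1))",
        "msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval (New-TimeSpan -Days 42))",
        "msDS-LockoutThreshold: $LockoutThreshold",
        "msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval $ObservationWindow)",
        "msDS-LockoutDuration: $(ConvertTo-PsoInterval $LockoutDuration)",
        "msDS-PSOAppliesTo: $AppliesToDn"
    )
    return [string]::Join("`r`n", $lines)
}

# Precedence 1 outranks precedence 2 (lower value = higher rank), so a Sales
# user who is also in AllStaff gets the stricter Sales lockout settings; the
# two PSOs are never merged.
$sales = New-PsoLdif -Name "PSO-Sales" -Precedence 1 -LockoutThreshold 3 `
    -LockoutDuration (New-TimeSpan -Minutes 60) -ObservationWindow (New-TimeSpan -Minutes 60) `
    -AppliesToDn "CN=SalesUsers,OU=Sales,$domainDn"
$staff = New-PsoLdif -Name "PSO-AllStaff" -Precedence 2 -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) -ObservationWindow (New-TimeSpan -Minutes 15) `
    -AppliesToDn "CN=AllStaff,CN=Users,$domainDn"

$ldfPath = Join-Path $env:TEMP "pso.ldf"
Set-Content -Path $ldfPath -Value ($sales + "`r`n`r`n" + $staff + "`r`n") -Encoding ASCII
& ldifde -i -f $ldfPath -k        # -k: keep going past "object already exists"

# msDS-ResultantPSO is a constructed attribute, so it must be requested
# explicitly; it names the one PSO in force for the user (Get throws when no
# PSO applies, in which case the domain-level GPO governs).
function Get-EffectivePso {
    param([string]$UserDn)
    $user = [ADSI]"LDAP://$UserDn"
    $user.GetInfoEx(@("msDS-ResultantPSO"), 0)
    return [string]$user.Get("msDS-ResultantPSO")
}
Get-EffectivePso -UserDn "CN=Joe,OU=Sales,$domainDn"   # assumed user; expect CN=PSO-Sales,...
```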

Item: 61 (Ref:Cert-70-640.4.7.6)
You are a network administrator for your company. The network consists of a server running Windows Server 2008 and 50 client computers running Windows Vista. Users on the network are experiencing problems in the network, such as loss of connection to the network printer and random computer restarts or shutdowns. You want to enable audit policies for the following:
- Track events of printer usage
- Track events of registry edits
- Track events of network connection
- Track events on restart and shutdown
What should you do?
- Enable Audit system events, Audit policy change, and Audit privilege use policies.
- Enable Audit logon events, Audit system events, and Audit privilege use policies.
- Enable Audit system events, Audit object access, and Audit logon events policies.
- Enable Audit object access, Audit policy change, and Audit privilege use policies.

Answer: Enable Audit system events, Audit object access, and Audit logon events policies.

Explanation:
You should enable Audit system events, Audit object access, and Audit logon events policies to achieve the objectives in this scenario. Following are the objectives of these three audit policies:
- The Audit system events policy will audit events related to a computer restart or shutdown.
- The Audit object access policy will audit events when a user accesses an object. Objects include files, folders, printers, registry keys, and Active Directory objects.
- The Audit logon events policy will audit events related to a user logging on to, logging off from, or making a network connection to the computer configured to audit logon events.
Since Audit system events tracks events on restart and shutdown, Audit object access tracks events of printer usage and registry, and Audit logon events tracks events of network connections, enabling these audit policies will fulfill all the stated objectives. You can configure these audit policies in Group Policy Object (GPO) settings either in the Graphical User Interface (GUI) mode or by using the Auditpol.exe command line utility. Once you configure Audit policy and enable the appropriate user permissions, you can link the GPO to the appropriate organizational unit (OU). You should not enable Audit system events, Audit policy change, and Audit privilege use policies to achieve the objectives in this scenario because enabling these three audit policies will not fulfill the objectives stated in this scenario. You should not enable Audit logon events, Audit system events, and Audit privilege use policies to achieve the objectives in this scenario because enabling these three audit policies will not fulfill the objectives stated in this scenario. You should not enable Audit object access, Audit policy change, and Audit privilege use policies to achieve the objectives in this scenario because enabling these three audit policies will not fulfill the objectives stated in this scenario.
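The Auditpol.exe route mentioned above as an added PowerShell example (not code from the Transcender item or from Microsoft): it enables the three audit categories behind the answer, adds the audit entry (SACL) that object access auditing needs on a registry key, and then lists the matching Security-log events. The registry key HKLM:\SOFTWARE\Verigon is an assumption; the event IDs are the Windows Server 2008 Security-log IDs.

```powershell
# Added example, not from the Transcender page: enable the three audit
# categories with auditpol.exe, put a SACL on a registry key, and review the
# resulting Security-log events. Requires an elevated prompt.
param([string]$AuditedKey = "HKLM:\SOFTWARE\Verigon")   # assumed key to watch

# Legacy audit categories behind the three policies in the answer.
$categories = @{
    "System"        = "restart and shutdown (4608/4609)";
    "Object Access" = "printer usage and registry edits (4656/4663)";
    "Logon/Logoff"  = "network connections (4624/4625)"
}

function Enable-ScenarioAuditing {
    foreach ($category in $categories.Keys) {
        # Success and failure both enabled: a blocked registry edit is as
        # interesting as one that went through. Audit settings delivered by a
        # GPO overwrite these local values at the next policy refresh.
        & auditpol /set /category:"$category" /success:enable /failure:enable
        Write-Host "Enabled $category auditing: $($categories[$category])"
    }
    & auditpol /get /category:*
}

# Object Access only produces events for objects that carry audit entries, so
# each printer or key to watch needs a SACL. This adds one to a registry key.
function Add-RegistryAuditEntry {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { Write-Warning "$KeyPath does not exist"; return }
    $acl  = Get-Acl -Path $KeyPath -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule `
        -ArgumentList "Everyone", "SetValue, CreateSubKey, Delete", "ContainerInherit", "None", "Success, Failure"
    $acl.AddAuditRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Get-RecentAuditEvents {
    param([int]$Newest = 2000)
    # Security-log event IDs these categories produce on Windows Server 2008.
    $meaning = @{
        4608 = "Windows is starting up"; 4609 = "Windows is shutting down";
        4624 = "logon succeeded (logon type 3 = network)"; 4625 = "logon failed";
        4656 = "handle to an audited object requested"; 4663 = "audited object accessed"
    }
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $meaning.ContainsKey($_.EventID) } |
        Select-Object TimeGenerated, EventID, @{ Name = "Meaning"; Expression = { $meaning[$_.EventID] } }
}

Enable-ScenarioAuditing
Add-RegistryAuditEntry -KeyPath $AuditedKey
Get-RecentAuditEvents -Newest 500 | Format-Table -AutoSize
```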

Item: 62 (Ref:Cert-70-640.2.3.3)
Your corporate network consists of a single Active Directory domain and three sites, as shown in the following image:

Active Directory replication between the sites is scheduled as shown in the following image:


Users report that the changes to Active Directory that are made in Site1 during normal business hours reach Site3 two days later. You must ensure that all the changes that are made during normal business hours in one site become available in the other sites by the next business day. Which of the following should you do?
- Change the cost of the site link between Site1 and Site2 to 50.
- Change the replication frequency for the site link between Site1 and Site2 to 30 minutes.
- Change the availability of the site link between Site1 and Site2 to 7 P.M. - 1 A.M., and change the availability of the site link between Site2 and Site3 to 2 A.M. - 6 A.M.
- Change the availability of the site link between Site1 and Site2 to 8 P.M. - 2 A.M.

Answer: Change the availability of the site link between Site1 and Site2 to 8 P.M. - 2 A.M.

Explanation:
Active Directory replication between sites can be scheduled to occur at specified intervals during specified site link availability windows. In this scenario, changes that are made in Site1 during business hours are replicated to Site2 on the following night, every hour, between 2 A.M. and 6 A.M. Those changes start being replicated to Site3 only after the end of the next business day, from 7 P.M. to 1 A.M. Thus, the changes that are made in Site1 become available in Site3 two business days later. To ensure that changes that are made in any site reach all the other sites by the next day, you can change the replication schedule between Site1 and Site2 to 8 P.M. - 2 A.M. Then, between 8 P.M. and 1 A.M., both site links will be available simultaneously. Therefore, changes that are made at any site during normal business hours will be replicated to all other sites during this time period on the same night. Changing site link costs would not affect the propagation of Active Directory changes among the sites in this scenario because the replication topology does not include alternative paths between the same sites. Replication frequency defines the duration of the interval between consecutive replication sessions. However, replication over a site link occurs only when that site link is available. Changing the replication interval would not accomplish the task in this scenario. If you changed the site link availability schedules so that the site link between Site1 and Site2 is available from 7 P.M. to 1 A.M., and the site link between Site2 and Site3 is available from 2 A.M. to 6 A.M., then changes that are made in Site1 would reach Site2 the same night and then reach Site3 by the next morning. However, changes that are made in Site3 would reach Site1 two days later.

Item: 63 (Ref:Cert-70-640.4.6.2)
You are the network administrator for your company's domain. The company has two branch offices with two different Active Directory sites. The default domain policy for the domain is displayed in the exhibit. (Click the Exhibit(s) button.) You want to secure the accounts in your domain. You specifically want to ensure that an account cannot be compromised by a hacker, and that the account would be disabled before the hacker has an opportunity to guess the password. What should you configure?
- Change the minimum password age to 7 days.
- Enable store passwords using reversible encryption.
- Change the account lockout duration to 0.
- Change the account lockout threshold to 7.

Answer: Change the account lockout duration to 0.


Explanation:
You should change the account lockout duration to 0. This setting will lock out an account until the administrator unlocks it. Configuring the account lockout duration setting, along with the account lockout threshold setting and the reset lockout counter setting, can help prevent hackers from guessing the passwords of accounts on the domain. The account lockout threshold setting limits the number of attempts a user has to type a correct password. The reset lockout counter sets the length of time that the system remembers the failed attempts. In this scenario, the account lockout threshold setting is set to 4 and the reset lockout counter setting is set to 30 minutes, which means that the user has 4 attempts within 30 minutes to guess the password for the account. If the user makes 3 attempts at the password, but comes back more than 30 minutes later, then the user would have another 4 attempts at the password before the account is locked.

You should not increase the account lockout duration to 7. This action will lessen security and will only lock the account for 7 minutes if the number of failed password attempts reaches the threshold. You should not change the minimum password age to 7 days. The minimum password age is the time a password must remain valid before a user can change it. If you set the minimum password age to 7 days, then the user must wait a week before changing his/her password. This setting will not stop a hacker from guessing a password, or disable the account if the hacker incorrectly types a password. You should not store passwords using reversible encryption. This policy provides support for legacy applications that use protocols that require knowledge of the user's password for authentication purposes. These types of applications can compromise security. You should never enable the store passwords using reversible encryption setting because storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. The default setting for this policy is disabled.

Item: 64 (Ref:Cert-70-640.3.3.2)
You are the network administrator for your company. The company has three domains in a single forest, named nutex.com, east.nutex.com and west.nutex.com. The west.nutex.com domain consists of three Active Directory sites. All domain controllers in your company are Windows Server 2003 servers. You want to install a read-only domain controller (RODC) in the west.nutex.com domain. You need to control costs and minimize hardware expansion. What must you do before you install the RODC in the west.nutex.com domain? (Choose two.)
- Upgrade all domain controllers in the west.nutex.com domain to Windows Server 2008.
- Upgrade at least one domain controller in the west.nutex.com domain to Windows Server 2008.
- Upgrade all domain controllers in the nutex.com forest to Windows Server 2008.
- Upgrade at least one domain controller in the west.nutex.com domain, the east.nutex.com domain, and the nutex.com domain to Windows Server 2008.
- Raise the domain level in the west.nutex.com domain to Windows Server 2008.
- Raise the forest level in the nutex.com forest to Windows Server 2008.
- Ensure that the domain level in the west.nutex.com domain is set at Windows Server 2003.

Answer: Upgrade at least one domain controller in the west.nutex.com domain to Windows Server 2008. Ensure that the domain level in the west.nutex.com domain is set at Windows Server 2003.

Explanation:
You should ensure that the domain level of the west.nutex.com domain is set at Windows Server 2003, and you should upgrade at least one domain controller in the west.nutex.com domain to Windows Server 2008. An RODC must be installed on a Windows Server 2008 computer. The server can run any version of Windows Server 2008, such as the Enterprise version, the Standard version, or the Server Core edition. You need at least one writable Windows Server 2008 domain controller to which the RODC can send authentication requests. The functional level of the domain and the forest must be Windows Server 2003 or above. You will also have to run the adprep /rodcprep command before you install the first RODC. You should not raise the domain level of the west.nutex.com domain to Windows Server 2008. Although this will support an RODC, it will mandate that all domain controllers in the domain must run Windows Server 2008. You should not upgrade all domain controllers in the nutex.com forest to Windows Server 2008. Only one domain controller in the west.nutex.com domain needs to be running Windows Server 2008. You should not upgrade at least one domain controller in each of the west.nutex.com, east.nutex.com, and nutex.com domains to Windows Server 2008. Only one domain controller in the west.nutex.com domain needs to be running Windows Server 2008.


You should not raise the forest level in the nutex.com forest to Windows Server 2008. This action would mean that all domain controllers in each domain must run Windows Server 2008 and the domain level in all domains in the forest must be set to Windows Server 2008. Only the domain level of the west.nutex.com domain needs to be set at Windows Server 2003 or higher. To install an RODC, run dcpromo. The Active Directory Domain Services Installation Wizard lets you choose to install the domain controller as an RODC.

Item: 65 (Ref:Cert-70-640.4.3.12)
You are the network administrator for a company that owns several professional sports franchises. Your company has a single domain with several organizational units (OUs). All marketing personnel are in the Marketing OU. Some of the marketing personnel in the company market tickets and merchandise for a professional basketball team. Other marketing personnel in the company market tickets and merchandise for a professional football team. There are separate ticket application programs that are used by marketing personnel. The BasketballTicketApp is used by marketing personnel that market tickets and merchandise for the professional basketball team. The FootballTicketApp is used by marketing personnel that market tickets and merchandise for the professional football team. A Group Policy Object (GPO) is created, as shown in the exhibit, to install each of the appropriate applications for the appropriate personnel. (Click the Exhibit(s) button.) You want to ensure that the marketing personnel dedicated to the professional basketball team only receive the BasketballTicketApp and not the FootballTicketApp. You want to ensure that the marketing personnel dedicated to the professional football team only receive the FootballTicketApp and not the BasketballTicketApp. What should you configure?
- Create two Organizational Units (OUs) under the Marketing OU, named Basketball and Football. Move the appropriate personnel into the appropriate OU.
- Create two global groups named BasketballGlobalGroup and FootballGlobalGroup. Place the appropriate personnel into the appropriate group. On each GPO, under Security Filtering, remove the Authenticated Users group and add the appropriate global group.
- Create two subdomains, named Basketball and Football. Move the appropriate personnel into the appropriate domains.
- At the Marketing OU, block inheritance to the BasketballTicketApp GPO for the FootballGlobalGroup and block inheritance to the FootballTicketApp GPO for the BasketballGlobalGroup.


Answer: Create two global groups named BasketballGlobalGroup and FootballGlobalGroup. Place the appropriate personnel into the appropriate group. On each GPO, under Security Filtering, remove the Authenticated Users group and add the appropriate global group.

Explanation:
You should create two global groups named BasketballGlobalGroup and FootballGlobalGroup. Place the appropriate personnel into the appropriate group. On each GPO, under Security Filtering, remove the Authenticated Users group and add the appropriate global group. You can use Security Filtering on a GPO to apply the GPO only to certain users within an OU if you remove the Authenticated Users group. In this scenario, you can limit the BasketballTicketApp GPO to only the BasketballGlobalGroup by adding the BasketballGlobalGroup in the Security Filtering window and removing the Authenticated Users group. You can limit the FootballTicketApp GPO to only the FootballGlobalGroup by adding the FootballGlobalGroup in the Security Filtering window and removing the Authenticated Users group.

You should not create two Organizational Units (OUs) under the Marketing OU, named Basketball and Football, and move the appropriate personnel into the appropriate OU. This will not solve the problem because the GPOs are still linked to the Marketing OU and will still apply to both the Basketball and Football sub-OUs. If you were to create two sub-OUs, you should remove the link from the Marketing OU and link the appropriate GPO to the appropriate sub-OU. For example, you could link the BasketballTicketApp GPO to the Basketball OU and link the FootballTicketApp GPO to the Football OU.

You should not create two subdomains named Basketball and Football and move the appropriate personnel into the appropriate domains. This will not solve the problem because the GPOs are still linked to the Marketing OU. The GPOs will not apply to the new domains.

You should not block inheritance to the BasketballTicketApp GPO for the FootballGlobalGroup and block inheritance to the FootballTicketApp GPO for the BasketballGlobalGroup. You cannot block inheritance for a particular group or user. You can only block inheritance at a container level, such as an OU. Block inheritance stops GPOs that are linked above from flowing down. The following graphic displays the correctly configured filtering for the BasketballTicketApp GPO:
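The security-filtering change from the answer, scripted with the GroupPolicy module, as an added example that is not part of the original Transcender item. It assumes the GroupPolicy PowerShell module (shipped with Windows Server 2008 R2 and later, or RSAT) and uses the GPO and group names from the question; the Domain Computers read grant is a later-era caveat (MS16-072) that the 2008-era item does not cover.

```powershell
Import-Module GroupPolicy

function Set-GpoScopeToGroup {
    <#
      Replaces the default "Authenticated Users" apply scope of a GPO with a single
      global group, which is what the Security Filtering pane in GPMC does.
    #>
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )

    # 1. Drop Authenticated Users from the ACL; without this the GPO still applies to
    #    everyone in the Marketing OU, whatever groups are added afterwards.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                     -PermissionLevel None -Replace | Out-Null

    # 2. Grant Read + Apply Group Policy to the intended group (GpoApply implies Read).
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null

    # 3. Caveat for domains patched with MS16-072 (June 2016): user-side settings are fetched
    #    in the computer's security context, so computer accounts need Read (not Apply) or the
    #    GPO silently stops applying once Authenticated Users is gone.
    Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
                     -PermissionLevel GpoRead | Out-Null
}

function Get-GpoScope {
    # Returns who can read/apply the GPO, for verification after the change.
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

# Names from the question: the two GPOs and the two global groups.
Set-GpoScopeToGroup -GpoName 'BasketballTicketApp' -GroupName 'BasketballGlobalGroup'
Set-GpoScopeToGroup -GpoName 'FootballTicketApp'   -GroupName 'FootballGlobalGroup'

Get-GpoScope -GpoName 'BasketballTicketApp'
Get-GpoScope -GpoName 'FootballTicketApp'
```

Security filtering only narrows the scope of a GPO that is linked somewhere above the users, so both GPOs stay linked to the Marketing OU; filtering decides which members of that OU actually apply each one. A user who is a member of both groups receives both applications, which the trustee listing above makes easy to check.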


Item: 66 (Ref:Cert-70-640.4.5.1)
You are a network administrator for your company. The corporate network consists of a single Active Directory domain where all servers run Windows Server 2003 and all client computers run Windows XP Professional. You use a Group Policy object (GPO) to deploy an application on the network. Later, you receive a different application that is to be used, instead of the previously deployed application, to work with files that have the same file name extensions. You must deploy the new application, but users should not have to install it if they choose to use the original application instead of the new one. However, only one of these applications should be installed on the same computer. Which of the following should you do?
- Assign the new application to computers; specify in the GPO that the original application be removed before the new one is installed.
- Publish the new application to computers and remove the GPO that deploys the original application.
- Assign the new application to users and remove the GPO that deploys the original application.
- Publish the new application to users; specify in the GPO that the original application be removed before the new one is installed.

Answer: Publish the new application to users; specify in the GPO that the original application be removed before the new one is installed.

Explanation:
To deploy software by using a GPO, you have three main options: you can assign an application to users, assign it to computers, or publish it to users. An application that is assigned to computers is installed automatically on a target computer when the computer is started. An application that is assigned to users is advertised in the Start menu when a target user logs on, and it is installed automatically when the user activates the shortcut on the Start menu or attempts to open a file whose file name extension is associated with the application. An application that is published to users is advertised in Add or Remove Programs in Control Panel when a target user logs on; the user can install the application from Control Panel; or, optionally, the GPO can be configured to install the application automatically when the user attempts to open a file whose file name extension is associated with the application.


In this scenario, you should publish the new application to users. On the Upgrades tab of the Properties sheet for the package in the GPO, you should indicate that this package is intended to upgrade the original application. You should click Add, specify the GPO where the package for the original application is defined, and select the Uninstall the existing package, then install the upgrade package option. On the Upgrades tab, you should leave the Required upgrade for existing packages option disabled because the scenario stipulates that the upgrade should not be mandatory. Users will be able to continue using the original application or install the new application from Control Panel. If a user chooses to install the new application on a computer where the original application is installed, the original application will be removed before the installation of the new one starts. If you assigned the new application to computers, then the application would be installed automatically at computer startup. If you assigned the new application to users, then the Auto-install this application by the extension activation option on the Deployment tab would become unavailable and the application would install automatically when a user attempted to open a file whose file name extension is associated with the application. Applications cannot be published to computers.

Item: 67 (Ref:Cert-70-640.1.1.5)
You are the network administrator for the Metroil corporation. The company's network contains servers that run Windows Server 2008. A server named SRV1 is configured as a Domain Name System (DNS) server on the network to handle name resolution from users. SRV1 contains a primary zone that holds DNS data for network users.

You notice that the zone has records for computers that were decommissioned weeks ago. You want to immediately remove any stale records from metroil.com. What should you do to start scavenging stale resource records immediately?
- Right-click the DNS server node in the DNS Manager snap-in and click the Set Aging/Scavenging for All Zones option.
- From the command prompt type dnscmd srv1.metroil.com /AgeAllRecords
- Select the Scavenge stale resource records option in the Zone Aging/Scavenging Properties dialog box.
- From the command prompt type dnscmd srv1.metroil.com /StartScavenging

Answer: From the command prompt type dnscmd srv1.metroil.com /StartScavenging

Explanation:
You can start scavenging stale resource records immediately, even if you have not configured the aging and scavenging feature. To do this, you can type dnscmd srv1.metroil.com /StartScavenging. You can also do this from the DNS Manager snap-in by right-clicking the DNS server node in the DNS Manager snap-in and clicking the Scavenge Stale Resource Records option. Aging and scavenging is a feature of DNS that provides a mechanism for performing cleanup and removal of stale records, which can accumulate in zone data over time. Aging and scavenging of stale records are DNS features that are available when you deploy a DNS server with primary zones. Stale records are automatically added to zones when computers start on the network if you have configured dynamic updates. However, in some cases, they are not automatically removed when computers leave the network. When you configure aging and scavenging, DNS servers can determine that records have aged to the point of becoming stale and remove them from the zone data.

You should not right-click the DNS server node in the DNS Manager snap-in and click the Set Aging/Scavenging for All Zones option because this option is used to configure aging and scavenging for all DNS zones on a DNS server. Clicking the Set Aging/Scavenging for All Zones option does not immediately start the scavenging of stale resource records.

You should not type dnscmd srv1.metroil.com /AgeAllRecords from the command prompt. This command is used for backward compatibility with previous releases of DNS in which aging and scavenging are not supported. The /AgeAllRecords switch adds a time stamp with the current time to records that do not have a time stamp. This switch will not force the scavenging of records on a zone.

You should not select the Scavenge stale resource records option in the Zone Aging/Scavenging Properties dialog box. This option is used to configure scavenging settings for a specific DNS zone. Selecting the Scavenge stale resource records option does not immediately start the scavenging of stale resource records.
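A pre-flight check before running the /StartScavenging command from the answer, as an added example that is not part of the original item. It uses the DnsServer PowerShell module (Windows Server 2012 and later; dnscmd is the 2008-era equivalent) and assumes the server and zone names from the question; the intervals and record names it reports are whatever the live server returns.

```powershell
Import-Module DnsServer

function Get-StaleRecordCandidate {
    <#
      Lists the records a scavenging pass would remove from a zone, and warns when the
      prerequisites are missing. Scavenging only deletes dynamically registered records whose
      timestamp is older than NoRefresh + Refresh, and only when aging is enabled on the zone
      and scavenging is enabled on the server; static records (no timestamp) are never touched.
    #>
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Zone
    )

    $serverCfg = Get-DnsServerScavenging -ComputerName $Server
    $zoneCfg   = Get-DnsServerZoneAging  -ComputerName $Server -Name $Zone

    if (-not $serverCfg.ScavengingState) {
        Write-Warning "$Server has scavenging disabled; a forced pass will run but remove nothing."
    }
    if (-not $zoneCfg.AgingEnabled) {
        Write-Warning "Zone $Zone has aging disabled; its records carry no usable timestamps."
    }

    # A record is stale once a full no-refresh + refresh window has passed without a refresh.
    $cutoff = (Get-Date) - ($zoneCfg.NoRefreshInterval + $zoneCfg.RefreshInterval)

    Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, RecordType, Timestamp
}

# Server and zone from the question.
$server = 'srv1.metroil.com'
$zone   = 'metroil.com'

# Review what would go before forcing the pass: an A or SRV record for a domain controller
# that is still online in this list means dynamic updates are broken and need fixing first.
Get-StaleRecordCandidate -Server $server -Zone $zone | Format-Table -AutoSize

# Equivalent of "dnscmd srv1.metroil.com /StartScavenging" from the answer.
Start-DnsServerScavenging -ComputerName $server -Force
```

The pass runs asynchronously; the DNS Server event log records its outcome (event 2501 when records were removed, 2502 when nothing qualified), and Get-DnsServerScavenging shows the LastScavengeTime afterwards.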

Item: 68 (Ref:Cert-70-640.4.6.1)
You are your company's network administrator. Your company's network consists of a single Active Directory domain. All servers run Windows Server 2008, and all client computers run Windows XP Professional and Windows Vista. The company's written security policy stipulates that after three unsuccessful logon attempts that have occurred within one hour, the user's account must be locked out for two hours. You must configure a Group Policy to enforce this requirement. To perform this task, select the appropriate settings in the left pane and place them to the correct locations in the right pane.

This graphic is not available in print format.

Explanation:
If a user attempts to log on with the correct user name but an incorrect password, then the logon fails. After each unsuccessful logon attempt, the lockout counter on the user's account is increased by one. When the user logs on successfully or if within the time period that is specified in the Reset account lockout counter after policy no unsuccessful logon attempts occur on the user's account, the lockout counter is reset to zero. When the lockout counter value becomes equal to the value that is specified in the Account lockout threshold policy, the user's account is locked out for the time period that is specified in the Account lockout duration policy. If the account lockout duration is set to zero, then the account is locked out permanently, and only an administrator can unlock it. In this scenario, you should set the account lockout threshold to three unsuccessful logon attempts that can occur within a 60-minute period. Once this threshold has been reached, the account must be locked out for 120 minutes.
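A compliance check for the three lockout values in this item, plus the lockout events a defender watches once the policy is in force, as an added example that is not part of the original item. It assumes the ActiveDirectory PowerShell module; the threshold, window and duration are the scenario's values.

```powershell
Import-Module ActiveDirectory

function Test-AccountLockoutPolicy {
    <#
      Compares the effective domain lockout policy against the required values.
      The values are read from the domain object, which the PDC emulator populates from
      the Default Domain Policy (Account Policies are honoured only at the domain level).
    #>
    param(
        [int]$Threshold       = 3,    # Account lockout threshold (unsuccessful attempts)
        [int]$WindowMinutes   = 60,   # Reset account lockout counter after
        [int]$DurationMinutes = 120   # Account lockout duration
    )
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        Threshold       = $p.LockoutThreshold
        ThresholdOk     = ($p.LockoutThreshold -eq $Threshold)
        WindowMinutes   = $p.LockoutObservationWindow.TotalMinutes
        WindowOk        = ($p.LockoutObservationWindow.TotalMinutes -eq $WindowMinutes)
        DurationMinutes = $p.LockoutDuration.TotalMinutes
        DurationOk      = ($p.LockoutDuration.TotalMinutes -eq $DurationMinutes)
    }
}

function Get-RecentLockout {
    <#
      Event 4740 (account locked out) is always written on the PDC emulator, whichever DC
      processed the bad passwords, so that is the log to read. Its "Caller Computer Name"
      field names the machine that sent the failed attempts, which separates a user who
      forgot a password from a stale saved credential or a script hammering an account.
    #>
    param([int]$Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, Message
}

Test-AccountLockoutPolicy
Search-ADAccount -LockedOut | Select-Object SamAccountName, DistinguishedName   # locked out right now
Get-RecentLockout -Hours 24 | Format-List
```

With a threshold as low as three, anything that can send bad passwords at an account (a mapped drive holding an old password, a scheduled task, or an attacker) can lock it, so the caller computer in the 4740 event is the first thing to check. Users covered by a fine-grained password policy get that policy's values instead of the domain default; Get-ADUserResultantPasswordPolicy shows which applies to a given account.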

Item: 69 (Ref:Cert-70-640.2.6.3)
You are the network administrator of your company. Your company has a main office and a branch office. The main office network consists of a single Active Directory domain. You want to create a new domain for the branch office in the same forest as the main office domain. Which operations master role must be available in the forest for you to create a new domain for the branch office successfully?


- Schema master
- Domain naming master
- Relative ID (RID) master
- Primary domain controller (PDC) emulator master
- Infrastructure master

Answer: Domain naming master

Explanation:
The domain naming master role must be available in the forest for you to create a new domain. In an Active Directory forest, certain types of operations can be performed only on the domain controllers that are designated as operations masters for those types of operations. There are five operations master roles. The schema master and domain naming master are forest-wide roles; the PDC emulator, RID master, and infrastructure master are domain-wide roles. There can be only one schema master and one domain naming master in each forest.

The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. The infrastructure master is responsible for updating references from local objects to objects in other domains. The PDC emulator appears as a Windows NT primary domain controller to legacy client operating systems, such as Windows NT and Windows 9x/ME. The RID master assigns batches of relative IDs to other domain controllers, which in turn assign those IDs to new security principal objects that are being created in the domain. Each domain-wide role is unique only in each domain.

By default, the first domain controller in a new forest hosts all five operations master roles. The first domain controller in any new domain in a forest, by default, holds the three domain-wide roles for that domain. Subsequently, a forest-wide role can be transferred to another domain controller in the forest, and a domain-wide role can be transferred to another domain controller in the domain. In order for a new domain to be created in a forest, the domain naming master must be available in that forest. In the absence of the domain naming master, you cannot create a new domain, regardless of whether it is a tree-root or a child domain.
The options stating schema master, RID master, PDC emulator master, and infrastructure master are incorrect because the domain controller holding the domain naming master role controls the addition or removal of domains in the forest. Therefore, you cannot create a new domain unless the domain naming master role is available in the forest in which you want to create the new domain.

Item: 70 (Ref:Cert-70-640.2.2.4)
You are a network administrator for your company. The functional level of your corporate Active Directory forest is Windows Server 2003. You have created a shared folder on a file server named Server1 in one of the child domains in your forest. You must give a group of employees in a partner company access to this shared folder. Those users belong to an Active Directory child domain in another forest. You do not want users from the partner company to be able to access any other resources in your forest. Which of the following should you do?
- Create an external trust with domain-wide authentication.
- Create an external trust with selective authentication.
- Create a forest trust with domain-wide authentication.
- Create a forest trust with selective authentication.

Answer: Create an external trust with selective authentication.


Explanation:
An external trust is a one-way or two-way non-transitive trust between a local domain and a domain in another forest or between a local domain and a Windows NT domain. A forest trust is a one-way or two-way transitive trust between two forests whose functional level is Windows Server 2003. In this scenario, you must enable users from a single domain in another forest to access a resource in one domain in your forest. Therefore, you should create an outgoing external trust from the domain where the file server is located to the partner's domain where users require access to a resource in your forest. With the external trust, users from the partner's domain will authenticate directly to your resource domain. If you created a forest trust, then the authentication path would involve all parent domains of your resource domain and all parent domains of the partner's user account domain, which would cause the authentication process to take more time. A forest trust would be appropriate if users from multiple domains in one forest required access to resources in multiple domains in another forest. Additionally, the scenario does not stipulate that the functional level of the partner's forest is Windows Server 2003.

With outgoing forest and external trusts, you can specify either selective or domain-wide authentication. Domain-wide authentication provides users from a trusted domain the same level of access to local resources that is provided to users from the local forest. Selective authentication allows users from a trusted domain to authenticate only to those resources to which they are explicitly allowed to authenticate. For example, in this scenario, you should configure selective authentication on the trust and assign the Domain Users group from the trusted domain the Allow - Allowed to Authenticate permission for the Server1 computer object in Active Directory in your trusting domain.
You should also configure the appropriate share and NTFS permissions for the shared folder on Server1 that those users need to access. Users from the partner's domain will then be able to access shared resources only on Server1. They will not be able to access resources on any other computers in the trusting domain, even if share and NTFS permissions for those resources allow access to everyone. If you configured domain-wide authentication on the trust, then users from the trusted domain would be able to access any resources on any computers in the trusting domain for which the Authenticated Users or Everyone group is assigned sufficient permissions.
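The trust from the answer, created and scoped from the command line, as an added example that is not part of the original item. It assumes names the question does not give: a resource domain child.corp.com (the child domain holding Server1), a partner domain partner.com, and a placeholder partner-side account; netdom, dsacls and the ActiveDirectory module are standard Windows tools.

```powershell
# Placeholder names: the scenario names only Server1, not the two domains.
$trustingDomain = 'child.corp.com'      # our child domain, where Server1 lives (trusting side)
$trustedDomain  = 'partner.com'         # partner domain whose users need Server1 (trusted side)
$partnerAdmin   = 'PARTNER\TrustAdmin'  # placeholder account with rights in the partner domain

# 1. One-way, non-transitive external trust: our domain trusts the partner domain.
#    /UserD and /PasswordD authenticate to the trusted (partner) domain; "*" prompts for the password.
netdom trust $trustingDomain "/d:$trustedDomain" /add "/UserD:$partnerAdmin" "/PasswordD:*"

# 2. Switch the incoming authentication to selective. Until this is set, trusted users are
#    treated like Authenticated Users on every computer in the trusting domain.
netdom trust $trustingDomain "/d:$trustedDomain" /SelectiveAuth:yes

# 3. Grant "Allowed to Authenticate" on the Server1 computer object only. With selective
#    authentication a trusted user cannot reach a computer without this right, whatever
#    its share and NTFS ACLs say, which is what confines the partner to Server1.
Import-Module ActiveDirectory
$server1Dn = (Get-ADComputer -Identity 'Server1' -Server $trustingDomain).DistinguishedName
dsacls $server1Dn /G "PARTNER\Domain Users:CA;Allowed to Authenticate"

# 4. Verify the trust and the ACE.
netdom trust $trustingDomain "/d:$trustedDomain" /verify
dsacls $server1Dn | Select-String 'Allowed to Authenticate'
```

The dsacls call is the command-line form of the Allow - Allowed to Authenticate permission that the explanation has you set on Server1's computer object in Active Directory Users and Computers. It only lets the partner users authenticate to Server1; the share and NTFS permissions on the folder still decide what they can open once there.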

Item: 71 (Ref:Cert-70-640.4.2.1)
Your corporate network consists of a single Active Directory domain. Your company has recently acquired another company. You have created several hundred user accounts for the new employees in the Users container in Active Directory. Now, you must move each user account to the organizational unit (OU) that corresponds to the user's department. You request that the Human Resources department provide you with information about the department affiliations of the new employees. The Human Resources department maintains employee data in a custom application. A Human Resources employee exports the requested information from that application to a text file in a comma-separated values (CSV) format. The file contains each employee's first and last names, department affiliation, and phone number. Every month, the Human Resources department will provide you with a CSV file in the same format that includes updates to employee department affiliations. You must update the users' Department attribute in Active Directory, and you must move the appropriate users to the appropriate OUs. You must accomplish these tasks by using the least administrative effort. Which of the following should you do?
- In Active Directory Users and Computers, create a custom filter that returns the user accounts of employees from a specified department, select those user objects, and drag them and drop them into the appropriate OU.
- Create a script that will read the CSV files and use ADSI to update Active Directory.
- Create LDAP queries that will return the user accounts of employees from each department and save those queries. In Active Directory Users and Computers, select the user accounts that are returned by each saved query, and drag them and drop them into the appropriate OUs.
- Create a Group Policy that will automatically move users to the appropriate OUs based on the contents of a specified CSV file.

Answer: Create a script that will read the CSV files and use ADSI to update Active Directory.

Explanation:
Active Directory Service Interfaces (ADSI) is a set of programming interfaces that can be used to manipulate data programmatically in Active Directory. To accomplish the tasks in this scenario, you can create a VBScript or JScript script that will parse the data from the CSV files provided by the Human Resources department, identify the user objects in Active Directory that correspond to the employees referenced in those files, update the appropriate attributes of those user objects in Active Directory, and move those user objects to the appropriate OUs. Please note that the location of a user object in a specific OU is defined by the user object's distinguished name, not by the value of the user object's Department attribute. Alternatively, you can use Active Directory Users and Computers to perform the required tasks manually, which would require substantially more effort than creating a script once and running it every month.

You should not create a custom filter that returns the user accounts of employees from a specified department, select those user objects, and drag them and drop them into the appropriate OU, because an LDAP filter or a saved query would return the user objects of employees from a specific department based on their currently registered department affiliations. Similarly, you should not create LDAP queries that will return the user accounts of employees from each department and save those queries, select the user accounts that are returned by each saved query, and drag them and drop them into the appropriate OUs, for the same reason. In this scenario, you are required to move user objects to the appropriate OUs based on their new department affiliations, which are specified in the CSV files provided by the Human Resources department.

Group Policies cannot be used to automatically update user objects based on the information in a CSV file. Therefore, you should not create a Group Policy that will automatically move users to the appropriate OUs based on the contents of a specified CSV file.
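The script the answer calls for, written in PowerShell with the ActiveDirectory module rather than VBScript/ADSI, as an added example that is not part of the original item. The CSV rows are constructed to match the column set the question describes (first name, last name, department, phone); the OU naming convention (one OU per department name directly under the domain) and the function name are assumptions.

```powershell
Import-Module ActiveDirectory

function Update-DepartmentFromCsv {
    <#
      Reads the HR export, sets each matching user's Department and phone, and moves the
      account into the OU named after the department. Supports -WhatIf, which is the right
      way to run it against a new monthly file before committing anything.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][object[]]$Rows,   # objects with FirstName, LastName, Department, Phone
        [string]$DomainDn = (Get-ADDomain).DistinguishedName
    )
    foreach ($row in $Rows) {
        # Escape single quotes so a surname like O'Brien cannot break (or alter) the filter.
        $given   = $row.FirstName -replace "'", "''"
        $surname = $row.LastName  -replace "'", "''"
        $users = @(Get-ADUser -Filter "GivenName -eq '$given' -and Surname -eq '$surname'" -Properties Department)

        # A name is not a key: skip anything that does not match exactly one account and report it,
        # rather than moving the wrong person.
        if ($users.Count -ne 1) {
            Write-Warning "$($row.FirstName) $($row.LastName): $($users.Count) matches, skipped (ask HR for an employeeID column)"
            continue
        }
        $user = $users[0]

        $targetOu = "OU=$($row.Department),$DomainDn"
        if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$targetOu'")) {
            Write-Warning "$($user.SamAccountName): OU $targetOu does not exist, skipped"
            continue
        }

        if ($user.Department -ne $row.Department -or $user.DistinguishedName -notlike "*,$targetOu") {
            Set-ADUser -Identity $user -Department $row.Department -OfficePhone $row.Phone
            # The OU membership is the object's location (its DN), not the Department attribute,
            # so the move is a separate operation from the attribute update.
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $targetOu
            Write-Verbose "$($user.SamAccountName) -> $targetOu"
        }
    }
}

# Constructed sample of the HR export; in production: $rows = Import-Csv .\hr-updates.csv
$rows = @'
FirstName,LastName,Department,Phone
Alice,Nguyen,Sales,555-0101
Bob,O'Brien,Marketing,555-0102
'@ | ConvertFrom-Csv

Update-DepartmentFromCsv -Rows $rows -WhatIf -Verbose   # dry run: shows the Set/Move that would happen
# Update-DepartmentFromCsv -Rows $rows -Verbose         # commit
```

Two things the monthly run depends on: the HR file is treated as untrusted input (its values only ever appear inside escaped filter strings, never in a DN that is created), and ambiguous matches are refused rather than guessed, so a duplicate name in the company cannot silently relocate the wrong account.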

Item: 72 (Ref:Cert-70-640.2.4.16)
You are the systems administrator of Verigon Corporation. The company has a main office and ten branch offices. Each office has its own Active Directory site in a single forest. A domain controller running Windows Server 2008 in each site contains user accounts in an Organizational Unit (OU) for that site. An administrator from one of the branch offices reports that the OU containing the branch office user accounts has been accidentally deleted. You perform an authoritative restore of the OU. Next, you want to synchronize replication with all replication partners to ensure that the restored OU is replicated to all domain controllers in the forest. Which command should you run?
- Run the Repadmin /syncall command with the /e parameter.
- Run the Repadmin /syncall command with the /d parameter.
- Run the Repadmin /syncall command with the /A parameter.
- Run the Repadmin /syncall command with the /P parameter.

Answer: Run the Repadmin /syncall command with the /e parameter.

Explanation:
You should run the Repadmin /syncall command with the /e parameter. An authoritative restore process returns a designated object, or container of objects, to its state at the time of the backup. When you restore a domain controller from backup, the normal or nonauthoritative restore process will not restore the deleted OU, because after the restore process, the restored domain controller is updated to the current status of its replication partners, which deleted the OU. Therefore, recovering the deleted OU requires an authoritative restore. An authoritative restore marks the OU as authoritative and causes the replication process to restore it to all domain controllers in the domain.

To perform an authoritative restore of AD DS, you must complete a nonauthoritative restore and ensure that replication does not occur after the nonauthoritative restore. To prevent replication from occurring after the nonauthoritative restore, and to perform the authoritative restore portion of the operation, you must restart the domain controller in Directory Services Restore Mode or disconnect the network cable, and perform the authoritative restore at the domain controller that you are restoring. After performing the authoritative restore of AD DS, you should start the domain controller normally and synchronize replication with all replication partners. To synchronize replication, run the Repadmin /syncall DCName command, where DCName is the Domain Name System (DNS) name of the domain controller on which you want to synchronize replication with all partners. The /e parameter ensures that replication partners in all sites are included in the replication synchronization.

You should not run the Repadmin /syncall command with the /d parameter. The /d parameter is used to identify servers by distinguished name in messages. Using the /d parameter in the Repadmin /syncall command will not ensure that the restored OU is replicated to all domain controllers in the forest.
You should not run the Repadmin /syncall command with the /A parameter. The /A parameter specifies that all directory partitions that are held on the home server should be synchronized. Using the /A parameter in the Repadmin /syncall command will not ensure that the restored OU is replicated to all domain controllers in the forest.

You should not run the Repadmin /syncall command with the /P parameter. The /P parameter is used to push changes outward from the home server. Using the /P parameter in the Repadmin /syncall command will not ensure that the restored OU is replicated to all domain controllers in the forest.
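The post-restore synchronization from the answer together with the verification a practitioner runs afterwards, as an added example that is not part of the original item. It assumes a restored domain controller DC1.verigon.com and an OU distinguished name, neither of which the question gives; repadmin, ntdsutil and the ActiveDirectory module are standard.

```powershell
Import-Module ActiveDirectory

# Placeholders: the scenario does not name the restored DC or the OU.
$restoredDc = 'DC1.verigon.com'
$ouDn       = 'OU=Branch5,DC=verigon,DC=com'

# Step 1 (done earlier, in Directory Services Restore Mode, after the nonauthoritative restore):
#   ntdsutil "authoritative restore" "restore subtree $ouDn" quit quit
# That marks the OU and its children authoritative so partners accept them instead of re-deleting them.

# Step 2: after the normal reboot, synchronize with every partner. /e crosses site boundaries;
# without it only partners in the restored DC's own site take part. The /A and /P switches
# the explanation describes can be combined with it (e.g. /APe) to cover every partition DC1
# holds and to push outward from DC1 as well.
repadmin /syncall $restoredDc /e

# Step 3: check that no partner is failing and that replication has converged.
repadmin /replsummary
repadmin /showrepl $restoredDc

function Test-ObjectOnAllDcs {
    # Confirms the restored OU is visible on every DC in the domain (one row per DC).
    param([Parameter(Mandatory)][string]$DistinguishedName)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $found = Get-ADObject -Filter "DistinguishedName -eq '$DistinguishedName'" -Server $dc.HostName
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; Present = ($null -ne $found) }
    }
}
Test-ObjectOnAllDcs -DistinguishedName $ouDn | Format-Table -AutoSize
```

A DC that still reports Present = False after the synchronization, or that shows failures in /replsummary, is the one to examine with repadmin /showrepl before assuming the branch accounts are back everywhere.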

Item: 73 (Ref:Cert-70-640.2.3.2)
Your corporate network currently consists of a single Active Directory domain and a single site. Your company opens a new branch office to expand its business operations. In the central office, you install a domain controller named DC1 in a new domain and deploy Windows XP Professional on new client computers that will be used in the branch office. The central office and the branch office are connected by a dedicated WAN link. You create a new Active Directory site named Site2. When DC1 and the new client computers are delivered to the branch office, you want to configure them to belong to Site2. Which of the following should you do? (Choose two. Each correct answer is part of the complete solution.)
- Move the DC1 server object to Site2.
- Move the computer objects for the new client computers to Site2.
- Create a subnet object in Site2 and assign DC1 an IP address from the range of that subnet.
- Create a subnet object in Site2 and assign the new client computers IP addresses from the range of that subnet.
- In a GPO linked to the new domain, configure a policy that assigns the new client computers to Site2.
- In a GPO linked to the Domain Controllers organizational unit, configure a policy that assigns DC1 to Site2.

Answer: Move the DC1 server object to Site2. Create a subnet object in Site2 and assign the new client computers IP addresses from the range of that subnet.

Explanation:
To assign a domain controller to a specific Active Directory site, the server object that represents that domain controller must be moved to the Servers container in the appropriate site. To move DC1 to Site2 in this scenario, you should use Active Directory Sites and Services to move the DC1 server object to the Servers container that is a child of the Site2 container. Client computers and member servers are not assigned to sites explicitly. Their site affiliations are determined automatically from the IP addresses assigned to those computers. In this scenario, you should use Active Directory Sites and Services to create a new subnet object in Site2 and specify an IP address for that subnet. When the new client computers are physically connected to the network in the branch office, you should assign them IP addresses that belong to the new subnet. Site affiliations cannot be configured in Group Policy objects (GPOs).
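The two site assignments from the answer, scripted with the ActiveDirectory module (Windows Server 2012 or later RSAT), as an added example that is not part of the original item. The branch subnet 10.20.0.0/24 is constructed; the site and domain controller names come from the question.

```powershell
Import-Module ActiveDirectory

$siteName  = 'Site2'
$branchNet = '10.20.0.0/24'   # constructed: the address range the branch office will use
$dcName    = 'DC1'

# Site2 already exists in the scenario; create it only if it does not.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName
}

# 1. Client computers are never assigned to a site directly: the site is derived from the
#    subnet object their IP address falls in, so the subnet object is what places them in Site2.
New-ADReplicationSubnet -Name $branchNet -Site $siteName -Description 'Branch office LAN'

# 2. Domain controllers are assigned explicitly: move DC1's server object under Site2.
Move-ADDirectoryServer -Identity $dcName -Site $siteName

function Get-SiteAssignment {
    # Shows which subnets map to a site and which DCs sit in it, for verification.
    param([Parameter(Mandatory)][string]$Site)
    $siteDn = (Get-ADReplicationSite -Identity $Site).DistinguishedName
    [pscustomobject]@{
        Site    = $Site
        Subnets = (Get-ADReplicationSubnet -Filter * | Where-Object Site -eq $siteDn).Name
        DCs     = (Get-ADDomainController -Filter * | Where-Object Site -eq $Site).HostName
    }
}
Get-SiteAssignment -Site $siteName

# On a branch client, once it has an address in 10.20.0.0/24, "nltest /dsgetsite" should print Site2.
# Clients whose address matches no subnet object show up as NETLOGON event 5807 on the DC that
# served them, which is the quickest way to spot a missing subnet object.
```

Moving the server object changes only DC1's site membership; for the branch to replicate, Site2 must also belong to a site link, which the scenario treats as already in place.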

Item: 74 (Ref:Cert-70-640.4.7.8)
You are the network administrator for a pharmaceutical company. The network is configured with one Windows Server 2008 server. The network also contains 200 Windows Vista client computers installed in various departments. The client computers in each department are located in a separate organizational unit (OU). You install new software on all computers in the sales department in an OU named Sales. Three users from the same department now report that their computers restart every five minutes. You want to enable a Group Policy Object (GPO) policy to identify the cause of the problem. What should you do?


- Implement the Audit logon events policy and link the GPO to the Sales OU.
- Implement the Audit system events policy and link the GPO to the Sales OU.
- Implement the Audit account logon events policy and link the GPO to the Sales OU.
- Implement the Audit process tracking policy and link the GPO to the Sales OU.

Answer: Implement the Audit system events policy and link GPO to the Sales OU.

Explanation:
You should implement the Audit system events policy and link the GPO to the Sales OU to identify the cause of the problem in this scenario. By enabling the Audit system events policy, you can audit events related to a computer restart or shutdown. This setting is not enabled for any operating system except for Windows Server 2003 or Windows Server 2008 domain controllers, which are configured to audit successes of these events. It is considered a best practice to configure this level of auditing for all computers on the network. You can configure the Audit system events policy in GPO settings. To access Group Policy and configure the Audit system events policy, perform the following steps:
1. Click Start, type gpedit.msc in the Run dialog box, and press the Enter key. This will open the Group Policy window.
2. Under the Group Policy menu, scroll down to the following node: Computer Configuration\Security Settings\Local Policies\Audit Policy.
3. In the right pane, right-click Audit system events and click Properties.
4. In the Properties window, you can configure Success or Failure audit events.
5. Once you configure the audit policy, you can link the GPO to the appropriate OU.

You should not implement the Audit logon events policy and link the GPO to the Sales OU to identify the cause of the problem in this scenario. An Audit logon events policy will audit events related to a user logging on to, logging off from, or making a network connection to the computer configured to audit logon events. This audit policy will not audit a computer that keeps restarting or shutting down.

You should not implement the Audit account logon events policy and link the GPO to the Sales OU to identify the cause of the problem in this scenario. By enabling the Audit account logon events policy, you can audit each time a user is logging on or off from another computer in which the computer performing the auditing is used to validate the account. This audit policy will not audit a computer that keeps restarting or shutting down. You should not implement the Audit process tracking policy and link the GPO to the Sales OU to identify the cause of the problem in this scenario. An Audit process tracking policy will audit events related to processes on the computer, such as program activation, process exit, handle duplication, and indirect object access. This audit policy will not audit a computer that keeps restarting or shutting down.
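How the policy from the answer translates to the local audit subsystem, and the events a defender reads to find what is restarting the three Sales computers, as an added example that is not part of the original item. The computer names are placeholders; auditpol and Get-WinEvent are standard Windows tools.

```powershell
# Local equivalent of the GPO setting "Audit system events" (the GPO, once linked to the Sales
# OU, sets the same thing on every computer in that OU). Shown here so the result can be checked.
auditpol /set /category:"System" /success:enable /failure:enable
auditpol /get /category:"System"

function Get-RestartCause {
    <#
      Pulls the events that explain a restart from one computer:
        System 1074        - a process requested shutdown/restart; the message names the process and account
        System 6008        - the previous shutdown was unexpected (crash or power loss)
        System 41          - Kernel-Power: the machine rebooted without a clean shutdown
        Security 4608/4609 - Windows starting up / shutting down (these need "Audit system events")
    #>
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Hours = 2
    )
    $since = (Get-Date).AddHours(-$Hours)
    $system = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Id = 1074, 6008, 41; StartTime = $since }
    $security = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4608, 4609; StartTime = $since }

    @($system) + @($security) | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } }   # first line of a 1074 names the process
}

# Placeholder names for the three Sales computers from the scenario.
foreach ($pc in 'SALES-PC01', 'SALES-PC02', 'SALES-PC03') {
    Get-RestartCause -ComputerName $pc -Hours 2 | Format-Table -AutoSize
}
```

Event 1074 is the one that answers the question: a restart every five minutes driven by a process shows up as a 1074 naming that process (for example an installer's pending-reboot request) and the account it ran under. The Security-log events enabled by the audit policy confirm when the computer went down and came back, which fixes the timeline that the 1074 entries are matched against. Reading another computer's Security log remotely requires local administrator rights on it.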

Item: 75 (Ref:Cert-70-640.3.2.4)
You are the administrator of your company. Your company's network has a single forest with one Active Directory domain. All the domain controllers run Windows Server 2008. Your account is a member of the Domain Admins group. You attempt to install Active Directory Rights Management Services (AD RMS) for the first time. You receive the following error: "Event ID 190 AD RMS Service Connection Point Registration" What could have caused the error?
You are not a member of the Schema Admins group, or have not been delegated the appropriate permissions to the schema.
You are not a member of the local AD RMS Enterprise Administrators group, or have not been delegated the appropriate permissions.

Copyright 2009 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.

Page 78 of 173

You are not a member of the Windows Authorization Access group.
An AD RMS SCP already exists in the forest.

Answer: You are not a member of the local AD RMS Enterprise Administrators group, or have not been delegated the appropriate permissions.

Explanation:
You need to be a member of the local AD RMS Enterprise Administrators group and a member of the Enterprise Admins group to install AD RMS. AD RMS clients use a service connection point (SCP) to automatically discover the AD RMS cluster. The error message means that the AD RMS installation failed to register the AD RMS SCP in Active Directory Domain Services (AD DS). After the installation, you can register the SCP by using the AD RMS console if your user account is a member of the local AD RMS Enterprise Administrators group and the AD DS Enterprise Admins group. In this scenario, the user installing AD RMS does not have the appropriate permissions.

You do not have to be a member of the Schema Admins group or have been delegated the appropriate permissions to the schema, nor do you have to be a member of the Windows Authorization Access group. Members of the Schema Admins group have the ability to edit the Active Directory schema. Members of the Windows Authorization Access group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects. Neither group will allow you to register an SCP. To register an SCP by using the AD RMS console, the user account must be a member of the local AD RMS Enterprise Administrators group and the AD DS Enterprise Admins group.

The error was not caused by a pre-existing AD RMS SCP in the forest. This is the first time that you have installed AD RMS. There should not be an SCP already in existence, since AD RMS has not been installed.

Item: 76 (Ref:Cert-70-640.4.4.8)
You are the network administrator for the Nutex Company, a women's shoe manufacturer. Your company's network has a single domain. All domain controllers use Windows Server 2008. The forest functional level and the domain functional level are set at Windows Server 2003. You have Group Policy Objects (GPOs) deployed in your domain that set the login and desktop environment for users in that domain. Your company purchases a company that makes shoes for men. The new company's network also has a single domain. Its domain controllers are a mixture of Windows Server 2008 and Windows Server 2003. There are no plans to integrate the two companies' Active Directory domain structures. However, you want to use the GPOs deployed in your network in the new company's network. How should you do this?
At a domain controller for Nutex, use gpresult to export the appropriate GPOs to a file. At the domain controller at the new company, use gpresult to import the GPO to the appropriate container.
At a domain controller for Nutex, use gpupdate to export the appropriate GPOs to a file. At the domain controller at the new company, use gpupdate to import the GPO to the appropriate container.
At a domain controller for Nutex, use the Group Policy Management Console (GPMC) to back up the appropriate GPO. At a domain controller at the new company, use the GPMC to import the GPO to the appropriate container.
Create a two-way forest trust between the root domains. At a domain controller for Nutex, use gpupdate to export the appropriate GPOs to a file. At the domain controller at the new company, use gpupdate to import the GPO to the appropriate container.

Answer: At a domain controller for Nutex, use the Group Policy Management Console (GPMC) to back up the appropriate GPO. At a domain controller at the new company, use the GPMC to import the GPO to the appropriate container.

Explanation:
You should use the Group Policy Management Console (GPMC) to back up the appropriate GPO in the Nutex domain. You should use the GPMC to import the GPO to the appropriate container on a domain controller in the new forest. You can export the settings of a GPO by using the backup function of the GPMC. You can import the settings into a new domain by using the import function. The import operation transfers settings from the backup GPO into a new GPO in the new domain. You do not need a cross-domain or cross-forest trust relationship. You do need access to the file system where the backup of the GPO resides. The backup and import operations are ideally suited for copying GPOs that you created in a test environment into a production environment.

You cannot use gpresult or gpupdate to import or export GPOs from one domain to another. The gpresult utility is used to display which GPOs have been applied to a user or computer. The gpupdate utility is used to force the application of a GPO on a user or computer.

You can back up a GPO using the GPMC by following these steps:

1. Highlight the GPO that you want to back up.
2. Right-click the GPO and choose Back Up.
3. Specify the backup location and choose Back Up.

You can import a GPO using the GPMC by following these steps:

1. Highlight the GPO into which you want to import the settings from the backup of the original GPO.
2. Right-click and choose Import Settings.
3. The Import Wizard will prompt you for the location of the backup copy. Choose the GPO that you want to import.

Item: 77 (Ref:Cert-70-640.2.4.18)
You are the network administrator for your company. The company has a main office and a branch office. All servers on the network run Windows Server 2008. You install a domain controller named DCMain in the main office and a domain controller named DCBranch in the branch office. You configure each office to have its own Active Directory site. You want to configure Active Directory replication between both the offices. Which tool or tools can you use to configure Active Directory replication between DCMain and DCBranch? (Choose all that apply. Each correct answer is a complete solution.)

Active Directory Sites and Services
Active Directory Domains and Trusts
Repadmin.exe
Ldp.exe
Wbadmin.exe
Ntdsutil.exe

Answer: Active Directory Sites and Services; Repadmin.exe

Explanation:
You can use the Active Directory Sites and Services snap-in or the Repadmin.exe tool to configure Active Directory replication. The Active Directory Sites and Services snap-in runs on domain controllers and is installed automatically when you install Active Directory. The Active Directory Sites and Services snap-in provides a view into the Sites container of the configuration directory partition and can be used to manage the Active Directory replication topology. Repadmin.exe is a command-line tool that can be used to view the replication information on domain controllers. By using the Repadmin.exe tool, you can determine the last successful replication of all directory partitions, identify inbound and outbound replication partners, identify the current bridgehead servers, view object metadata, and generally manage the Active Directory replication topology for both AD DS and AD LDS replication. You can also use the Repadmin.exe tool to force replication of an entire directory partition or a single object, and to list the domain controllers in a site.

You cannot use Ntdsutil.exe to configure Active Directory replication. Ntdsutil.exe can be used to perform Active Directory database maintenance, manage and control single-master operations, and remove replication metadata left behind by domain controllers that are removed from the network without uninstalling Active Directory.

You cannot use Active Directory Domains and Trusts, Ldp.exe, or Wbadmin.exe to configure Active Directory replication. Active Directory Domains and Trusts is a Microsoft Management Console (MMC) snap-in that can be used to create and manage trusts between domains and sites. Wbadmin.exe is a command-line tool that allows you to back up and restore your computer, volumes, and files from a command prompt. The Ldp.exe tool is a Lightweight Directory Access Protocol (LDAP) tool that can be used to view and modify Active Directory Lightweight Directory Services (AD LDS) data.

Item: 78 (Ref:Cert-70-640.6.1.2)
You are the network administrator for a company that makes golf trophies and awards. Your network has a single domain with several locations configured as Active Directory sites. All domain controllers run Windows Server 2008 and the functional level of the domain is Windows Server 2008. User accounts are distributed to different Organizational Units that are based on departments. All domain controllers are placed in the Domain Controllers OU. All servers are placed in the Servers OU. You create a public key infrastructure by installing a root Certification Authority (CA). You create a subordinate enterprise CA to issue certificates to users and computers. You take the root CA offline. You create a certificate template on the CA to issue user certificates. (Click the Exhibit(s) button to view the configuration of the CA.) What must you do to ensure user certificates are automatically issued to domain users when they log in?
Install a certification authority Web enrollment agent.
Create a group policy that can distribute certificates to users and link the GPO to the domain.
Create a group policy that can then distribute certificates to users and link the GPO to the Servers OU.
Change the settings on the Request Handling tab of the CA.


Answer: Create a group policy that can distribute certificates to users and link the GPO to the domain.

Exhibit: 70-640.6.1c

Exhibit: 70-640.6.1b

Explanation:
You should create a group policy that can distribute certificates to users and link the GPO at the domain. You can configure autoenrollment of certificates for domain users or computers through group policy. You must have a subordinate enterprise CA to issue the certificates to the users or computers, and the CA must be able to check Active Directory to validate the user or computer. You cannot use a standalone CA to issue certificates for autoenrollment. In this scenario you have added the certificate template to the Certification Authority server and the user's computer is a member of the domain. The autoenrollment process is normally triggered by the Winlogon process. The autoenrollment process is activated and managed by a domain-based Group Policy. Both machine-based and user-based Group Policy can activate autoenrollment for machines and users.

To automatically issue user certificates, you must edit the group policy object (GPO). Go to User Configuration\Security Settings\Public Key Policies. Highlight and edit the Certificate Services Client - Auto-Enrollment option. To automatically issue computer certificates, you must edit the GPO. Go to Computer Configuration\Security Settings\Public Key Policies. Highlight and edit the Certificate Services Client - Auto-Enrollment option.

You should not link the GPO that distributes certificates to users to the Servers OU. In this scenario, you want the users in the domain to automatically receive certificates. If you link the GPO to the Servers OU, only user accounts in and beneath the Servers OU will receive certificates. You should link the GPO to the domain to ensure that all users in the domain receive certificates.

You do not have to install a certification authority Web enrollment agent. This service allows users to request certificates over HTTP by using a browser. This agent is helpful when you have computers that are not members of the domain, such as Unix computers, that need to request certificates.

You should not change the settings on the Request Handling tab of the CA. The current settings are configured to follow the settings in the certificate template. The template will determine whether the user or computer should receive a certificate. If you change the setting to Set the certificate status to pending, then the administrator will have to decide whether each user and computer receives a certificate. The scenario requires that the user certificates be distributed automatically.

You can use the Group Policy Management Console (GPMC) to edit a group policy. If you want the autoenrollment to apply to the entire domain, do the following:

1. Select the Default Domain Policy and click Edit.
2. Under the User Configuration container, expand the Windows Settings folder.
3. Expand the Security Settings folder and then click to select the Public Key Policies folder.
4. Right-click the Autoenrollment Settings object and select Properties.
5. Check the Renew Expired Certificates, Update Pending Certificates, and Remove Revoked Certificates options, as well as the Update Certificates That Use Certificate Templates option.
6. Click OK.

Item: 79 (Ref:Cert-70-640.3.2.6)
You are a network administrator for your company. The company has one main office and two branch offices. The servers at the main office run Windows Server 2008 at the Windows Server 2003 functional level and all servers at the branch office network are running Windows Server 2003. The client computers in the main office run Windows XP Professional, and client computers in branch offices run Windows Vista. You deploy Active Directory Rights Management Services (AD RMS) in the main office. However, you notice that the client computers in the main office are unable to protect their documents using the AD RMS service. What should you do to fix the problem with minimal administrative efforts?
Upgrade all computers to Windows Vista.
Raise the functional level to Windows Server 2008.
Download and install the RMS client on all XP client computers.
Flush the RMS Message Queuing queue.

Answer: Download and install the RMS client on all XP client computers.

Explanation:
You should download and install the RMS client on all client computers running Windows XP to achieve the objective in this scenario. Windows Vista includes the RMS client by default. Operating systems released before Windows Vista and Windows Server 2008 do not have the RMS client installed. To use the AD RMS service on a Windows XP computer, you must download and install the RMS client from the Microsoft Download Center (Microsoft Windows RMS with Service Pack 2 (SP2)). With AD RMS, you can protect documents for AD RMS-enabled applications by granting appropriate user rights and permissions to the documents, such as copy, edit, view, and print. To install AD RMS in Windows Server 2008, follow these steps:

1. Click Start, click Administrative Tools, and click Server Manager.
2. In the Server Manager window, click Add Roles.
3. Highlight AD RMS and click Next.

You should not upgrade all computers to Windows Vista to achieve the objective in this scenario. Upgrading all client computers to Windows Vista will make the AD RMS services available; however, it will entail more administrative effort than installing the RMS client and will cost additional money. Hence, upgrading all computers to Windows Vista is not the right choice in this scenario.

You should not raise the functional level to Windows Server 2008 to achieve the objective in this scenario. All servers in this scenario are using Windows Server 2003 as the functional level, which is enough to deploy AD RMS in your company's network.


You should not flush the RMS Message Queuing queue to achieve the objective in this scenario. You should flush the RMS Message Queuing queue when you want to ensure that all messages are written to the RMS logging database when you are upgrading from RMS to AD RMS.

Item: 80 (Ref:Cert-70-640.4.3.8)
You are a network administrator for your company. Your corporate network consists of a single Active Directory domain. Click the Exhibit(s) button to view the organizational unit (OU) structure of the domain. The user accounts of all network administrators belong to the NetAdmins OU. The user accounts of all Help Desk personnel belong to a security group named Help Desk. The Help Desk personnel should be allowed to reset the passwords of all users, except network administrators. You must delegate only the appropriate level of authority to the Help Desk group; you should not assign them excessive privileges. Your actions should not affect any existing permissions and privileges for any users. Which of the following should you do?
Disable permission inheritance and remove the existing permissions for the Personnel OU; then assign the Help Desk group the permission to reset the users' passwords for the Personnel OU.
Assign the Help Desk group the permissions to manage user accounts for the Managers and Employees OUs.
Disable permission inheritance and copy the existing permissions for the NetAdmins OU; then assign the Help Desk group the permission to reset the users' passwords for the Personnel OU.
Create a GPO that assigns the Generate security audits user right to the Help Desk group and link the GPO to the Personnel OU. Place the Help Desk group into the NetAdmins OU, and enable Block Policy inheritance for the NetAdmins OU.

Answer: Disable permission inheritance and copy the existing permissions for the NetAdmins OU; then assign the Help Desk group the permission to reset the users' passwords for the Personnel OU.

Explanation:
By default, permissions are propagated from parent OUs to all of their child OUs. To prevent the Help Desk personnel from being able to reset passwords on network administrators' accounts, you should first disable permission inheritance for the NetAdmins OU. On the Security tab of the Properties sheet for the NetAdmins OU, you should click Advanced. On the Permissions tab of the Advanced Security Settings for NetAdmins sheet, disable Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here. You will then be prompted to copy or remove the permissions that the NetAdmins OU inherited from its parent. You should click Copy to preserve all of the permissions for the NetAdmins OU that are currently in effect.

Next, you should assign the Help Desk group the permission to reset user passwords for the Personnel OU. To accomplish this task, you can run the Delegation of Control Wizard on the Personnel OU, add the Help Desk group to the list of the users to whom you want to delegate control of the OU, and select the Reset user passwords and force password change at next logon task. Alternatively, you can assign the Help Desk group the Allow - Reset Password permission for the Personnel OU and specify that the permission apply to user objects. The permission will apply to all user objects in the Managers and Employees OUs and will not apply to the user objects in the NetAdmins OU.

If you assigned the Help Desk group the permission to reset the users' passwords for the Personnel OU without first protecting the NetAdmins OU, then the Help Desk personnel would be able to reset the passwords of all users, including network administrators. Additionally, by removing inherited permissions for the Personnel OU, you would change some of the existing permissions and privileges of some of the network administrators.

If you assigned the Help Desk group the permission to manage user accounts for the Managers and Employees OUs, then the Help Desk personnel would have excessive privileges; in particular, they would be able to create, delete, and fully manage user accounts in these OUs.

You should not create a GPO that assigns the Generate security audits user right to the Help Desk group and link the GPO to the Personnel OU, place the Help Desk group into the NetAdmins OU, and enable Block Policy inheritance for the NetAdmins OU. These actions are not feasible and are irrelevant to this scenario.

Item: 81 (Ref:Cert-70-640.3.3.8)
You are the systems administrator for your company. The company's network consists of a single Active Directory forest. The company has a main office and two branch offices, named Branch1 and Branch2. Each office has its own Active Directory domain. Both branch offices contain a read-only domain controller (RODC). You configure the RODCs to cache user passwords. You suspect that the security of the RODC in Branch1 has been compromised. To prevent misuse of domain users' credentials, you want to reset the current credentials that are cached on the RODC in Branch1. Which is the minimum group membership that you will require to be able to reset the current cached credentials on the RODC?
Enterprise Admins
Schema Admins
Domain Admins
Local Administrators group on RODC

Answer: Domain Admins

Explanation:
You will require membership in the Domain Admins group to reset the current cached credentials on the RODC in Branch1. Credential caching is the storage of user or computer credentials. You can configure the Password Replication Policy on a writable domain controller to specify whether an RODC should be allowed to cache a password. Password caching enables an RODC to directly service a user's logon request if the user's credentials are cached on the RODC. When you suspect that the security of an RODC has been compromised, or if the RODC has been stolen, you can reset the password for all user accounts that are cached on that RODC. Resetting the password for a given user is the mechanism to securely clear the cached password for that user. You must be a member of the Domain Admins group to reset the current credentials that are cached on an RODC.

The options stating Enterprise Admins and Schema Admins are incorrect because granting membership in those groups would grant more permissions than necessary to reset the current cached credentials on the RODC. The local Administrators group on the RODC is incorrect because it does not grant sufficient permissions to reset the current cached credentials on the RODC. A user must be a member of the Domain Admins group to reset the current credentials that are cached on an RODC.

Item: 82 (Ref:Cert-70-640.2.5.2)
You are the systems administrator for your company. The company has a main office and a branch office; all administrators are located at the main office. The network consists of a single Active Directory domain. The main office contains a domain controller named DC1. You install a read-only domain controller (RODC) named RODC1 in the branch office due to its reduced management requirements. You want to prevent the replication of sensitive information between DC1 and RODC1. What should you do?

Configure a Filtered Partial Attribute Set.
Disable the Krbtgt account on RODC1.
Configure the Password Replication Policy on RODC1.
Disable the Replicator user group on RODC1.

Answer: Configure a Filtered Partial Attribute Set.

Explanation:
You should configure a Filtered Partial Attribute Set. An RODC is a new type of domain controller in Windows Server 2008 that hosts read-only partitions of the Active Directory database. An RODC holds all the Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds, except for account passwords. Each RODC has a unique account, named Krbtgt, which is used for Kerberos authentication. By default, an RODC does not store any user or computer credentials except its own computer account and the Krbtgt account. When you want to prevent the replication of sensitive information, you should configure a Filtered Partial Attribute Set. A Filtered Partial Attribute Set is a set of attributes that you can configure in the schema to ensure that these attributes are not replicated to an RODC.

You should not disable the Krbtgt account on RODC1. The Krbtgt account is used by an RODC for Kerberos authentication. Disabling the Krbtgt account will not prevent sensitive information from being replicated between a writable domain controller and an RODC.

You should not configure the Password Replication Policy on RODC1. The Password Replication Policy determines whether an RODC should be allowed to cache a password. The Password Replication Policy lists the accounts that are permitted to be cached and the accounts that are explicitly denied from being cached. The Password Replication Policy is configured and enforced on a writable domain controller. For example, to prevent the Administrator password from replicating from the main office to the branch office RODC, a Password Replication Policy would need to be implemented on the DC in the main office. This would prevent the password from replicating to the RODC in the branch office.

You should not disable the Replicator user group on RODC1. The Replicator user group supports file replication in a domain. Disabling the Replicator user group will not ensure that sensitive information is not replicated between a writable domain controller and an RODC.
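How an attribute is actually placed in the Filtered Attribute Set, as an added example that is not part of the Transcender item: the set is a bit in each attribute's searchFlags value in the schema partition, and the same script sets the confidential bit so the attribute is also hidden from ordinary readers on writable DCs. It assumes a Schema Admins session on the schema master (which must run Windows Server 2008 for the RODC bit to be honoured) and a placeholder custom attribute name; built-in schema attributes and those in the RODC required set cannot be filtered.

```powershell
# Added example, not the item's own procedure. Adds one custom attribute to the
# RODC Filtered Attribute Set by editing its searchFlags in the schema.
#   0x080 (128) fCONFIDENTIAL          - reading requires a control access right
#   0x200 (512) fRODCFilteredAttribute - never replicated to an RODC
$attributeLdapName      = 'nutex-EmployeeBankAccount'   # placeholder custom attribute
$FCONFIDENTIAL          = 0x080
$FRODCFILTEREDATTRIBUTE = 0x200

$rootDse   = [ADSI]'LDAP://RootDSE'
$schemaNC  = $rootDse.schemaNamingContext.Value
$schemaDir = [ADSI]"LDAP://$schemaNC"

# Locate the attributeSchema object by its LDAP display name.
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    $schemaDir, "(&(objectClass=attributeSchema)(lDAPDisplayName=$attributeLdapName))")
$result = $searcher.FindOne()
if (-not $result) { throw "Attribute '$attributeLdapName' not found in the schema" }
$attr = $result.GetDirectoryEntry()

# Refuse base-schema attributes (systemFlags 0x10 = FLAG_SCHEMA_BASE_OBJECT)
# here rather than relying on the DC to reject the write.
$systemFlags = [int]$attr.systemFlags.Value
if ($systemFlags -band 0x10) {
    throw "'$attributeLdapName' is a base schema attribute and cannot be added to the FAS"
}

$flags    = [int]$attr.searchFlags.Value      # empty searchFlags reads as 0
$newFlags = $flags -bor $FCONFIDENTIAL -bor $FRODCFILTEREDATTRIBUTE

if ($newFlags -eq $flags) {
    "searchFlags already 0x{0:X}; nothing to do" -f $flags
} else {
    $attr.Put('searchFlags', $newFlags)
    $attr.SetInfo()
    "searchFlags changed 0x{0:X} -> 0x{1:X} (confidential + RODC filtered)" -f $flags, $newFlags
}

# Verify by re-reading the object. The change takes effect on other DCs after
# schema replication and the schema cache refresh.
$check = [int]([ADSI]$attr.Path).searchFlags.Value
"RODC filtered: {0}; confidential: {1}" -f
    [bool]($check -band $FRODCFILTEREDATTRIBUTE), [bool]($check -band $FCONFIDENTIAL)
```

Only Windows Server 2008 domain controllers enforce the filter, so a forest that still contains Windows Server 2003 writable DCs cannot rely on it: the forest functional level should be Windows Server 2008.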

Item: 83 (Ref:Cert-70-640.4.2.5)
You are the network administrator of your company. You create an account for a user named Michelle Smith. Click the Exhibit(s) button to see the properties of the account. Michelle is able to successfully store and retrieve files from the file server. A few days later, however, Michelle is not able to log in with her password. What should you do to correct the problem with Michelle's account?
Select Unlock the account and change the expiration date.
Select Unlock the account and clear User must change password at next logon.
Select Unlock the account and reset Michelle's password.
Select Unlock the account and select Password never expires.

Answer: Select Unlock the account and change the expiration date.


Explanation:
You should select Unlock the account and change the expiration date. In this scenario, Michelle was able to log in with her account. After a few days, the account stopped working. Her account has an expiration date set. When an account expires, the account is not deleted from Active Directory. You can unlock the account and configure another expiration date, or set the account to never expire.

You should not clear User must change password at next logon. This setting is used after resetting a password or setting a user's password for the first time. It forces the user to change the password when he or she logs in. This setting is not the reason Michelle is locked out.

You should not reset Michelle's password. Michelle's password is not the problem. Michelle was not able to log on with her password after a week. The problem is that the account has expired.

You should not select Password never expires. This setting will lessen security. You should have users change their passwords periodically to enforce security. Michelle's password is not the problem; the problem is that the account has expired.

Item: 84 (Ref:Cert-70-640.4.3.11)
You are the security administrator of VisionWorx Corporation. The network of the company consists of a single Active Directory domain, named visionworx.com. The servers on the network run Windows Server 2008. The client computers run Windows Vista. The organizational unit (OU) structure of the company is shown in the exhibit. (Click the Exhibit(s) button.) You employ an assistant administrator named Adam. You want to enable Adam to only apply Group Policy Objects (GPOs) to desktop client computers. What should you do?
Add Adam's user account to the Group Policy Creator Owners group.
Add Adam's user account to the Managed By tab in the properties sheet for the Desktop Clients OU.
Run the Delegation of Control Wizard and delegate Adam the right to manage Group Policy links for the Desktop Clients OU.
Run the Delegation of Control Wizard and delegate Adam the right to manage Group Policy links for the Client Computers OU.

Answer: Run the Delegation of Control Wizard and delegate Adam the right to manage Group Policy links for the Desktop Clients OU.

Explanation:
You should run the Delegation of Control Wizard and delegate Adam the right to manage Group Policy links for the Desktop Clients OU. Windows Server 2008 allows you to delegate the following three Group Policy tasks independently:

1. Creating Group Policy objects.
2. Managing Group Policy links for a site, domain, or organizational unit.
3. Editing Group Policy objects.

To delegate to a user the right to manage Group Policy links for a site, domain, or OU, you should use the Delegation of Control Wizard. To run the Delegation of Control Wizard, you should right-click the appropriate container and select the Delegate Control option. The Group Policy tab in the site, domain, or organizational unit's Properties page allows you to specify which Group Policy objects are linked to that site, domain, or organizational unit. This property page stores the user's choices in two Active Directory properties called gPLink and gPOptions. The gPLink property contains the prioritized list of Group Policy object links, and the gPOptions property contains the Block Policy Inheritance policy setting for domains or organizational units. The Block Policy Inheritance policy setting is not available for sites. If non-administrators have Read and Write access to the gPLink and gPOptions properties, they can manage the list of Group Policy objects linked to that site, domain, or organizational unit. To give a user Read and Write access to these properties, you should use the Delegation of Control Wizard and select the Manage Group Policy links predefined task.

You should not add Adam's user account to the Group Policy Creator Owners group. By default, only Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Adding a non-administrator user to the Group Policy Creator Owners group allows the user to create Group Policy objects. Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only those Group Policy objects that the user creates or those explicitly delegated to that user. It does not give the user full control of any other Group Policy objects, and it does not allow the user to link Group Policy objects to sites, domains, or organizational units. In this scenario, you want to enable Adam to apply Group Policy Objects (GPOs) to desktop client computers only. Therefore, adding Adam's user account to the Group Policy Creator Owners group will not allow Adam to link a GPO at the Desktop Clients OU only.

You should not add Adam's user account to the Managed By tab in the properties sheet for the Desktop Clients OU. When you add a user as a manager in the Managed By tab in the properties sheet of an OU, the user does not get any permissions for the OU. This setting is only informational. The other fields on the tab display the manager's properties, not the OU's properties.

You should not run the Delegation of Control Wizard and delegate Adam the right to manage Group Policy links for the Client Computers OU. This would allow Adam to apply Group Policy Objects (GPOs) to all computers whose computer accounts are located in the Client Computers OU, the Desktop Clients OU, and the Portable Clients OU.
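A way to verify what a delegation actually granted, as an added example that is not part of the Transcender items: it reads an OU's ACL through ADSI and names the delegated rights by their well-known GUIDs, which covers both the Reset Password control access right of item 80 (Help Desk under Personnel but not NetAdmins) and the gPLink/gPOptions property writes of item 84 (Adam on Desktop Clients only). It assumes read access to the OUs; the OU distinguished names, domain and group names are placeholders standing in for the exhibits.

```powershell
# Added example, not from the Transcender items. Reports the ACEs a trustee
# holds on an OU, resolving the rightsGUID / schemaIDGUID values that the
# Delegation of Control Wizard writes into the ACL.
$knownGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (control access right)'
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'gPLink (property)'
    'f30e3bbf-9ff0-11d1-b603-0000f80367c1' = 'gPOptions (property)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (object class)'
    '00000000-0000-0000-0000-000000000000' = 'all'
}

function Get-OuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDN,
        [string]$Identity      # e.g. 'CORP\Help Desk'; omit to list every trustee
    )
    $ou    = [ADSI]"LDAP://$OuDN"
    $acl   = $ou.ObjectSecurity
    # Ask for SIDs and translate per rule, so an orphaned SID (deleted group)
    # is reported as a finding instead of aborting the whole listing.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        try   { $who = $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $r.IdentityReference.Value }
        if ($Identity -and $who -ne $Identity) { continue }

        $on = $knownGuids[$r.ObjectType.ToString()]
        if (-not $on) { $on = $r.ObjectType.ToString() }
        $appliesTo = $knownGuids[$r.InheritedObjectType.ToString()]
        if (-not $appliesTo) { $appliesTo = $r.InheritedObjectType.ToString() }

        [pscustomobject]@{
            OU        = $OuDN
            Trustee   = $who
            Access    = $r.AccessControlType      # Allow / Deny
            Rights    = $r.ActiveDirectoryRights  # ExtendedRight, WriteProperty, ...
            On        = $on                       # which right or property
            AppliesTo = $appliesTo                # which object class it inherits to
            Inherited = $r.IsInherited
            Protected = $acl.AreAccessRulesProtected   # inheritance disabled on this OU?
        }
    }
}

# Item 80: Help Desk should show Allow/ExtendedRight on 'Reset Password' applying
# to 'user' under Personnel (inherited into Managers and Employees) and no rows
# at all under NetAdmins, whose Protected flag should be True.
'OU=Personnel,DC=corp,DC=example',
'OU=NetAdmins,OU=Personnel,DC=corp,DC=example' |
    ForEach-Object { Get-OuDelegation -OuDN $_ -Identity 'CORP\Help Desk' } |
    Format-Table OU, Access, Rights, On, AppliesTo, Inherited, Protected -AutoSize

# Item 84: Adam should hold WriteProperty on gPLink and gPOptions for Desktop
# Clients; the same query against Client Computers should return nothing.
Get-OuDelegation -OuDN 'OU=Desktop Clients,OU=Client Computers,DC=corp,DC=example' -Identity 'CORP\Adam' |
    Where-Object { $_.On -like 'gP*' } |
    Format-Table Trustee, Access, Rights, On, Inherited -AutoSize
```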

Copyright 2009 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.

Item: 85 (Ref:Cert-70-640.2.4.5)
You are the network administrator for your company. A user reports that their password has expired. You investigate and determine that the user account has been locked out. The user needs to log on immediately, and you need to replicate the change in account status to all domain controllers. What are three ways that you can force replication of the account status? (Choose three. Each answer is a complete solution.)
Use Repadmin.
Use Replmon.
Use Rsnotify.
Use Active Directory Domains and Trusts. Click NTDS Settings for the server where you want to force replication.
Use Active Directory Sites and Services. Click NTDS Settings for the server that you want to force replication.
Use Active Directory Users and Computers. Choose the Domain Controllers OU and force replication.

Answer: Use Repadmin. Use Replmon. Use Active Directory Sites and Services. Click NTDS Settings for the server that you want to force replication.

Explanation:
You can use the Repadmin tool or the Replmon tool to force replication in Active Directory. You can also use Active Directory Sites and Services and click NTDS Settings for the server from which you want to force replication. In this scenario, you need to force the replication of the change in account status of an unlocked account to all domain controllers. Eventually this change will replicate to all domain controllers based on the replication schedule; to replicate it immediately, you can use the Repadmin tool, the Replmon tool, or Active Directory Sites and Services. You should not use Rsnotify.exe. This command is the remote storage recall notification program on a Windows operating system. It will not force replication. You should not use Active Directory Domains and Trusts to force replication of Active Directory. Active Directory Domains and Trusts can be used to raise the functional level of the forest or domain and to create trusts between domains, but it cannot be used to force replication. You cannot use Active Directory Users and Computers to force replication by selecting the Domain Controllers OU and forcing replication. You cannot force replication at the OU level with Active Directory Users and Computers.
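The explanation names the tools but not the sequence, so here is the procedure as an added PowerShell example (not from the item): unlock the account on one DC, push that change to the other DCs with repadmin /syncall, and then ask every DC directly whether it still sees the account as locked. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT; on Windows Server 2008 itself, unlock the account in Active Directory Users and Computers and run the repadmin line from cmd.exe) and a placeholder user name.

```powershell
# Added example (not from the original item). Assumes the ActiveDirectory module and the
# placeholder sAMAccountName below; repadmin.exe is present on any Windows Server 2008 DC.
Import-Module ActiveDirectory
$user = 'jsmith'   # placeholder

# 1. Make the change on one writable DC and remember which one took it.
$sourceDc = [string](Get-ADDomainController -Discover -Writable).HostName
Unlock-ADAccount -Identity $user -Server $sourceDc

# 2. Push the change from that DC outward:
#    /A all naming contexts, /d report partners by DN, /e include partners in other sites,
#    /P push from the source rather than pull into it. Without /j the sync is transitive,
#    so partners of partners are reached as well.
$result = & repadmin /syncall $sourceDc /AdeP 2>&1
$result
if ($LASTEXITCODE -ne 0) { Write-Warning 'repadmin reported at least one failed sync; see the output above.' }

# 3. Verify on every DC instead of trusting the source: LockedOut is read from each server.
function Get-LockoutStateByDc {
    param([string]$Identity)
    Get-ADDomainController -Filter * | ForEach-Object {
        $u = Get-ADUser -Identity $Identity -Server $_.HostName -Properties LockedOut
        [pscustomobject]@{ DC = $_.HostName; LockedOut = $u.LockedOut }
    }
}
Get-LockoutStateByDc $user | Format-Table -AutoSize
```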

Item: 86 (Ref:Cert-70-640.3.1.3)
You are the systems administrator for your company. The company's network consists of a single Active Directory domain. A computer running Windows Server 2008 has both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) roles installed. The AD LDS server contains an instance with the default name that is used by several applications that access data from and write data to the AD LDS database. Over time, users report to you that the AD LDS applications have become slow. To resolve this problem, you want to defragment the AD LDS database. What should you do to perform an offline defragmentation of AD LDS database? (Choose all that apply. Each correct answer is part of a single solution.)

Restart the domain controller in Directory Services Restore Mode.
Run the Net stop Adam_instance1 command.
Run the Net stop Ntds command.
Use the Ntdsutil command with the appropriate parameters to defrag the database.
Run the Net start Adam_instance1 command.
Run the Net start Ntds command.

Answer: Run the Net stop Adam_instance1 command. Use the Ntdsutil command with the appropriate parameters to defrag the database. Run the Net start Adam_instance1 command.

Explanation:
You should run the Net stop Adam_instance1 command, use the Ntdsutil command with the appropriate parameters to defragment the database, and then run the Net start Adam_instance1 command. When you perform offline defragmentation of the directory database file, a new, compacted version of the database file is created in a different location. In Windows Server 2008, you can use the Net.exe command-line tool to perform tasks such as offline defragmentation of the AD DS database without restarting the domain controller. Restartable AD DS is a new feature in Windows Server 2008 that allows you to perform offline operations quickly because it does not require you to restart the domain controller in Directory Services Restore Mode. Likewise, you can perform offline defragmentation of the AD LDS directory database by stopping the AD LDS instance's service, performing the defragmentation, and restarting the service. The scenario states that the AD LDS instance is installed with the default name, which is Instance1. Therefore, to stop the AD LDS service, you should run the Net stop Adam_instance1 command. You should then run the Ntdsutil command with the appropriate parameters to compact the database. Finally, you should start the AD LDS service with the Net start Adam_instance1 command. You should not restart the domain controller in Directory Services Restore Mode. Restarting the domain controller in Directory Services Restore Mode is required for offline defragmentation in Windows 2000 Server Active Directory and Windows Server 2003 Active Directory. In Windows Server 2008, however, you can perform offline defragmentation by stopping AD LDS instead of restarting the domain controller in Directory Services Restore Mode. You should not run the Net stop Ntds command or the Net start Ntds command because these commands stop and start the AD DS service. In this scenario, you want to perform offline defragmentation of the AD LDS database. Therefore, you should stop the AD LDS service, not the AD DS service.
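The three answer steps carried out end to end, as an added PowerShell example that is not the item's own text: stop the instance, compact with ntdsutil, check the compacted file, put it in place, and restart. The AD LDS data directory, the database file name (adamntds.dit) and the scratch and backup paths are assumptions; adjust them to the instance in question.

```powershell
# Added example (not from the original item). Assumed paths: the default AD LDS instance
# keeps adamntds.dit under %ProgramFiles%\Microsoft ADAM\instance1\data; C:\ADLDS-* are scratch.
$instance  = 'instance1'
$service   = "ADAM_$instance"                      # the service that "net stop Adam_instance1" stops
$dataDir   = Join-Path $env:ProgramFiles "Microsoft ADAM\$instance\data"
$compactTo = 'C:\ADLDS-compact'                    # where ntdsutil writes the new, compacted copy
$backupDir = "C:\ADLDS-backup-$(Get-Date -Format yyyyMMddHHmm)"

function Invoke-AdLdsOfflineDefrag {
    # 1. Stop the AD LDS instance only; AD DS (NTDS) keeps running, so no restart into DSRM.
    Stop-Service -Name $service
    try {
        # 2. Keep a copy of the database and logs in case the compacted file is rejected.
        Copy-Item -Path $dataDir -Destination $backupDir -Recurse
        New-Item -ItemType Directory -Force -Path $compactTo | Out-Null

        # 3. ntdsutil must activate the instance first, or "files" would target AD DS instead.
        #    Each quoted argument is one ntdsutil command.
        & ntdsutil "activate instance $instance" files "compact to $compactTo" quit quit
        $newDit = Join-Path $compactTo 'adamntds.dit'
        if (-not (Test-Path $newDit)) { throw 'ntdsutil did not produce a compacted adamntds.dit' }

        # 4. Replace the original and remove the old transaction logs, which no longer match it.
        Copy-Item -Path $newDit -Destination (Join-Path $dataDir 'adamntds.dit') -Force
        Remove-Item -Path (Join-Path $dataDir '*.log')

        # 5. Run the integrity check against the file that is now in place.
        & ntdsutil "activate instance $instance" files integrity quit quit
    }
    finally {
        # 6. Bring the instance back whether or not the steps above succeeded.
        Start-Service -Name $service
    }
}

Invoke-AdLdsOfflineDefrag
```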

Item: 87 (Ref:Cert-70-640.5.1.2)
You are the systems administrator of the Nutex corporation. The company's network consists of a single Active Directory domain. The network contains a Server Core installation of Windows Server 2008 on a computer named NutexCoreSrv1. You want to create a daily backup schedule for NutexCoreSrv1. You want to ensure that only volumes that contain system state data are included in the backup. The backups should be able to be viewed by all administrators in the network infrastructure. Which three commands can you run? (Choose three. Each correct answer presents a complete solution.)
Wbadmin enable backup -allCritical
Wbadmin enable backup -include
Wbadmin enable backup -addtarget
Wbadmin start backup -include
Wbadmin start backup -allCritical
start /w ocsetup WindowsServerBackup
start /w ocsetup DFSR-Infrastructure-ServerEdition

Answer: Wbadmin enable backup -allCritical. Wbadmin start backup -allCritical. start /w ocsetup WindowsServerBackup

Explanation:
Windows Server Backup is not installed by default on the Windows Server 2008 Core Edition or on any other version of Windows Server 2008. You must run start /w ocsetup WindowsServerBackup to install the Windows Server Backup feature, and you must have it installed to use the Wbadmin command. You can then run either the Wbadmin enable backup -allCritical command or the Wbadmin start backup -allCritical command. Wbadmin.exe is a command-line tool that allows you to back up and restore your computer, volumes, and files from a command prompt. The Wbadmin enable backup command can be used to create a daily backup schedule or to modify an existing backup schedule. When this command is run without any parameters, it displays the currently scheduled backup settings. The -allCritical parameter ensures that all critical volumes, that is, the volumes that contain system state data, are automatically included in the backup. The Wbadmin start backup command runs a backup immediately using the specified parameters; its -allCritical parameter has the same effect. You should use the -allCritical parameter with the Wbadmin start backup command only when the -backupTarget parameter is also specified. The -backupTarget parameter specifies the storage location for the backup. To recover the operating system of your server, you must have a backup available that contains the critical volumes of the server. You can recover the operating system of a failed computer by doing the following:
Insert the Setup media DVD into the drive and turn on the computer.
From the Setup Wizard, click Repair your computer. The Setup process searches the hard disk drives for an existing Windows installation and displays the results in the System Recovery Options dialog box.
Choose the Windows installation to recover and click Next.
On the System Recovery Options page, click Windows Complete PC Restore.
Choose one of the following options, and then click Next: Restore the following backup (recommended), or Restore a different backup. Depending on the option you choose, you may be asked to provide more details about the backup you want to restore. Click Next.
On the Choose how to restore the backup page, install any drivers that you need. Then choose one of the following options, and click Next: Format and repartition disks (to delete existing partitions and reformat the destination disks to be the same as the backup), or Restore only system volumes. Click Exclude disks, and then check the boxes for any disks that are needed for a system restore. Click Next.
Confirm the details for the restoration, and then click Finish.
You should not run the Wbadmin enable backup -include command or the Wbadmin start backup -include command because the -include parameter specifies a comma-delimited list of volume drive letters, volume mount points, or GUID-based volume names to include in the backup. To ensure that the system state data is backed up, you should use the -allCritical parameter. You should not run the Wbadmin enable backup -addtarget command because the -addTarget parameter specifies the storage location for backups and cannot be used to include the system state data in backups. You should not run start /w ocsetup DFSR-Infrastructure-ServerEdition. This installs the Distributed File System Replication service, which does not allow you to use the Wbadmin command to back up volumes.

Item: 88 (Ref:Cert-70-640.4.7.4)
You are the network administrator for Northern Corporation. The company's network contains servers that run Windows Server 2008. The company's network consists of a single Active Directory domain. You are creating audit policies using the Auditpol.exe command-line tool. You set up a per user audit policy. You now want to set Full Privilege Auditing. Which command should you run?
auditpol /set /category:fullprivilegeauditing
auditpol /set /option:fullprivilegeauditing
auditpol /set /include:fullprivilegeauditing
auditpol /set /subcategory:fullprivilegeauditing

Answer: auditpol /set /option:fullprivilegeauditing

Explanation:
You should run the auditpol /set /option:fullprivilegeauditing command to create a per-user audit policy with Full Privilege Auditing. Auditpol.exe is a command-line tool used to set audit policy at the subcategory level and per-user audit policy in Windows Server 2008. In Windows 2000 Server and Windows Server 2003, there is only one directory service audit policy, called Audit directory service access, which controls whether auditing for directory service events is enabled or disabled. In Windows Server 2008, however, this audit policy is divided into four subcategories:
Directory Service Access: enables auditing of a user accessing an Active Directory object.
Directory Service Changes: enables auditing of changes made to Active Directory objects, for example create, modify, and move operations.
Directory Service Replication: enables auditing of Active Directory replication problems.
Detailed Directory Service Replication: enables detailed tracking of Active Directory replication.
Each subcategory can be configured independently. Since there is no Windows interface tool for these subcategories in Windows Server 2008, you use the Auditpol.exe command-line tool to view or set them. For example, the following command sets the per-user audit policy for all subcategories under the Detailed Tracking category to audit the user's successful attempts (the user in this command is Amy):
Auditpol /set /user:amy /category:"Detailed Tracking" /include /success:enable
In this command, the /user field indicates the name of the user, the /category field specifies the audit category, the /include field states that the user's per-user policy will generate an audit even if the audit policy is not specified by a system audit policy, and the /success field specifies that success events are to be audited. You should not run the auditpol /set /category:fullprivilegeauditing command to create a per-user audit policy with Full Privilege Auditing. The auditpol /set /category command is used only to specify audit categories. You should not run the auditpol /set /include:fullprivilegeauditing command to create a per-user audit policy with Full Privilege Auditing. When you use the /include field with the /set command, it states that the user's per-user policy will generate an audit log even if the audit policy is not specified by a system audit policy. You should not run the auditpol /set /subcategory:fullprivilegeauditing command to create a per-user audit policy with Full Privilege Auditing. The auditpol /set /subcategory command is used only to specify audit subcategories.
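The commands from this item run and verified, as an added PowerShell example that is not part of the original: auditpol returns text, so the script reads each setting back with /get and checks for the expected line rather than assuming the /set took effect. The user name amy and the category and subcategory names are the ones the explanation uses; the backup file path is a placeholder.

```powershell
# Added example (not from the original item). auditpol.exe is built into Windows Server 2008;
# run this in an elevated session. 'amy' is the explanation's sample user.
function Set-AndVerifyAuditSetting {
    param([string[]]$SetArgs, [string[]]$GetArgs, [string]$ExpectPattern)
    & auditpol /set @SetArgs | Out-Null
    $text = (& auditpol /get @GetArgs) -join "`n"
    if ($text -notmatch $ExpectPattern) { throw "Setting not applied: auditpol /set $SetArgs`n$text" }
    return $true
}

# Full Privilege Auditing is an audit *option*, so it is set with /option and /value,
# not with /category or /subcategory.
Set-AndVerifyAuditSetting -SetArgs '/option:FullPrivilegeAuditing', '/value:enable' `
                          -GetArgs '/option:FullPrivilegeAuditing' `
                          -ExpectPattern 'FullPrivilegeAuditing\s+Enabled'

# Per-user policy for amy: audit her successful events in every Detailed Tracking
# subcategory, even where the system policy does not audit them (/include).
Set-AndVerifyAuditSetting -SetArgs '/user:amy', '/category:Detailed Tracking', '/include', '/success:enable' `
                          -GetArgs '/user:amy', '/category:Detailed Tracking' `
                          -ExpectPattern 'Success'

# System policy: the Windows Server 2008 subcategory that records object changes in AD DS.
Set-AndVerifyAuditSetting -SetArgs '/subcategory:Directory Service Changes', '/success:enable', '/failure:enable' `
                          -GetArgs '/subcategory:Directory Service Changes' `
                          -ExpectPattern 'Directory Service Changes\s+Success and Failure'

# Keep a copy of the whole policy so later drift can be compared or reverted with /restore.
& auditpol /backup /file:C:\audit-policy-baseline.csv   # placeholder path
```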

Item: 89 (Ref:Cert-70-640.2.6.7)
You are an administrator of an Active Directory domain. All servers in the domain run Windows Server 2008, and all client computers in the domain run Windows XP Professional. All domain operations master roles are currently assigned to DC1, which is the first domain controller in the domain. DC1 is due for routine maintenance, and network users will not be able to access it for several hours. There is another domain controller named DC2 in the domain. Recently, your company has acquired another company. As a result, several thousand new user accounts must be created in the domain as soon as possible. You must comply with the server maintenance schedule and also ensure that another administrator can create the new user accounts at the same time that you will be performing maintenance on DC1. You want to take only the minimum steps that are necessary to attain these two goals. Which of the following should you do? (Choose two. Each correct answer is part of the complete solution.)
Connect to DC1.
Connect to DC2.
Transfer the infrastructure master role to DC2.
Seize the infrastructure master role and assign it to DC2.
Transfer the PDC emulator role to DC2.
Seize the PDC emulator role and assign it to DC2.
Transfer the RID master role to DC2.
Seize the RID master role and assign it to DC2.

Answer: Connect to DC2. Transfer the RID master role to DC2.

Explanation:
All domain controllers in an Active Directory domain host the same domain directory partition. All instances of the domain directory partition are writeable; most types of changes to the domain directory partition can be made on any domain controller in the domain. However, certain types of changes are allowed only on one domain controller in the domain. In each domain, the infrastructure master, PDC emulator and RID master operations master roles can be assigned to the same domain controller or to different domain controllers. Each operations master controls certain types of operations. The infrastructure master is responsible for updating references from local objects to objects in other domains. The PDC emulator appears as a Windows NT primary domain controller to legacy client operating systems, such as Windows NT and Windows 9x/ME. The RID master assigns batches of relative IDs to other domain controllers, which in turn assign those IDs to new security principal objects that are being created in the domain. The RID master does not have to be online when new user accounts are being created as long as the domain controller where the user accounts are being created has not exhausted its pool of available RIDs. In this scenario, a large number of RIDs will be required in order to create several thousand new user accounts. Therefore, you should transfer the RID master role to another domain controller in the domain in order to ensure that domain controllers do not run out of RIDs during the creation of new user accounts. To transfer the RID master role to DC2, you should connect to DC2 by using either Active Directory Users and Computers or the Ntdsutil command-line tool and then initiate the transfer. Seizing is also referred to as forcing the transfer of an operations master role. Seizing an operations master role is an extreme measure that is possible only if the original operations master is unavailable. 
You should not seize the RID master role unless you are absolutely sure that the original RID master will never be brought back online. The temporary absence of a PDC emulator can be tolerated in this scenario because no computers in the domain run legacy operating systems. The temporary absence of the infrastructure master can also be tolerated because the scenario does not indicate that any relevant activity, such as renaming or moving user accounts or modifying group memberships, is expected to be performed during the next few hours.
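The transfer itself, as an added PowerShell example that is not from the item: it first checks that the current RID master (DC1) is reachable, because a transfer, unlike a seizure, needs the current holder online; then it transfers the role with ntdsutil while connected to DC2, and finally confirms the new holder from netdom, from the fSMORoleOwner attribute on the RID Manager$ object, and from dcdiag's RID test. DC1 and DC2 are the scenario's names.

```powershell
# Added example (not from the original item). Run as a Domain Admin; ntdsutil shows a
# confirmation dialog for the transfer, which this script does not suppress.
$currentHolder = 'DC1'
$newHolder     = 'DC2'

# A transfer requires the current role holder to be online; seizing is only for a holder
# that will never come back, which is not this scenario.
if (-not (Test-Connection -ComputerName $currentHolder -Count 1 -Quiet)) {
    throw "$currentHolder is not reachable; do not seize, transfer once it is back online"
}

# Connect to the DC that will receive the role, then transfer. Each argument is one
# ntdsutil command, exactly as it would be typed interactively.
& ntdsutil roles connections "connect to server $newHolder" quit "transfer RID master" quit quit

# Verify 1: netdom lists all five role holders.
& netdom query fsmo

# Verify 2: read the RID master from the directory; fSMORoleOwner on the RID Manager$
# object is the DN of the holder's NTDS Settings object.
function Get-RidMasterDn {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $ridMgr  = [ADSI]"LDAP://CN=RID Manager`$,CN=System,$($rootDse.defaultNamingContext)"
    return [string]$ridMgr.Properties['fSMORoleOwner'].Value
}
$owner = Get-RidMasterDn
if ($owner -notmatch "CN=NTDS Settings,CN=$newHolder,") { throw "RID master is still $owner" }
"RID master is now: $owner"

# Verify 3: dcdiag's RidManager test confirms DC2 can hand out RID pools to the other DCs.
& dcdiag /s:$newHolder /test:RidManager /v
```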

Item: 90 (Ref:Cert-70-640.2.2.3)
You are the network administrator of your company. You install Windows Server 2008 on all servers on the network. All client computers are configured to run Windows Vista. You want to be able to use Advanced Encryption Standard (AES) with Kerberos for encryption of Ticket Granting Tickets (TGTs), service tickets, and session keys. What is the minimum domain functional level that is required to support AES encryption with Kerberos?
Windows 2000 Server mixed
Windows 2000 Server native
Windows Server 2003
Windows Server 2008

Answer: Windows Server 2008

Explanation:
The option stating Windows Server 2008 is correct. AES is a National Institute of Standards and Technology specification for the encryption of electronic data. AES provides more secure encryption than its predecessor, Data Encryption Standard (DES). The security enhancements in Windows Server 2008 and Windows Vista enable the use of AES encryption with Kerberos. This means the base Kerberos protocol in Windows Server 2008 and Windows Vista supports AES for encryption of Ticket Granting Tickets (TGTs), service tickets, and session keys. To be able to configure AES encryption with Kerberos, the domain functional level must be Windows Server 2008. To raise the domain functional level of a domain to Windows Server 2008, all domain controllers in the domain must be running Windows Server 2008. The options stating Windows Server 2003, Windows 2000 Server mixed, and Windows 2000 Server native are incorrect because to be able to configure AES encryption with Kerberos, the domain functional level must be Windows Server 2008.

Item: 91 (Ref:Cert-70-640.1.2.3)
You are responsible for administering your company's DNS servers. The corporate network consists of a single Active Directory forest. All DNS servers run Windows Server 2008. Lately, users have started to complain that they receive an unusually large number of error messages that indicate name resolution problems. You want to monitor DNS traffic, and you want to record and analyze individual queries. Which of the following should you do?
On the Monitoring tab of a DNS server's Properties sheet, specify the types of tests to run and an interval between the tests.
Enable logging on the Debug Logging tab of a DNS server's Properties sheet.
Select the appropriate level of logging on the Event Logging tab of a DNS server's Properties sheet.
In Performance Logs and Alerts, run a counter log to capture DNS-related counters.

Answer: Enable logging on the Debug Logging tab of a DNS server's Properties sheet.

Explanation:
On the Debug Logging tab of a DNS server's Properties sheet, you should select Log packets for debugging in order to configure the DNS server to begin capturing debug packet information. This information is stored in the DNS debug log, which is named Dns.log. The Dns.log file can be opened only when the DNS Server service is stopped. You can use debug logging to record queries, transfers, updates, and notifications. You can specify whether to record the information about incoming or outgoing DNS packets, DNS requests or responses, or DNS packets sent by using TCP or UDP. You can specify whether detailed information about each packet must be recorded, and you can specify whether packets must be filtered according to IP addresses. On the Monitoring tab, you can configure a DNS server to perform two types of functionality testing. A simple query test verifies whether individual records can be read from zone data on the server. A recursive test verifies whether the server can communicate with Internet root DNS servers. Performing these tests, however, would not allow you to record and analyze individual queries and meet the requirements of the scenario. On the Event Logging tab of a DNS server's Properties sheet, you can specify the types of events, such as errors and warnings, to be recorded in the DNS event log. Although event logging can provide useful information about possible problems, the DNS event log does not record individual queries. A counter log in Performance Logs and Alerts can be used to gather quantitative, or performance, data; it cannot be used to record and analyze individual queries.
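Once Log packets for debugging is on, Dns.log is plain text that can be mined for the failing names and the clients asking for them. The following PowerShell is an added example, not part of the item: it parses the packet lines of the Windows Server 2008 Dns.log format and tallies the responses whose return code is not NOERROR. The log lines it runs on are constructed samples embedded in the script; a real log is read the same way once the DNS Server service is stopped or the file has been copied.

```powershell
# Added example (not from the original item). The sample lines below are constructed to
# follow the Dns.log packet format: date, time, thread id, PACKET, context, UDP/TCP,
# Snd/Rcv, remote IP, XID, "R" for responses, opcode, [flags-hex flag-chars rcode], type, name.
$sample = @'
3/5/2009 9:12:01 AM 0B4C PACKET  0000000001A3F9E0 UDP Rcv 10.1.1.25        0002   Q [0001   D   NOERROR] A      (5)files(4)corp(7)example(0)
3/5/2009 9:12:01 AM 0B4C PACKET  0000000001A3F9E0 UDP Snd 10.1.1.25        0002 R Q [8583 A DR  NXDOMAIN] A      (5)files(4)corp(7)example(0)
3/5/2009 9:12:03 AM 0B4C PACKET  0000000001A4C2B0 UDP Rcv 10.1.1.40        0003   Q [0001   D   NOERROR] A      (3)www(4)corp(7)example(0)
3/5/2009 9:12:03 AM 0B4C PACKET  0000000001A4C2B0 UDP Snd 10.1.1.40        0003 R Q [8580 A DR  NOERROR] A      (3)www(4)corp(7)example(0)
3/5/2009 9:12:04 AM 0B4C PACKET  0000000001A51100 UDP Rcv 10.1.1.25        0004   Q [0001   D   NOERROR] A      (6)files1(4)corp(7)example(0)
3/5/2009 9:12:04 AM 0B4C PACKET  0000000001A51100 UDP Snd 10.1.1.25        0004 R Q [8583 A DR  NXDOMAIN] A      (6)files1(4)corp(7)example(0)
3/5/2009 9:12:05 AM 0B4C PACKET  0000000001A51100 TCP Rcv 10.1.1.77        0005   Q [0001   D   NOERROR] MX     (4)corp(7)example(0)
3/5/2009 9:12:05 AM 0B4C PACKET  0000000001A51100 TCP Snd 10.1.1.77        0005 R Q [8182    R  SERVFAIL] MX     (4)corp(7)example(0)
'@

function ConvertFrom-DnsDebugLog {
    param([string[]]$Lines)
    $rx = '^(?<date>\S+)\s+(?<time>\S+(?: [AP]M)?)\s+[0-9A-Fa-f]{4}\s+PACKET\s+[0-9A-Fa-f]+\s+' +
          '(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>\S+)\s+(?<xid>[0-9A-Fa-f]{4})\s+(?<resp>R?)\s+' +
          '(?<op>\S)\s+\[(?<flags>[0-9A-Fa-f]{4})\s+(?<fchars>[A-Z ]*?)\s*(?<rcode>[A-Z]+)\]\s+' +
          '(?<qtype>\S+)\s+(?<qname>\S+)\s*$'
    foreach ($line in $Lines) {
        if (-not ($line -match $rx)) { continue }   # skips header, blank and non-packet lines
        # Names are logged as length-prefixed labels: (3)www(7)example(3)com(0)
        $name = ($Matches['qname'] -replace '\(\d+\)', '.').Trim('.')
        if ($name -eq '') { $name = '.' }
        [pscustomobject]@{
            Time     = "$($Matches['date']) $($Matches['time'])"
            Client   = $Matches['ip']
            Proto    = $Matches['proto']
            Response = ($Matches['resp'] -eq 'R')
            Xid      = $Matches['xid']
            Rcode    = $Matches['rcode']
            Type     = $Matches['qtype']
            Name     = $name
        }
    }
}

function Get-DnsFailureSummary {
    param([object[]]$Records)
    $failed = $Records | Where-Object { $_.Response -and $_.Rcode -ne 'NOERROR' }
    [pscustomobject]@{
        TotalResponses = @($Records | Where-Object { $_.Response }).Count
        Failed         = @($failed).Count
        ByRcode        = $failed | Group-Object Rcode  | Sort-Object Count -Descending | Select-Object Count, Name
        ByName         = $failed | Group-Object Name   | Sort-Object Count -Descending | Select-Object Count, Name
        ByClient       = $failed | Group-Object Client | Sort-Object Count -Descending | Select-Object Count, Name
    }
}

$records = ConvertFrom-DnsDebugLog ($sample -split "`r?`n")
$summary = Get-DnsFailureSummary $records
"Responses: $($summary.TotalResponses), failed: $($summary.Failed)"
'Failures by return code:'; $summary.ByRcode  | Format-Table -AutoSize
'Failures by name:';        $summary.ByName   | Format-Table -AutoSize
'Failures by client:';      $summary.ByClient | Format-Table -AutoSize
```

On a real log, replace the here-string with `Get-Content C:\Windows\System32\dns\dns.log` (the default location on Windows Server 2008; assumed here) and filter by Client to see what a particular complaining user's machine is asking for.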

Item: 92 (Ref:Cert-70-640.6.5.2)
You are the systems administrator for your company. The company's network consists of a single Active Directory domain and several branch locations. All domain controllers run Windows Server 2008, and all client computers run Windows Vista. You have a public key infrastructure which contains a Windows Server 2008 computer, which is a subordinate enterprise Certification Authority (CA) that issues certificates on behalf of the root CA. You want another Windows Server 2008 computer to manage and distribute the revocation status of certificates to clients spread out in different locations that connect via the Internet. What must you configure or install? (Choose three.)
Install the Online Certificate Status protocol (OCSP).
Install the certification authority Web enrollment service.
Install the Microsoft Simple Certificate Enrollment Protocol (MSCEP).
Install IIS.
Install Sharepoint 3.0.
Check the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension boxes on the Extensions tab of the subordinate enterprise CA.
Check the Include in the AIA extension of issued certificates box on the Extensions tab of the subordinate enterprise CA.

Answer: Install the Online Certificate Status protocol (OCSP). Install IIS. Check the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension boxes on the Extensions tab of the subordinate enterprise CA.

Explanation:
You should choose the following answers: Install the Online Certificate Status protocol (OCSP). Install IIS. Check the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension boxes on the Extensions tab of the subordinate enterprise CA. Online Responders can be used as an alternative to or an extension of certificate revocation lists (CRLs) to provide certificate revocation data to clients. In Windows Server 2008, you can use an Online Responder based on the Online Certificate Status Protocol (OCSP) to manage and distribute revocation status information in cases where the use of conventional CRLs is not an optimal solution. OCSP is an HTTP-based protocol that allows a relying party to submit a certificate status request to an OCSP responder. When the OCSP responder receives the request, it returns a definitive, digitally signed response indicating the certificate status to the client. You should install the Online Certificate Status Protocol on a Windows Server 2008 computer by using Server Manager: open Server Manager and choose Manage Roles. On the Select Server Roles page, check Active Directory Certificate Services and click Next. Check Online Certificate Status Protocol and click Next. You will also be prompted to install the IIS role services; click Add Required Role Services to install the required IIS services, and click Next. On the Confirm Installation Options page, click Install. Before configuring a CA to support the Online Responder service, you must ensure that the following conditions are met:
IIS must be installed on the computer before the Online Responder can be installed.
An OCSP Response Signing certificate template must be configured on the CA, and autoenrollment must be used to issue an OCSP Response Signing certificate to the computer on which the Online Responder will be installed.
The URL for the Online Responder must be included in the AIA extension of certificates issued by the CA. This URL is used by the Online Responder client to validate certificate status.
You should not install Sharepoint 3.0. Sharepoint 3.0 is not a prerequisite for installing an Online Responder; IIS is. You should not install the Microsoft Simple Certificate Enrollment Protocol (MSCEP). MSCEP, referred to in some documents as Network Device Enrollment Service (NDES), is the Microsoft implementation of SCEP, which was developed by Cisco Systems Inc. to support the secure, scalable issuance of certificates to network devices by using existing CAs. MSCEP is a communication protocol that allows software running on network devices, such as routers and switches, to enroll for X.509 certificates from a CA. MSCEP is not required to install an Online Responder. You should not install the certification authority Web enrollment service on the Windows Server 2008 computer. The certification authority Web enrollment service allows users to enroll for and receive certificates via HTTP in a browser. It does not allow you to manage and distribute the revocation status of certificates. On the CA, you must enable both the Include in the AIA extension of issued certificates and the Include in the online certificate status protocol (OCSP) extension boxes on the Extensions tab of the subordinate enterprise CA. To configure the CA's Authority Information Access extension, perform the following actions:
Open the Certification Authority snap-in, right-click the name of the issuing CA, and then click Properties.
Click the Extensions tab.
In the Select extension list, click Authority Information Access (AIA) and then click Add.
In the dialog box, type the full URL of the Online Responder, which should be in the form http://<DNSServerName>/<vDir>. When installing the Online Responder, the default virtual directory used in IIS is OCSP.
Select the location from the Locations list. Select the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension check boxes, and then click OK.
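A check that the Extensions-tab setting actually reached issued certificates, as an added PowerShell example that is not part of the item: it decodes the AIA extension of a certificate file, extracts any OCSP access-method URLs, and then has certutil fetch the revocation status from them, which is the same path a client takes. The certificate path is a placeholder; the AIA extension OID (1.3.6.1.5.5.7.1.1) and the OCSP access-method OID (1.3.6.1.5.5.7.48.1) are the standard values.

```powershell
# Added example (not from the original item). Assumes a certificate exported from a client
# (placeholder path) plus the built-in .NET X509 classes and certutil.exe.
function Get-OcspUrlsFromCert {
    param([string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $aia  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }   # Authority Information Access
    if ($null -eq $aia) { return @() }
    # Format($true) renders the extension as text, one numbered block per access description:
    #   [1]Authority Info Access
    #        Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
    #        Alternative Name:
    #             URL=http://<DNSServerName>/ocsp
    $urls = @()
    foreach ($block in ($aia.Format($true) -split '\[\d+\]Authority Info Access')) {
        if ($block -match '1\.3\.6\.1\.5\.5\.7\.48\.1' -and $block -match 'URL=(\S+)') {
            $urls += $Matches[1]
        }
    }
    return $urls
}

$certPath = 'C:\exports\issued-user.cer'   # placeholder
$ocspUrls = @(Get-OcspUrlsFromCert -CertPath $certPath)
if ($ocspUrls.Count -eq 0) {
    # Certificates issued before the Extensions-tab change keep their old AIA; they need
    # re-enrollment. Certificates issued afterwards should carry the Online Responder URL.
    Write-Warning 'No OCSP URL in AIA: verify both Include in the AIA extension and Include in the OCSP extension are checked on the CA.'
} else {
    "OCSP responder(s) in AIA: $($ocspUrls -join ', ')"
    # certutil retrieves every AIA, CDP and OCSP URL in the chain and reports whether each
    # was reachable and what status it returned; this is the client-side view of the responder.
    & certutil -verify -urlfetch $certPath
}
```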


Item: 93 (Ref:Cert-70-640.6.5.4)
You are the systems administrator for your company. The company's network consists of a single Active Directory domain. All domain controllers run Windows Server 2008, and all client computers run Windows Vista. You have a public key infrastructure that has a subordinate enterprise Certification Authority (CA), which issues certificates on behalf of the root CA. You have a certificate template that allows users to autoenroll, and a group policy object that distributes the certificates to users. All users are able to automatically obtain certificates. You now want routers and other network devices to be able to obtain certificates from the CA. What should you do?
Assign the routers and network devices the Autoenroll permission in a certificate template.
Change the Publish Delta CRL to 1 hour so expired certificates for routers and network devices are published in Active Directory.
Install the Online Certificate Status Protocol (OCSP) role service for AD CS.
Install the Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service for AD CS.

Answer: Install the Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service for AD CS.

Explanation:
You should install the Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service. MSCEP, also referred to in some documents as Network Device Enrollment Service (NDES), is the Microsoft implementation of SCEP, which was developed by Cisco Systems Inc. to support the secure, scalable issuance of certificates to network devices by using existing CAs. MSCEP is a communication protocol that allows software running on network devices, such as routers and switches, to enroll for X.509 certificates from a CA. You should not install the Online Certificate Status Protocol (OCSP). OCSP is used by an Online Responder. Online Responders can be used as an alternative to or an extension of certificate revocation lists (CRLs) to provide certificate revocation data to clients. In Windows Server 2008, you can use an Online Responder based on OCSP to manage and distribute revocation status information in cases where the use of conventional CRLs is not an optimal solution. OCSP is an HTTP-based protocol that allows a relying party to submit a certificate status request to an OCSP responder. When the OCSP responder receives the request, it returns a definitive, digitally signed response indicating the certificate status to the client. Before configuring a CA to support the Online Responder service, you must ensure that the following conditions are met: IIS must be installed on the computer before the Online Responder can be installed. An OCSP Response Signing certificate template must be configured on the CA, and autoenrollment must be used to issue an OCSP Response Signing certificate to the computer on which the Online Responder will be installed. The URL for the Online Responder must be included in the AIA extension of certificates issued by the CA. This URL is used by the Online Responder client to validate certificate status. OCSP will not help a network device such as a router receive a certificate. You do not have to change the Publish Delta CRL setting. This setting, along with the Publish CRL Interval setting, determines how often a Certificate Revocation List (CRL) is published.
The Publish Delta CRL setting determines how often changes to the CRL are published. CAs can have large numbers of certificate revocations that clients need to download frequently, and the base CRL can become very large. To minimize frequent downloads of large CRLs, delta CRLs can be published: clients download the most current delta CRL, which contains all the changes since the last base CRL was published via the Publish CRL Interval setting, and combine it with the most current base CRL to obtain a complete list of revoked certificates. In this scenario, you should install the MSCEP role service to issue certificates to network devices. You should not assign the routers and network devices the Autoenroll permission in a certificate template. You can only assign permissions in a certificate template to Active Directory objects, and a router or network device is not an Active Directory object.

Item: 94 (Ref:Cert-70-640.4.6.5)
You are the network administrator of your company. The company's network consists of a single Active Directory domain. You install Windows Server 2008 on all servers on the network. You want to configure multiple password policies in the domain. To achieve this, you want to configure fine-grained password policies. What is the minimum domain functional level that is required for configuring fine-grained policies?
( ) Windows 2000 Server native
( ) Windows Server 2003 mixed
( ) Windows Server 2003 native
( ) Windows Server 2008

Answer: Windows Server 2008

Explanation:
The option stating Windows Server 2008 is correct. Windows Server 2008 allows you to define different password and account lockout policies for different sets of users in a domain. You can use fine-grained password policies to specify multiple password policies within a single domain. Fine-grained password policies apply only to user objects and global security groups. To configure fine-grained password policies, the domain functional level must be Windows Server 2008. If you do not create fine-grained password policies for different sets of users, the Default Domain Policy settings apply to all users in the domain.

Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You can add users of the OU as members of the newly created shadow group, and then apply the fine-grained password policy to this shadow group. The options stating Windows 2000 Server native, Windows Server 2003 mixed, and Windows Server 2003 native are incorrect. To configure fine-grained password policies, the domain functional level must be Windows Server 2008.
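The shadow-group procedure described above, as an added PowerShell example that is not part of the Transcender explanation. It creates the Password Settings Object (PSO) with ldifde and the shadow group with the ds* command-line tools instead of ADSI Edit. The domain verigon.com, the Sales OU, the group and PSO names and the policy values are constructed for illustration; the script must run on a domain controller as a Domain Admin, and the domain functional level must already be Windows Server 2008.

```powershell
# Added example (not Transcender's code): fine-grained password policy via a shadow group.
# Domain, OU, group and PSO names below are constructed placeholders.
$domain  = "DC=verigon,DC=com"
$salesOU = "OU=Sales,$domain"
$groupDN = "CN=Sales-PSO-Members,$salesOU"
$psoDN   = "CN=Sales-PSO,CN=Password Settings Container,CN=System,$domain"

# 1. Shadow group: a global security group that stands in for the OU, because a
#    PSO can only be applied to users and global security groups, never to an OU.
& dsadd group $groupDN -secgrp yes -scope g

# 2. Populate it with every user account under the OU. dsquery prints quoted DNs,
#    which dsmod reads from the pipeline. Re-run this step whenever the OU changes;
#    nothing keeps the shadow group in sync automatically.
& dsquery user $salesOU -limit 0 | & dsmod group $groupDN -addmbr

# 3. The PSO itself as LDIF. All ten msDS-* settings are mandatory attributes of the
#    msDS-PasswordSettings class. Durations are negative 100-nanosecond intervals:
#      1 day   = -864000000000      30 minutes = -18000000000
#      42 days = -36288000000000
#    If several PSOs apply to one user, the lowest precedence value wins.
$ldif = @"
dn: $psoDN
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 14
msDS-MinimumPasswordAge: -864000000000
msDS-MaximumPasswordAge: -36288000000000
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: -18000000000
msDS-LockoutDuration: -18000000000
msDS-PSOAppliesTo: $groupDN
"@
$ldifPath = Join-Path $env:TEMP "sales-pso.ldf"
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
# -i import, -k keep going if the object already exists, -j folder for ldif.log/ldif.err
& ldifde -i -f $ldifPath -k -j $env:TEMP
if ($LASTEXITCODE -ne 0) { throw "ldifde failed; see $env:TEMP\ldif.err" }

# 4. Verify which PSO actually governs each Sales user: dsget evaluates the
#    constructed msDS-ResultantPSO attribute. Users outside the shadow group fall
#    back to the Default Domain Policy.
& dsquery user $salesOU -limit 0 | & dsget user -samid -effectivepso
```

The verification step matters because a user who is a member of several groups with PSOs, or who has a PSO applied directly, may end up under a different policy than the one you just created; checking the effective PSO shows what the domain controller will actually enforce at the next password change or logon.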

Item: 95 (Ref:Cert-70-640.2.4.9)
You are the network administrator for your company. The company's logical network design consists of a single Active Directory domain. All servers run Windows Server 2008, and all client computers run Windows XP Professional with Service Pack 2. The company has Active Directory sites configured as shown in the exhibit. (Click the Exhibit(s) button.) On dc3, you create a new Group Policy object (GPO) named ExcelInstall. You configure the ExcelInstall GPO to assign Microsoft Excel to users who receive the policy settings. The GPO is then linked to the domain. Users in Site2 report that the assigned software is not advertised on the Start menu. You verify that all users in Site2 are receiving the same result. However, users in Site1 report that Microsoft Excel is advertised from the Start menu. You must ensure that all users in the domain have the ability to access the assigned software. Your solution should provide the least amount of disruption to network users. What should you do?
( ) Instruct all users in Site2 to restart their computers.
( ) From dc3, link the ExcelInstall GPO to the Site2 container.
( ) From Site1, manually force replication between Site1 and Site2.
( ) Instruct all users in Site2 to run gpupdate from the command line on their computers.
( ) Modify the ExcelInstall GPO to publish the application to all computers in the domain.

Answer: From Site1, manually force replication between Site1 and Site2.

Explanation:
You should manually force replication between Site1 and Site2. The software is successfully distributed in the site where the Group Policy object (GPO) is assigned, but the settings are not being received by users in the remote site. This indicates that the settings, which for Software Installation policies are stored in both Active Directory and the SYSVOL folder, are not being replicated to domain controllers in the site. The Group Policy container is located in Active Directory, while Group Policy templates and scripts are stored in the SYSVOL folder. If changes are being made to GPOs and the new settings are not being applied to users or computers in remote sites, replication could be the problem. You can use Active Directory Sites and Services or Repadmin with the appropriate switches to force replication. It is important to remember that you cannot force replication of the SYSVOL folder. If the Group Policy container in Active Directory and the SYSVOL folder become unsynchronized, the Software Installation policy will be available to site clients, but the installation of the specified software will fail until the SYSVOL folder is replicated.

You can use the Repadmin tool in a batch file to force replication. This tool allows you to force replication with replication partners. The following example uses the replicate operation of the Repadmin tool to make a server named DC4 initiate replication of the domain directory partition for kaplanit.com from a server named DC2. In this example, DC2 is the source server and DC4 is the destination server:

repadmin /replicate dc4.kaplanit.com dc2.kaplanit.com dc=kaplanit,dc=com

You should not instruct all users in Site2 to restart their computers. Because the Software Installation policy settings are not being applied to all users in the site, a replication problem is indicated. Restarting all computers will be disruptive to network users and is unlikely to resolve the problem. You should not link the ExcelInstall GPO to the Site2 container from dc3. This option will produce duplicate settings from the domain and site linkages and will still rely on replication for the software to be properly distributed. You should not instruct all users in Site2 to run gpupdate from the command line on their computers. If the Software Installation policy settings are not being replicated, using gpupdate to reapply Group Policy settings will not provide the desired outcome. You cannot modify the ExcelInstall GPO to publish the application to all computers in the domain. Using Group Policy, software can be published to users, assigned to users, or assigned to computers. You cannot publish software to computers.

Item: 96 (Ref:Cert-70-640.1.3.6)
You are the senior network administrator for your company, which has a main office in Portland and a branch office in Seattle. The company's network consists of a single Active Directory domain. You install Domain Name System (DNS) on a Windows Server 2008 computer in the main office, named DNS1, which contains the primary zone. You install a new UNIX DNS server in the Seattle branch office. You are in the process of configuring DNS1 for interoperability with the UNIX DNS server. You are required to ensure that DNS1 is able to replicate DNS zones with the UNIX server in the branch office. To achieve this, you want to disable the fast zone transfer method on DNS1 so that DNS1 transfers only one record per packet during zone transfer. What should you do?
( ) Configure DNS1 to use Windows Internet Name Service (WINS) resolution.
( ) Disable netmask ordering on DNS1.
( ) Configure the refresh interval on the Start of Authority (SOA) tab on the DNS1 properties sheet to one hour.
( ) Enable Berkeley Internet Name Domain (BIND) secondaries on DNS1.

Answer: Enable Berkeley Internet Name Domain (BIND) secondaries on DNS1.

Explanation:
You should enable Berkeley Internet Name Domain (BIND) secondaries on DNS1. Enabling the BIND secondaries option disables the fast zone transfer method on Windows Server 2008, which enables the server to make successful zone transfers to DNS servers that support BIND versions earlier than version 4.9.4. Windows Server 2008 supports two types of zone file replication, namely full zone transfer (AXFR) and incremental zone transfer (IXFR). In AXFR, the entire zone file is replicated. In IXFR, only records that have been modified are replicated. Berkeley Internet Name Domain (BIND) version 4.9.3 and earlier DNS server software, such as UNIX DNS and Windows NT 4.0 DNS, only support full zone transfers. There are two types of AXFR: one requires a single record per packet, and the other allows multiple records per packet. The Windows Server 2008 DNS service supports both types of zone transfer and uses multiple records per packet by default. Therefore, to configure your Windows Server 2008 DNS server to successfully work and replicate with a UNIX DNS server, you should disable the fast zone transfer method by selecting the BIND secondaries option in the Server options list on the Advanced tab in the properties sheet for DNS1.

You should not configure DNS1 to use Windows Internet Name Service (WINS) resolution. Configuring a DNS server to use WINS resolution enables the DNS service to look up names that are not found in the DNS domain namespace by checking the NetBIOS namespace managed by WINS. Configuring DNS1 to use WINS resolution will not disable the fast zone transfer method on DNS1. You should not disable netmask ordering on DNS1. Netmask ordering allows you to use one host name for multiple IP addresses. Disabling netmask ordering will not disable the fast zone transfer method on DNS1. You should not configure the refresh interval on the Start of Authority (SOA) tab on the Properties sheet of DNS1 to one hour. The refresh interval on the Start of Authority (SOA) tab determines how often the secondary server polls the primary server for updates. Configuring the refresh interval will not disable the fast zone transfer method on DNS1.

Item: 97 (Ref:Cert-70-640.4.3.9)
You are a network administrator for your company. The corporate network consists of a single Active Directory domain where all servers run Windows Server 2008 and all client computers run Windows XP Professional. Users in the Sales department must use restricted desktops where certain features are disabled. You place all Sales users into an organizational unit (OU) named Sales, configure a Group Policy object (GPO) with the appropriate user policies that restrict user desktops, and link that GPO to the Sales OU. Later, several supervisors in the Sales department complain that they cannot perform some of their job-related tasks because the desktops on their computers are restricted. You must ensure that all Sales users, except supervisors, receive restricted desktops. The Sales supervisors should receive normal, unrestricted desktops. Which of the following should you do?
( ) In the Sales OU, create a child OU and move the supervisors' user accounts into the child OU. Enable the Block Policy inheritance option for the child OU.
( ) In the Sales OU, create a child OU and move the supervisors' user accounts into the child OU. Create a new GPO where all desktop restriction policies are set to Not configured and link that GPO to the child OU.
( ) Filter the scope of the GPO, create a group named Supervisors, add the supervisors' user accounts to that group, and assign the Allow - Apply Group Policy permission for the GPO to the Supervisors group.
( ) In the Sales OU, create a child OU and move the supervisors' user accounts into the child OU. Link the original GPO where the desktop restriction policies are configured to the child OU and enable the Enforced option for this link.

Answer: In the Sales OU, create a child OU and move the supervisors' user accounts into the child OU. Enable the Block Policy inheritance option for the child OU.

Explanation:
For the policies that are configured in a GPO to take effect, the GPO must be linked to an Active Directory container, such as a site, domain, or OU. User-specific policies in a GPO apply to user objects, and computer-specific policies apply to computer objects in those Active Directory containers. By default, a GPO that is linked to a parent container also applies to all child containers of that parent container. If multiple GPOs apply to the same user or computer, then the GPOs that are linked to a higher-level container are applied before the GPOs that are linked to lower-level containers. If configured policy settings in multiple GPOs are in conflict, then the settings in the GPOs that are applied later will overwrite the settings that were applied earlier. Policies that are not configured in a GPO are ignored; they do not conflict with configured policies in other GPOs. The Block Policy inheritance option for a domain or OU and the Enforced option for a GPO link can be used to change the default order of GPO precedence. If Block Policy inheritance is enabled for a child container, then the GPOs that are linked to parent containers do not apply to that child container. If Enforced is enabled for a GPO link, then that GPO applies all the way down the hierarchy, even if Block Policy inheritance is enabled for any child containers.

In this scenario, to prevent the GPO with desktop restriction policies from applying to the supervisors' user accounts, you can create a child OU in the Sales OU, place the supervisors' user accounts into the child OU, and enable Block Policy inheritance for the child OU. Another possible solution is to filter the scope of the GPO so that it would not apply to the supervisors' user accounts. To filter the scope of the GPO, you can create a group named Supervisors, add the supervisors' user accounts to that group, and assign the Deny - Apply Group Policy permission for the GPO to the Supervisors group.

You should not assign the Allow - Apply Group Policy permission for the GPO to the Supervisors group. Assigning the Allow - Apply Group Policy permission for the GPO to the Supervisors group would apply the restrictive desktop policy of the GPO. If, in an attempt to override the original GPO that contains the configured desktop restriction policies, you created a GPO with no configured policies in it, then that new GPO would have no effect, regardless of the container to which it was linked and regardless of the Enforced option. Policies that are not configured do not conflict with configured policies in other GPOs. Linking the original GPO both to the Sales OU and to a child OU and enabling Enforced for the link to the child OU would not be feasible in this scenario because all users in the Sales and child OUs would still be subject to the same desktop restrictions.

Item: 98 (Ref:Cert-70-640.2.4.3)
You are the network administrator for your company. The company has a main office and a branch office. All servers on the network run Windows Server 2008. Each office has its own Active Directory domain. The domain controller in the main office is named DC1 and the domain controller in the branch office is named DC2. Each office is configured as a separate Active Directory site. You want to configure Active Directory replication between both the sites. Which tool or tools can you use to configure Active Directory replication between DC1 and DC2? (Choose all that apply. Each correct answer represents a complete solution.)
[ ] Active Directory Sites and Services
[ ] Active Directory Domains and Trusts
[ ] Repadmin.exe
[ ] Ldp.exe
[ ] Wbadmin.exe
[ ] Ntdsutil.exe

Answer: Active Directory Sites and Services; Repadmin.exe

Explanation:
You can use the Active Directory Sites and Services snap-in or Repadmin.exe to configure Active Directory replication. The Active Directory Sites and Services snap-in runs on domain controllers and is installed automatically when you install Active Directory. The Active Directory Sites and Services snap-in provides a view into the Sites container of the configuration directory partition, and can be used to manage Active Directory replication topology. Repadmin.exe is a command-line tool that can be used to view the replication information on domain controllers. By using the Repadmin.exe tool, you can determine the last successful replication of all directory partitions, identify inbound and outbound replication partners, view object metadata, manage Active Directory replication topology both for AD DS and AD LDS replication, and identify the current bridgehead servers. A bridgehead server is a domain controller in a site that has been either assigned or, if not assigned, automatically chosen to replicate changes collected from other domain controllers in the site to bridgehead servers in other sites. You can also use the Repadmin.exe tool to force replication of an entire directory partition or a single object, and to list domain controllers in a site.

Ntdsutil.exe is also a command-line tool that provides management capabilities for Active Directory. You can use Ntdsutil.exe to remove replication metadata left behind by domain controllers that are removed from the network without uninstalling Active Directory. This ensures a smaller amount of data to replicate. You can also use Ntdsutil.exe to perform Active Directory database maintenance and to manage and control single-master operations. You cannot use Ntdsutil.exe to force a replication of Active Directory data. The options stating Active Directory Domains and Trusts, Ldp.exe, and Wbadmin.exe are incorrect because these tools cannot be used to configure Active Directory replication. Active Directory Domains and Trusts is a Microsoft Management Console (MMC) snap-in that can be used to create and manage trusts between domains and sites. Wbadmin.exe is a command-line tool that allows you to back up and restore your computer, volume, and files from a command prompt. The Ldp.exe tool is a Lightweight Directory Access Protocol (LDAP) tool that can be used to view and modify Active Directory Lightweight Directory Services (AD LDS) data.

Item: 99 (Ref:Cert-70-640.1.3.3)
You are the systems administrator of Verigon Corporation. The company has a single domain with a main office and five branch offices. Each office has its own Active Directory site in a single forest. Each site has a domain controller running Windows Server 2008, and each domain controller has DNS server with an Active Directory-integrated zone for the domain. Several users from a branch office reported that they were unable to log on to several intranet Web servers. You investigated, and discovered that an A record had been created for the Web servers in the DNS server at the main office. You now want to synchronize replication with all replication partners, while ensuring that all directory partitions that are held on the DNS server at the main office are synchronized with other domain controllers in the forest. Which command should you run?
( ) Run the Repadmin /syncall command with the /P parameter.
( ) Run the Repadmin /syncall command with the /d parameter.
( ) Run the Repadmin /syncall command with the /e parameter.
( ) Run the Repadmin /syncall command with the /A parameter.

Answer: Run the Repadmin /syncall command with /A parameter.

Explanation:
You should run the Repadmin /syncall command with the /A parameter. You need to replicate the Active Directory zone from the main office to the other branch offices. The /A parameter ensures that all directory partitions that are held on the home server are synchronized. You should not run the Repadmin /syncall command with the /P parameter. The /P parameter is used to push changes outward from the home server. Using the /P parameter in the Repadmin /syncall command will not ensure that all directory partitions that are held on the home server are synchronized. You should not run the Repadmin /syncall command with the /d parameter. The /d parameter is used to identify servers by distinguished name in messages. Using the /d parameter in the Repadmin /syncall command will not ensure that all directory partitions that are held on the affected domain controller are synchronized with other domain controllers in the forest. You should not run the Repadmin /syncall command with the /e parameter. The /e parameter ensures that replication partners in all sites are included in the replication synchronization. Using the /e parameter will not ensure that all directory partitions held on the affected domain controller are synchronized with other domain controllers in the forest.
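Items 95 and 99 both come down to forcing replication with Repadmin and then checking that it worked. The PowerShell script below is an added example, not code from the Transcender explanations: it runs the /replicate form quoted in item 95, then the /syncall /A /e form from item 99, and finally compares the GPO version number stored in Active Directory with the version in GPT.INI on each domain controller's SYSVOL share, which is the part Repadmin cannot move. The host names and naming context are the kaplanit.com values from item 95 and the GPO name ExcelInstall is from its question; everything else is assumed. Run it on a domain controller, or on a workstation with RSAT, as an account allowed to force replication.

```powershell
# Added example (not Transcender's code): force replication and verify that AD and
# SYSVOL agree on a GPO's version. Names are taken from the explanation or assumed.
$dest    = "dc4.kaplanit.com"      # destination DC, the one that is behind
$source  = "dc2.kaplanit.com"      # source DC that already holds the change
$domNC   = "dc=kaplanit,dc=com"    # domain directory partition (naming context)
$dnsName = "kaplanit.com"          # used to build the SYSVOL share path
$gpoName = "ExcelInstall"

# 1. Replicate the domain partition from $source to $dest (item 95's command).
& repadmin /replicate $dest $source $domNC

# 2. Item 99: synchronize every partition $dest holds (/A) with its partners in all
#    sites (/e). /P would push changes outward instead; /d only changes how
#    servers are named in the output.
& repadmin /syncall $dest /A /e

# 3. Replication health: inbound status per partner, plus a forest-wide summary.
& repadmin /showrepl $dest
& repadmin /replsummary

# 4. SYSVOL is not touched by repadmin, so compare the version number stored on the
#    Group Policy container in AD against the version in GPT.INI on each DC's
#    SYSVOL share. A mismatch on $dest means the template has not arrived yet and
#    software installation will fail there even though the policy is visible.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$source/CN=Policies,CN=System,$domNC"
$searcher.Filter = "(&(objectClass=groupPolicyContainer)(displayName=$gpoName))"
$gpc = $searcher.FindOne()
if ($gpc -eq $null) { throw "GPO '$gpoName' not found in $domNC" }
$adVersion = [int]$gpc.Properties["versionnumber"][0]
# gPCFileSysPath ends in \Policies\{GUID}; the GUID names the SYSVOL folder
$gpoGuid   = Split-Path -Leaf ([string]$gpc.Properties["gpcfilesyspath"][0])

foreach ($dc in @($source, $dest)) {
    $gptIni = "\\$dc\SYSVOL\$dnsName\Policies\$gpoGuid\GPT.INI"
    $match  = Select-String -Path $gptIni -Pattern '^Version=(\d+)' | Select-Object -First 1
    $sysvolVersion = [int]$match.Matches[0].Groups[1].Value
    $state = if ($sysvolVersion -eq $adVersion) { "in sync" } else { "SYSVOL BEHIND" }
    "{0}: AD version {1}, SYSVOL version {2} -> {3}" -f $dc, $adVersion, $sysvolVersion, $state
}
```

Step 4 is the check that distinguishes "the GPO replicated" from "the software will install": the version number on the container and in GPT.INI are written together when the GPO is edited, so a destination DC that shows the AD version but an older SYSVOL version is exactly the unsynchronized state the explanation warns about, and the only remedy is to wait for (or troubleshoot) SYSVOL replication.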

Item: 100 (Ref:Cert-70-640.2.3.4)
Your corporate network consists of a single Active Directory domain that spans three sites, as shown in the following image:

There are no domain controllers in Site1, and you want users in Site1 to log on by using domain controllers only from Site2. Which of the following should you do?
( ) Change the cost of the site link between Site1 and Site3 to 50.
( ) Change the cost of the site link between Site1 and Site2 to 150.
( ) Configure the subnet object that corresponds to the IP address range of the client computers in Site1 to belong to Site2.
( ) Move the computer objects for the client computers from Site1 to Site2.

Answer: Configure the subnet object that corresponds to the IP address range of the client computers in Site1 to belong to Site2.

Explanation:
If there are no domain controllers in a site, then the client computers in that site will send user logon requests to the site or sites with the lowest site link cost where domain controllers are available. To ensure that users in Site1 authenticate to domain controllers only from Site2 in this scenario, you can either reduce the cost of the site link between Site1 and Site2 or configure the client computers in Site1 to belong to Site2. You should use Active Directory Sites and Services to reconfigure the subnet object that corresponds to the IP address range of the client computers in Site1 to belong to Site2. You can then delete Site1 altogether because, once you have configured all its computers to belong to Site2, Site1 will be left empty. Only server objects for domain controllers can be explicitly moved between sites; computer objects for member servers and client computers cannot be moved between sites because their site affiliations are determined automatically based on their IP addresses. Computer objects for member servers and client computers do not appear in Active Directory Sites and Services.

Item: 101 (Ref:Cert-70-640.4.1.1)
You are the network administrator for your company. Your company's network has a single forest with three domains. All domain controllers in your forest run Windows Server 2008. You will be expanding the personnel in one of your domains by an additional 200 users. You have created a spreadsheet with the properties of the new user accounts. You want to import the spreadsheet into Active Directory. What should you do?
( ) Run CSVDE to import the accounts and REPADMIN to replicate the accounts to the other domain controllers.
( ) Export the spreadsheet to a comma delimited text file. Use Active Directory Users and Computers to import the file into the appropriate domain. Use REPADMIN to replicate the accounts to the other domain controllers.
( ) Export the spreadsheet to a comma delimited text file. Use Active Directory Users and Computers to import the file into the appropriate domain. Use RSDIAG to replicate the accounts to the other domain controllers.
( ) Run CSVDE to import the accounts and RSDIAG to replicate the accounts to the other domain controllers.

Answer: Run CSVDE to import the accounts and REPADMIN to replicate the accounts to the other domain controllers.

Explanation:
You should use CSVDE to import the accounts. The CSVDE utility can be used to import a comma-delimited file into Active Directory. However, this utility can be used to import only new objects; it cannot be used to modify existing objects. The LDIFDE utility can be used to import new or modified objects into Active Directory. However, LDIFDE does not use comma-delimited or tab-delimited files; it uses a special file format named the LDAP directory interchange file (LDIF). You cannot use Active Directory Users and Computers to import accounts from a file. You should use REPADMIN to force replication of the newly imported accounts to other domain controllers. You can use either the Repadmin or Replmon command-line tools to manually force the replication of a specific directory partition to other domain controllers. You cannot use RSDIAG to force replication of the newly imported accounts to other domain controllers. This tool is a command-line tool that examines Remote Storage (HSM) databases and displays diagnostic information in text format about migration jobs, managed volumes of the version of the NTFS file system used in Windows Server 2003, and physical media, as well as other Remote Storage information used for system analysis. RSDIAG does not replicate Active Directory information.
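The import described above, as an added PowerShell example that is not part of the Transcender explanation. It writes a small CSV in the layout CSVDE expects, runs the import, and then pushes the new objects to the other domain controllers with Repadmin. The domain verigon.com, the Sales OU and the two sample users are constructed placeholders; run it on a domain controller as an account that may create user objects in that OU.

```powershell
# Added example (not Transcender's code): bulk-create users from a CSV with CSVDE,
# then replicate them with repadmin. Domain, OU and the sample users are constructed.
$domNC   = "DC=verigon,DC=com"
$csvPath = Join-Path $env:TEMP "newusers.csv"

# CSVDE needs the DN and objectClass of each object; the remaining headers are LDAP
# attribute names. CSVDE cannot import passwords, so the accounts are created
# disabled (userAccountControl 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE) and stay that
# way until an administrator sets a password and enables each one.
$rows = @"
DN,objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName,userAccountControl
"CN=Ann Ho,OU=Sales,$domNC",user,ann.ho,ann.ho@verigon.com,Ann,Ho,Ann Ho,514
"CN=Bo Li,OU=Sales,$domNC",user,bo.li,bo.li@verigon.com,Bo,Li,Bo Li,514
"@
Set-Content -Path $csvPath -Value $rows -Encoding ASCII

# -i import mode, -f input file, -k skip rows that already exist instead of
# aborting, -j folder for csv.log / csv.err. CSVDE only adds objects; changing
# existing ones requires LDIFDE.
& csvde -i -f $csvPath -k -j $env:TEMP
if ($LASTEXITCODE -ne 0) { throw "csvde reported errors; see $env:TEMP\csv.err" }

# Confirm the object exists on this DC, then push this DC's copy of the domain
# partition outward (/P) to its partners in every site (/e).
& dsquery user "OU=Sales,$domNC" -samid "ann.ho"
& repadmin /syncall $env:COMPUTERNAME $domNC /e /P
```

Leaving the accounts disabled is the safe default rather than a limitation to work around: an account with no password that is enabled at import time would be usable the moment replication delivers it, so the enable step belongs with the password hand-off, not with the bulk import.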

Item: 102 (Ref:Cert-70-640.1.3.1)
You are a network administrator for your company. The network consists of a single Active Directory domain that contains five Windows Server 2008 computers, 500 Windows Vista computers, and 250 Windows XP Professional computers. The network includes an internal DNS server named DNS1INT and an external DNS server named DNS1Ext. DNS1Ext hosts only the records for your company's Web, FTP, and mail servers. These servers handle a high volume of connections from both intranet and Internet sources and are configured with static IP addresses. Multiple secondary DNS servers are being deployed on the external segment of the network to improve name resolution performance for Internet-based users. You monitor the newly deployed servers by using System Monitor and notice that the Transfer SOA Requests Sent value is high. You want to minimize the bandwidth required for the zone transfer SOA requests sent by all secondary DNS servers. You also want to ensure that only authorized servers can receive copies of this zone file. What modifications should you perform on DNS1Ext? (Choose two. Each correct answer presents part of the solution.)
[ ] Disable dynamic updates.
[ ] Increase the time to live for the SOA record.
[ ] Decrease the time to live for the SOA record.
[ ] Increase the value of the Refresh interval in the SOA record.
[ ] Decrease the value of the Refresh interval in the SOA record.
[ ] Configure the notify list to include the secondary DNS servers.

Answer: Increase the value of the Refresh interval in the SOA record; Configure the notify list to include the secondary DNS servers.

Explanation:
Zone transfers are always initiated by requests sent by secondary DNS servers. These requests typically occur when the DNS Service on the secondary server is started, when the refresh interval expires, and when new changes are made and saved in the primary zone file. To ensure that the primary DNS server, which hosts the primary zone file, will only respond to zone file transfer requests from authorized DNS servers, you should configure the notify list on DNS1Ext to include all authorized secondary DNS servers. You can also reduce the number of requests sent by increasing the value of the Refresh interval in the start of authority (SOA) record. Increasing the value of the Refresh interval in the SOA record will cause the secondary DNS servers to request updates less frequently, resulting in a decrease in network traffic. However, decreasing this value ensures that the DNS data is updated more frequently, and could possibly result in an increase in network traffic for the transfer of SOA records.

You should not disable dynamic updates on DNS1Ext. Dynamic DNS (DDNS) updates allow DNS clients to automatically register their host (A) and PTR records in the master zone file. This feature should not be enabled on an externally placed DNS server. The status of this service will have no effect on zone file transfer behavior. You should not increase or decrease the TTL for the SOA record on DNS1Ext. A DNS server caches a query result for a specified amount of time, called the time to live (TTL). A longer TTL will increase the time that records, such as the SOA record, are allowed to be cached by servers and applications. Increasing the TTL will decrease network traffic associated with DNS queries. However, this setting will have no effect on zone file transfer behavior. You should not decrease the value of the Refresh interval in the SOA record on DNS1Ext. Decreasing this value ensures that the DNS data is updated more frequently, and could result in an increase in network traffic for the transfer of SOA records.
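The settings from items 96 and 102 can also be applied from the command line with dnscmd, which is useful when the same change has to be repeated on several servers. The script below is an added PowerShell example and not part of the Transcender explanations. Server names DNS1 and DNS1Ext come from the two items; the zone name verigon.com, the secondary server addresses, the SOA contact and serial are constructed placeholders, and the SOA field order follows dnscmd's documented form for re-adding an SOA record. Run it as a DNS administrator.

```powershell
# Added example (not Transcender's code): dnscmd equivalents of the GUI settings in
# items 96 and 102. Zone, addresses and SOA values are constructed placeholders.

# Item 96 - on DNS1: send one resource record per zone transfer packet so that
# UNIX/BIND secondaries older than 4.9.4 can load the zone. Transfers get slower,
# so enable it only on servers that actually feed such secondaries.
& dnscmd DNS1 /Config /BindSecondaries 1

# Item 102 - on DNS1Ext for the external zone: hand the zone only to the listed
# secondaries (/SecureList) and send NOTIFY only to them (/NotifyList), so an
# unauthorized host cannot pull a copy of the zone and the secondaries learn of
# changes without polling for them.
$zone        = "verigon.com"
$secondaries = @("203.0.113.10", "203.0.113.11")   # constructed addresses
& dnscmd DNS1Ext /ZoneResetSecondaries $zone /SecureList $secondaries /NotifyList $secondaries

# Raise the SOA refresh interval so the secondaries poll for the SOA serial less
# often. Re-adding the SOA replaces the zone's existing SOA; the fields are:
# primary server, responsible mailbox, serial, refresh, retry, expire, minimum TTL
# (intervals in seconds). Refresh goes from the 900 s default to 7200 s; retry
# stays shorter than refresh and the serial is bumped so secondaries notice.
& dnscmd DNS1Ext /RecordAdd $zone "@" SOA dns1ext.verigon.com. hostmaster.verigon.com. 2009060101 7200 600 86400 3600

# Confirm all three changes.
& dnscmd DNS1 /Info
& dnscmd DNS1Ext /ZoneInfo $zone
& dnscmd DNS1Ext /EnumRecords $zone "@" /Type SOA
```

The /SecureList and /NotifyList settings are the command-line form of the Zone Transfers tab: the first restricts who may transfer the zone, the second limits who is told that it changed. Configuring only the notify list, as the exam answer does, still leaves the transfer itself open unless the "only to the following servers" restriction is set as well, so in practice both lists are kept identical.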

Item: 103 (Ref:Cert-70-640.2.5.1)
You are the network administrator for your company. The company has a head office in Atlanta and a branch office in Boston. The head office network consists of Windows Server 2008 domain controllers and the branch office network consists of Windows Server 2003 domain controllers. The branch office has 45 users that are members of a single organizational unit (OU). The branch office is connected to the head office by using a low bandwidth connection. To ensure efficient user logon to the domain, you plan to enable universal group membership caching. On which Active Directory object should you enable the universal group membership caching?
( ) OU
( ) domain
( ) hub site
( ) branch office site

Answer: branch office site

Explanation:
You should enable universal group membership caching in the branch office site. Universal group membership caching should be enabled in a site that is connected by a low bandwidth connection or that has hardware limitations on the DC, such as low hard disk space, that prohibit installing the global catalog. Enabling universal group membership caching provides efficient user logon in situations of low or no network bandwidth. If you install a Windows Server 2008 read-only domain controller (RODC) in a branch office, universal group membership caching is enabled by default for that site. You should not enable universal group membership caching in the OU, the domain, or the hub site. Universal group membership caching should only be enabled on a site that is connected to a hub site via low network bandwidth or in sites that have fewer than 100 users. This ensures efficient user logon to the domain.

Item: 104 (Ref:Cert-70-640.5.3.1)


You are the network administrator for a company that manufactures cricket equipment and sports apparel. Your company's network has a single domain with several different locations. All domain controllers run Windows Server 2008 and the functional level of the domain is Windows Server 2008. You want a file server in main office, called FS1, to collect all replication errors and warnings from all domain controllers at the main office and other locations. What should you do? (Choose two.)
On all domain controllers, start the Windows Error Reporting service and configure its start mode to Automatic.
On FS1, start the Windows Event Collector service and configure its start mode to Automatic.
On all domain controllers, start the Windows Remote Management (WinRM) service and configure its start mode to Automatic.
On FS1, install and start the Network Monitor service.
On all domain controllers, install and start the Network Monitor Agent service.

Answer: On FS1, start the Windows Event Collector service and configure its start mode to Automatic. On all domain controllers, start the Windows Remote Management (WinRM) service and configure its start mode to Automatic.

Explanation:
You should start the Windows Event Collector Service on FS1 and configure its start mode to Automatic, and start the Windows Remote Management (WinRM) service on all domain controllers and configure its start mode to Automatic. The Windows Event Collector service manages persistent subscriptions to events from remote sources, such as the domain controllers in the main office and other locations, that support the WS-Management protocol. These events include Windows Vista event logs, hardware events, and IPMI-enabled event sources. The service stores forwarded events in a local Event Log. The Windows Event Collector service's start mode should be set to Automatic because if this service is stopped or disabled, event subscriptions cannot be created and forwarded events cannot be accepted.

You should start the Windows Remote Management (WinRM) service on FS1 and configure its start mode to Automatic. The Windows Remote Management (WinRM) service implements a standard Web services protocol called WS-Management that is used for software and hardware management. The WinRM service provides access to WMI data and enables event collection. For event collection and subscription to events to function, the service must be running. The WinRM service needs to be configured with a listener using either the winrm.cmd command-line tool or Group Policy in order for it to listen over the network.

You do not have to start the Windows Error Reporting service and configure its start mode to Automatic. This service is started automatically. The Error Reporting service allows errors to be reported to Microsoft when programs stop working or responding, and allows existing solutions to be delivered. It also allows logs to be generated for diagnostic and repair services. Although this service is important for general functioning, it is not required to forward events.

You should not install the Network Monitor service on FS1 or install the Network Monitor Agent service on the domain controllers. The Network Monitor service and Network Monitor Agent service allow you to capture packets and analyze traffic. You cannot use Network Monitor to collect replication errors.

You can configure an event subscription in the Event Viewer. Right-click Subscriptions and choose Create Subscription. In the Subscription Properties dialog box, you can specify the computers from which logs should be collected, and define what events to collect.
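The collector-initiated subscription described above, written out as commands rather than clicked through in Event Viewer. This is an added example, not part of the Transcender item; the host names (FS1, dc1/dc2 in the constructed domain verigon.com) are placeholders, and the query limits forwarding to Critical, Error and Warning events (Level 1 to 3) from the Directory Service log, which is where NTDS replication problems are written.

```powershell
# Added example (not from the Transcender item): collecting AD replication
# errors and warnings from every domain controller on a collector server
# (FS1) with Windows Event Forwarding. Host names are constructed.

# --- On every domain controller (event source) ---
# Enable the WinRM service, set it to Automatic and create the default
# HTTP listener; -q suppresses the confirmation prompts.
winrm quickconfig -q
# For a collector-initiated subscription the collector's computer account
# must be able to read the source logs (constructed account name).
net localgroup "Event Log Readers" "VERIGON\FS1$" /add

# --- On FS1 (collector) ---
# Configure the Windows Event Collector service: start mode Automatic,
# service started, ForwardedEvents log enabled.
wecutil qc /q

# Subscription definition in the schema wecutil cs expects.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/ws-management/subscription">
  <SubscriptionId>AD-Replication-Problems</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Replication errors and warnings from all DCs</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Directory Service">
        <Select Path="Directory Service">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>dc1.verigon.com</Address></EventSource>
    <EventSource Enabled="true"><Address>dc2.verigon.com</Address></EventSource>
  </EventSources>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP "ad-repl-subscription.xml"
$subscription | Out-File -FilePath $xmlPath -Encoding ASCII
wecutil cs $xmlPath

# Verify: subscription settings and the per-source status (active/inactive,
# last error) that tell you whether a DC is actually forwarding.
wecutil gs AD-Replication-Problems
wecutil gr AD-Replication-Problems
```

With WinRM listening on the DCs and the collector service running, forwarded events land in the ForwardedEvents log on FS1. If SYSVOL replication is also of interest, add a second `<Query>` against the DFS Replication log with the same level filter.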


Item: 105 (Ref:Cert-70-640.4.2.9)


You are the systems administrator of your company. The company's network consists of a single Active Directory domain. There are 1,000 client computers on the network that run Windows Vista. Each department has its own Organizational Unit (OU) in the domain that contains users and computers for the department. You want to change the computer names for 150 client computers in the Sales department without altering the computers' location in the directory tree. Which command-line tool can you use?
Dsmod
Dsmove
Dsadd
Dsrm

Answer: Dsmove

Explanation:
You should use the Dsmove command-line tool to rename an object without altering its location in the directory tree. Dsmove is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server roles installed. Dsmove can be used to move a single object, within a domain, from its current location in the directory to a new location, or to rename a single object without moving it in the directory tree. The option stating Dsmod is incorrect. The Dsmod command-line utility can be used to modify attributes of Active Directory objects. However, Dsmod cannot be used to rename an object without altering its location in the directory tree.


The option stating Dsadd is incorrect. The Dsadd command-line utility can be used to add objects to Active Directory. You cannot use Dsadd to rename an object without altering its location in the directory tree. The option stating Dsrm is incorrect. The Dsrm utility is used to delete objects from the directory. You cannot use Dsrm to rename an object without altering its location in the directory tree.
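The rename described in this item, carried out for many computers at once with dsquery and dsmove. This is an added example and not part of the Transcender item; the OU path, domain name and the old/new name pairs are constructed.

```powershell
# Added example (not from the Transcender item): bulk-renaming computer
# objects in the Sales OU with dsmove. OU, domain and names are constructed.
$salesOU = "OU=Sales,DC=nutex,DC=com"

# In production this list would come from Import-Csv; it is embedded here
# so the script runs as-is.
$renames = @(
    @{ Old = "WS-0001"; New = "SALES-PC-0001" },
    @{ Old = "WS-0002"; New = "SALES-PC-0002" }
)

foreach ($pair in $renames) {
    # dsquery returns the distinguished name wrapped in double quotes.
    $dn = dsquery computer $salesOU -name $pair.Old -limit 1
    if (-not $dn) {
        Write-Warning "Computer $($pair.Old) not found in $salesOU; skipping"
        continue
    }
    $dn = ([string]$dn).Trim('"')

    # -newname changes only the object's relative distinguished name (CN).
    # Because -newparent is not given, the object stays in the same OU.
    dsmove $dn -newname $pair.New
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dsmove failed for $($pair.Old) (exit code $LASTEXITCODE)"
    }
}
```

Note that dsmove renames the directory object only: the computer's own host name, and its sAMAccountName and dNSHostName attributes, are unchanged until the computer itself is renamed.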

Item: 106 (Ref:Cert-70-640.1.1.1)


You are the network administrator for Verigon Corporation. The company has a single domain. You have a main office in Houston and branch offices in Atlanta and Chicago. The main office has a DNS server named DNS1 with the IP address 10.10.10.101. The Atlanta office has a DNS server named DNS2 with the IP address 10.10.15.112. The Chicago office has a DNS server named DNS3 with the IP address 10.10.20.78. The DNS configuration of the Atlanta office server, DNS2, is displayed in the exhibit. (Click on the Exhibit(s) button.) You employ several contractors in the Atlanta office who use portable computers. The contractors need access to shares on different servers and to several intranet resources. The portable computers are generating host records in the zone, and these records are now showing up on the DNS servers in other offices in the company. You want to ensure that only computers from the Verigon domain create records in the zone. What should you configure on DNS2?
Allow zone transfers to only the servers listed on the Name Servers tab.
Allow zone transfers to only the IP address of 10.10.10.101.
Change dynamic updates to Secure Only.
Change the replication scope to All DNS servers in the forest.

Answer: Change dynamic updates to Secure Only.

Exhibit: 70-640.1.1a

Exhibit: 70-640.1.1b

Explanation:
You should configure the zone to allow only dynamic updates that are Secure Only. In this scenario, contractors in the branch office are able to add records to the zone because the Dynamic Updates setting is set to Nonsecure and Secure. This configuration allows non-domain computers to add records to the zone. An Active Directory zone allows you to have secure dynamic updates and non-secure dynamic updates. Secure dynamic updates only allow computers that are members of the domain to add host (A) records in a forward lookup zone or PTR records in a reverse lookup zone. By selecting Secure Only in the Dynamic Updates field of the verigon.com Properties dialog box, you can configure secure dynamic updates.

You do not have to configure the Allow zone transfers setting to prevent the contractors from adding records into the zone. The Allow zone transfers setting can be used to restrict zone transfers to secondary servers and prevent people outside your company from viewing zone information with commands such as NSLOOKUP. You can restrict zone transfers to specific DNS servers by enabling the Allow zone transfers check box on the Zone Transfers tab, choosing Only to the following servers, and adding the specific IP addresses of those DNS servers. You can also restrict zone transfers to DNS servers listed on the Name Servers tab. Restricting zone transfers will not prevent computers that are not members of the domain, such as the contractors' computers, from adding records to the zone.

You should not change the replication scope to All DNS servers in the forest. This setting will replicate zone data to all DNS servers running on domain controllers in the Active Directory forest. If you want DNS servers running on domain controllers with the Windows 2000 Server operating system to load an Active Directory zone, you must set the Replication scope type on the General tab to All domain controllers in the Active Directory domain. None of the replication scope settings will prevent computers that are not part of the domain from adding records to the zone.

Item: 107 (Ref:Cert-70-640.4.7.7)


You are a network administrator for TXGlobal Corporation. There are three file servers in the network, named File-1, File-2, and File-3, that run Windows Server 2003. All file servers are connected to the domain, named txglobal.com. The domain controller is running Windows Server 2008. You install a new application on all three file servers. After the installation, the File-1 server restarts at random. You fix the problem by uninstalling and reinstalling the new application. However, you want to track all restart events on the client computers and all the files that users are accessing on the three file servers. What should you do?
Activate Audit system events and Audit object access policies.
Activate Audit logon events and Audit privilege use policies.
Activate Audit policy change and Audit account management policies.
Activate Audit process tracking and Audit account logon events policies.

Answer: Activate Audit system events and Audit object access policies.

Explanation:
You should activate Audit system events and Audit object access policies to track restart events and file access on the three file servers in this scenario. These two audit policies perform the following roles:

Audit system events policy: Audits events related to a computer restart or shutdown.
Audit object access policy: Audits when a user accesses an object. The objects include files, folders, printers, registry keys, and Active Directory objects.

You can configure these audit policies in Group Policy Object (GPO) settings either in the Graphical User Interface (GUI) mode or by using the Auditpol.exe command-line utility. The GPO must be linked to the appropriate organizational unit (OU) after you create the audit policy.

You should not activate Audit logon events and Audit privilege use policies to achieve the objectives in this scenario. These two policies perform the following roles:

Audit logon events policy: Audits each event related to a user logging on to, logging off from, or making a network connection to the computer configured to audit logon events.
Audit privilege use policy: Audits each event related to a user performing a task that is controlled by a User Rights Assignment in group policy.

You should not activate Audit policy change and Audit account management policies to achieve the objectives in this scenario. These two policies perform the following roles:

Audit policy change policy: Audits events related to a change to one of the three policy areas on a computer. These policy areas are User Rights Assignment, Audit Policies, and Trust relationships.
Audit account management policy: Audits events related to a user managing an account, such as a user, group, or computer.

You should not activate Audit process tracking and Audit account logon events policies to achieve the objectives in this scenario. These two policies perform the following roles:

Audit process tracking policy: Audits the events that are related to processes on the computer, such as program activation, process exit, handle duplication, and indirect object access.
Audit logon events policy: Audits the events that are related to a user logging on to, logging off from, or making a network connection to the computer configured to audit logon events.

Item: 108 (Ref:Cert-70-640.3.4.3)


You are the systems administrator for the Windows Server 2008 computers on your company's network. The network contains an Active Directory Federation Services (AD FS) server. The AD FS server is configured to provide Web-based Single Sign-On (SSO) capabilities to users in a partner organization. You want to create a claims-aware application to verify which claims are sent in AD FS security tokens by the Federation Service. Which three files should you create for the claims-aware application? (Choose three. Each correct answer represents part of the solution.)
Default.aspx
ApplicationHost.config
Web.config
Metabase.xml
Default.aspx.cs

Answer: Default.aspx, Web.config, Default.aspx.cs

Explanation:
You should create the Default.aspx, Web.config, and Default.aspx.cs files. AD FS is an identity access solution that allows browser-based clients to access one or more protected Internet-facing applications without being prompted for secondary credentials, even if the user accounts and applications are located in completely different networks or organizations. In any given federation relationship, the business partners can either be identified as a resource organization or an account organization. The account organization is the one that owns and manages the user accounts. The resource organization is the one that owns and manages resources that are accessible from the Internet. Users from the account organization access AD FS-enabled applications in the resource organization. AD FS provides a Web-based SSO solution that authenticates users to multiple Web applications during a single browser session. When you install AD FS, you configure its trust policy by using the AD FS snap-in to specify the list of partners with which you want to federate.

AD FS supports three types of claims: organization or identity claims, group claims, and custom claims. Claims are statements about users that are carried within security tokens and are used by Web applications to make authorization decisions. Claims originate from either an account store or an account partner. To verify which claims are sent in AD FS security tokens by the Federation Service, you should create a claims-aware application. A claims-aware application is a Microsoft ASP.NET application that uses claims in an AD FS security token to make authorization decisions and provide additional application personalization. The claims-aware application is made up of the following three files:

default.aspx
web.config
default.aspx.cs

The options stating ApplicationHost.config and Metabase.xml are incorrect because these files are not required to create a claims-aware application.

Item: 109 (Ref:Cert-70-640.4.7.5)


You are the network administrator for a new company. You deploy Windows Server 2008 and Windows Vista computers on the company network. You configure Active Directory Domain Services (AD DS) to manage users and other network resources. You want to set an audit policy to audit any user who accesses an Active Directory object. Which audit policy should you enable?
Enable the Audit object access policy
Enable the Audit system events policy
Enable the Directory Service Access policy
Enable the Directory Service Changes policy

Answer: Enable the Directory Service Access policy

Explanation:
You should enable the Directory Service Access policy to ensure that a user accessing an Active Directory object is audited. Windows Server 2008 retains the global Audit directory service access policy from Windows Server 2003, but also adds the following four subcategories of AD DS auditing:

Directory Service Access: Audits the event of a user accessing an Active Directory object.
Directory Service Changes: Provides the ability to audit changes to Active Directory objects, such as create, modify, move, and undelete operations that are performed on an Active Directory object.
Directory Service Replication: Audits the replication of computer and user accounts and other Active Directory objects from one domain controller to other domain controllers of the same domain, providing enterprise-wide authentication.
Detailed Directory Service Replication: Audits the replication of specified computer and user accounts and other Active Directory objects from one domain controller to other domain controllers of the same domain.

To view or set these audit policy subcategories, you should use the AUDITPOL.EXE command-line tool. This tool allows you to modify, enable, or disable the audit policies.

You should not enable the Audit object access policy to ensure that the event of a user accessing an Active Directory object is audited. Enabling the Audit object access policy will audit the event of a user accessing an object such as a file, folder, registry key, or printer. This policy does not audit the event of a user accessing an Active Directory object.

You should not enable the Audit system events policy to ensure that the event of a user accessing an Active Directory object is audited. Enabling the Audit system events policy will ensure that auditing is enabled for system events such as a computer restart or shutdown, or events that affect either the system security or the security log. You cannot enable this policy to audit the event of a user accessing an Active Directory object.

You should not enable the Directory Service Changes policy to ensure that the event of a user accessing an Active Directory object is audited. The Directory Service Changes policy audits change operations to Active Directory objects, such as file modifications or undeletions.
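The audit settings from items 107 and 109 applied with Auditpol.exe, plus the step the items leave implicit: Object Access auditing only generates events for objects that carry a system access control list (SACL). This is an added example, not part of the Transcender items; the folder path is constructed, and the category and subcategory names are the ones auditpol uses on Windows Server 2008.

```powershell
# Added example (not from the Transcender items): enabling the audit
# categories from item 107 and the DS Access subcategory from item 109,
# then placing a SACL on a folder so that object access is actually logged.

# Item 107: computer restart/shutdown (System) and access to files,
# registry keys and printers (Object Access).
auditpol /set /category:"System" /success:enable /failure:enable
auditpol /set /category:"Object Access" /success:enable /failure:enable

# Item 109: only the DS Access subcategory that records reads of AD objects;
# the other three subcategories (Changes, Replication, Detailed Replication)
# stay as they are.
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

# Show the effective setting of every subcategory in the DS Access category.
auditpol /get /category:"DS Access"

# Object access auditing needs a SACL on each object to be watched. This adds
# an audit entry for read, write and delete attempts by any user, inherited by
# subfolders and files. Path is constructed.
$folder = "D:\Shares\Sales"
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    "Everyone",
    "ReadData, WriteData, Delete",
    "ContainerInherit, ObjectInherit",
    "None",
    "Success, Failure")
$acl.AddAuditRule($rule)
# Writing a SACL requires the "Manage auditing and security log" user right.
Set-Acl -Path $folder -AclObject $acl

# Confirm the audit entry is in place.
(Get-Acl -Path $folder -Audit).Audit
```

One caveat a practitioner should expect: when the legacy category-level audit policy is also configured through Group Policy, it overwrites the subcategory settings made with auditpol at the next policy refresh unless the "Audit: Force audit policy subcategory settings to override audit policy category settings" security option is enabled.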


Item: 110 (Ref:Cert-70-640.1.1.3)


You are the network administrator of the Nutex corporation. You install Windows Server 2008 on all servers in the network. You are in the process of configuring a Domain Name System (DNS) server on a server named DNS1 to provide name resolution services to users. You are required to ensure the following:

The DNS zone contains only entries for computers that are members of the domain.
The DNS zone should not contain any stale records.

What should you configure on the zone to achieve these objectives? (Choose two. Each correct answer represents a complete solution.)
Create a Primary Zone and store the zone in Active Directory
Create a Stub Zone and store the zone in Active Directory
Create a Secondary Zone and store the zone in Active Directory
Set aging/scavenging properties on the zone
Ensure that all domain computers are members of DnsUpdate Proxy group

Answer:

Create a Primary Zone and store the zone in Active Directory
Set aging/scavenging properties on the zone

Explanation:
You should create a Primary Zone and store the zone in Active Directory. You should also configure the aging/scavenging properties on the zone. You can create either a primary zone or an Active Directory-integrated zone to configure aging and scavenging. The zone must be stored in Active Directory to force secure dynamic updates. When secure dynamic updates are configured on a zone, only computers that are members of the domain can create a host (A) record in the zone.

Aging and scavenging is a DNS mechanism for performing cleanup and removal of stale records, which can accumulate in zone data over time. Aging and scavenging of stale records are available when you deploy a DNS server with primary zones. Records are automatically added to zones when computers start up on the network if you have configured dynamic updates. However, in some cases, they are not automatically removed when computers leave the network. When you configure aging and scavenging, DNS servers can determine that records have aged to the point of becoming stale and remove them from the zone data. You can begin scavenging stale resource records immediately even if you have not configured the aging and scavenging feature. To do this, right-click the DNS server node in the DNS Manager snap-in and click the Scavenge Stale Resource Records option. To configure aging and scavenging settings for all DNS zones on a DNS server, right-click the DNS server node in the DNS Manager snap-in and click the Set Aging/Scavenging for All Zones option. To enable automatic scavenging of stale records on a DNS server, select the Enable automatic scavenging of stale records option on the Advanced tab in the Properties dialog box of the DNS server.

You should not create a Stub Zone and store the zone in Active Directory. A stub zone is used to store the name server (NS) records and host (A) records of DNS servers that host a zone. The records are used to identify which DNS server is authoritative for that zone. A stub zone only creates (A) records for the DNS servers that are authoritative for that zone and does not create (A) records for any other computers.

You should not create a Secondary Zone and store the zone in Active Directory. A secondary zone is a read-only copy of another zone. You cannot store a Secondary Zone in Active Directory. You should not create a secondary zone or stub zone because the aging and scavenging features are available when you deploy your server with primary zones. You can configure aging and scavenging for Active Directory-integrated zones because only primary zones can be directory-integrated zones.

You should not ensure that all domain computers are members of the DnsUpdateProxy group. This group allows DNS clients to perform a dynamic update for a computer that is not a member of the domain, such as a DHCP server or a Web server. This group will not scavenge stale records either.
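The zone settings from item 106 (Secure Only dynamic updates) and item 110 (an AD-integrated primary zone with aging and scavenging) expressed with the dnscmd tool that ships with the DNS Server role, so they can be scripted and verified instead of set through the Properties dialog box. This is an added example, not part of the Transcender items; the server name, zone name and interval values are constructed.

```powershell
# Added example (not from the Transcender items): the DNS zone settings from
# items 106 and 110 applied with dnscmd. Server, zone and intervals are
# constructed values.
$server = "DNS1"
$zone   = "nutex.com"

# Item 110: an Active Directory-integrated primary zone. Only this zone type
# supports secure dynamic updates; secondary and stub zones cannot be stored
# in AD.
dnscmd $server /ZoneAdd $zone /DsPrimary

# Item 106: accept dynamic updates only from authenticated domain members.
# /AllowUpdate values: 0 = none, 1 = nonsecure and secure, 2 = secure only.
dnscmd $server /Config $zone /AllowUpdate 2

# Contrast from item 106: this restricts zone transfers to the servers listed
# in the zone's NS records. It protects zone data from being copied, but has
# no effect on who may register records.
dnscmd $server /ZoneResetSecondaries $zone /SecureNs

# Item 110: aging on the zone. Intervals are in hours (168 = 7 days). A
# record's timestamp cannot be refreshed during the no-refresh interval; the
# record becomes eligible for scavenging once both intervals have elapsed
# since its timestamp.
dnscmd $server /Config $zone /Aging 1
dnscmd $server /Config $zone /NoRefreshInterval 168
dnscmd $server /Config $zone /RefreshInterval 168

# Server-wide automatic scavenging period in hours (0 disables it). This is
# the command-line equivalent of "Enable automatic scavenging of stale records"
# on the server's Advanced tab.
dnscmd $server /Config /ScavengingInterval 168

# Review: AllowUpdate, Aging and both intervals appear in the zone info.
dnscmd $server /ZoneInfo $zone

# Optional: run one scavenging pass now instead of waiting for the period.
dnscmd $server /StartScavenging
```

Records registered before aging was enabled carry no timestamp and are never scavenged; they have to be deleted by hand or re-registered by their owners once aging is on.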

Item: 111 (Ref:Cert-70-640.4.2.7)


Your company consists of a central office and five branch offices. All servers on the network run Windows Server 2008. The corporate network consists of a single Active Directory forest with a functional level of Windows Server 2008. A separate domain and a separate site exist for each office. Each office has a department named Marketing. All employees in the Marketing departments should be allowed access to a shared folder named Products, which is located on a file server in the forest root domain. You must provide employees in the Marketing departments in each office with access to the Products shared folder. What should you do?
In each domain, create a global security group named Marketing and add the user accounts of employees in the Marketing department to this group. Create a domain local distribution group named MktgPermissions in the forest root domain, assign the appropriate permissions for the Products folder to the MktgPermissions group, and add all of the Marketing global groups to the MktgPermissions group.
In each domain, create a global security group named Marketing and add the user accounts of employees in the Marketing department to this group. Create a domain local security group named MktgPermissions in the forest root domain, assign the appropriate permissions for the Products folder to the MktgPermissions group, and add all of the Marketing global groups to the MktgPermissions group.
In each domain, create a global distribution group named Marketing and add the user accounts of employees in the Marketing department to this group. Create a domain local security group named MktgPermissions in the forest root domain, assign the appropriate permissions for the Products folder to the MktgPermissions group, and add all of the Marketing global groups to the MktgPermissions group.
In each domain, create a global distribution group named Marketing and add the user accounts of employees in the Marketing department to this group. Create a domain local distribution group named MktgPermissions in the forest root domain, assign the appropriate permissions for the Products folder to the MktgPermissions group, and add all of the Marketing global groups to the MktgPermissions group.


Answer: In each domain, create a global security group named Marketing and add the user accounts of employees in the Marketing department to this group. Create a domain local security group named MktgPermissions in the forest root domain, assign the appropriate permissions for the Products folder to the MktgPermissions group, and add all of the Marketing global groups to the MktgPermissions group.

Explanation:
To streamline the administration of user access rights, you should add users to security groups and assign permissions to the security groups rather than to individual user accounts. One possible strategy is to use global security groups for organizing user accounts that reside in the same domain and must be assigned the same permissions. You can put those global security groups into appropriate domain local security groups and assign permissions to the domain local security groups. In this scenario, you should do the following:

1. In each domain, create a global security group named Marketing.
2. Add the user accounts of employees in the Marketing department of the domain to Marketing.
3. Create a domain local security group named MktgPermissions in the forest root domain.
4. Assign the appropriate permissions for the Products folder to the MktgPermissions group.
5. Add all the Marketing global groups to the MktgPermissions group.

Distribution groups can be used by Active Directory-aware messaging applications, such as Exchange Server 2007, to send e-mail messages to multiple users simultaneously. Unlike security groups, distribution groups are not security principals and, therefore, cannot be assigned permissions explicitly or implicitly through membership in other groups. Therefore, you cannot use distribution groups to provide users with access to resources.
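The five steps above carried out with the directory service command-line tools and icacls, so the nesting (users in global groups, global groups in a domain local group, permissions on the domain local group) can be seen end to end. This is an added example, not part of the Transcender item; the forest root domain corp.com, the child domains branch1 and branch2, the OU names, the user DNs and the share path are all constructed.

```powershell
# Added example (not from the Transcender item): the AGDLP nesting from item
# 111 built with dsadd/dsmod/dsget and icacls. Every domain, OU, user and path
# below is a constructed placeholder.

# Steps 1-2: in each domain, a global security group that holds that domain's
# Marketing users. -scope g = global, -secgrp yes = security group (a
# distribution group could not be granted permissions). -d targets a DC of
# the domain that owns the group.
dsadd group "CN=Marketing,OU=Groups,DC=branch1,DC=corp,DC=com" -scope g -secgrp yes `
    -members "CN=Ann Lee,OU=Users,DC=branch1,DC=corp,DC=com" -d branch1.corp.com
dsadd group "CN=Marketing,OU=Groups,DC=branch2,DC=corp,DC=com" -scope g -secgrp yes `
    -members "CN=Bob Rau,OU=Users,DC=branch2,DC=corp,DC=com" -d branch2.corp.com

# Step 3: a domain local security group in the forest root domain. Domain
# local groups may contain global groups from any domain in the forest.
dsadd group "CN=MktgPermissions,OU=Groups,DC=corp,DC=com" -scope l -secgrp yes -d corp.com

# Step 4: the NTFS permission is granted to the domain local group only.
# (OI)(CI) = inherited by files and subfolders, M = Modify.
icacls "D:\Shares\Products" /grant "CORP\MktgPermissions:(OI)(CI)M"

# Step 5: nest each domain's Marketing global group in MktgPermissions.
dsmod group "CN=MktgPermissions,OU=Groups,DC=corp,DC=com" -addmbr `
    "CN=Marketing,OU=Groups,DC=branch1,DC=corp,DC=com" `
    "CN=Marketing,OU=Groups,DC=branch2,DC=corp,DC=com" -d corp.com

# Check: -expand walks the nesting and lists the users who end up with access.
dsget group "CN=MktgPermissions,OU=Groups,DC=corp,DC=com" -members -expand -d corp.com
```

Adding a new office later is then one dsadd for its global group and one dsmod to nest it; the folder's ACL never changes, which is the administrative point the explanation makes.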

Item: 112 (Ref:Cert-70-640.2.4.13)


You are a network administrator for your company. Your corporate network consists of a single Active Directory forest. (Click on the Exhibit(s) button.) The network is fully routed; all computers in the forest can communicate with each other. However, you notice that certain changes to Active Directory do not replicate between Site1 and Site3. You must correct the problem. Which of the following should you do?
Enable bridging of the site links.
Reduce the costs of the site links.
Designate dc2.domain2.com as a preferred bridgehead server.
Reconfigure the IP addressing scheme so that computers in Site1 and Site3 will belong to the same IP subnet.

Answer: Enable bridging of the site links.


Explanation:
The domain controllers in Site1 and Site3 belong to a different domain from the domain controllers in Site2. Therefore, changes to the domain1.com domain directory partition are not replicated between Site1 and Site2 and between Site2 and Site3. To enable replication of the domain1.com partition between Site1 and Site3, you should enable bridging of the existing site links. You can either enable bridging of all site links or create the necessary bridges manually. By default, all site links are bridged, but it appears that in this scenario bridging has been disabled. A bridge between two site links that have at least one site in common enables transitive connectivity through the common site or sites. Bridging will work only if physical connectivity exists between the sites that are included in the bridged site links. In this scenario, bridging will work because the network is fully routed; that is, computers in each site can communicate with computers in any other site. Site link costs are values that represent the relative preference of the site links that form a topology with alternative paths between the same destinations. The site links in this scenario do not provide alternative replication paths. Therefore, reducing the costs of the existing site links would not result in any changes in the functionality of Active Directory replication. The dc2.domain2.com domain controller does not host the domain1.com domain directory partition; therefore, it cannot participate in replication of that partition with domain controllers in Site1 and Site3, even if you designate it as a preferred bridgehead server. Networks in Site1 and Site3 probably cannot belong to the same IP subnet because Site1 and Site3 are connected through routers that are located in Site2. Furthermore, the scenario does not indicate that the existing IP addressing scheme is invalid or that there are any network connectivity problems.
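A way to confirm the diagnosis above and apply the fix from a script rather than the Active Directory Sites and Services snap-in. "Bridge all site links" is stored as a flag in the options attribute of the IP inter-site transport object; when the flag NTDSTRANSPORT_OPT_BRIDGES_REQUIRED (0x2) is set, site links are not transitively bridged. This is an added example, not part of the Transcender item; it assumes the forest root is domain1.com and that dc1.domain1.com is a domain controller in Site1.

```powershell
# Added example (not from the Transcender item): check whether "Bridge all
# site links" is disabled on the IP transport and re-enable it, then confirm
# replication health. The configuration partition DN and the DC name are
# constructed for a forest whose root domain is domain1.com.
$transportDN = "LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain1,DC=com"
$transport   = [ADSI]$transportDN

# Flag value from the interSiteTransport options attribute: set = bridging
# disabled (bridges must be created manually), clear = all links bridged.
$BRIDGES_REQUIRED = 0x2

# An unset attribute reads as $null, which casts to 0 (all flags clear).
$options = [int]$transport.options.Value

if ($options -band $BRIDGES_REQUIRED) {
    Write-Host "Bridge all site links is disabled on the IP transport; enabling it."
    $transport.Put("options", ($options -band (-bnot $BRIDGES_REQUIRED)))
    $transport.SetInfo()
} else {
    Write-Host "Bridge all site links is already enabled; look elsewhere for the cause."
}

# Ask the KCC to recompute the topology now rather than waiting for its next
# run, then look at replication status across the forest and at the Site1 DC.
repadmin /kcc
repadmin /replsummary
repadmin /showrepl dc1.domain1.com
```

After the change replicates to the inter-site topology generator in each site, repadmin /showrepl on a Site1 domain controller should list an inbound connection for the domain1.com partition from a Site3 domain controller; if it still does not, the problem lies with physical connectivity or the site link schedules, not with bridging.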

Item: 113 (Ref:Cert-70-640.4.5.2)


You are a network administrator for your company. The corporate network consists of a single Active Directory domain where all servers run Windows Server 2008 and all client computers run Windows XP Professional. Five member servers run Terminal Server. All terminal servers are located in an organizational unit (OU) named TS. Sales users require a custom database application to maintain sales information. The application includes a native Windows Installer package. User accounts of all Sales personnel are located in the OU named Sales. You are planning to use a Group Policy object (GPO) to deploy the database application to Sales users on the terminal servers. Which of the following should you do?
In the User Configuration folder in the GPO, define a software installation policy that assigns the application; link the GPO to the TS OU.
In the User Configuration folder in the GPO, define a software installation policy that publishes the application; link the GPO to the Sales OU.
In the Computer Configuration folder in the GPO, define a software installation policy that assigns the application; link the GPO to the Sales OU.
In the Computer Configuration folder in the GPO, define a software installation policy that assigns the application; link the GPO to the TS OU.

Answer: In the Computer Configuration folder in the GPO, define a software installation policy that assigns the application; link the GPO to the TS OU.


Explanation:
To deploy software by using GPOs, you can define a software installation policy in the User Configuration folder in order to assign or publish the software to users, and you can define a software installation policy in the Computer Configuration folder in order to assign the software to computers. There are special considerations for deploying programs to Terminal Server users because each application that is installed on a terminal server becomes available to all Terminal Server users. To function correctly in a multi-session environment, applications must be installed and configured in a specific manner. The preferred method to correctly install an application on a terminal server is to install it locally by using Add or Remove Programs in Control Panel. If you want to use a GPO to deploy an application to multiple terminal servers, then you should assign the application to computers, rather than users. If you assigned the application to users and linked the GPO to the TS OU, which contains only computers, or if you assigned the application to computers and linked the GPO to the Sales OU, which contains only users, then the GPO would have no effect because user-specific policies apply only to users, and computer-specific policies apply only to computers. Additionally, it is not recommended that applications that are to be used on terminal servers be assigned to users. The applications that are assigned to users might not be correctly configured to function properly in a multi-session environment. You cannot deploy an application to terminal servers by publishing the applications in GPOs; Terminal Server does not support published applications.

Item: 114 (Ref:Cert-70-640.6.1.3)


You administer your company's network. The network consists of a single Active Directory domain. All servers run Windows Server 2008, and all client computers run Windows Vista. The company's written security policy stipulates that employees must use certificates for remote access and secure e-mail. Only designated administrators are authorized to approve users' requests for certificates, issue certificates, and revoke certificates. You install Certificate Services on several servers and configure them as enterprise certification authorities (CAs). You must assign the appropriate privileges to the designated administrators in accordance with the company policy. Which of the following should you do?
- Issue an Enrollment Agent certificate to each designated administrator.
- Assign the designated administrators to the Certificate Manager role on each CA.
- Assign the Allow - Enroll permission for each certificate template to the designated administrators.
- Assign the Allow - Write permission for each CA to the designated administrators.

Answer: Assign the designated administrators to the Certificate Manager role on each CA.

Explanation:
Windows Server 2008 Certificate Services supports role-based administration. Each role is associated with specific permissions or user rights. Members of the Certificate Manager role can issue, approve, deny, renew, and revoke certificates. They can also retrieve archived private keys to binary files for subsequent key recovery. To assign the designated administrators to the Certificate Manager role, you should assign them the Allow - Issue and Manage Certificates permission for each CA. This permission allows a user to approve certificate enrollment and revocation requests. By default, the Enterprise Admins, Domain Admins, and local Administrators groups are assigned the Allow - Manage CA permission for CAs. This permission provides membership in the CA Administrator role, which enables its members to control other users' permissions for the CAs. To fully comply with company policy, you should enable role separation for each CA to ensure that CA Administrators cannot assign themselves to the Certificate Manager role. If role separation is enabled for a CA, a user can perform the tasks associated with only one role on that CA. If a user is accidentally or intentionally assigned to more than one role on a CA, that user cannot perform any tasks on that CA. A certificate based on the Enrollment Agent certificate template enables a user to request certificates on behalf of other users. Generally, enrollment agents are not authorized to approve certificate requests, revoke certificates, or perform other tasks associated with the Certificate Manager role. The Allow - Enroll permission for a certificate template enables a user to request a certificate based on that template. By default, the Domain Users group is assigned this permission for most templates on all enterprise CAs in their domain. The available permissions for a CA are Read, Issue and Manage Certificates, Manage CA, and Request Certificates. There is no Write permission for a CA. The Allow - Manage CA permission provides limited write access to the CA database.

Item: 115 (Ref:Cert-70-640.6.5.3)


You are the systems administrator for your company. The company's network consists of a single Active Directory domain. You install Active Directory Certificate Services (AD CS) on a computer running Windows Server 2008. The AD CS server is configured as an enterprise certification authority (CA). You want another computer to be an Online Responder to provide certificate revocation data to clients. You install IIS and the Online Responder service on a Windows Server 2008 server. You test the Online Responder, but the Online Responder fails. What must you do to ensure the Online Responder works correctly? (Choose two.)
- Add the Windows Server 2008 server to the Certificate Publishers group.
- Install Microsoft Simple Certificate Enrollment Protocol (MSCEP) on the server.
- Configure an Online Certificate Status Protocol (OCSP) Response Signing certificate template on the CA.
- Include the Uniform Resource Locator (URL) for the Online Responder in the Authority Information Access (AIA) extension of certificates issued by the CA.
- Lower the Publish Delta CRL and the Publish CRL Interval settings on the CA so that expired certificates are published in Active Directory.

Answer: Configure an Online Certificate Status Protocol (OCSP) Response Signing certificate template on the CA. Include the Uniform Resource Locator (URL) for the Online Responder in the Authority Information Access (AIA) extension of certificates issued by the CA.

Explanation:
You should do the following: configure an Online Certificate Status Protocol (OCSP) Response Signing certificate template on the CA, and include the Uniform Resource Locator (URL) for the Online Responder in the Authority Information Access (AIA) extension of certificates issued by the CA. The error is occurring because the CA has not been fully configured to support an Online Responder. Before configuring a CA to support the Online Responder service, you must ensure that the following conditions are met:
- IIS must be installed on the computer before the Online Responder can be installed.
- An OCSP Response Signing certificate template must be configured on the CA, and autoenrollment must be used to issue an OCSP Response Signing certificate to the computer on which the Online Responder will be installed.
- The URL for the Online Responder must be included in the AIA extension of certificates issued by the CA. This URL is used by the Online Responder client to validate certificate status.
You should not install the Microsoft Simple Certificate Enrollment Protocol (MSCEP). MSCEP, referred to in some documents as Network Device Enrollment Service (NDES), is the Microsoft implementation of SCEP, which was developed by Cisco Systems Inc. to support the secure, scalable issuance of certificates to network devices by using existing CAs. MSCEP is a communication protocol that allows software running on network devices, such as routers and switches, to enroll for X.509 certificates from a CA. Installing MSCEP is not a requirement for configuring an Online Responder. You should not add the Windows Server 2008 server to the Certificate Publishers group. Certificate Publishers is a global group that includes all computers that are running an enterprise certificate authority. Certificate publishers are authorized to publish certificates for user objects in Active Directory. Adding the Online Responder to the Certificate Publishers group will not allow the Online Responder to publish a CRL.

You do not have to change the Publish Delta CRL setting or the Publish CRL Interval setting on the CA. The Publish Delta CRL setting determines how often changes to the Certificate Revocation List (CRL) are published. A CA can accumulate a large number of revocations, and clients need to download the CRL frequently. Clients can download the most current delta CRL, which contains all the changes since the last base CRL that was published according to the Publish CRL Interval setting. The base CRL can become very large. To minimize frequent downloads of large CRLs, delta CRLs can be published, and clients can combine the downloaded delta CRL with the most current base CRL to create a complete list of revoked certificates. In this scenario, the error is occurring because the CA has not been fully configured to support an Online Responder.
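The two CA-side conditions from the answer (OCSP Response Signing template on the CA, responder URL in the AIA extension), as an added PowerShell example using certutil; it is not part of the Transcender item. All names are placeholders: the CA runs on this server, the Online Responder answers at http://ocsp.example.com/ocsp, and C:\temp\issued.cer is a certificate issued after the change.

```powershell
# Added example, not from the original item. Placeholders: OCSP URL, certificate path.
$OcspUrl = 'http://ocsp.example.com/ocsp'

# Condition 1: make the OCSP Response Signing template available on the CA so the Online
# Responder computer can autoenroll for its signing certificate. The template's ACL must
# also grant that computer Read, Enroll and Autoenroll (done in the Certificate Templates
# console); this command only adds the template to the CA's issue list.
certutil -SetCATemplates '+OCSPResponseSigning'

# Condition 2: publish the responder URL in the AIA extension. In CACertPublicationURLs the
# numeric prefix is a flag set; 32 means "include in the OCSP extension of issued
# certificates". The leading + appends to the existing multi-string value instead of
# replacing the file/LDAP/HTTP entries that are already there.
certutil -setreg CA\CACertPublicationURLs "+32:$OcspUrl"

# The CA reads its publication settings at start-up, so restart it.
Restart-Service -Name CertSvc

# Review: the 32: entry should now appear in the list.
certutil -getreg CA\CACertPublicationURLs

# Client-side check: -urlfetch retrieves every AIA, CDP and OCSP URL in the chain and
# reports whether revocation status could be obtained from each. Certificates issued
# before the change do not carry the OCSP URL, so test one issued after the restart.
certutil -verify -urlfetch C:\temp\issued.cer
```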

Item: 116 (Ref:Cert-70-640.3.3.5)


You are the network administrator for your company. Your company has a single Active Directory domain with over 700 user accounts and 800 computer accounts. You have a main office and three branch offices. Each office is configured as its own Active Directory site. You will be opening another branch office in a new city. The new branch office will only have a dozen people. You want to add a read-only domain controller (RODC) in the new branch. You only want the accounts used by the people in the new branch office to be cached on the RODC. What must you do?
- Add the dozen accounts to a Global group and change permissions on the Global group to not replicate passwords.
- On each of the accounts in the branch office, set Account is sensitive and cannot be delegated.
- Add the dozen accounts in the branch office to a Password Replication Policy in the allowed list, and add all other accounts in the company to the denied list.
- Create a GPO that allows the accounts to be cached and apply it to the site that has the new branch office.

Answer: Add the dozen accounts in the branch office to a Password Replication Policy in the allowed list, and add all other accounts in the company to the denied list.

Explanation:
You should add the dozen accounts in the branch office to a Password Replication Policy in the allowed list and add all other accounts in the company to the denied list. The Password Replication Policy determines if an RODC should be allowed to cache a password. The Password Replication Policy lists the accounts that are permitted to be cached, and the accounts that are explicitly denied from being cached. The Password Replication Policy is configured and enforced on a writable domain controller. For example, to prevent the Administrator password from replicating from the main office to the branch office RODC, a Password Replication Policy would need to be implemented on the DC in the main office. This would prevent the password from replicating to the RODC in the branch office. You should not add the dozen accounts to a Global group and change permissions on the Global group to not replicate passwords. There is no property on a Global group or an account to allow the user to cache his/her password on an RODC. You should not configure the Account is sensitive and cannot be delegated setting on each of the accounts in the branch office. This setting allows control over a user account that is designed to be a guest or temporary account. This option can be used if this account cannot be assigned for delegation by another account. This setting will not allow the user to cache his/her password on an RODC. You should not create a GPO that allows the accounts to be cached and apply it to the site that has the new branch office. Although you can link a GPO at the site level in Active Directory, you cannot configure a user account to cache his/her password on an RODC. You can only do this via a Password Replication Policy configured on a writable domain controller.
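The allow/deny Password Replication Policy described above, configured and then audited with repadmin, as an added PowerShell example that is not part of the Transcender item. Assumptions (placeholders): the RODC is BRANCH-RODC1, the domain is example.com, the dozen branch users are in a global security group Branch5-Users, and a group All-Company-Users holds everyone else; the commands run on a writable domain controller.

```powershell
# Added example, not from the original item. All names below are placeholders.
$Rodc       = 'BRANCH-RODC1'
$DomainDn   = 'DC=example,DC=com'
$AllowGroup = "CN=Branch5-Users,OU=Branch5,$DomainDn"
$DenyGroup  = "CN=All-Company-Users,OU=Groups,$DomainDn"

# 1. Allowed list: only the branch users' group may have its passwords cached on this RODC.
repadmin /prp add $Rodc allow $AllowGroup

# 2. Denied list: everyone else. The built-in "Denied RODC Password Replication Group"
#    already covers privileged accounts (Domain Admins, krbtgt, ...); adding the company-wide
#    group keeps main-office users who happen to log on at the branch from being cached.
#    If an account matches both lists, deny wins.
repadmin /prp add $Rodc deny $DenyGroup

# 3. Review the policy as stored on the RODC's computer object.
repadmin /prp view $Rodc allow
repadmin /prp view $Rodc deny

# 4. Which accounts' secrets are actually present on the RODC right now? This is the list
#    to review after a policy change or if the branch server is lost, because these are the
#    credentials that would have to be reset.
repadmin /prp view $Rodc reveal

# 5. Who has authenticated through this RODC (cached or not)? Accounts that show up here
#    but are not on the allowed list are forwarded to a writable DC on every logon, which
#    is the expected behaviour for the main-office accounts.
repadmin /prp view $Rodc auth2
```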

Item: 117 (Ref:Cert-70-640.5.3.3)


You are a network administrator for your company. The company's network consists of a single Active Directory domain that contains servers running Windows Server 2008. A server named File1 is configured as a file server. Users who access the File1 server report that some important files are missing and some files have been misused. You want to track all logon attempts made to the File1 server. What should you do?
- Implement an Audit system events policy.
- Implement an Audit privilege use policy.
- Implement an Audit account logon events policy.
- Implement an Audit logon events policy.

Answer: Implement an Audit logon events policy.

Explanation:
You should implement an Audit logon events policy to achieve the objective in this scenario. An Audit logon events policy audits each event related to a user logging on to, logging off from, or making a network connection. You can configure the Audit logon events policy in Group Policy Object (GPO) settings either in Graphical User Interface (GUI) mode or by using the Auditpol.exe command-line utility. To access group policy and configure an Audit logon events policy on a domain controller, perform the following steps:
1. Click the Start button, type gpedit.msc in the Run dialog box, and press the Enter key. This opens the group policy window.
2. Under the Group Policy menu, scroll down to the following node: Computer Configuration\Security Settings\Local Policies\Audit Policy.
3. In the right pane, right-click Audit logon events and click Properties.
4. In the Properties window, configure Success or Failure audit events.
5. After configuring the audit policy, link the GPO to the appropriate organizational unit (OU) and enable the appropriate user permissions.
You should not implement an Audit system events policy to achieve the objective in this scenario. Enabling an Audit system events policy will only audit those events that are related to a computer restart or shutdown. You should not implement an Audit privilege use policy to achieve the objective in this scenario. Enabling an Audit privilege use policy will only audit events related to a user performing a task that is controlled by a User Rights Assignment in group policy. You should not implement an Audit account logon events policy to achieve the objective in this scenario. Enabling an Audit account logon events policy will only audit the events when a user is logging on or off the domain.
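The Auditpol.exe route mentioned above, followed by a review of the Security log entries it produces, as an added PowerShell example that is not part of the Transcender item. Assumptions: it runs locally on File1 with administrative rights and PowerShell 2.0 (Get-WinEvent); a GPO linked to File1's OU would set the same policy centrally.

```powershell
# Added example, not from the original item. Run on File1 as an administrator.

# Windows Server 2008 splits the legacy "Audit logon events" category into subcategories.
# Logon and Logoff cover interactive, network (file share) and RDP logons to this server.
auditpol /set /subcategory:"Logon"  /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /get /category:"Logon/Logoff"      # confirm the effective setting

# Read one EventData field out of a Security event by name.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Summarise logon activity: 4624 = successful logon, 4625 = failed logon.
# LogonType 3 is a network logon, which is what a user opening a share on File1 produces.
function Get-LogonSummary {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Result    = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
            User      = Get-EventField $_ 'TargetUserName'
            Domain    = Get-EventField $_ 'TargetDomainName'
            LogonType = Get-EventField $_ 'LogonType'
            Source    = Get-EventField $_ 'IpAddress'
        }
    }
}

# Failed logons grouped by account: a burst against one account, or failures from an
# unexpected source address, is the first thing to look at when files go missing.
Get-LogonSummary | Where-Object { $_.Result -eq 'Failure' } |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name

# Successful network logons per source address for the same window.
Get-LogonSummary | Where-Object { $_.Result -eq 'Success' -and $_.LogonType -eq '3' } |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name
```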

Item: 118 (Ref:Cert-70-640.2.4.2)


You are the network administrator of your company. The company has a main office and a branch office. You want to configure Distributed File System (DFS) Replication on the network. Which requirements should you follow to be able to deploy DFS Replication? (Choose two. Each correct answer represents part of the solution.)
- Ensure that members of the replication group are running operating system version Windows Server 2003 or higher.
- Install the File Services role with the DFS Replication role service on all servers that will act as members of a replication group.
- Install the DFS Management snap-in to manage replication on a server running Windows Server 2008 or a Server Core installation of Windows Server 2008.
- Ensure that all servers in a replication group are located in the same forest.


Answer: Install the File Services role with the DFS Replication role service on all servers that will act as members of a replication group. Ensure that all servers in a replication group are located in the same forest.

Explanation:
You should install the File Services role with the DFS Replication role service on all servers that will act as members of a replication group, and ensure that all servers in a replication group are located in the same forest. DFS Replication is a new, state-based, multimaster replication engine that supports replication scheduling and bandwidth throttling. DFS Replication is the successor of the File Replication Service (FRS) that was introduced in the Windows 2000 Server operating system. DFS Replication uses several processes to keep data synchronized on multiple servers. Before you can deploy DFS Replication, you must configure your servers as follows:
- Extend the Active Directory Domain Services (AD DS) schema to include the Windows Server 2003 R2 or Windows Server 2008 schema additions.
- Ensure that all members of the replication group are running Windows Server 2008 or Windows Server 2003 R2.
- Install the File Services role with the DFS Replication role service on all servers that will act as members of a replication group.
- Install the DFS Management snap-in on a server to manage replication. The server on which you install the DFS Management snap-in cannot run a Server Core installation of Windows Server 2008.
- Ensure that your antivirus software is compatible with DFS Replication.
- Ensure that all servers in a replication group are located in the same forest. You cannot enable replication across servers in different forests.
- Store replicated folders on NTFS volumes.
The option stating that you should ensure that members of the replication group are running Windows Server 2003 or higher is incorrect because members of the replication group must be running Windows Server 2003 R2 or Windows Server 2008. The option stating that you should install the DFS Management snap-in to manage replication on a server running Windows Server 2008 or a Server Core installation of Windows Server 2008 is incorrect. The server on which you install the DFS Management snap-in cannot run a Server Core installation of Windows Server 2008.

Item: 119 (Ref:Cert-70-640.4.1.2)


You are the network administrator for your company. Your company's network has a single forest with three domains. All domain controllers in your forest are Windows Server 2008. Each domain is configured to be a separate site. Recently the telephone company has changed the telephone number of a department in the location of one of your company's domains. There are 55 accounts that are affected by the telephone number change. You need to change the telephone number property in the 55 different accounts. You want to perform the update as quickly as possible. What should you do?
- Use CSVDE to export the 55 accounts to a CSV file. Change the telephone number and use CSVDE to import the accounts.
- In Active Directory Users and Computers, select Find from the Action menu and create a LDAP query that will return the 55 user accounts. Select all of the user accounts returned by the query and simultaneously modify the telephone number in their accounts' properties.
- Create a saved LDAP query that will return user accounts of the 55 user accounts. Export the results to a tab-delimited file, modify the expiration date in the file and use the LDIFDE utility to import the file into Active Directory.
- In Active Directory Users and Computers, select Find from the Action menu and create a LDAP query that will return the 55 user accounts. Export the results to a comma-delimited file, modify the expiration date in the file and use the CSVDE utility to import the file into Active Directory.

Answer: In Active Directory Users and Computers, select Find from the Action menu and create a LDAP query that will return the 55 user accounts. Select all of the user accounts returned by the query and simultaneously modify the telephone number in their accounts' properties.

Explanation:
You should create an LDAP query in Active Directory Users and Computers by selecting Find from the Action menu and creating an LDAP query that will return the 55 user accounts. You can then select the user accounts returned by the query and simultaneously modify the telephone number in their accounts' properties. This method will allow you to easily update the telephone number property on the 55 user accounts. In Active Directory Users and Computers, you can select the domain node, select Find from the Action menu, and specify the same LDAP query that will return the 55 user accounts. However, you can only modify properties of the returned accounts individually; the Properties command is unavailable for a selection if multiple accounts are selected. Also, you cannot export the results of that query. You can only export the results of a saved query to a comma-delimited or tab-delimited text file. That file can be edited in any text editor. The CSVDE utility can be used to import a comma-delimited file into Active Directory. However, this utility can only be used to import new objects; it cannot be used to modify existing objects. The LDIFDE utility can be used to import new or modified objects into Active Directory. However, LDIFDE does not use comma-delimited or tab-delimited files; it uses a special file format named the LDAP directory interchange file (LDIF).
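The LDIFDE route the explanation contrasts with CSVDE (modify existing objects rather than create new ones), as an added PowerShell example that is not part of the Transcender item: it finds the affected accounts with an LDAP filter, writes one changetype: modify record per account, and imports the file. Placeholders: the search base OU=Finance,DC=example,DC=com, the old and new numbers, and the file paths under C:\temp.

```powershell
# Added example, not from the original item. Placeholders: search base, numbers, paths.
$SearchBase = 'OU=Finance,DC=example,DC=com'
$OldNumber  = '+1 555 0199'
$NewNumber  = '+1 555 0100'
$LdifFile   = 'C:\temp\phone-update.ldf'

# Locate the affected accounts with the same kind of LDAP filter the Find dialog builds.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(telephoneNumber=$OldNumber))"
$searcher.PageSize = 1000
$dns = $searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }

# Emit one LDIF "modify" record per account. In LDIF a record is:
#   dn: <object>  /  changetype: modify  /  replace: <attr>  /  <attr>: <value>  /  -
# followed by a blank line. (DNs containing non-ASCII characters would need the
# base64 "dn::" form; this example assumes plain ASCII DNs.)
function ConvertTo-LdifReplace {
    param([string[]]$DistinguishedNames, [string]$Attribute, [string]$Value)
    foreach ($dn in $DistinguishedNames) {
        "dn: $dn"
        "changetype: modify"
        "replace: $Attribute"
        "${Attribute}: $Value"
        "-"
        ""
    }
}

"Found $($dns.Count) account(s) with telephoneNumber $OldNumber under $SearchBase"
ConvertTo-LdifReplace -DistinguishedNames $dns -Attribute 'telephoneNumber' -Value $NewNumber |
    Set-Content -Path $LdifFile -Encoding ASCII

# Import: -i = import mode, -f = change file, -k = keep going past constraint-violation /
# already-exists errors, -j = directory for the ldif.log / ldif.err files.
ldifde -i -f $LdifFile -k -j C:\temp
```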

Item: 120 (Ref:Cert-70-640.3.3.7)


You are the systems administrator for your company, which has a main office and one additional branch office. The company's network consists of a single Active Directory forest. The network contains servers running Windows Server 2008 and Windows Server 2003. You install a domain controller running Windows Server 2008 in the main office. You are required to install a read-only domain controller (RODC) in the branch office. You want to enable the RODC to replicate the Domain Name System (DNS) partition. Which two steps should you perform? (Choose all that apply. Each answer is part of a single solution.)
- Run the Adprep /domainprep command in the domain.
- Copy the contents of the \source\adprep folder on the Windows Server 2008 installation DVD to the schema master.
- Run the Adprep /rodcprep command before installing the RODC.
- Run the Adprep /rodcprep command after installing the RODC.

Answer: Copy the contents of the \source\adprep folder on the Windows Server 2008 installation DVD to the schema master. Run the Adprep /rodcprep command before installing the RODC.

Explanation:
You should copy the contents of the \source\adprep folder on the Windows Server 2008 installation DVD to the schema master and run the Adprep /rodcprep command before installing the RODC. Before deploying an RODC, you must ensure that the forest functional level is Windows Server 2003 so that linked-value replication is available. You must copy the contents of the \source\adprep folder on the Windows Server 2008 installation DVD to the schema master and then run the Adprep /rodcprep command before installing the first RODC. This step is required to enable the RODC to replicate DNS partitions. If you are creating a new forest that has only Windows Server 2008 domain controllers, this step is not required. An RODC is a new type of domain controller in Windows Server 2008 that hosts read-only partitions of the Active Directory database. An RODC holds all the Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds, except for account passwords. RODCs provide various new functionalities, such as credential caching, unidirectional replication, and the Filtered Partial Attribute Set, which can be used to mitigate problems related to physical security, network bandwidth, and so on. The Filtered Partial Attribute Set is also referred to as the Read-Only Partial Attribute Set. Credential caching is the storage of user or computer credentials. You can configure the Password Replication Policy on a writable domain controller to specify whether an RODC should be allowed to cache a password. A Filtered Partial Attribute Set is a set of attributes that you can configure in the schema to ensure that these attributes are not replicated to an RODC. Configuring the Filtered Partial Attribute Set is useful when you want to prevent replication of sensitive information. You should not run the Adprep /domainprep command in the domain. This command is required when the RODC will also be a global catalog server. When you run the Adprep /domainprep command in all domains, the RODC can replicate global catalog data from all domains in the forest and then advertise as a global catalog server. Running the Adprep /domainprep command is not required to enable the RODC to replicate the Domain Name System (DNS) partition. You should not run the Adprep /rodcprep command after installing the RODC. The Adprep /rodcprep command must be run before installing the first RODC.

Item: 121 (Ref:Cert-70-640.1.2.7)


You are the network administrator for your company. The company has a main office and a branch office. The servers on the company's network run Windows Server 2008. The main office has its own Active Directory domain. You upgrade a member server in the branch office to a domain controller. Users report that their client computers take a long time to log on to the domain. You investigate and discover that the service (SRV) records for the domain controller are not registered in the DNS zone of the branch office domain. Which service should you restart on the domain controller to re-register the SRV records of the domain controller in the DNS zone?
- the DNS Client service
- the DNS Server service
- the Netlogon service
- the Server service

Answer: the Netlogon service

Explanation:
You should restart the Netlogon service. The SRV records of a domain controller in the domain play an important role in Active Directory. Active Directory cannot work without a DNS server. The DNS server in Active Directory is used to locate domain controllers in the forest or domain with the help of SRV records. When you promote a member server to a domain controller, the SRV records are registered specifically for domain controllers. The Netlogon service on a domain controller is responsible for registering SRV records. If the SRV records for a domain controller are not registered in the DNS server, you can re-register them by restarting the Netlogon service on the domain controller. You should not restart the DNS Client service, DNS Server service, or the Server service, because these services are not responsible for registering SRV records on the domain controller.

Item: 122 (Ref:Cert-70-640.5.2.4)


You are the systems administrator for your company. All servers on the network run Windows Server 2008. You install Active Directory Domain Services (AD DS) on a server named DC1. The AD DS database contains information about all the resources in the domain. Over time, you discover that Active Directory searches have become slow. You investigate and discover that DC1 is running low on disk space. You decide to perform an offline defragmentation of the Active Directory database. You are concerned about the amount of free disk space that is required to perform the offline defragmentation. You decide to free some disk space on DC1 to ensure that offline defragmentation is completed successfully. What is the minimum amount of disk space that you should free up on DC1 to successfully perform the offline defragmentation locally on DC1?
- Five percent (5%) of the current size of the AD DS database
- 10 percent (10%) of the current size of the AD DS database
- 15 percent (15%) of the current size of the AD DS database
- Equivalent to the current size of the AD DS database (100%)

Answer: 15 percent (15%) of the current size of the AD DS database

Explanation:
You should free up at least 15 percent (15%) of the current size of the AD DS database to perform a local offline defragmentation. In Windows Server 2008, you can perform offline defragmentation of an AD DS database by stopping the AD DS service, performing the offline defragmentation with the Ntdsutil.exe utility, and restarting the AD DS service. Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory directory services. The Ntdsutil.exe tool can be used to perform AD DS database maintenance, to manage and control single master operations, and to remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. Follow these steps to perform offline defragmentation of the AD DS database:
1. Run the Compact to command at the Ntdsutil file maintenance prompt. This command creates a compacted copy of the Ntds.dit file at the location specified in the Compact to command.
2. Delete all of the log files in the log directory by typing the Del drive:\pathToLogFiles\*.log command.
3. Manually copy the compacted database file to its original location.
4. Perform the integrity check on the database.
5. Restart the AD DS service.
To perform offline defragmentation of the AD DS database by compacting the database file locally on the domain controller, you should have free disk space equal to at least 15 percent of the current size of the AD DS database. Therefore, the options stating that you require 5% or 10% of the current database size are both incorrect because they are insufficient. The option stating that you require an amount of free disk space equivalent to the current size of the AD DS database is incorrect, because this amount of free disk space is required when you compact the AD DS database on a remote computer. In this scenario, you want to perform the offline defragmentation locally on DC1. Therefore, you should free up 15 percent of the current size of the AD DS database.

Item: 123 (Ref:Cert-70-640.4.6.4)


You are the network administrator of your company. You install Windows Server 2008 on all servers on the network. The company's network consists of a single Active Directory domain with the Windows Server 2008 domain functional level. You want to configure multiple password policies in the domain. To achieve this, you want to configure fine-grained password policies. Which group membership will you require for configuring fine-grained policies?
- Enterprise Admins group
- Domain Admins group
- Schema Admins group
- Local Administrators group on the domain controller

Answer: Domain Admins group

Explanation:

By default, only members of the Domain Admins group can set fine-grained password policies. Windows Server 2008 allows you to define different password and account lockout policies for different sets of users in a domain. You can use fine-grained password policies to specify multiple password policies within a single domain. Fine-grained password policies apply only to user objects and global security groups. To configure fine-grained password policies, the domain functional level must be Windows Server 2008. If you do not create fine-grained password policies for different sets of users, the Default Domain Policy settings apply to all users in the domain. A fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply a fine-grained password policy to the users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You can add the users of the OU as members of the newly created shadow group, and then apply the fine-grained password policy to this shadow group. The options stating Enterprise Admins group, Schema Admins group, and local Administrators group on the domain controller are incorrect because only members of the Domain Admins group can set fine-grained password policies by default.

Item: 124 (Ref:Cert-70-640.5.1.7)


You are the network administrator for your company. All servers on the network run Windows Server 2008. A server named DC1 is configured as a domain controller. You have configured a scheduled backup to be performed every day on DC1. Some users report that searching resources in Active Directory takes a considerable amount of time. To resolve this problem, you plan to perform an offline defragmentation of the Active Directory database. What are the steps you should take? (To answer, choose the appropriate steps on the left and arrange them in correct order on the right. It may not be necessary to use all the steps provided.)

Explanation:
When you perform offline defragmentation of the directory database file, a new compacted version of the database file is created in a different location. In Windows Server 2008, you can perform offline defragmentation of the AD DS directory database by stopping the AD DS service, performing the offline defragmentation, and starting the AD DS service. To perform an offline defragmentation of the AD DS database, you should first stop the AD DS service. The Restartable AD DS feature in Windows Server 2008 allows you to perform tasks, such as offline defragmentation of the AD DS database, without restarting the domain controller in Directory Services Restore Mode. You should run the Compact to command at the Ntdsutil file maintenance prompt. This command creates a compacted copy of the Ntds.dit file at the location specified in the Compact to command. You can specify a folder on the local computer or a shared folder on a remote computer in the Compact to command. If defragmentation completes successfully, you should delete all of the log files in the log directory by typing the Del drive:\pathToLogFiles\*.log command. You should then manually copy the compacted database file to its original location. After copying the compacted Ntds.dit file to its original location, you should perform the integrity check on the database. If the integrity check succeeds, you can restart the AD DS service.


You should not restart the server in Directory Services Restore Mode because it is not required in Windows Server 2008. The Restartable AD DS feature in Windows Server 2008 allows you to perform an offline defragmentation of the AD DS database without restarting the domain controller in Directory Services Restore Mode. You should perform the following steps in this order to perform an offline defragmentation of AD DS in Windows Server 2008:
1. Stop the AD DS service.
2. Run the Compact to command at the Ntdsutil file maintenance prompt.
3. Delete all of the log files in the log directory.
4. Copy the compacted Ntds.dit file to its original location.
5. Perform the integrity check on the database.
6. Start the AD DS service.

Item: 125 (Ref:Cert-70-640.3.2.3)


You are the administrator of your company. Your company's network has a single forest with one Active Directory domain. All of the domain controllers run Windows Server 2008. You have two SQL 2005 Server instances running on a server that is installed with Windows Server 2003. You attempt to install Active Directory Rights Management Services (AD RMS) for the first time on a server that runs Windows Server 2008. Your account has permissions to install AD RMS. You receive the following error: "AD RMS is unable to validate the database name during installation." What could have caused the error?
- The AD RMS is already installed on a domain controller.
- The SQL 2005 Server and the AD RMS server are installed on the same server.
- The SQL Browser Service for the SQL 2005 Server that contains the database failed to start.
- The SQL Agent Service for the SQL 2005 Server that contains the database failed to start.

Answer: The SQL Browser Service for the SQL 2005 Server that contains the database failed to start.

Explanation:
The error was caused because the SQL Browser Service for the SQL Server that contains the database failed to start. During AD RMS installation, you received the error message "AD RMS is unable to validate the database name during installation." because the installer could not validate the AD RMS database. First, you should check whether the SQL Server service for the SQL instance is started. If the SQL Server service is not started, you will not be able to connect to the database. You can type one of the following commands to start the SQL Server service:

net start "SQL Server (instancename)"
-or-
net start MSSQL$instancename

Once you have verified that the SQL Server service is started, you should ensure that the SQL Browser service is running on the database server. If the SQL Browser service is not running, other services, such as AD RMS, may not see the SQL Server instance.

The error was not caused because AD RMS was installed on a domain controller. AD RMS should be installed on a member server, but the error in this scenario was caused because AD RMS cannot recognize the SQL Server. The error was not caused because the SQL Server and the AD RMS server are installed on the same server. Although you should separate the SQL Server and the AD RMS server for performance reasons, this will not cause the error you received. The error was not caused because the SQL Agent Service for the SQL Server that contains the database failed to start. The SQL Agent service is important to the SQL Server. The Agent service controls jobs and alerts for the SQL Server and it should be started. However, the failure of the SQL Agent service to start will not prevent the database from being accessed. In this scenario, the error could have been caused by the SQL Server service for the instance failing to start, or by the SQL Browser service for the instance failing to start.

Item: 126 (Ref:Cert-70-640.5.1.6)


You are the systems administrator for your company. The company's network consists of a single Active Directory domain. All servers on the network run Windows Server 2003, and a server named DC1 is configured as a domain controller. A help desk technician in the branch office accidentally deletes an Organizational Unit (OU) that contains several user accounts. You want to perform an authoritative restore of AD DS on DC1. What should you do? (To answer, choose the appropriate steps on the left and arrange them in correct order in the answer area on the right.)


Explanation:
You should perform the following actions to accomplish an authoritative restore on a Windows Server 2008 domain controller:
1. Restart the domain controller in Directory Services Restore Mode (DSRM) and log on with the DSRM password.
2. Perform a nonauthoritative restore of AD DS.
3. Without restarting, run the ntdsutil authoritative restore command to mark the deleted OU as authoritative.
4. Restart the domain controller normally and synchronize replication with all replication partners.

An authoritative restore process returns a designated object or container of objects to its state at the time of the backup. When you restore a domain controller from backup, the normal or nonauthoritative restore process does not restore the inadvertently deleted OU. This is because after the restore process, the restored domain controller is updated to the current status of its replication partners, which deleted the OU. Therefore, recovering the deleted OU requires an authoritative restore. An authoritative restore marks the OU as authoritative and causes the replication process to restore it to all the domain controllers in the domain.

To perform an authoritative restore of AD DS, you must first boot your domain controller in Directory Services Restore Mode (DSRM). You must type in the DSRM password to log in. Then, you must complete a nonauthoritative restore. Replication will not occur after the nonauthoritative restore because AD DS is stopped. After the nonauthoritative restore is finished, do not restart the domain controller because you do not want to replicate the information yet. You should perform the authoritative restore at the domain controller that you are restoring by using the ntdsutil authoritative restore command to mark an object or objects as authoritative. After performing the authoritative restore of AD DS, you should start the domain controller normally and synchronize replication with all replication partners.

You should not stop the AD DS service because this will not allow you to perform an authoritative restore of AD DS. To perform an authoritative restore of AD DS, you must complete a nonauthoritative restore, which requires restarting the domain controller in Directory Services Restore Mode. If the server were Windows Server 2008, this would be a possible solution since the ability to restart the AD DS service without restarting the server is one of the new features of Windows Server 2008.
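The restore sequence the explanation describes, written out as commands (an added example, not part of the Transcender item). It assumes a Windows Server 2008 domain controller that has already been booted into DSRM, a system state backup on drive E:, and placeholder values for the backup version and the distinguished name of the deleted OU; all three are assumptions to replace before use.

```powershell
# Added example: authoritative restore of a deleted OU on a Windows Server 2008 DC.
# Run from an elevated prompt while the DC is booted in DSRM (logged on with the DSRM password).
# Assumptions: system state backup on E:, placeholders for the backup version and the OU DN.

$BackupTarget = 'E:'
$Version      = '<MM/DD/YYYY-HH:MM>'                 # placeholder: take a value from "wbadmin get versions"
$DeletedOu    = 'OU=BranchUsers,DC=verigon,DC=com'   # assumed DN of the OU the technician deleted

# Step 1 (DSRM): nonauthoritative restore of the system state. -autoReboot is deliberately
# left out: the DC must NOT restart yet, or its replication partners would re-delete the OU.
wbadmin get versions "-backupTarget:$BackupTarget"
wbadmin start systemstaterecovery "-version:$Version" "-backupTarget:$BackupTarget" -quiet

# Step 2 (still in DSRM, still not rebooted): mark only the deleted subtree as
# authoritative. ntdsutil raises the version numbers of every object under it so the
# restored copies win over the tombstones held by the other domain controllers.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $DeletedOu" quit quit

# Step 3: leave DSRM and restart normally. The safeboot value exists only if DSRM was
# entered with "bcdedit /set safeboot dsrepair"; after an F8 boot this line reports an error and changes nothing.
bcdedit /deletevalue safeboot
Restart-Computer -Force

# Step 4 (after the reboot, normal mode): push the restored OU to all partners and confirm it is back.
# repadmin /syncall /APed
# dsquery * "OU=BranchUsers,DC=verigon,DC=com" -scope subtree -limit 0
```

Marking only the deleted subtree, rather than the whole database, keeps every other change made since the backup intact on the replication partners; the step 4 commands are shown as comments because they are typed after the reboot, in a fresh session.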


Item: 127 (Ref:Cert-70-640.3.4.2)


You are the systems administrator for your company. The company's network consists of a single Active Directory forest. Your company has a partner organization that designs your company's products. The partner company has its own Active Directory forest. You are required to enable users in the partner organization to access resources in your network without being prompted for secondary credentials. To achieve this, you want to install the Active Directory Federation Services (AD FS) in your network to provide Web-based Single-Sign-On (SSO) capabilities to users in the partner organization. Which two roles should you install that will be required by AD FS? (Choose two. Each correct answer represents part of the solution.)
- Web Server (IIS) role
- Network Policy and Access Services (NPAS) role
- Active Directory Certificate Services (AD CS) role
- Windows Process Activation Service role service
- Windows SharePoint Services role

Answer:
- Web Server (IIS) role
- Windows Process Activation Service role service

Explanation:
You should install the Web Server (IIS) role and Windows Process Activation Service role service. AD FS is an identity access solution that allows browser-based clients to access one or more protected Internet-facing applications without being prompted for secondary credentials, even if the user accounts and applications are located in completely different networks or organizations. In any given federation relationship, the business partners can either be identified as a resource organization or an account organization. The account organization is the one that owns and manages user accounts. The resource organization is the one that owns and manages resources that are accessible from the Internet. Users from the account organization access AD FS-enabled applications in the resource organization. AD FS provides a Web-based SSO solution that authenticates users to multiple Web applications during a single browser session. While installing the Active Directory Federation Services role, you should select the Federation Service role service on the Select Role Services page. If the Web Server (IIS) role or Windows Process Activation Service role services are not installed, you will be prompted to install them. You should select the Add Required Role Services button to install these additional role services. The options stating NPAS, AD CS, and Windows SharePoint Services role are incorrect because these roles are not required by AD FS to be installed. Network Policy and Access Services allows you to provide local and remote network access and to define and enforce policies for network access authentication, authorization, and client health using a Network Policy Server (NPS). The Windows SharePoint Services role allows teams to create Web sites for information sharing and document collaboration. Active Directory Certificate Services is an Identity and Access Control security technology that creates and manages public key certificates.

Item: 128 (Ref:Cert-70-640.4.7.2)


You are the network administrator for your company's network. You install a Certificate Authority (CA) to distribute certificates to users and computers in your domain. All servers are stored in the Servers OU in your domain. You link the GPO1 group policy object at the Servers OU as seen in the exhibit. (Click the Exhibit(s) button.) You want to audit the following on your CA:
- Certificate requests from your CA
- Revoked certificates
- Published Certificate Revocation Lists (CRL)

What should you configure to have these items appear in the security log on the CA?
- In Group Policy Management Editor, enable audit policy change in GPO1.
- In Group Policy Management Editor, enable audit process tracking in GPO1.
- On the CA, enable auditing and choose the appropriate settings to audit.
- On the CA, choose the Policy Module tab, and choose the appropriate settings to audit.

Answer: On the CA, enable auditing and choose the appropriate settings to audit.

Explanation:
You should enable auditing on the CA. To enable auditing, open the Certificate Server snap-in, right-click the Certificate server, and choose the Auditing tab. You can configure the following items to audit:
- A backup or a restore of the CA database
- A change in the CA configuration
- A change in the security settings of the CA
- Certificate requests that are issued or managed from the CA
- Certificates that have been revoked from the CA
- Certificate Revocation Lists (CRL) that have been published
- Archived keys that have been retrieved or stored
- Whether Active Directory Certificate Services has been stopped or started

These events cannot be logged to the security log until Audit object access is enabled in a group policy. In this scenario, GPO1 has Audit object access enabled.

You do not have to enable Audit process tracking or Audit policy change in GPO1 to enable auditing on the CA. The Audit process tracking setting determines whether to audit detailed tracking information for events such as program activation, process exit, and handle duplication. The Audit policy change setting determines whether to audit every incidence of a change to user rights assignment policies, Windows Firewall policies, or audit policies. You do not need these settings enabled to configure auditing on a CA. You need to have the Audit object access setting enabled in group policy and the appropriate settings enabled under the Auditing tab on the CA. You cannot enable auditing on the CA from the Policy Module tab. You should choose the Auditing tab to configure the settings that you want to audit.
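The same configuration done from the command line on the CA, as an added example that is not part of the Transcender item. It assumes a Windows Server 2008 CA with PowerShell 2.0 and that GPO1 already enables Audit object access, as the scenario states. The bit values are the documented certutil flags for the CA\AuditFilter registry value; the Auditing tab of the snap-in writes the same value.

```powershell
# Added example: configure and verify CA auditing from the command line on the CA.
# Assumptions: Windows Server 2008 CA, PowerShell 2.0 (for Get-WinEvent), and
# "Audit object access" already enabled by GPO1 as the scenario states.

$auditBits = @{
    StartStopService      = 1    # Start and stop Active Directory Certificate Services
    BackupRestoreDatabase = 2    # Back up and restore the CA database
    IssueManageRequests   = 4    # Issue and manage certificate requests
    RevokePublishCrl      = 8    # Revoke certificates and publish CRLs
    ChangeSecurity        = 16   # Change CA security settings
    ArchiveKeys           = 32   # Store and retrieve archived keys
    ChangeConfiguration   = 64   # Change CA configuration
}

function Get-CaAuditCategories([int]$Filter) {
    # Translate a filter value back into the names shown on the Auditing tab.
    $auditBits.GetEnumerator() | Where-Object { ($Filter -band $_.Value) -ne 0 } |
        Sort-Object Value | ForEach-Object { $_.Key }
}

# The scenario wants requests, revocations and CRL publication: 4 + 8 = 12.
$wanted = $auditBits.IssueManageRequests + $auditBits.RevokePublishCrl

# Read the current value (certutil prints it in hex and decimal), then apply ours.
certutil -getreg CA\AuditFilter
certutil -setreg CA\AuditFilter $wanted
Restart-Service CertSvc                 # the CA reads AuditFilter at start-up
"Auditing now covers: $((Get-CaAuditCategories $wanted) -join ', ')"

# Policy side: CA auditing is the "Certification Services" subcategory of Object Access,
# which GPO1's Audit object access setting turns on. Confirm the effective policy.
auditpol /get /subcategory:"Certification Services"

# Verification: CA audit events land in the Security log as IDs 4868-4900
# (e.g. 4886/4887 request received/issued, 4870 certificate revoked, 4872 CRL published).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = (4868..4900) } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

Setting the filter to exactly the categories asked for, rather than all 127, keeps the Security log focused on the events the scenario wants; the Get-WinEvent query at the end is the quickest way to confirm that both halves (GPO policy and CA filter) are in effect.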


Item: 129 (Ref:Cert-70-640.3.4.1)


You are the systems administrator of your company. The company's network consists of a single Active Directory forest. You install Windows Server 2008 on all servers on the network. Your company has a partner organization that has its own Active Directory forest. The users in the partner organization need to access resources in your network. To achieve this, you want to install the Active Directory Federation Services (AD FS) on a server named Server1 in your network. Which software must be installed on Server1 to ensure that you are able to install the Federation Service on it? (Choose three. Each correct answer represents part of the solution.)
- Internet Information Services (IIS)
- MSXML 6.0
- Microsoft ASP.NET 2.0
- Windows Installer 3.1
- Microsoft .NET Framework 2.0
- Microsoft Management Console 3.0

Answer:
- Internet Information Services (IIS)
- Microsoft ASP.NET 2.0
- Microsoft .NET Framework 2.0


Explanation:
You should ensure that Internet Information Services (IIS), Microsoft ASP.NET 2.0, and Microsoft .NET Framework 2.0 are installed. AD FS is an identity access solution that allows browser-based clients to access one or more protected Internet-facing applications without being prompted for secondary credentials, even if the user accounts and applications are located in completely different networks or organizations. The AD FS role requires the Web Server (IIS) role and Windows Process Activation Service role service for successful installation. The following software must be installed on computers running the Federation Service:
- Windows Server 2003 R2, Enterprise Edition; Windows Server 2003 R2, Datacenter Edition; Windows Server 2008 Enterprise; or Windows Server 2008 Datacenter
- IIS
- Microsoft ASP.NET 2.0
- Microsoft .NET Framework 2.0

The options stating MSXML 6.0, Windows Installer 3.1, and Microsoft Management Console 3.0 are incorrect because this software is not required by AD FS. MSXML 6.0 is a set of services that allow applications written in JScript, VBScript, and Microsoft development tools to build Windows-native XML-based applications. Windows Installer 3.1 is an application installation and configuration service. Microsoft Management Console 3.0 is a framework that unifies system management tasks on Windows by providing common navigation, menus, toolbars, and workflow across diverse tools.

Item: 130 (Ref:Cert-70-640.5.2.5)


You are the systems administrator for your company. The company's network consists of a single Active Directory domain. A server named DC1 has Active Directory Domain Services (AD DS) installed. The AD DS database contains information about all the resources in the domain. Over time, you discover that Active Directory searches have become slow. You decide to perform an offline defragmentation of the AD DS database. You begin by stopping the AD DS service. Next, you want to compact the AD DS database. Which utility should you use to compact the AD DS database?
- Fsutil.exe
- Ntdsutil.exe
- Dsamain.exe
- Wbadmin.exe

Answer: Ntdsutil.exe

Explanation:
You should use the Ntdsutil.exe utility to compact the AD DS database. When you perform offline defragmentation of the directory database file, a new compacted version of the database file is created in a different location. In Windows Server 2008, you can perform offline defragmentation of the AD DS database by stopping the AD DS service, performing the offline defragmentation, and then starting the AD DS service. In Windows Server 2008, the Restartable AD DS feature allows you to perform an offline defragmentation of the AD DS database without restarting the domain controller in Directory Services Restore Mode. To perform the offline defragmentation of the AD DS database, you should use the Ntdsutil.exe utility. Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory directory services. The Ntdsutil.exe tool can be used to perform AD DS database maintenance, to manage and control single master operations, and to remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. Follow these steps to perform offline defragmentation of the AD DS database:
1. Stop the AD DS service.
2. Run the Compact to command at the Ntdsutil file maintenance prompt. This command creates a compacted copy of the Ntds.dit file at the location specified in the Compact to command.
3. Delete all of the log files in the log directory by typing the Del drive:\pathToLogFiles\*.log command.
4. Manually copy the compacted database file to its original location.
5. Perform the integrity check on the database.
6. Restart the AD DS service.

You should not use the Fsutil.exe utility. Fsutil.exe is a command-line utility that can be used to perform many FAT and NTFS file system related tasks, such as managing reparse points, managing sparse files, dismounting a volume, or extending a volume. The Fsutil utility cannot be used to perform an offline defragmentation of the AD DS database. You should not use the Dsamain.exe utility. Dsamain.exe, or the data mining tool, can be used to expose snapshot data of a Lightweight Directory Access Protocol (LDAP) server. The Dsamain.exe tool provides a means to compare data as it exists in snapshots that are taken at different times to improve the recovery process. The Dsamain.exe tool helps administrators decide which data to restore after data loss. The Dsamain.exe utility cannot be used to perform an offline defragmentation of the AD DS database. You should not use the Wbadmin.exe utility because this utility cannot be used to perform an offline defragmentation of the AD DS database. Wbadmin.exe is a command-line tool that allows you to back up and restore your computer, volume, and files from a command prompt.
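The six steps above (the same procedure Item 124 describes) as one elevated PowerShell session on a Windows Server 2008 domain controller. This is an added example, not code from the Transcender items; the default AD DS paths under C:\Windows\NTDS and the work folder C:\ADDefrag are assumptions.

```powershell
# Added example: the offline defragmentation procedure from Items 124 and 130, run
# as one elevated PowerShell session on a Windows Server 2008 domain controller.
# Assumptions: default AD DS paths under C:\Windows\NTDS and a work folder C:\ADDefrag.

$NtdsDir   = 'C:\Windows\NTDS'                 # default database and log directory
$Compacted = 'C:\ADDefrag'                     # assumed folder for the compacted copy
$Database  = Join-Path $NtdsDir 'ntds.dit'

# Pre-check: the compacted copy needs about as much free space as the live database.
$needed = (Get-Item $Database).Length
$free   = (Get-PSDrive -Name $Compacted.Substring(0, 1)).Free
if ($free -lt $needed) { throw "Not enough free space for a compacted copy of $Database" }

# Step 1: stop AD DS. Restartable AD DS means no reboot into DSRM. Remember which dependent
# services (KDC, DNS Server, DFS Replication, ...) go down with it so they can be restarted.
$dependents = (Get-Service NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service NTDS -Force

# Step 2: "compact to" at the ntdsutil file maintenance prompt. On Windows Server 2008
# the instance must be selected first ("activate instance ntds"), a detail the items omit.
New-Item -ItemType Directory -Path $Compacted -Force | Out-Null
ntdsutil "activate instance ntds" files "compact to $Compacted" quit quit
if (-not (Test-Path (Join-Path $Compacted 'ntds.dit'))) {
    Start-Service NTDS; $dependents | Start-Service
    throw "Compaction produced no file; the live database was left untouched"
}

# Step 3: delete the old transaction logs (the clean stop in step 1 already committed them).
Remove-Item (Join-Path $NtdsDir '*.log')

# Step 4: swap in the compacted copy, keeping the old file until the integrity check passes.
Rename-Item $Database 'ntds.dit.old'
Copy-Item (Join-Path $Compacted 'ntds.dit') $Database

# Step 5: integrity check on the new file; roll back rather than start AD DS on a bad database.
$result = ntdsutil "activate instance ntds" files integrity quit quit 2>&1
if (($result -join "`n") -notmatch 'Integrity check successful') {
    Remove-Item $Database
    Rename-Item (Join-Path $NtdsDir 'ntds.dit.old') 'ntds.dit'
    throw "Integrity check failed; original ntds.dit restored. Output:`n$($result -join "`n")"
}
Remove-Item (Join-Path $NtdsDir 'ntds.dit.old')

# Step 6: start AD DS and the services that depend on it.
Start-Service NTDS
$dependents | Start-Service
```

Keeping the original ntds.dit under a temporary name until the integrity check passes is the one deviation from the plain "copy over it" wording of the steps: it means a failed check leaves the domain controller with its original, consistent database rather than a bad one and no backup copy. The scheduled backup on DC1 remains the fallback for anything this script cannot roll back.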

Item: 131 (Ref:Cert-70-640.2.4.10)


You are the network administrator for the Nutex corporation. The company has recently reorganized. You are now required to add three new members to the Accounting group. You do so with the following command:

dsmod group "CN=Accounting,OU=Distribution Lists,DC=nutex,DC=com" -addmbr "CN=John Smith,CN=Users,DC=nutex,DC=com" "CN=Jane Jones,CN=Users,DC=nutex,DC=com" "CN=Jim Hernandez,CN=Users,DC=nutex,DC=com"

You want the new membership list of this group to be quickly recognized throughout the domain. What should you do?
- From Active Directory Sites and Services, highlight the site and add universal group membership caching.
- From Active Directory Sites and Services, highlight the site and add a global catalog server.
- From Active Directory Domains and Trusts, expand the domain, right-click the NTDS connections, and force replication.
- From Active Directory Sites and Services, expand the site, highlight the domain controller, right-click the NTDS connections, and force replication.

Answer: From Active Directory Sites and Services, expand the site, highlight the domain controller, right-click the NTDS connections, and force replication.

Explanation:
You should use Active Directory Sites and Services to replicate Active Directory information. From Active Directory Sites and Services, expand the site and highlight a domain controller in the site. Expand the NTDS Settings. You will see all the connection objects for the domain controller. If you right-click a connection object, you can force replication on the connection object between the domain controllers that are being connected.

You should not add universal group membership caching. This allows members of universal groups to log on at a site and have their credentials validated locally, saving bandwidth and ensuring functionality in the case of a loss of connection with other sites. Universal group membership caching will not force replication. You should not add a global catalog server. A global catalog is a domain controller that stores a copy of all Active Directory objects in a forest. The global catalog stores a full copy of all objects in the directory for its own domain, and a partial copy of all objects for all other domains in the forest. Global catalog servers replicate with other global catalog servers in the forest based on the replication schedule. Adding a global catalog server will not force replication. You should not use Active Directory Domains and Trusts to force replication of Active Directory. Active Directory Domains and Trusts can be used to raise the functional level of the forest or domain. You can use this tool to create trusts between domains, but you cannot use this tool to force replication.


Item: 132 (Ref:Cert-70-640.4.2.6)


You are the network administrator of your company. You need to add 100 user accounts to the Sales OU in your domain. You also need to modify the account properties of 20 user accounts in the Accounting OU. You have a single Active Directory domain. Which tools should you use?
- Create a CSV file for the 100 new user accounts for the Sales OU. Create a CSV file containing the changes for the 20 user accounts in the Accounting OU. Use CSVDE to import the two files.
- Create a script that uses the DSADD command to import the 100 new user accounts for the Sales OU. Create a CSV file containing the changes for the 20 user accounts in the Accounting OU. Use CSVDE to import the two files.
- Create a script that uses the DSMOD command to import the 100 new user accounts for the Sales OU. Create a CSV file containing the changes for the 20 user accounts in the Accounting OU. Use CSVDE to import the two files.
- Create a script that uses the DSADD command to import the 100 new user accounts for the Sales OU. Create a script that uses the DSMOD command to change the 20 user accounts in the Accounting OU.

Answer: Create a script that uses the DSADD command to import the 100 new user accounts for the Sales OU. Create a script that uses the DSMOD command to change the 20 user accounts in the Accounting OU.

Explanation:
You should create a script that uses the DSADD command to import the 100 new user accounts for the Sales OU, and create a script that uses the DSMOD command to change the 20 user accounts in the Accounting OU. You can use the DSADD command to add computers, users, groups, OUs, or quotas. You can use the DSMOD command to change the properties of users, groups, computers, OUs, or quotas. You cannot use the DSMOD command to add objects to Active Directory. The following example uses the dsmod user command to force the expiration of the accounts of Michelle Smith and Dave Jones:

dsmod user "CN=Michelle Smith,CN=Users,DC=Verigon,DC=Com" "CN=Dave Jones,CN=Users,DC=Verigon,DC=Com" -acctexpires 0

A value of 0 for -acctexpires sets expiration of the accounts at the end of today. You cannot use the CSVDE utility to modify the 20 user accounts in the Accounting OU. The CSVDE utility can be used to import a comma-delimited file into Active Directory. However, this utility can be used to import only new objects; it cannot be used to modify existing objects.
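The two scripts the correct answer calls for, written as an added example (not code from the Transcender item) in PowerShell around dsadd and dsmod. The verigon.com domain, the Sales and Accounting OUs, and the two CSV layouts are assumptions taken from the question's wording.

```powershell
# Added example: the two scripts the correct answer calls for, built around dsadd and dsmod.
# Assumptions: the verigon.com domain, OUs named Sales and Accounting, and two CSV files:
#   newusers.csv  with columns First,Last,SamAccountName
#   changes.csv   with columns SamAccountName,Department,Office,Title

$Domain = 'DC=verigon,DC=com'

function New-InitialPassword([int]$Length = 16) {
    # Random initial password from a crypto RNG; the alphabet avoids quotes, spaces and a
    # leading '-' so the value survives being passed to dsadd on the command line.
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+=?'
    $bytes = New-Object byte[] $Length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Script 1: create the 100 Sales accounts with dsadd user. Accounts start disabled with a
# must-change password, so nothing can log on until the help desk hands over the credentials.
function New-SalesUsers([string]$CsvPath) {
    Import-Csv $CsvPath | ForEach-Object {
        $display = "$($_.First) $($_.Last)"
        $dn      = "CN=$display,OU=Sales,$Domain"
        dsadd user $dn -samid $_.SamAccountName -upn "$($_.SamAccountName)@verigon.com" `
            -fn $_.First -ln $_.Last -display $display `
            -pwd (New-InitialPassword) -mustchpwd yes -disabled yes
        if ($LASTEXITCODE -ne 0) { Write-Warning "dsadd failed for $dn" }
    }
}

# Script 2: modify the 20 Accounting accounts with dsmod user. The DN is looked up from the
# SAM account name, and anything that resolves outside the Accounting OU is skipped.
function Set-AccountingUsers([string]$CsvPath) {
    Import-Csv $CsvPath | ForEach-Object {
        $sam = $_.SamAccountName
        $dn  = @(dsquery user -samid $sam) | Select-Object -First 1
        if (-not $dn) { Write-Warning "No account named $sam"; return }
        $dn = $dn.Trim('"')
        if ($dn -notlike "*,OU=Accounting,$Domain") { Write-Warning "$sam is outside the Accounting OU ($dn); skipped"; return }
        dsmod user $dn -dept $_.Department -office $_.Office -title $_.Title
        if ($LASTEXITCODE -ne 0) { Write-Warning "dsmod failed for $dn" }
    }
}

New-SalesUsers      -CsvPath .\newusers.csv
Set-AccountingUsers -CsvPath .\changes.csv
```

Resolving each DN with dsquery and checking that it sits under OU=Accounting before calling dsmod means a stray row in the change file cannot alter an account elsewhere in the domain; the new Sales accounts are created disabled for the same reason, so that the bulk import itself never produces a logon-capable account with a password nobody has been given.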

Item: 133 (Ref:Cert-70-640.5.2.2)


You are the systems administrator for your company. The company's network contains servers that run Windows Server 2008. One of the servers is configured as a domain controller. During a routine investigation of the servers, you discover that the domain controller is running low on disk space. To ensure that domain services are not affected by low disk space, you decide to move the Active Directory database to another server. You attempt to move the database to a new location by using the Ntdsutil.exe utility, but the database becomes corrupt during the move. You attempt to recover the Active Directory Domain Services (AD DS) database by using the Ntdsutil.exe utility, but the recovery procedure fails due to inconsistency in the database. Which other utility can you use to recover the AD DS database?
- Wbadmin.exe
- Esentutl.exe
- Fsutil.exe
- Dsamain.exe

Answer: Esentutl.exe

Explanation:
You can use the Esentutl.exe utility to recover the AD DS database. Active Directory database files are usually relocated for reasons of hardware maintenance or low disk space. If the growth of the Active Directory database or log files is causing low disk space, you should either expand the partition on the disk that currently stores the database file or move the database file to a bigger partition by using the Ntdsutil.exe utility. To relocate the Active Directory database, you should restart the server in Directory Services Restore Mode. If the path to the database file or log files will change as a result of moving the files, using the Ntdsutil.exe utility is recommended because Ntdsutil updates the registry with the new path. The Ntdsutil.exe utility can also be used to recover the Active Directory database. However, if the procedure for recovering the Active Directory database by using the Ntdsutil.exe utility fails, you can use the Esentutl.exe utility to perform database recovery. Esentutl.exe is a command-line utility that provides database utilities for the Extensible Storage Engine for Microsoft Windows. To perform database recovery by using the Esentutl.exe utility, run the Esentutl /r PathTo\ntds.dit command.

The Wbadmin.exe utility cannot be used to recover the AD DS database. Wbadmin.exe is a command-line tool that allows you to back up and restore your computer, volume, and files from a command prompt. You cannot use the Fsutil.exe utility. Fsutil.exe is a command-line utility that can be used to perform many FAT and NTFS file system related tasks, such as managing reparse points, managing sparse files, dismounting a volume, or extending a volume. The Fsutil utility cannot be used to recover the AD DS database. The Dsamain.exe utility cannot be used to recover the AD DS database. Dsamain.exe, or the data mining tool, can be used to expose snapshot data of a Lightweight Directory Access Protocol (LDAP) server. The Dsamain.exe tool provides a means to compare data as it exists in snapshots that are taken at different times to improve the recovery process.

Item: 134 (Ref:Cert-70-640.3.2.1)


You are the network administrator for your company, which has a single domain. The domain controllers are a mixture of Windows 2000 Server and Windows Server 2003 computers. You will be adding a Windows Server 2008 computer to the domain, and will install Active Directory Rights Management Services on the Windows Server 2008 machine. What must you do to ensure that you can install Active Directory Rights Management Services (AD RMS) in your domain with minimum administrative effort? (Choose two. Each answer is part of a single solution.)
- Ensure that Service Pack 4 is installed on all Windows 2000 Server domain controllers.
- Upgrade all Windows 2000 Server domain controllers to Windows Server 2003.
- Ensure all domain controllers are running Windows Server 2008 by upgrading or replacing older ones.
- Ensure that the domain functional level of the domain is set to Windows Server 2003.
- Ensure that the domain functional level of the domain is set to Windows Server 2008.

Answer:
- Upgrade all Windows 2000 Server domain controllers to Windows Server 2003.
- Ensure that the domain functional level of the domain is set to Windows Server 2003.

Explanation:
You should ensure that the domain functional level is set to Windows Server 2003, and you should upgrade all Windows 2000 Server domain controllers to Windows Server 2003. You must have a minimum domain functional level and a minimum forest functional level of Windows Server 2003. Only domain controllers that run Windows Server 2003 or Windows Server 2008 can support a domain functional level of Windows Server 2003 or a forest functional level of Windows Server 2003. Because of this, you cannot have any Windows 2000 Server domain controllers. These domain controllers must be upgraded to Windows Server 2003 or later.

You should not ensure that Service Pack 4 is installed on all Windows 2000 Server domain controllers. A Windows 2000 Server domain controller cannot exist in a domain where the functional level has been configured to Windows Server 2003. You do not have to ensure all domain controllers are running Windows Server 2008. You can install AD RMS with Windows Server 2003 domain controllers. However, you must ensure that the minimum domain functional level is Windows Server 2003 and the minimum forest functional level is Windows Server 2003. You do not have to ensure the functional level of the domain is Windows Server 2008, for the same reason: AD RMS can be installed with Windows Server 2003 domain controllers as long as the domain and forest functional levels are at least Windows Server 2003.

Item: 135 (Ref:Cert-70-640.2.1.1)


You are the network administrator for a company that handles ticket transactions for several theatres and concert halls. Your company has a single forest with three domains as shown in the exhibit. All domain controllers in the forest run Windows Server 2003. (Click the Exhibit(s) button.) You want to upgrade some of the domain controllers in each domain to Windows Server 2008. You also want to install a Windows Server 2008 Read Only Domain Controller (RODC) in the child2.company.com domain. What minimal configurations must you perform to prepare for upgrading the domain controllers and installing the RODC? (Choose five. Each correct answer is part of the complete solution.)
- Ensure that each domain is at the Windows Server 2003 functional level.
- Ensure that each domain is at the Windows Server 2008 functional level.
- Ensure that the forest is at the Windows Server 2003 functional level.
- Ensure that the forest is at the Windows Server 2008 functional level.
- Log on to the domain naming master and run adprep /forestprep.
- Log on to the schema master and run adprep /forestprep.
- Log on to the PDC emulator in the child2.company.com domain and run adprep /rodcprep.
- Log on to the infrastructure master in the child2.company.com domain and run adprep /domainprep.
- Log on to the domain naming master in the child2.company.com domain and run adprep /domainprep.

Answer:
- Ensure that each domain is at the Windows Server 2003 functional level.
- Ensure that the forest is at the Windows Server 2003 functional level.
- Log on to the schema master and run adprep /forestprep.
- Log on to the PDC emulator in the child2.company.com domain and run adprep /rodcprep.
- Log on to the infrastructure master in the child2.company.com domain and run adprep /domainprep.


Explanation:
You should log on to the schema master and run adprep /forestprep. To add a Windows Server 2008 domain controller to a forest that has domain controllers running Windows 2000 Server or Windows Server 2003, you must first extend the Active Directory schema, and adprep /forestprep must be run on the domain controller that holds the schema master role. You must be a member of both the Enterprise Admins group and the Schema Admins group to perform this task.

You should log on to the infrastructure master in the child2.company.com domain and run adprep /domainprep. After running adprep /forestprep on the schema master, you must run adprep /domainprep on the infrastructure master of each domain in the forest that will receive a Windows Server 2008 domain controller.

You must run adprep /rodcprep. It is not necessary to be logged on to the PDC emulator in the child2.company.com domain to run it; adprep /rodcprep can be run from any computer in the forest, and it is typically run on the schema master after adprep /forestprep. It must, however, be run before the first RODC is installed, because it updates the permissions on the DNS application directory partitions so that an RODC can replicate them. The step is unnecessary only in a new forest that contains nothing but Windows Server 2008 domain controllers. You can copy the contents of the \source\adprep folder on the Windows Server 2008 installation DVD to the schema master and run adprep /rodcprep from there before installing the RODC.

You should ensure that the forest is at the Windows Server 2003 functional level before deploying an RODC, because that level enables linked-value replication. The forest functional level does not need to be Windows Server 2008 to deploy an RODC. You should ensure that each domain is at the Windows Server 2003 functional level before deploying an RODC, because that level makes Kerberos constrained delegation available. The domain functional level does not need to be Windows Server 2008 to deploy an RODC.

You should not run adprep /forestprep from the domain naming master; it must be run on the domain controller that holds the schema master role. You should not log on to the domain naming master in the child2.company.com domain and run adprep /domainprep. The domain naming master processes all changes to the forest namespace. There is only one domain naming master in the entire forest, normally in the forest root domain alongside the schema master, and it must be available before a child domain can be added to the forest, but it plays no part in adprep /domainprep. Therefore, you should log on to the infrastructure master in the child2.company.com domain and run adprep /domainprep.
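The explanation above ties each adprep switch to a FSMO role holder and a functional level. The following script is an added example, not part of the Transcender item, that discovers those role holders and levels with the System.DirectoryServices .NET classes (available on Windows Server 2003 and 2008 without the later Active Directory PowerShell module) and prints where each command belongs. It assumes it is run by an Enterprise Admin on a domain-joined machine; nothing is hard-coded, so the domain names come from the forest itself.

```powershell
# Added example: map adprep steps to FSMO role holders and check the RODC functional-level prerequisites.
# Works on PowerShell 1.0/2.0 of the Windows Server 2008 era; no AD module needed.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Forest-wide roles: adprep /forestprep must run on the schema master (Schema Admins + Enterprise Admins).
"Forest $($forest.Name): functional level $($forest.ForestMode)"
"  schema master        : $($forest.SchemaRoleOwner.Name)   <- run adprep /forestprep here"
"  domain naming master : $($forest.NamingRoleOwner.Name)   <- not involved in any adprep step"

# RODC prerequisite: linked-value replication needs forest functional level Windows Server 2003 or higher.
if ($forest.ForestMode -lt [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest) {
    Write-Warning "Raise the forest functional level to Windows Server 2003 before running adprep /rodcprep or deploying an RODC."
}

# Per-domain roles: adprep /domainprep must run on each domain's infrastructure master (Domain Admins).
foreach ($domain in $forest.Domains) {
    "Domain $($domain.Name): functional level $($domain.DomainMode)"
    "  infrastructure master: $($domain.InfrastructureRoleOwner.Name)   <- run adprep /domainprep here"
    "  PDC emulator         : $($domain.PdcRoleOwner.Name)   <- no adprep step is tied to this role"
    # RODC prerequisite: Kerberos constrained delegation needs domain functional level Windows Server 2003 or higher.
    if ($domain.DomainMode -lt [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003Domain) {
        Write-Warning "Raise the domain functional level of $($domain.Name) to Windows Server 2003 before deploying an RODC there."
    }
}

# adprep /rodcprep is forest-wide, can run from any member, and only adjusts permissions on the DNS
# application partitions so an RODC can replicate them. Run it once, after /forestprep, before the first RODC.
"Order: <schema master> adprep /forestprep  ->  <any member> adprep /rodcprep  ->  <infrastructure master of each domain> adprep /domainprep"
```

Run it from the forest root before touching the installation media; the warnings it prints are exactly the two functional-level items in the answer, and the host names it prints are the machines to log on to for the other three.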

Item: 136 (Ref:Cert-70-640.2.4.14)


You are designing a site link topology for your company. Your corporate network consists of four sites, which are connected through WAN links, as shown in the exhibit. The network is fully routed, but the WAN links between Site1 and Site2 and between Site3 and Site4 are slow; therefore, you do not want Site2 to replicate directly with Site4. All the other sites should be able to replicate directly with each other. Which of the following steps should you take? (Select all that apply.)
Create three site links: one link that includes Site1 and Site2, another link that includes Site1 and Site3, and a third link that includes Site3 and Site4.
Disable the default bridging of all site links.
Create a site link that includes Site1, Site2, and Site3, and create another site link that includes Site1, Site3, and Site4.
Delete the default site link.
Create a single site link bridge that includes all four sites.
Create a site link bridge that includes Site1, Site2, and Site3, and create another site link bridge that includes Site1, Site3, and Site4.
Create three site link bridges: one bridge that includes Site1 and Site2, another bridge that includes Site1 and Site3, and a third bridge that includes Site3 and Site4.

Answer: Disable the default bridging of all site links. Create a site link that includes Site1, Site2, and Site3, and create another site link that includes Site1, Site3, and Site4. Delete the default site link.

Explanation:
Site links are logical objects that usually represent physical connectivity among sites. The Knowledge Consistency Checker (KCC) uses site links to create the inter-site replication topology automatically. Initially, a single default site link (DEFAULTIPSITELINK) is created that includes all existing sites. The KCC assumes that all domain controllers in the sites that belong to the same site link can communicate with each other directly. If the actual WAN topology does not support direct connectivity among all domain controllers, or if you want to control the replication topology and sequence, you can delete the default site link and create site links that match your network.

You can bridge site links that have at least one site in common. Bridging makes site links transitive. For example, if sites A and B belong to the site link AB, sites B and C belong to the site link BC, and you create a bridge that includes AB and BC, then sites A and C can replicate with each other, provided that the schedules of those site links overlap. By default, all site links are bridged; the Bridge all site links option on the IP transport is enabled.

To meet the requirements of this scenario, you should delete the default site link and disable the Bridge all site links option. Additionally, you should create two site links: one that includes Site1, Site2, and Site3, and another that includes Site1, Site3, and Site4. Sites that belong to the same site link can replicate with each other directly: domain controllers in Site1, Site2, and Site3 can replicate directly with each other, as can domain controllers in Site1, Site3, and Site4. Sites that do not share a site link cannot replicate directly, so domain controllers in Site2 will not replicate directly with domain controllers in Site4.

Another possible solution is to create three site links (Site1-Site2, Site1-Site3, and Site3-Site4) and then two site link bridges: one that includes the Site1-Site2 and Site1-Site3 links, and another that includes the Site1-Site3 and Site3-Site4 links. If you did not delete the default site link, all four sites would remain members of it and would be able to replicate with each other directly. If you created the site links but left the default bridging of all site links enabled, all four sites would again be able to replicate with each other directly. Bridges can include only site links; they cannot include sites. Therefore, every choice that involves creating a site link bridge that includes sites is incorrect.
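As an added example (not from the Transcender item), the following script builds the recommended topology with ADSI, which is the scriptable interface available on Windows Server 2008 (the New-ADReplicationSiteLink cmdlets only arrived in Windows Server 2012). It assumes Enterprise Admin rights and that the four sites are literally named Site1 through Site4; the link names, cost and interval are made up. The order matters: the replacement links are created first so no site is ever without a link, then bridging is switched off, and only then is the default link removed.

```powershell
# Added example: two three-site links, "Bridge all site links" off, DEFAULTIPSITELINK removed.
$rootDse = [ADSI]"LDAP://RootDSE"
$sitesDN = "CN=Sites,$($rootDse.configurationNamingContext)"
$ip      = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,$sitesDN"   # the IP transport container

# 1. Create the two site links. siteList is multi-valued; ADS_PROPERTY_UPDATE (2) sets the whole value set.
function New-SiteLink([string]$Name, [string[]]$Sites, [int]$Cost = 100, [int]$ReplIntervalMinutes = 180) {
    $link = $ip.Create("siteLink", "CN=$Name")
    $link.Put("cost", $Cost)
    $link.Put("replInterval", $ReplIntervalMinutes)
    $link.PutEx(2, "siteList", [string[]]($Sites | ForEach-Object { "CN=$_,$sitesDN" }))
    $link.SetInfo()
}
New-SiteLink -Name "Site1-Site2-Site3" -Sites Site1, Site2, Site3
New-SiteLink -Name "Site1-Site3-Site4" -Sites Site1, Site3, Site4

# 2. Clear "Bridge all site links": bit 0x2 (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) in the transport's options
#    attribute means links are NOT transitive unless an explicit site link bridge says so.
$options = 0
if ($ip.options.Value -ne $null) { $options = [int]$ip.options.Value }
$ip.Put("options", ($options -bor 0x2))
$ip.SetInfo()

# 3. Remove DEFAULTIPSITELINK, which still spans all four sites and would let Site2 and Site4 replicate directly.
$ip.Delete("siteLink", "CN=DEFAULTIPSITELINK")

# 4. Show the resulting links and the sites each one spans; Site2 and Site4 never share a link.
foreach ($child in $ip.psbase.Children) {
    if ($child.psbase.SchemaClassName -eq "siteLink") {
        $names = $child.siteList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
        "$($child.psbase.Name): " + ($names -join ', ')
    }
}
```

After the change the KCC recomputes the inter-site topology on its next run (or immediately with repadmin /kcc on the bridgehead); domain controllers in Site2 and Site4 will then only reach each other through Site1 or Site3.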


Item: 137 (Ref:Cert-70-640.3.4.6)


You are the administrator of a company that manufactures high-performance engines for race cars. Your company's network has a single domain. The domain controllers are a mixture of Windows Server 2003 and Windows Server 2008 computers. The functional levels of the domain and forest are set to Windows Server 2003. You have entered into a partnership with another company that makes chassis for race cars. Your partners will need access to a Web-based application that runs on one of your servers. The partner company has a single domain. The functional levels of the partner's domain and forest are set to Windows Server 2003. You plan to create a federated trust between your company and the partner company. You install an Active Directory Federation Services (AD FS) federation server on your internal network and a federation server proxy in the perimeter network. There is a lot of personnel turnover in the partner company. You want to give the partner company access to the Web-based inventory control application, but you do not want to create user accounts for, or manage, the users from the partner company. You decide to install an AD FS Web agent; because the inventory control application is claims-aware, you use the claims-aware Web agent. When configuring the AD FS Web agent, you receive an error. You notice in the application log that the error is listed as Event ID 613, and the Web agent fails to start. What should you do to fix the problem?
Add the Federation Service URL in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\WebSso\Parameters.
Add the Federation Service URL to the web.config file.
Add the Federation Service URL in the ADFSSetup.log.
Upgrade all of the domain controllers in your domain to Windows Server 2008 and raise the functional level of the domain to Windows Server 2008.

Answer: Add the Federation Service URL to the web.config file.

Explanation:
You should add the Federation Service Uniform Resource Locator (URL) to the web.config file. The error occurs because the AD FS Web Agent for claims-aware applications cannot find the Federation Service URL, which is configured in the application's web.config file. A claims-aware application must also have its return URL typed correctly in web.config, and that return URL must match the application URL specified in the trust policy of the Federation Service.

You should not add the Federation Service URL to the registry; for a claims-aware application it is specified in web.config. You should not add the Federation Service URL to the ADFSSetup.log file. That log is written by AD FS setup and is only a record of the installation; it has no effect on the Federation Service URL. You do not have to upgrade all domain controllers in your domain to Windows Server 2008 and raise the domain functional level to Windows Server 2008. AD FS operates properly with the domain functional level at Windows Server 2003. The error occurs because the AD FS Web Agent for claims-aware applications cannot find the Federation Service URL in the web.config file.
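The two web.config facts the explanation relies on (a Federation Service URL must be present, and the return URL must match the trust policy) are easy to check before restarting the agent. The script below is an added example, not part of the Transcender item. It assumes the websso/fs and websso/urls/returnurl element names of the Windows Server 2008 claims-aware Web Agent configuration, and the application and Federation Service host names in the constructed sample are made up.

```powershell
# Added example: validate the claims-aware Web Agent settings in a web.config before the agent is restarted.
function Test-WebAgentConfig([xml]$Config, [string]$TrustPolicyAppUrl) {
    $problems = @()
    $websso = $Config.configuration.websso
    if ($websso -eq $null) { return @("no <websso> section in web.config") }

    # The Federation Service URL the agent redirects unauthenticated users to (assumed element name: <fs>).
    $fs = [string]$websso.fs
    if (-not $fs) {
        $problems += "<fs> (Federation Service URL) is missing; the agent cannot locate the Federation Service"
    } elseif ($fs -notmatch '^https://') {
        $problems += "<fs> must be an https:// URL, found: $fs"
    }

    # The return URL must match the application URL in the Federation Service trust policy.
    $returnUrl = [string]$websso.urls.returnurl
    if (-not $returnUrl) {
        $problems += "<returnurl> is missing"
    } elseif ($returnUrl.TrimEnd('/') -ne $TrustPolicyAppUrl.TrimEnd('/')) {
        $problems += "<returnurl> '$returnUrl' does not match the trust policy application URL '$TrustPolicyAppUrl'"
    }
    return $problems
}

# Constructed sample matching the question: the Federation Service URL was never added.
$broken = [xml]@"
<configuration>
  <websso>
    <authenticationrequired />
    <urls>
      <returnurl>https://inventory.example.com/inventory/</returnurl>
    </urls>
  </websso>
</configuration>
"@
"Broken config:"
Test-WebAgentConfig $broken "https://inventory.example.com/inventory/"

# Corrected: <fs> points at the Federation Service endpoint.
$fixed = [xml]@"
<configuration>
  <websso>
    <authenticationrequired />
    <urls>
      <returnurl>https://inventory.example.com/inventory/</returnurl>
    </urls>
    <fs>https://fs.example.com/adfs/fs/federationserverservice.asmx</fs>
  </websso>
</configuration>
"@
"Fixed config problems: $((Test-WebAgentConfig $fixed 'https://inventory.example.com/inventory/').Count)"
```

On a real server, replace the sample with `[xml](Get-Content C:\inetpub\wwwroot\inventory\web.config)` and pass the application URL exactly as it appears in the trust policy.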

Item: 138 (Ref:Cert-70-640.6.5.5)


You are the systems administrator for your company. The company's network consists of a single Active Directory domain. You install Active Directory Certificate Services (AD CS) on a computer running Windows Server 2008. The AD CS server is configured as an enterprise certification authority (CA). You want to configure the CA to support the Online Responder service so that clients are not required to download complete Certificate Revocation Lists (CRLs). What should you do before you configure the CA to support the Online Responder service? (Choose three. Each correct answer presents a part of the solution.)

Install Internet Information Services (IIS) on the computer.
Install .NET Framework 2.0 on the computer.
Configure an Online Certificate Status Protocol (OCSP) Response Signing certificate template on the CA.
Create a certificate revocation list (CRL) on the CA.
Include the Uniform Resource Locator (URL) for the Online Responder in the Authority Information Access (AIA) extension of certificates issued by the CA.

Answer: Install Internet Information Services (IIS) on the computer. Configure an Online Certificate Status Protocol (OCSP) Response Signing certificate template on the CA. Include the Uniform Resource Locator (URL) for the Online Responder in the Authority Information Access (AIA) extension of certificates issued by the CA.

Explanation:
You should install Internet Information Services (IIS), configure an Online Certificate Status Protocol (OCSP) Response Signing certificate template on the CA, and include the URL for the Online Responder in the Authority Information Access (AIA) extension of certificates issued by the CA. Online Responders can be used in place of, or in addition to, CRLs to provide revocation status to clients. In Windows Server 2008, an Online Responder based on OCSP manages and distributes revocation status information where conventional CRLs are not an optimal solution. OCSP is an HTTP-based protocol that allows a relying party to submit a status request for a single certificate to an OCSP responder; the responder returns a definitive, digitally signed response indicating the status of that certificate.

Before configuring a CA to support the Online Responder service, you must ensure that the following conditions are met. IIS must be installed on the computer before the Online Responder can be installed. An OCSP Response Signing certificate template must be configured on the CA, and autoenrollment must be used to issue an OCSP Response Signing certificate to the computer on which the Online Responder will be installed. The URL for the Online Responder must be included in the AIA extension of certificates issued by the CA; a client reads this URL from the certificate it is validating to find the responder.

You should not install .NET Framework 2.0 on the computer because it is not required for the Online Responder service. You should not create a CRL on the CA because a CRL is not a prerequisite for installing the Online Responder service.
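The three prerequisites in the answer map to a handful of commands on the CA. The following is an added example, not from the Transcender item; it assumes the Online Responder will run on the CA itself (as the question's "on the computer" wording implies), Enterprise Admin rights, and a made-up responder host name ocsp.verigon.com. ServerManagerCmd is the Windows Server 2008 role installer; on Windows Server 2012 and later Install-WindowsFeature takes its place.

```powershell
# Added example: the Online Responder prerequisites as commands, run on the enterprise CA.

# 1. IIS, then the Online Responder role service of AD CS (which depends on IIS).
servermanagercmd -install Web-Server
servermanagercmd -install ADCS-Online-Cert

# 2. Make the OCSP Response Signing template available for issuance from this CA. The template's security
#    must also grant Read, Enroll and Autoenroll to the computer that will host the Online Responder, so that
#    autoenrollment delivers the signing certificate to it.
certutil -setcatemplates +OCSPResponseSigning

# 3. Put the Online Responder URL into the AIA extension of future certificates. Entries in
#    CA\CACertPublicationURLs have the form "<flags>:<url>": flag 2 (CSURL_ADDTOCERTCDP) publishes a
#    CA-certificate retrieval location, flag 32 (CSURL_ADDTOCERTOCSP) publishes an OCSP location.
#    The leading "+" appends to the multi-string value instead of replacing the existing entries.
certutil -setreg CA\CACertPublicationURLs "+32:http://ocsp.verigon.com/ocsp"

# The CA reads the publication URLs at start-up, so restart the service for the change to apply.
net stop certsvc
net start certsvc

# 4. Check a certificate issued after the restart: the AIA section should now list the OCSP URL, and a
#    chain build with URL retrieval should obtain revocation status from the responder rather than a CRL.
certutil -dump .\issued.cer | Select-String "OCSP"
certutil -verify -urlfetch .\issued.cer
```

Certificates issued before the restart do not carry the OCSP URL and will keep falling back to the CRL until they are renewed, which is why the check in step 4 has to be done on a freshly issued certificate.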

Item: 139 (Ref:Cert-70-640.2.3.1)


You are the network administrator of Verigon Corporation. Your company has a main office and a branch office. The company's network consists of a single Active Directory domain named verigon.com. Each office has its own Active Directory site. You install a read-only domain controller (RODC), named RODC1, in the branch office. A user named Adam in the branch office reports that he is facing difficulty logging on to the network. You want to verify whether Adam's credentials are cached on RODC1. What should you do? (Select the appropriate steps on the left and place them in the correct order on the right. It may not be necessary to use all the steps provided.)


Explanation:
You should perform the following steps to verify whether Adam's credentials are cached on RODC1:

An RODC is a new type of domain controller in Windows Server 2008 that holds a read-only copy of the Active Directory database. After deploying an RODC, you configure its Password Replication Policy from a writable domain controller. The Password Replication Policy acts like an access control list (ACL) that determines whether the RODC is permitted to cache a given account's password. When the RODC receives a logon request, it forwards the request to a writable domain controller and consults the policy; if the policy allows the account's password to be cached, the RODC requests and stores it, so that subsequent logons by that account can be serviced locally, even if the WAN link to a writable domain controller is unavailable. To view the credentials cached on an RODC, use the Active Directory Users and Computers snap-in: open the Password Replication Policy tab in the properties sheet of the RODC's computer account, click Advanced, and select the Accounts whose passwords are stored on this Read-Only Domain Controller option in the Advanced Password Replication Policy dialog box. Selecting this option lists the user and computer accounts whose credentials are cached on the RODC. You should not open the Active Directory Sites and Services snap-in because it cannot be used to view credentials cached on an RODC.


You should not click the Computers OU under the verigon.com node because RODC1 is a domain controller, and the computer accounts for domain controllers are located in the Domain Controllers OU by default. You should not select the Accounts that have been authenticated to this Read-Only Domain Controller option in the drop-down list because selecting this option displays a list of user and computer accounts that have been authenticated to an RODC.
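The same four views that the Advanced Password Replication Policy dialog offers are available from the command line through repadmin, which ships on every Windows Server 2008 domain controller. The script below is an added example, not part of the Transcender item; RODC1 and the user Adam come from the question, and the distinguished names in the follow-up commands are made up.

```powershell
# Added example: check from the command line whether an account's secrets are cached on an RODC.
$rodc = "RODC1"

# Accounts whose passwords are actually cached on the RODC (the msDS-RevealedUsers list).
repadmin /prp view $rodc reveal

# Accounts that have authenticated through this RODC. An account listed here but not under "reveal" was
# forwarded to a writable DC every time and will fail to log on when the WAN link is down.
repadmin /prp view $rodc auth2

# The policy itself: the Allowed and Denied lists. Denied wins over Allowed.
repadmin /prp view $rodc allow
repadmin /prp view $rodc deny

function Test-RodcCachedAccount([string]$Rodc, [string]$CommonName) {
    # "reveal" prints one distinguished name per cached account; match on the account's CN.
    $cached = repadmin /prp view $Rodc reveal | Select-String -Pattern "CN=$CommonName," -SimpleMatch
    return [bool]$cached
}

if (Test-RodcCachedAccount -Rodc $rodc -CommonName "Adam") {
    "Adam's credentials are cached on $rodc"
} else {
    "Adam's credentials are NOT cached on $rodc. Check the allow/deny lists and whether a writable DC was reachable at his last logon."
    # Typical fix (DNs are examples): allow the account, then pre-populate the cache from a writable DC
    # so the next branch logon does not depend on the WAN link.
    #   repadmin /prp add RODC1 allow "CN=Adam,OU=Branch,DC=verigon,DC=com"
    #   repadmin /rodcpwdrepl RODC1 DC1.verigon.com "CN=Adam,OU=Branch,DC=verigon,DC=com"
}
```

Note that "reveal" lists accounts by distinguished name, so the match is on the common name rather than the logon name; if two users share a CN, compare the full DN instead.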

Item: 140 (Ref:Cert-70-640.5.2.3)


You are the network administrator for your company. The company's network consists of a single Active Directory domain. All servers on the network run Windows Server 2008. A server named Server1 is configured as a domain controller. Users report that Active Directory searches have become slow. You discover that Server1 is running low on disk space due to the gradual growth of the Active Directory database file. You decide to move the Active Directory database and log files to a single partition on another server, named Server2. What is the minimum free disk space that will be required to permanently move Active Directory database and log files to Server2?
At least 15 percent (15%) of the size of the combined Ntds.dit and log files or 500 MB, whichever is greater
At least 15 percent (15%) of the size of the combined Ntds.dit and log files or 1 GB, whichever is greater
At least 20 percent (20%) of the size of the combined Ntds.dit and log files or 500 MB, whichever is greater
At least 20 percent (20%) of the size of the combined Ntds.dit and log files or 1 GB, whichever is greater

Answer: At least 20 percent (20%) of the size of the combined Ntds.dit and log files or 1 GB, whichever is greater

Explanation:
You will require at least 20 percent (20%) of the size of the combined Ntds.dit and log files, or 1 GB, whichever is greater. The Active Directory database file is usually relocated because of hardware maintenance or low disk space. If growth of the database or log files is causing low disk space, you should either expand the partition that currently stores the files or move them to a larger partition with the Ntdsutil.exe utility. To relocate the database, you must restart the domain controller in Directory Services Restore Mode. If the path to the database file or log files changes as a result of the move, you should use Ntdsutil.exe rather than copying the files by hand, because Ntdsutil updates the registry with the new path. You should also perform a system state backup as soon as the move is complete so that a later restore uses the correct path.

The minimum free disk space depends on what is being moved. When you permanently relocate only the database file, the minimum is the size of the database file plus 20 percent of the Ntds.dit file, or 500 MB, whichever is greater. When you permanently relocate only the log files, the minimum is the size of the combined log files plus 20 percent of the combined logs, or 500 MB, whichever is greater. When you permanently relocate both the database and the logs to a new location, as in this scenario, the minimum is 20 percent of the combined Ntds.dit and log files, or 1 GB, whichever is greater. The other three options are therefore incorrect.
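The free-space rule has three cases and is easy to get wrong by hand, so the following added example (not from the Transcender item) reads the real database and log locations from the NTDS service registry key, applies the rule from the explanation, and compares the result with the free space on the target volume before any ntdsutil command is run. The target path D:\NTDS is made up; the ntdsutil line is shown as a comment because it only works while the domain controller is in Directory Services Restore Mode.

```powershell
# Added example: size check for relocating the AD DS database and logs, then the ntdsutil command to do it.
$target = "D:\NTDS"

# Current locations come from the registry, not from a guessed path.
$params = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$dbFile = $params.'DSA Database file'
$logDir = $params.'Database log files path'

$dbBytes  = (Get-Item $dbFile).Length
$logBytes = (Get-ChildItem $logDir -Filter "edb*.log" | Measure-Object Length -Sum).Sum

function Get-RequiredFreeBytes([long]$Db, [long]$Logs, [string]$What) {
    switch ($What) {
        # database only: size of ntds.dit plus 20% of it, or 500 MB, whichever is greater
        "db"   { [math]::Max($Db + 0.2 * $Db, 500MB) }
        # logs only: size of the logs plus 20% of them, or 500 MB, whichever is greater
        "logs" { [math]::Max($Logs + 0.2 * $Logs, 500MB) }
        # both to one new location: 20% of database plus logs, or 1 GB, whichever is greater
        # (the destination must of course also hold the files themselves)
        "both" { [math]::Max(0.2 * ($Db + $Logs), 1GB) }
    }
}

$required = Get-RequiredFreeBytes $dbBytes $logBytes "both"
$drive    = Split-Path -Qualifier $target                       # "D:"
$free     = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace

"ntds.dit {0:N0} MB, logs {1:N0} MB -> need {2:N0} MB free on {3}, have {4:N0} MB" -f ($dbBytes / 1MB), ($logBytes / 1MB), ($required / 1MB), $drive, ($free / 1MB)
if ($free -lt $required) { throw "Not enough free space on $drive for the move" }

# The move itself runs in Directory Services Restore Mode (AD DS stopped). ntdsutil rewrites the
# "DSA Database file" and "Database log files path" registry values, which a plain file copy would not.
# Take a system state backup afterwards so that a restore uses the new path.
#   ntdsutil "activate instance ntds" files "move db to D:\NTDS" "move logs to D:\NTDS" quit quit
```

The rule only states the free space the move needs; if the database and logs are being moved to a volume that did not hold them before, add their combined size to the figure the function returns.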

Item: 141 (Ref:Cert-70-640.1.1.4)


You are the systems administrator for QualityTech Corporation. All servers on the network run Windows Server 2003. The network includes two Domain Name System (DNS) servers, named DNS1 and DNS2. DNS1 is located in the perimeter network, and DNS2 is located in the internal network. DNS1 handles name resolution between the perimeter network and the Internet. Your company is planning to upgrade the servers from Windows Server 2003 to Windows Server 2008. However, before you perform the upgrade, you want to gather information about the current configuration of each zone on the DNS1 server. What command should you run?

Dnscmd /info
Dnscmd /config
Dnscmd /zoneinfo
Dnscmd /statistics

Answer: Dnscmd /zoneinfo

Explanation:
You should run the Dnscmd /zoneinfo command to gather the current configuration of each zone on DNS1. Dnscmd /zoneinfo displays the zone-level configuration for one zone, so it is run once per zone. The syntax is:

dnscmd [ServerName] /zoneinfo ZoneName

where ServerName is the DNS server to query (omit it for the local server) and ZoneName is the zone whose configuration you want displayed. If you also want to save all of the resource records in a zone to a text file, run Dnscmd /zoneexport:

dnscmd [ServerName] /zoneexport ZoneName ZoneExportFile

where ZoneExportFile is the name of the file to create; the file is written in the %SystemRoot%\System32\dns folder of the DNS server, not on the computer that issued the command.

You should not run Dnscmd /info, which displays server-level configuration information rather than zone-level information. You should not run Dnscmd /config, which changes registry values for the DNS server or for individual zones rather than displaying them. You should not run Dnscmd /statistics, which displays or clears the statistics of a specified DNS server.
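Because /zoneinfo works on one zone at a time, a pre-upgrade inventory is usually a loop over the zone list. The script below is an added example, not from the Transcender item: it enumerates the zones on DNS1, captures each zone's configuration and exports its records. DNS1 is from the question; the output folder name is made up, and the column layout it parses is the one dnscmd /enumzones prints on Windows Server 2003 and 2008.

```powershell
# Added example: capture per-zone configuration and records from a DNS server before an upgrade.
$server = "DNS1"
$outDir = "C:\dnsinventory"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# /enumzones prints a table; the zone name is the first column of each data row, the type the second.
# The cache pseudo-zone "." is skipped: it has no configuration worth keeping and cannot be exported.
$zones = dnscmd $server /enumzones |
    Where-Object { $_ -match '^\s+(\S+)\s+(Primary|Secondary|Stub|Forwarder|Cache)\b' } |
    ForEach-Object { $matches[1] } |
    Where-Object { $_ -ne "." }

foreach ($zone in $zones) {
    # Zone-level configuration: type, storage, aging/scavenging, dynamic update setting, and so on.
    dnscmd $server /zoneinfo $zone | Out-File (Join-Path $outDir "$zone.zoneinfo.txt")

    # Resource records. The export file is created on the DNS server itself, under %SystemRoot%\System32\dns,
    # so collect it from there afterwards.
    dnscmd $server /zoneexport $zone "$zone.export.txt"
}

# Server-level settings are not per-zone; that is what /info reports.
dnscmd $server /info | Out-File (Join-Path $outDir "server.info.txt")

"Inventoried $(@($zones).Count) zones from $server into $outDir"
```

Running the loop against DNS2 as well gives a before/after comparison for both servers once the upgrade is done.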

Item: 142 (Ref:Cert-70-640.5.1.5)


You are the systems administrator for your company. The company's network consists of a single Active Directory domain. You are in the process of restoring a deleted Organizational Unit (OU) on a domain controller. You are required to perform a nonauthoritative restore before performing the authoritative restore of the OU. Which type of backup is required before you perform a nonauthoritative restore of AD DS without affecting other data stored on the domain controller?
A full server backup
A critical-volume backup
Backup of the volume that contains the operating system
Backup of the %SystemRoot%\Windows\NTDS folder

Answer: A critical-volume backup


Explanation:
You should perform a critical-volume backup before performing a nonauthoritative restore of the Active Directory Domain Services (AD DS) database. An authoritative restore returns a designated object, or container of objects, to its state at the time of the backup; it marks the OU as authoritative so that replication propagates the restored OU to every domain controller in the domain. To perform an authoritative restore of AD DS, you must first complete a nonauthoritative restore and ensure that replication does not occur before the authoritative restore is performed. A nonauthoritative restore of AD DS requires at least a critical-volume backup, which includes the volumes that hold the system state components reported by the system writers (the volumes containing the operating system, the AD DS database and log files, and SYSVOL) and nothing else. To prevent replication from occurring after the nonauthoritative restore, and to perform the authoritative portion of the operation, restart the domain controller in Directory Services Restore Mode and perform the authoritative restore on the domain controller that you are restoring. After the authoritative restore, start the domain controller normally and synchronize replication with all replication partners.

You should not perform a full server backup, because restoring a full server backup not only rolls back AD DS to the time of the backup but also rolls back all data on the other volumes. Using a full server backup for a nonauthoritative restore is an option only when you do not have a critical-volume backup, for example because of human error or hardware failure. You should not back up only the volume that contains the operating system, because restoring it also affects the other data stored on that volume. You should not back up only the %SystemRoot%\Windows\NTDS folder, because restoring it would also affect other data stored on the domain controller, and Windows Server Backup in Windows Server 2008 does not allow you to back up an individual folder.
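The explanation describes the full sequence: critical-volume backup, nonauthoritative restore in Directory Services Restore Mode, authoritative restore of the OU, and replication afterwards. The commands below are an added example, not from the Transcender item. The backup target E:, the backup version identifier and the OU distinguished name are made up placeholders; the domain name verigon.com is reused from elsewhere on the page.

```powershell
# Added example: critical-volume backup with wbadmin, then the restore sequence for a deleted OU.

# --- Beforehand: a critical-volume backup (only the volumes carrying system state components).
wbadmin start backup -backuptarget:E: -allcritical -quiet

# --- Restore, on ONE domain controller, booted into Directory Services Restore Mode. Either press F8 at boot
#     or set it from a running system and remove it again afterwards:
#       bcdedit /set safeboot dsrepair ; shutdown /r /t 0
#       bcdedit /deletevalue safeboot

# 1. Nonauthoritative restore: list the available versions, then restore system state from the chosen one
#    (the version string is the MM/DD/YYYY-HH:MM identifier printed by "get versions").
wbadmin get versions -backuptarget:E:
wbadmin start systemstaterecovery -version:03/14/2009-03:00 -backuptarget:E: -quiet

# 2. Still in DSRM, before any reboot: mark the OU authoritative. This raises the version numbers on the
#    restored objects so that they win against the deletion during replication. "restore subtree" brings back
#    the OU and everything beneath it; "restore object" would bring back only the OU itself.
ntdsutil "authoritative restore" "restore subtree OU=Sales,DC=verigon,DC=com" quit quit

# 3. Reboot normally; the restored OU replicates outward. Force the synchronization rather than waiting:
shutdown /r /t 0
#   (after the reboot, on any DC) repadmin /syncall /APed
```

Running the authoritative restore on the same domain controller that was just restored, before it reboots and replicates, is what keeps the deletion on the other domain controllers from overwriting the restored OU.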

Item: 143 (Ref:Cert-70-640.4.2.8)


You administer a domain controller running Windows Server 2008. The domain controller contains 1,000 user accounts. A user named Paul has left your company. You want to delete Paul's user account from Active Directory. Which tool can you use to achieve the objective?
Dsmod
Dsmove
Dsadd
Dsrm

Answer: Dsrm

Explanation:
The Dsrm tool is correct. The Directory Service command-line utilities include Dsadd, Dsget, Dsmod, Dsmove, Dsquery, and Dsrm. The Dsrm utility is used to delete objects from the directory. The option stating Dsmod is incorrect. The Dsmod command-line utility can be used to modify attributes of Active Directory objects, but it cannot be used to delete objects from the directory. The option stating Dsmove is incorrect. The Dsmove command-line utility can be used to move a single object, within a domain, from its current location in the directory to a new location, or to rename a single object without moving it in the directory tree. The Dsmove command-line utility cannot be used to delete objects from the directory. The option stating Dsadd is incorrect. The Dsadd command-line utility can be used to add objects to Active Directory, but it cannot be used to delete objects from the directory.
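Dsrm takes the object's distinguished name, which is rarely typed by hand; in practice the DN is resolved from the logon name with dsquery first. The function below is an added example, not from the Transcender item. It assumes the sAMAccountName "paul" for the user in the question, and it refuses to run unless the query matches exactly one object, since dsquery -samid accepts wildcards and a loose pattern could otherwise delete the wrong account.

```powershell
# Added example: resolve a user's DN from the logon name, show it, and delete it with dsrm.
function Remove-UserBySamAccountName([string]$SamAccountName, [switch]$Delete) {
    # dsquery prints one quoted DN per match; insist on exactly one.
    $dns = @(dsquery user -samid $SamAccountName)
    if ($dns.Count -ne 1) {
        throw "Expected exactly one match for $SamAccountName, got $($dns.Count): $dns"
    }
    $dn = $dns[0].Trim('"')

    # Show what is about to be removed; dsget also fails fast if the DN cannot be read.
    dsget user $dn -display -samid -disabled

    if ($Delete) {
        # A user is a leaf object, so no -subtree; that switch is for OUs and containers.
        dsrm $dn -noprompt
    } else {
        "Dry run: would run  dsrm `"$dn`" -noprompt"
        # Windows Server 2008 has no directory recycle bin, so many shops disable first and delete later:
        #   dsmod user "$dn" -disabled yes
    }
}

Remove-UserBySamAccountName paul             # preview only
Remove-UserBySamAccountName paul -Delete     # actually delete the account
```

Deleting the account also destroys its SID; group memberships and ACL entries that referenced it become unresolvable, which is the reason for the disable-first comment in the dry-run branch.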

Item: 144 (Ref:Cert-70-640.4.2.3)


You are the administrator for your company's Active Directory domain. You install a SQL 2005 Server as a back-end database server for an application. You create a domain account called SQL_Agent to be used with the SQL Agent Service to handle backup and maintenance issues with the SQL Server.


After 42 days, the backup jobs and maintenance jobs on the SQL 2005 server begin to fail. What should you do to fix the problem?
Unlock the account and reset the password.
Unlock the account and set the password to never expire.
Unlock the account and change the Maximum password age setting in the default domain policy to 999.
Unlock the account and change the Minimum password age setting in the default domain policy to 999.

Answer: Unlock the account and set the password to never expire.

Explanation:
You should unlock the account and set the password to never expire. The SQL Server Agent service in SQL Server 2005 runs backup jobs and maintenance jobs. Typically, this account is a member of the local Administrators group on the server. The service can run under a domain account, and a domain account is governed by the password policy of the domain; the Default Domain Policy sets the Maximum password age to 42 days by default. When the password expires, the service can no longer authenticate and its jobs fail. Because SQL_Agent is used only by the SQL Server Agent service and not by a person logging on from a client workstation, you should set its password to never expire.

You should not merely reset the password. Resetting the password gets the jobs running again but does not prevent the same failure 42 days later, because the account is still governed by the domain password policy. You should not change the Maximum password age or the Minimum password age in the Default Domain Policy. Raising the maximum password age only delays the expiry of the SQL_Agent password. The minimum password age specifies how long a password must be in use before it can be changed and has no effect on when it expires. Moreover, any change to the Default Domain Policy affects every account in the domain, whereas in this scenario you want to fix only the SQL_Agent account.
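The "password never expires" check box in Active Directory Users and Computers sets one bit (0x10000, DONT_EXPIRE_PASSWD) in the account's userAccountControl attribute, and the 42-day figure is the domain's maxPwdAge. The script below is an added example, not part of the Transcender item: it reads both values, reports when SQL_Agent's current password will expire, and sets the flag on that one account. SQL_Agent is the account from the question; the script assumes it is run with rights to modify the account.

```powershell
# Added example: show the expiry the domain policy imposes on a service account, then exempt that account.
$rootDse = [ADSI]"LDAP://RootDSE"
$domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"

# maxPwdAge is stored as a negative count of 100-nanosecond ticks (42 days under the Default Domain Policy).
$maxPwdAgeTicks = $domain.ConvertLargeIntegerToInt64($domain.maxPwdAge.Value)
$maxPwdAgeDays  = [math]::Abs($maxPwdAgeTicks) / 864000000000
"Domain maximum password age: $maxPwdAgeDays days"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=SQL_Agent))"
$result = $searcher.FindOne()
if ($result -eq $null) { throw "SQL_Agent not found in $($domain.distinguishedName)" }

$DONT_EXPIRE_PASSWD = 0x10000
$uac        = [int]$result.Properties["useraccountcontrol"][0]
$pwdLastSet = [long]$result.Properties["pwdlastset"][0]       # FILETIME ticks; search results return Int64

if ($uac -band $DONT_EXPIRE_PASSWD) {
    "Password never expires: flag already set"
} else {
    $setOn   = [DateTime]::FromFileTime($pwdLastSet)
    $expires = [DateTime]::FromFileTime($pwdLastSet + [math]::Abs($maxPwdAgeTicks))
    "Password set $setOn, expires $expires (policy: $maxPwdAgeDays days)"

    # Fix on this account only; the domain policy is left alone so every other account keeps expiring.
    $user = $result.GetDirectoryEntry()
    $user.Put("userAccountControl", ($uac -bor $DONT_EXPIRE_PASSWD))
    $user.SetInfo()
    "Set DONT_EXPIRE_PASSWD on $($user.distinguishedName)"
}

# Equivalent one-liner with the directory service tools:  dsmod user "<DN of SQL_Agent>" -pwdneverexpires yes
```

A password that never expires still needs to be long and random and rotated deliberately; the flag removes the surprise outage, not the need to manage the secret.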


Item: 145 (Ref:Cert-70-640.4.3.1)


You are the network administrator of a US-based company that has several branch offices across the US. All branch offices in the US are connected to the company's head office by high-speed WAN links. The company ventures into the European region and opens two new branch offices there. These branch offices are connected to the company's US-based head office by a 56 kbps network connection. You plan to enable universal group membership caching for the two branch office sites. Which statement is NOT true for enabling the universal group membership caching in both the branch offices?
Enabling universal group membership caching will provide faster logon times for branch office users.
Enabling universal group membership caching will require a considerable amount of hardware change.
Enabling universal group membership caching will reduce network bandwidth usage.
Enabling universal group membership caching will not cause global catalog queries to port 3268 to be intercepted.

Answer: Enabling universal group membership caching will require a considerable amount of hardware change.

Explanation:
The option stating that enabling universal group membership caching will require a considerable amount of hardware change is not true. When universal group membership caching is enabled, a branch office domain controller obtains a user's universal group memberships from a global catalog server the first time the user logs on and stores them locally on the user object. This cached data takes very little storage space, so enabling the feature does not require upgrading the hardware of the branch office domain controllers, which would probably be required if they were to host a global catalog.

The option stating that enabling universal group membership caching will provide faster logon times for branch office users is true. Once the membership information is cached on the branch office domain controller, the authentication request no longer has to be sent to the remote global catalog at the head office to obtain universal group membership information, so logons complete faster.

The option stating that enabling universal group membership caching will reduce network bandwidth usage is true. Because the membership information is cached locally, logging on branch office users no longer generates global catalog traffic over the WAN link. Moreover, when the WAN link between the branch office and the head office is down, the branch office domain controller can still log on users whose memberships are already cached. Note the limit of that guarantee: the cache is populated at a user's first logon while a global catalog is reachable and is refreshed every 8 hours by default, so a user who has never logged on at the branch cannot be authenticated there while the link is down.

The option stating that enabling universal group membership caching will not cause global catalog queries to port 3268 to be intercepted is true. Universal group membership caching affects only the membership lookup the domain controller performs during logon. If an application in the branch office site sends its own global catalog queries to port 3268, enabling universal group membership caching will not reduce the WAN traffic needed to resolve those queries. The only way to reduce bandwidth usage for applications that query port 3268 is to host a global catalog in those sites.
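As an added example (not code from the original item), the following PowerShell shows where the setting actually lives and how to check or enable it for a site. It uses ADSI directly, so it runs on a Windows Server 2008 domain controller without the ActiveDirectory module. The site names BranchOffice and HeadOffice are assumptions; the 0x20 flag on the nTDSSiteSettings options attribute and the msDS-Preferred-GC-Site attribute are the real storage behind the Active Directory Sites and Services checkbox.

```powershell
# Added example: check or enable Universal Group Membership Caching (UGMC) for one site.
# The GUI checkbox sets bit 0x20 (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) in the "options"
# attribute of the site's "NTDS Site Settings" object; msDS-Preferred-GC-Site names the site
# whose global catalog refreshes the cache (every 8 hours by default).
# Site names used at the bottom are assumptions for the example.

$UgmcFlag = 0x20

function Get-SiteSettings {
    param([string]$SiteName)
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    [ADSI]"LDAP://CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNc"
}

function Get-SiteOptions {
    param([string]$SiteName)
    $settings = Get-SiteSettings $SiteName
    if ($settings.options.Value -eq $null) { return 0 }   # attribute unset means no flags
    return [int]$settings.options.Value
}

function Test-Ugmc {
    param([string]$SiteName)
    return (((Get-SiteOptions $SiteName) -band $UgmcFlag) -eq $UgmcFlag)
}

function Enable-Ugmc {
    param([string]$SiteName, [string]$RefreshFromSite)
    if (Test-Ugmc $SiteName) { return "UGMC already enabled for $SiteName" }
    $settings = Get-SiteSettings $SiteName
    $settings.Put('options', ((Get-SiteOptions $SiteName) -bor $UgmcFlag))
    if ($RefreshFromSite) {
        # Pin the refresh to the hub site's GC; omit to let the DC pick the nearest GC by site link cost.
        $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
        $settings.Put('msDS-Preferred-GC-Site', "CN=$RefreshFromSite,CN=Sites,$configNc")
    }
    $settings.SetInfo()
    return "UGMC enabled for $SiteName (cache refreshed from a GC in $RefreshFromSite)"
}

Enable-Ugmc -SiteName 'BranchOffice' -RefreshFromSite 'HeadOffice'
Test-Ugmc   -SiteName 'BranchOffice'
```

Run it with an account that can modify the Configuration partition (Enterprise Admins, or a delegated right on the site object). The change replicates like any other Configuration change, so the branch domain controller starts caching on the next refresh cycle, not instantly.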

Item: 146 (Ref:Cert-70-640.6.5.1)


You are the network administrator for Verigon Corporation, which manufactures shoes and equipment for joggers and runners. The company's network has a single domain. All domain controllers run Windows Server 2008, and all client computers run Windows Vista. You have a public key infrastructure with a subordinate enterprise Certification Authority (CA) that issues certificates on behalf of the root CA, as shown in the exhibit. (Click on the Exhibit(s) button.) You have a business application that must authenticate users via a certificate. Only the users in the global group AppUsers can access the application. You create a new certificate template for a user certificate. You grant the AppUsers group the Read, Enroll, and Autoenroll permissions. You create and link a group policy object to automatically distribute the certificates to users in the AppUsers group. Users in the AppUsers group receive an "Access Denied" error when they attempt to receive a certificate from the CA.

Copyright 2009 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.


What should you do to correct the problem?

( ) Assign the AppUsers group the Read permission on the subordinate enterprise CA.
( ) Assign the Authenticated Users group the Request Certificates permission on the subordinate enterprise CA.
( ) Change the Publish Delta CRL value to 1 hour so expired certificates for AppUsers are published in Active Directory.
( ) Change the Publish CRL Interval value to 1 hour so expired certificates for AppUsers are published in Active Directory.

Answer: Assign the Authenticated Users group the Request Certificates permission on the subordinate enterprise CA.

Explanation:
You should assign the Authenticated Users group the Request Certificates permission on the CA, or add an entry for the AppUsers group and grant it the Request Certificates permission. A user must have permission on the CA itself before the CA will accept a request, regardless of the permissions on the template. To verify this, open certsrv.msc on the CA, right-click the CA name, choose Properties, and open the Security tab. By default, Authenticated Users has the Request Certificates permission. If that default has been removed, the user requesting the certificate must be a member of some group that does have the permission; granting it to AppUsers is the narrowest fix.

In addition to the Request Certificates permission on the CA, a user who autoenrolls must have the Read, Enroll, and Autoenroll permissions on the certificate template, must be within the scope of (and have Read and Apply permissions on) the Group Policy object that turns on autoenrollment, and the template must be published on the issuing CA.

You do not need to assign the AppUsers group the Read permission on the subordinate enterprise CA. The permissions that can be delegated on a CA are Read, Issue and Manage Certificates, Manage CA, and Request Certificates:

Read - Allows users to read the CA's configuration and its database records.
Issue and Manage Certificates - Allows users to approve or deny pending certificate requests and to revoke certificates. Assigning this permission makes the user a Certificate Manager.
Manage CA - Allows users to configure and maintain the CA. Assigning this permission makes the user a CA administrator; this is a separate role from local administrator, and the CA administrator can assign all other roles and renew the CA certificate.
Request Certificates - Allows users to request certificates from the CA.

The error occurs because the AppUsers group does not have the Request Certificates permission on the CA, either directly or through another group to which its members belong, such as Authenticated Users.

You do not have to change the Publish Delta CRL setting or the Publish CRL Interval setting. These settings control how often the CA publishes its certificate revocation lists. The base CRL, published at the Publish CRL Interval, lists every revoked certificate and can become large; a delta CRL, published more frequently at the Publish Delta CRL interval, lists only the revocations since the last base CRL. Clients download the current delta CRL and combine it with the most recent base CRL to build the complete list of revoked certificates, which avoids frequent downloads of a large base CRL. Neither setting affects whether a request is accepted, and the "Access Denied" error in this scenario is not caused by a revoked certificate appearing on a CRL. The following image shows that the Authenticated Users group has the Request Certificates permission:
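The three permission checks the explanation walks through can be done from the command line on the CA. The following PowerShell is an added example, not code from the original item: it decodes the CA's own ACL (stored as a binary security descriptor in the CertSvc registry key; the access-mask bits are the ones from certca.h), lists the Enroll/Autoenroll entries on the template (both are extended rights with fixed GUIDs in the Configuration partition), and checks that the template is published on the CA. The CA name and template name are assumptions.

```powershell
# Added example: locate the source of an autoenrollment "Access Denied" by checking, in order,
# the CA's own ACL, the template's ACL, and whether the template is published on the CA.
# CA and template names are assumptions; run on the CA as an administrator.
# CA access-mask bits (certca.h): 0x1 Manage CA, 0x2 Issue and Manage Certificates,
# 0x100 Read, 0x200 Request Certificates.

$CaName          = 'Verigon Issuing CA'
$TemplateName    = 'AppUsersAuth'
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment

function Resolve-Principal([System.Security.Principal.SecurityIdentifier]$Sid) {
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Get-CaAccess([string]$Ca) {
    # The CA's security descriptor is a REG_BINARY value named Security under its configuration key.
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$Ca"
    $bytes = (Get-ItemProperty -Path $key -Name Security).Security
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $rights = @()
        if ($ace.AccessMask -band 0x1)   { $rights += 'Manage CA' }
        if ($ace.AccessMask -band 0x2)   { $rights += 'Issue and Manage Certificates' }
        if ($ace.AccessMask -band 0x100) { $rights += 'Read' }
        if ($ace.AccessMask -band 0x200) { $rights += 'Request Certificates' }
        New-Object PSObject -Property @{
            Principal = Resolve-Principal $ace.SecurityIdentifier
            Type      = $ace.AceType
            Rights    = ($rights -join ', ')
        }
    }
}

function Get-TemplateAccess([string]$Template) {
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $tmpl = [ADSI]"LDAP://CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($rule in $tmpl.psbase.ObjectSecurity.Access) {
        $rights = @()
        if ($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) { $rights += 'Read' }
        if ($rule.ObjectType -eq $EnrollRight)     { $rights += 'Enroll' }
        if ($rule.ObjectType -eq $AutoenrollRight) { $rights += 'Autoenroll' }
        if ($rights.Count -gt 0) {
            New-Object PSObject -Property @{
                Principal = $rule.IdentityReference.Value
                Type      = $rule.AccessControlType
                Rights    = ($rights -join ', ')
            }
        }
    }
}

function Test-TemplatePublished([string]$Ca, [string]$Template) {
    # The CA's pKIEnrollmentService object lists the templates it will issue.
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $svc = [ADSI]"LDAP://CN=$Ca,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
    return [bool]($svc.certificateTemplates -contains $Template)
}

Get-CaAccess $CaName             | Format-Table Principal, Type, Rights -AutoSize
Get-TemplateAccess $TemplateName | Format-Table Principal, Type, Rights -AutoSize
"Template '$TemplateName' published on '$CaName': " + (Test-TemplatePublished $CaName $TemplateName)
```

If the first table shows no AccessAllowed entry carrying Request Certificates for Authenticated Users (or for AppUsers), that is the scenario's fault; fix it on the CA's Security tab. A Deny entry for a group the users belong to produces the same symptom and is worth looking for in the same output.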

Item: 147 (Ref:Cert-70-640.4.2.10)


You are a network administrator for a company named Northern Travel. The company's network consists of a single Active Directory forest that contains five domains. The root domain is named northerntravel.com. All domains operate at the Windows Server 2003 domain functional level. You must assign access to a shared folder named Customers. The Customers folder is located on a file server named FS1 in the root domain. You create a domain local group named Confidential_Access in northerntravel.com and assign the appropriate permissions for Customers to this group. Users in each domain who require access to the Customers folder have been placed in global groups. You must define an access strategy that provides all forest users with the required access. Your solution must minimize administrative effort and network traffic. What should you do? (Choose three. Each correct answer represents a part of the solution.)
[ ] Create a new security group in the root domain.
[ ] Create a new distribution group in the root domain.
[ ] Configure the new group as a universal group, and add each global group to this group.
[ ] Configure the new group as a global group, and add each global group to this group.
[ ] Configure the new group as a local group on FS1, and add each global group to this group.
[ ] Add the new group to the Confidential_Access domain local group.

Answer: Create a new security group in the root domain. Configure the new group as a universal group, and add each global group to this group. Add the new group to the Confidential_Access domain local group.

Explanation:
You should create a new security group in the root domain and configure its scope as universal. Each global group that contains users who require access to Customers should be added to this universal group, and the universal group should then be added to the Confidential_Access domain local group (the accounts, global, universal, domain local, permissions nesting pattern).

Universal security groups can be created only in a domain operating at the Windows 2000 native domain functional level or higher; the Windows Server 2003 level in this scenario qualifies. Universal group membership is stored in the global catalog, so every change to it is replicated to every global catalog server in the forest. When the forest operates at the Windows Server 2003 forest functional level, linked-value replication replicates only the individual member values that changed rather than the whole member attribute, but the change still reaches every global catalog. To keep that traffic to a minimum, you place users in global groups and nest the global groups in the universal group. The universal group's membership is then replicated only when a global group is added to or removed from it, and you can add or remove users in the nested global groups without changing the universal group at all; those changes replicate only within the users' own domain.

You should not create a distribution group in this scenario. Distribution groups organize users for messaging purposes. A distribution group can be used to send e-mail, but it cannot appear on an access control list, so it cannot be used to assign access to resources.

You should not configure the new group as a global group. A global group can contain members only from its own domain; membership in a global group cannot span domains. Global groups are the right container for users in one domain who share the same job role or set of properties.

You should not configure the new group as a local group on FS1 and add each global group to it. Although a local group on a file server can contain global groups from other trusted domains, you cannot add a local group as a member of a domain local group. A domain local group can contain users, global groups, and universal groups from any trusted domain, and other domain local groups from its own domain, but it cannot contain a local group from a Windows NT, Windows 2000, Windows XP, Windows Server 2003, or Windows Vista computer.
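The nesting described above, carried out from the command line, as an added example that is not part of the original item. It uses the ActiveDirectory module (Windows Server 2008 R2 or the RSAT; on a plain Windows Server 2008 domain controller the same steps are dsadd group and dsmod group). Group, OU and child-domain names are assumptions, and the per-domain global groups are assumed to exist already.

```powershell
# Added example: build the access chain from the answer (accounts -> global -> universal -> domain local
# -> permissions) with the ActiveDirectory module. Names are assumptions; the global groups already exist.

Import-Module ActiveDirectory

$RootDomain   = 'northerntravel.com'
$Universal    = 'Customers_Readers_Universal'
$DomainLocal  = 'Confidential_Access'
$GroupOu      = 'OU=Groups,DC=northerntravel,DC=com'
$GlobalGroups = @(
    @{ Name = 'Customers_Readers'; Domain = 'northerntravel.com' },
    @{ Name = 'Customers_Readers'; Domain = 'europe.northerntravel.com' },
    @{ Name = 'Customers_Readers'; Domain = 'asia.northerntravel.com' }
)

function New-AccessChain {
    param([string]$Domain, [string]$UniversalName, [string]$LocalName, [string]$Path, [hashtable[]]$Globals)

    # Universal security groups need Windows 2000 native mode or higher in the group's domain.
    $mode = (Get-ADDomain -Identity $Domain).DomainMode
    if ($mode -eq 'Windows2000MixedDomain') { throw "$Domain is in mixed mode; raise it before creating universal security groups" }

    # 1. The universal security group in the root domain; its member list is stored in the global catalog.
    $ug = Get-ADGroup -Server $Domain -Filter "Name -eq '$UniversalName'"
    if (-not $ug) {
        $ug = New-ADGroup -Server $Domain -Name $UniversalName -GroupScope Universal -GroupCategory Security -Path $Path -PassThru
    }

    # 2. Nest one global group per domain. Only these few memberships replicate to every GC;
    #    adding or removing users inside the global groups later never touches the universal group.
    foreach ($g in $Globals) {
        $gg = Get-ADGroup -Server $g.Domain -Identity $g.Name    # fetched from its own domain
        Add-ADGroupMember -Server $Domain -Identity $ug -Members $gg
    }

    # 3. The domain local group that carries the share/NTFS permissions gets the universal group as a member.
    Add-ADGroupMember -Server $Domain -Identity $LocalName -Members $ug

    # Return the first-level membership of the domain local group for review.
    Get-ADGroupMember -Server $Domain -Identity $LocalName | Select-Object Name, objectClass, distinguishedName
}

New-AccessChain -Domain $RootDomain -UniversalName $Universal -LocalName $DomainLocal -Path $GroupOu -Globals $GlobalGroups
```

The domain-mode check matters in mixed-mode forests: New-ADGroup with -GroupScope Universal -GroupCategory Security simply fails there, and a universal distribution group would not be usable on the ACL.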

Item: 148 (Ref:Cert-70-640.4.6.7)


Your company's corporate network consists of a single Active Directory domain in which all domain controllers run Windows Server 2008. You are the network administrator. The company's written security policy dictates that all user passwords be changed every 45 days. All users, including administrators, must comply with this requirement. You configure the appropriate password policy in a new Group Policy object (GPO) that is linked to the domain. All users are now periodically prompted to change their passwords. Three months later, you perform maintenance on a domain controller; you restart it in Directory Services Restore Mode (DSRM) and notice that the administrative password is still valid. You must change the DSRM password on that domain controller.


What should you do?

( ) Use Computer Management to reset the password for the local Administrator account.
( ) Use the Ntdsutil utility to reset the DSRM password.
( ) Configure the password policy in the Default Domain Policy GPO.
( ) Configure the password policy in the Default Domain Controllers Policy GPO.

Answer: Use the Ntdsutil utility to reset the DSRM password.

Explanation:
DSRM is a special mode in which a domain controller is started as a stand-alone computer with the Active Directory directory service not running. It is used to troubleshoot or perform maintenance on the Active Directory database. During Active Directory installation, the administrator sets the password that must be provided to log on to the computer in DSRM; this DSRM Administrator account lives in the domain controller's local SAM, not in Active Directory. To reset this password, use the Ntdsutil command-line utility (set dsrm password, then reset password on server null for the local domain controller, or a server name for a remote one) while the domain controller is running normally. The DSRM password cannot be reset while the computer is started in DSRM. Because it is a standing credential that domain password policies never touch, the DSRM password should be rotated on the same schedule as other administrative passwords, which is exactly the gap the scenario describes.

You cannot use the password policy in the Default Domain Policy GPO or the Default Domain Controllers Policy GPO to change the DSRM password. Password policies in GPOs define length, complexity, and maximum age requirements for domain accounts; they cannot set a password, and they have no effect on the DSRM password because that account is not a domain account. In Windows Server 2008, you can also define different password and account lockout policies for different sets of users in a domain with fine-grained password policies (password settings objects), but these apply only to user objects and global security groups and require the Windows Server 2008 domain functional level; they do not affect the DSRM password either.

You should not use Computer Management to reset the password for the local Administrator account. There are no manageable local user accounts on a domain controller, so the Local Users and Groups node does not appear in Computer Management when the console is connected to a domain controller.
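The reset itself is a one-line ntdsutil invocation, but the check worth doing alongside it is the DsrmAdminLogonBehavior value, which controls when the DSRM account can be used (Windows Server 2008 R2, and Windows Server 2008 with the corresponding hotfix). The following PowerShell is an added example and is not part of the original item; it assumes you are running on the domain controller whose password you want to reset.

```powershell
# Added example: reset the DSRM password with ntdsutil while AD DS is running, then report the
# DsrmAdminLogonBehavior setting. ntdsutil accepts its menu commands as arguments, so only the new
# password itself is typed at the prompt. "null" targets the local DC; a DC name targets a remote one.

function Reset-DsrmPassword {
    param([string]$Server = 'null')
    # Output is deliberately not captured: ntdsutil prompts interactively for the new password (twice).
    & ntdsutil.exe 'set dsrm password' "reset password on server $Server" quit quit
}

function Get-DsrmLogonBehavior {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    if ($value -eq $null) { $value = 0 }    # an absent value behaves like 0
    switch ([int]$value) {
        0       { '0: DSRM account usable only when the DC is booted into DSRM' }
        1       { '1: DSRM account also usable while AD DS is stopped (Restartable AD DS)' }
        2       { '2: DSRM account usable at any time, including over the network; rotate it like a domain admin credential' }
        default { "unexpected value $value" }
    }
}

Reset-DsrmPassword          # local DC; pass -Server DC2 to reset a remote DC's DSRM password
Get-DsrmLogonBehavior
```

A value of 2 turns a forgotten DSRM password into a permanent, policy-exempt administrator logon on that domain controller; if you find it set, either justify it or set it back to 0 and rotate the password.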

Item: 149 (Ref:Cert-70-640.3.1.1)


You administer a server named Server1 that runs Windows Server 2008. Server1 has the Active Directory Lightweight Directory Services (AD LDS) role installed. You install an instance of AD LDS named HRApp1 on Server1 to provide Active Directory data to an application used by the human resource department. To organize AD LDS users, you want to create a new Organizational Unit (OU) in the AD LDS application directory partition. Which two tools can you use to perform the required task? (Choose two. Each correct answer represents a complete solution.)
[ ] Dsadd.exe
[ ] Dsmod.exe
[ ] Adsiedit.msc
[ ] Ntdsutil.exe

Answer: Dsadd.exe, Adsiedit.msc

Explanation:
You can use both Dsadd.exe and Adsiedit.msc to create a new OU in the AD LDS application directory partition. AD LDS is typically used to store information about users, organizations, and the groups they belong to, and Lightweight Directory Access Protocol (LDAP)-based directories, such as Active Directory Domain Services (AD DS) and AD LDS, most commonly use OUs to keep users and groups organized.

Active Directory Service Interfaces Editor (ADSI Edit) is a low-level editor for AD DS and AD LDS. It can be used to view, modify, create, and delete any object in AD DS and AD LDS; to work with an AD LDS instance you connect it to the server name and the LDAP port of the instance rather than to a domain.

Dsadd.exe is a command-line tool built into Windows Server 2008; it is installed with the AD DS server role and with the AD LDS server role. Run Dsadd from an elevated command prompt. The Dsadd ou command adds a single OU to the directory and uses this syntax:

Dsadd ou <OrganizationalUnitDN>

<OrganizationalUnitDN> is a required parameter that specifies the distinguished name of the OU to add. To target an AD LDS instance rather than a domain controller, also supply the -s parameter with the instance's server name and port (server:port); without it, Dsadd connects to a domain controller in the computer's domain.

You cannot use Dsmod.exe to create a new OU in the AD LDS application directory partition. Dsmod.exe is a command-line tool built into Windows Server 2008 that modifies an existing object of a given type in the directory; it does not create objects.

You cannot use Ntdsutil.exe to create a new OU in the AD LDS application directory partition. Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services. It can be used to perform AD DS database maintenance, to manage and control operations master (single master) roles, and to remove metadata left behind by domain controllers that were removed from the network without being properly demoted. For AD LDS, the equivalent database maintenance tool is Dsdbutil.exe.
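Both correct answers, carried out against an AD LDS instance, as an added example that is not part of the original item. The instance's LDAP port (50000) and application partition (O=HRApp,C=US) are assumptions, since the question gives neither. The second half does through ADSI in script what Adsiedit.msc does behind its dialog boxes.

```powershell
# Added example: create OUs in the HRApp1 AD LDS instance with dsadd and with ADSI, then list them.
# Port and partition name are assumptions. Dsadd needs the instance's server:port (-s); without it,
# the command is sent to a domain controller instead of the AD LDS instance.

$Server    = 'Server1'
$Port      = 50000
$Partition = 'O=HRApp,C=US'
$LdapBase  = "LDAP://${Server}:${Port}/$Partition"

# 1. dsadd ou: -desc and -s are documented dsadd parameters.
& dsadd.exe ou "OU=HR Users,$Partition" -desc 'HRApp1 application users' -s "${Server}:${Port}"
if ($LASTEXITCODE -ne 0) { throw "dsadd ou failed with exit code $LASTEXITCODE" }

# 2. The same operation through ADSI (what Adsiedit.msc does).
function New-AdLdsOu {
    param([string]$ParentPath, [string]$Name, [string]$Description)
    $parent = [ADSI]$ParentPath
    $ou = $parent.Create('organizationalUnit', "OU=$Name")
    $ou.Put('description', $Description)
    $ou.SetInfo()
    return $ou.psbase.Path    # ADsPath of the new object
}
New-AdLdsOu -ParentPath $LdapBase -Name 'HR Groups' -Description 'HRApp1 application groups'

# 3. Verify: enumerate the OUs directly under the partition head.
function Get-AdLdsOus {
    param([string]$SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase, '(objectClass=organizationalUnit)')
    $searcher.SearchScope = 'OneLevel'
    foreach ($r in $searcher.FindAll()) { $r.Properties['distinguishedname'][0] }
}
Get-AdLdsOus -SearchBase $LdapBase
```

Dsmod would fail at step 1 with an "object not found" style error because the OU does not exist yet, which is the practical difference the question is testing.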

Item: 150 (Ref:Cert-70-640.5.2.6)


You are the network administrator for your company. All servers on the network run Windows Server 2008. A server named Srv1 is configured as a domain controller. You have configured a scheduled backup to be performed every day on Srv1. Over a period of time, users report that searching resources in the Active Directory takes longer and longer. What should you do to resolve this problem?
( ) Perform an online defragmentation of the AD DS database.
( ) Perform an offline defragmentation of the AD DS database.
( ) Stop and then restart the AD DS service.
( ) Restart the domain controller.

Answer: Perform an offline defragmentation of the AD DS database.

Explanation:
You should perform an offline defragmentation of the AD DS database. Offline defragmentation compacts the database and is the only form of defragmentation that actually shrinks Ntds.dit; it writes a new, compacted copy of the database file to a different location, which you then copy back over the original. In Windows Server 2008 you can do this without restarting the domain controller in Directory Services Restore Mode, because the Restartable AD DS feature lets you stop the Active Directory Domain Services service, perform the maintenance, and start the service again.

The procedure is: stop the Active Directory Domain Services service; at the Ntdsutil file maintenance prompt (reached with activate instance ntds, then files), run the Compact to command, specifying a folder on the local computer or a shared folder on a remote computer; if compaction completes successfully, delete all of the log files in the log directory with Del drive:\pathToLogFiles\*.log; copy the compacted Ntds.dit over the original file; run an integrity check on the database from the same file maintenance prompt; and, if the integrity check succeeds, start the AD DS service. Keep a copy of the original Ntds.dit (or a current system state backup) until the integrity check has passed, so that a failed compaction can be rolled back.

You should not perform an online defragmentation of the AD DS database. Like any database that is used for a long time, the directory database becomes fragmented, and fragmentation slows its responses to queries, which is why it should be defragmented regularly. Active Directory already performs online defragmentation automatically as part of the garbage collection process, every 12 hours by default. Online defragmentation does not reduce the size of the database file; it optimizes data storage within the file and reclaims space inside the database for new objects. Because it is already happening on a schedule, it will not resolve this problem.

You should not stop and then restart the AD DS service or restart the domain controller. The problem in this scenario is a fragmented AD DS database, and neither restarting the AD DS service nor restarting the domain controller defragments it.
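The whole sequence above, scripted around the Restartable AD DS feature, as an added example that is not part of the original item. It reads the database and log paths from the NTDS registry key instead of assuming C:\Windows\NTDS; the compaction folder is an assumption. Take a system state backup before running it, and be aware that while NTDS is stopped this domain controller cannot authenticate anyone, so do it on a domain controller that is not the only one in its site.

```powershell
# Added example: offline defragmentation of ntds.dit with Restartable AD DS.
# Steps: stop NTDS -> ntdsutil "compact to" -> keep original, swap in compacted file, drop logs ->
# ntdsutil "integrity" -> start NTDS. On a failed integrity check the original database is put back.
# $CompactDir is an assumption; it needs at least as much free space as ntds.dit.

$CompactDir = 'D:\NTDSCompact'

function Invoke-NtdsOfflineDefrag {
    param([string]$Destination)
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbFile = $params.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
    $logDir = $params.'Database log files path'    # e.g. C:\Windows\NTDS
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }

    Stop-Service NTDS -Force    # -Force also stops the dependents (KDC, DNS, ISM, DFSR/FRS)
    try {
        $out = & ntdsutil.exe 'activate instance ntds' files "compact to $Destination" quit quit 2>&1
        $compacted = Join-Path $Destination 'ntds.dit'
        if (-not (Test-Path $compacted)) { throw "compaction produced no file; ntdsutil said:`n$($out -join "`n")" }

        Copy-Item $dbFile "$dbFile.pre-compact" -Force     # keep the original until integrity passes
        Remove-Item (Join-Path $logDir '*.log') -Force     # old logs do not belong to the new database
        Copy-Item $compacted $dbFile -Force

        $check = & ntdsutil.exe 'activate instance ntds' files integrity quit quit 2>&1
        if (-not ($check -match 'Integrity check successful')) {
            Copy-Item "$dbFile.pre-compact" $dbFile -Force
            throw "integrity check failed, original database restored:`n$($check -join "`n")"
        }
        Remove-Item "$dbFile.pre-compact" -Force
        return "compacted $dbFile, now $((Get-Item $dbFile).Length) bytes"
    } finally {
        Start-Service NTDS      # bring AD DS back whether or not the compaction was kept
    }
}

Invoke-NtdsOfflineDefrag -Destination $CompactDir
```

The integrity check is matched on ntdsutil's own "Integrity check successful" message rather than on its exit code, because the exit code does not reliably reflect the result of the sub-command.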

Item: 151 (Ref:Cert-70-640.1.2.2)


You are the network administrator for the Nutex corporation. The Nutex corporation has its main office in Atlanta, where you work, and has branch offices in New Orleans, Birmingham, Knoxville, and Charlotte. Nutex has a single Active Directory domain and each office is configured as a separate Active Directory site. All DNS servers are located on domain controllers in each office and contain an Active Directory-integrated zone named nutex.com. The domain controllers in the company are a mixture of Windows Server 2008, Windows Server 2003, and Windows 2000 Server operating systems. Nutex has enrolled employees at each branch office in online training classes provided by Kaplan IT. However, they are having problems downloading the materials from the Kaplan IT Web site. In an effort to resolve queries to kaplanit.com, you create a conditional forwarder on the DNS server in the Atlanta office, as shown in the exhibit. (Click on the Exhibit(s) button.) DNS administrators in the other offices complain that the conditional forwarder setting is not configured on the DNS servers of their respective offices. What should you configure?
( ) Increase the Number of seconds before forward queries time out to 15.
( ) Use Repadmin to force replication between each site.
( ) Configure the conditional forwarder setting to replicate to All DNS servers in the domain.
( ) Configure the conditional forwarder setting to replicate to All domain controllers in this domain.

Answer: Configure the conditional forwarder setting to replicate to All domain controllers in this domain.


Explanation:
You should configure the conditional forwarder setting to replicate to All domain controllers in this domain. A conditional forwarder forwards queries for a specific domain name to specific DNS servers; in this scenario, all queries for kaplanit.com are forwarded to the IP address 206.17.132.250. A conditional forwarder created with the defaults is a local setting of the DNS server on which it was created. For the other offices' DNS servers to receive it, you must select Store this conditional forwarder in Active Directory, and replicate it as follows: and choose a replication scope:

All DNS servers in this forest: Stores the forwarder in the ForestDnsZones application directory partition and replicates it to all DNS servers in the forest that are domain controllers running Windows Server 2003 or Windows Server 2008. It does not replicate to DNS servers on Windows 2000 Server domain controllers, because they cannot host application directory partitions.
All DNS servers in this domain: Stores the forwarder in the DomainDnsZones application directory partition and replicates it to all DNS servers in the domain that are domain controllers running Windows Server 2003 or Windows Server 2008. It does not replicate to DNS servers on Windows 2000 Server domain controllers.
All domain controllers in this domain: Stores the forwarder in the domain partition and replicates it to every domain controller in the domain, whether or not it runs DNS. Use this scope when some DNS servers are Windows 2000 Server domain controllers.

Because the domain controllers in this company are a mixture of Windows Server 2008, Windows Server 2003, and Windows 2000 Server, and some of the DNS servers may be Windows 2000 Server domain controllers, you should select All domain controllers in this domain.

You should not configure the conditional forwarder setting to replicate to All DNS servers in the domain. This scope replicates only to DNS servers that are Windows Server 2003 or Windows Server 2008 domain controllers and would leave any Windows 2000 Server DNS servers without the forwarder.

You should not increase the Number of seconds before forward queries time out value to 15. This setting only changes how long the server waits for an answer to a forwarded query; it does not cause the forwarder to be replicated through Active Directory.

You should not use Repadmin to force replication between each site. Repadmin.exe is a command-line tool for diagnosing and controlling replication between domain controllers, and Active Directory replication is not the problem here: the forwarder was never stored in Active Directory, so there is nothing for replication to carry. Select Store this conditional forwarder in Active Directory, and replicate it as follows: with the All domain controllers in this domain scope.
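The same change made with dnscmd, which ships with the DNS Server role on Windows Server 2008, as an added example that is not part of the original item. In dnscmd the three scopes are selected with /dp: /dp /legacy is the domain partition ("All domain controllers in this domain"), /dp /domain and /dp /forest are the two application-partition scopes. Server names are assumptions; the forwarder target 206.17.132.250 is the address used in the scenario.

```powershell
# Added example: create the kaplanit.com conditional forwarder stored in the domain partition, then
# verify it on a DC in another site. Server names are assumptions. If your build's dnscmd spells the
# scope switch differently, "dnscmd /zoneadd /?" shows the exact form.

$HubDns    = 'ATL-DC1.nutex.com'
$BranchDns = 'NOLA-DC1.nutex.com'
$Zone      = 'kaplanit.com'
$Target    = '206.17.132.250'

function New-ReplicatedForwarder {
    param([string]$Server, [string]$ZoneName, [string]$MasterIP)
    & dnscmd.exe $Server /zoneadd $ZoneName /dsforwarder $MasterIP /dp /legacy
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /zoneadd failed on $Server (exit $LASTEXITCODE)" }
}

function Get-ForwarderInfo {
    param([string]$Server, [string]$ZoneName)
    # /zoneinfo returns a non-zero exit code when the zone does not exist on that server
    $info = & dnscmd.exe $Server /zoneinfo $ZoneName 2>&1
    New-Object PSObject -Property @{
        Server  = $Server
        Present = ($LASTEXITCODE -eq 0)
        Detail  = (($info | Where-Object { $_ -match 'zone type|DS integrated|partition|master' }) -join '; ')
    }
}

New-ReplicatedForwarder -Server $HubDns -ZoneName $Zone -MasterIP $Target
# The forwarder reaches branch DCs on the normal replication schedule; push now to check sooner.
& repadmin.exe /syncall $BranchDns /APed | Out-Null
Get-ForwarderInfo -Server $HubDns    -ZoneName $Zone
Get-ForwarderInfo -Server $BranchDns -ZoneName $Zone
```

Present = True on the branch server with a partition line in Detail confirms the forwarder arrived through Active Directory; a forwarder that shows only on the hub is the scenario's symptom, a server-local setting.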

Item: 152 (Ref:Cert-70-640.4.2.4)


You are the administrator for a company that makes golf equipment. Your company hires seasonal workers who work on site twice a year, during the spring and fall seasons. You create user accounts for 12 seasonal employees. You want to ensure that the employees are not able to access resources in the domain during the periods when they are not actively employed by the company. What should you do?
( ) In Active Directory Users and Computers, select Find from the Action menu and create an LDAP query that will return the seasonal user accounts. Select all of the user accounts returned by the query and simultaneously set an expiration date.
( ) At the end of the spring or fall season, use Active Directory Users and Computers, select Find from the Action menu, and create an LDAP query that will return the seasonal user accounts. Select all of the user accounts returned by the query and lock their accounts.
( ) Create a comma-delimited file for the seasonal accounts. Configure an expiration date for the accounts in the file. Use the CSVDE utility to import the file.
( ) At the end of the spring or fall season, create a comma-delimited file for the seasonal accounts. Configure the accounts to be locked. Use the CSVDE utility to import the file.

Answer: In Active Directory Users and Computers, select Find from the Action menu and create an LDAP query that will return the seasonal user accounts. Select all of the user accounts returned by the query and simultaneously set an expiration date.

Explanation:
You should create a Lightweight Directory Access Protocol (LDAP) query in Active Directory Users and Computers by selecting Find from the Action menu and building a query that returns the seasonal user accounts. You then select all of the accounts returned by the query and set the expiration date in the properties of all of them at once. The accounts stop working at the expiration date without any further action, so the employees cannot access domain resources once they are no longer employed, and the same procedure sets a new date when they return.

You cannot use an LDAP query to return the seasonal user accounts and then lock the accounts. There is no setting to lock an account. An account becomes locked only when a user fails to type the correct password the number of times configured in the account lockout policy; depending on that policy, the lockout lasts for a set period, such as 30 minutes, or until an administrator unlocks the account. You could disable the accounts manually instead, but unlike an expiration date, that requires someone to act at the end of each season.

You should not use the CSVDE utility to change the settings of existing accounts. CSVDE imports a comma-delimited file into Active Directory, but it can only create new objects; it cannot modify existing ones. (LDIFDE can modify existing objects, but it is not among the options.)
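The same bulk change done from the command line, with a status check that shows why "lock" is not something you can set, as an added example that is not part of the original item. It uses the ActiveDirectory module (Windows Server 2008 R2 or the RSAT). The employeeType=Seasonal marker in the LDAP filter is an assumption; the scenario does not say how the seasonal accounts are distinguished.

```powershell
# Added example: set an expiration date on every account matching an LDAP filter, then report
# Enabled / LockedOut / AccountExpirationDate for them. Filter marker and date are assumptions.

Import-Module ActiveDirectory

$SeasonalFilter = '(&(objectCategory=person)(objectClass=user)(employeeType=Seasonal))'
# accountExpires is an instant, not a day: to let people work through 30 June, expire at 00:00 on 1 July.
$ExpireAt = [datetime]'2009-07-01 00:00'

function Set-SeasonalExpiry {
    param([string]$LdapFilter, [datetime]$ExpiresOn)
    $accounts = @(Get-ADUser -LDAPFilter $LdapFilter)
    foreach ($u in $accounts) {
        Set-ADAccountExpiration -Identity $u -DateTime $ExpiresOn
    }
    return $accounts.Count
}

function Get-SeasonalStatus {
    param([string]$LdapFilter)
    # LockedOut is read-only state produced by bad-password attempts; AccountExpirationDate is the
    # administrator-controlled value. Enabled is the other switch you could flip, but only by hand.
    Get-ADUser -LDAPFilter $LdapFilter -Properties AccountExpirationDate, LockedOut |
        Select-Object SamAccountName, Enabled, LockedOut, AccountExpirationDate
}

$changed = Set-SeasonalExpiry -LdapFilter $SeasonalFilter -ExpiresOn $ExpireAt
"Expiration set on $changed seasonal account(s)"
Get-SeasonalStatus -LdapFilter $SeasonalFilter | Format-Table -AutoSize
```

When the workers return, run Set-SeasonalExpiry again with the end of the next season; clearing the date with Clear-ADAccountExpiration would leave the accounts valid indefinitely, which is the state the question is trying to avoid.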

Item: 153 (Ref:Cert-70-640.4.4.7)


You are the network administrator of a company that manufactures golf equipment. Your company's network has a single domain. All domain controllers run Windows Server 2008. The forest and domain functional levels are set at Windows Server 2003. You have Group Policy Objects (GPOs) deployed in your domain that configure folder redirection for all users in the domain. Your company purchases a company that manufactures bowling equipment. This company's network also has a single domain. All domain controllers run Windows Server 2008, and the forest and domain functional levels are set at Windows Server 2003. You back up (export) a Group Policy Object (GPO) from the golf company's domain. You want to import the settings of this GPO into a GPO in the bowling company's domain. How can you retain the settings from the golf company's GPO with the least amount of administrative effort?

( ) Use the CreateGPO.wsf script to import the settings.
( ) Use the ImportGPO.wsf script to import the settings.
( ) Create a two-way trust between the domains. Use the CreateGPO.wsf script to import the settings.
( ) Create a two-way trust between the domains. Use the ImportGPO.wsf script to import the settings.

Answer: Use the ImportGPO.wsf script to import the settings.

Explanation:
You should use the ImportGPO.wsf script (one of the GPMC sample scripts, run with cscript) to import the settings of the backed-up GPO into a GPO in the bowling company's domain. ImportGPO.wsf takes a GPO backup and imports its settings into a specified target GPO. A trust between the domains is not needed, even though they are in different forests: you need read access to the backup location and the right to edit (or create) GPOs in the destination domain. The syntax of the script is:

ImportGPO.wsf <BackupLocation> <BackupID> [TargetGPO] [/MigrationTable:<FilePath>] [/CreateIfNeeded] [/Domain:<DNSDomainName>]

You can use the GPO name or the GPO ID for the BackupID parameter; if multiple backups of that GPO exist, this imports the most recent one. To import an earlier backup, specify the unique backup ID, the string that identifies one backup within its backup directory; run QueryBackupLocation.wsf against the backup location to list the backup IDs of all the GPOs stored there. TargetGPO names the GPO into which the settings are imported. The optional MigrationTable switch maps security principals and UNC paths from the source domain to their equivalents in the destination domain; because folder redirection settings contain UNC paths (and may contain security principals), a migration table is what makes the imported GPO usable in the bowling company's domain instead of pointing at the golf company's servers. The CreateIfNeeded switch creates the target GPO if it does not exist, and Domain names the destination domain. For this scenario:

ImportGPO.wsf f:\backup GolfGPO BowlingGPO /CreateIfNeeded /Domain:<DNSDomainName>

You should not use the CreateGPO.wsf script. This script only creates a new, empty GPO; it does not import settings from a backup.

You do not need to create a two-way trust between the domains (or forests). As long as you have read access to the backup location and the necessary permissions in the destination domain, you can import the GPO with ImportGPO.wsf.
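The import run the way the GPMC sample scripts are actually invoked (cscript against the .wsf file), with a migration table so that the UNC paths and any security principals inside the folder-redirection GPO are re-mapped to the bowling domain. This is an added example, not part of the original item. Paths, GPO names, the domain name and the scripts folder are assumptions; on Windows Server 2008 the sample scripts are a separate download rather than part of the GPMC feature.

```powershell
# Added example: list the backups in a folder, then import one GPO backup into another domain's GPO
# with ImportGPO.wsf. All names and paths are assumptions.

$ScriptsDir = 'C:\Program Files\Microsoft Group Policy\GPMC Sample Scripts'
$BackupDir  = 'F:\GPOBackup'
$SourceGpo  = 'Golf Folder Redirection'
$TargetGpo  = 'Bowling Folder Redirection'
$TargetDom  = 'bowling.example'
$MigTable   = 'F:\GPOBackup\golf-to-bowling.migtable'   # built with the GPMC Migration Table Editor

function Get-GpoBackupIds {
    param([string]$Location)
    # Lists every backup in the folder with its backup ID (GUID), GPO name and timestamp,
    # so a specific backup, not just the newest, can be chosen if needed.
    & cscript.exe //nologo (Join-Path $ScriptsDir 'QueryBackupLocation.wsf') $Location
}

function Import-GpoBackup {
    param([string]$Location, [string]$BackupId, [string]$Target, [string]$Domain, [string]$MigrationTable)
    $argList = @($Location, $BackupId, $Target, "/MigrationTable:$MigrationTable", '/CreateIfNeeded', "/Domain:$Domain")
    & cscript.exe //nologo (Join-Path $ScriptsDir 'ImportGPO.wsf') @argList
    if ($LASTEXITCODE -ne 0) { throw "ImportGPO.wsf failed (exit $LASTEXITCODE)" }
}

Get-GpoBackupIds -Location $BackupDir | Where-Object { $_ -match [regex]::Escape($SourceGpo) }
# BackupId may be the GPO name (newest backup of that GPO) or an exact backup GUID from the listing above.
Import-GpoBackup -Location $BackupDir -BackupId $SourceGpo -Target $TargetGpo -Domain $TargetDom -MigrationTable $MigTable
```

On Windows Server 2008 R2 and later, the GroupPolicy module's Import-GPO cmdlet (-BackupGpoName, -Path, -TargetName, -MigrationTable, -CreateIfNeeded, -Domain) does the same job without the sample scripts. Whichever you use, review the imported GPO's folder redirection targets before linking it; an unmapped UNC path would send the bowling users' folders to the golf company's file server.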

Item: 154 (Ref:Cert-70-640.1.3.5)


You are the network administrator for your company, which has a main office and a branch office. The company's network consists of a single Active Directory domain. You install Domain Name System (DNS) on a Windows Server 2008 computer in the main office, named DNS1, which contains the primary zone. You also install a UNIX DNS server in the branch office. You want to prevent interoperability-related problems between the DNS servers in each office. What should you do?

( ) Select the BIND secondaries option in the Server options list on the Advanced tab in the properties sheet for DNS1.
( ) Clear the BIND secondaries option in the Server options list on the Advanced tab in the properties sheet for DNS1.
( ) Clear the Enable round robin option in the Server options list on the Advanced tab in the properties sheet for DNS1.
( ) Clear the Enable netmask ordering option in the Server options list on the Advanced tab in the properties sheet for DNS1.

Answer: Select the BIND secondaries option in the Server options list on the Advanced tab in the properties sheet for DNS1.

Explanation:
You should select the BIND secondaries option in the Server options list on the Advanced tab of the properties sheet for DNS1. Windows Server 2008 DNS supports two kinds of zone transfer: full zone transfer (AXFR), in which the entire zone is sent, and incremental zone transfer (IXFR), in which only the records that changed are sent. For full transfers there are also two wire formats: the older one places a single resource record in each message, and the fast zone transfer format packs multiple records into each message and compresses them. Windows Server 2008 DNS uses the fast format by default. Berkeley Internet Name Domain (BIND) versions before 4.9.4, and other servers that implement only the older format, such as Windows NT 4.0 DNS, cannot process fast zone transfers, so a secondary running such software fails to receive the zone. Selecting BIND secondaries makes DNS1 send transfers in the one-record-per-message format, which lets it transfer the zone to secondaries running BIND releases earlier than 4.9.4. A current BIND release supports the fast format and does not need this setting; enabling it costs only transfer efficiency, so it is the safe choice when you do not control the secondary's version.

You should not clear the BIND secondaries option. Clearing it (the default) enables the fast zone transfer format, which secondaries running BIND releases earlier than 4.9.4 do not support.

You should not clear the Enable round robin option. Round robin is a simple load-balancing mechanism in which the server rotates the order of multiple A records for the same name in successive responses. It has no effect on zone transfers or on interoperability with a UNIX DNS server.

You should not clear the Enable netmask ordering option. Netmask ordering (subnet prioritization) causes the server, when a name has multiple addresses, to place first any address on the same subnet as the client. It, too, has no effect on zone transfers or on interoperability with a UNIX DNS server.

Item: 155 (Ref:Cert-70-640.2.4.12)


You are the network administrator for your company. Your account is a member of the Enterprise Admins, Domain Admins, and Schema Admins groups. You have three sites in three different cities as shown in the exhibit. You have moved some user accounts from the Lost and Found Organizational Unit (OU) to the Accounting OU on DC3. You have an assistant, a user named Jeff, who has been delegated permissions in Site2 to use Active Directory Sites and Services to force replication to other directory partitions. Jeff receives the following error: "Access Denied". The replication fails. The Active Directory information must be replicated. What can you do to force replication to other directory partitions?

- Have Jeff use Rsnotify.
- Use Rsnotify yourself to force replication.
- Have Jeff use Repadmin to force replication.
- Use Repadmin yourself to force replication.

Answer: Use Repadmin yourself to force replication.

Explanation:
Since your account is a member of the Enterprise Admins group, you should use Repadmin to force replication yourself rather than have Jeff do it. In this scenario, Jeff used Active Directory Sites and Services on DC3 to force replication. Active Directory Sites and Services initiates replication of all common directory partitions between DC3 and its replication partners. Jeff can force manual replication only of the partitions on which he has been granted the Replication Synchronization permission. Replication of the other directory partitions, for which Jeff does not hold that permission, fails with the "Access Denied" error. A member of Enterprise Admins holds the Replication Synchronization permission on every partition in the forest. You can use the Repadmin command-line tool to force replication of a specific directory partition between specific domain controllers. (Replmon, the graphical Active Directory Replication Monitor from the Windows Server 2003 Support Tools, is not included with Windows Server 2008.) Neither you nor Jeff should use Rsnotify to force replication. Rsnotify is the Remote Storage recall notification program on Windows operating systems; it has nothing to do with directory replication.
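The following session, added here as an example and not part of the Transcender explanation, shows how an Enterprise Admin would do what Jeff could not: check who holds the Replication Synchronization right on the domain partition, force the domain partition out from DC3, and confirm the moved accounts arrived on a partner. DC3 and the Accounting OU come from the question; the domain name contoso.com and the partner name DC1 are assumptions.

```powershell
# Added example (not from the original explanation). Run on a domain-joined machine with the
# Windows Server 2008 administrative tools, as a member of Enterprise Admins.
# Assumed names: domain contoso.com, destination partner DC1. DC3 and Accounting are from the question.
$sourceDc  = 'DC3'
$partnerDc = 'DC1'
$domainNc  = 'DC=contoso,DC=com'
$accounting = "OU=Accounting,$domainNc"

# 1. Why did Jeff get "Access Denied"? Forcing replication of a partition requires the
#    Replication Synchronization control access right on that partition's head object.
#    This lists every ACE on the domain partition that grants it.
dsacls $domainNc | Select-String 'Replication Synchronization'

# 2. Current state: DC3's inbound partners and the last success/failure for each partition.
repadmin /showrepl $sourceDc

# 3. Push the domain partition from DC3 to all of its partners, including partners in other
#    sites (/e). /d prints partners by distinguished name, /P pushes instead of pulling.
repadmin /syncall $sourceDc $domainNc /e /d /P

# 4. Alternatively, pull one partition from one source to one destination.
repadmin /replicate $partnerDc $sourceDc $domainNc

# 5. Verify the move propagated: query the Accounting OU on the partner, not on DC3.
dsquery user $accounting -s $partnerDc -limit 0

# 6. Forest-wide summary of replication failures after the forced sync.
repadmin /replsummary
```

Step 3 is the Enterprise Admin equivalent of what Jeff attempted in the console; if step 1 shows that Jeff's account holds the right only on the domain partition, the failures he saw came from the configuration and schema partitions that Active Directory Sites and Services synchronizes in the same operation.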

Item: 156 (Ref:Cert-70-640.3.3.6)


You are the systems administrator for your company. The company has a main office and a branch office, and each office has its own Active Directory domain in a single forest. The branch office network contains a read-only domain controller (RODC) that is configured to cache passwords for all domain users. A user named Adam is moving to the main office from the branch office. You want to clear Adam's user account password that is cached on the RODC. What should you do?

- Delete Adam's user account from the Password Replication Policy tab in the properties dialog box for the RODC.
- Add Adam's user account to the Denied List in the Password Replication Policy.
- Select the User must change password at next logon option in the properties dialog box for Adam's user account.
- Reset the password for Adam's user account.

Answer: Reset the password for Adam's user account.

Explanation:
You should reset the password for Adam's user account. Credential caching is the storage of user or computer credentials (password secrets) on an RODC. The Password Replication Policy (PRP), configured on a writable domain controller, specifies which accounts' passwords an RODC is allowed to cache. When a user's credentials are cached, the RODC can service that user's logon request itself instead of forwarding it to a writable domain controller across the WAN. Active Directory Domain Services (AD DS) also maintains, for each RODC, a list of the accounts whose credentials have been replicated to it, so that if the RODC is ever stolen or otherwise compromised, an administrator can reset the passwords of every account on that list. Resetting a user's password is the supported way to invalidate the copy cached on an RODC: the RODC holds only the old secret, which no longer matches the account's current password, and the new password is not cached again unless the PRP still allows it and the user authenticates through the RODC. You should not delete Adam's user account from the Password Replication Policy tab in the properties dialog box for the RODC, or add Adam's user account to the Denied List in the Password Replication Policy. The Password Replication Policy tab lists the security principals whose passwords are allowed or denied for replication to the RODC; only passwords of accounts in the Allow list, and not in the Deny list, can be replicated. Changing the policy prevents future caching, but it does not remove the secret that is already stored on the RODC, and in this scenario Adam's password is already cached there. Therefore, to clear the cached password, you should reset the password for Adam's user account. You should not select the User must change password at next logon option in the properties dialog box for Adam's user account. This option forces Adam to choose a new password the next time he logs on to the domain, but until he does so the cached password remains valid. The mechanism to securely clear a given user's cached password on an RODC is to reset the password.
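The command sequence below is an added example, not part of the Transcender explanation: it shows how an administrator on a writable domain controller inspects the credentials an RODC holds, resets the user's password, and stops the RODC from caching that user again. The RODC name BRANCH-RODC1 and Adam's distinguished name are assumptions; only Adam and the branch RODC come from the question.

```powershell
# Added example (not from the original explanation). Run on a writable DC or an admin
# workstation with the Windows Server 2008 tools, as a Domain Admin of the branch domain.
# Assumed names: RODC BRANCH-RODC1, account CN=Adam,OU=Branch Users,DC=branch,DC=contoso,DC=com.
$rodc   = 'BRANCH-RODC1'
$adamDn = 'CN=Adam,OU=Branch Users,DC=branch,DC=contoso,DC=com'

# 1. Which accounts' secrets does this RODC currently hold? This is the per-RODC list that
#    AD DS maintains and that you would work through after a compromise.
repadmin /prp view $rodc reveal

# 2. Which accounts have authenticated through this RODC (the candidates for caching)?
repadmin /prp view $rodc auth2

# 3. Reset Adam's password. '*' makes dsmod prompt for it instead of placing it on the command
#    line (and in the shell history). The secret cached on the RODC is now stale.
dsmod user $adamDn -pwd * -mustchpwd yes

# 4. Adam is moving to the main office, so also stop the RODC from caching him again:
#    Deny takes precedence over Allow, and removing him from the auth2 list keeps the
#    RODC's "authenticated here" bookkeeping accurate.
repadmin /prp add    $rodc deny  $adamDn
repadmin /prp delete $rodc auth2 $adamDn

# 5. Review the RODC's policy as it now stands.
repadmin /prp view $rodc allow
repadmin /prp view $rodc deny
```

Step 3 is the answer to the question; step 4 is what the two Password Replication Policy options in the question would achieve on their own, which is why they are insufficient by themselves but sensible in addition.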

Item: 157 (Ref:Cert-70-640.4.4.6)


You are the systems administrator of your company. The network of the company consists of a single Active Directory domain. The client computers on the network run Windows XP, Windows 2000, and Windows Vista. Two Windows Server 2003 computers named WinDC1 and WinFile1 are configured as a domain controller and a file server, respectively. You create .ADMX and .ADML files to define registry-based policy settings on all client computers in the domain. You want to create a central store to provide a centralized storage location for all .ADMX and .ADML files for the domain. First, you must ensure that you have met the minimum requirements to create a central store. What should you do? (Choose two. Each correct answer represents part of the solution.)

- Upgrade WinDC1 from Windows Server 2003 to Windows Server 2003 R2.
- Upgrade WinDC1 from Windows Server 2003 to Windows Server 2008.
- Create a folder in the SYSVOL folder on WinDC1.
- Create a folder in the NETLOGON folder on WinDC1.
- Create a shared folder on WinFile1.

Answer: Upgrade WinDC1 from Windows Server 2003 to Windows Server 2003 R2. Create a folder in the SYSVOL folder on WinDC1.

Explanation:
You should upgrade WinDC1 from Windows Server 2003 to Windows Server 2003 R2 and create a folder in the SYSVOL folder on WinDC1. Group Policy applies one or more desired configurations or policy settings to a targeted set of users and computers within an Active Directory environment. Windows Vista adds over 700 new policy settings, includes the Group Policy Management Console (GPMC), and introduces ADMX files, which provide support for multilingual administration and for the new Windows Vista components. Registry-based policy settings in Windows Vista are defined in a standards-based XML file format known as ADMX files. An ADMX file is language-neutral and defines the settings themselves; each ADMX file has one or more companion ADML files, which are language-specific resource files that hold the display strings for those settings in a given language. ADMX and ADML files replace the ADM files used in earlier versions of Windows. To use ADMX files with Group Policy tools such as GPMC and the Group Policy Object Editor, you must run the tools on a Windows Vista-based or Windows Server 2008-based computer. Unlike ADM files, ADMX files are not stored in individual Group Policy Objects (GPOs). In a domain environment you can create a central store: a folder named PolicyDefinitions under the Policies folder of SYSVOL on a domain controller, which provides a single storage location for the domain's ADMX and ADML files and is read by anyone who edits GPOs with the Vista or Windows Server 2008 tools. A central store can be created on a domain controller running Windows Server 2003 R2 or Windows Server 2003 with Service Pack 1 (SP1); the scenario gives no service pack level for WinDC1, and of the two upgrades offered, Windows Server 2003 R2 is the smaller change that meets the requirement. The ADMX files supersede the default ADM files that shipped with earlier operating systems, such as System.adm and Inetres.adm, so the Vista Group Policy tools ignore those default ADM files.
If you have custom ADM files in your existing environment, the Group Policy tools continue to recognize them, and you can use the Add/Remove Templates menu option to add custom ADM files to a GPO or remove them. New Windows Vista policy settings can be managed only from Windows Vista-based (or Windows Server 2008-based) computers by using the Group Policy Object Editor or GPMC. The Group Policy Object Editor on Windows Server 2003, Windows XP, or Windows 2000 does not display the new Windows Vista Administrative Template settings, even when they are enabled or disabled in a GPO. From Windows Vista you can use the Group Policy Object Editor or GPMC to manage all operating systems that support Group Policy: Windows Vista, Windows Server 2003, Windows XP, and Windows 2000. You should not upgrade WinDC1 from Windows Server 2003 to Windows Server 2008 or create a shared folder on WinFile1. The central store is a folder in the SYSVOL folder of an Active Directory domain controller, not of a file server, and creating it does not require Windows Server 2008. You should not create a folder in the NETLOGON folder on WinDC1. NETLOGON is the shared scripts folder within SYSVOL, and the Group Policy tools look for the central store only in the PolicyDefinitions folder under Policies. You do not need to create a share manually on WinDC1: SYSVOL is already shared on every domain controller.
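The script below is an added example, not part of the Transcender explanation, of building the central store once WinDC1 is at Windows Server 2003 R2. It is run from a Windows Vista or Windows Server 2008 computer, seeds the store with that computer's own ADMX/ADML files, adds the custom templates, and checks that every ADMX has its ADML. The domain name contoso.com, the C:\CustomADMX folder and the en-US language are assumptions; WinDC1 comes from the question.

```powershell
# Added example (not from the original explanation). Run on a Windows Vista or Windows Server 2008
# machine as a Domain Admin. Assumed: domain contoso.com, custom files in C:\CustomADMX with an
# en-US subfolder. WinDC1 is the domain controller named in the question.
$domain   = 'contoso.com'
$dc       = 'WinDC1'
$store    = "\\$dc\SYSVOL\$domain\Policies\PolicyDefinitions"  # the one path the GP tools check
$shipped  = "$env:windir\PolicyDefinitions"                     # ADMX/ADML that ship with this Vista/2008 box
$custom   = 'C:\CustomADMX'
$language = 'en-US'                                             # one subfolder per UI language you support

# 1. Create PolicyDefinitions and the language folder. No share is created: SYSVOL is already shared.
New-Item -ItemType Directory -Path "$store\$language" -Force | Out-Null

# 2. Seed the store with the operating system's ADMX files and their matching ADML files.
Copy-Item "$shipped\*.admx"           $store             -Force
Copy-Item "$shipped\$language\*.adml" "$store\$language" -Force

# 3. Add the custom templates. Every ADMX needs an ADML in each language folder; otherwise the
#    Group Policy Object Editor reports a missing resource file for that template.
Copy-Item "$custom\*.admx"            $store             -Force
Copy-Item "$custom\$language\*.adml"  "$store\$language" -Force

# 4. Sanity check: one ADML per ADMX for the language you copied.
$admx = @(Get-ChildItem $store -Filter *.admx).Count
$adml = @(Get-ChildItem "$store\$language" -Filter *.adml).Count
"ADMX files: $admx   ADML files ($language): $adml"
if ($admx -ne $adml) {
    Write-Warning 'Some ADMX files have no matching ADML; the editor will show errors for them.'
}
```

Writing through \\WinDC1 rather than \\contoso.com makes the copy land on the domain controller the question names; SYSVOL replication then carries the folder to the other domain controllers, and from that point the Vista Group Policy Object Editor reads ADMX files only from the store and ignores its local copies.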

Item: 158 (Ref:Cert-70-640.2.6.5)


You install Windows Server 2008 on a server on your network. The server is configured as a domain controller. You want to install a new custom application that will be used by all users on the network. This application will store data in Active Directory. You are required to install some new attributes and classes in the schema to successfully install the application. To achieve this, you want to install the Active Directory Schema snap-in on the domain controller. What is the minimum group membership that you require to install the Active Directory Schema snap-in?

- Membership of the Domain Admins group.
- Membership of the Schema Admins group.
- Membership of the Enterprise Admins group.
- Membership of the Administrators group on the domain controller.

Answer: Membership of the Domain Admins group.

Explanation:
You require membership in the Domain Admins group. The Active Directory Schema snap-in is the Active Directory administrative tool for viewing and managing the schema. It is not available by default on the Administrative Tools menu and must be added manually. To install it, register the Schmmgmt.dll dynamic-link library (DLL) that the snap-in requires by opening a command prompt and entering the following command:

regsvr32 schmmgmt.dll

After registering Schmmgmt.dll, you can add the Active Directory Schema snap-in to a Microsoft Management Console (MMC) console. Membership in the Domain Admins group, or equivalent, is the minimum requirement for installing the snap-in. The options stating membership in the Schema Admins group, the Enterprise Admins group, and the Administrators group on the domain controller are incorrect. Membership in the Schema Admins group is required only when you perform a task that modifies the schema, such as transferring the schema master role to another domain controller in the forest or installing an application that adds new attributes and classes to the Active Directory database; installing the snap-in itself changes nothing in the schema. To install the Active Directory Schema snap-in, membership in the Domain Admins group, or equivalent, is the minimum requirement.

Item: 159 (Ref:Cert-70-640.6.2.3)


You are a network administrator for one of the branch offices of your company. All client computers are connected to the Windows Server 2008 domain. You are issuing certificates to all client computers by using Active Directory Certificate Services (AD CS) on your server. One of the clients in another branch uses the Linux operating system, and you want to choose the best method to issue a certificate to this client. What should you do?

- Issue a certificate using the Network Device Enrollment Service (NDES).
- Issue a certificate using Enterprise PKI (PKIView).
- Issue a certificate using the Web enrollment service.
- Issue a certificate using a restricted enrollment agent.

Answer: Issue a certificate using the Web enrollment service.

Explanation:
You should use the Web enrollment service (the Certification Authority Web Enrollment role service of AD CS) to issue certificates to non-Microsoft client computers that are not members of the domain. Such clients cannot use the autoenrollment mechanisms of an enterprise certification authority (CA) or the Certificate Request Wizard, both of which depend on domain membership and the Windows certificate client. Web enrollment is not a CA in itself: it is a set of web pages hosted on IIS and connected to a CA, through which a user submits a certificate request (for example, a PKCS #10 request generated on the Linux host with OpenSSL) and downloads the issued or renewed certificate over HTTP or HTTPS.

In Windows Server 2008 AD CS, certificate revocation is a necessary part of managing the certificates issued by CAs. The most common way of communicating certificate status is to distribute certificate revocation lists (CRLs). Where conventional CRLs are not the best solution, an Online Responder based on the Online Certificate Status Protocol (OCSP) can be used to distribute revocation status information and make it highly available. A CRL lists the serial numbers of all certificates that are still within their validity period but should no longer be trusted. For example, if an employee's certificate expires on December 1, 2008, but the employee leaves the organization on October 1, 2007, the serial numbers of the employee's certificates are placed on the CRL. The CRL is made available at one or more CRL distribution points (CDPs), published as HTTP or Lightweight Directory Access Protocol (LDAP) paths in the certificates the CA issues.

You should not use the Network Device Enrollment Service (NDES) to provide certificates to non-Microsoft client computers. NDES is Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP). SCEP provides X.509 certificates to software running on network devices such as routers and switches, which have no domain accounts; it is not a general enrollment method for client computers. You should not use Enterprise PKI (PKIView) to provide certificates; it is a monitoring snap-in that shows the status of your PKI environment and lets administrators locate and troubleshoot CA, CRL, and AIA problems, and it issues nothing. You should not use a restricted enrollment agent to provide certificates to non-Microsoft client computers.
Restricted enrollment agents in AD CS limit which designated enrollment agents may request certificates on behalf of which users or groups; they are a delegation control for smart card and similar enrollment, not a means of enrolling non-Windows machines.
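The sequence below is an added example, not part of the Transcender explanation, showing the request path a Windows administrator follows for a Linux host that cannot autoenroll: the Linux side generates the key pair and a PKCS #10 request locally, and the administrator submits that request to the CA and returns the issued certificate. The CA config string, the WebServer template, and the host name linuxhost.contoso.com are assumptions; the Linux client and AD CS come from the question.

```powershell
# Added example (not from the original explanation). Run on a Windows Server 2008 machine with the
# AD CS tools, as a user allowed to enroll for the template. Assumed: CA "CA01.contoso.com\Contoso
# Issuing CA", template WebServer, host linuxhost.contoso.com.
# The Linux admin created the key and request locally, e.g.
#   openssl req -new -newkey rsa:2048 -nodes -keyout linuxhost.key -out linuxhost.csr -subj "/CN=linuxhost.contoso.com"
# and sent only linuxhost.csr; the private key never leaves the Linux host.
$caConfig = 'CA01.contoso.com\Contoso Issuing CA'
$csr      = 'C:\enroll\linuxhost.csr'
$cer      = 'C:\enroll\linuxhost.cer'
$chain    = 'C:\enroll\linuxhost.p7b'

# 1. Inspect the request before submitting it: subject, key size and requested extensions.
certutil -dump $csr

# 2. Submit the PKCS #10 request. -attrib names the template, because a request made outside
#    Windows carries no template information of its own. Prints the RequestId and the disposition.
certreq -submit -config $caConfig -attrib "CertificateTemplate:WebServer" $csr $cer $chain

# 3. If the template requires CA certificate manager approval, the request waits under Pending
#    Requests. After approval, fetch it by the RequestId printed in step 2:
#    certreq -retrieve -config $caConfig <RequestId> $cer $chain

# 4. Verify that the issued certificate chains to a trusted root and that its CDP/AIA URLs
#    are reachable; the Linux host will fetch the same URLs when it validates peers.
certutil -verify -urlfetch $cer

# 5. Return linuxhost.cer and linuxhost.p7b. If the Linux service wants PEM, the Linux admin runs
#    openssl x509 -inform DER -in linuxhost.cer -out linuxhost.pem
```

The same PKCS #10 request can be pasted into the "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file" page of the Web enrollment site (the certsrv virtual directory), which is the route the question's correct answer refers to; certreq is the equivalent from the command line when the administrator, rather than the Linux user, drives the enrollment.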

Item: 160 (Ref:Cert-70-640.5.3.4)


You are the network administrator for United Sales Corporation. The organization's network contains five servers running Windows Server 2008 in an Organizational Unit (OU) named US-security. All five servers are part of the domain, which is named usales.com. You notice that some unauthorized network connection attempts have been made by users to connect to all five servers. You want to track all network connection events across the five servers in the US-security OU. What should you do?

- Activate the Audit logon events policy.
- Activate the Audit process tracking policy.
- Activate the Audit object access policy.
- Activate the Audit account logon events policy.

Answer: Activate the Audit logon events policy.

Explanation:
You should activate the Audit logon events policy to achieve the objective in this scenario. The Audit logon events policy records an event on the computer where a logon or logoff takes place, whether the user logs on interactively at the console, over the network (for example, to a shared folder or an administrative share), or through a service. Because a network connection to a server generates a logon event on that server, enabling this policy on the five servers logs every successful and failed connection attempt to them, including the unauthorized ones. You can configure the Audit logon events policy in a Group Policy Object (GPO) linked to the US-security OU, or locally on each server with the Auditpol.exe command-line tool. To configure the policy with the Group Policy Management Console (GPMC) on a domain controller, perform the following steps:

1. Open GPMC (gpmc.msc), create a new GPO, and open it in the Group Policy Object Editor. (The Local Group Policy Editor, gpedit.msc, edits only the local computer's policy and cannot be linked to an OU.)
2. Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
3. In the right pane, right-click Audit logon events and click Properties.
4. Select Define these policy settings and choose Success, Failure, or both.
5. Link the GPO to the US-security OU so that it applies to the five servers.

You should not activate the Audit process tracking policy to achieve the objective in this scenario. An Audit process tracking policy audits events related to processes on the computer, such as program activation, process exit, handle duplication, and indirect object access; it does not record network connections.

You should not activate the Audit object access policy to achieve the objective in this scenario. An Audit object access policy audits attempts to access objects such as files, folders, printers, registry keys, and Active Directory objects, and only for objects that also have a system access control list (SACL) configured. It records what was accessed, not the connection itself. You should not activate the Audit account logon events policy to achieve the objective in this scenario. An Audit account logon events policy records credential validation on the computer that is authoritative for the account, so for domain accounts the events appear in the Security log of the domain controller that validated the logon, not on the five member servers where the connections were made.
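The commands below are an added example, not part of the Transcender explanation: they enable the relevant Logon/Logoff subcategories on one of the five servers with Auditpol.exe, show the effective policy, and pull the network logon events (logon type 3) that the question wants tracked. The servers and OU are from the question; no other names are assumed.

```powershell
# Added example (not from the original explanation). Run on one of the five servers as an
# administrator (requires the "Manage auditing and security log" right). Subcategory names are
# those listed by "auditpol /list /subcategory:*" on Windows Server 2008.

# 1. "Audit logon events" maps to the Logon/Logoff category; network connections are recorded
#    by the Logon subcategory. Enable success and failure so attempts that fail are kept too.
auditpol /set /subcategory:"Logon"  /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable

# 2. Effective policy on this server, i.e. what is actually being audited right now.
auditpol /get /category:"Logon/Logoff"

# 3. Network connections are logon type 3. Event 4624 is a successful logon, 4625 a failure;
#    both carry LogonType, the account name and the client's source address.
$xpath = "*[System[(EventID=4624 or EventID=4625)] and EventData[Data[@Name='LogonType']='3']]"
wevtutil qe Security /q:$xpath /f:text /c:50 /rd:true

# 4. Quick count of failed network logons as a first look at the "unauthorized attempts".
$failed = "*[System[(EventID=4625)] and EventData[Data[@Name='LogonType']='3']]"
@(wevtutil qe Security /q:$failed /f:xml | Select-String '<Event ').Count
```

Two caveats for the five-server case: the category-level Audit logon events setting in a GPO enables every subcategory in Logon/Logoff, and at the next policy refresh it overwrites any per-subcategory choices made locally with auditpol unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled in the same GPO. The commands above are therefore a way to verify and to look at events on one server; the GPO linked to US-security is what keeps the policy consistent across all five.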

Item: 161 (Ref:Cert-70-640.4.6.6)


You are a network administrator for your company. Your corporate network consists of a single Active Directory domain. The company's written security policy dictates that all Human Resources personnel must use strong passwords because they handle confidential data. No other users are required to have strong passwords. What should you do to configure a separate password policy for Human Resources personnel with minimal administrative effort?

- Move the user accounts of the Human Resources employees to an OU. Create and link a GPO to that OU.
- Move the computer objects for the client computers of the Human Resources employees to a new domain. Create and link a GPO to that domain.
- Move the computer objects for the client computers of the Human Resources employees to an OU. Create and link a GPO to that OU.
- Create a global security group for the Human Resources employees and apply a fine-grained password policy.

Answer: Create a global security group for the Human Resource employees and apply a fine-grained password policy.

Explanation:
You should create a global security group for the Human Resources employees and apply a fine-grained password policy. In a Windows Server 2008 environment you can define different password and account lockout policies for different sets of users in a single domain by creating Password Settings Objects (PSOs), which hold the fine-grained password policy settings. A PSO can be applied only to user objects and global security groups. To use fine-grained password policies, the domain functional level must be Windows Server 2008. If you do not create any, the Default Domain Policy settings apply to all users in the domain. A fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply one to the users of an OU, you use a shadow group: a global security group that is logically mapped to the OU. You add the users of the OU as members of the shadow group and then apply the PSO to that group. You should not move the user accounts of the Human Resources employees to an OU and create and link a GPO to that OU. Password and account lockout settings in Group Policy are read for domain accounts only from GPOs linked at the domain level (in effect, the Default Domain Policy); a GPO linked to an OU changes the password policy only for local accounts on the computers in that OU and has no effect on the domain user accounts of the Human Resources staff. You should not move the computer objects for the client computers of the Human Resources employees to a new domain and create and link a GPO to that domain. A separate domain could carry its own domain-wide password policy, but it would not govern the Human Resources users' existing accounts in the current domain and would require far more administrative effort than creating a group and a PSO. You should not move the computer objects for the client computers of the Human Resources employees to an OU and create and link a GPO to that OU, for the same reason as the user OU option: the password policy for domain accounts cannot be set per OU.
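The script below is an added example, not part of the Transcender explanation, of creating such a PSO and applying it to a shadow group with the tools that ship with Windows Server 2008 (ldifde and dsget). The domain name contoso.com, the group CN=HR-StrongPassword, the user Alice and the specific password values are assumptions; the Human Resources requirement comes from the question.

```powershell
# Added example (not from the original explanation). Run as a Domain Admin on a Windows Server 2008
# DC at the Windows Server 2008 domain functional level. Assumed: domain contoso.com, shadow group
# CN=HR-StrongPassword,OU=Groups,DC=contoso,DC=com already containing the HR users, user CN=Alice.
# Durations are negative counts of 100-nanosecond intervals: 1 day = 864000000000, 42 days =
# 36288000000000, 30 minutes = 18000000000. The ten attributes below are all mandatory on a PSO.
$ldif = @'
dn: CN=HR-Strong,CN=Password Settings Container,CN=System,DC=contoso,DC=com
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 14
msDS-MinimumPasswordAge: -864000000000
msDS-MaximumPasswordAge: -36288000000000
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: -18000000000
msDS-LockoutDuration: -18000000000
msDS-PSOAppliesTo: CN=HR-StrongPassword,OU=Groups,DC=contoso,DC=com
'@
Set-Content -Path C:\hr-pso.ldf -Value $ldif -Encoding ASCII

# 1. Import the PSO. ldifde writes the object into the Password Settings Container.
ldifde -i -f C:\hr-pso.ldf

# 2. Confirm what was created (precedence and length are the two values most often mistyped).
dsquery * "CN=Password Settings Container,CN=System,DC=contoso,DC=com" -scope onelevel `
    -attr cn msDS-PasswordSettingsPrecedence msDS-MinimumPasswordLength msDS-PSOAppliesTo

# 3. Resultant check for one HR user: which PSO actually applies after precedence is resolved.
dsget user "CN=Alice,OU=Human Resources,DC=contoso,DC=com" -effectivepso
```

Step 3 is the check to run whenever a user is a member of more than one shadow group: the PSO with the lowest msDS-PasswordSettingsPrecedence value wins, and a PSO linked directly to the user object beats any linked through a group. Note also that msDS-LockoutObservationWindow may not exceed msDS-LockoutDuration, and the minimum password age must be shorter than the maximum; ldifde rejects the object otherwise.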

Item: 162 (Ref:Cert-70-640.1.2.5)


You are the network administrator for your company. The network contains three Windows Server 2008 computers configured as domain controllers, named DC1, DC2, and DC3. Another Windows Server 2008 computer, named DNS1, is configured as the DNS server for the network. Users complain that they are unable to access some resources on DC3. When you troubleshoot the problem, you discover that the appropriate service (SRV) records for DC3 have not been registered on DNS1. You need to ensure that the appropriate SRV records for DC3 are registered. What should you do? (Choose two. Each correct answer presents a unique solution.)

- Restart the NetLogon service on DC3.
- Restart the NetLogon service on DNS1.
- Restart DC3.
- Restart DNS1.
- Restart the DNS client service on DC3.
- Restart the DNS server service on DNS1.

Answer: Restart the NetLogon service on DC3. Restart DC3.

Explanation:
You should either restart the NetLogon service on DC3 or restart DC3. Either action causes the domain controller to re-register its SRV records with the DNS server: when the NetLogon service starts, it attempts to register the domain controller's SRV resource records, and it continues to refresh them periodically while running. You should not restart the NetLogon service on DNS1 or restart DNS1. The problem in this scenario is not caused by the DNS server; if it were, the records for the other domain controllers would be affected as well, not only those for DC3. You should not restart the DNS client service on DC3. The DNS Client service is not responsible for registering a domain controller's SRV records. You should not restart the DNS server service on DNS1. The DNS Server service does not register records on behalf of domain controllers; it only receives the dynamic updates they send.

Item: 163 (Ref:Cert-70-640.2.6.2)


You are the network administrator of the Nutex corporation. Nutex has a single forest with three domains: nutex.com, west.nutex.com, and east.nutex.com. A domain controller in east.nutex.com is taken offline. You run a script to create several accounts in all three domains. Accounts in nutex.com and west.nutex.com are created without error. Accounts in east.nutex.com are not created and generate errors. You suspect that a Flexible Single Master Operation (FSMO) role is not available. Which FSMO role is NOT available?

- Schema Master
- Domain Naming Master
- RID Master
- Global Catalog server

Answer: RID Master

Explanation:
The RID master role is not available. The RID master, infrastructure master, and PDC emulator are domain-wide FSMO roles. The RID master is the single domain controller in a domain that processes RID pool requests from all domain controllers in that domain. Every security principal (user, group, or computer) receives a security identifier (SID) composed of the domain SID plus a relative identifier (RID). Each domain controller assigns RIDs to the objects it creates from a pool allocated to it by the RID master, and requests a new pool when its current one is nearly exhausted. In this scenario, the domain controller in east.nutex.com that was taken offline was the RID master; the domain controller on which the script created the accounts had used up its RID pool and could not obtain a new one, so the account creation in east.nutex.com failed. If the RID master is still online, you can transfer the role to another domain controller in the east.nutex.com domain by using either Active Directory Users and Computers (connect to the domain controller that will receive the role, then use Operations Masters) or the ntdsutil command-line tool. A transfer requires both the current holder and the new holder to be available. If the RID master has failed and cannot be brought back online, you must use ntdsutil to seize the role. Seizing a FSMO role allows another domain controller to assume the role of a failed domain controller; it is also referred to as forcing the transfer of an operations master role. Seizing is an extreme measure that is possible only when the original operations master is unavailable, and you should not seize the RID master role unless you are sure that the original RID master will never be brought back online: two RID masters in one domain can allocate overlapping RID pools and produce duplicate SIDs.
The PDC emulator and infrastructure master are also domain roles, but their absence would not stop account creation: the PDC emulator handles password change forwarding, time synchronization, and logons from legacy clients, and the infrastructure master updates cross-domain group-to-user references when accounts are renamed or moved or group memberships change. The schema master and domain naming master are forest FSMO roles, not domain FSMO roles. The schema master is the single domain controller in the forest that is responsible for updates to the schema. The domain naming master is the single domain controller in the forest that is responsible for changes to the forest-wide domain namespace of the directory; you cannot add or remove a domain without contacting it. A global catalog server is not a FSMO role. A global catalog is a domain controller that stores a copy of all Active Directory objects in a forest: a full copy of all objects in the directory for its own domain, and a partial copy of all objects for every other domain in the forest. Global catalog servers replicate with other global catalog servers in the forest according to the replication schedule.
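The commands below are an added example, not part of the Transcender explanation, of confirming which role is missing in east.nutex.com and recovering it with the tools named in the explanation. The domain east.nutex.com comes from the question; the domain controller names EAST-DC1 (the offline holder) and EAST-DC2 (the survivor) are assumptions.

```powershell
# Added example (not from the original explanation). Run as a Domain Admin of east.nutex.com on a
# machine with the Windows Server 2008 AD DS tools. Assumed names: EAST-DC1 (offline RID master),
# EAST-DC2 (surviving DC that will take the role).
$survivor = 'EAST-DC2'

# 1. Which DC holds each role in east.nutex.com? The RID master line names the offline DC.
netdom query fsmo /D:east.nutex.com

# 2. Can EAST-DC2 still create accounts? This test reports whether it can reach the RID master
#    and how much of its current RID pool remains, which is the real reason the script failed.
dcdiag /s:$survivor /test:ridmanager /v

# 3. If EAST-DC1 can be brought back online: transfer. Both DCs must be reachable.
ntdsutil "roles" "connections" "connect to server $survivor" "quit" "transfer rid master" "quit" "quit"

# 4. If EAST-DC1 is gone for good: seize. ntdsutil first attempts a normal transfer and seizes only
#    when that fails. Never return the old holder to the network afterwards without demoting it.
ntdsutil "roles" "connections" "connect to server $survivor" "quit" "seize rid master" "quit" "quit"

# 5. Confirm the new holder, then re-run the account-creation script for east.nutex.com.
netdom query fsmo /D:east.nutex.com
```

Run steps 3 and 4 as alternatives, not in sequence: step 3 is the normal path the explanation describes for an online RID master, step 4 the last resort for one that has failed permanently.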

Item: 164 (Ref:Cert-70-640.1.2.6)


You are the network administrator of your company. The servers on the company's network run Windows Server 2008. The company's network consists of a single Active Directory domain. A server named DNS1 is configured as a Domain Name System (DNS) server and stores the directory-integrated DNS zone for your company. You promote a member server to a domain controller, but you discover that the service (SRV) records for the new domain controller are not created in the Active Directory-integrated DNS zone. What should you do to create the SRV records for the new domain controller with the least administrative effort?

- Restart the DHCP Client service.
- Restart the Netlogon service.
- Configure the properties for the forward lookup zone to allow only secure updates.
- Manually add an SRV record for the new domain controller.

Answer: Restart the Netlogon service.

Explanation:
You should restart the Netlogon service. The SRV records of domain controllers play an important role in Active Directory, which cannot function without DNS: clients and other domain controllers locate the domain controllers for a domain, site, or forest by querying SRV records (for example, _ldap._tcp.dc._msdcs.<domain>) rather than by host name. When you promote a member server to a domain controller, the Netlogon service on the new domain controller registers the SRV records that are specific to domain controllers, and it re-registers them every time it starts and periodically thereafter. If the SRV records for a domain controller are missing from the DNS server, you can re-register them by restarting the Netlogon service on that domain controller. You should not restart the Dynamic Host Configuration Protocol (DHCP) Client service, because the Netlogon service on the domain controller is responsible for registering SRV records. The DHCP Client service registers and updates the IP addresses and host (A) records of the computer on which it runs, not SRV records. You should not configure the properties for the forward lookup zone to allow only secure updates. Changing the zone's dynamic update setting does not create the missing records; it only determines which clients may register. Active Directory-integrated zones default to secure dynamic updates, which domain controllers satisfy with their computer account credentials, so the records remain missing until Netlogon registers them. You should not manually add an SRV record for the new domain controller. A domain controller registers a large set of SRV records (for the domain, the forest, its site, and its roles), so adding them by hand involves far more administrative effort than restarting the Netlogon service and would have to be repeated whenever the domain controller's address or site changes.
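The session below is an added example, not part of the Transcender explanations, covering both this item and item 162: it is run on the domain controller whose SRV records are missing (DC3 in item 162, the newly promoted domain controller here), re-registers the records with and without a service restart, and checks the result on DNS1. The domain name contoso.com is an assumption; DNS1 comes from both questions.

```powershell
# Added example (not from the original explanations). Run as an administrator on the domain
# controller whose SRV records are missing. Assumed: domain contoso.com. DNS1 is from the question.
$domain = 'contoso.com'
$dns    = 'DNS1'
$me     = $env:COMPUTERNAME

# 1. What Netlogon is trying to register: it writes the complete list to this file at startup,
#    so the file tells you which records to expect on DNS1.
Get-Content "$env:windir\System32\config\netlogon.dns" | Select-String '_ldap._tcp.dc._msdcs'

# 2. Least disruptive: ask the running Netlogon service to redo its DNS registrations.
nltest /dsregdns

# 3. Or the restart the questions ask for. On a DC other services depend on Netlogon, so -Force
#    stops and restarts those dependents as well.
Restart-Service Netlogon -Force

# 4. Verify on DNS1 that the DC locator records now list this domain controller.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"     $dns | Select-String $me
nslookup -type=SRV "_kerberos._tcp.dc._msdcs.$domain" $dns | Select-String $me

# 5. Full record-by-record comparison, including the site-specific records.
dcdiag /test:dns /dnsrecordregistration /v
```

If step 4 still shows nothing, the registration itself is failing rather than merely stale: Netlogon logs event 5774 in the System log of the domain controller with the DNS server's response code, which distinguishes a refused secure update from a DNS server that is unreachable or not authoritative for the _msdcs zone.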

Item: 165 (Ref:Cert-70-640.1.2.4)


You are the network administrator for a large distribution company. You want to determine who is accessing the DNS server in the domain. You want to log packets sent from a specific IP address to the DNS server, and from the DNS server to the specific IP address. What should you configure on your DNS server's Properties sheet?

- On the Debug Logging tab, enable Log Packets for Debugging and configure a filter for the Filter packets by IP address setting.
- On the Debug Logging tab, enable Log Packets for Debugging and configure both the Outgoing and Incoming setting for Packet Direction.
- On the Event Logging tab, set the Log the following events: option to All Events.
- On the Monitoring tab, enable both simple queries and recursive queries.

Answer: On the Debug Logging tab, enable Log Packets for Debugging and configure a filter for the Filter packets by IP address setting.

Explanation:
You should enable Log Packets for Debugging on the Debug Logging tab, and configure a filter for the Filter packets by IP address setting. Once you enable the Log packets for debugging setting, you can configure the DNS server to begin capturing debug packet information. You can use the Filter packets by IP address setting to log packets sent from specific IP addresses to a DNS server, or from a DNS server to specific IP addresses. In this scenario, you want to log packets sent from a specific IP address to the DNS server and from the DNS server to that IP address. You can use the Filter button to specify the IP addresses that you want to log packets to or from. This information is stored in the DNS debug log, named Dns.log. The Dns.log file can be opened only when the DNS Server service is stopped.

You can use debug logging to record queries, transfers, updates, and notifications. You can specify whether to record information about incoming or outgoing DNS packets, DNS requests or responses, or DNS packets sent by using TCP or UDP. You can specify whether detailed information about each packet must be recorded, and you can specify whether packets must be filtered according to IP addresses.

You should not just enable Log Packets for Debugging on the Debug Logging tab and configure both the Outgoing and Incoming settings for Packet Direction. The Outgoing setting logs all packets that are sent by the DNS server. The Incoming setting logs all packets that are received by the DNS server. To log packets sent from a specific IP address to the DNS server and from the DNS server to that IP address, you will also have to enable the Filter packets by IP address setting and configure the IP addresses that you want to filter.

On the Monitoring tab, you can configure a DNS server to perform two types of functionality testing. A simple query test verifies whether individual records can be read from zone data on the server. A recursive test verifies whether the server can communicate with Internet root DNS servers. Performing these tests, however, would not log packets sent from a specific IP address to the DNS server and from the DNS server to the specific IP address.

On the Event Logging tab of a DNS server's Properties sheet, you can specify the types of events, such as errors and warnings, to be recorded in the DNS event log. Although event logging can provide useful information about possible problems, the DNS event log does not record individual queries, and so would not solve the problem in this scenario.
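The Debug Logging tab settings described above, expressed with the DnsServer PowerShell module as an added example that is not part of the Transcender item (the module ships with Windows Server 2012 or later and RSAT; the server name, client address and log path are constructed placeholders):

```powershell
# Added example, not from the original item: turn on DNS debug packet logging
# filtered to one client address, read the result, then turn it off again.
# Assumes the DnsServer module (Windows Server 2012+ / RSAT). Names are placeholders.
$DnsServer  = "DNS1"                 # assumed DNS server name
$ClientAddr = "192.0.2.50"           # constructed: the host whose traffic we want logged
$LogPath    = "C:\DnsDebug\Dns.log"  # constructed log location on the DNS server

# GUI equivalent: Log packets for debugging; Packet direction = Outgoing + Incoming;
# Transport protocol = UDP + TCP; Packet type = Request + Response;
# Filter packets by IP address = $ClientAddr.
Set-DnsServerDiagnostics -ComputerName $DnsServer `
    -EnableLoggingToFile $true `
    -LogFilePath $LogPath `
    -SendPackets $true -ReceivePackets $true `
    -UdpPackets $true -TcpPackets $true `
    -Queries $true -Answers $true `
    -FilterIPAddressList $ClientAddr

# Confirm what is actually in effect before waiting for traffic to arrive.
Get-DnsServerDiagnostics -ComputerName $DnsServer |
    Select-Object EnableLoggingToFile, SendPackets, ReceivePackets, Queries, Answers, FilterIPAddressList

# Dns.log is held open by the DNS Server service, so it must be stopped before the
# file can be read; restart it in all cases so name resolution is not left down.
Invoke-Command -ComputerName $DnsServer -ScriptBlock {
    param($Path, $Addr)
    Stop-Service -Name DNS
    try {
        Select-String -Path $Path -Pattern ([regex]::Escape($Addr)) | Select-Object -First 20
    }
    finally {
        Start-Service -Name DNS
    }
} -ArgumentList $LogPath, $ClientAddr

# Packet logging is verbose and costs disk and CPU; disable it once the capture is done.
Set-DnsServerDiagnostics -ComputerName $DnsServer `
    -EnableLoggingToFile $false -SendPackets $false -ReceivePackets $false
```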

Copyright 2009 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.


Item: 166 (Ref:Cert-70-640.2.4.1)


You are a network administrator for your company. The corporate network consists of a single Active Directory domain and three sites that are presented in the following exhibit.

There are two domain controllers in each of the sites, and one domain controller in each site is designated as a preferred bridgehead server. The network is not fully routed, and the default bridging of all site links is disabled. You want changes made to Active Directory in any of the sites to be propagated to the other sites even if any one domain controller in each site fails. Which of the following should you do?
( ) Bridge the two site links.
( ) Create a site link between Site1 and Site3.
( ) Designate both domain controllers in Site2 as preferred bridgehead servers.
( ) Reconfigure each site so that there are no preferred bridgehead servers.

Answer: Reconfigure each site so that there are no preferred bridgehead servers.

Explanation:
One domain controller in each site is automatically designated as a bridgehead server for that site. Changes to Active Directory that are made on a particular domain controller in a particular site are first replicated to the other domain controllers within that site. When the bridgehead server for that site receives those changes, it replicates them to the bridgehead servers in other sites, and each of those bridgehead servers replicates the changes to the other domain controllers in its respective site. If the bridgehead server in a site fails, another domain controller in that site is automatically designated as the bridgehead server for that site.

An administrator can control which domain controllers are designated as bridgehead servers. If an administrator designates one or more domain controllers in a site as preferred bridgehead servers for that site, then only one of those domain controllers can become the bridgehead server for that site. If that domain controller fails, another preferred bridgehead server in that site is automatically designated as the bridgehead server for that site. If there are no more preferred bridgehead servers in the site, replication between that site and other sites will not occur. To provide the required replication fault tolerance in this scenario, you should reconfigure the domain controllers so that there are no preferred bridgehead servers in any of the sites. Alternatively, you can configure all domain controllers as preferred bridgehead servers in their respective sites.

Bridging the existing two site links would have no effect in this scenario because the network is not fully routed. Thus, domain controllers in Site1 cannot directly communicate with domain controllers in Site3. Therefore, creating a site link between Site1 and Site3 would also have no effect in this scenario.

If you designated both domain controllers in Site2 as preferred bridgehead servers, Site2 would be able to replicate with the other sites should any one of the domain controllers in Site2 fail. However, Site1 and Site3 would not be able to replicate with Site2 if the bridgehead servers in Site1 and Site3 failed.

Item: 167 (Ref:Cert-70-640.2.4.8)


You are the head network administrator of your company. The company has a main office and one branch office. The main office contains 1500 users and the branch office contains 15 users. All servers on the network run Windows Server 2008. The network consists of a single Active Directory domain. You have configured a separate Active Directory site for each office. The branch office network contains one domain controller and 15 client computers. The two offices are connected through a 56-Kbps dial-up link. The Active Directory replication between the sites consumes a substantial portion of the available bandwidth of the dial-up link, and users in the branch office report that access to resources in the central office is slow. You must utilize the bandwidth on the dial-up link more efficiently for uninterrupted resource access. What should you do?
( ) Replace the IP site link with an SMTP site link.
( ) Increase the replication interval on the site link.
( ) Reduce the cost of the site link.
( ) Move the branch office resources to the main office site, and remove the branch office site.

Answer: Increase the replication interval on the site link.

Explanation:
You should increase the replication interval on the site link. There are several ways to free up bandwidth on the slow inter-site connection in this scenario. Among the presented choices, the best is to increase the replication interval on the site link. The replication frequency of a site link determines how often replication occurs over that site link. The default replication frequency for a site link is 180 minutes. You can set the replication frequency for a site link from 15 minutes to 10,080 minutes by using the Active Directory Sites and Services snap-in. The total amount of data associated with the Active Directory changes that must be replicated between sites does not depend on replication frequency. Less frequent replication sessions will generate less communication overhead, such as the traffic that is necessary to establish each session. When you have multiple sites, decreasing the replication interval between a pair of sites will ensure that the data between the sites is more up to date. For example, if the replication interval between SiteA and SiteB is 180 minutes, decreasing the replication interval to 90 minutes will ensure that both sites are more up to date. Increasing the replication interval to 360 minutes will generate less communication and use less bandwidth. Another possible solution is to configure the inter-site replication to occur after business hours.

Because there are fewer than 100 users in the branch office, you should consider removing the domain controller from that site. The logon traffic across the dial-up link might require less bandwidth than replication. If you demoted the domain controller to a member server, and if that server hosted some network resources, then branch office users might be unable to access those resources by using their domain user accounts if the dial-up link to the central office became unavailable.

In the single-domain environment in this scenario, you could conserve some WAN bandwidth by configuring Universal group membership caching in the remote site instead of having a domain controller in the branch office act as a Global Catalog server. Universal group membership caching should be enabled in a site that is connected by a low-bandwidth connection or that has hardware limitations on the domain controller, such as limited hard disk space, that would prohibit installing the global catalog. Enabling universal group membership caching provides efficient user logon in situations of low or no network bandwidth.

You should not replace the IP site link with an SMTP site link in this scenario. An SMTP site link does not support the replication of domain directory partitions; therefore, it cannot be used for replication between domain controllers that belong to the same domain.

You should not reduce the cost of the site link. Site link costs are numerical values that indicate relative preference among alternative site link paths between the same pair of sites. Changing the cost of the only site link in this scenario would not have any effect on replication.

You should not move the branch office resources to the main office site and remove the branch office site. If you merged the two sites into a single site, replication between the domain controllers in the main office and the domain controller in the branch office would occur continuously and the replicated data would not be compressed. Additionally, branch office logon requests would be processed by any domain controller, not only by the one in the branch office. Therefore, the WAN bandwidth usage would increase.

Item: 168 (Ref:Cert-70-640.4.4.2)


You are the network administrator for a company that manufactures golf equipment. Your company has a single domain. Every department has its own Organizational Unit (OU). The functional level of the domain and forest is Windows Server 2008. Your company purchases another company that makes cricket equipment. This company has a single domain. All domain controllers in this domain are Windows Server 2003. The domain functional level and forest functional level of the acquired company are set to Windows 2003. The cricket equipment company will remain a separate forest. You want to accomplish the following:
- Create several similar GPOs in the golf equipment domain and link them to different OUs.
- Take the settings from the GPO linked to the Accounting OU in the golf domain and copy them to the Tax OU in the cricket equipment company's domain.
What should you do? (Choose two. Each correct answer represents part of the solution.)
[ ] In the golf equipment company's domain, create a Starter GPO. Create GPOs based on the Starter GPO and link them to the appropriate OUs.
[ ] In the golf equipment company's domain, create a Starter GPO. Link the GPO to the appropriate OUs.
[ ] In the golf equipment company's domain, use the Group Policy Management Console (GPMC) to back up the appropriate GPO from the Accounting OU. At a domain controller at the cricket equipment company's domain, use the GPMC to import the GPO to the appropriate container.
[ ] Create a two-way trust between the two forests. In the golf equipment company's domain, use the Group Policy Management Console (GPMC) to back up the appropriate GPO from the Accounting OU. At a domain controller at the cricket equipment company's domain, use the GPMC to import the GPO to the appropriate container in the Tax OU.

Answer: In the golf equipment company's domain, create a Starter GPO. Create GPOs based on the Starter GPO and link them to the appropriate OUs. In the golf equipment company's domain, use the Group Policy Management Console (GPMC) to back up the appropriate GPO from the Accounting OU. At a domain controller at the cricket equipment company's domain, use the GPMC to import the GPO to the appropriate container.


Explanation:
You should create a Starter GPO in the golf equipment company's domain. You should then create GPOs based on the Starter GPO and link those GPOs to the appropriate OUs. A Starter GPO allows you to create a baseline from which you can build GPOs. You can configure settings in the Administrative Templates for the Computer Configuration and User Configuration of a GPO. When you create a new GPO, you can use the previously created Starter GPO to prepopulate settings for the new GPO. In this scenario, you can create a Starter GPO to ensure that all GPOs have similar settings, and then differentiate each GPO according to the requirements of each department.

You should use the Group Policy Management Console (GPMC) to back up the appropriate GPO from the Accounting OU in the golf equipment company's domain. Once the GPO is backed up, you should go to a domain controller in the cricket equipment company's domain and use the GPMC to import the GPO to the appropriate container. You can export the settings of a GPO by using the backup function of the GPMC, and import the settings into a new domain by using the import function. The import operation transfers settings from the backed-up GPO into a new GPO in the new domain. You do not need a cross-domain or cross-forest trust relationship; you do need access to the file system where the backup of the GPO resides. The backup and import operations are ideally suited for copying GPOs that you created in a test environment into a production environment.

To back up a GPO by using the GPMC, follow these steps:
1. Highlight the GPO that you want to back up.
2. Right-click it and choose Back Up from the menu.
3. Specify the location for the backup and click the Back Up button.

To import a GPO by using the GPMC, follow these steps:
1. Highlight the GPO that is to receive the imported settings from the backup.
2. Right-click the GPO and choose Import Settings.
3. The Import Settings Wizard prompts you for the location of the backup from which settings should be imported. Choose the backed-up GPO that holds the settings that you want to import.

You should not attempt to link a Starter GPO to an OU. Starter GPOs cannot be linked; they can only be used as baselines for new GPOs. You do not require a trust relationship between the domains to import GPO settings from a backup. You only need read permissions on the location where the backup resides. The following graphic shows how to create new GPOs from a Starter GPO:
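The same back-up and import procedure carried out with the GroupPolicy PowerShell module, as an added example that is not part of the Transcender item (the module ships with Windows Server 2008 R2 or later and RSAT; GPO names, the backup share and the target OU path are constructed placeholders):

```powershell
# Added example, not from the original item: back up a GPO in the source (golf) forest,
# import it into a GPO in the unrelated target (cricket) forest, link it, and verify.
# Assumes the GroupPolicy module (Windows Server 2008 R2+ / RSAT). Names are placeholders.

# --- Step 1: run in the golf equipment (source) domain ----------------------------
$SourceGpo  = "Accounting Baseline"        # assumed name of the GPO linked to the Accounting OU
$BackupPath = "\\fileserver\GPOBackups"    # constructed; any location the target admin can read

$backup = Backup-GPO -Name $SourceGpo -Path $BackupPath -Comment "Copy for cricket forest"
"Backed up '$($backup.DisplayName)' as backup ID $($backup.Id) to $($backup.BackupDirectory)"

# --- Step 2: run on a domain controller in the cricket equipment (target) domain ----
# No trust between the forests is needed, only read access to $BackupPath. The wizard's
# migration-table step corresponds to -MigrationTable; it is only required when the GPO
# references source-domain security principals or UNC paths that must be remapped.
$TargetGpo = "Tax Baseline"                  # constructed name for the new GPO
$TaxOu     = "OU=Tax,DC=cricket,DC=example"  # constructed distinguished name of the Tax OU

Import-GPO -BackupGpoName $SourceGpo -Path $BackupPath -TargetName $TargetGpo -CreateIfNeeded
# Optional when principals or paths differ between the forests:
#   -MigrationTable "$BackupPath\golf-to-cricket.migtable"

# Import-GPO only writes settings into the target GPO; it does not link it anywhere.
New-GPLink -Name $TargetGpo -Target $TaxOu -LinkEnabled Yes

# Verify that the settings actually landed before relying on them: list the
# client-side extensions that now carry data in the imported GPO.
$report = [xml](Get-GPOReport -Name $TargetGpo -ReportType Xml)
$computerExt = $report.GPO.Computer.ExtensionData | ForEach-Object Name
$userExt     = $report.GPO.User.ExtensionData     | ForEach-Object Name
"Computer-side extensions: " + ($computerExt -join ", ")
"User-side extensions:     " + ($userExt -join ", ")
```

Import-GPO overwrites the existing settings of the target GPO, so point it at a new or dedicated GPO rather than one already in production use.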


Item: 169 (Ref:Cert-70-640.4.3.10)


You are the security administrator of Verigon Corporation. The network of the company consists of a single Active Directory domain named verigon.com. The servers on the network run Windows Server 2008. The client computers run Windows Vista. The organizational unit (OU) structure of the company is shown in the exhibit. (Click the Exhibit(s) button.) You create a Group Policy Object (GPO) named GPO1 to apply standard desktop settings to all desktop and portable client computers that are joined to the network. GPO1 is linked to the Client Computers OU. You have an assistant administrator named Paul. You want to enable Paul to edit only GPO1, and not any other Group Policy object. What should you do?
( ) Add Paul's user account to the Delegation tab in the properties sheet for GPO1 and assign him the permission to Edit settings.
( ) Add Paul's user account to the Managed By tab in the properties sheet for the Client Computers OU.
( ) Run the Delegation of Control Wizard and delegate Paul the right to manage Group Policy links for the Client Computers OU.
( ) Run the Delegation of Control Wizard and delegate Paul the right to manage Group Policy links for the domain.

Answer: Add Paul's user account to the Delegation tab in the properties sheet for GPO1 and assign him the permission to Edit settings.


Explanation:
You should add Paul's user account to the Delegation tab in the properties sheet for GPO1 and assign him the permission to Edit settings. Windows Server 2008 allows you to delegate the following three Group Policy tasks independently:
- Managing Group Policy links for a site, domain, or organizational unit.
- Creating Group Policy objects.
- Editing Group Policy objects.

To edit a Group Policy object, the user must be one of the following:
- An administrator.
- A Creator Owner.
- A user with delegated access to the Group Policy object.

That is, an administrator or the Creator Owner must delegate access to the user by adding the user on the Delegation tab in the properties sheet for GPO1 (the Security tab of the Group Policy object's Properties page) and assigning the Edit settings or Edit settings, delete, modify security permission.

By default, only Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. If the domain administrator wants a non-administrator or non-administrative group to be able to create GPOs, that user or group can be added to the Group Policy Creator Owners security group. Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only those Group Policy objects that the user creates or those explicitly delegated to that user. It does not give the user full control of any other Group Policy objects, and it does not allow the user to link Group Policy objects to sites, domains, or organizational units.

You should not add Paul's user account to the Managed By tab in the properties sheet for the Client Computers OU. When you add a user as a manager on the Managed By tab in the properties sheet of an OU, the user does not get any permissions on the OU. This setting is informational only. The other fields on the tab display the manager's properties, not the OU's properties.

You should not run the Delegation of Control Wizard and delegate Paul the right to manage Group Policy links for the Client Computers OU or for the domain. The Delegation of Control Wizard can be used to delegate to a user the right to manage Group Policy links for a site, domain, or OU. Delegating Paul the right to manage Group Policy links for the Client Computers OU or the domain will only enable Paul to manage the links of Group Policies that are applied to that OU or domain. This will not enable Paul to edit GPO1.
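The delegation described above, performed and then audited with the GroupPolicy PowerShell module, as an added example that is not part of the Transcender item (the module ships with Windows Server 2008 R2 or later and RSAT; the user name is the page's "Paul", and the domain is whichever one the session is joined to):

```powershell
# Added example, not from the original item: give Paul edit rights on GPO1 alone,
# then enumerate every GPO in the domain to confirm no other object grants him anything.
# Assumes the GroupPolicy module (Windows Server 2008 R2+ / RSAT).
$User = "Paul"

# Equivalent of the Delegation tab: add Paul with "Edit settings" (GpoEdit). This is
# deliberately not GpoEditDeleteModifySecurity, which would also let him delete the
# GPO or change who else can edit it.
Set-GPPermission -Name "GPO1" -TargetName $User -TargetType User -PermissionLevel GpoEdit

# Least-privilege check: Get-GPPermission errors when the trustee holds nothing on a
# GPO, so suppress that and keep only the GPOs where Paul actually has an entry.
$findings = foreach ($gpo in Get-GPO -All) {
    $perm = Get-GPPermission -Guid $gpo.Id -TargetName $User -TargetType User `
                -ErrorAction SilentlyContinue
    if ($perm) {
        [pscustomobject]@{ Gpo = $gpo.DisplayName; Permission = $perm.Permission }
    }
}
$findings | Format-Table -AutoSize
# Expected: exactly one row, GPO1 / GpoEdit. Any additional row is a delegation to review.

# Editing and linking are separate delegations: Paul still cannot link GPO1 to any
# site, domain or OU unless link management is delegated there as well.
```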
