Microsoft 70-640 TS: Windows Server 2008 Active Directory, Configuring

Microsoft 70-640

TS: Windows Server 2008 Active Directory,

Configuring Version: 1.3

Microsoft 70-640 Exam

Topic 1, Exam Set 1

QUESTION NO: 1

You have a single Active Directory domain. All domain controllers run Windows Server 2008 and

are configured as DNS servers. The domain contains one Active Directory-integrated DNS zone.

You need to ensure that outdated DNS records are automatically removed from the DNS zone.

What should you do?

A. From the properties of the zone, modify the TTL of the SOA record.

B. From the properties of the zone, enable scavenging.

C. From the command prompt, run ipconfig /flushdns.

D. From the properties of the zone, disable dynamic updates.

Answer: B

Explanation:

To remove the outdated DNS records from the DNS zone automatically, you should enable

Scavenging through Zone properties. Scavenging will help you clean up old unused records in

DNS. Since "clean up" really means "delete stuff" a good understanding of what you are doing and

a healthy respect for "delete stuff" will keep you out of the hot grease. Because deletion is involved

there are quite a few safety valves built into scavenging that take a long time to pop. When

enabling scavenging, patience is required.

Reference: http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845-88d2-4091-8088-

a6bbce0a4304&ID=211

QUESTION NO: 2

Your network consists of a single Active Directory domain. All domain controllers run Windows

Server 2008 R2. The Audit account management policy setting and Audit directory services

access setting are enabled for the entire domain.

You need to ensure that changes made to Active Directory objects can be logged. The logged

changes must include the old and new values of any attributes.

What should you do?

A. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.

B. From the Default Domain Controllers policy, enable the Audit directory service access setting

and enable directory service changes.

C. Enable the Audit account management policy in the Default Domain Controller Policy.

D. Run auditpol.exe and then enable the Audit directory service access setting in the Default

www.certify-me.co.uk 2


Domain policy.

Answer: A

Explanation:

To make sure the changes made to active directory objects are logged and the logs show the old

and new values of any attribute, you should run audipol.exe and configure the security settings for

the domain controllers Organizational Unit.

QUESTION NO: 3

Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by

a WAN link. Contoso has an Active Directory forest that contains a single domain named

ad.contoso.com.

The ad.contoso.com domain contains one domain controller named DC1 that is located in the

main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is

configured as a standard primary zone.

You install a new domain controller named DC2 in the branch office. You install DNS on DC2.

You need to ensure that the DNS service can update records and resolve DNS queries in the

event that a WAN link fails.

What should you do?

A. Create a new stub zone named ad.contoso.com on DC2.

B. Create a new standard secondary zone named ad.contoso.com on DC2.

C. Configure the DNS server on DC2 to forward requests to DC1.

D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

Answer: D

Explanation:

To make sure that the DNS service on TK2 can update records and resolve DNS queries in the

event of a MAN link failure, you should convert maks.contoso.com on TK1 to an Active Directory-

integrated zone. Active Directory-integrated DNS offers two pluses over traditional zones. For one,

the fault tolerance built into Active Directory eliminates the need for primary and secondary

nameservers. Effectively, all nameservers using Active Directory-integrated zones are primary

nameservers. This has a huge advantage for the use of dynamic DNS as well: namely, the wide

availability of nameservers that can accept registrations. Recall that domain controllers and

workstations register their locations and availability to the DNS zone using dynamic DNS. In a



traditional DNS setup, only one type of nameserver can accept these registrations—the primary

server, because it has the only read/write copy of a zone. By creating an Active Directory-

integrated zone, all Windows Server 2008 nameservers that store their zone data in Active

Directory can accept a dynamic registration, and the change will be propagated using Active

Directory multimaster replication.

Reference: http://safari.adobepress.com/9780596514112/active_directory-integrated_zones

QUESTION NO: 4

Your company has a server that runs an instance of Active Directory Lightweight Directory Service

(AD LDS).

You need to create new organizational units in the AD LDS application directory partition.

What should you do?

A. Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units.

B. Use the Active Directory Users and Computers snap-in to create the organizational units on the

AD LDS application directory partition.

C. Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units.

D. Use the ADSI Edit snap-in to create the organizational units on the AD LDS application

directory partition.

Answer: D

Explanation:

To create new OUs in the AD LDS application directory partition, you should use ADSI Edit snap-

in. ADSI Edit is a snap-in that runs in a Microsoft Management Console (MMC). The default

console containing ADSI Edit is AdsiEdit.msc. If this snap-in is not added in your MMC, you can do

it by adding through Add/Remove Snap-in menu option in the MMC or you can open AdsiEdit.msc

from a Windows Explorer.

QUESTION NO: 5

Your company has an Active Directory domain. The company has two domain controllers named

DC1 and DC2. DC1 holds the Schema Master role.

DC1 fails. You log on to Active Directory by using the administrator account.

You are not able to transfer the Schema Master operations role.



You need to ensure that DC2 holds the Schema Master role.

What should you do?

A. Configure DC2 as a bridgehead server.

B. On DC2, seize the Schema Master role.

C. Log off and log on again to Active Directory by using an account that is a member of the

Schema Administrators group. Start the Active Directory Schema snap-in.

D. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in.

Answer: B

Explanation:

To ensure that DC2 holds the Schema Master role, you should seize the Schema Master role on

DC2. Seizing the schema master role is a drastic step that should be considered only if the current

operations master will never be available again. So to transfer the schema master operations role,

you have to seize it on DC2.

Reference: http://technet2.microsoft.com/windowsserver/en/library/d4301a14-dd18-4b3c-a3cc-

ec9a773f7ffb1033.mspx?mfr=true

QUESTION NO: 6

Your company has an Active Directory forest that runs at the functional level of Windows Server

2008.

You implement Active Directory Rights Management Services (AD RMS).

You install Microsoft SQL Server 2005. When you attempt to open the AD RMS administration

Web site, you receive the following error message: "SQL Server does not exist or access denied."

You need to open the AD RMS administration Web site.

Which two actions should you perform? (Each correct answer presents part of the solution.

Choose two.)

A. Restart IIS.

B. Manually delete the Service Connection Point in AD DS and restart AD RMS.

C. Install Message Queuing.

D. Start the MSSQLSVC service.

Answer: A,D



Explanation:

To rectify the SQL server problem, you have to restart the internet information server (IIS). The IIS

server will be refreshed. Then you start the MSSQULSVC service to start the SQL server. This will

enable you to access the database from AD RMS administration website.

QUESTION NO: 7

Your network consists of an Active Directory forest that contains one domain named contoso.com.

All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have

two Active Directory-integrated zones: contoso.com and nwtraders.com.

You need to ensure a user is able to modify records in the contoso.com zone. You must prevent

the user from modifying the SOA record in the nwtraders.com zone.

What should you do?

A. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.

B. From the Active Directory Users and Computers console, modify the permissions of the Domain

Controllers organizational unit (OU).

C. From the DNS Manager console, modify the permissions of the contoso.com zone.

D. From the DNS Manager console, modify the permissions of the nwtraders.com zone.

Answer: C

Explanation:

To allow the user to modify records in contoso.com and prevent him/her from modifying the SOA

record in contoso.com zone, you should set the permissions of contoso.com through DNS

Manager Console. You set the permissions for the users to modify the records in contoso.com. By

setting permission on one Active directory-integrated zone, you will be preventing the users from

modifying anything else on the other zones.

QUESTION NO: 8

Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your

company uses an Enterprise Root certificate authority (CA).

You need to ensure that revoked certificate information is highly available.

What should you do?



A. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet

Security and Acceleration Server array.

B. Publish the trusted certificate authorities list to the domain by using a Group Policy Object

(GPO).

C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load

Balancing.

D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the

GPO to the domain.

Answer: C

Explanation:

To ensure that the revoked certificate information is available at all, you should use the network

load balancing and publish an OCSP responder. OCSP is an online responder that can receive a

request to check for revocation of a certificate without the client having to download the entire

CRL. This process speeds up certificate revocation checking and reduces network bandwidth

used for this process. This can be helpful especially when such checking is down over slow WAN

links.

QUESTION NO: 9

You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2.

Server1 is configured as an enterprise root certification authority (CA).

You install the Online Responder role service on Server2.

You need to configure Server1 to support the Online Responder.

What should you do?

A. Import the enterprise root CA certificate.

B. Configure the Certificate Revocation List Distribution Point extension.

C. Configure the Authority Information Access (AIA) extension.

D. Add the Server2 computer account to the CertPublishers group.

Answer: C

Explanation:

To configure online responder role service on S1, you should configure AIA extension. The

authority information access extension indicates how to access CA information and services for

the issuer of the certificate in which the extension appears. Information and services may include

on-line validation services and CA policy data. (The location of CRLs is not specified in this

extension; that information is provided by the cRLDistributionPoints extension.) This extension



may be included in subject or CA certificates, and it MUST be non-critical

Reference: datatracker.ietf.org/documents/LIAISON/file315.pdf

QUESTION NO: 10

Your company has an Active Directory domain. A user attempts to log on to a computer that was

turned off for twelve weeks. The administrator receives an error message that authentication has

failed. You need to ensure that the user is able to log on to the computer. What should you do?

A. Run the netsh command with the set and machine options.

B. Reset the computer account. Disjoin the computer from the domain, and then rejoin the

computer to the domain.

C. Run the netdom TRUST /reset command.

D. Run the Active Directory Users and Computers console to disable, and then enable the

computer account.

Answer: B

Explanation:

To ensure that the administrator can log on to the computer, you should disjoin the computer from

the domain and rejoin it again. Reset the computer account too. Due to long inactivity, the

computer was not responding to the authentication query using the Active Directory records. So

when you disjoin and rejoin the computer to the domain and reset the computer account, the

Active Directory refreshes the computer account password. After that the administrator can easily

log on to the computer.

QUESTION NO: 11

Your company has an Active Directory forest that contains a single domain. The domain member

server has an Active Directory Federation Services (AD FS) role installed. You need to configure

AD FS to ensure that AD FS tokens contain information from the Active Directory domain. What

should you do?

A. Add and configure a new account partner.

B. Add and configure a new resource partner.

C. Add and configure a new account store.

D. Add and configure a Claims-aware application.

Answer: C

Explanation: Explanation:



To configure the AD FS trust policy to populate AD FS tokens with employee’s information from

Active directory domain, you need to add and configure a new account store.

AD FS allows the secure sharing of identity information between trusted business partners across

an extranet. When a user needs to access a Web application from one of its federation partners,

the user's own organization is responsible for authenticating the user and providing identity

information in the form of "claims" to the partner that hosts the Web application. The hosting

partner uses its trust policy to map the incoming claims to claims that are understood by its Web

application, which uses the claims to make authorization decisions. Because claims originate from

an account store, you need to configure account store to configure the AD FS trust policy.

: Active Directory Federation Services

http://msdn2.microsoft.com/en-us/library/bb897402.aspx

QUESTION NO: 12

You network consists of a single Active Directory domain. All domain controllers run Windows

Server 2008 R2.

You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller.

What tool should you use?

A. Active Directory Users and Computers snap-in

B. ntdsutil

C. Local Users and Groups snap-in

D. dsmod

Answer: B

Explanation:

To reset the DSRM password on a single domain controller, you should use ntdsutil utility. You

can use Ntdsutil.exe to reset this password for the server on which you are working, or for another

domain controller in the domain. Type ntdsutil and at the ntdsutil command prompt, type set dsrm

password.

Reference: http://support.microsoft.com/kb/322672

QUESTION NO: 13



Your company has a main office and a branch office. You deploy a read-only domain controller

(RODC) that runs Microsoft Windows Server 2008 to the branch office. You need to ensure that

users at the branch office are able to log on to the domain by using the RODC. What should you

do?

A. Add another RODC to the branch office.

B. Configure a new bridgehead server in the main office.

C. Decrease the replication interval for all connection objects by using the Active Directory Sites

and Services console.

D. Configure the Password Replication Policy on the RODC.

Answer: D

Explanation:

To ensure that the users at the branch office can log on to the domain using RODC, you should

use a Password Replication Policy. RODCs don’t cache any user or machine passwords. You can

change this by adding a policy through each RODC’s unique Password Replication Policy (PRP).

A policy would create a group for each branch office with a RODC and add users in that branch

office. An administrator, then, can allow password replication for the branch-office group.

QUESTION NO: 14

Your company has a single Active Directory domain named intranet.adatum.com. The domain

controllers run Windows Server 2008 and the DNS server role. All computers, including non-

domain members, dynamically register their DNS records. You need to configure the

intranet.adatum.com zone to allow only domain members to dynamically register DNS records.

What should you do?

A. Set dynamic updates to Secure Only.

B. Remove the Authenticated Users group.

C. Enable zone transfers to Name Servers.

D. Deny the Everyone group the Create All Child Objects permission.

Answer: A

Explanation:

To make sure only the domain members are able to register their DNS records dynamically, set

the option Secure only for Dynamic updates. This will let only the domain members to register their

DNS records dynamically.

Reference:

www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncf_imp_afpf.mspx



QUESTION NO: 15


Server 2008 R2 and are configured as DNS servers. A domain controller named DC1 has a

standard primary zone for contoso.com. A domain controller named DC2 has a standard

secondary zone for contoso.com.

You need to ensure that the replication of the contoso.com zone is encrypted. You must not lose

any zone data.

What should you do?

A. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary

zone.

B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.

C. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers

lists on the secondary zone.

D. On both servers, modify the interface that the DNS server listens on.

Answer: B

Explanation:

To make sure that the replication of the contoso.com zone is encrypted to prevent data loss, you

should convert the primary zone into an active directory zone and delete the secondary zone

QUESTION NO: 16

You are decommissioning domain controllers that hold all forest-wide operations master roles. You

need to transfer all forest-wide operations master roles to another domain controller. Which two

roles should you transfer? (Each correct answer presents part of the solution. Choose two.)

A. Domain naming master

B. Infrastructure master

C. RID master

D. PDC emulator

E. Schema master

Answer: A,E

Explanation:

To transfer all forest-wide operation master roles to another domain, you should transfer Domain



naming master and Schema master. Schema Master: The schema master domain controller

controls all updates and modifications to the schema. To update the schema of a forest, you must

have access to the schema master. There can be only one schema master in the whole forest.

Domain naming master: The domain naming master domain controller controls the addition or

removal of domains in the forest. There can be only one domain naming master in the whole

forest.

Reference: http://support.microsoft.com/kb/324801

QUESTION NO: 17

Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an

Active Directory domain named intranet.fabrikam.com. Fabrikam’s security policy prohibits the

transfer of internal DNS zone data outside the Fabrikam network.

You need to ensure that the Contoso users are able to resolve names from the

intranet.fabrikam.com domain.

What should you do?

A. Create a new stub zone for the intranet.fabrikam.com domain.

B. Configure conditional forwarding for the intranet.fabrikam.com domain.

C. Create a standard secondary zone for the intranet.fabrikam.com domain.

D. Create an Active DirectoryCintegrated zone for the intranet.fabrikam.com domain.

Answer: B

Explanation:

To enable a fabrikam.com user to resolve names from intranet.fabrikam.com domain, you should

set the conditional forwarding for the intranet.fabrikam.com domain. A conditional forwarding is a

DNS query setting that enables a DNS server to route a request for a particular name to another

DNS server by specifying a name and IP address.

QUESTION NO: 18

An Active Directory database is installed on the C volume of a domain controller. You need to

move the Active Directory database to a new volume. What should you do?

A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.

B. Move the ntds.dit file to the new volume by using Windows Explorer.



C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft

Windows PowerShell.

D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.

Answer: D

Explanation:

To move the Active Directory database to a new volume, you should move the ntds.dit file to the

new volume by opening the Files option in the ntdsutil utility. Use Ntdsutil.exe to move the

database file, the log files, or both to a larger existing partition. If you are not using Ntdsutil.exe

when moving files to a different partition, you will need to manually update the registry.

Reference: http://technet2.microsoft.com/windowsserver/en/library/af6646aa-2360-46e4-81ca-

d51707bf01eb1033.mspx?mfr=true

QUESTION NO: 19

Your company has file servers located in an organizational unit named Payroll. The file servers

contain payroll files located in a folder named Payroll. You create a GPO. You need to track which

employees access the Payroll files on the file servers. What should you do?

A. Enable the Audit process tracking option. Link the GPO to the Domain Controllers

organizational unit. On the file servers, configure Auditing for the Authenticated Users group in the

Payroll folder.

B. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the

file servers, configure Auditing for the Everyone group in the Payroll folder.

C. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On

the file servers, configure Auditing for the Everyone group in the Payroll folder.

D. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers,

configure Auditing for the Authenticated Users group in the Payroll folder.

Answer: B

Explanation:

QUESTION NO: 20

Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates. You

need to implement key archival. What should you do?

A. Configure the certificate for automatic enrollment for the computers that store encrypted files.

B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.

C. Apply the Hisecdc security template to the domain controllers.

D. Archive the private key on the server.



Answer: D

Explanation:

QUESTION NO: 21

Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU

contains an OU for Computers, an OU for Groups, and an OU for Users.

You perform nightly backups. An administrator deletes the Groups OU.

You need to restore the Groups OU without affecting users and computers in the Sales OU.

What should you do?

A. Perform an authoritative restore of the Sales OU.

B. Perform a non-authoritative restore of the Sales OU.

C. Perform an authoritative restore of the Groups OU.

D. Perform a non-authoritative restore of the Groups OU.

Answer: C

Explanation:

QUESTION NO: 22

Your network consists of a single Active Directory domain. The functional level of the forest is

Windows Server 2008 R2. You need to create multiple password policies for users in your domain.

What should you do?

A. From the Group Policy Management snap-in, create multiple Group Policy objects.

B. From the Schema snap-in, create multiple class schema objects.

C. From the ADSI Edit snap-in, create multiple Password Setting objects.

D. From the Security Configuration Wizard, create multiple security policies.

Answer: C

Explanation:

QUESTION NO: 23

You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS

server.



You need to record all inbound DNS queries to the server.

What should you configure in the DNS Manager console?

A. Enable debug logging.

B. Enable automatic testing for simple queries.

C. Configure event logging to log errors and warnings.

D. Enable automatic testing for recursive queries.

Answer: A

Explanation:

QUESTION NO: 24

Your company has a main office and a branch office. The company has a single-domain Active

Directory forest. The main office has two domain controllers named DC1 and DC2 that run

Windows Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain

controller (RODC) named DC3. All domain controllers hold the DNS Server role and are

configured as Active Directory-integrated zones. The DNS zones only allow secure updates. You

need to enable dynamic DNS updates on DC3. What should you do?

A. Run the Dnscmd.exe /ZoneResetType command on DC3.

B. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.

C. Create a custom application directory partition on DC1. Configure the partition to store Active

Directory-integrated zones.

D. Run the Ntdsutil.exe > DS Behavior commands on DC3.

Answer: B

Explanation:

QUESTION NO: 25

Your company has an Active Directory domain named ad.contoso.com. The domain has two

domain controllers named DC1 and DC2. Both domain controllers have the DNS server role

installed.

You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure

DC1 to forward all unresolved name requests to DNS1.contoso.com.

You discover that the DNS forwarding option is unavailable on DC2.



You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com

server.


Choose two.)

A. Clear the DNS cache on DC2.

B. Configure conditional forwarding on DC2.

C. Configure the Listen On address on DC2.

D. Delete the Root zone on DC2.

Answer: B,D

Explanation:

QUESTION NO: 26

Your company has an organizational unit named Production. The Production organizational unit

has a child organizational unit named R&D. You create a GPO named Software Deployment and

link it to the Production organizational unit.

You create a shadow group for the R&D organizational unit. You need to deploy an application to

users in the Production organizational unit.

You also need to ensure that the application is not deployed to users in the R&D organizational

unit.

What are two possible ways to achieve this goal? (Each correct answer presents a complete

solution. Choose two.)

A. Configure the Block Inheritance setting on the R&D organizational unit.

B. Configure the Enforce setting on the software deployment GPO.

C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the

R&D security group.

D. Configure the Block Inheritance setting on the Production organizational unit.

Answer: A,C

Explanation:

QUESTION NO: 27

Your company has a branch office that is configured as a separate Active Directory site and has



an Active Directory domain controller.

The Active Directory site requires a local Global Catalog server to support a new application.

You need to configure the domain controller as a Global Catalog server.

Which tool should you use?

A. The Server Manager console

B. The Active Directory Sites and Services console

C. The Dcpromo.exe utility

D. The Computer Management console

E. The Active Directory Domains and Trusts console

Answer: B

Explanation:

QUESTION NO: 28

Your company has a main office and three branch offices. The company has an Active Directory

forest that has a single domain. Each office has one domain controller. Each office is configured

as an Active Directory site. All sites are connected with the DEFAULTIPSITELINK object. You

need to decrease the replication latency between the domain controllers. What should you do?

A. Decrease the replication schedule for the DEFAULTIPSITELINK object.

B. Decrease the replication interval for the DEFAULTIPSITELINK object.

C. Decrease the cost between the connection objects.

D. Decrease the replication interval for all connection objects.

Answer: B

Explanation:

QUESTION NO: 29

Your company has two Active Directory forests named contoso.com and fabrikam.com. Both

forests run only domain controllers that run Windows Server 2008. The domain functional level of

contoso.com is Windows Server 2008. The domain functional level of fabrikam.com is Windows

Server 2003 Native mode. You configure an external trust between contoso.com and

fabrikam.com. You need to enable the Kerberos AES encryption option. What should you do?

A. Raise the forest functional level of fabrikam.com to Windows Server 2008.

B. Raise the domain functional level of fabrikam.com to Windows Server 2008.



C. Raise the forest functional level of contoso.com to Windows Server 2008.

D. Create a new forest trust and enable forest-wide authentication.

Answer: B

Explanation:

QUESTION NO: 30

All consultants belong to a global group named TempWorkers.

You place three file servers in a new organizational unit named SecureServers. The three file

servers contain confidential data located in shared folders.

You need to record any failed attempts made by the consultants to access the confidential data.


Choose two.)

A. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny

access to this computer from the network user rights setting for the TempWorkers global group.

B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit

privilege use Failure audit policy setting.

C. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object

access Failure audit policy setting.

D. On each shared folder on the three file servers, add the three servers to the Auditing tab.

Configure the Failed Full control setting in the Auditing Entry dialog box.

E. On each shared folder on the three file servers, add the TempWorkers global group to the

Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog box.

Answer: C,E

Explanation:

QUESTION NO: 31

You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2.

Server1 is configured as an Enterprise Root certification authority (CA).

You install the Online Responder role service on Server2.

You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root

CA.



Which two tasks should you perform? (Each correct answer presents part of the solution. Choose

two.)

A. Import the enterprise root CA certificate.

B. Import the OCSP Response Signing certificate.

C. Add the Server1 computer account to the CertPublishers group.

D. Set the Startup Type of the Certificate Propagation service to Automatic.

Answer: A,B

Explanation:

QUESTION NO: 32

Your company has an Active Directory forest. The forest includes organizational units

corresponding to the following four locations:

London

Chicago

New York

Madrid

Each location has a child organizational unit named Sales. The Sales organizational unit contains

all the users and computers from the sales department.

The offices in London, Chicago, and New York are connected by T1 connections. The office in

Madrid is connected by a 256-Kbps ISDN connection.

You need to install an application on all the computers in the sales department.


Choose two.)

A. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users.

Link the GPO to each Sales organizational unit.

B. Disable the slow link detection setting in the Group Policy Object (GPO).

C. Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy

Object (GPO).

D. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the

computers. Link the GPO to each Sales organizational unit.



Answer: B,D

Explanation:

QUESTION NO: 33

Your company has a domain controller server that runs the Windows Server 2008 R2 operating

system. The server is a backup server. The server has a single 500-GB hard disk that has three

partitions for the operating system, applications, and data. You perform daily backups of the

server.

The hard disk fails. You replace the hard disk with a new hard disk of the same capacity. You

restart the computer on the installation media. You select the Repair your computer option.

You need to restore the operating system and all files.

What should you do?

A. Select the System Image Recovery option.

B. Run the Imagex utility at the command prompt.

C. Run the Wbadmin utility at the command prompt.

D. Run the Rollback utility at the command prompt.

Answer: C

Explanation:

QUESTION NO: 34

You need to remove the Active Directory Domain Services role from a domain controller named

DC1.

What should you do?

A. Run the netdom remove DC1 command.

B. Run the Dcpromo utility. Remove the Active Directory Domain Services role.

C. Run the nltest /remove_server: DC1 command.

D. Reset the Domain Controller computer account by using the Active Directory Users and

Computers utility.

Answer: B

Explanation:



QUESTION NO: 35

Your company has an Active Directory forest. The company has branch offices in three locations.

Each location has an organizational unit. You need to ensure that the branch office administrators

are able to create and apply GPOs only to their respective organizational units. Which two actions

should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Run the Delegation of Control wizard and delegate the right to link GPOs for their branch

organizational units to the branch office administrators.

B. Add the user accounts of the branch office administrators to the Group Policy Creator Owners

Group.

C. Modify the Managed By tab in each organizational unit to add the branch office administrators

to their respective organizational units.

D. Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the

branch office administrators.

Answer: A,B

Explanation:

QUESTION NO: 36

Your company has an Active Directory domain.

A user attempts to log on to the domain from a client computer and receives the following

message: "This user account has expired. Ask your administrator to reactivate the account."

You need to ensure that the user is able to log on to the domain. What should you do?

A. Modify the properties of the user account to set the account to never expire.

B. Modify the properties of the user account to extend the Logon Hours setting.

C. Modify the default domain policy to decrease the account lockout duration.

D. Modify the properties of the user account to set the password to never expire.

Answer: A

Explanation:

QUESTION NO: 37

You have an existing Active Directory site named Site1. You create a new Active Directory site

and name it Site2.

You need to configure Active Directory replication between Site1 and Site2. You install a new



domain controller.

You create the site link between Site1 and Site2.

What should you do next?

A. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move

the new domain controller object to Site2.

B. Use the Active Directory Sites and Services console to configure a new site link bridge object.

C. Use the Active Directory Sites and Services console to decrease the site link cost between

Site1 and Site2.

D. Use the Active Directory Sites and Services console to configure the new domain controller as

a preferred bridgehead server for Site1.

Answer: A

Explanation:

QUESTION NO: 38

Your company has an Active Directory forest. Each branch office has an organizational unit and a

child organizational unit named Sales. The Sales organizational unit contains all users and

computers of the sales department. You need to install an Office 2007 application only on the

computers in the Sales organizational unit. You create a GPO named SalesApp GPO. What

should you do next?

A. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO

to the Sales organizational unit in each location.

B. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO

to the domain.

C. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to

the Sales organizational unit in each location.

D. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to

the Sales organizational unit in each location.

Answer: A

Explanation:

QUESTION NO: 39

Your network consists of an Active Directory forest that contains one domain. All domain

controllers run Windows Server 2008 R2 and are configured as DNS servers. You have an Active

Directory- integrated zone.



You have two Active Directory sites. Each site contains five domain controllers.

You add a new NS record to the zone.

You need to ensure that all domain controllers immediately receive the new NS record.

What should you do?

A. From the DNS Manager console, reload the zone.

B. From the DNS Manager console, increase the version number of the SOA record.

C. From the command prompt, run repadmin /syncall.

D. From the Services snap-in, restart the DNS Server service.

Answer: C

Explanation:

QUESTION NO: 40

Your company has a single Active Directory domain named intranet.contoso.com. All domain

controllers run Windows Server 2008 R2. The domain functional level is Windows 2000 native and

the forest functional level is Windows 2000.

You need to ensure the UPN suffix for contoso.com is available for user accounts.

What should you do first?

A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.

B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.

C. Add the new UPN suffix to the forest.

D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object

(GPO) to contoso.com.

Answer: C

Explanation:

QUESTION NO: 41

You have a Windows Server 2008 R2 Enterprise Root CA. Security policy prevents port 443 and

port 80 from being opened on domain controllers and on the issuing CA.



You need to allow users to request certificates from a Web interface. You install the Active

Directory Certificate Services (AD CS) server role.


A. Configure the Online Responder Role Service on a member server.

B. Configure the Online Responder Role Service on a domain controller.

C. Configure the Certificate Enrollment Web Service role service on a member server.

D. Configure the Certificate Enrollment Web Service role service on a domain controller.

Answer: C

Explanation:

QUESTION NO: 42

You need to relocate the existing user and computer objects in your company to different

organizational units. What are two possible ways to achieve this goal? (Each correct answer

presents a complete solution. Choose two.)

A. Run the move-item command in the Microsoft Windows PowerShell utility.

B. Run the Active Directory Users and Computers utility.

C. Run the Dsmod utility.

D. Run the Active Directory Migration Tool (ADMT).

Answer: B,C

Explanation:

QUESTION NO: 43

Your network consists of an Active Directory forest named contoso.com. All servers run Windows

Server 2008 R2. All domain controllers are configured as DNS servers. The contoso.com DNS

zone is stored in the ForestDnsZones Active Directory application partition.

You have a member server that contains a standard primary DNS zone for dev.contoso.com.

You need to ensure that all domain controllers can resolve names for dev.contoso.com.

What should you do?

A. Modify the properties of the SOA record in the contoso.com zone.

B. Create a NS record in the contoso.com zone.



C. Create a delegation in the contoso.com zone.

D. Create a standard secondary zone on a Global Catalog server.

Answer: C

Explanation:

QUESTION NO: 44

Your company has a single Active Directory domain. All domain controllers run Windows Server

2003.

You install Windows Server 2008 R2 on a server.

You need to add the new server as a domain controller in your domain.


A. On a domain controller run adprep /rodcprep.

B. On the new server, run dcpromo /adv.

C. On the new server, run dcpromo /createdcaccount.

D. On a domain controller, run adprep /forestprep.

Answer: D

Explanation:

QUESTION NO: 45

Your company has a main office and three branch offices. Each office is configured as a separate

Active Directory site that has its own domain controller. You disable an account that has

administrative rights. You need to immediately replicate the disabled account information to all

sites. What are two possible ways to achieve this goal? (Each correct answer presents a complete


A. From the Active Directory Sites and Services console, configure all domain controllers as global

catalog servers.

B. From the Active Directory Sites and Services console, select the existing connection objects

and force replication.

C. Use Repadmin.exe to force replication between the site connection objects.

D. Use Dsmod.exe to configure all domain controllers as global catalog servers.

Answer: B,C

Explanation:



QUESTION NO: 46


Server 2008 R2. You need to capture all replication errors from all domain controllers to a central

location. What should you do?

A. Start the Active Directory Diagnostics data collector set.

B. Start the System Performance data collector set.

C. Install Network Monitor and create a new a new capture.

D. Configure event log subscriptions.

Answer: D

Explanation:

QUESTION NO: 47

Your company has an Active Directory forest that contains client computers that run Windows

Vista and Microsoft Windows XP. You need to ensure that users are able to install approved

application updates on their computers. Which two actions should you perform? (Each correct

answer presents part of the solution. Choose two.)

A. Set up Automatic Updates through Control Panel on the client computers.

B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to

automatically search for updates on the Microsoft Update site.

C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the

Windows Server Update Services (WSUS) server for approved updates.

D. Install the Windows Server Update Services (WSUS). Configure the server to search for new

updates on the Internet. Approve all required updates.

Answer: C,D

Explanation:

QUESTION NO: 48

Your company has an Active Directory domain that has an organizational unit named Sales. The

Sales organizational unit contains two global security groups named sales managers and sales

executives. You need to apply desktop restrictions to the sales executives group. You must not

apply these desktop restrictions to the sales managers group. You create a GPO named

DesktopLockdown and link it to the Sales organizational unit. What should you do next?

A. Configure the Deny Apply Group Policy permission for Authenticated Users on the

DesktopLockdown GPO.



B. Configure the Deny Apply Group Policy permission for the sales executives on the


C. Configure the Allow Apply Group Policy permission for Authenticated Users on the


D. Configure the Deny Apply Group Policy permission for the sales managers on the


Answer: D

Explanation:

QUESTION NO: 49

Your company network has an Active Directory forest that has one parent domain and one child

domain. The child domain has two domain controllers that run Windows Server 2008. All user

accounts from the child domain are migrated to the parent domain. The child domain is scheduled

to be decommissioned. You need to remove the child domain from the Active Directory forest.

What are two possible ways to achieve this goal? (Each correct answer presents a complete


A. Run the Computer Management console to stop the Domain Controller service on both domain

controllers in the child domain.

B. Delete the computer accounts for each domain controller in the child domain. Remove the trust

relationship between the parent domain and the child domain.

C. Use Server Manager on both domain controllers in the child domain to uninstall the Active

Directory domain services role.

D. Run the Dcpromo tool that has individual answer files on each domain controller in the child

domain.

Answer: C,D

Explanation:

QUESTION NO: 50

Your network consists of a single Active Directory domain. The domain contains 10 domain

controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNS

servers.

You plan to create a new Active Directory-integrated zone.

You need to ensure that the new zone is only replicated to four of your domain controllers.




A. From the command prompt, run dnscmd and specify the /createdirectorypartition parameter.

B. Create a new delegation in the ForestDnsZones application directory partition.

C. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter.

D. Create a new delegation in the DomainDnsZones application directory partition.

Answer: A

Explanation:

QUESTION NO: 51

You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured

as a DNS Server for contoso.com.

You install the DNS Server role on a member server named Server1 and then you create a

standard secondary zone for contoso.com.

You configure DC1 as the master server for the zone.

You need to ensure that Server1 receives zone updates from DC1.

What should you do?

A. On DC1, modify the permissions of contoso.com zone.

B. On Server1, add a conditional forwarder.

C. On DC1, modify the zone transfer settings for the contoso.com zone.

D. Add the Server1 computer account to the DNSUpdateProxy group.

Answer: C

Explanation:

QUESTION NO: 52


company runs an Enterprise Root certification authority (CA).

You need to ensure that only administrators can sign code.


two.)



A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage

Trusted Publishers.

B. Modify the security settings on the template to allow only administrators to request code signing

certificates.

C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates

and allow only administrators to apply the policy.

D. Publish the code signing template.

Answer: B,D

Explanation:

QUESTION NO: 53

Your company has an Active Directory forest. You plan to install an Enterprise certification

authority (CA) on a dedicated stand-alone server.

When you attempt to add the Active Directory Certificate Services (AD CS) server role, you find

that the Enterprise CA option is not available.

You need to install the AD CS (Certificate Services) server role as an Enterprise CA.


A. Add the DNS Server role.

B. Add the Active Directory Lightweight Directory Service (AD LDS) role.

C. Add the Web server (IIS) role and the AD CS role.

D. Join the server to the domain.

Answer: D

Explanation:

QUESTION NO: 54

Your company has an Active Directory domain named contoso.com. The company network has

two DNS servers named DNS1 and DNS2.

The DNS servers are configured as shown in the following table.



Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to

connect to Internet Web sites.

You need to enable Internet name resolution for all client computers.

What should you do?

A. Update the list of root hints servers on DNS2.

B. Create a copy of the .(root) zone on DNS1.

C. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.

D. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.

Answer: C

Explanation:

QUESTION NO: 55


Server 2003. You upgrade all domain controllers to Windows Server 2008. You need to configure

the Active Directory environment to support the application of multiple password policies. What

should you do?

A. Raise the functional level of the domain to Windows Server 2008.

B. On one domain controller, run dcpromo /adv.

C. Create multiple Active Directory sites.

D. On all domain controllers, run dcpromo /adv.

Answer: A

Explanation:

QUESTION NO: 56

Your company has two Active Directory forests named contoso.com and fabrikam.com.



The company network has three DNS servers named DNS1, DNS2, and DNS3. The DNS servers

are configured as shown in the following table.

All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred

DNS server. All other computers use DNS1 as the preferred DNS server.

Users from the fabrikam.com domain are unable to connect to the servers that belong to the

contoso.com domain.

You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries.

What should you do?

A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to

DNS3.

B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.

C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.

D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.

Answer: D

Explanation:

QUESTION NO: 57

Your company, Contoso, Ltd., has offices in North America and Europe. Contoso has an Active

Directory forest that has three domains. You need to reduce the time required to authenticate

users from the labs.eu.contoso.com domain when they access resources in the

eng.na.contoso.com domain. What should you do?

A. Decrease the replication interval for all Connection objects.

B. Decrease the replication interval for the DEFAULTIPSITELINK site link.

C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com.

D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.

Answer: C

Explanation:



QUESTION NO: 58

Your company purchases a new application to deploy on 200 computers. The application requires

that you modify the registry on each target computer before you install the application. The registry

modifications are in a file that has an .adm extension. You need to prepare the target computers

for the application. What should you do?

A. Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an

organizational unit that contains the target computers.

B. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the

REDIRUsr CONTAINER-DN command on each target computer.

C. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each

target computer.

D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the

REDIRCmp CONTAINER-DN command on each target computer.

Answer: A

Explanation:

QUESTION NO: 59

Your company has an Active Directory forest that contains eight linked Group Policy Objects

(GPOs). One of these GPOs publishes applications to user objects. A user reports that the

application is not available for installation. You need to identify whether the GPO has been

applied. What should you do?

A. Run the Group Policy Results utility for the user.

B. Run the GPRESULT /S <system name> /Z command at the command prompt.

C. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.

D. Run the Group Policy Results utility for the computer.

Answer: A

Explanation:

QUESTION NO: 60


You plan to install the Active Directory Certificate Services (AD CS) server role on a member

server that runs Windows Server 2008 R2.

You need to ensure that members of the Account Operators group are able to issue smartcard

credentials.



They should not be able to revoke certificates. Which three actions should you perform? (Each

correct answer presents part of the solution. Choose three.)

A. Install the AD CS server role and configure it as an Enterprise Root CA .

B. Install the AD CS server role and configure it as a Standalone CA .

C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.

D. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.

E. Create a Smartcard logon certificate.

F. Create an Enrollment Agent certificate.

Answer: A,C,E

Explanation:

QUESTION NO: 61

You create 200 new user accounts. The users are located in six different sites. New users report

that they receive the following error message when they try to log on: "The username or password

is incorrect."

You confirm that the user accounts exist and are enabled. You also confirm that the user name

and password information supplied are correct.

You need to identify the cause of the failure. You also need to ensure that the new users are able

to log on.

Which utility should you run?

A. Active Directory Domains and Trusts

B. Repadmin

C. Rstools

D. Rsdiag

Answer: B

Explanation:

QUESTION NO: 62

Your network contains an Active Directory forest. All domain controllers run Windows Server 2008

R2 and are configured as DNS servers. You have an Active Directory-integrated zone for

contoso.com. You have a Unix-based DNS server. You need to configure your Windows Server

2008 R2 environment to allow zone transfers of the contoso.com zone to the Unix-based DNS

server. What should you do in the DNS Manager console?



A. Enable BIND secondaries

B. Create a stub zone

C. Disable recursion

D. Create a secondary zone

Answer: A

Explanation:

QUESTION NO: 63

Your company has an Active Directory domain. You log on to the domain controller. The Active

Directory Schema snap-in is not available in the Microsoft Management Console (MMC). You

need to access the Active Directory Schema snap-in. What should you do?

A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller

by using Server Manager.

B. Log off and log on again by using an account that is a member of the Schema Administrators

group.

C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open

the schema for writing.

D. Register Schmmgmt.dll.

Answer: D

Explanation:

QUESTION NO: 64

Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate

Services (AD CS) is configured as a standalone Certification Authority (CA) on the server.

You need to audit changes to the CA configuration settings and the CA security settings.


two.)

A. Configure auditing in the Certification Authority snap-in.

B. Enable auditing of successful and failed attempts to change permissions on files in the

%SYSTEM32%\CertSrv directory.

C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog

directory.

D. Enable the Audit object access setting in the Local Security Policy for the Active Directory

Certificate Services (AD CS) server.



Answer: A,D

Explanation:

QUESTION NO: 65

Your company has a single-domain Active Directory forest. The functional level of the domain is

Windows Server 2008.

You perform the following activities:

Create a global distribution group.

Add users to the global distribution group.

Create a shared folder on a Windows Server 2008 member server.

Place the global distribution group in a domain local group that has access to the shared folder.

You need to ensure that the users have access to the shared folder.

What should you do?

A. Add the global distribution group to the Domain Administrators group.

B. Change the group type of the global distribution group to a security group.

C. Change the scope of the global distribution group to a Universal distribution group.

D. Raise the forest functional level to Windows Server 2008.

Answer: B

Explanation:

QUESTION NO: 66

Your company hires 10 new employees. You want the new employees to connect to the main

office through a VPN connection. You create new user accounts and grant the new employees

they Allow Read and Allow Execute permissions to shared resources in the main office. The new

employees are unable to access shared resources in the main office. You need to ensure that

users are able to establish a VPN connection to the main office. What should you do?

A. Grant the new employees the Allow Access Dial-in permission.

B. Grant the new employees the Allow Full control permission.

C. Add the new employees to the Remote Desktop Users security group.

D. Add the new employees to the Windows Authorization Access security group.



Answer: A

Explanation:

QUESTION NO: 67


Server 2008 R2.

You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the

largest amount of available CPU resources on a domain controller.

What should you do?

A. Review performance data in Resource Monitor.

B. Review the Hardware Events log in the Event Viewer.

C. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory

Diagnostics report.

D. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.

Answer: C

Explanation:

QUESTION NO: 68

Your company has an Active Directory forest that contains only Windows Server 2008 domain

controllers.

You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain

controllers.


two.)

A. Run the adprep /domainprep command.

B. Raise the forest functional level to Windows Server 2008.

C. Raise the domain functional level to Windows Server 2008.

D. Run the adprep /forestprep command.

Answer: A,D

Explanation:



QUESTION NO: 69

You need to identify all failed logon attempts on the domain controllers. What should you do?

A. View the Netlogon.log file.

B. View the Security tab on the domain controller computer object.

C. Run Event Viewer.

D. Run the Security and Configuration Wizard.

Answer: C

Explanation:

QUESTION NO: 70

Your company has a DNS server that has 10 Active DirectoryCintegrated zones. You need to

provide copies of the zone files of the DNS server to the security department. What should you

do?

A. Run the dnscmd /ZoneInfo command.

B. Run the ipconfig /registerdns command.

C. Run the dnscmd /ZoneExport command.

D. Run the ntdsutil > Partition Management > List commands.

Answer: C

Explanation:

QUESTION NO: 71

Your company has an Active Directory forest. The company has three locations. Each location has

an organizational unit and a child organizational unit named Sales. The Sales organizational unit

contains all users and computers of the sales department. The company plans to deploy a

Microsoft Office 2007 application on all computers within the three Sales organizational units. You

need to ensure that the Office 2007 application is installed only on the computers in the Sales

organizational units. What should you do?

A. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the

application to the computer account. Link the SalesAPP GPO to the domain.

B. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the

application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each

location.

C. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the

application to the computer account. Link the SalesAPP GPO to the Sales organizational unit in

each location.



D. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to publish the

application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each

location.

Answer: C

Explanation:

QUESTION NO: 72

Your company has a main office and 10 branch offices. Each branch office has an Active Directory

site that contains one domain controller.

Only domain controllers in the main office are configured as Global Catalog servers.

You need to deactivate the Universal Group Membership Caching option on the domain

controllers in the branch offices.

At which level should you deactivate the Universal Group Membership Caching option?

A. Server

B. Connection object

C. Domain

D. Site

Answer: D

Explanation:

QUESTION NO: 73


Server 2003. You upgrade all domain controllers to Windows Server 2008 R2.

You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R).

What should you do?

A. From the command prompt, run dfsutil /addroot:sysvol.

B. From the command prompt, run netdom /reset.

C. From the command prompt, run dcpromo /unattend:unattendfile.xml.

D. Raise the functional level of the domain to Windows Server 2008 R2.

Answer: D

Explanation:



QUESTION NO: 74

Your company has a main office and a branch office that are configured as a single Active

Directory forest. The functional level of the Active Directory forest is Windows Server 2003. There

are four Windows Server 2003 domain controllers in the main office. You need to ensure that you

are able to deploy a read-only domain controller (RODC) at the branch office. Which two actions


A. Raise the functional level of the forest to Windows Server 2008.

B. Deploy a Windows Server 2008 domain controller at the main office.

C. Raise the functional level of the domain to Windows Server 2008.

D. Run the adprep/rodcprep command.

Answer: B,D

Explanation:

QUESTION NO: 75

Your company has an Active Directory forest that contains Windows Server 2008 R2 domain

controllers and DNS servers. All client computers run Windows XP SP3.

You need to use your client computers to edit domain-based GPOs by using the ADMX files that

are stored in the ADMX central store.

What should you do?

A. Add your account to the Domain Admins group.

B. Upgrade your client computers to Windows 7.

C. Install .NET Framework 3.0 on your client computers.

D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX

files to the PolicyDefinitions folder.

Answer: B

Explanation:

QUESTION NO: 76 DRAG DROP

A server named DC1 has the Active Directory Domain Services (AD DS) role and the Active

Directory Lightweight Directory Services (AD LDS) role installed.



An AD LDS instance named LDS1 stores its data on the C: drive.

You need to relocate the LDS1 instance to the D: drive.

Which three actions should you perform in sequence? (To answer, move the three appropriate

actions from the list of actions to the answer area and arrange them in the correct order.)

Answer:

Explanation:




You need to perform an offline defragmentation of an Active Directory database.

Which four actions should you perform in sequence? (To answer, move the appropriate four

actions from the list of actions to the answer area and arrange them in the correct order.)

Answer:

Explanation:


Your company has an Active Directory forest that contains multiple domain controllers. The

domain controllers run Windows Server 2008.

You need to perform an authoritative restore of a deleted organizational unit and its child objects.

Which four actions should you perform in sequence? (To answer, move the appropriate four

actions from the list of actions to the answer area, and arrange them in the correct order.)



Answer:

Explanation:

QUESTION NO: 79

Your company has a domain controller that runs Windows Server 2008. The domain controller has

the backup features installed. You need to perform a non-authoritative restore of the domain

controller using an existing backup file. What should you do?

A. Boot into Directory Services Restore Mode and use wbadmin to restore critical volume

B. Boot into Directory Services Restore Mode and use the backup snap-in to restore critical

volume



C. Boot into Safe Mode and use wbadmin to restore critical volume

D. Boot into Safe Mode and use the backup snap-in to restore critical volume

Answer: A

Explanation:

QUESTION NO: 80

Your company has an Active Directory domain. All servers run Windows Server. You deploy a

Certification Authority (CA) server. You create a new global security group named CertIssuers.

You need to ensure that members of the CertIssuers group can issue, approve, and revoke

certificates.

What should you do?

A. Assign the Certificate Manager role to the CertIssuers group

B. Place CertIssuers group in the Certificate Publisher group

C. Run the certsrv -add CertIssuers command promt of the certificate server

D. Run the add -member-membertype memberset CertIssuers command by using Microsoft

Windows Powershell

Answer: A

Explanation:

QUESTION NO: 81

Your company has an Active Directory domain. The company has purchased 100 new computers.

You want to deploy the computers as members of the domain. You need to create the computer

accounts in an OU. What should you do?

A. Run the csvde -f computers.csv command

B. Run the ldifde -f computers.ldf command

C. Run the dsadd computer <computerdn> command

D. Run the dsmod computer <computerdn> command

Answer: C

Explanation: DSAdd is the command line utility that is used to add computers to a domain.

DSMod is a commandline utility that is designed to modify an already existing object.

QUESTION NO: 82



Your network consists of a single Active Directory domain. You have a domain controller and a

member server that run Windows Server 2008 R2. Both servers are configured as DNS servers.

Client computers run either Windows XP Service Pack 3 or Windows 7. You have a standard

primary zone on the domain controller. The member server hosts a secondary copy of the zone.

You need to ensure that only authenticated users are allowed to update host (A) records in the

DNS zone.


A. On the member server, add a conditional forwarder.

B. On the member server, install Active Directory Domain Services.

C. Add all computer accounts to the DNS UpdateProxy group.

D. Convert the standard primary zone to an Active Directory-integrated zone.

Answer: D

Explanation:

QUESTION NO: 83

Your company has two domain controllers that are configured as internal DNS servers. All zones

on the DNS servers are Active Directory-integrated zones. The zones allow all dynamic updates.

You discover that the contoso.com zone has multiple entries for the host names of computers that

do not exist.

You need to configure the contoso.com zone to automatically remove expired records.

What should you do?

A. Enable only secure updates on the contoso.com zone,

B. Enable scavenging and configure the refresh interval on the contoso.com zone.

C. From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone.

D. From the Start of Authority tab, increase the default expiration interval on the contoso.com zone

Answer: B

Explanation:

QUESTION NO: 84

You have an Active Directory domain that runs Windows Server 2008 R2.



You need to implement a certification authority (CA) server that meets the following requirements:

- Allows the certification authority to automatically issue certificates

- Integrates with Active Directory Domain Services

What should you do?

A. Install and configure the Active Directory Certificate Services server role as a Standalone Root

CA.

B. Install and configure the Active Directory Certificate Services server role as an Enterprise Root

CA.

C. Purchase a certificate from a third-party certification authority, Install and configure the Active

Directory Certificate Services server role as a Standalone Subordinate CA.

D. Purchase a certificate from a third-party certification authority, Import the certificate into the

computer store of the schema master.

Answer: B

Explanation:

QUESTION NO: 85

You have a Windows Server 2008 R2 Enterprise Root certification authority (CA).

You need to grant members of the Account Operators group the ability to only manage Basic EFS

certificates.

You grant the Account Operators group the Issue and Manage Certificates permission on the CA.

Which three tasks should you perform next? (Each correct answer presents part of the solution.

Choose three.)

A. Enable the Restrict Enrollment Agents option on the CA.

B. Enable the Restrict Certificate Managers option on the CA.

C. Add the Basic EFS certificate template for the Account Operators group.

D. Grant the Account Operators group the Manage CA permission on the CA.

E. Remove all unnecessary certificate templates that are assigned to the Account Operators

group.

Answer: B,C,E

Explanation:



QUESTION NO: 86

Your company has an Active Directory domain. You have a two-tier PKI infrastructure that

contains an offline root CA and an online issuing CA. The Enterprise certification authority is

running Windows Server 2008 R2.

You need to ensure users are able to enroll new certificates.

What should you do?

A. Renew the Certificate Revocation List (CRL) on the root CA. Copy the CRL to the CertEnroll

folder on the issuing CA.

B. Renew the Certificate Revocation List (CRL) on the issuing CA, Copy the CRL to the

SysternCertificates folder in the users' profile.

C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client

workstations.

D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client

workstations,

Answer: A

Explanation:

QUESTION NO: 87


company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA.

The Enterprise Intermediate CA certificate expires.

You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain.

What should you do?

A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA

server,

B. Import the new certificate into the Intermediate Certification Store on the Enterprise

Intermediate CA server,

C. Import the new certificate into the Intermediate Certification Store in the Default Domain

Controllers group policy object,

D. Import the new certificate into the Intermediate Certification Store in the Default Domain group

policy object.



Answer: D

Explanation:

QUESTION NO: 88

Your company has recently acquired a new subsidiary company in Quebec. The Active Directory

administrators of the subsidiary company must use the French-language version of the

administrative templates.

You create a folder on the PDC emulator for the subsidiary domain in the path

%systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\FR .

You need to ensure that the French-language version of the templates is available.

What should you do?

A. Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm files from the Microsoft

Web site. Copy the ADM files to the FR folder.

B. Copy the ADML files from the French local installation media for Windows Server 2008 R2 to

the FR folder on the subsidiary PDC emulator.

C. Copy the Install.WIM file from the French local installation media for Windows Server 2008 R2

to the FR folder on the subsidiary PDC emulator.

D. Copy the ADMX files from the French local installation media for Windows Server 2008 R2 to

the FR folder on the subsidiary PDC emulator.

Answer: B

Explanation:

QUESTION NO: 89

A user in a branch office of your company attempts to join a computer to the domain, but the

attempt fails.

You need to enable the user to join a single computer to the domain.

You must ensure that the user is denied any additional rights beyond those required to complete

the task.

What should you do?

A. Prestage the computer account in the Active Directory domain.



B. Add the user to the Domain Administrators group for one day.

C. Add the user to the Server Operators group in the Active Directory domain,

D. Grant the user the right to log on locally by using a Group Policy Object (GPO).

Answer: A

Explanation:

QUESTION NO: 90

The default domain GPO in your company is configured by using the following account policy

settings:

- Minimum password length: 8 characters

- Maximum password age: 30 days

- Enforce password history: 12 passwords remembered

- Account lockout threshold: 3 invalid logon attempts

- Account lockout duration: 30 minutes

You install Microsoft SQL Server on a computer named Server1 that runs Windows Server 2008

R2. The SQL Server application uses a service account named SQLSrv. The SQLSrv account has

domain user rights.

The SQL Server computer fails after running successfully for several weeks. The SQLSrv user

account is not locked out.

You need to resolve the server failure and prevent recurrence of the failure. Which two actions


A. Reset the password of the SQLSrv user account.

B. Configure the local security policy on Serverl to grant the Logon as a service right on the

SQLSrv user account.

C. Configure the properties of the SQLSrv account to Password never expires.

D. Configure the properties of the SQLSrv account to User cannot change password.

E. Configure the local security policy on Serverl to explicitly grant the SQLSrv user account the

Allow logon locally user right.

Answer: A,C

Explanation:

QUESTION NO: 91

Your company has two Active Directory forests named Forestl and Forest2, The forest functional



level and the domain functional level of Forestl are set to Windows Server 2008.

The forest functional level of Forest2 is set to Windows 2000, and the domain functional levels in

Forest2 are set to Windows Server 2003.

You need to set up a transitive forest trust between Forestl and Forest2,


A. Raise the forest functional level of Forest2 to Windows Server 2003 Interim mode,

B. Raise the forest functional level of Forest2 to Windows Server 2003.

C. Upgrade the domain controllers in Forest2 to Windows Server 2008.

D. Upgrade the domain controllers in Forest2 to Windows Server 2003,

Answer: B

Explanation:

QUESTION NO: 92

Your company has an Active Directory forest that contains two domains.

The forest has universal groups that contain members from each domain. A branch office has a

domain controller named DC1.

Users at the branch office report that the logon process takes too long.

You need to decrease the amount of time it takes for the branch office users to logon.

What should you do?

A. Configure DC1 as a Global Catalog server.

B. Configure DC1 as a bridgehead server for the branch office site.

C. Decrease the replication interval on the site link that connects the branch office to the corporate

network.

D. Increase the replication interval on the site link that connects the branch office to the corporate

network.

Answer: A

Explanation:

QUESTION NO: 93

Your company has an Active Directory domain. The main office has a DNS server named DNS1



that is configured with Active Directory-integrated DNS. The branch office has a DNS server

named DNS2 that contains a secondary copy of the zone from DNS1. The two offices are

connected with an unreliable WAN link.

You add a new server to the main office. Five minutes after adding the server, a user from the

branch office reports that he is unable to connect to the new server. You need to ensure that the

user is able to connect to the new server.

What should you do?

A. Clear the cache on DNS2.

B. Reload the zone on DNS1.

C. Refresh the zone on DNS2.

D. Export the zone from DNS1 and import the zone to DNS2,

Answer: C

Explanation:

QUESTION NO: 94

You need to validate whether Active Directory successfully replicated between two domain

controllers.

What should you do?

A. Run the DSget command.

B. Run the Dsquery command.

C. Run the RepAdmin command.

D. Run the Windows System Resource Manager.

Answer: C

Explanation:

QUESTION NO: 95

You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup

feature is installed on the domain controller.

You need to perform a non-authoritative restore of the domain controller by using an existing

backup file.



What should you do?

A. Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN

command to perform a critical volume restore.

B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server

Backup snap-in to perform a critical volume restore.

C. Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to

perform a critical volume restore.

D. Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical

volume restore.

Answer: A

Explanation:

QUESTION NO: 96

Your company has an Active Directory forest. Not all domain controllers in the forest are

configured as Global Catalog Servers. Your domain structure contains one root domain and one

child domain. You modify the folder permissions on a file server that is in the child domain. You

discover that some Access Control entries start with S-1-5-21 and that no account name is listed.

You need to list the account names. What should you do?

A. Move the RID master role in the child domain to a domain controller that holds the Global

Catalog.

B. Modify the schema to enable replication of the friendlynames attribute to the Global Catalog.

C. Move the RID master role in the child domain to a domain controller that does not hold the

Global Catalog.

D. Move the infrastructure master role in the child domain to a domain controller that does not hold

the Global Catalog.

Answer: D

Explanation:

QUESTION NO: 97

Your company security policy requires complex passwords.

You have a comma delimited file named import.csv that contains user account information.

You need to create user account in the domain by using the import.csv file.

You also need to ensure that the new user accounts are set to use default passwords and are



disabled.

What shoulld you do?

A. Modify the userAccountControl attribute to disabled. Run the csvde -i -k -f import.csv command.

Run the DSMOD utility to set default passwords for the user accounts.

B. Modify the userAccountControl attribute to accounts disabled. Run the csvde -f import.csv

command. Run the DSMOD utility to set default passwords for the user accounts.

C. Modify the userAccountControl attribute to disabled. Run the wscript import.csv command. Run

the DSADD utility to set default passwords for the imported user accounts.

D. Modify the userAccountControl attribute to disabled. Run the ldifde -i -f import.csv command.

Run the DSADD utility to set passwords for the imported user accounts.

Answer: A

Explanation:

QUESTION NO: 98

You are installing an application on a computer that runs Windows Server 2008 R2. During

installation, the application will need to install new attributes and classes to the Active Directory

database. You need to ensure that you can install the application. What should you do?

A. Change the functional level of the forest to Windows Server 2008 R2.

B. Log on by using an account that has Server Operator rights.

C. Log on by using an account that has Schema Administrator rights and the appropriate rights to

install the application.

D. Log on by using an account that has the Enterprise Administrator rights and the appropriate

rights to install the application.

Answer: C

Explanation:

QUESTION NO: 99

Your company has an Active Directory forest. The company has servers that run Windows Server

2008 R2 and client computers that run Windows 7. The domain uses a set of GPO administrative

templates that have been approved to support regulatory compliance requirements. Your partner

company has an Active Directory forest that contains a single domain. The company has servers

that run Windows Server 2008 R2 and client computers that run Windows 7. You need to

configure your partner company's domain to use the approved set of administrative templates.

What should you do?



A. Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In

each site, import the GPO to the default domain policy.

B. Copy the ADMX files from your company's PDC emulator to the PolicyDefinitions folder on the

partner company's PDC emulator

C. Copy the ADML files from your company's PDC emulator to the PolicyDefinitions folder on the

partner company's PDC emulator

D. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft

Updates Web site. Copy the ADM files to the PolicyDefinitions folder on thr partner company's

emulator.

Answer: B

Explanation:

QUESTION NO: 100

You need to ensure that users who enter three successive invalid passwords within 5 minutes are

locked out for 5 minutes.

Which three actions should you perform? (Each correct answer presents part of the solution.

Choose three.)

A. Set the Minimum password age setting to one day.

B. Set the Maximum password age setting to one day.

C. Set the Account lockout duration setting to 5 minutes.

D. Set the Reset account lockout counter after setting to 5 minutes.

E. Set the Account lockout threshold setting to 3 invalid logon attempts.

F. Set the Enforce password history setting to 3 passwords remembered.

Answer: C,D,E

Explanation:

QUESTION NO: 101

Your company has an Active Directory domain and an organizational unit. The organizational unit

is named Web. You configure and test new security settings for Internet Information Service (IIS)

Servers on a server named IISServerA. You need to deploy the new security settings only on the

IIS servers that are members of the Web organizational unit. What should you do?

A. Run secedit /configure /db iis.inf from the command prompt on IISServerA, then run secedit

/configure /db webou.inf from the comand prompt.

B. Export the settings on IISServerA to create a security template. Import the security template

into a GPO and link the GPO to the Web organizational unit.

C. Export the settings on IISServerA to create a security template. Run secedit /configure /db



webou.inf from the comand prompt.

D. Import the hisecws.inf file template into a GPO and link the GPO to the Web organizational unit.

Answer: B

Explanation:

QUESTION NO: 102

Your network consists of an Active Directory forest that contains two domains. All servers run

Windows Server 2008 R2. All domain controllers are configured as DNS Servers.

You have a standard primary zone for dev. contoso.com that is stored on a member server.

You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone.

What should you do?

A. On the member server, create a stub zone.

B. On the member server, create a NS record for each domain controller.

C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to

replicate to all DNS servers in the forest.

D. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to

replicate to all DNS servers in the domain.

Answer: C

Explanation:

QUESTION NO: 103

Your company has an Active Directory domain. You install a new domain controller in the domain.

Twenty users report that they are unable to log on to the domain. You need to register the SRV

records. Which command should you run on the new domain controller?

A. Run the netsh interface reset command.

B. Run the ipconfig /flushdns command.

C. Run the dnscmd /EnlistDirectoryPartition command.

D. Run the sc stop netlogon command followed by the sc start netlogon command.

Answer: D

Explanation:



QUESTION NO: 104

You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server role

installed.

You need to minimize the amount of time it takes for client computers to download a certificate

revocation list (CRL).

What should you do?

A. Install and configure an Online Responder.

B. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client

workstations.

C. Install and configure an additional domain controller.

D. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client

workstations.

Answer: A

Explanation:

QUESTION NO: 105

You want users to log on to Active Directory by using a new Principal Name (UPN).

You need to modify the UPN suffix for all user accounts.


A. Dsmod

B. Netdom

C. Redirusr

D. Active Directory Domains and Trusts

Answer: A

Explanation:

QUESTION NO: 106


Server 2008 R2. Auditing is configured to log changes made to the Managed By attribute on group

objects in an organizational unit named OU1.



You need to log changes made to the Description attribute on all group objects in OU1 only.

What should you do?

A. Run auditpol.exe.

B. Modify the auditing entry for OU1.

C. Modify the auditing entry for the domain.

D. Create a new Group Policy Object (GPO). Enable Audit account management policy setting.

Link the GPO to OU1.

Answer: B

Explanation:

QUESTION NO: 107

Your company uses shared folders. Users are granted access to the shared folders by using

domain local groups. One of the shared folders contains confidential data. You need to ensure that

unauthorized users are not able to access the shared folder that contains confidential data. What

should you do?

A. Enable the Do not trust this computer for delegation property on all the computers of

unauthorized users by using the Dsmod utility.

B. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full

control permission on the shared folders that hold the confidential data for the Guest account.

C. Create a Global Group named Deny DLG. Place the global group that contains the

unauthorized users in to the Deny DLG group. Configure the Allow Full control permission on the

shared folder that hold the confidential data for the Deny DLG group.

D. Create a Domain Local Group named Deny DLG. Place the global group that contains the

unauthorized users in to the Deny DLG group. Configure the Deny Full control permission on the

shared folder that hold the confidential data for the Deny DLG group.

Answer: D

Explanation:

QUESTION NO: 108


You install an Enterprise Root certification authority (CA) on a member server named Server1.

You need to ensure that only the Security Manager is authorized to revoke certificates that are

supplied by Server1.



What should you do?

A. Remove the Request Certificates permission from the Domain Users group.

B. Remove the Request Certificates permission from the Authenticated Users group.

C. Assign the Allow - Manage CA permission to only the Security Manager User account.

D. Assign the Allow - Issue and Manage Certificates permission to only the Security Manager User

account.

Answer: D

Explanation:

QUESTION NO: 109

You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.

What is the minimal forest functional level that you should use?

A. Windows Server 2008 R2

B. Windows Server 2008

C. Windows Server 2003

D. Windows 2000

Answer: C

Explanation:

QUESTION NO: 110

Your company has three Active Directory domains in a single forest. You install a new Active

Directory enabled application. The application ads new user attributes to the Active Directory

schema. You discover that the Active Directory replication traffic to the Global Catalogs has

increased. You need to prevent the new attributes from being replicated to the Global Catalog.

You must achieve this goal without affecting application functionality. What should you do?

A. Change the replication interval for the DEFAULTIPSITELINK object to 9990.

B. Change the cost for the DEFAULTIPSITELINK object to 9990.

C. Make the new attributes in the Active Directory as defunct.

D. Modify the properties in the Active Directory schema for the new attributes.

Answer: D

Explanation:



QUESTION NO: 111

You are decommissioning one of the domain controllers in a child domain. You need to transfer all

domain operations master roles within the child domain to a newly installed domain controller in

the same child domain.

Which three domain operations master roles should you transfer? (Each correct answer presents

part of the solution. Choose three.)

A. RID master

B. PDC emulator

C. Schema master

D. Infrastructure master

E. Domain naming master

Answer: A,B,D

Explanation:

QUESTION NO: 112

There are 100 server and 2000 computers present at your company's headquarters.

The DHCP service is installed on a two-node Microsoft failover cluster named CKMFO to ensure

the high availability of the service.

The nodes are named as CKMFON1 and CKMFON2.

The cluster on CKMFO has one physical shared disk of 400 GB capacity.

A 200GB single volume is configured on the shared disk.

Company has decided to host a Windows Internet Naming Service (WINS) on CKMFON1.

The DHCP and WINS services will be hosted on other nodes.

Using High Availability Wizard, you begin creating the WINS service group on cluster available on

CKMFON1 node.

The wizard shows an error "no disks are available" during configuration.

Which action should you perform to configure storage volumes on CKMFON1 to successfully add

the WINS Service group to CKMFON1?

A. Backup all data on the single volume on CKMFON1 and configure the disk with GUID partition

table and create two volumes. Restore the backed up data on one of the volumes and use the



other for WINS service group

B. Add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it.

Use this volume to fix the error in the wizard.

C. Add new physical shared disks to CKMFON1 and EMBFON2. Configure the volumes on these

disk and direct CKMOFONI to use CKMFON2 volume for the WINS service group

D. Add and configure a new volume on the existing shared disk which has 400GB of space. Use

this volume to fix the error in the wizard

E. None of the above

Answer: B

Explanation:

QUESTION NO: 113

Exhibit:

Company servers run Windows Server 2008. It has a single Active Directory domain. A server

called S4 has file services role installed. You install some disk for additional storage. The disks are

configured as shown in the exhibit.

To support data stripping with parity, you have to create a new drive volume.

What should you do to achieve this objective?

A. Build a new spanned volume by combining Disk0 and Disk1

B. Create a new Raid-5 volume by adding another disk.

C. Create a new virtual volume by combining Disk 1 and Disk 2

D. Build a new striped volume by combining Disk0 and Disk 2

Answer: B



Explanation:

QUESTION NO: 114

Your company asks you to implement Windows Cardspace in the domain. You want to use

Windows Cardspace at your home. Your home and office computers run Windows Vista Ultimate.

What should you do to create a backup copy of Windows Cardspace cards to be used at home?

A. Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB

drive

B. Backup \Windows\Globalization folder by using backup status and save the folder on your USB

drive

C. Back up the system state data by using backup status tool on your USB drive

D. Employ Windows Cardspace application to backup the data on your USB drive.

E. Reformat the C: Drive

F. None of the above

Answer: D

Explanation:

QUESTION NO: 115

Company has servers on the main network that run Windows Server 2008. It also has two domain

controllers. Active Directory services are running on a domain controller named CKDC1. You have

to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server.

What should you do to perform offline critical updates on CKDC1 without rebooting the server?

A. Start the Active Directory Domain Services on CKDC1

B. Disconnect from the network and start the Windows update feature

C. Stop the Active Directory domain services and install the updates. Start the Active Directory

domain services after installing the updates.

D. Stop Active Directory domain services and install updates. Disconnect from the network and

then connect again


Answer: C

Explanation:



QUESTION NO: 116

One of the remote branch offices of Company branch is running a Windows Server 2008 having

ready only domain controller (RODC) installed. For security reasons you don't want some critical

credentials like (passwords, encryption keys) to be stored on RODC.

What should you do so that these credentials are not replicated to any RODC's in the forest?

(Select 2)

A. Configure RODC filtered attribute set on the server

B. Configure RODC filtered set on the server that holds Schema Operations Master role.

C. Delegate local administrative permissions for an RODC to any domain user without granting

that user any user rights for the domain

D. Configure forest functional level server for Windows server 2008 to configure filtered attribute

set.


Answer: B,D

Explanation:

QUESTION NO: 117

Company has a server with Active Directory Rights Management Services (AD RMS) server

installed. Users have computers with Windows Vista installed on them with an Active Directory

domain installed at Windows Server 2003 functional level. As an administrator at Company, you

discover that the users are unable to benefit from AD RMS to protect their documents. You need

to configure AD RMS to enable users to use it and protect their documents.

What should you do to achieve this functionality?

A. Configure an email account in Active Directory Domain Services (AD DS) for each user.

B. Add and configure ADRMSADMIN account in local administrators group on the user computers

C. Add and configure the ADRMSSRVC account in AD RMS server's local administrator group

D. Reinstall the Active Directory domain on user computers

E. All of the above

Answer: A

Explanation:

QUESTION NO: 118

Company has an active directory forest on a single domain.



Company needs a distributed application that employs a custom application. The application is

directory partition software named PARDAT. You need to implement this application for data

replication.

Which two tools should you use to achieve this task? (Choose two answers. Each answer is a part

of a complete solution)

A. Dnscmd.

B. Ntdsutil.

C. Ipconfig

D. Dnsutil

E. All of the above

Answer: A,B

Explanation:

QUESTION NO: 119

Company has an Active Directory forest with six domains. The company has 5 sites.

The company requires a new distributed application that uses a custom application directory

partition named ResData for data replication. The application is installed on one member server in

five sites.

You need to configure the five member servers to receive the ResData application directory

partition for data replication. What should you do?

A. Run the Dcpromo utility on the five member servers.

B. Run the Regsvr32 command on the five member servers

C. Run the Webadmin command on the five member servers

D. Run the RacAgent utility on the five member servers

Answer: A

Explanation:

QUESTION NO: 120

As an administrator at Company, you have installed an Active Directory forest that has a single

domain. You have installed an Active Directory Federation services (AD FS) on the domain

member server. What should you do to configure AD FS to make sure that AD FS token contains

information from the active directory domain?



A. Add a new account store and configure it.

B. Add a new resource partner and configure it

C. Add a new resource store and configure it

D. Add a new administrator account on AD FS and configure it


Answer: A

Explanation:

QUESTION NO: 121

Company runs Window Server 2008 on all of its servers. It has a single Active Directory domain

and it uses Enterprise Certificate Authority. The security policy at ABC.com makes it necessary to

examine revoked certificate information.

You need to make sure that the revoked certificate information is available at all times. What

should you do to achieve that?

A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer

certificates and link the GPO to the domain.

B. Configure and use a GPO to publish a list of trusted certificate authorities to the domain

C. Configure and publish an OCSP (Online certificate status protocol) responder through ISAS

(Internet Security and Acceleration Server) array.

D. Use network load balancing and publish an OCSP responder.


Answer: D

Explanation:

QUESTION NO: 122

As the Company administrator you had installed a read-only domain controller (RODC) server at

remote location.

The remote location doesn't provide enough physical security for the server.

What should you do to allow administrative accounts to replicate authentication information to

Read-Only Domain Controllers?

A. Remove any administrative accounts from RODC's group

B. Add administrative accounts to the domain Allowed RODC Password Replication group

C. Set the Deny on Receive as permission for administrative accounts on the RODC computer

account Security tab for the Group Policy Object (GPO)

D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link



the GPO to the remote location. Activate the Read Allow and the Apply group policy Allow

permissions for the administrators on the Security tab for the GPO.


Answer: B

Explanation:

QUESTION NO: 123

ABC.com boosts a two-node Network Load Balancing cluster which is called web. CK1.com. The

purpose of this cluster is to provide load balancing and high availability of the intranet website

only.

With monitoring the cluster, you discover that the users can view the Network Load Balancing

cluster in their Network Neighborhood and they can use it to connect to various services by using

the name web. CK1.com.

You also discover that there is only one port rule configured for Network Load Balancing cluster.

You have to configure web. CK1 .com NLB cluster to accept HTTP traffic only. Which two actions

should you perform to achieve this objective? (Choose two answers. Each answer is part of the

complete solution)

A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster console

B. Run the wlbs disable command on the cluster nodes

C. Assign a unique port rule for NLB cluster by using the NLB Cluster console

D. Delete the default port rules through Network Load Balancing Cluster console

Answer: A,D

Explanation:

QUESTION NO: 124

ABC.com has a main office and a branch office. ABC.com's network consists of a single Active

Directory forest. Some of the servers in the network run Windows Server 2008 and the rest run

Windows server 2003.

You are the administrator at ABC.com. You have installed Active Directory Domain Services (AD

DS) on a computer that runs Windows Server 2008. The branch office is located in a physically

insecure place. It has not IT personnel onsite and there are no administrators over there. You

need to setup a Read-Only Domain Controller (RODC) on the Server Core installation computer in

the branch office.

What should you do to setup RODC on the computer in branch office?



A. Execute an attended installation of AD DS

B. Execute an unattended installation of AD DS

C. Execute RODC through AD DS

D. Execute AD DS by using deploying the image of AD DS

E. none of the above

Answer: B

Explanation:

QUESTION NO: 125

You had installed an Active Directory Federation Services (AD FS) role on a Windows server 2008

in your organization.

Now you need to test the connectivity of clients in the network to ensure that they can successfully

reach the new Federation server and Federation server is operational.

What should you do? (Select all that apply)

A. Go to Services tab, and check if Active Directory Federation Services is running

B. In the event viewer, Applications, Event ID column look for event ID 674.

C. Open a browser window, and then type the Federation Service URL for the new federation

server.

D. None of the above

Answer: B,C

Explanation:

QUESTION NO: 126

ABC.com has purchased laptop computers that will be used to connect to a wireless network. You

create a laptop organizational unit and create a Group Policy Object (GPO) and configure user

profiles by utilizing the names of approved wireless networks. You link the GPO to the laptop

organizational unit. The new laptop users complain to you that they cannot connect to a wireless

network.

What should you do to enforce the group policy wireless settings to the laptop computers?

A. Execute gpupdate/target:computer command at the command prompt on laptop computers

B. Execute Add a network command and leave the SSID (service set identifier) blank

C. Execute gpupdate/boot command at the command prompt on laptops computers

D. Connect each laptop computer to a wired network and log off the laptop computer and then

login again.




Answer: D

Explanation:

QUESTION NO: 127

The Company has a Windows 2008 domain controller server. This server is routinely backed up

over the network from a dedicated backup server that is running Windows 2003 OS.

You need to prepare the domain controller for disaster recovery apart from the routine backup

procedures. You are unable to launch the backup utility while attempting to back up the system

state data for the data controller.

You need to backup system state data from the Windows Server 2008 domain controller server.

What should you do?

A. Add your user account to the local Backup Operators group

B. Install the Windows Server backup feature using the Server Manager feature.

C. Install the Removable Storage Manager feature using the Server Manager feature

D. Deactivating the backup job that is configured to backup Windows 2008 server domain

controller on the Windows 2003 server.


Answer: B

Explanation:

QUESTION NO: 128

You are an administrator at ABC.com. Company has a RODC (read-only domain controller) server

at a remote location. The remote location doesn't have proper physical security. You need to

activate nonadministrative accounts passwords on that RODC server. Which of the following

action should be considered to populate the RODC server with non-administrative accounts

passwords?

A. Delete all administrative accounts from the RODC's group

B. Configure the permission to Deny on Receive for administrative accounts on the security tab for

Group Policy Object (GPO)

C. Configure the administrative accounts to be added in the Domain RODC Password Replication

Denied group

D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and

on the security tab on GPO, check the Read Allow and the Apply group policy permissions for the

administrators.




Answer: C

Explanation:

QUESTION NO: 129

ABC.com has a network that is comprise of a single Active Directory Domain.

As an administrator at ABC.com, you install Active Directory Lightweight Directory Services (AD

LDS) on a server that runs Windows Server 2008. To enable Secure Sockets Layer (SSL) based

connections to the AD LDS server, you install certificates from a trusted Certification Authority

(CA) on the AD LDS server and client computers.

Which tool should you use to test the certificate with AD LDS?

A. Ldp.exe

B. Active Directory Domain services

C. ntdsutil.exe

D. Lds.exe

E. wsamain.exe

F. None of the above

Answer: A

Explanation:

QUESTION NO: 130

ABC.com boosts a main office and 20 branch offices. Configured as a separate site, each branch

office has a Read-Only Domain Controller (RODC) server installed.

Users in remote offices complain that they are unable to log on to their accounts.

What should you do to make sure that the cached credentials for user accounts are only stored in

their local branch office RODC server?

A. Open the RODC computer account security tab and set Allow on the Receive as permission

only for the users that are unable to log on to their accounts

B. Add a password replication policy to the main Domain RODC and add user accounts in the

security group

C. Configure a unique security group for each branch office and add user accounts to the

respective security group. Add the security groups to the password replication allowed group on

the main RODC server

D. Configure and add a separate password replication policy on each RODC computer account

Answer: D



Explanation:

QUESTION NO: 131

The corporate network of Company consists of a Windows Server 2008 single Active Directory

domain. The domain has two servers named Company 1 and Company 2.

To ensure central monitoring of events you decided to collect all the events on one server,

Company

1. To collect events from Company

2. and transfer them to Company 1, you configured the required event subscriptions.

You selected the Normal option for the Event delivery optimization setting by using the HTTP

protocol.

However, you discovered that none of the subscriptions work.

Which of the following actions would you perform to configure the event collection and event

forwarding on the two servers? (Select three. Each answer is a part of the complete solution).

A. Through Run window execute the winrm quickconfig command on Company 2.

B. Through Run window execute the wecutil qc command on Company 2.

C. Add the Company 1 account to the Administrators group on Company 2.

D. Through Run window execute the winrm quickconfig command on Company 1.

E. Add the Company 2 account to the Administrators group on Company 1.

F. Through Run window execute the wecutil qc command on Company 1.

Answer: A,B,D

Explanation:

QUESTION NO: 132

Your company has a main office and 40 branch offices. Each branch office is configured as a

separate Active Directory site that has a dedicated read-only domain controller (RODC). An RODC

server is stolen from one of the branch offices.

You need to identify the user accounts that were cached on the stolen RODC server.

Which utility should you use?



A. Dsmod.exe

B. Ntdsutil.exe

C. Active Directory Sites and Services

D. Active Directory Users and Computers

Answer: D

Explanation:

QUESTION NO: 133

ABC.com has a software evaluation lab. There is a server in the evaluation lab named as CKT.

CKT runs Windows Server 2008 and Microsoft Virtual Server 2005 R2. CKT has 200 virtual

servers running on an isolated virtual segment to evaluate software. To connect to the internet, it

uses physical network interface card.

ABC.com requires every server in the company to access Internet.

ABC.com security policy dictates that the IP address space used by software evaluation lab must

not be used by other networks. Similarly, it states the IP address space used by other networks

should not be used by the evaluation lab network. As an administrator you find you that the

applications tested in the software evaluation lab need to access normal network to connect to the

vendors update servers on the internet. You need to configure all virtual servers on the CKT

server to access the internet. You also need to comply with company's security policy.

Which two actions should you perform to achieve this task? (Choose two answers. Each answer is

a part of the complete solution)

A. Trigger the Virtual DHCP server for the external virtual network and run ipconfig/renew

command on each virtual server.

B. On CKT's physical network interface, activate the Internet Connection Sharing (ICS)

C. Use ABC.com intranet IP addresses on all virtual servers on CKT.

D. Add and install a Microsoft Loopback Adapter network interface on CKT. Use a new network

interface and create a new virtual network.

E. None of the above.

Answer: A,D

Explanation:

QUESTION NO: 134

You are an administrator at ABC.com. Company has a network of 5 member servers acting as file

servers. It has an Active Directory domain. You have installed a software application on the



servers. As soon as the application is installed, one of the member servers shuts down itself. To

trace and rectify the problem, you create a Group Policy Object (GPO). You need to change the

domain security settings to trace the shutdowns and identify the cause of it.

What should you do to perform this task?

A. Link the GPO to the domain and enable System Events option

B. Link the GPO to the domain and enable Audit Object Access option

C. Link the GPO to the Domain Controllers and enable Audit Object Access option

D. Link the GPO to the Domain Controllers and enable Audit Process tracking option

E. Perform all of the above actions

Answer: A

Explanation:

QUESTION NO: 135

ABC.com has a network that consists of a single Active Directory domain. A technician has

accidently deleted an Organizational unit (OU) on the domain controller. As an administrator of

ABC.com, you are in process of restoring the OU. You need to execute a non-authoritative restore

before an authoritative restore of the OU. Which backup should you use to perform non-

authoritative restore of Active Directory Domain Services (AD DS) without disturbing other data

stored on domain controller?

A. Critical volume backup

B. Backup of all the volumes

C. Backup of the volume that hosts Operating system

D. Backup of AD DS folders

E. all of the above

Answer: A

Explanation:


ABC.com has an Active Directory forest on a single domain. The domain operates Windows

Server 2008. A new administrator accidentally deletes the entire organizational unit in the Active

Directory database that hosts 6000 objects. You have backed up the system state data using

third-party backup software. To restore backup, you start the domain controller in the Directory

Services Restore Mode (DSRM). You need to perform an authoritative restore of the

organizational unit and restore the domain controller to its original state. Which three actions

should you perform?



The answer should be in a sequence.

Drag and drop the appropriate action into the sequential order.

Answer:

Explanation:

QUESTION NO: 137

ABC.com has a network that consists of a single Active Directory domain.Windows Server 2008 is

installed on all domain controllers in the network. You are instructed to capture all replication

errors from all domain controllers to a central location.

What should you do to achieve this task?



A. Initiate the Active Directory Diagnostics data collector set

B. Set event log subscriptions and configure it

C. Initiate the System Performance data collector set

D. Create a new capture in the Network Monitor

Answer: B

Explanation:

QUESTION NO: 138

Company has a single domain network with Windows 2000, Windows 2003, and Windows 2008

servers. Client computers running Windows XP and Windows Vista. All domain controllers are

running Windows server 2008.

Exhibit B

You need to deploy Active Directory Rights Management System (AD RMS) to secure all

documents, spreadsheets and to provide user authentication. What do you need to configure, in

order to complete the deployment of AD RMS?

A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company

_DC1

B. Ensure that all Windows XP computers have the latest service pack and install the RMS client

on all systems. Install AD RMS on domain controller Company _DC1

C. Upgrade all client computers to Windows Vista. Install AD RMS on Company _SRV5

D. Ensure that all Windows XP computers have the latest service pack and install the RMS client

on all systems. Install AD RMS on domain controller Company _SRV5


Answer: D

Explanation:

QUESTION NO: 139

You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD

LDS) to ensure that data and log files are backed up regularly. This will also ensure the continued



availability of data to applications and users in the event of a system failure. Because you have

limited media resources, you decided to backup only specific ADLDS instance instead of taking

backup of the entire volume.

What should you do to accomplish this task?

A. Use Windows Server backup utility and enable checkbox to take only backup of database and

log files of AD LDS

B. Use Dsdbutil.exe tool to create installation media that corresponds only to the ADLDS instance

C. Move AD LDS database and log files on a separate volume and use windows server backup

utility

D. None of the above

Answer: B

Explanation:

QUESTION NO: 140

You had installed Windows Server 2008 on a computer and configured it as a file server, named

FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks. For

fault tolerance and performance you want to configure Redundant Array of Independent Disks

(RAID) 0 +1 on FileSrv1.

Which utility you will use to convert basic disks to dynamic disks on FileSrv1?

A. Diskpart.exe

B. Chkdsk.exe

C. Fsutil.exe

D. Fdisk.exe


Answer: A

Explanation:

QUESTION NO: 141

ABC.com has a domain controller that runs Windows Server 2008. The ABC.com network boosts

40 Windows Vista client machines. As an administrator at ABC.com, you want to deploy Active

Directory Certificate service (AD CS) to authorize the network users by issuing digital certificates.

What should you do to manage certificate settings on all machines in a domain from one main

location?



A. Configure Enterprise CA certificate settings

B. Configure Enterprise trust certificate settings

C. Configure Advance CA certificate settings

D. Configure Group Policy certificate settings

E. All of the above

Answer: D

Explanation:

QUESTION NO: 142

A domain controller named DC12 runs critical services. Restructuring of the organizational unit

hierarchy for the domain has been completed and unnecessary objects have been deleted. You

need to perform an offline defragmentation of the Active Directory database on DC12. You also

need to ensure that the critical services remain online.

What should you do?

A. Start the domain controller in the Directory Services restore mode. Run the Defrag utility.

B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility.

C. Stop the Domain Controller service in the Services (local) Microsoft Management Console

(MMC). Run the Defrag utility.

D. Stop the Domain Controller service in the Services (local) Microsoft Management Console

(MMC). Run the Ntdsutil utility.

Answer: D

Explanation:

QUESTION NO: 143

Your company has a server that runs Windows Server 2008 R2. The server runs an instance of

Active Directory Lightweight Directory Services (AD LDS).

You need to replicate the AD LDS instance on a test computer that is located on the network.

What should you do?

A. Run the repadmin /kcc <servername> command on the test computer.

B. Create a naming context by running the Dsmgmt command on the test computer.

C. Create a new directory partition by running the Dsmgmt command on the test computer.

D. Create and install a replica by running the AD LDS Setup wizard on the test computer.



Answer: D

Explanation:


Your company has two domain controllers named DC1 and DC2. DC1 host all domain and forest

operations master roles.

DC1 fails.

You need to rebuild DC1 by reinstalling the operating system. Youn also need to rollback all

operations master roles to their original state. You perform a metadate cleanup and remove all

references of DC1.

Which three actions should you perform next? (To answer, move the appropriate actions from the

list of actions to the answer area and arrange them in the correct order.)

Answer:



Explanation:

Topic 2, Exam Set 2

QUESTION NO: 145

Your network contains an Active Directory domain. The relevant servers in the domain are

configured as shown in the following table.

You need to ensure that all device certificate requests use the MD5 hash algorithm.

What should you do?



A. On Server2, run the Certutil tool.

B. On Server1, update the CEP Encryption certificate template.

C. On Server1, update the Exchange Enrollment Agent (Offline Request) template.

D. On Server3, set the value of the

HKLM\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm\HashAlgorithm registry key.

Answer: D

Explanation:

QUESTION NO: 146

Your network contains an Active Directory domain.

You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise

root certification authority (CA).

You have a client computer named Computer1 that runs Windows 7. You enable automatic

certificate enrollment for all client computers that run Windows 7. You need to verify that the

Windows 7 client computers can automatically enroll for certificates.

Which command should you run on Computer1?

A. certreq.exe retrieve

B. certreq.exe submit

C. certutil.exe getkey

D. certutil.exe pulse

Answer: D

Explanation:

QUESTION NO: 147

Your network contains two Active Directory forests named contoso.com and adatum.com. The

functional level of both forests is Windows Server 2008 R2. Each forest contains one domain.

Active Directory Certificate Services (AD CS) is configured in the contoso.com forest to allow

users from both forests to automatically enroll user certificates. You need to ensure that all users

in the adatum.com forest have a user certificate from the contoso.com certification authority (CA).

What should you configure in the adatum.com domain?



A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.

B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.

C. From the Default Domain Policy, modify the Certificate Enrollment policy.

D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.

Answer: C

Explanation:

QUESTION NO: 148

You have a server named Server1 that has the following Active Directory Certificate Services (AD

CS) role services installed:

- Enterprise root certification authority (CA)

- Certificate Enrollment Web Service

- Certificate Enrollment Policy Web Service

You create a new certificate template.

External users report that the new template is unavailable when they request a new certificate.

You verify that all other templates are available to the external users. You need to ensure that the

external users can request certificates by using the new template.

What should you do on Server1?

A. Run iisreset.exe /restart.

B. Run gpupdate.exe /force.

C. Run certutil.exe dspublish.

D. Restart the Active Directory Certificate Services service.

Answer: A

Explanation:

QUESTION NO: 149

Your network contains an enterprise root certification authority (CA). You need to ensure that a

certificate issued by the CA is valid.

What should you do?



A. Run syskey.exe and use the Update option.

B. Run sigverif.exe and use the Advanced option.

C. Run certutil.exe and specify the -verify parameter.

D. Run certreq.exe and specify the -retrieve parameter.

Answer: C

Explanation:

QUESTION NO: 150

You have an enterprise subordinate certification authority (CA). The CA issues smart card logon

certificates.

Users are required to log on to the domain by using a smart card. Your company's corporate

security policy states that when an employee resigns, his ability to log on to the network must be

immediately revoked. An employee resigns.

You need to immediately prevent the employee from logging on to the domain.

What should you do?

A. Revoke the employee's smart card certificate.

B. Disable the employee's Active Directory account.

C. Publish a new delta certificate revocation list (CRL).

D. Reset the password for the employee's Active Directory account.

Answer: B

Explanation:

QUESTION NO: 151

You add an Online Responder to an Online Responder Array.

You need to ensure that the new Online Responder resolves synchronization conflicts for all

members of the Array.

What should you do?

A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1.

B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32.



C. From the Online Responder Management Console, select the new Online Responder, and then

select Set as Array Controller.

D. From the Online Responder Management Console, select the new Online Responder, and then

select Synchronize Members with Array Controller.

Answer: C

Explanation:

QUESTION NO: 152

Your network contains a server that runs Windows Server 2008 R2. The server is configured as an

enterprise root certification authority (CA).

You have a Web site that uses x.509 certificates for authentication. The Web site is configured to

use a many-to-one mapping.

You revoke a certificate issued to an external partner.

You need to prevent the external partner from accessing the Web site.

What should you do?

A. Run certutil.exe -crl.

B. Run certutil.exe -delkey.

C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.

D. From Active Directory Users and Computers, modify the Contact object for the external partner.

Answer: A

Explanation:

QUESTION NO: 153

Your company has a main office and five branch offices that are connected by WAN links. The

company has an Active Directory domain named contoso.com. Each branch office has a member

server configured as a DNS server. All branch office DNS servers host a secondary zone for

contoso.com.

You need to configure the contoso.com zone to resolve client queries for at least four days in the




What should you do?

A. Configure the Expires after option for the contoso.com zone to 4 days.

B. Configure the Retry interval option for the contoso.com zone to 4 days.

C. Configure the Refresh interval option for the contoso.com zone to 4 days.

D. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.

Answer: A

Explanation: Explanation/Reference:

http://technet.microsoft.com/en-us/library/bb727018.aspx

DNS Config

Expires After The period of time for which zone information is valid on the secondary server. If the

secondary server can't download data from a primary server within this period, the secondary

server lets the data in its cache expire and stops responding to DNS queries. Setting Expires After

to seven days allows the data on a secondary server to be valid for seven days.

QUESTION NO: 154

Your company has an Active Directory domain named contoso.com. FS1 is a member server in

contoso.com.

You add a second network interface card, NIC2, to FS1 and connect NIC2 to a subnet that

contains computers in a DNS domain named fabrikam.com. Fabrikam.com has a DHCP server

and a DNS server.

Users in fabrikam.com are unable to resolve FS1 by using DNS. You need to ensure that FS1 has

an A record in the fabrikam.com DNS zone. What are two possible ways to achieve this goal?

(Each correct answer presents a complete solution. Choose two.)

A. Configure the DHCP server in fabrikam.com with the scope option 044 WINS/NBNS Servers.

B. Configure the DHCP server in fabrikam.com by setting the scope option 015 DNS Domain

Name to the domain name fabrikam.com.

C. Configure NIC2 by configuring the Append these DNS suffixes (in order): option.

D. Configure NIC2 by configuring the Use this connection's DNS suffix in DNS registration option.

E. Configure the DHCP server in contoso.com by setting the scope option 015 DNS Domain Name

to the domain name fabrikam.com.

Answer: B,D

Explanation:



QUESTION NO: 155

Your company Datum Corporation, has a single Active Directory domain named

intranet.adatum.com. The domain has two domain controllers that run Windows Server 2008 R2

operating system. The domain controllers also run DNS servers.

The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the

Dynamic updates setting configured to Secure only.

A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated

only by domain controllers or member servers.

You need to configure the intranet.adatum.com zone to meet the new security policy requirement.


Choose two.)

A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com

DNS zone properties.

B. Assign the SELF Account Deny on Write permission on the Security tab of the

intranet.adatum.com DNS zone properties.

C. Assign the server computer accounts the Allow on Write All Properties permission on the

Security tab of the intranet.adatum.com DNS zone properties.

D. Assign the server computer accounts the Allow on Create All Child Objects permission on the

Security tab of the intranet.adatum.com DNS zone properties.

Answer: A,D

Explanation:

QUESTION NO: 156

Your company has two Active Directory forests as shown in the following table.



The forests are connected by using a two-way forest trust. Each trust direction is configured with

forest-wide authentication. The new security policy of the company prohibits users from the

eng.fabrikam.com domain to access resources in the contoso.com domain.

You need to configure the forest trust to meet the new security policy requirement.

What should you do?

A. Delete the outgoing forest trust in the contoso.com domain.

B. Delete the incoming forest trust in the contoso.com domain.

C. Change the properties of the existing incoming forest trust in the contoso.com domain from

Forest-wide authentication to Selective authentication.

D. Change the properties of the existing outgoing forest trust in the contoso.com domain to

exclude *.eng. fabrikam.com from the Name Suffix Routing trust properties.

Answer: D

Explanation:

QUESTION NO: 157

Your company has an Active Directory Rights Management Services (AD RMS) server. Users

have Windows Vista computers. An Active Directory domain is configured at the Windows Server

2003 functional level.

You need to configure AD RMS so that users are able to protect their documents.

What should you do?

A. Install the AD RMS client 2.0 on each client computer.

B. Add the RMS service account to the local administrators group on the AD RMS server.

C. Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user.

D. Upgrade the Active Directory domain to the functional level of Windows Server 2008.

Answer: C

Explanation:

QUESTION NO: 158

Your company has an Active Directory domain. All consultants belong to a global group named

TempWorkers.



The TempWorkers group is not nested in any other groups. You move the computer objects of

three file servers to a new organizational unit named SecureServers. These file servers contain

only confidential data in shared folders. You need to prevent members of the TempWorkers group

from accessing the confidential data on the file servers. You must achieve this goal without

affecting access to other domain resources.

What should you do?

A. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access

to this computer from the network user right to the TempWorkers global group.

B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the

network user right to the TempWorkers global group.

C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the

TempWorkers global group.

D. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on

locally user right to the TempWorkers global group.

Answer: A

Explanation:

QUESTION NO: 159

Your network consists of a single Active Directory domain. User accounts for engineering

department are located in an OU named Engineering.

You need to create a password policy for the engineering department that is different from your

domain password policy.

What should you do?

A. Create a new GPO. Link the GPO to the Engineering OU.

B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for

the Engineering OU.

C. Create a global security group and add all the user accounts for the engineering department to

the group. Create a new Password Policy Object (PSO) and apply it to the group.

D. Create a domain local security group and add all the user accounts for the engineering

department to the group. From the Active Directory Users and Computer console, select the group

and run the Delegation of Control Wizard.

Answer: C

Explanation:



QUESTION NO: 160

Your network contains an Active Directory domain. The domain contains two domain controllers

named DC1 and DC2.

DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the

zone. DC2 hosts a standard secondary DNS zone for the domain. You need to configure DNS to

allow only secure dynamic updates.


A. On DC1 and DC2, configure a trust anchor.

B. On DC1 and DC2, configure a connection security rule.

C. On DC1, configure the zone transfer settings.

D. On DC1, configure the zone to be stored in Active Directory.

Answer: D

Explanation:

QUESTION NO: 161

Your network contains a domain controller that has two network connections named Internal and

Private.

Internal has an IP address of 192.168.0.20. Private has an IP address of 10.10.10.5.

You need to prevent the domain controller from registering Host (A) records for the 10.10.10.5 IP

address.

What should you do?

A. Modify the netlogon.dns file on the domain controller.

B. Modify the Name Server settings of the DNS zone for the domain.

C. Modify the properties of the Private network connection on the domain controller.

D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.

Answer: C

Explanation:

QUESTION NO: 162



Your network contains an Active Directory forest named contoso.com. You plan to add a new

domain named nwtraders.com to the forest. All DNS servers are domain controllers.

You need to ensure that the computers in nwtraders.com can update their Host (A) records on any

of the DNS servers in the forest.

What should you do?

A. Add the computer accounts of all the domain controllers to the DnsAdmins group.

B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group.

C. Create a standard primary zone on a domain controller in the forest root domain.

D. Create an Active Directory-integrated zone on a domain controller in the forest root domain.

Answer: D

Explanation:

QUESTION NO: 163

Your network contains an Active Directory domain named contoso.com. The domain contains a

domain controller named DC1. DC1 hosts a standard primary zone for contoso.com.

You discover that non-domain member computers register records in the contoso.com zone.

You need to prevent the non-domain member computers from registering records in the

contoso.com zone.

All domain member computers must be allowed to register records in the contoso.com zone.


A. Configure a trust anchor.

B. Run the Security Configuration Wizard (SCW).

C. Change the contoso.com zone to an Active Directory-integrated zone.

D. Modify the security settings of the %SystemRoot%\System32\Dns folder.

Answer: C

Explanation:

QUESTION NO: 164



Your network contains an Active Directory domain named contoso.com. You create a

GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The

target host of the record is server2.contoso.com. When you ping Server1, you discover that the

name fails to resolve.

You successfully resolve server2.contoso.com.

You need to ensure that you can resolve names by using the GlobalNames zone.

What should you do?

A. From the command prompt, use the netsh tool.

B. From the command prompt, use the dnscmd tool.

C. From DNS Manager, modify the properties of the GlobalNames zone.

D. From DNS Manager, modify the advanced settings of the DNS server.

Answer: B

Explanation:

QUESTION NO: 165

Your company has a main office and a branch office.

The network contains an Active Directory domain named contoso.com. The DNS zone for

contoso.com is configured as an Active Directory-integrated zone and is replicated to all domain

controllers in the domain.

The main office contains a writable domain controller named DC1. The branch office contains a

read- only domain controller (RODC) named RODC1. All domain controllers run Windows Server

2008 R2 and are configured as DNS servers.

You uninstall the DNS server role from RODC1.

You need to prevent DNS records from replicating to RODC1.

What should you do?

A. Modify the replication scope for the contoso.com zone.

B. Flush the DNS cache and enable cache locking on RODC1.

C. Configure conditional forwarding for the contoso.com zone.



D. Modify the zone transfer settings for the contoso.com zone.

Answer: A

Explanation:

QUESTION NO: 166

Your network contains an Active Directory domain named contoso.com. The domain contains the

servers shown in the following table.

The functional level of the forest is Windows Server 2003. The functional level of the domain is


DNS1 and DNS2 host the contoso.com zone.

All client computers run Windows 7 Enterprise.

You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC.


A. Change the functional level of the forest.

B. Change the functional level of the domain.

C. Upgrade DC1 to Windows Server 2008 R2.

D. Upgrade DNS1 to Windows Server 2008 R2.

Answer: D

Explanation:

QUESTION NO: 167

Your network contains a domain controller that is configured as a DNS server. The server hosts an

Active Directory-integrated zone for the domain.



You need to reduce how long it takes until stale records are deleted from the zone.

What should you do?

A. From the configuration directory partition of the forest, modify the tombstone lifetime.

B. From the configuration directory partition of the forest, modify the garbage collection interval.

C. From the aging properties of the zone, modify the no-refresh interval and the refresh interval.

D. From the start of authority (SOA) record of the zone, modify the refresh interval and the expire

interval.

Answer: C

Explanation:

QUESTION NO: 168

You have an Active Directory domain named contoso.com. You have a domain controller named

Server1 that is configured as a DNS server. Server1 hosts a standard primary zone for

contoso.com. The DNS configuration of Server1 is shown in the exhibit. (Click the Exhibit button.)



You discover that stale resource records are not automatically removed from the contoso.com

zone.

You need to ensure that the stale resource records are automatically removed from the

contoso.com zone.

What should you do?

A. Set the scavenging period of Server1 to 0 days.

B. Modify the Server Aging/Scavenging properties.

C. Configure the aging properties for the contoso.com zone.

D. Convert the contoso.com zone to an Active Directory-integrated zone.

Answer: C



Explanation:

QUESTION NO: 169

Your network contains an Active Directory domain named contoso.com.

You remove several computers from the network.

You need to ensure that the host (A) records for the removed computers are automatically deleted

from the contoso.com DNS zone.

What should you do?

A. Configure dynamic updates.

B. Configure aging and scavenging.

C. Create a scheduled task that runs the Dnscmd /ClearCache command.

D. Create a scheduled task that runs the Dnscmd /ZoneReload contoso.com command.

Answer: B

Explanation:

QUESTION NO: 170

You need to force a domain controller to register all service location (SRV) resource records in

DNS.

Which command should you run?

A. ipconfig.exe /registerdns

B. net.exe stop dnscache & net.exe start dnscache

C. net.exe stop netlogon & net.exe start netlogon

D. regsvr32.exe dnsrslvr.dll

Answer: C

Explanation:



QUESTION NO: 171


You plan to deploy a child domain named sales.contoso.com.

The domain controllers in sales.contoso.com will be DNS servers for sales.contoso.com.

You need to ensure that users in contoso.com can connect to servers in sales.contoso.com by

using fully qualified domain names (FQDNs).

What should you do?

A. Create a DNS forwarder.

B. Create a DNS delegation.

C. Configure root hint servers.

D. Configure an alternate DNS server on all client computers.

Answer: B

Explanation:

QUESTION NO: 172

Your network contains a single Active Directory domain named contoso.com. The domain contains

two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 hosts a

primary zone for contoso.com.

DC2 hosts a secondary zone for contosto.com. On DC1, you change the zone to an Active

Directory-integrated zone and configure the zone to accept secure dynamic updates only.

You need to ensure that DC2 can accept secure dynamic updates to the contoso.com zone.


A. dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.com

B. dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimary

C. dnslint.exe /ql

D. repadmin.exe /syncall /force

Answer: B



Explanation:

QUESTION NO: 173

Your network contains an Active Directory domain named contoso.com. You run nslookup.exe as

shown in the following Command Prompt window.

You need to ensure that you can use Nslookup to list all of the service location (SRV) resource

records for contoso.com.

What should you modify?

A. the root hints of the DNS server

B. the security settings of the zone

C. the Windows Firewall settings on the DNS server

D. the zone transfer settings of the zone

Answer: D

Explanation:

QUESTION NO: 174


The contoso.com DNS zone is stored in Active Directory. All domain controllers run Windows

Server 2008 R2.

You need to identify if all of the DNS records used for Active Directory replication are correctly

registered.

What should you do?



A. From the command prompt, use netsh.exe.

B. From the command prompt, use dnslint.exe.

C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.

D. From the Active Directory Module for Windows PowerShell, run the Get-ADDomainController

cmdlet.

Answer: B

Explanation:

QUESTION NO: 175

Your network contains an Active Directory forest. The forest contains one domain and three sites.

Each site contains two domain controllers. All domain controllers are DNS servers.

You create a new Active Directory-integrated zone.

You need to ensure that the new zone is replicated to the domain controllers in only one of the

sites.


A. Modify the NTDS Site Settings object for the site.

B. Modify the replication settings of the default site link.

C. Create an Active Directory connection object.

D. Create an Active Directory application directory partition.

Answer: D

Explanation:

QUESTION NO: 176

Your network contains a single Active Directory forest. The forest contains two domains named

contoso.com and sales.contoso.com. The domain controllers are configured as shown in the

following table.



All domain controllers run Windows Server 2008 R2. All zones are configured as Active Directory-

integrated zones.

You need to ensure that contoso.com records are available on DC3.


A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain

B. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest

C. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain

D. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest

Answer: B

Explanation:

QUESTION NO: 177

You have a DNS zone that is stored in a custom application directory partition.

You install a new domain controller.

You need to ensure that the custom application directory partition replicates to the new domain

controller.

What should you use?

A. the Active Directory Administrative Center console

B. the Active Directory Sites and Services console



C. the DNS Manager console

D. the Dnscmd tool

Answer: D

Explanation:

QUESTION NO: 178

Your network contains an Active Directory domain named contoso.com. All domain controllers run

Windows Server 2008 R2. The functional level of the domain is Windows Server 2008 R2. The

functional level of the forest is Windows Server 2008.

You have a member server named Server1 that runs Windows Server 2008.

You need to ensure that you can add Server1 to contoso.com as a domain controller.

What should you run before you promote Server1?

A. dcpromo.exe /CreateDCAccount

B. dcpromo.exe /ReplicaOrNewDomain:replica

C. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008Domain

D. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest

Answer: C

Explanation:

QUESTION NO: 179

Your network contains an Active Directory forest. The forest contains a single domain. You want to

access resources in a domain that is located in another forest. You need to configure a trust

between the domain in your forest and the domain in the other forest.

What should you create?

A. an incoming external trust

B. an incoming realm trust

C. an outgoing external trust

D. an outgoing realm trust

Answer: A



Explanation:

QUESTION NO: 180

Your network contains two Active Directory forests. One forest contains two domains named

contoso.com and na.contoso.com. The other forest contains a domain named nwtraders.com. A

forest trust is configured between the two forests.

You have a user named User1 in the na.contoso.com domain. User1 reports that he fails to log on

to a computer in the nwtraders.com domain by using the user name NA\User1.

Other users from na.contoso.com report that they can log on to the computers in the

nwtraders.com domain.

You need to ensure that User1 can log on to the computer in the nwtraders.com domain.

What should you do?

A. Enable selective authentication over the forest trust.

B. Create an external one-way trust from na.contoso.com to nwtraders.com.

C. Instruct User1 to log on to the computer by using his user principal name (UPN).

D. Instruct User1 to log on to the computer by using the user name nwtraders\User1.

Answer: C

Explanation:

QUESTION NO: 181

Your company has a main office and a branch office. The main office contains two domain

controllers.

You create an Active Directory site named BranchOfficeSite. You deploy a domain controller in the

branch office, and then add the domain controller to the BranchOfficeSite site.

You discover that users in the branch office are randomly authenticated by either the domain

controller in the branch office or the domain controllers in the main office. You need to ensure that

the users in the branch office always attempt to authenticate to the domain controller in the branch

office first.

What should you do?



A. Create organizational units (OUs).

B. Create Active Directory subnet objects.

C. Modify the slow link detection threshold.

D. Modify the Location attribute of the computer objects.

Answer: B

Explanation:

QUESTION NO: 182

Your company has a main office and 50 branch offices. Each office contains multiple subnets.

You need to automate the creation of Active Directory subnet objects.


A. the Dsadd tool

B. the Netsh tool

C. the New-ADObject cmdlet

D. the New-Object cmdlet

Answer: C

Explanation:

QUESTION NO: 183

Your network contains an Active Directory forest. The forest contains multiple sites.

You need to enable universal group membership caching for a site.

What should you do?

A. From Active Directory Sites and Services, modify the NTDS Settings.

B. From Active Directory Sites and Services, modify the NTDS Site Settings.

C. From Active Directory Users and Computers, modify the properties of all universal groups used

in the site.

D. From Active Directory Users and Computers, modify the computer objects for the domain

controllers in the site.

Answer: B

Explanation:



QUESTION NO: 184

You need to ensure that domain controllers only replicate between domain controllers in adjacent

sites. What should you configure from Active Directory Sites and Services?

A. From the IP properties, select Ignore all schedules.

B. From the IP properties, select Disable site link bridging.

C. From the NTDS Settings object, manually configure the Active Directory Domain Services

connection objects.

D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology

Generator for each site.

Answer: B

Explanation:

QUESTION NO: 185


You discover that when you disable IPv4 on a computer in the branch office, the computer

authenticates by using a domain controller in the main office. You need to ensure that IPv6-only

computers authenticate to domain controllers in the same site.

What should you do?

A. Configure the NTDS Site Settings object.

B. Create Active Directory subnet objects.

C. Create Active Directory Domain Services connection objects.

D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.

Answer: B

Explanation:

QUESTION NO: 186

Your network contains an Active Directory domain. The domain is configured as shown in the

following table.



Users in Branch2 sometimes authenticate to a domain controller in Branch1. You need to ensure

that users in Branch2 only authenticate to the domain controllers in Main.

What should you do?

A. On DC3, set the AutoSiteCoverage value to 0.

B. On DC3, set the AutoSiteCoverage value to 1.

C. On DC1 and DC2, set the AutoSiteCoverage value to 0.

D. On DC1 and DC2, set the AutoSiteCoverage value to 1.

Answer: A

Explanation:

QUESTION NO: 187

Your network contains a single Active Directory domain that has two sites named Site1 and Site2.

Site1 has two domain controllers named DC1 and DC2. Site2 has two domain controllers named

DC3 and DC4.

DC3 fails.

You discover that replication no longer occurs between the sites. You verify the connectivity

between DC4 and the domain controllers in Site1.

On DC4, you run repadmin.exe /kcc.

Replication between the sites continues to fail.

You need to ensure that Active Directory data replicates between the sites.

What should you do?

A. From Active Directory Sites and Services, modify the properties of DC3.

B. From Active Directory Sites and Services, modify the NTDS Site Settings of Site2.

C. From Active Directory Users and Computers, modify the location settings of DC4.



D. From Active Directory Users and Computers, modify the delegation settings of DC4.

Answer: A

Explanation:

QUESTION NO: 188

Your network contains an Active Directory domain. The functional level of the domain is Windows

Server 2003.

The domain contains five domain controllers that run Windows Server 2008 and five domain

controllers that run Windows Server 2008 R2.

You need to ensure that SYSVOL is replicated by using Distributed File System Replication

(DFSR).


A. Run dfsrdiag.exe PollAD.

B. Run dfsrmig.exe /SetGlobalState 0.

C. Upgrade all domain controllers to Windows Server 2008 R2.

D. Raise the functional level of the domain to Windows Server 2008.

Answer: D

Explanation:

QUESTION NO: 189

Your network contains an Active Directory forest. The forest contains two domains named

contoso.com and woodgrovebank.com.

You have a custom attribute named Attibute1 in Active Directory. Attribute1 is associated to User

objects.

You need to ensure that Attribute1 is replicated to the global catalog.

What should you do?

A. In Active Directory Sites and Services, configure the NTDS Settings.

B. In Active Directory Sites and Services, configure the universal group membership caching.

C. From the Active Directory Schema snap-in, modify the properties of the User class schema



object.

D. From the Active Directory Schema snap-in, modify the properties of the Attribute1 class

schema attribute.

Answer: D

Explanation:

QUESTION NO: 190

Your network contains an Active Directory domain. The domain contains three domain controllers.

One of the domain controllers fails.

Seven days later, the help desk reports that it can no longer create user accounts. You need to

ensure that the help desk can create new user accounts.

Which operations master role should you seize?

A. domain naming master

B. infrastructure master

C. primary domain controller (PDC) emulator

D. RID master

E. schema master

Answer: D

Explanation:

QUESTION NO: 191

Your network contains two standalone servers named Server1 and Server2 that have Active

Directory Lightweight Directory Services (AD LDS) installed.

Server1 has an AD LDS instance.

You need to ensure that you can replicate the instance from Server1 to Server2.

What should you do on both servers?

A. Obtain a server certificate.



B. Import the MS-User.ldf file.

C. Create a service user account for AD LDS.

D. Register the service location (SRV) resource records.

Answer: C

Explanation:

QUESTION NO: 192

Your network contains a server named Server1 that runs Windows Server 2008 R2.

You create an Active Directory Lightweight Directory Services (AD LDS) instance on Server1.

You need to create an additional AD LDS application directory partition in the existing instance.


A. Adaminstall

B. Dsadd

C. Dsmod

D. Ldp

Answer: D

Explanation:

QUESTION NO: 193

Your network contains a server named Server1 that runs Windows Server 2008 R2. On Server1,

you create an Active Directory Lightweight Directory Services (AD LDS) instance named

Instance1.

You connect to Instance1 by using ADSI Edit.

You run the Create Object wizard and you discover that there is no User object class.

You need to ensure that you can create user objects in Instance1.

What should you do?



A. Run the AD LDS Setup Wizard.

B. Modify the schema of Instance1.

C. Modify the properties of the Instance1 service.

D. Install the Remote Server Administration Tools (RSAT).

Answer: A

Explanation:

QUESTION NO: 194

Your network contains an Active Directory domain. The domain contains a server named Server1.

Server1 runs Windows Server 2008 R2.

You need to mount an Active Directory Lightweight Directory Services (AD LDS) snapshot from

Server1.

What should you do?

A. Run ldp.exe and use the Bind option.

B. Run diskpart.exe and use the Attach option.

C. Run dsdbutil.exe and use the snapshot option.

D. Run imagex.exe and specify the /mount parameter.

Answer: C

Explanation:

QUESTION NO: 195

Your network contains a single Active Directory domain. Active Directory Rights Management

Services (AD RMS) is deployed on the network.

A user named User1 is a member of only the AD RMS Enterprise Administrators group.

You need to ensure that User1 can change the service connection point (SCP) for the AD RMS

installation.

The solution must minimize the administrative rights of User1.



To which group should you add User1?

A. AD RMS Auditors

B. AD RMS Service Group

C. Domain Admins

D. Schema Admins

Answer: C

Explanation:

QUESTION NO: 196

Your network contains two Active Directory forests named contoso.com and adatum.com.

Active Directory Rights Management Services (AD RMS) is deployed in contoso.com. An AD RMS

trusted user domain (TUD) exists between contoso.com and adatum.com.

From the AD RMS logs, you discover that some clients that have IP addresses in the adatum.com

forest are authenticating as users from contoso.com.

You need to prevent users from impersonating contoso.com users.

What should you do?

A. Configure trusted e-mail domains.

B. Enable lockbox exclusion in AD RMS.

C. Create a forest trust between adatum.com and contoso.com.

D. Add a certificate from a third-party trusted certification authority (CA).

Answer: A

Explanation:

QUESTION NO: 197

Your network contains an Active Directory domain named contoso.com. The network contains

client computers that run either Windows Vista or Windows 7. Active Directory Rights

Management Services (AD RMS) is deployed on the network.

You create a new AD RMS template that is distributed by using the AD RMS pipeline. The



template is updated every month.

You need to ensure that all the computers can use the most up-to-date version of the AD RMS

template. You want to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. Upgrade all of the Windows Vista computers to Windows 7.

B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).

C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2

(SP2) to all users by using a Software Installation extension of Group Policy.

D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2

(SP2) to all computers by using a Software Installation extension of Group Policy.

Answer: B

Explanation:

QUESTION NO: 198

Active Directory Rights Management Services (AD RMS) is deployed on your network. Users who

have Windows Mobile 6 devices report that they cannot access documents that are protected by

AD RMS.

You need to ensure that all users can access AD RMS protected content by using Windows

Mobile 6 devices.

What should you do?

A. Modify the security of the ServerCertification.asmx file.

B. Modify the security of the MobileDeviceCertification.asmx file.

C. Enable anonymous authentication for the _wmcs virtual directory.

D. Enable anonymous authentication for the certification virtual directory.

Answer: B

Explanation:

QUESTION NO: 199

Your network contains a server named Server1. The Active Directory Rights Management



Services (AD RMS) server role is installed on Server1.

An administrator changes the password of the user account that is used by AD RMS.

You need to update AD RMS to use the new password.

Which console should you use?

A. Active Directory Rights Management Services

B. Active Directory Users and Computers

C. Component Services

D. Services

Answer: A

Explanation:

QUESTION NO: 200

Your network contains an Active Directory Rights Management Services (AD RMS) cluster. You

have several custom policy templates. The custom policy templates are updated frequently.

Some users report that it takes as many as 30 days to receive the updated policy templates. You

need to ensure that users receive the updated custom policy templates within seven days.

What should you do?

A. Modify the registry on the AD RMS servers.

B. Modify the registry on the users computers.

C. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled

task.

D. Change the schedule of the AD RMS Rights Policy Template Management (Automated)

scheduled task.

Answer: B

Explanation:

QUESTION NO: 201

Your company has a main office and a branch office. The branch office contains a read-only



domain controller named RODC1.

You need to ensure that a user named Admin1 can install updates on RODC1. The solution must

prevent Admin1 from logging on to other domain controllers.

What should you do?

A. Run ntdsutil.exe and use the Roles option.

B. Run dsmgmt.exe and use the Local Roles option.

C. From Active Directory Sites and Services, modify the NTDS Site Settings.

D. From Active Directory Users and Computers, add the user to the Server Operators group.

Answer: B

Explanation:

QUESTION NO: 202

You install a read-only domain controller (RODC) named RODC1.

You need to ensure that a user named User1 can administer RODC1. The solution must minimize

the number of permissions assigned to User1.


A. Active Directory Administrative Center


C. Dsadd

D. Dsmgmt

Answer: D

Explanation:

QUESTION NO: 203

Your network contains an Active Directory domain. The domain contains two sites named Site1

and Site2. Site1 contains four domain controllers. Site2 contains a read-only domain controller

(RODC). You add a user named User1 to the Allowed RODC Password Replication Group.

The WAN link between Site1 and Site2 fails.



User1 restarts his computer and reports that he is unable to log on to the domain.

The WAN link is restored and User1 reports that he is able to log on to the domain.

You need to prevent the problem from reoccurring if the WAN link fails.

What should you do?

A. Create a Password Settings object (PSO) and link the PSO to User1's user account.

B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.

C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.

D. Add the computer account of User1's computer to the Allowed RODC Password Replication

Group.

Answer: D

Explanation:

QUESTION NO: 204


The network contains an Active Directory domain.

The main office contains a writable domain controller named DC1. The branch office contains a

read- only domain controller (RODC) named DC2.

You discover that the password of an administrator named Admin1 is cached on DC2. You need

to prevent Admin1's password from being cached on DC2.

What should you do?

A. Modify the NTDS Site Settings.

B. Modify the properties of the domain.

C. Create a Password Setting object (PSO).

D. Modify the properties of DC2's computer account.

Answer: D

Explanation:



QUESTION NO: 205

Your network contains an Active Directory domain named contoso.com. The network has a branch

office site that contains a read-only domain controller (RODC) named RODC1. RODC1 runs

Windows Server 2008 R2.

A user named User1 logs on to a computer in the branch office site. You discover that the

password of User1 is not stored on RODC1. You need to ensure that User1's password is stored

on RODC1.


A. the Member Of properties of RODC1

B. the Member Of properties of User1

C. the Security properties of RODC1

D. the Security properties of User1

Answer: B

Explanation:

QUESTION NO: 206

Your company has a main office and a branch office. The branch office has an Active Directory

site that contains a read-only domain controller (RODC).

A user from the branch office reports that his account is locked out. From a writable domain

controller in the main office, you discover that the user's account is not locked out.

You need to ensure that the user can log on to the domain.

What should you do?

A. Modify the Password Replication Policy.

B. Reset the password of the user account.

C. Run the Knowledge Consistency Checker (KCC) on the RODC.

D. Restore network communication between the branch office and the main office.

Answer: D

Explanation:



QUESTION NO: 207

Your network contains a single Active Directory domain. The domain contains five read-only

domain controllers (RODCs) and five writable domain controllers. All servers run Windows Server

2008. You plan to install a new RODC that runs Windows Server 2008 R2. You need to ensure

that you can add the new RODC to the domain.

You want to achieve this goal by using the minimum amount of administrative effort.


Choose two.)

A. At the command prompt, run adprep.exe /rodcprep.

B. At the command prompt, run adprep.exe /forestprep.

C. At the command prompt, run adprep.exe /domainprep.

D. From Active Directory Domains and Trusts, raise the functional level of the domain.

E. From Active Directory Users and Computers, pre-stage the RODC computer account.

Answer: B,C

Explanation:

QUESTION NO: 208

You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server

named Server1.

You need to configure the Windows Firewall on Server1 to allow external users to authenticate by

using AD FS.

Which inbound TCP port should you allow on Server1?

A. 88

B. 135

C. 443

D. 445

Answer: C

Explanation:

QUESTION NO: 209



You deploy a new Active Directory Federation Services (AD FS) federation server. You request

new certificates for the AD FS federation server.

You need to ensure that the AD FS federation server can use the new certificates.

To which certificate store should you import the certificates?

A. Computer

B. IIS Admin Service service account

C. Local Administrator

D. World Wide Web Publishing Service service account

Answer: A

Explanation:

QUESTION NO: 210


server named Server1. Server1 has the Active Directory Federation Services (AD FS) role

installed.

You have an application named App1 that is configured to use Server1 for AD FS authentication.

You deploy a new server named Server2. Server2 is configured as an AD FS 2.0 server.

You need to ensure that App1 can use Server2 for authentication.


A. Add an attribute store.

B. Create a relying party trust.

C. Create a claims provider trust.

D. Create a relaying provider trust.

Answer: B

Explanation:

QUESTION NO: 211




server named Server1. The Active Directory Federation Services (AD FS) role is installed on

Server1. Contoso.com is defined as an account store.

A partner company has a Web-based application that uses AD FS authentication. The partner

company plans to provide users from contoso.com access to the Web application.

You need to configure AD FS on contoso.com to allow contoso.com users to be authenticated by

the partner company.

What should you create on Server1?

A. a new application

B. a resource partner

C. an account partner

D. an organization claim

Answer: B

Explanation:

QUESTION NO: 212

Your network contains two servers named Server1 and Server2 that run Windows Server 2008

R2. Server1 has the Active Directory Federation Services (AD FS) Federation Service role service

installed.

You plan to deploy AD FS 2.0 on Server2.

You need to export the token-signing certificate from Server1, and then import the certificate to

Server2.

Which format should you use to export the certificate?

A. Base-64 encoded X.509 (.cer)

B. Cryptographic Message Syntax Standard PKCS #7 (.p7b)

C. DER encoded binary X.509 (.cer)

D. Personal Information Exchange PKCS #12 (.pfx)

Answer: D

Explanation:



QUESTION NO: 213

Your network contains two servers named Server1 and Server2 that run Windows Server 2008

R2. Server1 has Active Directory Federation Services (AD FS) 2.0 installed. Server1 is a member

of an AD FS farm. The AD FS farm is configured to use a configuration database that is stored on

a separate Microsoft SQL Server.

You install AD FS 2.0 on Server2.

You need to add Server2 to the existing AD FS farm.

What should you do?

A. On Server1, run fsconfig.exe.

B. On Server1, run fsconfigwizard.exe.

C. On Server2, run fsconfig.exe.

D. On Server2, run fsconfigwizard.exe.

Answer: C

Explanation:

QUESTION NO: 214

Your network contains an Active Directory forest.

You set the Windows PowerShell execution policy to allow unsigned scripts on a domain controller

in the network. You create a Windows PowerShell script named new-users.ps1 that contains the

following lines:

New-aduser user1

New-aduser user2

New-aduser user3

New-aduser user4

New-aduser user5

On the domain controller, you double-click the script and the script runs. You discover that the



script fails to create the user accounts.

You need to ensure that the script creates the user accounts.

Which cmdlet should you add to the script?

A. Import-Module

B. Register-ObjectEvent

C. Set-ADDomain

D. Set-ADUser

Answer: A

Explanation:

QUESTION NO: 215

Your network contains an Active Directory forest. The forest schema contains a custom attribute

for user objects.

You need to modify the custom attribute value of 500 user accounts.


A. Csvde

B. Dsmod

C. Dsrm

D. Ldifde

Answer: D

Explanation:

QUESTION NO: 216


for user objects.

You need to give the human resources department a file that contains the last logon time and the

custom attribute values for each user in the forest.




A. the Dsquery tool

B. the Export-CSV cmdlet

C. the Get-ADUser cmdlet

D. the Net.exe user command

Answer: C

Explanation:

QUESTION NO: 217

You have a Windows PowerShell script that contains the following code:

import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -

AccountPassword $_.password}

When you run the script, you receive an error message indicating that the format of the password

is incorrect.

The script fails.

You need to run a script that successfully creates the user accounts by using the password

contained in accounts.csv.

Which script should you run?

A. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true –

AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -force)}

B. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true –

AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force)}

C. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true –

AccountPassword (Read-Host -AsSecureString "Password")}

D. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true –

AccountPassword (Read-Host -AsSecureString $_.Password)}

Answer: B

Explanation:

QUESTION NO: 218



Your network contains an Active Directory forest. The functional level of the forest is Windows

Server 2008 R2.

Your company's corporate security policy states that the password for each user account must be

changed at least every 45 days.

You have a user account named Service1. Service1 is used by a network application named

Application1.

Every 45 days, Application1 fails.

After resetting the password for Service1, Application1 runs properly.

You need to resolve the issue that causes Application1 to fail. The solution must adhere to the

corporate security policy.

What should you do?

A. Run the Set-ADAccountControl cmdlet.

B. Run the Set-ADServiceAccount cmdlet.

C. Create a new password policy.

D. Create a new Password Settings object (PSO).

Answer: B

Explanation:

QUESTION NO: 219


You add an additional user principal name (UPN) suffix to the forest. You need to modify the UPN

suffix of all users. You want to achieve this goal by using the minimum amount of administrative

effort.


A. the Active Directory Domains and Trusts console

B. the Active Directory Users and Computers console

C. the Csvde tool

D. the Ldifde tool



Answer: D

Explanation:

QUESTION NO: 220

Your network contains a single Active Directory domain. All client computers run Windows Vista

Service Pack 2 (SP2).

You need to prevent all users from running an application named App1.exe.

Which Group Policy settings should you configure?

A. Application Compatibility

B. AppLocker

C. Software Installation

D. Software Restriction Policies

Answer: D

Explanation:

QUESTION NO: 221

Your network contains an Active Directory domain. All domain controllers run Windows Server

2008 R2. Client computers run either Windows XP Service Pack 3 (SP3) or Windows Vista. You

need to ensure that all client computers can apply Group Policy preferences.

What should you do?

A. Upgrade all Windows XP client computers to Windows 7.

B. Create a central store that contains the Group Policy ADMX files.

C. Install the Group Policy client-side extensions (CSEs) on all client computers.

D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).

Answer: C

Explanation:

QUESTION NO: 222




2008 R2. Client computers run either Windows 7 or Windows Vista Service Pack 2 (SP2). You

need to audit user access to the administrative shares on the client computers.

What should you do?

A. Deploy a logon script that runs Icacls.exe.

B. Deploy a logon script that runs Auditpol.exe.

C. From the Default Domain Policy, modify the Advanced Audit Policy Configuration.

D. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration.

Answer: B

Explanation:

QUESTION NO: 223

Your network contains an Active Directory domain named contoso.com. You need to create a

central store for the Group Policy Administrative templates.

What should you do?

A. Run dfsrmig.exe /createglobalobjects.

B. Run adprep.exe /domainprep /gpprep.

C. Copy the %SystemRoot%\PolicyDefinitions folder to the

\\contoso.com\SYSVOL\contoso.com\Policies folder.

D. Copy the %SystemRoot%\System32\GroupPolicy folder to the

\\contoso.com\SYSVOL\contoso.com\Policies folder.

Answer: C

Explanation:

QUESTION NO: 224

You configure and deploy a Group Policy object (GPO) that contains AppLocker settings.

You need to identify whether a specific application file is allowed to run on a computer.

Which Windows PowerShell cmdlet should you use?



A. Get-AppLockerFileInformation

B. Get-GPOReport

C. Get-GPPermissions

D. Test-AppLockerPolicy

Answer: D

Explanation:

QUESTION NO: 225

You create a Password Settings object (PSO).

You need to apply the PSO to a domain user named User1.

What should you do?

A. Modify the properties of the PSO.

B. Modify the account options of the User1 account.

C. Modify the security settings of the User1 account.

D. Modify the password policy of the Default Domain Policy Group Policy object (GPO).

Answer: A

Explanation:

QUESTION NO: 226

You need to create a Password Settings object (PSO).


A. Active Directory Users and Computers

B. ADSI Edit

C. Group Policy Management Console

D. Ntdsutil

Answer: B

Explanation:

QUESTION NO: 227



Your network contains an Active Directory domain. All servers run Windows Server 2008 R2.

You need to audit the deletion of registry keys on each server.

What should you do?

A. From Audit Policy, modify the Object Access settings and the Process Tracking settings.

B. From Audit Policy, modify the System Events settings and the Privilege Use settings.

C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed

Tracking settings.

D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global

Object Access Auditing settings.

Answer: D

Explanation:

QUESTION NO: 228

Your network contains a single Active Directory domain. The functional level of the forest is

Windows Server 2008 R2.

You need to enable the Active Directory Recycle Bin.


A. the Dsmod tool

B. the Enable-ADOptionalFeature cmdlet

C. the Ntdsutil tool

D. the Set-ADDomainMode cmdlet

Answer: B

Explanation:

QUESTION NO: 229

Your network contains a single Active Directory domain.

You need to create an Active Directory Domain Services snapshot.



What should you do?

A. Use the Ldp tool.

B. Use the NTDSUtil tool.

C. Use the Wbadmin tool.

D. From Windows Server Backup, perform a full backup.

Answer: B

Explanation:

QUESTION NO: 230

Your network contains a single Active Directory domain.

A domain controller named DC2 fails.

You need to remove DC2 from Active Directory.


Choose two.)

A. At the command prompt, run dcdiag.exe /fix.

B. At the command prompt, run netdom.exe remove dc2.

C. From Active Directory Sites and Services, delete DC2.

D. From Active Directory Users and Computers, delete DC2.

Answer: C,D

Explanation:

QUESTION NO: 231

Your network contains a single Active Directory domain. The functional level of the forest is

Windows Server 2008. The functional level of the domain is Windows Server 2008 R2.

All DNS servers run Windows Server 2008. All domain controllers run Windows Server 2008 R2.

You need to ensure that you can enable the Active Directory Recycle Bin.

What should you do?



A. Change the functional level of the forest.

B. Change the functional level of the domain.

C. Modify the Active Directory schema.

D. Modify the Universal Group Membership Caching settings.

Answer: A

Explanation:

QUESTION NO: 232

Your network contains an Active Directory domain. The domain contains several domain

controllers.

All domain controllers run Windows Server 2008 R2.

You need to restore the Default Domain Controllers Policy Group Policy object (GPO) to the

Windows Server 2008 R2 default settings.

What should you do?

A. Run dcgpofix.exe /target:dc.

B. Run dcgpofix.exe /target:domain.

C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.

D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.

Answer: A

Explanation:

QUESTION NO: 233

A network contains an Active Directory Domain Services (AD DS) domain. Active Directory is

configure as shown in the following table.

The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is

Windows 2003.



Active Directory replication between Seatle site and the Chicago site occurs from 8:00 P.M. to

1:00 A.M. every day.

At 7:00 A.M. , an administrator deletes a user account while he is logged on to DC001.

You need to restore the deleted user account. You must achieve this goal by using the minimum

amount of administrative effort.

What should you do?

A. On DC006, stop AD DS, perform an authoritative restore, and then start AD DS.

B. On DC001, run the Restore-ADObject cmdlet.

C. On DC006, run the Restore-ADObject cmdlet.

D. On DC001, stop the AD DS, restore the System State, and then start AD DS.

Answer: A

Explanation:

QUESTION NO: 234

Your network contains an Active Directory domain. The domain contains two domain controllers

named DC1 and DC2.

You perform a full backup of the domain controllers every night by using Windows Server Backup.

You update a script in the SYSVOL folder.

You discover that the new script fails to run properly. You need to restore the previous version of

the script in the SYSVOL folder.

The solution must minimize the amount of time required to restore the script.


A. Run the Restore-ADObject cmdlet.

B. Restore the system state to its original location.

C. Restore the system state to an alternate location.

D. Attach the VHD file created by Windows Server Backup.

Answer: D



Explanation:

QUESTION NO: 235


You need to restore a deleted computer account from the Active Directory Recycle Bin.

What should you do?

A. From the command prompt, run recover.exe.

B. From the command prompt, run ntdsutil.exe.

C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.

D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.

Answer: D

Explanation:

QUESTION NO: 236

You need to back up all of the group policies in a domain. The solution must minimize the size of

the backup.


A. the Add-WBSystemState cmdlet

B. the Group Policy Management console

C. the Wbadmin tool

D. the Windows Server Backup feature

Answer: B

Explanation:

QUESTION NO: 237

You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2.

You need to ensure that you can recover the private key of a certificate issued to a Web server.



What should you do?

A. From the CA, run the Get-PfxCertificate cmdlet.

B. From the Web server, run the Get-PfxCertificate cmdlet.

C. From the CA, run the certutil.exe tool and specify the -exportpfx parameter.

D. From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.

Answer: D

Explanation:

QUESTION NO: 238


The network contains a single Active Directory domain. The main office contains a domain

controller named DC1.

You need to install a domain controller in the branch office by using an offline copy of the Active

Directory database.


A. From the Ntdsutil tool, create an IFM media set.

B. From the command prompt, run djoin.exe /loadfile.

C. From Windows Server Backup, perform a system state backup.

D. From Windows PowerShell, run the get-ADDomainController cmdlet.

Answer: A

Explanation:

QUESTION NO: 239


2008. The functional level of the domain is Windows Server 2003. All client computers run

Windows 7.

You install Windows Server 2008 R2 on a server named Server1. You need to perform an offline

domain join of Server1.




Choose two.)

A. From Server1, run djoin.exe.

B. From Server1, run netdom.exe.

C. From a Windows 7 computer, run djoin.exe.

D. Upgrade one domain controller to Windows Server 2008 R2.

E. Raise the functional level of the domain to Windows Server 2008.

Answer: A,C

Explanation:

QUESTION NO: 240

You have an Active Directory snapshot.

You need to view the contents of the organizational units (OUs) in the snapshot.

Which tools should you run?

A. explorer.exe, netdom.exe, and dsa.msc

B. ntdsutil.exe, dsamain.exe, and dsa.msc

C. wbadmin.msc, dsamain.exe, and netdom.exe

D. wbadmin.msc, ntdsutil.exe, and explorer.exe

Answer: B

Explanation:

QUESTION NO: 241

Your network contains a domain controller that runs Windows Server 2008 R2. You run the

following command on the domain controller:

dsamain.exe dbpath

c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit ldapport

389 - allowNonAdminAccess



The command fails.

You need to ensure that the command completes successfully.

How should you modify the command?

A. Include the path to Dsamain.

B. Change the value of the -dbpath parameter.

C. Change the value of the -ldapport parameter.

D. Remove the allowNonAdminAccess

Answer: C

Explanation:

QUESTION NO: 242

Your network contains an Active Directory domain. The domain contains five domain controllers.

A domain controller named DC1 has the DHCP role and the file server role installed.

You need to move the Active Directory database on DC1 to an alternate location. The solution

must minimize impact on the network during the database move.


A. Restart DC1 in Safe Mode.

B. Restart DC1 in Directory Services Restore Mode.

C. Start DC1 from Windows PE.

D. Stop the Active Directory Domain Services service on DC1.

Answer: D

Explanation:

QUESTION NO: 243


The network contains an Active Directory forest. The forest contains three domains. The branch

office contains one domain controller named DC5. DC5 is configured as a global catalog server, a



DHCP server, and a file server.

You remove the global catalog from DC5.

You need to reduce the size of the Active Directory database on DC5. The solution must minimize

the impact on all users in the branch office.


A. Start DC5 in Safe Mode.

B. Start DC5 in Directory Services Restore Mode.

C. On DC5, start the Protected Storage service.

D. On DC5, stop the Active Directory Domain Services service.

Answer: D

Explanation:

QUESTION NO: 244

Your network contains a domain controller that runs Windows Server 2008 R2. You need to

change the location of the Active Directory log files.


A. Dsamain

B. Dsmgmt

C. Dsmove

D. Ntdsutil

Answer: D

Explanation:

Topic 3, Exam Set 3

QUESTION NO: 245

Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2.

You deploy a new server that runs Windows Server 2008 R2. The server is not connected to the

internal network.



You need to ensure that the new server is already joined to the domain when it first connects to

the internal network.

What should you do?

A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new

server, run sysprep.exe and specify the /generalize parameter.

B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the

new server, run sysprep.exe and specify the /oobe parameter.

C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the

new server, run djoin.exe and specify the /requestodj parameter.

D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the

new server, run djoin.exe and specify the /provision parameter.

Answer: C

Explanation:

QUESTION NO: 246

Your network contains an Active Directory domain. The domain contains four domain controllers.

You modify the Active Directory schema.

You need to verify that all the domain controllers received the schema modification.


A. dcdiag.exe /a

B. netdom.exe query fsmo

C. repadmin.exe /showrepl *

D. sc.exe query ntds

Answer: C

Explanation:

QUESTION NO: 247

You remotely monitor several domain controllers.

You run winrm.exe quickconfig on each domain controller. You need to create a WMI script query



to retrieve information from the bios of each domain controller.

Which format should you use to write the query?

A. XrML

B. XML

C. WQL

D. HTML

Answer: C

Explanation:

QUESTION NO: 248

Your network contains an Active Directory domain named contoso.com. The domain contains five

domain controllers.

You add a logoff script to an existing Group Policy object (GPO). You need to verify that each

domain controller successfully replicates the updated group policy. Which two objects should you

verify on each domain controller? (Each correct answer presents part of the solution. Choose two.)

A. \\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.ini

B. \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.pol

C. the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com

container

D. the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com

container

Answer: A,D

Explanation:

QUESTION NO: 249

Your network contains an Active Directory domain that contains five domain controllers.

You have a management computer that runs Windows 7.

From the Windows 7 computer, you need to view all account logon failures that occur in the

domain.



The information must be consolidated on one list.

Which command should you run on each domain controller?

A. Wecutil.exe qc

B. Wevtutil.exe gli

C. Winrm.exe quickconfig

D. Winrshost.exe

Answer: C

Explanation:

QUESTION NO: 250

You create a new Active Directory domain. The functional level of the domain is Windows Server

2008 R2. The domain contains five domain controllers. You need to monitor the replication of the

group policy template files.


A. Dfsrdiag

B. Fsutil

C. Ntdsutil

D. Ntfrsutl

Answer: A

Explanation:

QUESTION NO: 251

You create a new Active Directory domain. The functional level of the domain is Windows Server

2003. The domain contains five domain controllers that run Windows Server 2008 R2. You need to

monitor the replication of the group policy template files.


A. Dfsrdiag

B. Fsutil

C. Ntdsutil

D. Ntfrsutl



Answer: D

Explanation:

QUESTION NO: 252

You have a domain controller named Server1 that runs Windows Server 2008 R2. You need to

determine the size of the Active Directory database on Server1.

What should you do?

A. Run the Active Directory Sizer tool.

B. Run the Active Directory Diagnostics data collector set.

C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.

D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.

Answer: C

Explanation:

QUESTION NO: 253

You need to receive an e-mail message whenever a domain user account is locked out.



B. Event Viewer

C. Resource Monitor

D. Security Configuration Wizard

Answer: B

Explanation:

QUESTION NO: 254


You have a management computer named Computer1 that runs Windows 7.



You need to forward the logon events of all the domain controllers in contoso.com to Computer1.

All new domain controllers must be dynamically added to the subscription.

What should you do?

A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object

(GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding

node.

B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object

(GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding

node.

C. From Computer1, configure source-initiated event subscriptions. Install a server authentication

certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit

(OU).

D. From Computer1, configure collector-initiated event subscriptions. Install a server

authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers

organizational unit (OU).

Answer: A

Explanation:

QUESTION NO: 255

Your network contains an Active Directory domain that has two sites.

You need to identify whether logon scripts are replicated to all domain controllers.

Which folder should you verify?

A. GroupPolicy

B. NTDS

C. SoftwareDistribution

D. SYSVOL

Answer: D

Explanation:

QUESTION NO: 256

You install a standalone root certification authority (CA) on a server named Server1.



You need to ensure that every computer in the forest has a copy of the root CA certificate installed

in the local computer's Trusted Root Certification Authorities store.

Which command should you run on Server1?

A. certreq.exe and specify the -accept parameter

B. certreq.exe and specify the -retrieve parameter

C. certutil.exe and specify the -dspublish parameter

D. certutil.exe and specify the -importcert parameter

Answer: C

Explanation:

QUESTION NO: 257

Your network contains an Active Directory forest. The forest contains two domains.

You have a standalone root certification authority (CA).

On a server in the child domain, you run the Add Roles Wizard and discover that the option to

select an enterprise CA is disabled.

You need to install an enterprise subordinate CA on the server.

What should you use to log on to the new server?

A. an account that is a member of the Certificate Publishers group in the child domain

B. an account that is a member of the Certificate Publishers group in the forest root domain

C. an account that is a member of the Schema Admins group in the forest root domain

D. an account that is a member of the Enterprise Admins group in the forest root domain

Answer: D

Explanation:

QUESTION NO: 258

You have an enterprise subordinate certification authority (CA).

You have a group named Group1.



You need to allow members of Group1 to publish new certificate revocation lists. Members of

Group1 must not be allowed to revoke certificates.

What should you do?

A. Add Group1 to the local Administrators group.

B. Add Group1 to the Certificate Publishers group.

C. Assign the Manage CA permission to Group1.

D. Assign the Issue and Manage Certificates permission to Group1.

Answer: C

Explanation:

QUESTION NO: 259

You have an enterprise subordinate certification authority (CA) configured for key archival. Three

key recovery agent certificates are issued.

The CA is configured to use two recovery agents.

You need to ensure that all of the recovery agent certificates can be used to recover all new

private keys.

What should you do?

A. Add a data recovery agent to the Default Domain Policy.

B. Modify the value in the Number of recovery agents to use box.

C. Revoke the current key recovery agent certificates and issue three new key recovery agent

certificates.

D. Assign the Issue and Manage Certificates permission to users who have the key recovery

agent certificates.

Answer: B

Explanation:

QUESTION NO: 260

You have an enterprise subordinate certification authority (CA). The CA is configured to use a

hardware security module. You need to back up Active Directory Certificate Services on the CA.




A. certutil.exe backup

B. certutil.exe backupdb

C. certutil.exe backupkey

D. certutil.exe store

Answer: B

Explanation:

QUESTION NO: 261

You have Active Directory Certificate Services (AD CS) deployed.

You create a custom certificate template.

You need to ensure that all of the users in the domain automatically enroll for a certificate based

on the custom certificate template.


Choose two.)

A. In a Group Policy object (GPO), configure the autoenrollment settings.

B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.

C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated

Users group.

D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain

Users group.

Answer: A,D

Explanation:

QUESTION NO: 262


You have a custom Version 3 certificate template.

Users can enroll for certificates based on the custom certificate template by using the Certificates

console. The certificate template is unavailable for Web enrollment. You need to ensure that the

certificate template is available on the Web enrollment pages.



What should you do?

A. Run certutil.exe pulse.

B. Run certutil.exe installcert.

C. Change the certificate template to a Version 2 certificate template.

D. On the certificate template, assign the Autoenroll permission to the users.

Answer: C

Explanation:

QUESTION NO: 263

You have an enterprise subordinate certification authority (CA). You have a custom certificate

template that has a key length of 1,024 bits. The template is enabled for autoenrollment.

You increase the template key length to 2,048 bits.

You need to ensure that all current certificate holders automatically enroll for a certificate that uses

the new template.



B. Certification Authority

C. Certificate Templates

D. Group Policy Management

Answer: C

Explanation:

QUESTION NO: 264

Your network contains an Active Directory forest. All domain controllers run Windows Server 2008

Standard.

The functional level of the domain is Windows Server 2003.

You have a certification authority (CA).



The relevant servers in the domain are configured as shown in the following table.

You need to ensure that you can install the Active Directory Certificate Services (AD CS)

Certificate Enrollment Web Service on the network.

What should you do?

A. Upgrade Server1 to Windows Server 2008 R2.

B. Upgrade Server2 to Windows Server 2008 R2.

C. Raise the functional level of the domain to Windows Server 2008.

D. Install the Windows Server 2008 R2 Active Directory Schema updates.

Answer: D

Explanation:

QUESTION NO: 265

You have a domain controller that runs the DHCP service.

You need to perform an offline defragmentation of the Active Directory database on the domain

controller. You must achieve this goal without affecting the availability of the DHCP service.

What should you do?

A. Restart the domain controller in Directory Services Restore Mode. Run the Disk Defragmenter

utility.

B. Restart the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility.

C. Stop the Active Directory Domain Services service. Run the Ntdsutil utility.

D. Stop the Active Directory Domain Services service. Run the Disk Defragmenter utility.

Answer: C

Explanation:



QUESTION NO: 266

Your network contains two Active Directory forests named contoso.com and nwtraders.com. A

two-way forest trust exists between contoso.com and nwtraders.com. The forest trust is configured

to use selective authentication. Contoso.com contains a server named Server1.

Server1 contains a shared folder named Marketing. Nwtraders.com contains a global group

named G_Marketing. The Change share permission and the Modify NTFS permission for the

Marketing folder are assigned to the G_Marketing group. Members of G_Marketing report that

they cannot access the Marketing folder. You need to ensure that the G_Marketing members can

access the folder from the network.

What should you do?

A. From Windows Explorer, modify the NTFS permissions of the folder.

B. From Windows Explorer, modify the share permissions of the folder.

C. From Active Directory Users and Computers, modify the computer object for Server1.

D. From Active Directory Users and Computers, modify the group object for G_Marketing.

Answer: C

Explanation:

QUESTION NO: 267

Your network contains an Active Directory forest. You need to add a new user principal name

(UPN) suffix to the forest. Which tool should you use?


B. Active Directory Domains and Trusts



Answer: B

Explanation:

QUESTION NO: 268

Your network contains an Active Directory domain. The domain contains two sites named Site1

and Site2. Site 1 contains five domain controllers. Site2 contains one read-only domain controller



(RODC). Site1 and Site2 connect to each other by using a slow WAN link.

You discover that the cached password for a user named User1 is compromised on the RODC.

On a domain controller in Site1, you change the password for User1.

You need to replicate the new password for User1 to the RODC immediately. The solution must

not replicate other objects to the RODC. Which tool should you use?

A. Active Directory Sites and Services


C. Repadmin

D. Replmon

Answer: A

Explanation:

QUESTION NO: 269

Your network contains an Active Directory domain named contoso.com. The properties of the

contoso.com DNS zone are configured as shown in the exhibit. (Click the Exhibit button.)



You need to update all service location (SRV) records for a domain controller in the domain.

What should you do?

A. Restart the Netlogon service.

B. Restart the DNS Client service.

C. Run sc.exe and specify the triggerinfo parameter.

D. Run ipconfig.exe and specify the /registerdns parameter.

Answer: A

Explanation:



QUESTION NO: 270


A user named User1 takes a leave of absence for one year.

You need to restrict access to the User1 user account while User1 is away.

What should you do?

A. From the Default Domain Policy, modify the account lockout settings.

B. From the Default Domain Controller Policy, modify the account lockout settings.

C. From the properties of the user account, modify the Account options.

D. From the properties of the user account, modify the Session settings.

Answer: C

Explanation:

QUESTION NO: 271

Your network contains an Active Directory domain. The domain contains 1,000 user accounts. You

have a list that contains the mobile phone number of each user.

You need to add the mobile number of each user to Active Directory.

What should you do?

A. Create a file that contains the mobile phone numbers, and then run ldifde.exe.

B. Create a file that contains the mobile phone numbers, and then run csvde.exe.

C. From Adsiedit, select the CN=Users container, and then modify the properties of the container.

D. From Active Directory Users and Computers, select all of the users, and then modify the

properties of the users.

Answer: A

Explanation:

QUESTION NO: 272

Your network contains an Active Directory domain named contoso.com. All domain controllers and

member servers run Windows Server 2008. All client computers run Windows 7.

From a client computer, you create an audit policy by using the Advanced Audit Policy

Configuration settings in the Default Domain Policy Group Policy object (GPO).



You discover that the audit policy is not applied to the member servers. The audit policy is applied

to the client computers. You need to ensure that the audit policy is applied to all member servers

and all client computers.

What should you do?

A. Add a WMI filter to the Default Domain Policy GPO.

B. Modify the security settings of the Default Domain Policy GPO.

C. Configure a startup script that runs auditpol.exe on the member servers.

D. Configure a startup script that runs auditpol.exe on the domain controllers.

Answer: B

Explanation:

QUESTION NO: 273

Your network contains an Active Directory domain. The domain contains a group named Group1.

The minimum password length for the domain is set to six characters. You need to ensure that the

passwords for all users in Group1 are at least 10 characters long. All other users must be able to

use passwords that are six characters long.


A. Run the New-ADFineGrainedPasswordPolicy cmdlet.

B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.

C. From the Default Domain Policy, modify the password policy.

D. From the Default Domain Controller Policy, modify the password policy.

Answer: A

Explanation:

QUESTION NO: 274

Your company uses an application that stores data in an Active Directory Lightweight Directory

Services (AD LDS) instance named Instance1. You attempt to create a snapshot of Instance1 as

shown in the exhibit. (Click the Exhibit button.)



You need to ensure that you can take a snapshot of Instance1. What should you do?

A. At the command prompt, run net start VSS.

B. At the command prompt, run net start Instance1.

C. Set the Startup Type for the Instance1 service to Disabled.

D. Set the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.

Answer: A

Explanation:

QUESTION NO: 275

Your network contains 10 domain controllers that run Windows Server 2008 R2.

The network contains a member server that is configured to collect all of the events that occur on

the domain controllers.

You need to ensure that administrators are notified when a specific event occurs on any of the

domain controllers. You want to achieve this goal by using the minimum amount of administrative

effort.

What should you do?

A. From Event Viewer on the member server, create a subscription.

B. From Event Viewer on each domain controller, create a subscription.

C. From Event Viewer on the member server, run the Create Basic Task Wizard.

D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.



Answer: C

Explanation:

QUESTION NO: 276

Your network contains an Active Directory domain controller named DC1. DC1 runs Windows

Server 2008 R2.

You need to defragment the Active Directory database on DC1. The solution must minimize

downtime on DC1.


A. At the command prompt, run net stop ntds.

B. At the command prompt, run net stop netlogon.

C. Restart DC1 in Safe Mode.

D. Restart DC1 in Directory Services Restore Mode (DSRM).

Answer: A

Explanation:

QUESTION NO: 277

Your network contains a single Active Directory domain named contoso.com.

An administrator accidentally deletes the _msdsc.contoso.com zone.

You recreate the _msdsc.contoso.com zone.

You need to ensure that the _msdsc.contoso.com zone contains all of the required DNS records.

What should you do on each domain controller?

A. Restart the Netlogon service.

B. Restart the DNS Server service.

C. Run dcdiag.exe /fix.

D. Run ipconfig.exe /registerdns.



Answer: A

Explanation:

QUESTION NO: 278

Your network contains an Active Directory-integrated zone. All DNS servers that host the zone are

domain controllers. You add multiple DNS records to the zone. You need to ensure that the

records are replicated to all DNS servers. Which tool should you use?

A. Dnslint

B. Ldp

C. Nslookup

D. Repadmin

Answer: A

Explanation:

QUESTION NO: 279


contoso.com and eu.contoso.com. All domain controllers are DNS servers. The domain controllers

in contoso.com host the zone for contoso.com. The domain controllers in eu.contoso.com host the

zone for eu.contoso.com. The DNS zone for contoso.com is configured as shown in the exhibit.

(Click the Exhibit button.)



You need to ensure that all domain controllers in the forest host a writable copy of

_msdsc.contoso.com. Which two actions should you perform? (Each correct answer presents part

of the solution. Choose two.)

A. Create a zone delegation record in the contoso.com zone.

B. Create a zone delegation record in the eu.contoso.com zone.

C. Create an Active Directory-integrated zone for _msdsc.contoso.com.

D. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com.

Answer: A,C

Explanation:

QUESTION NO: 280

You need to compact an Active Directory database on a domain controller that runs Windows

Server 2008 R2.

What should you do?

A. Run defrag.exe /a /c.

B. Run defrag.exe /c /u.

C. From Ntdsutil, use the Files option.

D. From Ntdsutil, use the Metadata cleanup option.

Answer: C

Explanation:

QUESTION NO: 281

Your network contains an Active Directory domain named contoso.com. Contoso.com contains

three servers. The servers are configured as shown in the following table.

You need to ensure that users can manually enroll and renew their certificates by using the

Certificate Enrollment Web Service.




Choose two.)

A. Configure the policy module settings.

B. Configure the issuance requirements for the certificate templates.

C. Configure the Certificate Services Client - Certificate Enrollment Policy Group Policy setting.

D. Configure the delegation settings for the Certificate Enrollment Web Service application pool

account.

Answer: B,C

Explanation:

QUESTION NO: 282

Your network contains an Active Directory domain named contoso.com. Contoso.com contains a

member server that runs Windows Server 2008 Standard.

You need to install an enterprise subordinate certification authority (CA) that supports private key

archival.

You must achieve this goal by using the minimum amount of administrative effort.


A. Initialize the Trusted Platform Module (TPM).

B. Upgrade the member server to Windows Server 2008 R2 Standard.

C. Install the Certificate Enrollment Policy Web Service role service on the member server.

D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate

Services - Certification Authority server role template check box.

Answer: B

Explanation:

QUESTION NO: 283

You have an enterprise subordinate certification authority (CA). You have a custom Version 3

certificate template. Users can enroll for certificates based on the custom certificate template by

using the Certificates console. The certificate template is unavailable for Web enrollment. You

need to ensure that the certificate template is available on the Web enrollment pages. What

should you do?



A. Run certutil.exe Cpulse.

B. Run certutil.exe Cinstallcert.

C. Change the certificate template to a Version 2 certificate template.

D. On the certificate template, assign the Autoenroll permission to the users.

Answer: C

Explanation:

QUESTION NO: 284

Your network contains an Active Directory domain. The domain contains a member server named

Server1 that runs Windows Server 2008 R2. You need to configure Server1 as a global catalog

server. What should you do?

A. Modify the Active Directory schema.

B. From Ntdsutil, use the Roles option.

C. Run the Active Directory Domain Services Installation Wizard on Server1.

D. Move the Server1 computer object to the Domain Controllers organizational unit (OU).

Answer: C

Explanation:

QUESTION NO: 285

Your network contains three Active Directory forests named Forest1, Forest2, and Forest3. Each

forest contains three domains.

A two-way forest trust exists between Forest1 and Forest2. A two-way forest trust exists between

Forest2 and Forest3.

You need to configure the forests to meet the following requirements:

- Users in Forest3 must be able to access resources in Forest1

- Users in Forest1 must be able to access resources in Forest3.

- The number of trusts must be minimized.

What should you do?

A. In Forest2, modify the name suffix routing settings.

B. In Forest1 and Forest3, configure selective authentication.

C. In Forest1 and Forest3, modify the name suffix routing settings.

D. Create a two-way forest trust between Forest1 and Forest3.



E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3.

Answer: D

Explanation:

QUESTION NO: 286

Your network contains an Active Directory domain. All domain controller run Windows Server

2003.

You replace all domain controllers with domain controllers that run Windows Server 2008 R2.

You raise the functional level of the domain to Windows Server 2008 R2.

You need to minimize the amount of SYSVOL replication traffic on the network.

What should you do?

A. Raise the functional level of the forest to Windows Server 2008 R2.

B. Modify the path of the SYSVOL folder on all of the domain controllers.

C. On a global catalog server, run repadmin.exe and specify the KCC parameter.

D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role,

run dfsrmig.exe.

Answer: C

Explanation:

QUESTION NO: 287

Your network contains an Active Directory forest. The forest contains two domain controllers. The

domain controllers are configured as shown in the following table.

All client computers run Windows 7. You need to ensure that all client computers in the domain



keep the same time as an external time server. What should you do?

A. From DC1, run the time command.

B. From DC2, run the time command.

C. From DC1, run the w32tm.exe command.

D. From DC2, run the w32tm.exe command.

Answer: D

Explanation:

QUESTION NO: 288

Your network contains an Active Directory domain named contoso.com. Contoso.com contains

two domain controllers. The domain controllers are configured as shown in the following table.

All client computers have IP addresses in the 10.1.2.1 to 10.1.2.240 range. You need to minimize

the number of client authentication requests sent to DC2. What should you do?

A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and

assign the subnet to Site1. Move DC1 to Site1.

B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and


C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and


D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and


Answer: C

Explanation:

QUESTION NO: 289

Active Directory Rights Management Services (AD RMS) is deployed on your network.

You need to configure AD RMS to use Kerberos authentication.




Choose two.)

A. Register a service principal name (SPN) for AD RMS.

B. Register a service connection point (SCP) for AD RMS.

C. Configure the identity setting of the _DRMSAppPool1 application pool.

D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS)

metabase.

Answer: A,D

Explanation:

QUESTION NO: 290

Your network contains an Active Directory forest. The forest contains an Acitve Directory site for a

remote office. The remote site contains a read-only domain controller (RODC).

You need to configure the RODC to store only the password of users in the remote site.

What should you do?

A. Create a Password Settings object (PSO).

B. Modify the Partial-Attribute-Set attribute of the forest.

C. Add the users accounts of the remote site users to the Allowed RODC Password Replication

Group.

D. Add the users accounts of users who are not in the remote site to the Denied RODC Password

Replication Group.

Answer: C

Explanation:

QUESTION NO: 291

Your company has four offices. The network contains a single Active Directory domain. Each

office has a domain controller. Each office has an organizational unit (OU) that contains the user

accounts for the users in that office. In each office, support technicians perform basic

troubleshooting for the users in their respective office. You need to ensure that the support

technicians can reset the passwords for the user accounts in their respective office only. The

solution must prevent the technicians from creating user accounts. What should you do?

A. For each OU, run the Delegation of Control Wizard.

B. For the domain, run the Delegation of Control Wizard.



C. For each office, create an Active Directory group, and then modify the security settings for each

group.

D. For each office, create an Active Directory group, and then modify the controlAccessRights

attribute for each group.

Answer: A

Explanation:

QUESTION NO: 292

Your network contains a single Active Directory domain. Client computers run either Windows XP

Service Pack 3 (SP3) or Windows 7. All of the computer accounts for the client computers are

located in an organizational unit (OU) named OU1.

You link a new Group Policy object (GPO) named GPO10 to OU1.

You need to ensure that GPO10 is applied only to client computers that run Windows 7.

What should you do?

A. Create a new OU in OU1. Move the Windows XP computer accounts to the new OU.

B. Enable block inheritance on OU1.

C. Create a WMI filter and assign the filter to GPO10.

D. Modify the permissions of OU1.

Answer: C

Explanation: http://technet.microsoft.com/en-us/library/cc758471(v=WS.10).aspx

QUESTION NO: 293


You need to audit changes to a service account. The solution must ensure that the audit logs

contain the before and after values of all the changes.

Which security policy setting should you configure?

A. Audit Sensitive Privilege Use

B. Audit User Account Management

C. Audit Directory Service Changes



D. Audit Other Account Management Events

Answer: C

Explanation:

QUESTION NO: 294

Your network contains two Active Directory forests named contoso.com and nwtraders.com.

Active Directory Rights Management Services (AD RMS) is deployed in each forest.

You need to ensure that users from the nwtraders.com forest can access AD RMS protected

content in the contoso.com forest.

What should you do?

A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.

B. Create an external trust from nwtraders.com to contoso.com.

C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.

D. Create an external trust from contoso.com to nwtraders.com.

Answer: C

Explanation:

QUESTION NO: 295

Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is

configured as an Active Directory Federation Services (AD FS) 2.0 standalone server.

You plan to add a new token-signing certificate to Server1.

You import the certificate to the server as shown in the exhibit. (Click the Exhibit button.)



When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is

unavailable.

You need to ensure that you can use the new certificate for AD FS.

What should you do?

A. From the properties of the certificate, modify the Certificate Policy OIDs setting.

B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.

C. From the properties of the certificate, modify the Certificate purposes setting.

D. Import the certificate to the local computer personal certificate store.

Answer: D

Explanation:

QUESTION NO: 296

You need to purge the list of user accounts that were authenticated on a read-only domain

controller (RODC).

What should you do?

A. Run the repadmin.exe command an specify the /prp parameter

B. From Active Directory Sites and Services, modify the properties of the RODC computer object.

C. From Active Directory Users and Computers, modify the properties of the RODC computer

object.

D. Run the dsrm.exe command and specify the -u parameter.



Answer: A

Explanation:

QUESTION NO: 297

Your company has a main office and four branch offices.

An Active Directory site exists for each office. Each site contains one domain controller. Each

branch office site has a site link to the main office site.

You discover that the domain controllers in the branch offices sometimes replicate directly to each

other.

You need to ensure that the domain controllers in the branch offices only replicate to the domain

controller in the main office.

What should you do?

A. Modify the firewall settings for the main office site.

B. Disable the Knowledge Consistency Checker (KCC) for each branch office site.

C. Disable site link bridging.

D. Modify the security settings for the main office site.

Answer: C

Explanation:

QUESTION NO: 298

Your network contains an Active Directory forest. The forest contains one domain. The domain

contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2.

DC1 was installed before DC2.

DC1 fails.

You need to ensure that you can add 1,000 new user accounts to the domain.

What should you do?

A. Modify the permissions of the DC2 computer account.



B. Seize the schema master FSMO role.

C. Configure DC2 as a global catalog server.

D. Seize the RID master FSMO role.

Answer: D

Explanation:

QUESTION NO: 299


You need to identify whether the Active Directory Recycle Bin is enabled.

What should you do?

A. From Ldp, search for the Reanimate-Tombstones object.

B. From Ldp, search for the LostAndFound container.

C. From Windows PowerShell, run the Get-ADObject cmdlet.

D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet.

Answer: D

Explanation:

QUESTION NO: 300

Your Network contains an Active Directory domain. You create and mount an Active Directory

snapshot.

You run the following command on the domain controller:

dsamain.exe -dbpath C:\Windows\NTDS\ntds.dit -ldapport 54321 –allowNonAdminAccess and the

command fails as shown in the exhibit. ( Click the Exhibit button ).

You need to ensure that you can browse the contents of Active Directory snapshot. What should

you do?



You need to ensure that you can browse the contents of the Active Directory snapshot.

What should you?

A. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe.

B. Change the value of the dbpath parameter, and then rerun dsamain.exe.

C. Change the value of the ldapport parameter, and then rerun dsamain.exe.

D. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe.

Answer: B

Explanation:

QUESTION NO: 301


You need to back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group

Policy links for the domain.

What should you do?

A. From Group Policy Management Console (GPMC), back up the GPOs.

B. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.

C. From Windows Server Backup, perform a system state backup.

D. From Windows PowerShell, run the Backup-GPO cmdlet.

Answer: A



Explanation:

QUESTION NO: 302

Your network contains a domain controller that runs Windows Server 2008 R2.

You need to reset the Directory Services Restore Mode (DSRM) password on the domain

controller.


A. Ntdsutil

B. Dsamain

C. Active Directory Users and Computers

D. Local Users and Groups

Answer: A

Explanation:

QUESTION NO: 303

Your network contains an Active Directory forest. All client computers run Windows 7.

The network contains a high-volume enterprise certification authority (CA).

You need to minimize the amount of network bandwidth required to validate a certificate.

What should you do?

A. Configure an LDAP publishing point for the certificate revocation list (CRL).

B. Configure an Online Certification Status Protocol (OCSP) responder.

C. Modify the settings of the delta certificate revocation list (CRL).

D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).

Answer: B

Explanation:

QUESTION NO: 304



Your network contains an Active Directory domain. You have five organizational units (OUs)

named Finance, HR, Marketing, Sales, and Dev. You link a Group Policy object named GPO1 to

the domain as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs.

The solution must prevent GPO1 from being applied to users in the Dev OU. What should you do?

A. Enforce GPO1.

B. Modify the security settings of the Dev OU.

C. Link GPO1 to the Finance OU.

D. Modify the security settings of the Finance OU.

Answer: C

Explanation:

QUESTION NO: 305

Your network contains an Active Directory domain. The domain contains an organizational unit

(OU) named OU1. OU1 contains all managed service accounts in the domain.

You need to prevent the managed service accounts from being deleted accidentally from OU1.

Which cmdlet should you use?

A. Set-ADUser

B. Set-ADOrganizationalUnit

C. Set-ADServiceAccount



D. Set-ADObject

Answer: D

Explanation:

QUESTION NO: 306


writable domain controller named DC1 and a read-only domain controller (RODC) named DC2. All

domain controllers run Windows Server 2008 R2. You need to install a new writable domain

controller named DC3 in a remote site. The solution must minimize the amount of replication traffic

that occurs during the installation of Active Directory Domain Services (AD DS) on DC3.


A. Run dcpromo.exe /createdcaccount on DC3.

B. Run ntdsutil.exe on DC2.

C. Run dcpromo.exe /adv on DC3.

D. Run ntdsutil.exe on DC1.

Answer: C

Explanation:

QUESTION NO: 307

Your network contains an Active Directory forest. The forest contains 10 domains. All domain

controllers are configured as global catalog servers.

You remove the global catalog role from a domain controller named DC5.

You need to reclaim the hard disk space used by the global catalog on DC5.

What should you do?

A. From Active Directory Sites and Services, run the Knowledge Consistency Checker (KCC).

B. From Active Directory Sites and Services, modify the general properties of DC5.

C. From Ntdsutil, use the Semantic database analysis option.

D. From Ntdsutil, use the Files option.

Answer: D

Explanation:



QUESTION NO: 308

A corporate network includes an Active Directory-integrated zone. All DNS servers that host the

zone are domain controllers.

You add multiple DNS records to the zone.

You need to ensure that the new records are available on all DNS servers as soon as possible.


A. Ldp

B. Repadmin

C. Ntdsutil

D. Nslookup

E. Active Directory Sites And Services console

F. Active Directory Domains And Trusts console

G. Dnslint

H. Dnscmd

Answer: H

Explanation: http://technet.microsoft.com/en-us/library/cc778513(WS.10).aspx

QUESTION NO: 309

You have a DNS zone that is stored in a custom application partition.

You need to add a domain controller to the replication scope of the custom application partition.


A. DNScmd

B. DNS Manager

C. Server Manager

D. Dsmod

Answer: A

Explanation:



QUESTION NO: 310

Your network contains a server named Server1 that runs Windows Server 2008 R2 Standard.

Server1 has the Active Directory Certificate Services (AD CS) role installed.

You configure a certificate template named Template1 for autoenrollment.

You discover that certificates are not being issued to any client computers. The event logs on the

client computers do not contain any autoenrollment errors.

You need to ensure that all of the client computers automatically receive certificates based on

Template1.

What should you do?

A. Modify the Default Domain Policy Group Policy object (GPO).

B. Modify the Default Domain Controllers Policy Group Policy object (GPO).

C. Upgrade Server1 to Windows Server 2008 R2 Enterprise.

D. Restart Certificate Services on Server1.

Answer: A

Explanation:

QUESTION NO: 311

Your network contains a server that has the Active Directory Lightweight Directory Services (AD

LDS) role installed.

You need to perform an automated installation of an AD LDS instance.


A. Dism.exe

B. Servermanagercmd.exe

C. Adaminstall.exe

D. Ocsetup.exe

Answer: C

Explanation:



QUESTION NO: 312

Your network contains an Active Directory domain named contoso.com. A partner company has

an Active Directory domain named nwtraders.com.

The networks for contoso.com and nwtraders.com connect to each other by using a WAN link.

You need to ensure that users in contoso.com can access resources in nwtraders.com and

resources on the Internet.


A. Modify the Trusted Root Certification Authorities store.

B. Modify the Intermediate Certification Authorities store.

C. Create conditional forwarders.

D. Add a root hint to the DNS server.

Answer: C

Explanation:

QUESTION NO: 313

Your network contains an Active Directory forest. The forest contains multiple domains.

You need to ensure that users in the human resources department can search for employees by

using the employeeNumber attribute.

What should you do?

A. From Active Directory Sites and Services, modify the properties of each global catalog server.

B. From the Active Directory Schema snap-in, modify the properties of the user object class.

C. From Active Directory Sites and Services, modify the NTDS Settings object of each global

catalog server.

D. From the Active Directory Schema snap-in, modify the properties of the employeeNumber

attribute.

Answer: D

Explanation:

QUESTION NO: 314

Your network contains a single Active Directory domain. The domain contains an enterprise



certification authority (CA).

You need to ensure that the encryption keys for e-mail certificates can be recovered from the CA

database.

You modify the e-mail certificate template to support key archival.


A. Issue the key recovery agent certificate template.

B. Run certutil.exe -recoverkey.

C. Run certreq.exe-policy.

D. Modify the location of the Authority Information Access (AIA) distribution point.

Answer: A

Explanation: Not certutil.exe –recoverkey as this recovers archived keys but e-mail certificate

template does not have key archival by default.

QUESTION NO: 315

Your network contains an Active Directory-integrated DNS zone named contoso.com. You

discover that the zone includes DNS records for computers that were removed from the network.

You need to ensure that the DNS records are deleted automatically from the zone. What should

you do?

A. From DNS Manager, set the aging properties.

B. Create a scheduled task that runs dnslint.exe /v /d contoso.com.

C. From DNS Manager, modify the refresh interval of the start of authority (SOA) record.

D. Create a scheduled task that runs ipconfig.exe /flushdns.

Answer: A

Explanation:

QUESTION NO: 316

Your network contains a domain controller that runs Windows Server 2008 R2.

You run the following command on the domain controller:



Dsamain.exe C dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit C

ldapport 389 - allowNonAdminAccess

The command fails.

You need to ensure that the command completes successfully.

How should you modify the command?

A. Change the value of the -dbpath parameter.

B. Include the path to Dsamain.

C. Change the value of the -ldapport parameter.

D. Remove the CallowNonAdminAccess parameter.

Answer: C

Explanation:

QUESTION NO: 317

Your network contains an Active Directory domain. The domain contains 10 domain controllers

that run Windows Server 2008 R2.

You need to monitor the following information on the domain controllers during the next five days:

- Memory usage

- Processor usage

- The number of LDAP queries

What should you do?

A. Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics

template.

B. Use the System Performance Data Collector Set (DCS).

C. Create a User Defined Data Collector Set (DCS) that uses the System Performance template.

D. Use the Active Directory Diagnostics Data Collector Set (DCS).

Answer: A

Explanation:

QUESTION NO: 318




Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC)

named RODC1.

You need to view the most recent user accounts authenticated by RODC1.


A. From Active Directory Sites and Services, right-click the Connection object for DC1, and then

click Replicate Now.

B. From Active Directory Sites and Services, right-click the Connection object for DC2, and then

click Replicate Now.

C. From Active Directory Users and Computers, right-click contoso.com, click Change

DomainController, and then connect to DC1.

D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain

Controller, and then connect to RODC1.

Answer: C

Explanation:

QUESTION NO: 319

Your network contains an Active Directory domain. The domain contains 3,000 client computers.

All of the client computers run Windows 7.

Users log on to their client computers by using standard user accounts.

You plan to deploy a new application named App1.

The vendor of App1 provides a Setup.exe file to install App1. Setup.exe requires administrative

rights to run.

You need to deploy App1 to all client computers. The solution must meet the following

requirements:

- App1 must automatically detect and replace corrupt application files.

- App1 must be available from the Start menu on each client computer.


A. Create a logon script that calls Setup.exe for App1.



B. Create a .zap file.

C. Create a startup script that calls Setup.exe for App1.

D. Repackage App1 as a Windows Installer package.

Answer: D

Explanation:

QUESTION NO: 320


Contoso.com contains two sites named Site1 and Site2. Site1 contains a domain controller named

DC1.

In Site1, you install a new domain controller named DC2. You ship DC2 to Site2. You discover that

certain users in Site2 authenticate to DC1.

You need to ensure that the users in Site2 always attempt to authenticate to DC2 first.

What should you do?

A. From Active Directory Users and Computers, modify the Location settings of

the DC2 computer object.

B. From Active Directory Sites and Services, modify the Location attribute for

Site2.

C. From Active Directory Sites and Services, move the DC2 server object.

D. From Active Directory Users and Computers, move the DC2 computer object.

Answer: C

Explanation:

QUESTION NO: 321


Contoso.com contains a server named Server2. You open the System properties on Server2 as

shown in the exhibit. (Click the Exhibit button.)



When you attempt to configure Server2 as an enterprise subordinate certification authority (CA),

you discover that the enterprise subordinate CA option is unavailable.

You need to configure Server2 as an enterprise subordinate CA.


A. Upgrade Server2 to Windows Server 2008 R2 Enterprise.

B. Log in as an administrator and run Server Manager.

C. Import the root CA certificate.

D. Join Server2 to the domain.

Answer: D

Explanation:

QUESTION NO: 322

Your network contains an Active Directory domain. The domain contains an enterprise certification

authority (CA).

You need to ensure that only members of a group named Admin1 can create certificate templates.



Which tool should you use to assign permissions to Admin1?

A. the Certification Authority console


C. the Certificates snap-in

D. Active Directory Sites and Services

Answer: B

Explanation:

QUESTION NO: 323

Your network contains an Active Directory domain. All DNS servers are domain controllers.

You view the properties of the DNS zone as shown in the exhibit. (Click the Exhibit button.)



You need to ensure that only domain members can register DNS records in the zone.


A. Modify the zone type.

B. Create a trust anchor.

C. Modify the Advanced properties of the DNS server.

D. Modify the Dynamic updates setting.

Answer: A

Explanation:

QUESTION NO: 324

Your company has a single Active Directory forest with a single domain. Consultants in different

departments of the company require access to different network resources. The consultants

belong to a global group named TempWorkers.

Three file servers are placed in a new organizational unit named SecureServers. The file servers

contain confidential data in shared folders.

You need to prevent the consultants from accessing the confidential data.

What should you do?

A. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit.

Assign the Deny access to this computer from the network user right to the TempWorkers global

group.

B. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny access to

this computer from the network user right to the TempWorkers global group.

C. On the three file servers, create a share on the root of each hard disk. Configure the Deny Full

control permission for the TempWorkers global group on the share.

D. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny log on

locally user right to the TempWorkers global group.

E. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit.

Assign the Deny log on locally user right to the TempWorkers global group.

Answer: A

Explanation:



QUESTION NO: 325

Your network contains two Active Directory forests named contoso.com and nwtraders.com. The

functional level of both forests is Windows Server 2003. Contoso.com contains one domain.

Nwtraders.com contains two domains. You need to ensure that users in contoso.com can access

the resources in all domains. The solution must require the minimum number of trusts.

Which type of trust should you create?

A. external

B. forest

C. realm

D. shortcut

Answer: B

Explanation:

QUESTION NO: 326

You install an Active Directory domain in a test environment.

You need to reset the passwords of all the user accounts in the domain from a domain controller.

Which two Windows PowerShell commands should you run? (Each correct answer presents part

of the solution, choose two.)

A. $ newPassword = *

B. Import-Module ActiveDirectory

C. Import-Module WebAdministration

D. Get- AdUser -filter * | Set- ADAccountPossword - NewPassword $ newPassword - Reset

E. Set- ADAccountPossword - NewPassword - Reset

F. $ newPassword = (Read-Host - Prompt "New Password" - AsSecureString )

G. Import-Module ServerManager

Answer: D,F

Explanation:


Your network contains an Active Directory forest named contoso.com. The forest contains a



domain controller named DC1 that runs Windows Server 2008 R2 Enterprise and a member

server named Server1 that runs Windows Server 2008 R2 Standard.

You have a computer named Computer1 that runs Windows 7. Computer1 is not connected to the

network. You need to join Computer1 to the contoso.com domain.

What should you do?

To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions

area and arrange them in the correct order.

Answer:

Explanation:



QUESTION NO: 328 HOTSPOT


You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).

Under which node in the DNS snap-in should you add a zone?

To answer, select the appropriate node in the answer area.

Answer:



Explanation:



domain controller named Server1. Server1 has an IP address of 192.168.200.100.

You need to view the Pointer (PTR) record for Server1.

Which zone should you open in the DNS snap-in to view the record?

To answer, select the appropriate zone in the answer area.



Answer:

Explanation:



Select “200.168.192.in-addr.arpa”



You need to create a new site link between two sites named Site1 and Site3. The site link must

support the replication of domain objects.

Under which node in Active Directory Sites and Services should you create the site link?




Answer:

Explanation:

Select the “IP” container under Inter-Site Transports.




Your network contains an Active Directory forest named adatum.com. The forest contains four

child domains named europe.adatum.com, northamerica.adatum.com, asia.adatum.com, and

africa.adatum.com.

You need to create four new groups in the forest root domain. The groups must be configured as

shown in the following table.

What should you do?

To answer, drag the appropriate group type to the correct group name in the answer area.



Answer:

Explanation:


You need to modify the Password Replication Policy on a read-only domain controller (RODC).


To answer, select the appropriate tool in the answer area.



Answer:

Explanation:




Your network contains an Active Directory forest named contoso.com.

The password policy of the forest requires that the passwords for all of the user accounts be

changed every 30 days.

You need to create user accounts that will be used by services. The passwords for these accounts

must be changed automatically every 30 days.

Which tool should you use to create these accounts?

To answer, select the appropriate tool in the answer area.

Answer:

Explanation:



QUESTION NO: 334

Your network contains two forests named adatum.com and litwareinc.com. The functional level of

all the domains is Windows Server 2003. The functional level of both forests is Windows 2000.

You need to create a forest trust between adatum.com and litwareinc.com.


A. Create an external trust.

B. Raise the functional level of both forests.

C. Configure SID filtering.

D. Raise the functional level of all the domains.

Answer: B

Explanation:

QUESTION NO: 335

Your network contains an Active Directory forest named adatum.com.

All client computers used by the marketing department are in an organizational unit (OU) named

Marketing Computers. All user accounts for the marketing department are in an OU named

Marketing Users.



You purchase a new application.

You need to ensure that every user in the domain who logs on to a marketing department

computer can use the application. The application must only be available from the marketing

department computers.

What should you do?

A. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation

package to a shared folder on the network. Assign the application.

B. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the

installation package to a shared folder on the network. Assign the application.

C. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the

installation package to a local drive on each marketing department computer. Publish the

application.

D. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation

package to a folder on each marketing department computer. Publish the application.

Answer: B

Explanation:

QUESTION NO: 336


You need to create an Active Directory Rights Management Services (AD RMS) licensing-only

cluster.

What should you install before you create the AD RMS root cluster?

A. The Failover Cluster feature

B. The Active Directory Certificate Services (AD CS) role

C. Microsoft Exchange Server 2010

D. Microsoft SharePoint Server 2010

E. Microsoft SQL Server 2008

Answer: E

Explanation:





The DNS infrastructure fails.

You rebuild the DNS infrastructure.

You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.

Which service should you restart on the domain controllers?

To answer, select the appropriate service in the answer area.

Answer:



Explanation:



QUESTION NO: 338

Your network contains an Active Directory domain named contoso.com. The contoso.com domain

contains a domain controller named DC1.

You create an Active Directory-integrated GlobalNames zone. You add an alias (CNAME)

resource record named Server1 to the zone. The target host of the record is server2.contoso.com.

When you ping Server1, you discover that the name fails to resolve. You are able to successfully

ping server2.contoso.com.

You need to ensure that you can resolve names by using the GlobalNames zone.


A. Dnscmd DCl.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /domain

B. Dnscmd DCl.contoso.com /config /Enableglobalnamessupport forest

C. Dnscmd DCl.contoso.com/config/Enableglobalnamessupport 1

D. Dnscmd DCl.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /forest

Answer: C

Explanation:

QUESTION NO: 339


The network has a branch office site that contains a read-only domain controller (RODC) named

R0DC1. R0DC1 runs Windows Server 2008 R2.

A user logs on to a computer in the branch office site.

You discover that the user's password is not stored on R0DC1.

You need to ensure that the user's password is stored on RODC1 when he logs on to a branch

office site computer.

What should you do?

A. Modify the RODC s password replication policy by removing the entry for the Allowed RODC



Password Replication Group.

B. Modify the RODC's password replication policy by adding R0DC1's computer account to the list

of allowed users, groups, and computers.

C. Add the user's user account to the built-in Allowed RODC Password Replication Group on

R0DC1.

D. Add R0DC1's computer account to the built-in Allowed RODC Password Replication Group on

R0DC1.

Answer: C

Explanation:

QUESTION NO: 340

You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server

named Server1.

You need to configure the Windows Firewall on Server1 to allow external users to authenticate by

using AD FS.

Which protocol should you allow on Server1?

A. Kerberos

B. SSL

C. SMB

D. RPC

Answer: B

Explanation:

QUESTION NO: 341


member server that runs Windows Server 2008 R2 Standard.

You need to create an enterprise subordinate certification authority (CA) that can issue certificates

based on version 3 certificate templates.

You must achieve this goal by using the minimum amount of administrative effort.




A. Run the certutil.exe - addenrollmentserver command.

B. Install the Active Directory Certificate Services (AD CS) role on the member server.

C. Upgrade the member server to Windows Server 2008 R2 Enterprise.

D. Run the certutil.exe - installdefaulttemplates command.

Answer: C

Explanation:

QUESTION NO: 342

Your network contains a server named Server1. The Active Directory Rights Management

Services (AD RMS) server role is installed on Server1.

An administrator changes the password of the user account that is used by AD RMS. You need to

update AD RMS to use the new password.


A. Active Directory Rights Management Services


C. Local Users and Groups

D. Services

Answer: A

Explanation:

QUESTION NO: 343

Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by

a WAN link. Contoso has an Active Directory forest that contains a single domain named

ad.contoso.com.

The ad.contoso.com domain contains one domain controller named DC1 that is located in the

main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is

configured as a standard primary zone.

You install a new domain controller named DC2 in the branch office. You install DNS on DC2.

You need to ensure that the DNS service can update records and resolve DNS queries in the




What should you do?

A. Create a new secondary zone named ad.contoso.com on DC2.

B. Create a new stub zone named ad.contoso.com on DC2.

C. Configure the DNS server on DC2 to forward requests to DC1.

D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

Answer: D

Explanation:

QUESTION NO: 344

Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2

Enterprise.

You enable key archival on the CA. The CA is configured to use custom certificate templates for

Encrypted File System (EFS) certificates.

You need to archive the private key for all new EFS certificates.

Which snap-in should you use?


B. Authorization Manager

C. Group Policy Management

D. Enterprise PKI

E. Security Templates

F. TPM Management

G. Certificates

H. Certification Authority

I. Certificate Templates

Answer: H

Explanation:

QUESTION NO: 345


Enterprise.



You need to ensure that all of the members of a group named Group1 can view the event log

entries for Certificate Services.


A. Certificate Templates


C. Authorization Manager


E. TPM Management

F. Security Templates

G. Group Policy Management

H. Enterprise PKI

I. Certificates

Answer: C

Explanation:

QUESTION NO: 346


Enterprise.

You need to ensure that users can enroll for certificates that use the IPSEC (Offline request)

certificate template.


A. Enterprise PKI

B. TPM Management

C. Certificates


E. Authorization Manager

F. Certification Authority


H. Security Templates

I. Certificate Templates

Answer: I

Explanation:



QUESTION NO: 347


Enterprise.

You have a custom certificate template named Template 1. Template1 is published to the CA.

You need to ensure that all of the members of a group named Group1 can enroll for certificates

that use Template1.


A. Security Templates

B. Enterprise PKI

C. Certification Authority

D. Certificate Templates

E. Certificates

F. TPM Management

G. Authorization Manager

H. Group Policy Management

I. Active Directory Users and Computers

Answer: D

Explanation:

QUESTION NO: 348


Enterprise.

You need to approve a pending certificate request.




C. Certification Authority

D. Group Policy Management

E. Certificate Templates



F. TPM Management

G. Certificates

H. Enterprise PKI

I. Security Templates

Answer: C

Explanation:


Your network contains an Active Directory domain named adatum.com.

You need to use Group Policies to deploy the line-of-business applications shown in the following

table.

What should you do?

To answer, drag the appropriate deployment method to the correct application in the answer area.



Answer:

Explanation:





You need to create an Active Directory Rights Management Services (AD RMS) licensing-only

cluster.

What should you do?



Answer:

Explanation:




Your network contains two forests named contoso.com and fabrikam.com. The functional level of

all the domains is Windows Server 2003. The functional level of both forests is Windows 2000.

You need to create a trust between contoso.com and fabrikam.com. The solution must ensure that

users from contoso.com can only access the servers in fabrikam.com that have the Allowed to

Authenticate permission set.

What should you do?





Answer:

Explanation:

QUESTION NO: 352


You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).

Under which node in the DNS snap-in should you add a zone?

A. Reverse Lookup Zones



B. adatum.com

C. Forward Lookup Zones

D. Conditional Forwarders

E. _msdcs.adatum.com

Answer: A

Explanation:


Your company has a main office and a branch office. All servers are located in the main office.

The network contains an Active Directory forest named adatum.com. The forest contains a domain

controller named MainDC that runs Windows Server 2008 R2 Enterprise and a member server

named FileServer that runs Windows Server 2008 R2 Standard.

You have a kiosk computer named Public_Computer that runs Windows 7. Public_Computer is not

connected to the network.

You need to join Public_Computer to the adatum.com domain.

What should you do?



Answer:



Explanation:

QUESTION NO: 354

Your network contains an Active Directory domain named adatum.com. The domain contains a

domain controller named DC1. DC1 has an IP address of 192.168.200.100.

You need to identify the zone that contains the Pointer (PTR) record for 0C1.

Which zone should you identify?

A. adatum.com

B. _msdcs.adatum.com

C. 100.168.192.in-addr.arpa

D. 200.168.192.in-addr.arpa



Answer: D

Explanation:

QUESTION NO: 355


The DNS infrastructure fails.

You rebuild the DNS infrastructure.

You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.

Which service should you restart on the domain controllers?

A. Netlogon

B. DNS Server

C. Network Location Awareness

D. Network Store Interface Service

E. Online Responder Service

Answer: A

Explanation:

QUESTION NO: 356


The password policy of the domain requires that the passwords for all user accounts be changed

every 50 days.

You need to create several user accounts that will be used by services. The passwords for these

accounts must be changed automatically every 50 days.

Which tool should you use to create the accounts?



C. Active Directory Module for Windows PowerShell



D. ADSI Edit

E. Active Directory Domains and Trusts

Answer: C

Explanation:

QUESTION NO: 357

Your network contains an Active Directory domain. The domain contains several domain

controllers. You need to modify the Password Replication Policy on a read-only domain controller

(RODC).


A. Group Policy Management

B. Active Directory Domains and Trusts


D. Computer Management

E. Security Configuration Wizard

Answer: C

Explanation:


Your network contains an Active Directory forest named contoso.com. All client computers run

Windows 7 Enterprise.

You need automatically to create a local group named PowerManagers on each client computer

that contains a battery. The solution must minimize the amount of administrative effort.

Which node in Group Policy Management Editor should you use?




Answer:

Explanation:

Select “Control Panel Settings” under Preferences.

QUESTION NO: 359

Your network contains an Active Directory forest. The forest contains domain controllers that run

Windows Server 2008 R2. The functional level of the forest is Windows Server 2003. The

functional level of the domain is Windows Server 2008.

From a domain controller, you need to perform an authoritative restore of an organizational unit

(OU).


A. Raise the functional level of the forest

B. Modify the tombstone lifetime of the forest.

C. Restore the system state.



D. Raise the functional level of the domain.

Answer: C

Explanation:

QUESTION NO: 360


contoso.com and woodgrovebank.com.

You have a custom attribute named Attribute 1 in Active Directory. Attribute 1 is associated to

User objects.

You need to ensure that Attribute1 is included in the global catalog.

What should you do?

A. From the Active Directory Schema snap-in, modify the properties of the Attribute 1

attributeSchema object.

B. In Active Directory Users and Computers, configure the permissions on the Attribute 1 attribute

for User objects.

C. From the Active Directory Schema snap-in, modify the properties of the User classSchema

object.

D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain

controllers in the forest.

Answer: A

Explanation:

QUESTION NO: 361

Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has

the Active Directory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD

LDS instances named Instance1 and Instance2.

You need to remove Instance2 from Server1 without affecting Instance1.




A. NTDSUtil

B. Dsdbutil

C. Programs and Features in the Control Panel

D. Server Manager

Answer: C

Explanation:

QUESTION NO: 362


2008 R2.

You need to compact the Active Directory database.

What should you do?

A. Run the Get-ADForest cmdlet.

B. Configure subscriptions from Event Viewer.

C. Run the eventcreate.exe command.

D. Configure the Active Directory Diagnostics Data Collector Set (OCS).

E. Create a Data Collector Set (DCS).

F. Run the repadmin.exe command.

G. Run the ntdsutil.exe command.

H. Run the dsquery.exe command.

I. Run the dsamain.exe command.

J. Create custom views from Event Viewer.

Answer: G

Explanation:

QUESTION NO: 363


2008 R2.

You need to collect all of the Directory Services events from all of the domain controllers and store

the events in a single central computer.



What should you do?

A. Run the ntdsutil.exe command.

B. Run the repodmin.exe command.

C. Run the Get-ADForest cmdlet.

D. Run the dsamain.exe command.

E. Create custom views from Event Viewer.

F. Run the dsquery.exe command.

G. Configure the Active Directory Diagnostics Data Collector Set (DCS),

H. Configure subscriptions from Event Viewer.

I. Run the eventcreate.exe command.

J. Create a Data Collector Set (DCS).

Answer: H

Explanation:

QUESTION NO: 364


2008 R2.

You need to receive a notification when more than 100 Active Directory objects are deleted per

second.

What should you do?

A. Create custom views from Event Viewer.

B. Run the Get-ADForest cmdlet.

C. Run the ntdsutil.exe command.

D. Configure the Active Directory Diagnostics Data Collector Set (DCS).


F. Run the dsamain.exe command.

G. Run the dsquery.exe command.

H. Run the repadmin.exe command.

I. Configure subscriptions from Event Viewer.

J. Run the eventcreate.exe command.

Answer: E

Explanation:



QUESTION NO: 365


2008 R2.

You need to create a snapshot of Active Directory.

What should you do?

A. Run the dsquery.exe command.

B. Run the dsamain.exe command.

C. Create custom views from Event Viewer.

D. Configure subscriptions from Event Viewer.


F. Configure the Active Directory Diagnostics Data Collector Set (DCS).

G. Run the repadmin.exe command.

H. Run the ntdsutil.exe command.

I. Run the Get-ADForest cmdlet.

J. Run the eventcreate.exe command.

Answer: H

Explanation:

QUESTION NO: 366


2008 R2.

You mount an Active Directory snapshot.

You need to ensure that you can query the snapshot by using LDAP.

What should you do?

A. Run the dsamain.exe command.

B. Create custom views from Event Viewer.


D. Configure subscriptions from Event Viewer.

E. Run the Get-ADForest cmdlet.

F. Create a Data Collector Set (DCS).

G. Run the eventcreate.exe command.



H. Configure the Active Directory Diagnostics Data Collector Set (DCS).

I. Run the repadmin.exe command.

J. Run the dsquery.exe command.

Answer: A

Explanation:

QUESTION NO: 367


The Administrator deletes an OU named OU1 accidentally.

You need to restore OU1. Which cmdlet should you use?

A. Set-ADObject cmdlet

B. Set-ADOrganizationalUnit cmdlet

C. Set-ADUser cmdlet

D. Set-ADGroup cmdlet

Answer: A

Explanation:


Your company plans to open a new branch office.

The new office will have a low-speed connection to the Internet.

You plan to deploy a read-only domain controller (RODC) in the branch office.

You need to create an offline copy of the Active Directory database that can be used to install the

Active Directory on the new RODC.

Which commands should you run from Ntdsutil?

To answer, move the appropriate actions from the list of actions to the answer area and arrange

them in the correct order.



Answer:

Explanation:

QUESTION NO: 369


All users have a value set for the Department attribute.

From Active Directory Users and Computers, you search a domain for all users who have a



Department attribute value of Marketing. The search returns 50 users.

From Active Directory Users and Computers, you search the entire directory for all users who

have the Department attribute value of Marketing. The search does not return any users.

You need to ensure that a search of the entire directory for users in marketing department returns

all of the users who have the Marketing Department attribute.

What should you do?

A. Install the Windows Search Service role service on a global catalogue server.

B. From the Active Directory Schema snap-in, modify the properties of the Department attribute.

C. Install the Indexing service role service on a global catalogue server.

D. From th Active Directory Schema snap-in, modify the properties of the user class.

Answer: B

Explanation:

QUESTION NO: 370

A corporate network includes a singe Active Directory Domain Services ( ADDS ) domain. The AD

DS infrastructure is shown in the following graphic. (See Exhibit)

When the Montreal Site domain controller is offline, authentication request for Montreal branch



office users are sent to the Toronto Site domain controller.

You need to ensure that when the Montreal Site domain controller is offline, authentication

requests for Montreal branch offices users are sent to Quebec City Site domain controller.

What should you do?

A. Create a site link bridge between the Montreal Site and the Quebec City Site.

B. Enable the global catalog role on the Montreal Site domain controller.

C. Modify the Default Domain Policy Group Policy Object

D. Delete the Toronto-Montreal Site Link

Answer: D

Explanation:

QUESTION NO: 371

A corporate environment includes two Active Directory Domain Service ( AD DS ) forests, as

shown in the following table:

You need to ensure that users in the contoso.com domain can access resources in the

eng.fabrikam.com domain.

What should you do?

A. Enable selective authentication.

B. Enable forest-wide authentication.

C. Create an external trust between contoso.com and eng.fabrikam.com

D. Enable domain-wide authentication

Answer: C

Explanation:

QUESTION NO: 372




You need to activate the Active Directory Recycle Bin in the domain.


A. Dsamain

B. Set-ADDomain

C. Add-WindowsFeature

D. Ldp

Answer: D

Explanation:

QUESTION NO: 373


server named Server1 and a domain controller named DC1.

On Server1, you configure a collector-initiated subscription for the Application of DC1. The

subscription is configured to collect all events.

After several days, you discover that Server1 failed to collect any events from DC1, although there

are more than 100 new events in the Application log of DC1.

You need to ensure that Server1 collects the events from DC1.

What should you do?

A. On Server1, run wecutil quick-config

B. On Server1, run winrm quick-config

C. On DC1, run wecutil quick-config

D. On DC1, run winrm quickconfig

Answer: D

Explanation:

QUESTION NO: 374




exhibit.

You have a Group Policy Object (GPO) linked to the domain.

You need to ensure that the settings in the GPO are not processed by user accounts or computer

accounts in the Finance organizational unit (OU). You must achieve this goal by using the

minimum amount of administrative effort.

What should you do?

A. Modify the Group Policy Permission

B. Configure WMI filtering

C. Enable block inheritance

D. Enable loopback processing in replace mode.

E. Configure the link order.

F. Configure Group Policy Preferences.

G. Link the GPO to the Human Resources OU.

H. Configure Restricted Groups.

I. Enable loopback processing in merge mode.

J. Link the GPO to the Finance OU.

Answer: C

Explanation:

QUESTION NO: 375


You have an organizational unit (OU) named Sales and an OU named Engineering.

You have two Group Policy objects (GPOs) named GP01 and GPO2. GP01 and GP02 are linked

to the Sales OU and contain multiple settings.

You discover that GPO2 has a setting that conflicts with a setting in GP01. When the policies are

applied, the setting in GPO2 takes effect.

You need to ensure that the settings in GP01 supersede the settings in GP02. The solution must

ensure that all non-conflicting settings in both GPOs are applied.



A. Configure Restricted Groups.

B. Configure the link order.

C. Link the GPO to the Sales OU.

D. Link the GPO to the Engineering OU.

E. Enable loopback processing in merge mode.

F. Modify the Group Policy permissions.

G. Configure WMI Filtering.

H. Configure Group Policy Preferences.

I. Enable loopback processing in replace mode.

J. Enable block inheritance.

Answer: B

Explanation:

QUESTION NO: 376

All vendors belong to a global group named Vendors.

You place three file servers in a new organization unit (OU) named ConfidentialFileServers. The

three file servers contain confidential data located in shared folders.

You need to record any failed attempts made by the vendors to access the confidential data.


Choose two)

A. Create a new Group Policy Object (GPO) and link it to the ConfidentialFileServers OU.

Configure the Audit object access Failure audit policy setting.

B. Create a new Group Policy Object (GPO) and link it to the ConfidentialFileServers OU.

Configure the Audit privilege use Failure audit policy setting.

C. On each shared folder on the three file servers, add the Vendors global group to the Auditing

tab. Configure the Failed Full control setting in the AuditingEntry dialog box.

D. On each shared folder on the three file servers, add the three servers to the Auditing tab.

Configure the Failed Full control setting in the AuditingEntry dialog box.

E. Create a new Group Policy Object (GPO) and link it to the ConfidentialFileServers OU.

Configure the Deny access to this computer from the network user rights setting for the Vendors

global group.

Answer: A,C

Explanation:



QUESTION NO: 377

A corporate network includes a single Active Directory Domain Services (AD DS) domain.

The HR department has a dedicated organization unit named HR. The HR has two sub-OUs: HR

Users and HR Computers. User accounts for the HR Department reside in the HR Users OU.

Computer accounts for the HR department reside in the HR Computers OU. All HR department

employees belong to a security group named HR Employees. All HR Department computers

belong to a security group named HR PCs.

Company policy requires that passwords are a minimum of six characters.

You need to ensure that, the next time HR Department employees change their passwords, the

passwords are required to have at least eight characters. The password length requirement should

not change for employees of any other department.

What should you do?

A. Modify the password policy in the GPO that is applied to the domain.

B. Create a new GPO, with the necessary password policy, and link it to the HR Users OU.

C. Create a fine-grained password policy and apply it to the HR Users OU.

D. Modify the password policy in the GPO that is applied to the domain controllers OU.

Answer: C

Explanation:

QUESTION NO: 378

A corporate network includes a single Active Directory Domain Services (AD DS) domain. All

regular user accounts reside in an organizational unit (OU) named Employees. All administrator

accounts reside in an OU named Admins.

You need to ensure that any time an administrator modifies an employee's name in AD DS, the

change is audited.


A. Create a Group Policy Object with the Audit directory service access setting enabled and link it

to the Employees OU.

B. Modify the searchFlags property for the Name attribute in the schema.



C. Create a Group Policy Object with the Audit directory service access setting enabled and link it

to the Admins OU.

D. Use the Auditpol.exe command-line tool to enable the directoryserviceschanges auditing

subcategory.

Answer: C

Explanation:

QUESTION NO: 379


You need to provide a user named User1 with the ability to create and manage subnet objects.

The solution must minimize the number of permissions assigned to User1.

What should you do?

A. From the Active Directory Users and Computers, run the Delegation of Control Wizard.

B. From the Active Directory Administrative Center, add User1 to the Schema Admins group.

C. From the Active Directory Sites and Services, run the Delegation of Control Wizard.

D. From Active Directory Administrative Center, add User1 to the Network Configuration Operators

group.

Answer: C

Explanation:

QUESTION NO: 380

A corporate network contains a Windows Server 2008 R2 Active Directory forest.

You need to add a user principal name (UPN) suffix to the forest.


A. Dsmgmt

B. Active Directory Domains and Trusts console

C. Active Directory Users and Computers console

D. Active Directory Sites and Services console



Answer: B


http://technet.microsoft.com/en-us/library/cc772007.aspx

QUESTION NO: 381

Your network contains a single Active Directory domain that has two sites named Site1 and Site2.

Site1 has two domain controllers named DC1 and DC2. Site2 has two domain controllers named

DC3 and DC4.

DC3 fails.

You discover that replication no longer occurs between the sites.

You verify the connectivity between DC4 and the domain controllers in Site1.

On DC4, you run repadmin.exe /kcc.

Replication between the sites continues to fail.

You need to ensure that Active Directory data replicates between the sites.

What should you do?

A. From Active Directory Sites and Services, configure the NTDS Site Settings of Site2.

B. From Active Directory Sites and Services, configure DC3 so it is not a preferred bridgehead

server

C. From Active Directory users and Computers, configure the NTDS settings of DC4.

D. From Active Directory Users and Computers, configure the location settings of DC4.

Answer: B

Explanation:

QUESTION NO: 382




All domain controllers were upgraded from Windows Server 2003 to Windows Server 2008 R2

Service Pack 1 (SP1). The functional level of the domain is Windows Server 2003.

You need to configure SYSVOL to use DFS Replication.

Which tools should you use? (Each correct answer presents part of the solution. Choose two.)

A. Dfsrmig

B. Frsdiag

C. Ntdsutil

D. Set- ADForest

E. Repadmin

F. Set- ADDomainMode

G. DFS Management

Answer: A,F


First raise the Funcional level of the domain to 2008 to use DFS using: Set-ADDomainMode

Second configure sysvol to use dfs replication: Dfsrmig

(Use dfsrmig with Windows2008 R2, not repadamin.)


You manage an Active Directory forest named contoso.com.

The forest contains an empty root domain named contoso.com and a child domain named

child.contoso.com.

All domain controllers run Windows Server 2008. The functional level of the forest is Windows

Server 2008.

You need to raise the functional level of the forest to Windows Server 2008 R2. You must achieve

this goal by using the minimum amount of administrative effort.

What should you do?

To answer, move the appropriate actions from the list of actions to the answer area and arrange

them in the correct order.



Answer:

Explanation:



QUESTION NO: 384

Your network contains an Active Directory forest. The forest contains one domain named

contoso.com.

You attempt to run adprep /domainprep and the operation fails.

You discover that the first domain controller deployed to the forest failed.

You need to run adprep /domainprep successfully.

What should you do?

A. Move the PDC emulator role.

B. Move the global catalog server.

C. Deploy an additional global catalog server.

D. Move the infrastructure master role.

E. Restart the Active Directory Domain Services (AD DS) service.

F. Install a read-only domain controller (RODC)

G. Move the RID master role.

H. Move the domain naming master role.

I. Move the bridgehead server.

J. Move the schema master role.

Answer: D

Explanation:



QUESTION NO: 385


contoso.com.

You discover the following event in the Event log of client computers: "The time provider NtpClient

was unable to find a domain controller to use as a time source. NtpClient will try again in %1

minutes."

You need to ensure that the client computers can synchronize their clocks properly.

What should you do?

A. Move the domain naming master role.

B. Restart the Active Directory Domain Services (AD DS) service.

C. Move the PDC emulator role.

D. Move the infrastructure master role.

E. Move the global catalog server.

F. Move the RID master role.

G. Move the bridgehead server.

H. Move the schema master role.

I. Deploy an additional global catalog server.

J. Install a read-only domain controller (RODC)

Answer: C

Explanation:

QUESTION NO: 386

Your network contains an Active Directory forest named contoso.com. The functional level of the

forest is Windows Server 2008 R2.

The DNS zone for contoso.com is Active Directory-integrated.

You deploy a read-only domain controller (RODC) named RODC1.

You install the DNS Server server role on RODC1.



You discover that RODC1 does not have any DNS application directory partitions.

You need to ensure that RODC1 has a copy of the DNS application directory partition.

What should you do?

A. From DNS Manger, create secondary zones.

B. Run dnscmd.exe and specify the /enlistdirectorypartition parameter.

C. From DNS Manager, right- click RODC1 and click Update Server Data Files.

D. Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter

Answer: B

Explanation:

QUESTION NO: 387


You need to identify whether a fine-grained password policy is applied to a specific group.


A. Credential Manager

B. Group Policy Management Editor


D. Active Directory Sites and Services

Answer: C

Explanation:

QUESTION NO: 388


You need to create one password policy for administrators and another password policy for all

users.




A. Group Policy Management Editor

B. Group Policy Management Console (GPMC)

C. Authorization Manager

D. Ldifde

Answer: D

Explanation:

QUESTION NO: 389

Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each

forest contains one domain. A two-way forest trust exists between the forests.

You plan to add users from fabrikam.com to groups in contoso.com.

You need to identify which group you must use to assign users in fabrikam.com access to the

shared folders in contoso.com.

To which group should you add the users? (See Exhibit)

A. Security Group - Domain Local

B. Distribution Group - Domain Local

C. Security Group - Global

D. Distribution Group - Global

E. Security Group - Universal

F. Distribution Group – Universal

Answer: E

Explanation:



QUESTION NO: 390

Your network contains an Active Directory domain. The domain contains 5,000 user accounts.

You need to disable all of the user accounts that have a description of Temp. You must achieve

this goal by using the minimum amount of administrative effort.

Which tools should you use? (Each correct answer presents part of the solution. Choose two.)

A. Find

B. Dsget

C. Dsmod

D. Dsadd

E. Net accounts

F. Dsquery

Answer: C,F

Explanation:

QUESTION NO: 391

Your network contains an Active Directory domain. The domain contains two file servers. The file

servers are configured as shown in the following table.

You create a Group Policy object (GPO) named GPO1 and you link GPO1 to OU1.

You configure the advanced audit policy as shown in the exhibit.



You discover that the settings are not applied to Server1. The settings are applied to Server2.

You need to ensure that access to the file shares on Server1 is audited.

What should you do?

A. From Active Directory Users and Computers, modify the permissions of the computer account

for Server1

B. From GPO1, configure the Security Options.

C. From Active Directory Users and Computers, add Server1 to the Event Log Readers group.

D. On Server1, run secedit.exe and specify the /configure parameter.

E. On Server1, run auditpol.exe and specify the /set parameter.

Answer: E

Explanation:

QUESTION NO: 392




You have an organizational unit (OU) named Sales and an OU named Engineering. Each OU

contains over 200 user accounts.

The Sales OU and the Engineering OU contain several user accounts that are members of a

universal group named Group1.

You have a Group Policy object (GPO) linked to the domain.

You need to prevent the GPO from being applied to the members of Group1 only.

What should you do?

A. Modify the Group Policy permissions.

B. Configure Restricted Groups.

C. Configure WMI filtering.

D. Configure the fink order.


F. Link the GPO to the Sales OU.

G. Configure Group Policy Preferences.

H. Link the GPO to the Engineering OU.

I. Enable block inheritance.

J. Enable loopback processing in replace mode.

Answer: A

Explanation:

QUESTION NO: 393


exhibit.



You have two Group Policy objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked

to the Finance organizational unit (OU) and contain multiple settings.

You discover that GP02 has a setting that conflicts with a setting in GPO1. When the policies are

applied, the setting in GPO2 takes effect.

You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must

ensure that all non-conflicting settings in both GPOs are applied.

What should you do?

A. Configure the link order.

B. Configure Restricted Groups.

C. Enable block inheritance.

D. Link the GPO to the Finance OU.


F. Enable loopback processing in replace mode.

G. Link the GPO to the Human Resources OU.


I. Configure WMI filtering.

J. Modify the Group Policy permissions.

Answer: A

Explanation:



QUESTION NO: 394




You need to ensure that the new records are available on aft DNS servers as soon as possible.


A. Active Directory Sites And Services console

B. Ntdsutil

C. Dnslint

D. Nslookup

Answer: A

Explanation:

QUESTION NO: 395

Your network contains an Active Directory domain named contosocom. Contoso.com contains two

domain controllers named DC1 and DC2. DC1 and DC2 are configured as DNS servers and host

the Active Directoryintegrated zone for contoso.com.

From DNS Manager on DC1

You enable scavenging for the contosocom zone.

You discover stale DNS records in the zone.

You need to ensure that the stale DNS records are deleted from contoso.com.

What should you do?

A. From DNS Manager, enable scavenging on DC1

B. From DNS Manager, reload the zone.

C. Run dnscmd.exe and specify the ageallrecords parameter.

D. Run dnscmd.exe and specify the startscavenging parameter.

Answer: A



Explanation:

QUESTION NO: 396


contoso.com.

You discover the following event in the Event log of domain controllers: 'The request for a new

accountidentifier pool failed. The operation will be retried until the request succeeds. The error is "

%1 "

You need to ensure that the domain controllers can acquire e new account-identifier pools

successfully.

What should you do?

A. Move the domain naming master role.

B. Move the global catalog server.

C. Restart the Active Directory Domain Services (AD DS) service.

D. Deploy an additional global catalog server

E. Move the infrastructure master role.

F. Move the PDC emulator role.

G. Install a read-only domain controller (RODC).

H. Move the RID master role.


J. Move the schema master role.

Answer: H

Explanation:

QUESTION NO: 397

Your network contains an Active Directory domain named adatum.com. All servers run Windows

Server 2008 R2 Enterprise. All client computers run Windows 7 Professional.

The network contains an enterprise certification authority (CA).

You have a custom certificate template named Sales_Temp. Sales_Temp is published to the CA.



You need to ensure that all of the members of a group named Sales can enroll for certificates that

use Sales_Temp.


A. Enterprise PKI


C. Share and Storage Management

D. Certificate Templates

E. Security Configuration Wizard

F. Authorization Manager


H. Certificates

I. Active Directory Administrative Center

Answer: D

Explanation:

QUESTION NO: 398

Your network contains an Active Directory forest named adatum.com. All domain controllers

currently run Windows Server 2003 Service Pack (SP2). The functional level of the forest and the

domain is Windows Server 2003.

You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.


A. Deploy a writable domain controller that runs Windows Server 2008 R2.

B. Raise the functional level of the forest to Windows Server 2008.

C. Run adprep.exe.

D. Raise the functional level of the domain to Windows Server 2008.

Answer: C

Explanation:

QUESTION NO: 399




All users have a value set for the Department attribute.

From Active Directory Users and Computers, you search a domain for all users who have a

Department attribute value of Marketing. The search returns 50 users.

From Active Directory Users and Computers, you search the entire directory for all users who

have a Department attribute value of Marketing.

The search does not return any users.

You need to ensure that a search of the entire directory for users in the marketing department

returns all of the users who have the Marketing Department attribute.

What should you do?

A. Install the Windows Search Service role service on a global catalog server.

B. From the Active Directory Schema snap-in modify the properties of the Department attribute.

C. Install the Indexing Service role service on a global catalog server.

D. From the Active Directory Schema snap-in modify the properties of the user class.

Answer: B

Explanation:

QUESTION NO: 400


You need to create a script that runs the Best Practices Analyzer (BPA) each week for all of the

server roles that BPA supports on each domain controller.

Which cmdlets should you include in the script? (Each correct answer presents part of the

solution. Choose three.)

A. Get- TroubleshootingPack | Invoke- TroubleshootingPack

B. Import-Module BestPractices

C. Get- BPAModel | Invoke- BPAModel

D. Import-Module TroubleshootingPack

E. Get- BPAResult

Answer: B,C,E



Explanation:

QUESTION NO: 401


contoso.com.

You discover the following event in the Event log of domain controllers: "The request for a new

account-identifier pool failed. The operation will be retried until the request succeeds. The error is "

%1 ""

You need to ensure that the domain controllers can acquire new account-identifier pools

successfully.

What should you do?


B. Move the schema master role.

C. Move the global catalog server.

D. Move the domain naming master role.

E. Move the infrastructure master role.

F. Move the RID master role.

G. Restart the Active Directory Domain Services (AD DS) service.

H. Deploy an additional global catalog server.


J. Install a read-only domain controller (RODC).

Answer: F

Explanation: Ref: http://technet.microsoft.com/en-us/library/cc756699(v=ws.10)

QUESTION NO: 402 CORRECT TEXT

Your network contains an Active Directory domain. The domain contains a domain controller

named DC1 that runs windows Server 2008 R2 Service Pack 1 (SP1).

You need to implement a central store for domain policy templates.

What should you do?



To answer, select the source content that should be copied to the destination folder in the answer

area.

Answer: Copy “C:\Windows\PolicyDefinitions” to “C:\Windows\SYSVOL\domain\Policies”

Ref: http://www.petri.co.il/creating-group-policy-central-store.htm

QUESTION NO: 403


You need to create one password policy for administrators and another password policy for all

other users.


A. Ntdsutil


C. ADSI Edit

D. Group Policy Management Console (GPMC)

Answer: C

Explanation:

Ref: http://technet.microsoft.com/en-US/library/cc754461.aspx

QUESTION NO: 404


You need to identify whether a fine-grained password policy is applied to a specific group.






C. Local Security Policy

D. ADSI Edit

Answer: D

Explanation: The link below instructs you to access the “Attribute Editor” via Active Directory

Users and Computers. However the “Attribute Editor” can also be accessed by right-clicking on a

user or group in ADSI Edit.

Ref: http://technet.microsoft.com/en-US/library/cc770848.aspx

QUESTION NO: 405






A. Repadmin

B. Active Directory Domains and Trusts console

C. Ldp

D. Ntdsutil

Answer: A

Explanation: Ref: http://technet.microsoft.com/en-us/library/cc835086(v=ws.10)

QUESTION NO: 406

Your network contains an Active Directory forest named contoso.com. The forest contains two



domains named contoso.com and child.contoso.com. The forest contains two sites named Seattle

and Denver. Both sites contain users, client computers, and domain controllers from both

domains.

The Seattle site contains the first domain controller deployed to the forest. The Seattle site also

contains the primary domain controller (PDC) emulator for both domains. All of the domain

controllers are configured as DNS servers. All DNS zones are replicated to all of the domain

controllers in the forest.

The users in the Denver site report that is takes a long time to log on to their client computer when

they use their user principal name (UPN). The users in the Seattle site do not experience the

same issue.

You need to reduce the amount of time it takes for the Denver users to log on to their client

computer by using their UPN.

What should you do?

A. Reduce the cost of the site link between the Denver site and the Seattle site.

B. Enable the global catalog on a domain controller in the Denver site.

C. Enable universal group membership caching in the Denver site.

D. Move a PDC emulator to the Denver site.

E. Reduce the replication interval of the site link between the Denver site and the Seattle site.

F. Add an additional domain controller to the Denver site.

Answer: B

Explanation:

QUESTION NO: 407


The Active Directory sites are configured as shown in the Sites exhibit. (Click the Exhibit button.)



You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes

between the sites.

What should you do?

A. Configure DC1 as a preferred bridgehead server for IP transport.

B. Configure DC4 as a preferred bridgehead server for IP transport.

C. From the DC4 server object, create a Connection object for DC1.

D. From the DC1 server object, create a Connection object for DC4.

Answer: C

Explanation:

QUESTION NO: 408

Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each

forest contains a single domain.

A two-way forest trust exists between the forests. Selective authentication is enabled on the trust.

Contoso.com contains a group named Group 1.



Fabrikam.com contains a server named Server1.

You need to ensure that users in Group1 can access resources on Server1.


A. the permissions of the Group1 group

B. the UPN suffixes of the contoso.com forest

C. the UPN suffixes of the fabrikam.com forest

D. the permissions of the Server1 computer account

Answer: A

Explanation:



sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain

controllers are configured as shown in the following table.

You need to enable universal group membership caching in the Seattle site.

Which object's properties should you modify?

To answer, select the appropriate object in the answer area.



Answer:

Explanation:



QUESTION NO: 410



Users in the Sates OU frequently log on to client computers in the Engineering OU.

You need to meet the following requirements:

- All of the user settings in the Group Policy objects (GPOs) linked to both the Sales OU and the

Engineering OU must be applied to sales users when they log on to client computers in the

Engineering OU.

- Only the policy settings in the GPOs linked to the Sales OU must be applied to sales users when

they log on to client computers in the Sales OU.

- Policy settings in the GPOs linked to the Sales OU must not be applied to users in the

Engineering OU.

What should you do?


B. Enable block inheritance.

C. Configure the link order.

D. Enable loopback processing in merge mode.



E. Enable loopback processing in replace mode.

F. Configure WMI filtering.

G. Configure Restricted Groups.


I. Link the GPO to the Sales OU.

J. Link the GPO to the Engineering OU.

Answer: C

Explanation:

QUESTION NO: 411


exhibit. (Click the Exhibit button.)

You have a Group Policy object (GPO) linked to the domain. The GPO is used to deploy a number

of software packages.

You need to ensure that the GPO is applied only to client computers that have sufficient free disk

space.

What should you do?











I. Link the GPO to the Finance organizational unit (OU).

J. Link the GPO to the Human Resources organizational unit (OU).

Answer: B

Explanation:

QUESTION NO: 412

You have an Active Directory domain named contoso.com.

You need to view the account lockout threshold and duration for the domain.


A. Computer Management

B. Net Config


D. Gpresult

Answer: C

Explanation:

QUESTION NO: 413


contoso.com and east.contoso.com. The contoso.com domain contains a domain controller

named DC1. The east.contoso.com domain contains a domain controller named DC2. DC1 and

DC2 have the DNS Server server role installed.

You need to create a DNS zone that is available on DC1 and DC2. The solution must ensure that

zone transfers are encrypted.



What should you do?

A. Create a primary zone on DC1 and store the zone in a zone file. On DC1 and DC2, configure

inbound rules and outbound rules by using Windows Firewall with Advanced Security. Create a

secondary zone on DC2 and select DC1 as the master.

B. Create a primary zone on DC1 and store the zone in a DC=ForestDNSZones, DC=Contoso,

DC=com naming context.

C. Create a primary zone on DC2 and store the zone in a DC= DC=East, DC=Contoso/DC=com

naming context. Create a secondary zone on DC1 and select DC2 as the master.

D. Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for the

zone. Create a secondary zone on DC2 and select DC1 as the master,

Answer: D

Explanation:

QUESTION NO: 414


domain controller named DC1. DC1 has the DNS Server server role installed and hosts an Active

Directory-integrated zone for contoso.com. The no-refresh interval and the refresh interval are

both set to three days.

The Advanced DNS settings of DC1 are shown in the Advanced DNS Settings exhibit. (Click the

Exhibit button.)



You open the properties of a static record named Server1 as shown in the Server1 Record exhibit.

(Click the Exhibit button.)



You discover that the scavenging process ran today, but the record for Server1 was not deleted.

You run dnscmd.exe and specify the ageallrecords parameter.

You need to identify when the record for Server1 will be deleted from the zone.

In how many days will the record be deleted?

A. 13

B. 10

C. 23

D. 7

Answer: D



Explanation:

QUESTION NO: 415


Server 2008 R2.


You need to ensure that all of the members of a group named Managers can view the event log

entries for Certificate Services.





D. Certificates

E. Certification Authority

F. Enterprise PKI


H. Security Configuration Wizard

I. Share and Storage Management

Answer: G

Explanation:

QUESTION NO: 416


Server 2008 R2 Enterprise. All client computers run Windows 7 Professional.


You need to approve a pending certificate request.







D. Certificates

E. Certification Authority

F. Enterprise PKI


H. Security Configuration Wizard

I. Share and Storage Management

Answer: E

Explanation:

QUESTION NO: 417



Each organizational unit (OU) contains over 500 user accounts.

The Finance OU and the Human Resources OU contain several user accounts that are members

of a universal group named Group1.




You need to prevent the GPO from being applied to the members of Group1 only.

What should you do?




D. Enable loopback processing in merge mode,





I. Link the GPO to the Finance OU.

J. Link the GPO to the Human Resources OU.

Answer: A

Explanation:

QUESTION NO: 418




You need to ensure that the settings in the GPO are not processed by user accounts or computer

accounts in the Sales OU. You must achieve this goal by using the minimum amount of

administrative effort.

What should you do?









I. Link the GPO to the Sales OU.



J. Link the GPO to the Engineering OU.

Answer: B

Explanation:

QUESTION NO: 419

A corporate network includes a single Active Directory Domain Services (AD DS) domain. The

domain contains 10 domain controllers. The domain controllers run Windows Server 2008 R2 and

are configured as DNS servers.

You plan to create an Active Directory-integrated zone.

You need to ensure that the new zone is replicated to only four of the domain controllers.


A. Use the ntdsutil tool to modify the DS behavior for the domain.

B. Use the ntdsutil tool to add a naming context.

C. Create a new delegation in the ForestDnsZones application directory partition.

D. Use the dnscmd tool with the /zoneadd parameter.

Answer: D

Explanation:

QUESTION NO: 420


You plan to migrate all user accounts to a new forest named litwareinc.com.

The functional level of the contoso.com forest is Windows Server 2003. Contoso.com contains

four servers. The servers are configured as shown in the following table.



The functional level of the litwareinc.com forest is Windows Server 2008. Litwareinc.com contains

four servers. The servers are configured as shown in the following table.

You need to identify on which server in the litwareinc.com forest you must install Active Directory

Migration Tool version 3.2 (ADMT v3.2).

Which server should you identify?

A. Litw_Srv4

B. Litw_Srv1

C. Litw_Srv2

D. Litw_Srv3

Answer: D

Explanation:

QUESTION NO: 421

Your network contains an Active Directory forest named fabrikam.com. The forest contains the

following domains:

- Fabrikam.com



- Eu.fabrikam.com

- Na.fabrikam.com

- Eu.contoso.com

- Na.contoso.com

You need to configure the forest to ensure that the administrators of any of the domains can

specify a user principal name (UPN) suffix of contoso.com when they create user accounts from

Active Directory Users and Computers.



B. Set-ADDomain

C. Set-ADForest

D. Active Directory Administrative Center

Answer: C

Explanation:



Active Directory sites named Seattle and Montreal. The Montreal site is a branch office that

contains only a single read-only domain controller (RODC).

You accidentally delete the site link between the two sites.

You recreate the site link while you are connected to a domain controller in Seattle.

You need to replicate the change to the RODC in Montreal.

Which node in Active Directory Sites and Services should you use?




Answer:

Explanation:



C:\Users\Kamran\Desktop\image.JPG

QUESTION NO: 423

A corporate network includes a single Active Directory Domain Services (AD DS) domain and two

AD DS sites. The AD DS sites are named Toronto and Montreal. Each site has multiple domain

controllers.

You need to determine which domain controller holds the Inter-Site Topology Generator role for

the Toronto site.

What should you do?

A. Use the Active Directory Sites and Services console to view the NTDS Site Settings for the

Toronto site.

B. Use the Ntdsutil tool with the roles parameter.

C. Use the Ntdsutil tool with the LDAP policies parameter.

D. Use the Active Directory Sites and Services console to view the properties of each domain

controller in the Toronto site.

Answer: A

Explanation:



sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain

controllers are configured as shown in the following table.

The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server

in the forest.



You need to configure DC2 as a global catalog server.

Which object's properties should you modify?

To answer, select the appropriate object in the answer area.

Answer:

Explanation:




QUESTION NO: 425

Your network contains an Active Directory domain. The domain contains five sites. One of the

sites contains a read-only domain controller (RODC) named RODC1.

You need to identify which user accounts can have their password cached on RODC1.


A. Repadmin

B. Dcdiag

C. Get-ADDomainControllerPasswordReplicationPolicyUsage

D. Adtest

Answer: A

Explanation:

QUESTION NO: 426

A network contains an Active Directory forest. The forest contains three domains and two sites.

You remove the global catalog from a domain controller named DC2. DC2 is located in Site1.



You need to reduce the size of the Active Directory database on DC2. The solution must minimize

the impact on all users in Site1.


A. On DC2, start the Protected Storage service.

B. On DC2, stop the Active Directory Domain Services service.

C. Start DC2 in Safe Mode.

D. Start DC2 in Directory Services Restore Mode.

Answer: B

Explanation:

QUESTION NO: 427

Your network contains an Active Directory domain named adatum.com. The functional level of the

domain is Windows Server 2008. All domain controllers run Windows Server 2008 R2. All client

computers run Windows 7 Enterprise.

You need to receive a notification when more than 50 Active Directory objects are deleted per

second.

What should you do?

A. Run the Get-ADDomain cmdlet.

B. Run the dsget.exe command.


D. Run the ocsetup.exe command.

E. Run the dsamain.exe command.

F. Run the eventcreate.exe command.

G. Create a Data Collector Set (DCS).

H. Create custom views from Event Viewer.


J. Import the Active Directory module for Windows PowerShell.

Answer: G

Explanation:

QUESTION NO: 428




You have a custom certificate template that has a key length of 1,024 bits. The template is

enabled for autoenrollment.

You increase the template key length to 2,048 bits.

You need to ensure that all current certificate holders automatically enroll for a certificate that uses

the new template.


A. Group Policy Management MMC Snap-In

B. Certificates MMC Snap-In on the Certificate Authority

C. Certificate Templates MMC Snap-In

D. Certification Authority MMC Snap-In

Answer: C

Explanation:

QUESTION NO: 429


The password policy for the domain is configured as shown in the Current Policy exhibit, (Click the

Exhibit button.)



You change the password policy for the domain as shown in the New Policy exhibit. (Click the

Exhibit button.)

You need to provide users with examples of a valid password.

Which password examples should you provide to the users? (Each correct answer presents a

complete solution. Choose three.)

A. 123456!@#$%^

B. !@#$1234ABCD

C. passwordl234

D. 1-2-3-4-5-a-b-c-e

E. %%PASS1234%%

F. 111111aaaaaaa

Answer: A,B,D

Explanation:



You need to use Group Policies to deploy the applications shown in the following table.



What should you do?

To answer, drag the appropriate deployment method to the correct application in the answer area.

Answer:

Explanation:




QUESTION NO: 431


contoso.com.

You attempt to create a new child domain and you receive the following error message: "An LDAP

read of operational attributes failed."

You need to ensure that you can add a new child domain to the forest.

What should you do?


B. Move the RID master role.

C. Move the infrastructure master role.

D. Move the schema master role.

E. Move the domain naming master role.

F. Move the global catalog server.

G. Move the bridgehead server.

H. Install a read-only domain controller (RODC).

I. Deploy an additional global catalog server.

J. Restart the Active Directory Domain Services (AD DS) service.

Answer: E

Explanation:

QUESTION NO: 432


The Active Directory sites are configured as shown in the Sites exhibit. (Click the Exhibit button.)



You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes

between the sites.

What should you do?

A. Configure DC1 as a preferred bridgehead server for IP transport.

B. Configure DC4 as a preferred bridgehead server for IP transport.

C. From the DC4 server object, create a Connection object for DC1.

D. From the DC1 server object, create a Connection object for DC4.

Answer: A

Explanation:


Your network contains two Active Directory forests named contoso.com and fabrikam.com.

A two-way forest trust exists between the forests. Selective authentication is enabled on the trust.

Fabrikam.com contains a server named Server1.

You assign Contoso\Domain Users the Manage documents permission and the Print permission to

a shared printer on Server1.

You discover that users from contoso.com cannot access the shared printer on Server1.

You need to ensure that the contoso.com users can access the shared printer on Server1.

Which permission should you assign to Contoso\Domain Users.



To answer, select the appropriate permission in the answer area.

Answer:



Explanation:




QUESTION NO: 434


forest is Windows Server 2008 R2. The forest contains a single domain.

You need to ensure that objects can be restored from the Active Directory Recycle Bin.




A. Ntdsutil

B. Set-ADDomain

C. Dsamain

D. Enable-ADOptionalFeature

Answer: C

Explanation:

QUESTION NO: 435

Your network contains an Active Directory domain named adatum.com. The functional level of the

domain is Windows Server 2003. All domain controllers run Windows Server 2008 R2.

You mount an Active Directory snapshot.

You need to ensure that you can connect to the snapshot by using LDAP.

What should you do?

A. Run the Get-ADDomain cmdlet.

B. Run the dsget.exe command.


D. Run the ocsetup.exe command.

E. Run the dsamain.exe command.

F. Run the eventcreate.exe command,

G. Create a Data Collector Set (DCS).

H. Create custom views from Event Viewer.


J. Import the Active Directory module for Windows PowerShell.

Answer: E

Explanation:

QUESTION NO: 436





Users in the Finance organizational unit (OU) frequently log on to client computers in the Human

Resources OU.

You need to meet the following requirements:

- All of the user settings in the Group Policy objects (GPOs) linked to both the Finance OU and

the Human Resources OU must be applied to finance users when they log on to client

computers in the Engineering OU.

- Only the policy settings in the GPOs linked to the Finance OU must be applied to finance users

when they log on to client computers in the Finance OU.

- Policy settings in the GPOs linked to the Finance OU must not be applied to users in the Human

Resources OU.

What should you do?









I. Link the GPO to the Finance OU.

J. Link the GPO to the Human Resources OU.

Answer: D

Explanation:



QUESTION NO: 437



You need to ensure that when users log on to client computers, they are added automatically to

the local Administrators group. The users must be removed from the group when they log off of

the client computers.

What should you do?









I. Link the Group Policy object (GPO) to the Sales OU.

J. Link the Group Policy object (GPO) to the Engineering OU.

Answer: H

Explanation:

QUESTION NO: 438

Your network contains an Active Directory domain. The domain contains two Active Directory sites

named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2

contains two domain controller named DC3 and DC4,

The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is


Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day.

At 07:00, an administrator deletes a user account while he is logged on to DC1.



You need to restore the deleted user account. You want to achieve this goal by using the minimum

amount of administrative effort.

What should you do?

A. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then

start Active Directory Domain Services

B. On DC3, run the Restore-ADObject cmdlet.

C. On DC1, run the Restore-ADObject cmdlet.

D. On DC1, stop Active Directory Domain Services, restore the SystemState, and then start Active

Directory Domain Services.

Answer: A

Explanation:

QUESTION NO: 439

You create a standard primary zone for contoso.com.

You need to specify a user named Admin1 as the person responsible for managing the zone.

What should you do? (Each correct answer presents a complete solution. Choose two.)

A. Open the %Systemroot\System32\DNS\Contoso.com.dns file by using Notepad and change all

instances of "hostmaster.contoso.com" to "admin1.contoso.com",

B. From DNS Manager, open the properties of the Start of Authority (SOA) record ofcontoso.com,

Specify admin1.contoso.com as the responsible person.

C. Open the %Systemroot\System32\DNS\Contoso.com.dns file by using Notepad and change all

instances of "[email protected]" to "[email protected]" .

D. From DNS Manager, open the properties of the Start of Authority (SOA) record ofcontoso.com.

Specify [email protected] as the responsible person.

Answer: B,C

Explanation:

QUESTION NO: 440


member servers named Server1 and Server2. Server1 and Server2 have the DNS Server server



role installed.

Server1 hosts a standard primary zone for contoso.com. Server2 is configured as a secondary

name server for contoso.com.

You experience issues with the copy of the zone on Server2,

You verify that both copies of the zone have the same serial number.

You need to transfer a complete copy of the zone from Server1 to Server2.


A. From DNS Manager, right-click contoso.com and click Transfer from Master.

B. From Services, right-click DNS Server and click Refresh.

C. From Services, right-click DNS Server and click Restart.

D. From DNS Manager, right-click contoso.com and click Reload.

E. From DNS Manager, right-click contoso.com and click Transfer a new copy of zone from

Master.

Answer: E

Explanation:

QUESTION NO: 441


forest is Windows Server 2008 R2

The DNS zone for contoso.com is Active Directory-integrated.

You deploy a read-only domain controller (RODC) named R0DC1. You install the DNS Server

server role on R0DC1.

You discover that R0DC1 does not have any DNS application directory partitions.

You need to ensure that R0DC1 has a copy of the DNS application directory partition of

contoso.com.

What should you do? (Each correct answer presents a complete solution. Choose two.)



A. From DNS Manager, right-click RODC1 and click Create Default Application Directory

Partitions.

B. Run ntdsutil.exe. From the Partition Management context, run the create nc command.

C. Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.

D. Run ntdsutil.exe. From the Partition Management context, run the add nc replica command.

E. Run dnscmd.exe and specify the /enlistdirectorypartition parameter.

Answer: A,D

Explanation:

QUESTION NO: 442






A. Ntdsutil

B. Dnscmd

C. Repadmin

D. Nslookup

Answer: D

Explanation:

QUESTION NO: 443

Your network contains three servers named ADFS1, ADFS2, and ADFS3 that run Windows Server

2008 R2. ADFS1 has the Active Directory Federation Services (AD FS) Federation Service role

service installed.

You plan to deploy AD FS 2.0 on ADFS2 and ADFS3.

You need to export the token-signing certificate from ADFS1, and then import the certificate to

ADFS2 and ADFS3.



In which format should you export the certificate?

A. Personal Information Exchange PKCS #12 (.pfx)

B. DER encoded binary X.509 (.cer)

C. Cryptographic Message Syntax Standard PKCS #7 (.p7b)

D. Base-64 encoded X.S09 (.cer)

Answer: A

Explanation:

QUESTION NO: 444

You create a user account template for the marketing department.

When you copy the user account template, you discover that the Web page attribute is not copied.

You need to preserve the Web page attribute when you copy the user account template.

What should you do?

A. From Active Directory Administrative Center, modify the value of the wWWHomePage attribute

for the user account template.

B. From the Active Directory Schema snap-in, modify the properties of the user class.

C. From Active Directory Users and Computers, modify the value of the wWWHomePage attribute

for the user account template.

D. From ADSI Edit, modify the properties of the wWWHomePage attribute.

Answer: B

Explanation:

QUESTION NO: 445

Your network contains an Active Directory forest named contoso.com. The forest contains four

computers. The computers are configured as shown in the following table.



An administrator creates a script that contains the following commands:

You need to identity which computers can successfully run all of the commands in the script.

Which two computers should you identify? (Each correct answer presents part of the solution.

Choose two.)

A. Computer1

B. Server1

C. Computer2

D. Server2

Answer: B,D

Explanation:

QUESTION NO: 446


exhibit, (Click the Exhibit button.)



You need to ensure that when users log on to client computers, they are added automatically to

the local Administrators group. The users must be removed from the group when they log off of

the client computers.

What should you do?









I. Link the Group Policy object (GPO) to the Finance organizational unit (OU).

J. Link the Group Policy object (GPO) to the Human Resources organizational unit (OU).

Answer: H

Explanation:



You need to view which password setting object is applied to a user.



Which filter option in Attribute Editor should you enable? To answer, select the appropriate filter

option in the answer area.

Answer:

Explanation:




QUESTION NO: 448

Your company has an Active Directory forest. Each regional office has an organizational unit (OU)

named Marketing. The Marketing OU contains all users and computers in the region's Marketing

department.

You need to install a Microsoft Office 2007 application only on the computers in the Marketing

OUs.

You create a GPO named MarketingApps.


A. Configure the GPO to assign the application to the computer account. Link the GPO to the

domain.

B. Configure the GPO to assign the application to the user account. Link the GPO to each

Marketing OU.

C. Configure the GPO to assign the application to the computer account. Link the GPO to each

Marketing OU.

D. Configure the GPO to publish the application to the user account. Link the GPO to each

Marketing OU.

Answer: C

Explanation:



QUESTION NO: 449

Your network contains an Active Directory domain named contoso.com. The functional level of the

forest is Windows Server 2008 R2.

The Default Domain Controller Policy Group Policy object (GPO) contains audit policy settings.

On a domain controller named DC1, an administrator configures the Advanced Audit Policy

Configuration settings by using a local GPO.

You need to identify what will be audited on DC1.


A. Get-ADObject

B. Secedit

C. Security Configuration and Analysis

D. Auditpol

Answer: D

Explanation:

QUESTION NO: 450

A network contains an Active Directory forest. The forest schema contains a custom attribute for

user objects.

You need to view the custom attribute value of 500 user accounts in a Microsoft Excel table.


A. Dsmod

B. Csvde

C. Ldifde

D. Dsrm

Answer: B

Explanation:



QUESTION NO: 451


domains named contoso.com and child.contoso.com. All domain controllers run Windows Server

2008. All forest-wide operations master roles are in child.contoso.com.

An administrator successfully runs adprep.exe /forestprep from the Windows Server 2008 R2

Service Pack 1 (SP1) installation media.

You plan to run adprep.exe /domainprep in each domain.

You need to ensure that you have the required user rights to run the command successfully in

each domain.

Of which groups should you be a member? (Each correct answer presents part of the solution.

Choose two.)

A. Administrators in child.contoso.com

B. Enterprise Admins in contoso.com

C. Domain Admins in child.contoso.com

D. Domain Admins in contoso.com

E. Administrators in contoso.com

F. Schema Admins in contoso.com

Answer: C,D

Explanation:

QUESTION NO: 452

Your network contains an Active Directory forest named contoso.com. The forest contains a single

domain and 10 domain controllers. All of the domain controllers run Windows Server 2008 R2

Service Pack 1 (SP1).

The forest contains an application directory partition named dc=app1, dc=contoso,dc=com. A

domain controller named DC1 has a copy of the application directory partition.

You need to configure a domain controller named DC2 to receive a copy of dc=app1, dc=contoso,



dc=corn.



B. Dsmod

C. Dcpromo

D. Dsmgmt

Answer: B

Explanation:

QUESTION NO: 453

A corporate environment includes a Windows Server 2008 R2 Active Directory Domain Services

(AD DS) domain.

You need to enable Universal Group Membership Caching on several domain controllers in the

domain.


A. Dsmod

B. Dscmd

C. Ntdsutil

D. Active Directory Sites and Services console

Answer: A

Explanation:

QUESTION NO: 454

Your network contains an Active Directory forest. The forest contains three domains. All domain

controllers have the DNS Server server role installed.

The forest contains three sites named Site1, Site2, and Site3. Each site contains the users, client

computers, and domain controllers of each domain. Site1 contains the first domain controller

deployed to the forest.



The sites connect to each other by using unreliable WAN links.

The users in Site2 and Site3 report that is takes a long time to log on to their client computer when

they use their user principal name (UPN). The users in Site1 do not experience the same issue.

You need to reduce the amount of time it takes for the Site2 users and the Site3 users to log on to

their client computer by using their UPN.

What should you do?

A. Configure a global catalog server in Site2 and a global catalog server in Site3.

B. Reduce the replication interval of the site links.

C. Move a primary domain controller (PDC) emulator to Site2 and to Site3.

D. Add additional domain controllers to Site2 and to Site3.

E. Reduce the cost of the site links.

F. Enable universal group membership caching in Site2 and in Site3.

Answer: A

Explanation:

QUESTION NO: 455

You have a client computer named Computer1 that runs Windows 7.

On Computer1, you configure a source-initiated subscription.

You configure the subscription to retrieve all events from the Windows logs of a domain controller

named DC1. The subscription is configured to use the HTTP protocol.

You discover that events from the Security log of DC1 are not collected on Computer1. Events

from the Application log of DC1 and the System log of DC1 are collected on Computer1.

You need to ensure that events from the Security log of DC1 are collected on Computer1.

What should you do?

A. Add the computer account of Computer1 to the Event Log Readers group on the domain

controller.

B. Add the Network Service security principal to the Event Log Readers group on the domain



controller.

C. Configure the subscription to use custom Event Delivery Optimization settings.

D. Configure the subscription to use the HTTPS protocol.

Answer: B

Explanation:

QUESTION NO: 456

Your network contains an Active Directory forest named contoso.com. The forest contains six

domains.

You need to ensure that the administrators of any of the domains can specify a user principal

name (UPN) suffix oflitwareinc.com when they create user accounts by using Active Directory

Users and Computers.



B. Set-ADDomain


D. Set-ADForest

Answer: C

Explanation:

QUESTION NO: 457

Your network contains an Active Directory domain named litwareinc.com. The domain contains

two sites named Sitel and Site2. Site2 contains a read-only domain controller (RODC).

You need to identify which user accounts attempted to authenticate to the RODC.



B. Ntdsutil

C. Get-ADAccountResultantPasswordReplicationPolicy

D. Adtest



Answer: A

Explanation:

QUESTION NO: 458


for user objects.

You need to generate a file that contains the last logon time and the custom attribute values for

each user in the forest.


A. the Get-ADUser cmdlet

B. the Export-CSV cmdlet

C. the Net User command

D. the Dsquery User tool

Answer: A

Explanation:

QUESTION NO: 459

You have an Active Directory domain named contoso.com.

You need to view the account lockout threshold and duration for the domain.


A. Net User


C. Group Policy Management Console (GPMC)

D. Computer Management

Answer: C

Explanation:



QUESTION NO: 460

A domain controller named DC4 runs Windows Server 2008 R2. DC4 is configured as a DNS

server for fabrikam.com.

You install the DNS Server server role on a member server named DNS1 and then you create a

standard secondary zone for fabrikam.com. You configure DC4 as the master server for the zone.

You need to ensure that DNS1 receives zone updates from DC4.

What should you do?

A. Add the DNS1 computer account to the DNSUpdateProxy group.

B. On DC4, modify the permissions offabrikam.com zone.

C. On DNS1, add a conditional forwarder.

D. On DC4, modify the zone transfer settings for the fabrikam.com zone.

Answer: D

Explanation:

QUESTION NO: 461

A company has an Active Directory forest. You plan to install an offline Enterprise root certification

authority (CA) on a server named CA1. CA1 is a member of the PerimeterNetwork workgroup and

is attached to a hardware security module for private key storage.

You attempt to add the Active Directory Certificate Services (AD CS) server role to CA1. The

Enterprise CA option is not available.

You need to install the AD CS server role as an Enterprise CA on CA1.


A. Add the DNS Server server role to CA1.

B. Add the Web Server (IIS) server role and the AD CS server role to CA1.

C. Add the Active Directory Lightweight Directory Services (AD LDS) server role to CA1.

D. Join CA1 to the domain.

Answer: D

Explanation:


Microsoft 70-640 TS: Windows Server 2008 Active Directory, Configuring

Documents

Transcript of Microsoft 70-640 TS: Windows Server 2008 Active Directory, Configuring