Q1. Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domain controllers. The domain controllers are configured as shown in the following table.
All client computers have IP addresses in the 10.1.2.1 to 10.1.2.240 range.
You need to minimize the number of client authentication requests sent to DC2.
What should you do?
A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and assign the subnet to Site1. Move DC1 to Site1.
B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and assign the subnet to Site1. Move DC1 to Site1.
C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and assign the subnet to Site1. Move DC2 to Site1.
D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and assign the subnet to Site1. Move DC2 to Site1.
Answer: C
Explanation:
Creating a new site and assigning a subnet of 10.1.1.2 with subnet mask of 255.255.255.255, it means only ONE ip (the DC2 ip) will be included on the site1 subnet coverage. Therefore all the request will be processed from the DC1 in the default-first-site and dc2 will authenticate only itself.
Q2. Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains a member server that is configured to collect all of the events that occur on the domain controllers.
You need to ensure that administrators are notified when a specific event occurs on any of the domain controllers. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. From Event Viewer on the member server, create a subscription.
B. From Event Viewer on each domain controller, create a subscription.
C. From Event Viewer on the member server, run the Create Basic Task Wizard.
D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.
Answer: C
Explanation:
Since the member server is collecting all domain controller events we just need to run the Create Basic Task Wizard on the member server, which enables us to send an e-mail when a specific event is logged. Running the wizard on every domain controller would work, but is much more work and we need to use the minimum amount of administrative effort.
Explanation:
http://technet.microsoft.com/en-us/library/cc748900.aspx
To Run a Task in Response to a Given Event
1. Start Event Viewer.
2. In the console tree, navigate to the log that contains the event you want to associate with a task.
3. Right-click the event and select Attach Task to This Event.
4. Perform each step presented by the Create Basic Task Wizard. In the Action step in the wizard you can decide to send an e-mail.
Q3. Your network contains an Active Directory domain. The domain contains a member server named Server1 that runs Windows Server 2008 R2.
You need to configure Server1 as a global catalog server.
What should you do?
A. Modify the Active Directory schema.
B. From Ntdsutil, use the Roles option.
C. Run the Active Directory Domain Services Installation Wizard on Server1.
D. Move the Server1 computer object to the Domain Controllers organizational unit (OU).
Answer: C
Explanation:
Now it's just a member server, so you'll have to run dcpromo to start the Active Directory Domain Services Installation Wizard in order to promote the server to a domain controller. Only a domain controller can be a global catalog server.
Explanation:
http://technet.microsoft.com/en-us/library/cc728188.aspx
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication.
Q4. Your network contains two standalone servers named Server1 and Server2 that have
Active Directory Lightweight Directory Services (AD LDS) installed.
Server1 has an AD LDS instance.
You need to ensure that you can replicate the instance from Server1 to Server2.
What should you do on both servers?
A. Obtain a server certificate.
B. Import the MS-User.ldf file.
C. Create a service user account for AD LDS.
D. Register the service location (SRV) resource records.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc794857%28v=ws.10%29.aspx Administering AD LDS Instances Each AD LDS instance runs as an independent—and separately administered—service on a computer. You can configure the account under which an AD LDS instance runs, stop and restart an AD LDS instance, and change the AD LDS instance service display name and service description. In addition, you can enable Secure Sockets Layer (SSL) connections in AD LDS by installing certificates. In Active Directory environments, each AD LDS instance attempts to create a Service Principal Name (SPN) object in the directory to be used for replication authentication. Depending on the network environment into which you install AD LDS, you may have to create SPNs manually. AD LDS service account The service account that an AD LDS instance uses determines the access that the AD LDS instance has on the local computer and on other computers in the network. AD LDS instances also use the service account to authenticate other AD LDS instances in their configuration set, to ensure replication security. You determine the AD LDS service account during AD LDS installation.
Q5. You have an Active Directory domain that runs Windows Server 2008 R2.
You need to implement a certification authority (CA) server that meets the following requirements:
Allows the certification authority to automatically issue certificates
Integrates with Active Directory Domain Services
What should you do?
A. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA.
B. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA.
C. Purchase a certificate from a third-party certification authority, Install and configure the Active Directory Certificate Services server role as a Standalone Subordinate CA.
D. Purchase a certificate from a third-party certification authority, Import the certificate into the computer store of the schema master.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc776874%28v=ws.10%29.aspx Enterprise certification authorities The Enterprise Administrator can install Certificate Services to create an enterprise certification authority (CA). Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) and logging on to a Windows Server 2003 family domain using a smart card. An enterprise CA has the following features: An enterprise CA requires the Active Directory directory service. When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. You must be a Domain Administrator or be an administrator with write access to Active Directory to install an enterprise root CA. Certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards. The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to Active Directory. In order to publish certificates to Active Directory, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains. For more information about the exit module, see Policy and exit modules. An enterprise CA uses certificate types, which are based on a certificate template. The following functionality is possible when you use certificate templates: Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in Active Directory that determines whether the certificate requester is authorized to receive the type of certificate they have requested. The certificate subject name can be generated automatically from the information in Active Directory or supplied explicitly by the requestor. The policy module adds a predefined list of certificate extensions to the issued certificate. The extensions are defined by the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use. http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx Stand-alone certification authorities You can install Certificate Services to create a stand-alone certification authority (CA). Stand-alone CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions) and authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). A stand-alone CA has the following characteristics: Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directory service. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA hierarchy or when extranets and the Internet are involved. Additionally, if you want to use a custom policy module for a CA, you would first install a stand-alone CA and then replace the stand-alone policy module with your custom policy module. When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly supply all identifying information about themselves and the type of certificate that is wanted in the certificate request. (This does not need to be done when submitting a request to an enterprise CA, since the enterprise user's information is already in Active Directory and the certificate type is described by a certificate template). The authentication information for requests is obtained from the local computer's Security Accounts Manager database. By default, all certificate requests sent to the stand-alone CA are set to Pending until the administrator of the stand-alone CA verifies the identity of the requester and approves the request. This is done for security reasons, because the certificate requester's credentials are not verified by the stand-alone CA. Certificate templates are not used. No certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards, but other types of certificates can be issued and stored on a smart card. The administrator has to explicitly distribute the stand-alone CA's certificate to the domain user's trusted root store or users must perform that task themselves. When a stand-alone CA uses Active Directory, it has these additional features: If a member of the Domain Administrators group or an administrator with write access to Active Directory, installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester. If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory.
Q6. You have an Active Directory snapshot.
You need to view the contents of the organizational units (OUs) in the snapshot.
Which tools should you run?
A. explorer.exe, netdom.exe, and dsa.msc
B. ntdsutil.exe, dsamain.exe, and dsa.msc
C. wbadmin.msc, dsamain.exe, and netdom.exe
D. wbadmin.msc, ntdsutil.exe, and explorer.exe
Answer: B
Q7. Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run either Windows 7 or Windows Vista Service Pack 2 (SP2).
You need to audit user access to the administrative shares on the client computers.
What should you do?
A. Deploy a logon script that runs Icacls.exe.
B. Deploy a logon script that runs Auditpol.exe.
C. From the Default Domain Policy, modify the Advanced Audit Policy Configuration.
D. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration.
Answer: B
Explanation:
http://support.microsoft.com/kb/921469
Administrators can use the procedure that is described in this article to deploy a custom audit policy that applies detailed security auditing settings to Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2003 domain or in a Windows 2000 domain.
Use the Auditpol.exe command-line tool to configure the custom audit policy settings that you want.
Q8. Your company has a main office and a branch office. The branch office contains a read-only domain controller named RODC1.
You need to ensure that a user named Admin1 can install updates on RODC1. The solution must prevent Admin1 from logging on to other domain controllers.
What should you do?
A. Run ntdsutil.exe and use the Roles option.
B. Run dsmgmt.exe and use the Local Roles option.
C. From Active Directory Sites and Services, modify the NTDS Site Settings.
D. From Active Directory Users and Computers, add the user to the Server Operators group.
Answer: B
Explanation: http://technet.microsoft.com/en-us/library/cc732301.aspx Administrator Role Separation Configuration This section provides procedures for creating a local administrator role for an RODC and
for adding a user to that role.
To configure Administrator Role Separation for an RODC
1. Click Start, click Run, type cmd, and then press ENTER.
2. At the command prompt, type dsmgmt.exe, and then press ENTER.
3. At the DSMGMT prompt, type local roles, and then press ENTER.
Q9. You need to back up all of the group policies in a domain. The solution must minimize the size of the backup.
What should you use?
A. the Add-WBSystemState cmdlet
B. the Group Policy Management console
C. the Wbadmin tool
D. the Windows Server Backup feature
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc770536.aspx
To back up a Group Policy object
1. In the Group Policy Management Console (GPMC) console tree, open Group Policy Objects in the forest and domain containing the Group Policy object (GPO) to back up.
2. To back up a single GPO, right-click the GPO, and then click Back Up. To back up all GPOs in the domain, right-click Group Policy objects and click Back Up All.
Q10. Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers and DNS servers. All client computers run Windows XP SP3.
You need to use your client computers to edit domain-based GPOs by using the ADMX files that are stored in the ADMX central store.
What should you do?
A. Add your account to the Domain Admins group.
B. Upgrade your client computers to Windows 7.
C. Install .NET Framework 3.0 on your client computers.
D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the PolicyDefinitions folder.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc709647%28v=ws.10%29.aspx Managing Group Policy ADMX Files Step-by-Step Guide
Microsoft Windows Vista. and Windows Server 2008 introduce a new format for displaying registry-based policy settings. Registry-based policy settings (located under the Administrative Templates category in the Group Policy Object Editor) are defined using a standards-based, XML file format known as ADMX files. These new files replace ADM files, which used their own markup language. The Group Policy tools —Group Policy Object Editor and Group Policy Management Console—remain largely unchanged. In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks. http://blogs.technet.com/b/grouppolicy/archive/2008/12/17/questions-on-admx-in-windows-xp-and-windows2003-environments.aspx Questions on ADMX in Windows XP and Windows 2003 environments We had a question a couple of days ago about the usage of ADMX template formats in Windows XP/Server 2003 environments. Essentially the question was: “…What’s the supported or recommended way of getting W2k8 ADMX templates applying in a W2k3 domain with or with no W2k8 DCs. What I’ve done in test is, created a central store in the /Sysvol/domain/policies folder on the 2k3 DC (PDC) and created and edited a GPO using GPMC from the W2k8 member server applying to a W2k8 machine and it seems to work just fine. Is this the right way to do it?…” The answer is Yes. Again this is one of those things that confuse people. The template format has nothing to do with the policy file that’s created. Its just used to create the policy by the administrative tool itself. In the case of GPMC on Windows XP and Windows Server 2003 and previous – this tool used the ADM file format. These ADM files were copied into every policy object on the SYSVOL, which represents about 4MB of duplicated bloat per policy. This was one of the areas that caused major problems with an issue called SYSVOL bloat. In Vista and Server 2008 this template format changed to ADMX. This was a complete change towards a new XML based format that aimed to eliminate SYSVOL bloat. It doesn’t copy itself into every policy object but relies on a central or local store of these templates (Note that even in the newer tools you can still import custom ADM files for stuff like Office etc). In the question above, the person wanted to know if copying the local store, located under c:/windows/ policydefinitions, could be copied into a Windows Server 2003 domain environment as the central store and Explanationd by the newer admin tools. Again the domain functional mode has little to do with Group Policy. I talked about that one before. The things that we care about are the administrative tools and the client support for the policy functions. So of course it can. Here’s the confusion-reducing scoop – Group Policy as a platform only relies on two main factors. Active Directory to store metadata about the policy objects and to allow client discoverability for the location of the policy files. The other is the SYSVOL to store the policy files. So at its core that’s LDAP and SMB file shares. Specific extensions on top of the policy platform may require certain domain functionality but that’s very specific to that extension. Examples are the new Wireless policy and BitLocker extensions in Vista SP1. They require schema updates – not GP itself. So if you don't currently use them then you don't have to update schema. So provided you’re using Windows Vista SP1 with RSAT or Windows Server 2008 to administer the policies you get all the benefits to manage downlevel clients. That means eliminating SYSVOL bloat. That means all the joys of Group Policy PExplanations. Honestly – it amazes us the amount of IT Pros that still haven’t discovered GPP…especially with the power it has to practically eliminate logon scripts! As a last point – IT Pros also ask us when we will be producing an updated GPMC version for Windows XP to support all the new stuff. The answer is that we are not producing any updated GPMC versions for Windows XP and Server 2003. All the new administrative work is being done on the newer platforms. So get moving ahead! There are some really good benefits in the newer tools and very low impact to your current environment. You only need a single Windows Vista SP1 machine to start!