Q1. Your company has a single Active Directory domain. All domain controllers run Windows Server 2003.
You install Windows Server 2008 R2 on a server.
You need to add the new server as a domain controller in your domain.
What should you do first?
A. On a domain controller run adprep /rodcprep.
B. On the new server, run dcpromo /adv.
C. On the new server, run dcpromo /createdcaccount.
D. On a domain controller, run adprep /forestprep.
Answer: D
Explanation:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9931e32f-6302-40f0-a7a1-2598a96cd0c1/ DC promotion and adprep/forestprep
Q: I've tried to dcpromo a new Windows 2008 server installation to be a Domain Controller, running in an existing domain. I am informed that, first, I must run adprep/forestprep ("To install a domain controller into this Active Directory forest, you must first perpare the forest using "adprep/forestprep". The Adprep utility is available on the Windows Server 2008 installation media in the Windows\sources\adprep folder"
A1:
You can run adprep from an existing Windows Server 2003 domain controller. Copy the
contents of the \sources\adprep folder from the Windows Server 2008 installation DVD to
the schema master role holder and run Adprep from there.
A2: to introduce the first W2K8 DC within an AD forest....
(1) no AD forest exists yet:
--> on the stand alone server execute: DCPROMO
--> and provide the information needed
(2) an W2K or W2K3 AD forest already exists:
--> ADPREP /Forestprep on the w2k/w2k3 schema master (both w2k/w2k3 forests)
--> ADPREP /rodcprep on the w2k3 domain master (only w2k3 forests)
--> ADPREP /domainprep on the w2k3 infrastructure master (only w2k3 domains)
--> ADPREP /domainprep /gpprep on the w2k infrastructure master (only w2k domains)
--> on the stand alone server execute: DCPROMO
--> and provide the information needed
Q2. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amount of available CPU resources on a domain controller.
What should you do?
A. Review performance data in Resource Monitor.
B. Review the Hardware Events log in the Event Viewer.
C. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report.
D. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.
Answer: C
Explanation:
http://servergeeks.wordpress.com/2012/12/31/active-directory-diagnostics/ Active Directory Diagnostics Prior to Windows Server 2008, troubleshooting Active Directory performance issues often required the installation of SPA. SPA is helpful because the Active Directory data set collects performance data and it generates XML based diagnostic reports that make analyzing AD performance issues easier by identifying the IP addresses of the highest volume callers and the type of network traffic that is placing the most loads on the CPU. Download SPA tool:http://www.microsoft.com/en-us/download/details.aspx?id=15506 Now the same functionality has been built into Windows Server 2008 and Windows Server 2008 R2 and you don’t have to install SPA anymore.
This performance feature is located in the Server Manager snap-in under the Diagnostics node and when the Active Directory Domain Services Role is installed the Active Directory Diagnostics data collector set is automatically created under System as shown here.
C:\Documents and Settings\usernwz1\Desktop\1.PNG
When you will check the properties of the collector you will notice that the data is stored under %systemdrive %\perflogs, only now it is under the \ADDS folder and when a data collection is run it creates a new subfolder called YYYYMMDD-#### where YYYY = Year, MM = Month and DD=Day and #### starts with 0001 . Active Directory Diagnostics data collector set runs for a default of 5 minutes. This duration period cannot be modified for the built-in collector. However, the collection can be stopped manually by clicking the Stop button or from the command line.
C:\Documents and Settings\usernwz1\Desktop\1.PNG
To start the data collector set, you just have to right click on Active Directory Diagnostics data collector set and select Start. Data will be stored at %systemdrive%\perflogs location.
C:\Documents and Settings\usernwz1\Desktop\1.PNG
Once you’ve gathered your data, you will have these interesting and useful reports under Report section, to aid in your troubleshooting and server performance trending.
C:\Documents and Settings\usernwz1\Desktop\1.PNG
Further information: http://technet.microsoft.com/en-us/library/dd736504%28v=ws.10%29.aspx
Monitoring Your Branch Office Environment
http://blogs.technet.com/b/askds/archive/2010/06/08/son-of-spa-ad-data-collector-sets-in-win2008-andbeyond.aspx
Son of SPA: AD Data Collector Sets in Win2008 and beyond
Q3. Exhibit:
Company servers run Windows Server 2008. It has a single Active Directory domain. A server called S4 has file services role installed. You install some disk for additional storage. The disks are configured as shown in the exhibit.
To support data stripping with parity, you have to create a new drive volume.
What should you do to achieve this objective?
A. Build a new spanned volume by combining Disk0 and Disk1
B. Create a new Raid-5 volume by adding another disk.
C. Create a new virtual volume by combining Disk 1 and Disk 2
D. Build a new striped volume by combining Disk0 and Disk 2
Answer: B
Explanation:
https://sort.symantec.com/public/documents/sf/5.0/solaris/html/vxvm_admin/ag_ch_intro_v m17.html
C:\Documents and Settings\usernwz1\Desktop\1.PNG
Q4. Your network contains an Active Directory domain named contoso.com. The network contains client computers that run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) is deployed on the network.
You create a new AD RMS template that is distributed by using the AD RMS pipeline. The template is updated every month.
You need to ensure that all the computers can use the most up-to-date version of the AD RMS template.
You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Upgrade all of the Windows Vista computers to Windows 7.
B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).
C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users by using a Software Installation extension of Group Policy.
D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all computers by using a Software Installation extension of Group Policy.
Answer: B
Q5. Your company asks you to implement Windows Cardspace in the domain.
You want to use Windows Cardspace at your home.
Your home and office computers run Windows Vista Ultimate.
What should you do to create a backup copy of Windows Cardspace cards to be used at home?
A. Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB drive
B. Backup \Windows\Globalization folder by using backup status and save the folder on your USB drive
C. Back up the system state data by using backup status tool on your USB drive
D. Employ Windows Cardspace application to backup the data on your USB drive.
E. Reformat the C: Drive
F. None of the above
Answer: D
Explanation:
http://windows.microsoft.com/en-us/windows7/windows-cardspace-for-itpros#
BKMK_HowdoIbackupmycardsortransferthemtoanothercomputer
Windows CardSpace for IT pros
Microsoft Windows CardSpace. is a system for creating relationships with websites and
online services.
Windows CardSpace provides a consistent way for:
Sites to request information from you.
You to review the identity of a site.
You to manage your information by using Information Cards.
You to review card information before you send it.
Windows CardSpace can replace the user names and passwords that you use to register
with and log on to websites and online services.
15. How do I back up my cards or transfer them to another computer?
Cards are stored on your computer in an encrypted format. To save a backup file
containing some or all of your cards or to use a card on a different computer, you can save
cards to a backup card file.
To back up your cards:
1. Start Windows CardSpace.
2. View all your cards.
3. In the pane on the right of your screen, click Back up cards.
4. Select the cards that you want to back up.
5. Browse to the folder where you want to save the backup card file, and then give it a
name.
When you complete these steps, you save a file containing some or all of your cards. You
can copy the backup card file to media such as a Universal Serial Bus (USB) storage
device, CD, or other digital media. You can restore the backup card file on this computer or
on another computer.
To restore your cards
1. Save the backup card file to the computer.
2. Browse to the location of the file on the computer.
3. Double-click the file, and then follow the instructions to restore the cards.
Q6. Your company has a main office and a branch office.
You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates by using a domain controller in the main office.
You need to ensure that IPv6-only computers authenticate to domain controllers in the same site.
What should you do?
A. Configure the NTDS Site Settings object.
B. Create Active Directory subnet objects.
C. Create Active Directory Domain Services connection objects.
D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.
Answer: B
Q7. You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware security module.
You need to back up Active Directory Certificate Services on the CA.
Which command should you run?
A. certutil.exe backup
B. certutil.exe backupdb
C. certutil.exe backupkey
D. certutil.exe store
Answer: B
Explanation:
Because a hardware security module (HSM) is used that stores the private keys, the command certutil. exe -backup would fail, since we cannot extract the private keys from the module. The HSM should have a proprietary procedure for that. The given commands are: certutil -backup Backup set includes certificate database, CA certificate an the CA key pair certutil -backupdb Backup set only includes certificate database certutil -backupkey Backup set only includes CA certificate and the CA key pair certutil –store Provides a dump of the certificate store onscreen.
Since we cannot extract the keys from the HSM we have to use backupdb. Explanation 1: Microsoft Windows Server(TM) 2003 PKI and Certificate Security (Microsoft Press, 2004) page 215 For the commands listed above. Explanation 2: http://technet.microsoft.com/en-us/library/cc732443.aspx Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. Syntax Certutil <-parameter> [-parameter] Parameter -backupdb Backup the Active Directory Certificate Services database Explanation 3: http://poweradmin.se/blog/2010/01/11/backup-and-restore-for-active-directory-certificate-services/
Q8. Your company has file servers located in an organizational unit named Payroll. The file servers contain payroll files located in a folder named Payroll.
You create a GPO.
You need to track which employees access the Payroll files on the file servers.
What should you do?
A. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. On the file servers, configure Auditing for the Authenticated Users group in the Payroll folder.
B. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.
C. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.
D. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configure Auditing for the Authenticated Users group in the Payroll folder.
Answer: B
Explanation:
Q9. You need to compact an Active Directory database on a domain controller that runs Windows Server 2008 R2.
What should you do?
A. Run defrag.exe /a /c.
B. Run defrag.exe /c /u.
C. From Ntdsutil, use the Files option.
D. From Ntdsutil, use the Metadata cleanup option.
Answer: C
Explanation:
Explanation 1:
http://technet.microsoft.com/en-us/library/cc794920.aspx
Compact the Directory Database File (Offline Defragmentation)
You can use this procedure to compact the Active Directory database offline. Offline
defragmentation returns free disk space in the Active Directory database to the file system.
As part of the offline defragmentation procedure, check directory database integrity.
Performing offline defragmentation creates a new, compacted version of the database file in a different location.
Explanation 2: Mastering Windows Server 2008 R2 (Sybex, 2010) page 805 Performing Offline Defragmentation of Ntds.dit These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder, map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate.
1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator.
2. Type ntdsutil, and then press Enter.
3. Type Activate instance NTDS, and press Enter.
4. At the resulting ntdsutil prompt, type Files (case sensitive), and then press Enter.
5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the defragmentation, and then press Enter.
Q10. Your network contains an Active Directory domain named contoso.com. You run nslookup.exe as shown in the following Command Prompt window.
You need to ensure that you can use Nslookup to list all of the service location (SRV) resource records for contoso.com.
What should you modify?
A. the root hints of the DNS server
B. the security settings of the zone
C. the Windows Firewall settings on the DNS server
D. the zone transfer settings of the zone
Answer: D
Explanation:
http://www.c3.hu/docs/oreilly/tcpip/dnsbind/ch11_07.htm
11.7 Troubleshooting nslookup Problems
11.7.4 Query Refused Refused queries can cause problems at startup, and they can cause lookup failures during a session. Here's what it looks like when nslookup exits on startup because of a refused query: % nslookup *** Can't find server name for address 192.249.249.3: Query refused *** Default servers are not available % This one has two possible causes. Either your name server does not support inverse queries (older nslookups only), or zone security is stopping the lookup. Zone security is not limited to causing nslookup to fail to start up. It can also cause lookups and zone transfers to fail in the middle of a session when you point nslookup to a remote name server. This is what you will see: % nslookup Default Server: hp.com
Address: 15.255.152.4 > server terminator.movie.edu Default Server: terminator.movie.edu Address: 192.249.249.3 > carrie.movie.edu. Server: terminator.movie.edu Address: 192.249.249.3 *** terminator.movie.edu can't find carrie.movie.edu.: Query refused > ls movie.edu - This attempts a zone transfer [terminator.movie.edu] *** Can't list domain movie.edu: Query refused