DSQUERY
Reference 1:
4. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard.
Reference 2:
http://technet.microsoft.com/en-us/library/dd145442.aspx Delegate the following common tasks
The following are common tasks that you can select to delegate control of them:
(...)
Reset user passwords and force password change at next logon
QUESTION 42
Your network contains a single Active Directory domain. Client computers run either Windows XP Service Pack 3 (SP3) or Windows 7. All of the computer accounts for the client computers are located in an organizational unit (OU) named OU1.
You link a new Group Policy object (GPO) named GPO10 to OU1.
You need to ensure that GPO10 is applied only to client computers that run Windows 7.
What should you do?
A. Create a new OU in OU1. Move the Windows XP computer accounts to the new OU.
B. Enable block inheritance on OU1.
C. Create a WMI filter and assign the filter to GPO10.
D. Modify the permissions of OU1.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Reference:
http://technet.microsoft.com/en-us/library/cc947846.aspx
To make sure that each GPO associated with a group can only be applied to computers running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each computer.
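Added example, not part of the original dump or of the referenced TechNet article: it creates the WMI filter for answer C from PowerShell and attaches it to GPO10. Assumptions: the domain is contoso.com, the GPO is named GPO10, the ActiveDirectory and GroupPolicy modules are installed, and the filter name and description are made up for this example. The msWMI-Som object and the gPCWQLFilter attribute are the same objects GPMC writes; the attribute layout is reproduced from the well-known GPMC format.

```powershell
# Added example: create a WMI filter that matches only Windows 7 workstations and link it to GPO10.
# Assumed names: contoso.com, GPO10, filter "Windows 7 workstations only".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDns  = 'contoso.com'
$domainDn   = (Get-ADDomain $domainDns).DistinguishedName
$filterName = 'Windows 7 workstations only'

# Windows 7 reports Version 6.1.*; ProductType 1 = workstation, 2 = domain controller, 3 = member server.
# Windows Server 2008 R2 is also 6.1, so the ProductType clause is what keeps servers out of scope.
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"'

# 1. Test the query locally before trusting it: a result means this machine would receive the GPO.
$hits = @(Get-WmiObject -Query $wql)
"Local machine matches the filter: $($hits.Count -gt 0)"

# 2. Create the msWMI-Som object. msWMI-Parm2 packs the query as
#    "<count>;<type>;<namespace length>;<query length>;WQL;<namespace>;<query>;"  (len('root\CIMv2') = 10)
$now   = (Get-Date).ToUniversalTime().ToString('yyyyMMddHHmmss.ffffff-000')
$guid  = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
$parm2 = "1;3;10;$($wql.Length);WQL;root\CIMv2;$wql;"
$attrs = @{
    'msWMI-Name'             = $filterName
    'msWMI-Parm1'            = 'Applies GPO10 to Windows 7 client computers only'
    'msWMI-Parm2'            = $parm2
    'msWMI-Author'           = "$env:USERNAME@$domainDns"
    'msWMI-ID'               = $guid
    'msWMI-ChangeDate'       = $now
    'msWMI-CreationDate'     = $now
    'instanceType'           = 4
    'showInAdvancedViewOnly' = 'TRUE'
}
New-ADObject -Name $guid -Type 'msWMI-Som' -Path "CN=SOM,CN=WMIPolicy,CN=System,$domainDn" -OtherAttributes $attrs

# 3. Link the filter to the GPO: gPCWQLFilter on the GPO container is "[<domain>;<filter id>;0]".
$gpo = Get-GPO -Name 'GPO10' -Domain $domainDns
Set-ADObject -Identity $gpo.Path -Replace @{ gPCWQLFilter = "[$domainDns;$guid;0]" }

# 4. Verify. GPMC shows the filter on the GPO's Scope tab; on a client, "gpresult /r /scope:computer"
#    lists GPO10 under "Applied" (Windows 7) or under "Filtering: Denied (WMI Filter)" (Windows XP).
(Get-GPO -Name 'GPO10' -Domain $domainDns).WmiFilter.Name
```

Windows XP SP3 evaluates WMI filters (only Windows 2000 ignores them), so the XP computers stay in OU1 and simply get GPO10 denied at filter evaluation, which is the point of answer C over answer A.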
QUESTION 43
Your network contains an Active Directory domain named contoso.com.
You need to audit changes to a service account. The solution must ensure that the audit logs contain the before and after values of all the changes.
Which security policy setting should you configure?
A. Audit Sensitive Privilege Use
B. Audit User Account Management
C. Audit Directory Service Changes
D. Audit Other Account Management Events
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Reference 1:
http://technet.microsoft.com/en-us/library/dd772641.aspx Audit Directory Service Changes
This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).
Reference 2:
http://technet.microsoft.com/en-us/library/cc731607.aspx AD DS Auditing Step-by-Step Guide
This guide includes a description of the new Active Directory® Domain Services (AD DS) auditing feature in Windows Server® 2008. With the new auditing feature, you can log events that show old and new values; for example, you can show that Joe's favorite drink changed from single latte to triple-shot latte.
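Added example, not part of the original dump or of the AD DS Auditing Step-by-Step Guide: it performs the three steps the guide describes (enable the subcategory, put an audit entry on the object, read the resulting 5136 events) and pairs the old-value/new-value events into one before/after row. Assumptions: the service account is named svc_backup, and the two sample events at the end are constructed for this example so the pairing logic can be run without a domain controller.

```powershell
# Added example: audit attribute changes on a service account with before/after values.
# Assumed account: svc_backup. Sample event XML at the end is constructed, not captured.
Import-Module ActiveDirectory

# 1. Enable the subcategory. Granular (subcategory) policy overrides the legacy "Audit directory
#    service access" setting, so this is the one to set.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. Events are only generated for objects whose SACL asks for them: add a "Write all properties"
#    success audit entry for Everyone on the account (needs SeSecurityPrivilege).
$dn       = (Get-ADUser -Identity 'svc_backup').DistinguishedName
$acl      = Get-Acl -Path "AD:\$dn"
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
                $everyone,
                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
                [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$dn" -AclObject $acl

# 3. A modification produces two 5136 events per attribute: the old value with OperationType
#    %%14675 (Value Deleted) and the new value with %%14674 (Value Added). Both carry the same
#    OpCorrelationID, which is what lets you join them into a single before/after record.
function Get-DsChangePairs {
    param([xml[]]$EventXml)
    $rows = foreach ($x in $EventXml) {
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        New-Object PSObject -Property $d
    }
    $rows | Group-Object OpCorrelationID, AttributeLDAPDisplayName | ForEach-Object {
        $old = $_.Group | Where-Object { $_.OperationType -eq '%%14675' }
        $new = $_.Group | Where-Object { $_.OperationType -eq '%%14674' }
        New-Object PSObject -Property @{
            Object    = $_.Group[0].ObjectDN
            Attribute = $_.Group[0].AttributeLDAPDisplayName
            Who       = $_.Group[0].SubjectUserName
            Before    = $old.AttributeValue
            After     = $new.AttributeValue
        }
    }
}

# Live use on a DC:
#   $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} | ForEach-Object { [xml]$_.ToXml() }
#   Get-DsChangePairs -EventXml $live
# Constructed sample pair (same fields as a real 5136 event; values are made up):
$sample = @(
  '<Event><EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="ObjectDN">CN=svc_backup,OU=Service,DC=contoso,DC=com</Data><Data Name="AttributeLDAPDisplayName">description</Data><Data Name="AttributeValue">Backup service (old)</Data><Data Name="OperationType">%%14675</Data><Data Name="OpCorrelationID">{1}</Data></EventData></Event>',
  '<Event><EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="ObjectDN">CN=svc_backup,OU=Service,DC=contoso,DC=com</Data><Data Name="AttributeLDAPDisplayName">description</Data><Data Name="AttributeValue">Backup service (new)</Data><Data Name="OperationType">%%14674</Data><Data Name="OpCorrelationID">{1}</Data></EventData></Event>'
) | ForEach-Object { [xml]$_ }
Get-DsChangePairs -EventXml $sample | Format-Table Attribute, Before, After, Who -AutoSize
```

Audit User Account Management (answer B) would log that svc_backup was changed (events 4738 and friends), but only Directory Service Changes carries the attribute values themselves.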
QUESTION 44
Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in each forest.
You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest.
What should you do?
A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.
B. Create an external trust from nwtraders.com to contoso.com.
C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.
D. Create an external trust from contoso.com to nwtraders.com.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Same question as J/Q30.
Reference:
http://technet.microsoft.com/en-us/library/hh311036.aspx Using AD RMS trust
It is not necessary to create trust or federation relationships between the Active Directory forests of organizations to be able to share rights-protected information between separate organizations. AD RMS provides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust.
QUESTION 45
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is configured as an Active Directory Federation Services (AD FS) 2.0 standalone server.
You plan to add a new token-signing certificate to Server1.
You import the certificate to the server as shown in the exhibit. (Click the Exhibit button.)
When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable.
You need to ensure that you can use the new certificate for AD FS.
What should you do?
A. From the properties of the certificate, modify the Certificate Policy OIDs setting.
B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.
C. From the properties of the certificate, modify the Certificate purposes setting.
D. Import the certificate to the local computer personal certificate store.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Reference:
http://technet.microsoft.com/en-us/library/hh341466.aspx
When you deploy the first federation server in a new AD FS 2.0 installation, you must obtain a token-signing certificate and install it in the local computer personal certificate store on that federation server.
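Added example, not part of the original dump or of the referenced article: it puts the certificate where the Add Token-Signing Certificate wizard looks (Local Computer > Personal), checks that the private key is present and readable by the AD FS service account, and then registers the certificate with the AD FS 2.0 PowerShell snap-in. Assumptions: the PFX is at C:\certs\adfs-signing.pfx, its subject is CN=adfs.contoso.com, and the service account is contoso\svc_adfs; all three are made up for this example.

```powershell
# Added example: import a token-signing certificate for AD FS 2.0 and register it.
# Assumed: C:\certs\adfs-signing.pfx, subject CN=adfs.contoso.com, service account contoso\svc_adfs.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1. Import into Local Computer > Personal (My). Run elevated: certutil then targets the machine store
#    and prompts for the PFX password, which keeps it out of the command line and process list.
#    The wizard never shows certificates from the current user's store, which is the symptom in the question.
certutil -f -importPFX 'C:\certs\adfs-signing.pfx'

# 2. Confirm it landed in the right store with a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=adfs.contoso.com' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Certificate is not in LocalMachine\My with a private key' }

# 3. The federation service signs tokens as its service account, so that account needs Read on the
#    private key file; otherwise the certificate is listed but signing fails at runtime.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
icacls $keyPath /grant 'contoso\svc_adfs:R'

# 4. AD FS 2.0 refuses a manually supplied token-signing certificate while automatic rollover is on.
Set-ADFSProperties -AutoCertificateRollover $false
Add-ADFSCertificate -CertificateType Token-Signing -Thumbprint $cert.Thumbprint
Get-ADFSCertificate -CertificateType Token-Signing |
    Format-Table Thumbprint, IsPrimary, StoreLocation, StoreName -AutoSize
```

The new certificate is added as secondary; relying parties need its public key (via federation metadata) before you promote it with Set-ADFSCertificate -IsPrimary, otherwise their token validation breaks.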
QUESTION 46
You need to purge the list of user accounts that were authenticated on a read-only domain controller (RODC).
What should you do?
A. Run the repadmin.exe command and specify the /prp parameter.
B. From Active Directory Sites and Services, modify the properties of the RODC computer object.
C. From Active Directory Users and Computers, modify the properties of the RODC computer object.
D. Run the dsrm.exe command and specify the -u parameter.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Reference:
http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx Clearing the authenticated accounts list
In addition to reviewing the list of authenticated users, you may decide to periodically clean up the list of accounts that are authenticated to the RODC. Cleaning up this list may help you more easily determine the new accounts that have authenticated through the RODC.
Membership in the Domain Admins group of the domain in which the RODC is a member, or equivalent, is the minimum required to complete this procedure.
To clear all entries from the list, run the command repadmin /prp delete <hostname> auth2 /all . Substitute the actual host name of the RODC that you want to clear. For example, if you want to clear the list of authenticated accounts for RODC2, type repadmin /prp delete rodc2 auth2 /all , and then press ENTER.
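Added example, not part of the original dump or of the referenced guidance: it records the list before purging it (the purge is the only record of which accounts used the RODC, so keep a copy), runs the repadmin command from the reference, and verifies the result. It also reads the separate "revealed" list, because purging auth2 does not remove cached passwords. Assumptions: the RODC is named RODC2 and the ActiveDirectory module is available.

```powershell
# Added example: snapshot, purge and verify the authenticated-accounts (auth2) list of an RODC.
# Assumed RODC name: RODC2.
Import-Module ActiveDirectory
$rodc  = 'RODC2'
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Keep a copy first. Once purged, there is no other record of who authenticated through this RODC.
$before = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)
$before | Select-Object SamAccountName, ObjectClass, DistinguishedName |
    Export-Csv -Path "$env:TEMP\$rodc-auth2-$stamp.csv" -NoTypeInformation
"$($before.Count) authenticated accounts recorded to $env:TEMP\$rodc-auth2-$stamp.csv"

# Accounts whose secrets were actually cached are a different list (the "revealed" list).
# Purging auth2 leaves those credentials on the RODC; clearing them is a separate decision.
$cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
"$($cached.Count) accounts still have passwords cached on $rodc"

# 2. Purge. There is no cmdlet for this; repadmin is the tool (Domain Admins or equivalent).
repadmin /prp delete $rodc auth2 /all

# 3. Verify the list is empty now.
$after = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)
if ($after.Count -ne 0) { Write-Warning "Purge incomplete: $($after.Count) entries remain" }
else { "auth2 list on $rodc is empty" }
```

Answers B and C are wrong because the computer object's property pages only expose the Password Replication Policy (allowed/denied lists) and a read-only view of the authenticated accounts; they cannot clear it.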
QUESTION 47
Your company has a main office and four branch offices. An Active Directory site exists for each office. Each site contains one domain controller. Each branch office site has a site link to the main office site.
You discover that the domain controllers in the branch offices sometimes replicate directly to each other.
You need to ensure that the domain controllers in the branch offices only replicate to the domain controller in the main office.
What should you do?
A. Modify the firewall settings for the main office site.
B. Disable the Knowledge Consistency Checker (KCC) for each branch office site.
C. Disable site link bridging.
D. Modify the security settings for the main office site.
Correct Answer: C Section: (none)
Explanation
Explanation/Reference:
Reference:
http://technet.microsoft.com/en-us/library/cc757117.aspx Configuring site link bridges
By default, all site links are bridged, or transitive. This allows any two sites that are not connected by an explicit site link to communicate directly, through a chain of intermediary site links and sites. One advantage to bridging all site links is that your network is easier to maintain because you do not need to create a site link to describe every possible path between pairs of sites.
Generally, you can leave automatic site link bridging enabled. However, you might want to disable automatic site link bridging and create site link bridges manually just for specific site links, in the following cases:
(...)
You have a network routing or security policy in place that prevents every domain controller from being able to directly communicate with every other domain controller.
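Added example, not part of the original dump or of the referenced article: it clears "Bridge all site links" on the IP transport from PowerShell, preserving any other option bits, then lists the site links so you can confirm every branch still has an explicit link to the hub (with bridging off, a site with no link to the hub replicates with nothing). Assumptions: the ActiveDirectory module is available, and BRANCH1-DC1 is a made-up branch domain controller name used only for the final check.

```powershell
# Added example: disable automatic site link bridging on the IP transport and verify the topology.
# Assumed name for the final check: BRANCH1-DC1.
Import-Module ActiveDirectory
$configNc  = (Get-ADRootDSE).configurationNamingContext
$transport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"

# "options" on the transport object is a bit mask. Bit 0x2 (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED)
# set = "Bridge all site links" unchecked. Keep whatever other bits are already set.
$current = (Get-ADObject -Identity $transport -Properties options).options
if (-not $current) { $current = 0 }
$BridgesRequired = 0x2
if (($current -band $BridgesRequired) -eq 0) {
    Set-ADObject -Identity $transport -Replace @{ options = ($current -bor $BridgesRequired) }
    'Bridge all site links: now disabled'
} else {
    'Bridge all site links: already disabled'
}

# With bridging off the KCC only connects sites that share a site link, so each branch must be on a
# link with the hub. Print every IP site link and the sites it joins.
Get-ADObject -SearchBase $transport -LDAPFilter '(objectClass=siteLink)' -Properties siteList, cost |
    ForEach-Object {
        New-Object PSObject -Property @{
            Link  = $_.Name
            Cost  = $_.cost
            Sites = ($_.siteList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> '
        }
    } | Format-Table Link, Cost, Sites -AutoSize

# Make the KCC recompute now instead of at its next scheduled pass, then look at a branch DC's
# inbound partners: after the change only the hub DC should appear for inter-site replication.
repadmin /kcc
repadmin /showrepl BRANCH1-DC1
```

If a branch DC still shows another branch as a partner afterwards, look for a manually created connection object under that DC's NTDS Settings; the KCC does not remove connections an administrator created.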
QUESTION 48
Your network contains an Active Directory forest. The forest contains one domain. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2.
DC1 was installed before DC2.
DC1 fails.
You need to ensure that you can add 1,000 new user accounts to the domain.
What should you do?
A. Modify the permissions of the DC2 computer account.
B. Seize the schema master FSMO role.
C. Configure DC2 as a global catalog server.
D. Seize the RID master FSMO role.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Reference:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 536-537
RID master failure
A failed RID master eventually prevents domain controllers from creating new SIDs and, therefore, prevents you from creating new accounts for users, groups, or computers. However, domain controllers receive a sizable pool of RIDs from the RID master, so unless you are generating numerous new accounts, you can often go for some time without the RID master online while it is being repaired. Seizing this role to another domain controller is a significant action. After the RID master role has been seized, the domain controller that had been performing the role cannot be brought back online.
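Added example, not part of the original dump or of the training kit: before seizing, it reads DC2's RID Set to see how many RIDs DC2 can still allocate on its own, since the text above notes a DC can often run for a while on its pool. If the 1,000 accounts do not fit, it checks that DC1 really is unreachable and seizes the RID master role with the ActiveDirectory module. Assumptions: DC2 is the surviving DC and the ActiveDirectory module is available; the pool layout (start in the low 32 bits, end in the high 32 bits) is the documented attribute format.

```powershell
# Added example: measure DC2's remaining RID pool, then seize the RID master role only if needed.
# Assumed surviving DC: DC2. DC1 held all roles because it was installed first.
Import-Module ActiveDirectory
$dc        = 'DC2'
$ridNeeded = 1000
$domain    = Get-ADDomain

# Every DC has a RID Set under its computer object. rIDPreviousAllocationPool is the pool being
# consumed, rIDAllocationPool the standby pool (equal values = no standby). Each is a 64-bit value:
# low 32 bits = first RID, high 32 bits = last RID. Split with BitConverter to avoid double rounding.
$computerDn = (Get-ADDomainController -Identity $dc).ComputerObjectDN
$ridSet = Get-ADObject -Identity "CN=RID Set,$computerDn" `
            -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID

function Split-RidPool([long]$pool) {
    $b = [BitConverter]::GetBytes($pool)
    New-Object PSObject -Property @{
        Start = [BitConverter]::ToUInt32($b, 0)
        End   = [BitConverter]::ToUInt32($b, 4)
    }
}
$inUse   = Split-RidPool $ridSet.rIDPreviousAllocationPool
$standby = Split-RidPool $ridSet.rIDAllocationPool
$left    = [long]$inUse.End - [long]$ridSet.rIDNextRID
if ($ridSet.rIDAllocationPool -ne $ridSet.rIDPreviousAllocationPool) {
    $left += [long]$standby.End - [long]$standby.Start + 1
}
"$dc can create roughly $left more security principals without a RID master"

if ($left -lt $ridNeeded) {
    # Seize only if the old holder is gone for good: a seized role plus a returning DC1 means two
    # RID masters handing out overlapping pools, i.e. duplicate SIDs.
    if (Test-Connection -ComputerName $domain.RIDMaster -Count 1 -Quiet) {
        throw "$($domain.RIDMaster) still answers: transfer the role instead of seizing it"
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $dc -OperationMasterRole RIDMaster -Force -Confirm:$false
    # Follow up by removing DC1's metadata (ntdsutil "metadata cleanup", or delete the DC1 object in
    # Active Directory Users and Computers on 2008 R2) so it can never come back as a DC.
}

# Verify the new owner and let dcdiag check the RID manager from DC2's point of view.
(Get-ADDomain).RIDMaster
dcdiag /s:$dc /test:ridmanager /v
```

Answer B (schema master) only matters for schema changes, and answer C (global catalog) affects logon and cross-domain lookups; neither is involved in issuing RIDs for new accounts.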
QUESTION 49
Your network contains an Active Directory domain named contoso.com.
You need to identify whether the Active Directory Recycle Bin is enabled.
What should you do?
A. From Ldp, search for the Reanimate-Tombstones object.
B. From Ldp, search for the LostAndFound container.
C. From Windows PowerShell, run the Get-ADObject cmdlet.
D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Reference:
http://www.frickelsoft.net/blog/?p=224
How can I check whether the AD Recycle-Bin is enabled in my R2 forest?
[He shows how to use the PowerShell cmdlet Get-ADOptionalFeature to determine if the AD Recycle Bin is enabled.]
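Added example, not part of the original dump or of the referenced blog post: it runs the Get-ADOptionalFeature check from answer D, reads the attribute the cmdlet reports on (EnabledScopes is empty until the feature is enabled), and cross-checks the msDS-EnabledFeature attribute on the Partitions container where the feature state is actually stored. Assumption: the ActiveDirectory module is available; the Enable-ADOptionalFeature line is left commented out because enabling the Recycle Bin cannot be undone.

```powershell
# Added example: determine whether the Active Directory Recycle Bin is enabled in this forest.
Import-Module ActiveDirectory
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
$forest  = Get-ADForest
$config  = (Get-ADRootDSE).configurationNamingContext

# EnabledScopes is empty until the feature is enabled; afterwards it holds the scope DN(s).
if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin is ENABLED for forest $($forest.Name)"
    $feature.EnabledScopes | ForEach-Object { "  scope: $_" }
} else {
    "Recycle Bin is NOT enabled for forest $($forest.Name)"
    # Prerequisites: forest functional level Windows2008R2Forest (all DCs on 2008 R2).
    # Enabling is irreversible, hence left commented out.
    "Forest functional level: $($forest.ForestMode)"
    # Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# Cross-check the raw state: CN=Partitions in the configuration NC lists enabled features by DN.
$partitions = Get-ADObject -Identity "CN=Partitions,$config" -Properties 'msDS-EnabledFeature'
"msDS-EnabledFeature on CN=Partitions: $($partitions.'msDS-EnabledFeature' -join '; ')"

# Related setting: how long deleted objects stay recoverable (null = default 180 days on new 2008 R2 forests).
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$config" -Properties 'msDS-DeletedObjectLifetime'
"msDS-DeletedObjectLifetime: $($dsConfig.'msDS-DeletedObjectLifetime')"
```

Get-ADObject (answer C) is a general query cmdlet and can read the attributes above, but the question asks for the direct check, which is what Get-ADOptionalFeature provides.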
QUESTION 50
Your network contains an Active Directory domain.
You create and mount an Active Directory snapshot.
You run dsamain.exe as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that you can browse the contents of the Active Directory snapshot. What should you do?
A. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe.
B. Change the value of the dbpath parameter, and then rerun dsamain.exe.
C. Change the value of the ldapport parameter, and then rerun dsamain.exe.
D. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe.
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
The path in the exhibit points to the running Active Directory database, not to the snapshot.
Reference:
http://technet.microsoft.com/en-us/library/cc772168.aspx
For the dbpath parameter, you must specify a mounted snapshot or a backup that you want to view along with the complete path to the Ntds.dit file, for example:
/dbpath E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit
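Added example, not part of the original dump or of the referenced article: it mounts a snapshot, finds the mounted $SNAP_ directory rather than hard-coding a timestamped path, passes the ntds.dit inside that snapshot to dsamain on a spare LDAP port, and then browses and compares objects against the live directory with the AD cmdlets. Assumptions: a snapshot already exists on this DC, the database lives in the default %SystemRoot%\NTDS, port 51389 is free, and svc_backup is a made-up account used for the comparison.

```powershell
# Added example: mount an AD snapshot, serve it with dsamain, browse it, and clean up.
# Assumed: default NTDS location, free port 51389, sample account svc_backup.
Import-Module ActiveDirectory
$port = 51389

# 1. Mount the snapshot. "list all" numbers them; 1 is the first listed.
ntdsutil "activate instance ntds" snapshot "list all" "mount 1" quit quit

# 2. The mount point is a directory named $SNAP_<timestamp>_VOLUME<letter>$ at the volume root.
#    Single quotes keep PowerShell from expanding $SNAP_ as a variable.
$mount = Get-ChildItem -Path C:\ -Filter '$SNAP_*' |
    Where-Object { $_.PSIsContainer } | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $mount) { throw 'No mounted snapshot found on C:' }

# /dbpath must point at the ntds.dit INSIDE the snapshot. Pointing it at the live
# %SystemRoot%\NTDS\ntds.dit (the mistake in the exhibit) fails because AD DS holds that file open.
$dit = Join-Path $mount.FullName 'Windows\NTDS\ntds.dit'
if (-not (Test-Path $dit)) { throw "ntds.dit not found under $($mount.FullName)" }

# 3. Serve it read-only on its own port. AD DS keeps running; only the LDAP port must differ from 389.
#    dsamain stays in the foreground, so start it as a separate process.
$ds = Start-Process -FilePath dsamain.exe -ArgumentList "/dbpath `"$dit`" /ldapport $port" -PassThru
Start-Sleep -Seconds 5

# 4. Browse by pointing the AD cmdlets (or LDP/ADUC) at localhost:<port>.
Get-ADUser -Filter * -Server "localhost:$port" -SearchBase (Get-ADDomain).DistinguishedName |
    Select-Object -First 5 Name, DistinguishedName

# Compare an object as it was in the snapshot with the live copy (useful before deciding to restore it).
$snap = Get-ADUser -Identity 'svc_backup' -Server "localhost:$port" -Properties description
$live = Get-ADUser -Identity 'svc_backup' -Properties description
"description: snapshot='$($snap.description)'  live='$($live.description)'"

# 5. Clean up: stop dsamain, then unmount the snapshot.
Stop-Process -Id $ds.Id
ntdsutil "activate instance ntds" snapshot "list all" "unmount 1" quit quit
```

The snapshot contains every secret in the directory (password hashes included), so treat the mounted path and the extra LDAP port as sensitive as the live database and unmount as soon as you are done.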
Exam G QUESTION 1
Your network contains an Active Directory domain.
You need to back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group Policy links for the domain.
What should you do?
A. From Group Policy Management Console (GPMC), back up the GPOs.
B. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.
C. From Windows Server Backup, perform a system state backup.
D. From Windows PowerShell, run the Backup-GPO cmdlet.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
When you back up a GPO using the Group Policy Management Console or the Backup-GPO cmdlet, the links to domains/sites/OUs are not included. The link is noted in the accompanying gpreport.xml, but it is not part of the backup itself. If you restore the backup, the GPO is not linked to anything.
Microsoft recommends that you do not modify the SYSVOL structure. This recommendation also applies to backup and restore operations of the SYSVOL structure. On top of that, the SYSVOL folder only contains the GPT part of a GPO, so it would be an incomplete backup anyway.
The link between a GPO and, for example, an OU is an attribute (gPLink) of the OU, not of the GPO. So, to back up the GPOs including the links, we have to perform a system state backup.
Reference 1:
http://www.microsoft.com/en-us/download/details.aspx?id=22478 Planning and Deploying Group Policy (Word-document)
Backing up and restoring WMI filter data, IPsec policy settings, and links to OUs
Links to WMI filters and IPsec policies are stored in GPOs and are backed up as part of a GPO. When you restore a GPO, these links are preserved if the underlying objects still exist in Active Directory. Links to OUs, however, are not part of the backup data and will not be restored during a restore operation.
Reference 2:
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/c361339f-7266-4991-8309-c957a123a455/
Does backup-gpo cmdlet backup GPO links and permission?
"Permissions are backed up but links are not. The links are actually properties of the OU and would be backed up as part of the system state. Please see this article for more information: http://technet.microsoft.com/en-us/library/cc784474.aspx. The article refers to the GPMC process which is the same as the PowerShell cmdlet."
Reference 3:
http://technet.microsoft.com/en-us/library/cc784474.aspx Information saved in a backup
Backing up a GPO saves all information that is stored inside the GPO to the file system. This includes the following information:
GPO globally unique identifier (GUID) and domain.
GPO settings.
Discretionary access control list (DACL) on the GPO.
WMI filter link, if there is one, but not the filter itself.
Links to IP Security Policies, if any.
XML report of the GPO settings, which can be viewed as HTML from within GPMC.
Date and time stamp of when the backup was taken.
User-supplied description of the backup.
Information not saved in a backup
Backing up a GPO only saves data that is stored inside the GPO. Data that is stored outside the GPO is not available when the backup is restored to the original GPO or imported into a new one. This data that becomes unavailable includes the following information:
Links to a site, domain, or organizational unit.
WMI filter.
IP Security policy.
Reference 4:
http://technet.microsoft.com/en-us/library/jj134176.aspx Check Group Policy Infrastructure Status
Each GPO is stored partly in Active Directory and partly in the SYSVOL on the domain controller. The portion of the GPO stored in Active Directory is called the Group Policy container (GPC) while the portion of the GPO stored in the SYSVOL is called the Group Policy template (GPT). GPMC and Group Policy Management Editor manage the GPO as a single unit. For example, when you set permissions on a GPO in GPMC, GPMC is actually setting permissions on objects in both Active Directory and the SYSVOL. It is not recommended that you manipulate these separate objects independently outside of GPMC and the Group Policy Management Editor.
It is important to understand that these two separate features of a GPO rely on different replication mechanisms. The file system portion, GPT, is replicated through Distributed File Service Replication (DFS-R) or File Replication Service (FRS), independently of the replication handled by Active Directory, GPC.
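Added example, not part of the original dump or of the referenced Microsoft documents: it shows concretely what Backup-GPO does and does not capture. It backs up every GPO (contents and DACLs), then reads the gPLink attribute from the domain object, every OU and every site, which is exactly the data the references say is missing from the backup, and saves it so the links can be re-created after a Restore-GPO. Assumptions: the domain is contoso.com, the backup root is C:\GPOBackup, and the gPLink ordering rule (last entry = highest precedence) is the GPMC convention.

```powershell
# Added example: back up all GPOs, and separately record the gPLink data the GPO backup omits.
# Assumed: domain contoso.com, backup root C:\GPOBackup.
Import-Module ActiveDirectory
Import-Module GroupPolicy
$domain = 'contoso.com'
$root   = 'C:\GPOBackup\' + (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $root | Out-Null

# 1. GPO contents and DACLs (not links, not the WMI filters themselves, not IPsec policies).
Backup-GPO -All -Domain $domain -Path $root | Select-Object DisplayName, GpoId, BackupDirectory

# 2. Links live on the link TARGETS, in gPLink:
#    "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;flags][...]"  flags bit 1 = link disabled, bit 2 = enforced.
#    The last entry in the string has the highest precedence (link order 1 in GPMC).
function Read-GPLinks {
    param([string]$Target, [string]$GPLink)
    if (-not $GPLink) { return }
    $entries = [regex]::Matches($GPLink, '\[LDAP://cn=\{([0-9A-Fa-f-]+)\},[^;]+;(\d+)\]')
    $n = $entries.Count
    for ($i = 0; $i -lt $n; $i++) {
        $flags = [int]$entries[$i].Groups[2].Value
        New-Object PSObject -Property @{
            Target    = $Target
            GpoGuid   = $entries[$i].Groups[1].Value
            LinkOrder = $n - $i
            Enabled   = (($flags -band 1) -eq 0)
            Enforced  = (($flags -band 2) -ne 0)
        }
    }
}
$dn       = (Get-ADDomain $domain).DistinguishedName
$configNc = (Get-ADRootDSE).configurationNamingContext
$targets  = @(Get-ADObject -Identity $dn -Properties gPLink) +
            @(Get-ADOrganizationalUnit -Filter * -Server $domain -Properties gPLink) +
            @(Get-ADObject -SearchBase "CN=Sites,$configNc" -LDAPFilter '(objectClass=site)' -Properties gPLink)
$links = @($targets | ForEach-Object { Read-GPLinks -Target $_.DistinguishedName -GPLink $_.gPLink })
$links | Export-Csv -Path (Join-Path $root 'gplinks.csv') -NoTypeInformation
"$($links.Count) links recorded for $($targets.Count) targets in $root"

# 3. Restore side (not run here): Restore-GPO brings back contents and permissions; the links come
#    from the CSV. Re-link lowest precedence first so the -Order numbers end up as they were.
function Restore-GPLinks([string]$BackupRoot) {
    Restore-GPO -All -Domain $domain -Path $BackupRoot
    Import-Csv (Join-Path $BackupRoot 'gplinks.csv') |
        Sort-Object Target, @{ Expression = { [int]$_.LinkOrder }; Descending = $true } |
        ForEach-Object {
            $enabled  = if ($_.Enabled  -eq 'True') { 'Yes' } else { 'No' }
            $enforced = if ($_.Enforced -eq 'True') { 'Yes' } else { 'No' }
            New-GPLink -Guid $_.GpoGuid -Target $_.Target -Domain $domain -Order ([int]$_.LinkOrder) `
                -LinkEnabled $enabled -Enforced $enforced
        }
}
```

A system state backup (answer C) avoids this two-part dance because it captures the gPLink attributes on the targets together with the GPC and SYSVOL; the script above is what you need when you only have GPMC or Backup-GPO backups to work from.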
QUESTION 2
Your network contains a domain controller that runs Windows Server 2008 R2.
You need to reset the Directory Services Restore Mode (DSRM) password on the domain controller.
Which tool should you use?
A. Ntdsutil
B. Dsamain
C. Active Directory Users and Computers
D. Local Users and Groups
Correct Answer: A
To Reset the DSRM Administrator Password
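Added example, not part of the original dump: the two ntdsutil forms for answer A. The classic form prompts for the new password interactively; the "sync from domain account" form available on Windows Server 2008 R2 copies the password of a domain account so the reset can be scripted and repeated across DCs. Assumptions: a domain account named dsrm-sync exists solely for this purpose (made up for this example).

```powershell
# Added example: reset the DSRM (local SAM) administrator password on this domain controller.
# Assumed helper account for the second form: dsrm-sync.

# Form 1: interactive. ntdsutil prompts for the new password twice. "null" means the local DC.
ntdsutil "set dsrm password" "reset password on server null" quit quit

# Form 2 (Windows Server 2008 R2): copy the password of an ordinary domain account that exists only
# for this purpose. Rotate that account's password and re-run this on every DC to rotate DSRM.
ntdsutil "set dsrm password" "sync from domain account dsrm-sync" quit quit

# Check the logon behaviour of the DSRM account without rebooting into DSRM:
#   0 (default) = DSRM account can log on only when the DC is booted into DSRM
#   1           = also when AD DS is stopped   2 = always (avoid: it is a second local admin)
Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
```

The DSRM password is a standalone credential stored in the DC's local SAM, which is why Active Directory Users and Computers (answer C) cannot touch it and Local Users and Groups (answer D) is not available on a domain controller.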