DSQUERY Reference 1:
2. At the Ntdsutil command prompt, type set dsrm password
3. (...)
QUESTION 3
Your network contains an Active Directory forest. All client computers run Windows 7.
The network contains a high-volume enterprise certification authority (CA).
You need to minimize the amount of network bandwidth required to validate a certificate.
What should you do?
A. Configure an LDAP publishing point for the certificate revocation list (CRL).
B. Configure an Online Certification Status Protocol (OCSP) responder.
C. Modify the settings of the delta certificate revocation list (CRL).
D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Reference:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 779
Online responder
This service is designed to respond to specific certificate validation requests through the Online Certificate Status Protocol (OCSP). Using an online responder (OR), the system relying on PKI does not need to obtain a full CRL and can submit a validation request for a specific certificate. The online responder decodes the validation request and determines whether the certificate is valid. When it determines the status of the requested certificate, it sends back an encrypted response containing the information to the requester. Using online responders is much faster and more efficient than using CRLs. AD CS includes online responders as a new feature in Windows Server 2008 R2.
QUESTION 4
Your network contains an Active Directory domain. You have five organizational units (OUs) named Finance, HR, Marketing, Sales, and Dev. You link a Group Policy object named GPO1 to the domain as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs. The solution must prevent GPO1 from being applied to users in the Dev OU.
What should you do?
A. Enforce GPO1.
B. Modify the security settings of the Dev OU.
C. Link GPO1 to the Finance OU.
D. Modify the security settings of the Finance OU.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
The OUs marked with a blue exclamation mark in the console tree have blocked inheritance, so GPO1 linked at the domain will not be applied to them. That is fine for the Dev OU, but not for the Finance OU, so GPO1 must be linked directly to the Finance OU.
Reference:
http://technet.microsoft.com/en-us/library/cc731076.aspx Block Inheritance
You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level.
If a domain or OU is set to block inheritance, it will appear with a blue exclamation mark in the console tree.
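The reasoning above, scripted as an added example (not from the exam reference): find which of the four target OUs block inheritance, link GPO1 directly to those, and confirm Dev still receives nothing. It assumes the GroupPolicy and ActiveDirectory modules and that the five OUs sit directly under the domain root.

```powershell
# Added example; OU placement directly under the domain root is an assumption.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$gpoName   = 'GPO1'
$mustApply = 'Finance', 'HR', 'Marketing', 'Sales'   # Dev is deliberately excluded

foreach ($ou in $mustApply) {
    $target      = "OU=$ou,$domainDn"
    $inheritance = Get-GPInheritance -Target $target

    # Enforcing GPO1 (answer A) would override the block on Dev as well, so the
    # fix is a direct link on any must-apply OU that blocks inheritance.
    if ($inheritance.GpoInheritanceBlocked) {
        $alreadyLinked = $inheritance.GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
        if (-not $alreadyLinked) {
            New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null
        }
        "$ou blocks inheritance: $gpoName linked directly"
    }
    else {
        "$ou inherits $gpoName from the domain link"
    }
}

# Verify Dev receives GPO1 neither by inheritance nor by a direct link.
$dev      = Get-GPInheritance -Target "OU=Dev,$domainDn"
$devLinks = @($dev.InheritedGpoLinks) + @($dev.GpoLinks)
if ($devLinks.DisplayName -contains $gpoName) {
    Write-Warning "$gpoName still reaches the Dev OU"
}
```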
QUESTION 5
Your network contains an Active Directory domain. The domain contains an organizational unit (OU) named OU1. OU1 contains all managed service accounts in the domain.
You need to prevent the managed service accounts from being deleted accidentally from OU1.
Which cmdlet should you use?
A. Set-ADUser
B. Set-ADOrganizationalUnit
C. Set-ADServiceAccount
D. Set-ADObject
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
You can use Set-ADOrganizationalUnit with the -ProtectedFromAccidentalDeletion $true parameter to prevent OU1 itself from being deleted accidentally, but the accounts inside it could still be deleted. Use Set-ADObject to protect the accounts themselves.
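The distinction above in practice, as an added example (not from the exam reference): protect the container with Set-ADOrganizationalUnit, protect every managed service account inside it with Set-ADObject, then list anything left unprotected. It assumes the ActiveDirectory module and an OU named OU1 directly under the domain root.

```powershell
# Added example; OU1 being directly under the domain root is an assumption.
Import-Module ActiveDirectory

$ouDn = "OU=OU1,$((Get-ADDomain).DistinguishedName)"

# Step 1: protect the OU itself. This guards only the container object.
Set-ADOrganizationalUnit -Identity $ouDn -ProtectedFromAccidentalDeletion $true

# Step 2: protect each managed service account as an object. The parameter
# lives on Set-ADObject, which is why the answer is D. Under the hood it adds
# Deny Delete / Delete Subtree ACEs for Everyone on each object.
Get-ADServiceAccount -Filter * -SearchBase $ouDn -SearchScope Subtree |
    Set-ADObject -ProtectedFromAccidentalDeletion $true

# Step 3: verify. Anything in OU1 (including the OU) still unprotected is listed;
# the expected result is no output.
Get-ADObject -Filter * -SearchBase $ouDn -SearchScope Subtree `
    -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, ObjectClass, DistinguishedName
```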
Reference:
http://technet.microsoft.com/en-us/library/hh852326.aspx Set-ADObject
Modifies an Active Directory object.
Parameter
-ProtectedFromAccidentalDeletion <Boolean>
Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include:
$false or 0
$true or 1
The following example shows how to set this parameter to true.
-ProtectedFromAccidentalDeletion $true
QUESTION 6
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writable domain controller named DC1 and a read-only domain controller (RODC) named DC2. All domain controllers run Windows Server 2008 R2.
You need to install a new writable domain controller named DC3 in a remote site. The solution must minimize the amount of replication traffic that occurs during the installation of Active Directory Domain Services (AD DS) on DC3.
What should you do first?
A. Run dcpromo.exe /createdcaccount on DC3.
B. Run ntdsutil.exe on DC2.
C. Run dcpromo.exe /adv on DC3.
D. Run ntdsutil.exe on DC1.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
We can run dcpromo.exe /adv on DC3 to install a new writable domain controller using the Install From Media (IFM) option. That way there is less replication traffic. But before we can do that we have to create the installation media first. I suspect that's what they mean when they say "What should you do first?" So first we create the installation media, then we use the installation media to install DC3.
Technet gives us instructions on how to create the installation media. It says:
"You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently."
"You must use writeable domain controller installation media to install a writeable domain controller. You can create writeable domain controller installation media only on a writeable domain controller."
Since DC2 in answer B is a read-only domain controller, that leaves us with answer D ("Run ntdsutil.exe on DC1").
Reference 1:
http://technet.microsoft.com/en-us/library/cc770654.aspx [Used for the information above]
[Some extra info on using IFM to install the DC:]
Reference 2:
http://technet.microsoft.com/en-us/library/cc732887.aspx dcpromo /adv
Performs an install from media (IFM) operation.
Reference 3:
http://technet.microsoft.com/en-us/library/cc816722.aspx Installing an Additional Domain Controller by Using IFM
When you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, you can reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary to install the additional domain controller.
QUESTION 7
Your network contains an Active Directory forest. The forest contains 10 domains. All domain controllers are configured as global catalog servers.
You remove the global catalog role from a domain controller named DC5.
You need to reclaim the hard disk space used by the global catalog on DC5.
What should you do?
A. From Active Directory Sites and Services, run the Knowledge Consistency Checker (KCC).
B. From Active Directory Sites and Services, modify the general properties of DC5.
C. From Ntdsutil, use the Semantic database analysis option.
D. From Ntdsutil, use the Files option.
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Reference 1:
http://technet.microsoft.com/en-us/library/cc816618.aspx Database defragmentation
In cases in which the data decreases significantly, such as when the global catalog is removed from a domain controller, free disk space is not automatically returned to the file system. Although this condition does not affect database operation, it does result in large amounts of free disk space in the database. To decrease the size of the database file by returning free disk space from the database file to the file system, you can perform an offline defragmentation of the database. Whereas online defragmentation occurs automatically while AD DS is running, offline defragmentation requires taking the domain controller offline and using the Ntdsutil.exe command-line tool to perform the procedure.
Reference 2:
http://technet.microsoft.com/en-us/library/cc794920.aspx
To perform offline defragmentation of the directory database
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER: net stop ntds
3. Type Y to agree to stop additional services, and then press ENTER.
4. At the command prompt, type ntdsutil, and then press ENTER.
5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.