DSQUERY Reference 1:
1. Open Active Directory Users and Computers as a member of the Domain Admins group
2. Ensure that you are connected to a writable domain controller running Windows Server 2008 in the correct domain.
3. Click Domain Controllers, and in the details pane, right-click the RODC computer account, and then click Properties.
4. Click the Password Replication Policy tab.
5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed list and the Deny list on the RODC. To add other groups that should be included in either the Allowed list or the Deny list, click Add.
To add other accounts that will have credentials cached on the RODC, click Allow passwords for the account to replicate to this RODC.
To add other accounts that are not allowed to have credentials cached on the RODC, click Deny passwords for the account from replicating to this RODC.
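The same Password Replication Policy change done from the Active Directory module instead of the ADUC dialog, as an added example that is not part of the referenced article. The RODC name RODC01, the groups Branch-Users and Tier0-Admins and the user jsmith are assumed names.

```powershell
# Added example: manage an RODC Password Replication Policy with the AD module (2008 R2+).
# Assumed names: RODC "RODC01", groups "Branch-Users" and "Tier0-Admins", user "jsmith".
Import-Module ActiveDirectory

$rodc = 'RODC01'

# 1. Show what the Allowed and Denied lists contain today.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass

# 2. Allow the branch office users' secrets to be cached on this RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch-Users'

# 3. Explicitly deny privileged accounts. Deny wins over Allow when an account falls under
#    both lists, so Tier-0 groups belong here even if they are nested into an allowed group.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Tier0-Admins'

# 4. Resultant policy for one account: Allow, Deny, or neither.
Get-ADAccountResultantPasswordReplicationPolicy -Identity 'jsmith' -DomainController $rodc

# 5. Audit: which secrets are actually stored on the RODC right now. If the RODC is ever
#    compromised, these are the accounts whose passwords must be reset.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object SamAccountName, DistinguishedName
```

The revealed-accounts list (step 5) is the one to review after a branch incident; the policy lists only say what may be cached, not what has been.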
QUESTION 6
Your network contains an Active Directory forest. The forest contains domain controllers that run Windows Server 2008 R2. The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2008.
From a domain controller, you need to perform an authoritative restore of an organizational unit (OU).
What should you do first?
A. Raise the functional level of the forest
B. Modify the tombstone lifetime of the forest.
C. Restore the system state.
D. Raise the functional level of the domain.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
The Active Directory Recycle Bin cannot be used here: it requires a forest functional level of Windows Server 2008 R2, and this forest is at Windows Server 2003. Raising the level now would not help either, because the Recycle Bin only preserves objects deleted after it was enabled. What remains is an authoritative restore, which begins with a System State restore of a domain controller; see the reference below.
Reference:
Windows Server 2008 R2 Unleashed (SAMS, 2010) pages 1292 and 1297
Active Directory Recycle Bin Recovery
Let’s begin this section with a very clear statement: If you need to recover a deleted Active Directory object and the Active Directory Recycle Bin was not enabled before the object was deleted, skip this section and proceed to the “Active Directory Authoritative Restore” section.
Active Directory Authoritative Restore
When Active Directory has been modified and needs to be restored to a previous state, and this rollback needs to be replicated to all domain controllers in the domain and possibly the forest, an authoritative restore of Active Directory is required. An authoritative restore of Active Directory can include the entire Active Directory
database, a single object, or a container, such as an organizational unit including all objects previously stored within the container. To perform an authoritative restore of Active Directory, perform the System State restore of a domain controller.
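The commands behind "restore the System State, then mark the OU authoritative", as an added example that is not taken from the cited book. It assumes a Windows Server Backup system state backup on drive E:, a backup version identifier of 01/15/2010-09:00, and an OU named Sales in contoso.com; all three are placeholders.

```powershell
# Added example: authoritative restore of one OU. Run in three stages on the DC being
# restored. Assumed: backup on E:, version 01/15/2010-09:00, OU=Sales in contoso.com.

# --- Stage 1: boot into Directory Services Restore Mode (DSRM) ---
bcdedit /set safeboot dsrepair          # alternative: press F8 at boot and choose DSRM
Restart-Computer

# --- Stage 2 (logged on with the DSRM administrator password) ---
wbadmin get versions -backupTarget:E:
wbadmin start systemstaterecovery -version:01/15/2010-09:00 -backupTarget:E: -quiet

# Do NOT reboot yet. A System State restore on its own is non-authoritative: after the
# reboot the other DCs would simply replicate the deletion back onto this one.

# Mark only the OU subtree authoritative. ntdsutil accepts its commands as arguments;
# a DN without spaces needs no extra quoting (quote it inside an interactive session if it does).
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Sales,DC=contoso,DC=com" quit quit

# --- Stage 3: leave DSRM ---
bcdedit /deletevalue safeboot
Restart-Computer

# After the reboot, confirm the OU is back and that the DC replicates outbound normally.
Get-ADObject -Filter * -SearchBase 'OU=Sales,DC=contoso,DC=com' | Select-Object Name, ObjectClass
repadmin /showrepl
```

"restore subtree" bumps the version number of every object under the OU so the restored copies win over the tombstones on the other DCs; the backup must be younger than the tombstone lifetime, and ntdsutil writes LDIF files for group memberships (back-links) that may need to be re-imported for groups in other domains.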
QUESTION 7
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com.
You have a custom attribute named Attribute 1 in Active Directory. Attribute 1 is associated to User objects.
You need to ensure that Attribute1 is included in the global catalog.
What should you do?
A. From the Active Directory Schema snap-in, modify the properties of the Attribute 1 attributeSchema object.
B. In Active Directory Users and Computers, configure the permissions on the Attribute 1 attribute for User objects.
C. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.
D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the forest.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Same question as D/Q39
Reference:
http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx
Global Catalog Partial Attribute Set
The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE.
Global Catalog Replication of Additions to the Partial Attribute Set
Each global catalog server in an AD DS forest hosts a copy of every existing object in that forest. For the objects of its own domain, a global catalog server has information related to all attributes that are associated with those objects. For the objects in domains other than its own, a global catalog server has only information that is related to the set of attributes that are marked in the AD DS schema to be included in the partial attribute
set (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to be used for searches. These attributes are replicated to every global catalog server in an AD DS forest.
If you want to add an attribute to the PAS, you can mark the attribute by using the Active Directory Schema snap-in to edit the isMemberOfPartialAttributeSet value on the respective attributeSchema object. You mark the attribute by placing a checkmark next to isMemberOfPartialAttributeSet. If the
isMemberOfPartialAttributeSet value is checked (set to TRUE), the attribute is replicated to the global catalog. If the value is not checked (set to FALSE), the attribute is not replicated to the global catalog.
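The same change made with the Active Directory module instead of the Schema snap-in, as an added example that is not part of the TechNet article. It assumes the custom attribute has the lDAPDisplayName attribute1 in forest contoso.com and that the caller is a member of Schema Admins.

```powershell
# Added example: add a custom attribute to the global catalog partial attribute set by
# setting isMemberOfPartialAttributeSet on its attributeSchema object.
# Assumed: lDAPDisplayName "attribute1"; caller is in Schema Admins.
Import-Module ActiveDirectory

$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster     # schema writes must target the schema master

# Find the attributeSchema object by lDAPDisplayName rather than guessing its CN.
$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -Filter 'objectClass -eq "attributeSchema" -and lDAPDisplayName -eq "attribute1"' `
    -Properties isMemberOfPartialAttributeSet, searchFlags

if (-not $attr) { throw 'attributeSchema object for attribute1 not found' }
"Before: isMemberOfPartialAttributeSet = $($attr.isMemberOfPartialAttributeSet)"

# A PAS attribute becomes readable on every GC in the forest. Refuse if the attribute is
# marked confidential (searchFlags bit 0x80); exposing it forest-wide defeats that flag's purpose.
if ($attr.searchFlags -band 0x80) {
    throw 'attribute1 is marked confidential; do not add it to the PAS'
}

# Equivalent of ticking "Replicate this attribute to the global catalog" in the snap-in.
Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
    -Replace @{ isMemberOfPartialAttributeSet = $true }

# Verify on the schema master; repeat against a GC in the other domain once the schema
# partition has replicated, e.g. -Server gc01.woodgrovebank.com.
(Get-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
    -Properties isMemberOfPartialAttributeSet).isMemberOfPartialAttributeSet
```

Since Windows Server 2003 forest functional level, adding an attribute to the PAS no longer triggers a full resynchronisation of every global catalog, but the new values still have to replicate before cross-domain searches on the attribute return results.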
QUESTION 8
Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the Active Directory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD LDS instances named Instance1 and Instance2.
You need to remove Instance2 from Server1 without affecting Instance1.
Which tool should you use?
A. NTDSUtil
B. Dsdbutil
C. Programs and Features in the Control Panel
D. Server Manager
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Reference 1:
http://technet.microsoft.com/en-us/library/cc794857.aspx
Administering AD LDS Instances
Each AD LDS instance runs as an independent—and separately administered—service on a computer.
Reference 2:
http://technet.microsoft.com/en-us/library/cc794886.aspx
To remove an AD LDS instance
1. To open Programs and Features, click Start, click Settings, click Control Panel, and then double-click Programs and Features.
2. Locate and click the AD LDS instance that you want to remove.
3. Click Uninstall.
Note
It is not necessary to restart the computer after you remove an AD LDS instance.
QUESTION 9
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to compact the Active Directory database.
What should you do?
A. Run the Get-ADForest cmdlet.
B. Configure subscriptions from Event Viewer.
C. Run the eventcreate.exe command.
D. Configure the Active Directory Diagnostics Data Collector Set (OCS).
E. Create a Data Collector Set (DCS).
F. Run the repadmin.exe command.
G. Run the ntdsutil.exe command.
H. Run the dsquery.exe command.
I. Run the dsamain.exe command.
J. Create custom views from Event Viewer.
Correct Answer: G
Reference 1:
Compact the Directory Database File (Offline Defragmentation)
You can use this procedure to compact the Active Directory database offline. Offline defragmentation returns free disk space in the Active Directory database to the file system. As part of the offline defragmentation procedure, check directory database integrity.
Performing offline defragmentation creates a new, compacted version of the database file in a different location.
Reference 2:
Mastering Windows Server 2008 R2 (Sybex, 2010) page 805
Performing Offline Defragmentation of Ntds.dit
These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder, map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate.
1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator.
2. Type ntdsutil, and then press Enter.
3. Type Activate instance NTDS, and press Enter.
4. At the resulting ntdsutil prompt, type Files (case sensitive), and then press Enter.
5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the defragmentation, and then press Enter.
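The same procedure scripted end to end, as an added example that is not from the cited book. It uses restartable AD DS (available since Windows Server 2008) so the DC does not need a DSRM reboot, and assumes the database lives in C:\Windows\NTDS, the compacted copy goes to C:\NTDS_Compact, and a backup target of E: for the preceding system state backup.

```powershell
# Added example: offline defragmentation with restartable AD DS.
# Assumed paths: live database C:\Windows\NTDS, compacted copy C:\NTDS_Compact, backup on E:.
$ntdsDir    = 'C:\Windows\NTDS'
$compactDir = 'C:\NTDS_Compact'
$keepDir    = 'C:\NTDS_Old'

# 0. System State backup first: the compacted file will replace the live database.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 1. Stop AD DS (-Force also stops dependents such as KDC, DNS and Netlogon).
Stop-Service -Name NTDS -Force

# 2. Compact into a different folder. ntdsutil takes its commands as arguments.
New-Item -ItemType Directory -Path $compactDir -Force | Out-Null
ntdsutil "activate instance ntds" files "compact to $compactDir" quit quit

# 3. Keep the old file, move the compacted one into place, delete the old transaction logs
#    (ntdsutil prints these same follow-up instructions when compaction succeeds).
New-Item -ItemType Directory -Path $keepDir -Force | Out-Null
Copy-Item "$ntdsDir\ntds.dit" "$keepDir\ntds.dit" -Force
Copy-Item "$compactDir\ntds.dit" "$ntdsDir\ntds.dit" -Force
Remove-Item "$ntdsDir\*.log"

# 4. Integrity check of the database now in place, then bring AD DS back.
ntdsutil "activate instance ntds" files integrity quit quit
Start-Service -Name NTDS

# 5. Verify the space reclaimed and that replication is healthy before deleting the old copy.
"Old size: $((Get-Item "$keepDir\ntds.dit").Length)  New size: $((Get-Item "$ntdsDir\ntds.dit").Length)"
repadmin /showrepl
```

If the integrity check fails, copy the file from $keepDir back before starting NTDS; the compacted copy is only as good as the source, which is why the backup in step 0 is not optional.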
QUESTION 10
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to collect all of the Directory Services events from all of the domain controllers and store the events in a single central computer.
What should you do?
A. Run the ntdsutil.exe command.
B. Run the repadmin.exe command.
C. Run the Get-ADForest cmdlet.
D. Run the dsamain.exe command.
E. Create custom views from Event Viewer.
F. Run the dsquery.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Configure subscriptions from Event Viewer.
I. Run the eventcreate.exe command.
J. Create a Data Collector Set (DCS).
Correct Answer: H Section: (none) Explanation
Explanation/Reference:
Reference:
http://technet.microsoft.com/en-us/library/cc749183.aspx
Event Subscriptions
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers.
Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.
Using the event collecting feature requires that you configure both the forwarding and the collecting computers.
The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process. To learn about the steps required to configure event collecting and forwarding computers, see Configure Computers to Forward and Collect Events (http://technet.microsoft.com/en-us/library/cc748890.aspx).
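A concrete subscription for this question, as an added example that is not part of the TechNet article: a source-initiated subscription that has every domain controller push its Directory Service log to one collector. The collector name COLLECTOR01.contoso.com and the subscription ID are assumed.

```powershell
# Added example: collect the "Directory Service" log from all DCs on one collector.
# Assumed: collector COLLECTOR01.contoso.com; subscription ID is our own choice.

# --- On each DC (normally pushed by Group Policy) ---
# winrm quickconfig -q
# GPO: Computer Configuration > Administrative Templates > Windows Components >
#      Event Forwarding > Configure target Subscription Manager:
#      Server=http://COLLECTOR01.contoso.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
# The forwarding runs as NETWORK SERVICE, which must be able to read the log;
# adding it to the DC's local "Event Log Readers" group is the usual fix.

# --- On the collector ---
wecutil qc /q:true        # start Wecsvc and set it to delayed auto-start

$xml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DC-DirectoryService</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Directory Service log from all domain controllers</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0">
          <Select Path="Directory Service">*</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: only members of Domain Controllers (well-known alias DD) may push events -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@
$path = Join-Path $env:TEMP 'dc-directoryservice.xml'
Set-Content -Path $path -Value $xml -Encoding UTF8
wecutil cs $path

# Subscription definition and which DCs have checked in so far
wecutil gs DC-DirectoryService
wecutil gr DC-DirectoryService

# What has arrived
Get-WinEvent -LogName ForwardedEvents -MaxEvents 20 |
    Select-Object TimeCreated, MachineName, Id, LevelDisplayName
```

HTTP here is not plaintext: inside the domain WinRM authenticates with Kerberos and encrypts at message level, and the SDDL restricts who may submit events, so a workstation cannot inject fake "Directory Service" entries into the collector. Use HTTPS with certificates only for sources outside the forest.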
QUESTION 11
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to receive a notification when more than 100 Active Directory objects are deleted per second.
What should you do?
A. Create custom views from Event Viewer.
B. Run the Get-ADForest cmdlet.
C. Run the ntdsutil.exe command.
D. Configure the Active Directory Diagnostics Data Collector Set (DCS).
E. Create a Data Collector Set (DCS).
F. Run the dsamain.exe command.
G. Run the dsquery.exe command.
H. Run the repadmin.exe command.
I. Configure subscriptions from Event Viewer.
J. Run the eventcreate.exe command.
Correct Answer: E Section: (none) Explanation
Explanation/Reference:
Practically the same question as K/Q22.
Reference:
http://technet.microsoft.com/en-us/magazine/ff458614.aspx
Configure Windows Server 2008 to Notify you when Certain Events Occur
You can configure alerts to notify you when certain events occur or when certain performance thresholds are
reached. You can send these alerts as network messages and as events that are logged in the application event log. You can also configure alerts to start applications and performance logs.
To configure an alert, follow these steps:
1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set.
2. (...)
3. In the Performance Counters panel, select the first counter, and then use the Alert When Value Is text box to set the occasion when an alert for this counter is triggered. Alerts can be triggered when the counter is above or below a specific value. Select Above or Below, and then set the trigger value. The unit of measurement is whatever makes sense for the currently selected counter or counters. For example, to generate an alert if processor time is over 95 percent, select Above, and then type 95. Repeat this process to configure other counters you've selected.
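The same alert Data Collector Set created from the command line with logman instead of the Performance Monitor wizard, as an added example that is not from the TechNet Magazine article. The counter path used below is an assumption standing in for whichever NTDS counter measures deletions on your build; the script first lists the NTDS counters so you can substitute the right one.

```powershell
# Added example: a performance-counter alert DCS built with logman.
# ASSUMPTION: '\NTDS\DS Directory Writes/sec' is a placeholder for the counter that
# measures object deletions; pick the real one from the typeperf listing and substitute it.
$counter = '\NTDS\DS Directory Writes/sec'
$alert   = 'AD-Object-Deletes'

# List the NTDS counters and confirm the chosen path exists; an alert on a
# non-existent counter is created without error and simply never fires.
typeperf -q NTDS
if (-not (typeperf -q NTDS | Select-String -SimpleMatch $counter)) {
    throw "counter '$counter' not found on this DC"
}

# Fire when the counter exceeds 100, sampling every 5 seconds, and log an event on trigger.
logman create alert $alert -th "$counter>100" -si 00:00:05 -el
logman start $alert
logman query $alert

# Alert triggers are written by the PLA provider; the log name below is as I recall it,
# verify with: Get-WinEvent -ListLog *PLA*
Get-WinEvent -LogName 'Microsoft-Windows-Diagnosis-PLA/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

A burst of deletions is exactly the signal a mass-delete accident or a malicious cleanup produces, so pair this alert with a recent system state backup (or the Recycle Bin on a 2008 R2 forest) so that the notification leads to a recovery path and not just to a log entry.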
QUESTION 12
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to create a snapshot of Active Directory.
What should you do?
A. Run the dsquery.exe command.
B. Run the dsamain.exe command.
C. Create custom views from Event Viewer.
D. Configure subscriptions from Event Viewer.
E. Create a Data Collector Set (DCS).
F. Configure the Active Directory Diagnostics Data Collector Set (DCS).
G. Run the repadmin.exe command.
H. Run the ntdsutil.exe command.
I. Run the Get-ADForest cmdlet.
J. Run the eventcreate.exe command.
Correct Answer: H Section: (none) Explanation
Explanation/Reference:
Practically the same question as E/Q29
Reference:
http://technet.microsoft.com/en-us/library/cc753609.aspx
To create an AD DS or AD LDS snapshot
1. Log on to a domain controller as a member of the Enterprise Admins groups or the Domain Admins group.
2. Click Start, right-click Command Prompt, and then click Run as administrator.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. At the elevated command prompt, type the following command, and then press ENTER: ntdsutil
5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot
6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds
7. At the snapshot prompt, type the following command, and then press ENTER: create
QUESTION 13
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You mount an Active Directory snapshot.
You need to ensure that you can query the snapshot by using LDAP.
What should you do?
A. Run the dsamain.exe command.
B. Create custom views from Event Viewer.
C. Run the ntdsutil.exe command.
D. Configure subscriptions from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Create a Data Collector Set (DCS).
G. Run the eventcreate.exe command.
H. Configure the Active Directory Diagnostics Data Collector Set (DCS).
I. Run the repadmin.exe command.
J. Run the dsquery.exe command.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Practically the same question as K/Q25.
Reference:
http://technet.microsoft.com/en-us/library/cc753609.aspx
The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your
organization by providing a means to compare data as it exists in snapshots that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain.
Requirements for using the Active Directory database mounting tool
You do not need any additional software to use the Active Directory database mounting tool. All the tools that are required to use this feature are built into Windows Server 2008 and are available if you have the AD DS or the AD LDS server role installed. These tools include the following:
(...)
Dsamain.exe, which you can use to expose the snapshot data as an LDAP server
Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers
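One script that covers both the snapshot question and the LDAP-query question above, as an added example that is not part of the TechNet article: create a snapshot, mount it, expose it with dsamain, compare it against live AD, then tear everything down. The OU name Sales in contoso.com and the LDAP port 51389 are assumptions; the mount path is read from ntdsutil's output rather than hard-coded.

```powershell
# Added example: snapshot -> mount -> dsamain -> LDAP query -> cleanup.
# Assumed: OU=Sales,DC=contoso,DC=com exists; port 51389 is free.
Import-Module ActiveDirectory
$port = 51389
$ou   = 'OU=Sales,DC=contoso,DC=com'

# 1. Create the snapshot (a VSS shadow copy of the volume holding ntds.dit).
ntdsutil snapshot "activate instance ntds" create quit quit

# 2. Mount it. "list all" prints a numbered list; the first snapshot shows as line 1
#    (the set) and line 2 (the volume), and "mount" takes that index.
ntdsutil snapshot "list all" quit quit
$index = 2
$mountOutput = ntdsutil snapshot "list all" "mount $index" quit quit
$mountPoint  = ($mountOutput | Select-String 'mounted as (.+)$').Matches[0].Groups[1].Value.Trim()
"Snapshot mounted at $mountPoint"

# 3. Expose the snapshot's database read-only over LDAP on a non-standard port.
$dit = Join-Path $mountPoint 'Windows\NTDS\ntds.dit'
$dsamain = Start-Process -FilePath dsamain.exe -PassThru `
    -ArgumentList "-dbpath `"$dit`" -ldapport $port"
Start-Sleep -Seconds 10      # give the instance time to finish starting

# 4. Query the snapshot with the normal tools by pointing -Server at localhost:<port>.
Get-ADObject -Server "localhost:$port" -SearchBase $ou -Filter * -Properties whenChanged |
    Select-Object Name, ObjectClass, whenChanged

# Diff against live AD: "<=" rows exist only in the snapshot (deleted since), "=>" only live.
$then = (Get-ADObject -Server "localhost:$port" -SearchBase $ou -Filter *).DistinguishedName
$now  = (Get-ADObject -SearchBase $ou -Filter *).DistinguishedName
Compare-Object $then $now | Select-Object InputObject, SideIndicator

# 5. Tear down: stop dsamain, unmount, and delete the snapshot when no longer needed.
Stop-Process -Id $dsamain.Id
ntdsutil snapshot "list all" "unmount $index" quit quit
# ntdsutil snapshot "list all" "delete $index" quit quit
```

A mounted snapshot is a complete copy of the directory database, password hashes included, and dsamain answers on every interface of the host; keep the port firewalled, run this only on a DC where local administrators are already trusted with the live database, and delete snapshots you no longer need.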
Exam I QUESTION 1
Your network contains an Active Directory forest named adatum.com.
The forest contains four child domains named europe.adatum.com, northamerica.adatum.com, asia.adatum.com, and africa.adatum.com.
You need to create four new groups in the forest root domain. The groups must be configured as shown in the following table.
What should you do?
To answer, drag the appropriate group type to the correct group name in the answer area.
Select and Place:
Correct Answer: