DSQUERY Reference 1:
2. Open the properties of the computer to which trusted users should be allowed to authenticate, that is, the computer that trusted users will log on to or that contains resources to which trusted users have been given permissions.
3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box for the Allowed To Authenticate permission.
QUESTION 17
Your network contains an Active Directory forest.
You need to add a new user principal name (UPN) suffix to the forest.
Which tool should you use?
A. Active Directory Administrative Center
B. Active Directory Domains and Trusts
C. Active Directory Sites and Services
D. Active Directory Users and Computers
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Reference:
http://www.kassapoglou.com/windows-server-2008-lesson-23-video-creating-a-user/
Demonstration adding a UPN Suffix
To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the Start menu. Right-click Active Directory Domains and Trusts at the top of the console tree and open its properties. From here you can add and remove additional UPN suffixes for the forest.
QUESTION 18
Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2 connect to each other by using a slow WAN link.
You discover that the cached password for a user named User1 is compromised on the RODC.
On a domain controller in Site1, you change the password for User1.
You need to replicate the new password for User1 to the RODC immediately. The solution must not replicate other objects to the RODC.
Which tool should you use?
A. Active Directory Sites and Services
B. Active Directory Users and Computers
C. Repadmin
D. Replmon
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Reference:
http://technet.microsoft.com/en-us/library/cc742095.aspx
Repadmin /rodcpwdrepl
Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain controllers (RODCs).
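The scenario in Question 18, worked through in PowerShell as an added example (not code from the page or from Microsoft's documentation): reset the compromised account's password on a writable DC, push only that password to the RODC with repadmin /rodcpwdrepl, and then confirm what the RODC has cached. The DC names WDC01 and RODC01 are assumptions; User1 is from the question, and the ActiveDirectory module (Windows Server 2008 R2 or the RSAT tools) is assumed to be available.

```powershell
# Added example (not from the page): respond to a compromised cached password
# on an RODC. Assumed names: WDC01 = writable DC in Site1, RODC01 = the RODC.
Import-Module ActiveDirectory

$WritableDC = 'WDC01'
$Rodc       = 'RODC01'
$User       = 'User1'

# 1. Reset the password on the writable DC. The value is read interactively so
#    it never sits in the script or in the command history.
$newPassword = Read-Host -Prompt "New password for $User" -AsSecureString
Set-ADAccountPassword -Identity $User -NewPassword $newPassword -Reset -Server $WritableDC

# 2. Push only this account's secrets to the RODC. A normal replication cycle
#    (or repadmin /syncall) would move every changed object over the slow link;
#    /rodcpwdrepl moves just the password of the named account.
$userDn = (Get-ADUser -Identity $User -Server $WritableDC).DistinguishedName
& repadmin.exe /rodcpwdrepl $Rodc $WritableDC $userDn
if ($LASTEXITCODE -ne 0) {
    throw "repadmin /rodcpwdrepl failed with exit code $LASTEXITCODE (is $User allowed by the RODC's Password Replication Policy?)"
}

# 3. Verify: list the accounts whose passwords the RODC currently has cached
#    and make sure the user is among them (the old secret has now been replaced).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Where-Object { $_.SamAccountName -eq $User } |
    Select-Object SamAccountName, DistinguishedName
```

The command only succeeds for accounts the RODC's Password Replication Policy allows to be cached; if the user should no longer be cached on that branch-office RODC at all, the right follow-up is to remove the account from the allowed list rather than to replicate a fresh password to it.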
Example:
The following example triggers replication of the passwords for the user account named JaneOh from the source domain controller named source-dc01 to all RODCs that have the name prefix dest-rodc:
repadmin /rodcpwdrepl dest-rodc* source-dc01 cn=JaneOh,ou=execs,dc=contoso,dc=com
QUESTION 19
Your network contains an Active Directory domain named contoso.com. The properties of the contoso.com DNS zone are configured as shown in the exhibit. (Click the Exhibit button.)
You need to update all service location (SRV) records for a domain controller in the domain. What should you do?
A. Restart the Netlogon service.
B. Restart the DNS Client service.
C. Run sc.exe and specify the triggerinfo parameter.
D. Run ipconfig.exe and specify the /registerdns parameter.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Reference:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62
The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.
QUESTION 20
Your network contains an Active Directory domain.
A user named User1 takes a leave of absence for one year.
You need to restrict access to the User1 user account while User1 is away.
What should you do?
A. From the Default Domain Policy, modify the account lockout settings.
B. From the Default Domain Controller Policy, modify the account lockout settings.
C. From the properties of the user account, modify the Account options.
D. From the properties of the user account, modify the Session settings.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Account lockout settings deal with logon security, like how many times a wrong password can be entered before an account gets locked out, or after how many minutes a locked out user can try again.
To really restrict access to the User1 account it has to be disabled, by modifying the account options.
Reference:
http://blogs.technet.com/b/msonline/archive/2009/08/17/disabling-and-deleting-user-accounts.aspx
Disabling a user account prevents user access to e-mail and Microsoft SharePoint Online data, but retains the user’s data. Disabling a user account also keeps the user license associated with that account. This is the best option to utilize when a person leaves an organization temporarily.
QUESTION 21
Your network contains an Active Directory domain. The domain contains 1,000 user accounts.
You have a list that contains the mobile phone number of each user. You need to add the mobile number of each user to Active Directory.
What should you do?
A. Create a file that contains the mobile phone numbers, and then run ldifde.exe.
B. Create a file that contains the mobile phone numbers, and then run csvde.exe.
C. From Adsiedit, select the CN=Users container, and then modify the properties of the container.
D. From Active Directory Users and Computers, select all of the users, and then modify the properties of the users.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
CSVDE can only import and export data from AD DS.
Reference: http://technet.microsoft.com/en-us/library/cc732101.aspx
Reference: http://technet.microsoft.com/en-us/library/cc731033.aspx
Ldifde
Creates, modifies, and deletes directory objects.
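How the bulk update in Question 21 is actually done with ldifde, as an added PowerShell example (not from the page or from Microsoft): the script turns a CSV of mobile numbers into an LDIF change file of `changetype: modify` records, imports it with ldifde.exe, and spot-checks the result. The file paths, the column names and the sample rows are constructed for the example; the ActiveDirectory module is assumed to be available.

```powershell
# Added example (not from the page): import mobile numbers for many users via an
# LDIF change file and ldifde.exe. Paths and the sample CSV are constructed here.
Import-Module ActiveDirectory

$csvPath  = 'C:\temp\mobiles.csv'
$ldifPath = 'C:\temp\mobiles.ldf'

# Constructed sample input standing in for the list mentioned in the question.
@'
sAMAccountName,mobile
jsmith,+1 555 0100
adoe,+1 555 0101
'@ | Set-Content -Path $csvPath -Encoding ASCII

$records = foreach ($row in Import-Csv -Path $csvPath) {
    $user = Get-ADUser -Filter "sAMAccountName -eq '$($row.sAMAccountName)'"
    if (-not $user) { Write-Warning "No user '$($row.sAMAccountName)'; skipped"; continue }
    # One LDIF change record per user. 'replace' sets the attribute whether or
    # not it already has a value; the '-' and the blank line close the record.
    @(
        "dn: $($user.DistinguishedName)"
        'changetype: modify'
        'replace: mobile'
        "mobile: $($row.mobile)"
        '-'
        ''
    )
}
$records | Set-Content -Path $ldifPath -Encoding ASCII

# -i import, -f input file, -k keep going on constraint/"already exists" errors,
# -j directory for the ldif.log / ldif.err files worth keeping for the change record.
& ldifde.exe -i -f $ldifPath -k -j C:\temp
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE; see C:\temp\ldif.err" }

# Spot-check one user.
Get-ADUser -Identity jsmith -Properties mobile | Select-Object sAMAccountName, mobile
```

Set-ADUser -MobilePhone would update one user at a time from the same CSV; the LDIF route matches the exam answer and leaves a reviewable file of exactly what will change before anything is written to the directory.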
QUESTION 22
Your network contains an Active Directory domain named contoso.com. All domain controllers and member servers run Windows Server 2008. All client computers run Windows 7.
From a client computer, you create an audit policy by using the Advanced Audit Policy Configuration settings in the Default Domain Policy Group Policy object (GPO).
You discover that the audit policy is not applied to the member servers. The audit policy is applied to the client computers.
You need to ensure that the audit policy is applied to all member servers and all client computers.
What should you do?
A. Add a WMI filter to the Default Domain Policy GPO.
B. Modify the security settings of the Default Domain Policy GPO.
C. Configure a startup script that runs auditpol.exe on the member servers.
D. Configure a startup script that runs auditpol.exe on the domain controllers.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Advanced audit policy settings cannot be applied to Windows Server 2008 servers by using Group Policy. To work around that, we have to use a logon script to apply the audit policy to the Windows Server 2008 member servers.
Reference1:
http://technet.microsoft.com/en-us/library/ff182311.aspx
Advanced Security Auditing FAQ
The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008.
Note
In Windows Vista and Windows Server 2008, advanced audit event settings were not integrated with Group Policy and could only be deployed by using logon scripts generated with the Auditpol.exe command-line tool. In Windows Server 2008 R2 and Windows 7, all auditing capabilities are integrated with Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).
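A startup script of the kind answer C describes, as an added PowerShell example (not from the page or from Microsoft): it applies a handful of advanced audit subcategories with auditpol.exe on a Windows Server 2008 member server and then reads them back to verify. auditpol /set needs administrative rights, which a computer startup script has (it runs as Local System). The subcategory selection is an assumption; the exact names on a given machine come from `auditpol /list /subcategory:*`.

```powershell
# Added example (not from the page): startup script applying advanced audit
# policy on Windows Server 2008 with auditpol.exe. The subcategory set is an
# assumption; adjust it to the organisation's audit baseline.
$settings = @(
    @{ Subcategory = 'Logon';                     Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Special Logon';             Success = 'enable'; Failure = 'disable' },
    @{ Subcategory = 'Security Group Management'; Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Audit Policy Change';       Success = 'enable'; Failure = 'enable'  }
)

# Without this value the legacy per-category settings delivered by Group Policy
# overwrite the subcategory settings at the next policy refresh (the security
# option "Audit: Force audit policy subcategory settings ... to override audit
# policy category settings" sets the same value).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

$failed = @()
foreach ($s in $settings) {
    & auditpol.exe /set "/subcategory:$($s.Subcategory)" "/success:$($s.Success)" "/failure:$($s.Failure)" | Out-Null
    if ($LASTEXITCODE -ne 0) { $failed += "$($s.Subcategory) (auditpol /set exit code $LASTEXITCODE)"; continue }

    # Read it back. "/get ... /r" prints CSV with the columns Machine Name, Policy
    # Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $current = & auditpol.exe /get "/subcategory:$($s.Subcategory)" /r |
        Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $expected = @(
        if ($s.Success -eq 'enable') { 'Success' }
        if ($s.Failure -eq 'enable') { 'Failure' }
    ) -join ' and '
    if ($expected -eq '') { $expected = 'No Auditing' }
    if ($current.'Inclusion Setting' -ne $expected) {
        $failed += "$($s.Subcategory) (is '$($current.'Inclusion Setting')', wanted '$expected')"
    }
}

if ($failed) {
    Write-Warning ("Audit policy not fully applied on {0}:`r`n{1}" -f $env:COMPUTERNAME, ($failed -join "`r`n"))
} else {
    "Advanced audit policy applied and verified on $env:COMPUTERNAME"
}
```

Because the settings live only on each server, keep a copy of the intended policy next to the script (`auditpol /backup /file:...` produces one) and have the verification output land somewhere central, otherwise drift on a single member server goes unnoticed.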
QUESTION 23
Your network contains an Active Directory domain. The domain contains a group named Group1. The minimum password length for the domain is set to six characters.
You need to ensure that the passwords for all users in Group1 are at least 10 characters long. All other users must be able to use passwords that are six characters long.
What should you do first?
A. Run the New-ADFineGrainedPasswordPolicy cmdlet.
B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.
C. From the Default Domain Policy, modify the password policy.
D. From the Default Domain Controller Policy, modify the password policy.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
First we need to create a new Active Directory fine grained password policy, using New-ADFineGrainedPasswordPolicy.
Then we can apply the new policy to Group1, using Add-ADFineGrainedPasswordPolicySubject.
Reference:
http://technet.microsoft.com/en-us/library/ee617238.aspx
New-ADFineGrainedPasswordPolicy
Creates a new Active Directory fine grained password policy.
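Both steps from the explanation of Question 23, carried through in PowerShell as an added example (not code from the page or from Microsoft): create the fine-grained password policy (PSO) with a 10-character minimum, apply it to Group1, and then check the resultant policy for a member. Group1 and the 10-character minimum are from the question; the PSO name, precedence and the remaining settings are assumptions, as is the presence of the ActiveDirectory module.

```powershell
# Added example (not from the page): fine-grained password policy for Group1.
# The name PSO-Group1, the precedence and the lockout/age values are assumptions.
Import-Module ActiveDirectory

$psoName = 'PSO-Group1'

# Step 1 (answer A): the PSO itself. A user who is a subject of several PSOs gets
# the one with the lowest precedence; 10 leaves room for stricter policies below it.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -Description 'Minimum 10-character passwords for Group1' `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00'

# Step 2: apply it. PSOs can only be applied to users and global security groups.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Group1'

# Verify: a Group1 member must resolve to the new PSO. For a user that is not a
# subject of any PSO the cmdlet returns nothing, meaning the Default Domain
# Policy (six characters here) still applies, which is what the question requires.
$member = Get-ADGroupMember -Identity 'Group1' |
    Where-Object { $_.objectClass -eq 'user' } | Select-Object -First 1
if ($member) {
    Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName |
        Select-Object Name, Precedence, MinPasswordLength
}
```

The domain functional level must be Windows Server 2008 for PSOs to exist, and the policy only takes effect at the user's next password change; nothing forces existing six-character passwords to be rotated unless the accounts are also flagged to change password at next logon.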
QUESTION 24
Your company uses an application that stores data in an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1.
You attempt to create a snapshot of Instance1 as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that you can take a snapshot of Instance1.
What should you do?
A. At the command prompt, run net start VSS.
B. At the command prompt, run net start Instance1.
C. Set the Startup Type for the Instance1 service to Disabled.
D. Set the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Hard to find references on this, but the solution can be found by eliminating the rest.
Instance1 is running, otherwise you'd get a different message at the snapshot: create step. ("AD service must be running in order to perform this operation", on my virtual server.)
Disabling Instance1 makes no sense because you need it, nor is setting the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.
QUESTION 25
Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains a member server that is configured to collect all of the events that occur on the domain controllers.
You need to ensure that administrators are notified when a specific event occurs on any of the domain controllers. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. From Event Viewer on the member server, create a subscription.
B. From Event Viewer on each domain controller, create a subscription.
C. From Event Viewer on the member server, run the Create Basic Task Wizard.
D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Since the member server collects all domain controller events, we just need to run the Create Basic Task Wizard on the member server, which lets us send an e-mail when a specific event is logged. Running the wizard on every domain controller would also work, but it is much more work, and we need to use the minimum amount of administrative effort.
Reference:
http://technet.microsoft.com/en-us/library/cc748900.aspx
To Run a Task in Response to a Given Event
1. Start Event Viewer.
2. In the console tree, navigate to the log that contains the event you want to associate with a task.
3. Right-click the event and select Attach Task to This Event.
4. Perform each step presented by the Create Basic Task Wizard.
In the Action step in the wizard you can decide to send an e-mail.
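The same event-triggered task the wizard builds, created from the command line on the collector as an added PowerShell example (not from the page or from Microsoft). Events forwarded from the domain controllers arrive in the collector's ForwardedEvents log, so the trigger is attached there, once, rather than on each DC. Event ID 4740 (an account was locked out), the mail server, the addresses and the script path are assumptions.

```powershell
# Added example (not from the page): on the collecting member server, run a
# task when a forwarded event with a given ID is logged and e-mail the details.
# The event ID, SMTP server, addresses and paths are assumptions.
$taskName  = 'Notify-AccountLockout'
$scriptDir = 'C:\Scripts'
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null

# The action: mail the newest matching forwarded event. Written as a single-quoted
# here-string so the $(...) expressions are evaluated when the task runs, not now.
@'
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4740 } -MaxEvents 1
$body = "Reported by $($evt.MachineName) at $($evt.TimeCreated):`r`n$($evt.Message)"
Send-MailMessage -SmtpServer 'smtp.contoso.com' -From 'collector@contoso.com' `
    -To 'admins@contoso.com' -Subject "Event 4740 forwarded from $($evt.MachineName)" -Body $body
'@ | Set-Content -Path "$scriptDir\Send-LockoutMail.ps1" -Encoding ASCII

# The trigger is an XPath filter on the log, the same thing the Create Basic
# Task Wizard stores when you choose "Attach Task to This Event".
$xpath = '*[System[(EventID=4740)]]'
& schtasks.exe /Create /F /TN $taskName /RU SYSTEM /SC ONEVENT /EC ForwardedEvents /MO $xpath `
    /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $scriptDir\Send-LockoutMail.ps1"
if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }

# Confirm the trigger and action were stored as intended.
& schtasks.exe /Query /TN $taskName /V /FO LIST
```

A forwarded event keeps the original MachineName of the domain controller, which is why the mail can name the DC even though the task runs on the collector; if several DCs fire the same event within a short window the task runs once per event, so a busy event ID is better aggregated than mailed one by one.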
QUESTION 26
Your network contains an Active Directory domain controller named DC1. DC1 runs Windows Server 2008 R2.
You need to defragment the Active Directory database on DC1. The solution must minimize downtime on DC1.
What should you do first?
A. At the command prompt, run net stop ntds.
B. At the command prompt, run net stop netlogon.
C. Restart DC1 in Safe Mode.
D. Restart DC1 in Directory Services Restore Mode (DSRM).
Correct Answer: A Section: (none)
Explanation
Explanation/Reference:
We don't need to restart the server to defragment the AD database; we only need to stop AD DS and then defragment the database with ntdsutil.
Reference:
http://technet.microsoft.com/en-us/library/cc794920.aspx
To perform offline defragmentation of the directory database
1. Open a Command Prompt as an administrator.
2. At the command prompt, type the following command, and then press ENTER: net stop ntds
3. Type Y to agree to stop additional services, and then press ENTER.
4. At the command prompt, type ntdsutil, and then press ENTER.
5. (...)
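The full offline defragmentation procedure that the reference only begins (and that Question 30 refers to again under "Compact the Directory Database File"), scripted for Windows Server 2008 R2 as an added PowerShell example that is not from the page or from Microsoft: stop AD DS, compact into a separate folder with ntdsutil, swap the compacted file in, run the integrity check and start AD DS again, with the original file kept as a fallback. The working folder names are assumptions; the database and log paths are read from the NTDS service's registry parameters so they match the DC the script runs on.

```powershell
# Added example (not from the page): offline defragmentation with restartable
# AD DS, so no reboot into DSRM is needed. Folder names are assumptions.
$compactDir = 'C:\NTDS-Compact'
$backupDir  = 'C:\NTDS-Backup'
$params  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath = $params.'DSA Database file'         # usually C:\Windows\NTDS\ntds.dit
$logDir  = $params.'Database log files path'   # usually C:\Windows\NTDS

New-Item -ItemType Directory -Path $compactDir, $backupDir -Force | Out-Null

# 1. Stop AD DS (answer A: net stop ntds). Dependent services such as DNS and the
#    KDC stop with it, so clients should be using another DC for the duration.
Stop-Service -Name NTDS -Force
Copy-Item -Path $ditPath -Destination $backupDir -Force   # fallback copy of the original

try {
    # 2. Compact into the separate folder. ntdsutil accepts its menu commands as arguments.
    & ntdsutil.exe 'activate instance ntds' 'files' "compact to $compactDir" 'quit' 'quit' | Out-Null
    $compacted = Join-Path $compactDir 'ntds.dit'
    if (-not (Test-Path $compacted)) { throw 'ntdsutil did not produce a compacted ntds.dit' }

    # 3. Replace the database with the compacted file and delete the old transaction
    #    logs, as the procedure requires (they belong to the old file).
    Copy-Item -Path $compacted -Destination $ditPath -Force
    Remove-Item -Path (Join-Path $logDir '*.log') -Force

    # 4. Integrity check on the new file before it is ever used.
    $result = & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit'
    if (-not ($result -match 'Integrity check successful')) {
        throw ("Integrity check failed:`r`n" + ($result -join "`r`n"))
    }
}
catch {
    Write-Warning "Compaction failed, restoring the original database: $_"
    Copy-Item -Path (Join-Path $backupDir 'ntds.dit') -Destination $ditPath -Force
}
finally {
    # 5. Start AD DS again (net start ntds) together with the services that stopped with it.
    Start-Service -Name NTDS
    Get-Service -Name NTDS -DependentServices |
        Where-Object { $_.Status -ne 'Running' } | Start-Service
}

# Sizes before and after, for the change record.
'{0:N0} MB before, {1:N0} MB after' -f ((Get-Item (Join-Path $backupDir 'ntds.dit')).Length / 1MB),
                                       ((Get-Item $ditPath).Length / 1MB)
```

The compacted copy needs free space equal to the current database size on the target volume, and on Windows Server 2008 (without R2) the same commands work from the same restartable AD DS; only pre-2008 DCs need the reboot into DSRM that answer D describes.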
QUESTION 27
Your network contains a single Active Directory domain named contoso.com.
An administrator accidentally deletes the _msdsc.contoso.com zone. You recreate the _msdsc.contoso.com zone.
You need to ensure that the _msdsc.contoso.com zone contains all of the required DNS records.
What should you do on each domain controller?
A. Restart the Netlogon service.
B. Restart the DNS Server service.
C. Run dcdiag.exe /fix.
D. Run ipconfig.exe /registerdns.
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Reference 1:
http://support.microsoft.com/kb/817470
To register the required records to the single root domain controller, restart the Net Logon service on all the domain controllers. The replication works correctly if the replication window is not less than the default DNS Time to Live (TTL) entry. To restart the Net Logon service, follow these steps:
1. Click Start, click Run, type cmd in the Open box, and then press ENTER.
2. At the command prompt, type the following command, and then press ENTER: net stop netlogon
3. Type net start netlogon, and then press ENTER.
Reference 2:
http://serverfault.com/questions/383915/how-do-i-manually-create-the-msdcs-dns-zone-for-a-domain-that-was-created-pre-s
Be sure to restart the Netlogon services on all DC's when the zone has been replicated to them. This forces the DC's to register their SRV records in the _msdcs zone.
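Restarting Net Logon on every DC and then proving that the SRV records are back, as an added PowerShell example (not from the page, the KB article or the ServerFault answer). It covers Question 27 and the same Netlogon re-registration that Question 19 asks about. contoso.com is from the question; the script assumes the ActiveDirectory module and WinRM (Invoke-Command) on the DCs, and uses nslookup because Resolve-DnsName does not exist on Windows Server 2008 R2.

```powershell
# Added example (not from the page): restart Net Logon on all DCs so each one
# re-registers its SRV records in the recreated _msdcs zone, then verify.
Import-Module ActiveDirectory

$domain = 'contoso.com'
$dcs = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName.ToLower() })

foreach ($dc in $dcs) {
    # Equivalent of "net stop netlogon" followed by "net start netlogon" on that DC.
    Invoke-Command -ComputerName $dc -ScriptBlock { Restart-Service -Name Netlogon -Force }
}

# Netlogon registers its records right after it starts; give the DNS server a
# moment to accept the dynamic updates before checking.
Start-Sleep -Seconds 30

# Every DC must be a target of _ldap._tcp.dc._msdcs.<domain>. nslookup prints one
# "svr hostname = <dc>" line per target of the SRV record.
$registered = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>$null |
    ForEach-Object { if ($_ -match 'svr hostname\s*=\s*(\S+)') { $Matches[1].TrimEnd('.').ToLower() } }

$missing = $dcs | Where-Object { $registered -notcontains $_ }
if ($missing) {
    Write-Warning ("Not registered yet: {0}. Re-check after the DNS TTL, or run 'nltest /dsregdns' on those DCs." -f ($missing -join ', '))
} else {
    "All $($dcs.Count) domain controllers are registered in _msdcs.$domain"
}
```

nltest /dsregdns asks the DC locator to re-register its DNS records without restarting the service, which is the gentler option when a DC cannot afford the brief Net Logon outage; the restart in the KB article is what the exam answer expects.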
QUESTION 28
Your network contains an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the records are replicated to all DNS servers.
Which tool should you use?
A. Dnslint
B. Ldp
C. Nslookup
D. Repadmin
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Practically the same question as G/Q8, J/Q24, K/Q8, K/Q31, different set of answers sometimes.
To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool.
Reference:
http://technet.microsoft.com/en-us/library/cc811569.aspx
Forcing Replication
Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements.
Force a replication event with all partners
The repadmin /syncall command synchronizes a specified domain controller with all replication partners.
Syntax
repadmin /syncall <DC> [<NamingContext>] [<Flags>]
Parameters
<DC>
Specifies the host name of the domain controller to synchronize with all replication partners.
<NamingContext>
Specifies the distinguished name of the directory partition.
<Flags>
Performs specific actions during the replication.
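The repadmin /syncall usage for Question 28, as an added PowerShell example (not from the page or from Microsoft): push the partition that stores the Active Directory-integrated zone from one DC to all of its partners, then ask every DNS server for one of the newly added records. DC01, the record name and the zone's replication scope are assumptions; contoso.com is used as the zone name, and the ActiveDirectory module is assumed.

```powershell
# Added example (not from the page): force replication of the DNS partition and
# verify on every DNS server. DC01, app01 and the replication scope are assumptions.
Import-Module ActiveDirectory

$sourceDc  = 'DC01'
$newRecord = 'app01.contoso.com'   # one of the records that was just added

# A zone replicated to "all DNS servers in this domain" lives in the DomainDnsZones
# application partition (ForestDnsZones for forest-wide scope, the domain partition
# itself for Windows 2000-compatible scope). Pick the partition that matches the zone.
$domainDn  = (Get-ADDomain).DistinguishedName
$partition = "DC=DomainDnsZones,$domainDn"

# /e cross site boundaries, /P push changes outward from the source DC,
# /d identify partners by distinguished name instead of GUID in the output.
& repadmin.exe /syncall $sourceDc $partition /e /P /d
if ($LASTEXITCODE -ne 0) { throw "repadmin /syncall reported errors (exit code $LASTEXITCODE)" }

# Every DC hosts DNS in this question, so query each server directly for the record.
$dnsServers = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }
foreach ($server in $dnsServers) {
    $answer = & nslookup.exe $newRecord $server 2>$null
    if ($answer -match '^Name:') {
        "$server : $newRecord resolves"
    } else {
        Write-Warning "$server : $newRecord not answered yet"
    }
}
```

Directory replication and the DNS server's view of the zone are two steps: each DNS server reloads zone changes from the directory on its own polling interval (three minutes by default), so a record can be replicated before that server answers for it; `dnscmd <server> /zoneupdatefromds <zone>` makes a server reload immediately if the check above still fails after /syncall completes.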
QUESTION 29
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and eu.contoso.com. All domain controllers are DNS servers.
The domain controllers in contoso.com host the zone for contoso.com. The domain controllers in eu.contoso.com host the zone for eu.contoso.com. The DNS zone for contoso.com is configured as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that all domain controllers in the forest host a writable copy of _msdsc.contoso.com.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create a zone delegation record in the contoso.com zone.
B. Create a zone delegation record in the eu.contoso.com zone.
C. Create an Active Directory-integrated zone for _msdsc.contoso.com.
D. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com.
Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
Note that the question speaks of _msdSC instead of _msdCS. Not sure if it means something; probably a typo.
QUESTION 30
You need to compact an Active Directory database on a domain controller that runs Windows Server 2008 R2.
What should you do?
A. Run defrag.exe /a /c.
B. Run defrag.exe /c /u.
C. From Ntdsutil, use the Files option.
D. From Ntdsutil, use the Metadata cleanup option.
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Reference 1:
http://technet.microsoft.com/en-us/library/cc794920.aspx
Compact the Directory Database File (Offline Defragmentation)
You can use this procedure to compact the Active Directory database offline. Offline defragmentation returns free disk space in the Active Directory database to the file system. As part of the offline defragmentation procedure, check directory database integrity.
Performing offline defragmentation creates a new, compacted version of the database file in a different location.
Reference 2:
Mastering Windows Server 2008 R2 (Sybex, 2010) page 805
Performing Offline Defragmentation of Ntds.dit
These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder, map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate.
1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator.