QUESTION 40

Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

You need to approve a pending certificate request.

Which snap-in should you use?

A. Active Directory Users and Computers
B. Authorization Manager
C. Certification Authority
D. Group Policy Management
E. Certificate Templates
F. TPM Management
G. Certificates
H. Enterprise PKI
I. Security Templates

Correct Answer: C

Section: (none) Explanation

Explanation/Reference:

Practically the same question as K/Q15.

Reference:

http://technet.microsoft.com/de-de/library/ff849263.aspx

To issue a pending certificate request:

1. Log on to your root CA by using an account that is a certificate manager.

2. Start the Certification Authority snap-in.

3. In the console tree, expand your root CA, and click Pending Certificates.

4. In the details pane, right-click the pending CA certificate, and click Issue.
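The same approval done from the command line with certutil.exe, as an added example that is not part of the exam dump or the TechNet article. It assumes you run it on the CA (or against it with -config) as an account that holds the "Issue and Manage Certificates" permission; the CA config string and Request ID 42 are placeholders.

```powershell
# Added example: approve a pending request with certutil instead of the snap-in.
# Assumed values: the CA config string (<host>\<CA common name>) and Request ID 42.
$CaConfig = 'CA1.adatum.com\adatum-CA1-CA'

# 1. List what the CA is holding. Disposition 9 is "request pending".
certutil -config $CaConfig -view -restrict "Disposition=9" `
    -out "RequestId,RequesterName,CommonName,CertificateTemplate,SubmittedWhen"

# 2. Look at the one request before issuing it: the requester and subject shown
#    here are what the CA is about to vouch for, so do not approve blindly.
$RequestId = 42
certutil -config $CaConfig -view -restrict "RequestId=$RequestId" `
    -out "RequestId,RequesterName,CommonName,CertificateTemplate"

# 3. Issue it (equivalent of right-click > All Tasks > Issue in the snap-in).
#    "certutil -config $CaConfig -deny $RequestId" rejects it instead.
certutil -config $CaConfig -resubmit $RequestId

# 4. Confirm the outcome: Disposition 20 = issued, 31 = denied, 30 = error.
certutil -config $CaConfig -view -restrict "RequestId=$RequestId" `
    -out "RequestId,Disposition,DispositionMessage"
```

Step 2 is the part the GUI procedure skips over: a pending request whose template allows the subject to be supplied in the request will carry whatever name the requester put in it, so check it before issuing.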

Exam H

QUESTION 1

Your network contains an Active Directory domain named adatum.com.

You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).

Under which node in the DNS snap-in should you add a zone?

A. Reverse Lookup Zones
B. adatum.com
C. Forward Lookup Zones
D. Conditional Forwarders
E. _msdcs.adatum.com

Correct Answer: A

Section: (none) Explanation

Explanation/Reference:

Practically the same as I/Q13.

Reference:

Mastering Microsoft Windows Server 2008 R2 (Sybex, 2010) page 193

A forward lookup means the client provides a fully qualified domain name and the DNS server returns an IP address. A reverse lookup does the opposite: the client provides an IP address, and then the DNS server returns an FQDN.

QUESTION 2

Your network contains an Active Directory domain named adatum.com. The domain contains a domain controller named DC1. DC1 has an IP address of 192.168.200.100.

You need to identify the zone that contains the Pointer (PTR) record for DC1.

Which zone should you identify?

A. adatum.com

B. _msdcs.adatum.com
C. 100.168.192.in-addr.arpa
D. 200.168.192.in-addr.arpa

Correct Answer: D

Section: (none) Explanation

Explanation/Reference:

Reference 1:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 57

Reverse lookup: This occurs when a client computer knows the IP address of another computer and requires its hostname, which can be found in the DNS server’s PTR (pointer) resource record.

Reference 2:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010)

page 45/730

You are configuring a reverse lookup zone for your network, which uses the Class C network address range of 192.168.5.0/24. Which of the following addresses should you use for the reverse lookup zone?

a. 5.168.192.in-addr.arpa
b. 0.5.168.192.in-addr.arpa
c. 192.168.5.in-addr.arpa
d. 192.168.5.0.in-addr.arpa

The reverse lookup zone contains octets of the network portion of the IP address in reverse sequence and uses a special domain name ending in in-addr.arpa. Thus the correct address is 5.168.192.in-addr.arpa. You do not use the host portion of the IP address, so 0.5.168.192.in-addr.arpa is incorrect. The octets must be specified in reverse sequence, so the other two choices are both incorrect.
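The rule in the two references above (reversed network octets under in-addr.arpa, host octets left out of the zone name), written out as PowerShell functions and followed by the dnscmd commands that create the zone and DC1's PTR record on a Windows Server 2008 R2 DNS server. This is an added example, not code from the exam dump or the books cited; it generalises the /24 case to /8 and /16, and "dc1.adatum.com" is the assumed FQDN of DC1.

```powershell
# Added example: derive reverse zone and PTR names, then create them with dnscmd.

function Get-ReverseZoneName {
    # Classful reverse zone for a /8, /16 or /24 network: the network octets,
    # reversed, under in-addr.arpa. The host octets are never part of the name.
    param([Parameter(Mandatory = $true)][string]$Network)   # e.g. 192.168.5.0/24
    $address, $prefix = $Network -split '/'
    $prefix = [int]$prefix
    if ((8, 16, 24) -notcontains $prefix) {
        throw "Classful reverse zones need a /8, /16 or /24 network, got /$prefix"
    }
    $octets = @($address -split '\.')
    $networkOctets = @($octets[0..($prefix / 8 - 1)])
    [array]::Reverse($networkOctets)
    return ($networkOctets -join '.') + '.in-addr.arpa'
}

function Get-PtrOwnerName {
    # Owner name of one host's PTR record: the host octets, reversed, under the zone.
    param([Parameter(Mandatory = $true)][string]$IPAddress,
          [Parameter(Mandatory = $true)][int]$PrefixLength)
    $octets = @($IPAddress -split '\.')
    $hostOctets = @($octets[($PrefixLength / 8)..3])
    [array]::Reverse($hostOctets)
    $zone = Get-ReverseZoneName "$IPAddress/$PrefixLength"
    return ($hostOctets -join '.') + '.' + $zone
}

# The two cases from the page.
Get-ReverseZoneName '192.168.5.0/24'
Get-ReverseZoneName '192.168.200.0/24'
Get-PtrOwnerName -IPAddress 192.168.200.100 -PrefixLength 24

# Create the zone under Reverse Lookup Zones as an AD-integrated primary zone,
# add DC1's PTR record (node name is the host part only) and test the lookup.
$zone = Get-ReverseZoneName '192.168.200.0/24'
dnscmd /ZoneAdd $zone /DsPrimary
dnscmd /RecordAdd $zone 100 PTR dc1.adatum.com.
nslookup 192.168.200.100
```

Get-ReverseZoneName returns 5.168.192.in-addr.arpa for the Pearson question (answer a) and 200.168.192.in-addr.arpa for Q2 (answer D); Get-PtrOwnerName returns 100.200.168.192.in-addr.arpa for DC1, which is why the PTR node inside that zone is just "100". Supernets that are not octet-aligned (a /22, say) need RFC 2317-style delegation and are deliberately rejected by the function.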

QUESTION 3

Your network contains an Active Directory forest named adatum.com. The DNS infrastructure fails.

You rebuild the DNS infrastructure.

You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.

Which service should you restart on the domain controllers?

A. Netlogon
B. DNS Server
C. Network Location Awareness
D. Network Store Interface Service
E. Online Responder Service

Correct Answer: A

Section: (none) Explanation

Explanation/Reference:

Reference:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62

The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.
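What the restart looks like in practice, with the checks that tell you whether the records actually came back. This is an added example, not from the exam dump or the cert guide; it assumes it is run on DC1 as an administrator, with adatum.com as the domain from the question.

```powershell
# Added example: force and verify SRV record registration on a DC after a DNS rebuild.

# Netlogon registers the DC's A and SRV records every time it starts, so restarting
# that one service forces registration without rebooting the domain controller.
Restart-Service -Name Netlogon

# Same effect without a service restart: ask Netlogon to re-register right now.
nltest /dsregdns

# Netlogon writes every record it tries to register to netlogon.dns; this is the
# list to compare against the zone when registration keeps failing.
Get-Content "$env:SystemRoot\System32\config\netlogon.dns" |
    Select-String '_ldap._tcp.dc._msdcs|_kerberos._tcp.dc._msdcs'

# Verify from the client side: these two SRV records are what a client queries
# to find a domain controller for LDAP and Kerberos.
nslookup -type=SRV _ldap._tcp.dc._msdcs.adatum.com.
nslookup -type=SRV _kerberos._tcp.dc._msdcs.adatum.com.

# dcdiag runs the registration end to end and names any record this DC could not
# register (this test runs locally on the DC being checked).
dcdiag /test:RegisterInDNS /DnsDomain:adatum.com
```

If the nslookup queries still come back empty after the restart, the usual cause on a rebuilt zone is dynamic updates: an AD-integrated zone must allow secure dynamic updates, otherwise Netlogon's registration attempts are refused and netlogon.dns is the only place the records exist.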

QUESTION 4

Your network contains an Active Directory domain named adatum.com.

The password policy of the domain requires that the passwords for all user accounts be changed every 50 days.

You need to create several user accounts that will be used by services. The passwords for these accounts must be changed automatically every 50 days.

Which tool should you use to create the accounts?

A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Active Directory Module for Windows PowerShell
D. ADSI Edit
E. Active Directory Domains and Trusts

Correct Answer: C

Section: (none) Explanation

Explanation/Reference:

Use the New-ADServiceAccount cmdlet in the Active Directory module for Windows PowerShell to create the accounts as managed service accounts. Managed service accounts provide automatic password management, so their passwords are rotated without an administrator ever resetting them.

Reference 1:

http://technet.microsoft.com/en-us/library/dd367859.aspx

What are the benefits of new service accounts?

In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts:

(...)

Unlike with regular domain accounts in which administrators must reset passwords manually, the network passwords for these accounts will be reset automatically.

(...)

Reference 2:

http://technet.microsoft.com/en-us/library/dd391964.aspx

Use the Active Directory module for Windows PowerShell to create a managed service account.

Reference 3:

http://technet.microsoft.com/en-us/library/dd548356.aspx

To create a new managed service account

1. On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc, and then click OK to open the Active Directory Users and Computers snap-in. Confirm that the Managed Service Account container exists.

2. Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShell icon.

3. Run the following command: New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>].
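The three steps above carried through to a working service, as an added example that is not part of the exam dump or the TechNet procedure. The account name svc_app, the host APP1 and the service name AppService are assumed for illustration; the domain is adatum.com as in the question.

```powershell
# Added example: create a Windows Server 2008 R2 managed service account (MSA),
# bind it to the one host that may use it, and run a service under it.
# Assumed names: svc_app, APP1, AppService. Domain: adatum.com.
Import-Module ActiveDirectory

# On a DC or an admin workstation with the AD module (step 3 of the procedure):
New-ADServiceAccount -Name svc_app -Enabled $true `
    -Description "MSA for the AppService service on APP1" `
    -Path "CN=Managed Service Accounts,DC=adatum,DC=com"

# A 2008 R2 MSA belongs to exactly one computer; authorise APP1 to use it.
Add-ADComputerServiceAccount -Identity APP1 -ServiceAccount svc_app

# Check the object: an MSA has its own object class and a back-link to its host.
Get-ADServiceAccount -Identity svc_app -Properties HostComputers, PasswordLastSet |
    Select-Object Name, ObjectClass, Enabled, HostComputers, PasswordLastSet

# On APP1 itself, as a local administrator: install the account so the host can
# fetch and rotate its password, and confirm the host can log it on.
Install-ADServiceAccount -Identity svc_app
Test-ADServiceAccount -Identity svc_app      # $true when the host can use it

# Point the service at the MSA. The logon name is DOMAIN\name$ and the password
# is left blank: the host, not the administrator, holds the real secret.
sc.exe config AppService obj= "ADATUM\svc_app$" password= ""
Restart-Service -Name AppService
```

PasswordLastSet is the value to watch afterwards: on 2008 R2 the MSA's password is rotated by the host on the machine account password age policy ("Domain member: Maximum machine account password age", 30 days by default), not by a per-account interval, so if the domain policy has been changed the rotation follows that change rather than the user password policy named in the question.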

Reference 4:

http://technet.microsoft.com/en-us/library/hh852236.aspx

Use the -ManagedPasswordIntervalInDays parameter with New-ADServiceAccount to specify the number of days for the password change interval. Note that this parameter belongs to the Windows Server 2012 version of the cmdlet and applies to group managed service accounts only; the Windows Server 2008 R2 cmdlet has no such parameter, and a 2008 R2 managed service account changes its password on the machine account password age policy (30 days by default).

-ManagedPasswordIntervalInDays <Int32>

Specifies the number of days for the password change interval. If set to 0 then the default is used. This can only be set on object creation. After that the setting is read only. This value returns the msDS-ManagedPasswordInterval of the group managed service account object.

The following example shows how to specify a 90-day password change interval:

-ManagedPasswordIntervalInDays 90

QUESTION 5

Your network contains an Active Directory domain. The domain contains several domain controllers.

You need to modify the Password Replication Policy on a read-only domain controller (RODC).

Which tool should you use?

A. Group Policy Management
B. Active Directory Domains and Trusts
C. Active Directory Users and Computers
D. Computer Management
E. Security Configuration Wizard

Correct Answer: C

Section: (none) Explanation

Explanation/Reference:

Practically the same as I/Q12.

Reference:

http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx

Administering the Password Replication Policy

This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs).

To configure the PRP using Active Directory Users and Computers
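The same PRP change made with the Active Directory module for Windows PowerShell and repadmin, the two non-GUI tools the TechNet topic also covers, as an added example that is not part of the exam dump or the article. The RODC name RODC1 and the groups "Branch Users" and "Tier0 Service Accounts" are assumed names.

```powershell
# Added example: view, change and audit an RODC's Password Replication Policy.
# Assumed names: RODC1, "Branch Users", "Tier0 Service Accounts"; domain adatum.com.
Import-Module ActiveDirectory

# Current policy. The Allowed and Denied lists are stored on the RODC's computer
# object (msDS-RevealOnDemandGroup and msDS-NeverRevealGroup respectively).
Get-ADDomainControllerPasswordReplicationPolicy -Identity RODC1 -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity RODC1 -Denied

# Let the branch office users' passwords be cached on RODC1 so they can log on
# when the WAN link to the writable DCs is down.
Add-ADDomainControllerPasswordReplicationPolicy -Identity RODC1 -AllowedList "Branch Users"

# Keep sensitive accounts off the RODC even if they are also in an allowed group:
# a Denied entry always wins over an Allowed one.
Add-ADDomainControllerPasswordReplicationPolicy -Identity RODC1 -DeniedList "Tier0 Service Accounts"

# Audit what has actually been cached. This list, not the policy, is what an
# attacker who takes the RODC (or its disk) obtains.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity RODC1 -RevealedAccounts |
    Select-Object SamAccountName, DistinguishedName

# The same operations with repadmin /prp: view allow|deny|auth2|reveal, add/delete.
repadmin /prp view RODC1 reveal
repadmin /prp add RODC1 allow "CN=Branch Users,CN=Users,DC=adatum,DC=com"
```

Adding a group to the Allowed list does not cache anything by itself; a member's secret replicates to the RODC the first time that member authenticates through it (or when you prepopulate it), which is why the "reveal" list is the one to review after any policy change.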
