Download Safari Books Online apps: Apple iOS | Android

Entire Site

Safari Books Online

    Free Trial

    Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.


    • Create BookmarkCreate Bookmark
    • Create Note or TagCreate Note or Tag
    • DownloadDownload
    • PrintPrint
    Share this Page URL
    Help

    Practice Exam

    Practice Exam

    1.Brett is the systems administrator for a company that operates an AD DS domain with two sites corresponding to the head office and a suburban branch office. Servers run a mix of Windows Server 2003 R2 and Windows Server 2008 and client computers run a mix of Windows XP Professional, Windows Vista Business, and Windows 7 Professional.

    Brett deploys Active Directory Rights Management Services (AD RMS) on a server in the head office and sets up a rights-enabled application to enable users to create and work with rights-protected files and folders. Users of Windows XP Professional computers report that they are unable to create rights-protected files.

    Brett must enable all users to create rights-protected files. What should he do to accomplish this objective with the least amount of administrative effort?

    1. Install the AD RMS client software on all Windows XP client computers.

    2. Upgrade all Windows XP client computers to Windows Vista or Windows 7.

    3. Upgrade all domain controllers to Windows Server 2008.

    4. Install Active Directory Metadirectory Services (AD MDS) on a Windows Server 2008 computer.

    2.Shirley administers the network for a catering company called Thoughtful Food. This firm operates a single domain AD DS network that includes three Windows Server 2008 computers and a mix of Windows XP Professional and Windows 7 Professional clients. Management has notified Shirley that a competitor known as Engorge & Devour has taken a keen interest in her pumpkin soup recipe. Two employees of Thoughtful Food have recently resigned and taken up positions with Engorge & Devour, and management is afraid that they will attempt to steal proprietary formulas and recipes belonging to Thoughtful Food by breaking into the network. Shirley is tasked with improving logon security on Thoughtful Food’s network by limiting the number of failed logon attempts for all users on the network and by establishing an audit policy for tracking failed logon attempts.

    Which of the following tasks should she undertake to complete this task? (Each correct answer represents part of the solution. Choose two answers.)

    1. Edit the Default Domain Policy GPO to enable auditing and account lockout.

    2. Monitor the security log for failed account management attempts on each domain controller.

    3. Monitor the security log for failed logon attempts on each domain controller.

    4. Configure a local security policy on each computer in the domain.

    3.Phil is the network administrator for a company that operates an AD DS network consisting of a single domain. DNS is running as an Active Directory–integrated zone on two domain controllers named Server1 and Server2. One morning, several users inform him that they were unable to access a resource by name. In attempting to troubleshoot this problem, he notices that the event logs at Server2 contain several errors with ID 4006 and containing a message that the DNS server was unable to load the records in the specified name found in the Active Directory–integrated zone.

    What should Phil do to enable proper name resolution and prevent these errors from occurring in the future?

    1. Access the Debug Logging tab of the server’s Properties dialog box and enable logging of incoming and outgoing packets for queries and transfers.

    2. Access the Monitoring tab of the server’s Properties dialog box, perform a simple and recursive test, and then check that the cache.dns file is present and configured properly.

    3. Access the Advanced tab of the server’s Properties dialog box and select the All names option in the Name Checking section of this tab.

    4. Access the Advanced tab of the server’s Properties dialog box and select the Strict RFC (ANSI) option in the Name Checking section of this tab.

    4.Edward is the systems administrator for his company, which operates an AD DS forest consisting of a single domain. The network operates at the Windows Server 2003 domain and forest functional level. He has accidentally deleted the Management OU from a domain controller running Windows Server 2008 R2. The deletion has propagated to other domain controllers, and Edward urgently needs to get this OU back before he receives complaints from managers who are unable to log on. He has a system state backup that was created the previous evening. Which of the following steps must he perform to get this OU back? (Each correct answer represents part of the solution. Choose all that apply, and arrange these steps in the order in which Edward must perform them.)

    1. At a command prompt, type the wbadmin get versions command.

    2. Restart the domain controller normally.

    3. At a command prompt, type the net stop ntds command.

    4. Use the ntdsutil utility to mark the restored OU as authoritative.

    5. Restart the domain controller using the Windows Server 2008 R2 DVD, and select the Repair your computer option.

    6. Restart the domain controller in Directory Services Restore Mode.

    7. Restore the OU from the Active Directory Recycle Bin.

    8. At a command prompt, type the wbadmin start recovery command.

    9. At a command prompt, type the wbadmin start systemstaterecovery command.

    10. At a command prompt, type the net start ntds command.

    5.Mike is the systems administrator for a company that operates an AD DS network consisting of a single domain. The company operates a head office and three branch offices, each of which has been set up with a read-only domain controller (RODC) to handle employee authentication locally.

    A technician named Christina regularly travels to the branch offices to ensure that the computer network in each office is working properly. Her job duties require that she perform administrative actions on each RODC, but she does not need to perform such actions on domain controllers located at the head office. She must be ensured that she can log on to each RODC with her domain user account even if the connection to the head office happens to be down.

    Which of the following actions should Mike perform so that Christina can perform her duties, without granting her excessive administrative privileges? (Each correct answer represents part of the solution. Choose two answers.)

    1. Configure each RODC with a password replication policy that includes Christina’s user account in the Denied list.

    2. Configure each RODC with a password replication policy that includes Christina’s user account in the Allowed list.

    3. Add Christina’s user account to the Domain Admins global group.

    4. Add Christina’s user account to the Server Operators global group.

    5. Add Christina’s user account to each RODC’s local Administrators group.

    6.Veronica is in charge of Group Policy object (GPO) creation for her company, which operates an AD DS network consisting of six domains and 20 sites. Although Veronica is responsible for creating all GPOs, other administrators are responsible for applying the GPOs to the domains for which they are responsible. Veronica wants to grant these administrators permission to apply the GPOs but not to modify them.

    How can Veronica maintain control over the creation of GPOs while permitting other administrators to determine where they will be applied?

    1. Right-click the desired domain in the Group Policy Management Console and select Delegate Control. In the Delegation of Control Wizard, she should select the Manage Group Policy links task.

    2. Right-click the desired domain in the Group Policy Management Console and select Delegate Control. In the Delegation of Control Wizard, she should specify the required users or groups and then select the Manage Group Policy links task.

    3. Right-click the desired users or groups in Active Directory Users and Computers and select Delegate Control. In the Delegation of Control Wizard, she should select the Manage Group Policy links task.

    4. Right-click the desired domain in Active Directory Users and Computers and select Delegate Control. In the Delegation of Control Wizard, she should specify the required users or groups and then select the Manage Group Policy links task.

    7.Roy is responsible for maintaining DNS on his company’s AD DS network, which consists of a single domain in which all servers run Windows Server 2008 R2. The company operates an office in downtown Denver and a suburban office in Littleton.

    After upgrading a member server in the company’s suburban office to a domain controller, users at that office report that logon to the domain is slow. On investigating the problem, Roy notices that the service (SRV) resource records for the new domain controller are not registered in the DNS zone for the suburban office. What should he do to re-register these SRV resource records as fast as possible?

    1. Restart the DNS Server service.

    2. Restart the DNS Client service.

    3. Restart the Netlogon service.

    4. Reboot the domain controller.

    8.Oliver is a systems administrator for a company that operates an Active Directory forest with two domains and eight sites. All servers run either the original or R2 version of Windows Server 2008, and all client computers run either Windows XP Professional or Windows 7 Professional. Administrators at remote sites have informed Oliver that intersite replication is slow at times and he needs to investigate the source of this problem. How should he obtain information regarding the possible causes of this problem? (Choose all that apply.)

    1. Use Event Viewer to check for errors and warnings that relate to replication problems.

    2. Use dcdiag to test connectivity and replication at the domain controller.

    3. Use ntdsutil to obtain information about replication slowdowns and failures.

    4. Use repadmin to obtain information about replication slowdowns and failures.

    9.Ellen is the network administrator for a regional hospital complex that operates an AD DS forest containing a root domain and two child domains. All domain controllers in the root domain and one child domain run Windows Server 2003 and the domain controllers in the second child domain run Windows 2000 Server.

    Ellen is planning an upgrade of the domain controllers in the root domain to Windows Server 2008. She is also planning to install a read-only domain controller (RODC) in this domain.

    Which of the following configuration actions represent the minimum actions that Ellen must perform in order to upgrade the forest to accept Windows Server 2008 domain controllers including the RODC? (Each correct answer represents part of the solution. Choose all that apply.)

    1. Upgrade all domain controllers in the second child domain to Windows Server 2003 or 2008.

    2. Upgrade all domain controllers in the forest to Windows Server 2008.

    3. Upgrade the PDC emulator in the root domain to Windows Server 2008.

    4. Raise the domain and forest functional levels to Windows Server 2003.

    5. Raise the domain and forest functional levels to Windows Server 2008.

    6. Run the Adprep /forestprep command at the schema master.

    7. Run the Adprep /forestprep command at the domain naming master.

    8. Run the Adprep /domainprep command at the RID master in the forest root domain.

    9. Run the Adprep /domainprep command at the infrastructure master in the forest root domain.

    10. Run the Adprep /rodcprep command at the infrastructure master in the forest root domain.

    11. Run the Adprep /rodcprep command at the PDC emulator in the forest root domain.

    10.Stephanie is a network administrator for Certguide.com, which has just merged with a former competitor named Que.com. Customers and business partners of the second company have communicated with the company’s employees using their email addresses of the format user@que.com. This is a well-established relationship that has existed for a number of years, and managers in both companies want to retain these email addresses.

    Stephanie is merging the networks of the two companies under the certguide.com AD DS domain, which operates at the Windows Server 2008 domain and forest functional level. Users in the company use their email addresses to log on, and Stephanie needs to incorporate the new users from que.com into the network while retaining their existing email address and using these addresses to log on to the certguide.com domain.

    What should Stephanie do to accomplish this objective with the least amount of administrative effort?

    1. Create a new Active Directory forest named que.com and create user accounts for the new users in that forest.

    2. Create a new domain as a separate domain tree named que.com and create user accounts for the new users in that domain.

    3. Create user accounts for the new users in the existing domain and assign them user logon names in the format of user@que.com.

    4. Create user accounts for the new users in the existing domain and specify an alternative UPN suffix of que.com.

    11.Scott is responsible for maintaining AD CS on his company’s AD DS network, which consists of a single domain. He has used the Certificate Services snap-in to configure a version 2 certificate template that will be used for archiving the subject’s encryption private key. Certificates issued with this template will be used for signature purposes. However, Scott discovers that the private keys associated with these certificates are not being archived. What should he do?

    1. On the template’s Request Handling tab, select the Signature and encryption option and then select Archive subject’s encryption private key.

    2. On the template’s Request Handling tab, select the Allow private key to be exported option.

    3. Duplicate the template and select the Windows Server 2008 Enterprise option to create a version 3 certificate template.

    4. On the template’s Security tab, enable the Autoenroll permission.

    12.Donna administers a single AD DS domain called que.com. She has decided against configuring que.com as an Active Directory–integrated zone. Donna has designated her domain controllers as Scorpio01 and Scorpio02. Her DNS servers are called Taurus01, Taurus02, and Taurus03. Taurus01 is the master DNS server. Taurus02 and Taurus03 are secondary DNS servers.

    Donna would like only Taurus01 and Taurus02 to be authoritative for the que.com zone, so she specifies these two servers on the Name Servers tab of the que.com Properties dialog box. She accesses the Zone Transfers tab and clicks Notify to open the Notify dialog box. How should she configure the options in this dialog box so that all DNS servers are notified of any DNS zone updates? (Each correct answer represents part of the solution. Choose two answers.)

    1. Select the Automatically notify check box.

    2. Clear the Automatically notify check box.

    3. Select the Servers listed on the Name Servers tab option.

    4. Select the option labeled The following servers and specify IP address information for Taurus01, Taurus02, and Taurus03.

    5. Select the option labeled The following servers and specify IP address information for Taurus01, Scorpio01, and Scorpio02.

    6. Select the option labeled The following servers and specify IP address information for Taurus02 and Taurus03.

    13.Mark’s company has just merged operations with a former competitor. Mark’s company operates an AD DS forest with four domains in a single tree and running at the Windows Server 2008 functional level. The other company operates a forest with three domains in a single tree and running at the Windows Server 2003 functional level.

    Managers at the other company want to keep their operations as separate as possible; however, employees whose user accounts are in various domains of both forests require access to resources in all domains. What should Mark do to enable access to the other forest with the least amount of effort?

    1. He should create an external trust between child domains of the two forests.

    2. He should create a shortcut trust between child domains of the two forests.

    3. He should create a forest trust between the two forests.

    4. He should inform his manager that the other company’s forest should be reconfigured as a second tree in his company’s forest.

    14.Carolyn is the network administrator for a company that has offices in seven U.S. cities. The company operates an AD DS network with a single domain and sites representing the cities in which offices are located. The offices are connected with WAN links of varying bandwidth and Carolyn has configured site links in Active Directory for the various available links.

    Her company operates a small office located in Duluth, which connects to the company’s Minneapolis office by a T1 link and to the company’s Chicago office by a 56 Kbps dial-up link. The Minneapolis and Chicago offices are also connected by a T1 link.

    A junior administrator in Duluth calls Carolyn to inform her that every time administrators in Chicago issue updates to AD DS (which has occurred frequently in recent weeks), a domain controller in Duluth dials the 56 Kbps link despite the rapid T1 link being available. What should Carolyn do to minimize the times the 56 Kbps link is dialed?

    1. Configure the 56 Kbps link to use Simple Mail Transport Protocol (SMTP) replication rather than IP.

    2. Configure the 56 Kbps link to be available outside business hours only.

    3. Create a site link bridge that encompasses the Duluth-to-Minneapolis and Minneapolis-to-Chicago site links and then set the cost of the 56 Kbps link to 300.

    4. Create a site link bridge that encompasses the Duluth-to-Minneapolis and Minneapolis-to-Chicago site links and then set the cost of the site link bridge to 50.

    15.Darcy’s company operates an AD DS forest consisting of a single tree with an empty root domain and five child domains that represent operational divisions. Darcy is responsible for maintaining the flexible single-master operations (FSMO) roles. In total, how many FSMO roles are present in this tree?

    1. One schema master, one domain naming master, six RID masters, six PDC emulators, and six infrastructure masters.

    2. One schema master, one domain naming master, five RID masters, five PDC emulators, and five infrastructure masters.

    3. Six schema masters, six domain naming masters, six RID masters, six PDC emulators, and six infrastructure masters.

    4. One schema master, one domain naming master, one RID master, one PDC emulator, and one infrastructure master.

    16.Jackie is the domain administrator for her company, which operates an AD DS domain in which all servers run Windows Server 2008 and client computers run either Windows XP Professional or Windows 7 Professional. There is one server configured as an offline standalone root CA and two servers configured as online enterprise subordinate CAs. Another administrator named Len is responsible for all operations of the CA hierarchy. The CIO is concerned that operation of the CA hierarchy would be severely affected should Len’s account be compromised.

    What should Jackie do to reduce the possibility of this occurrence?

    1. Create a special user account for Len that has a 20-character password and limit the privileges of this account to administration of the CA servers.

    2. Implement role-based administration in the CA hierarchy.

    3. Configure the subordinate CA servers so that certificate enrollment and renewal take place on different servers.

    4. Reconfigure the offline standalone root CA as an offline enterprise root CA.

    5. Reconfigure the offline standalone root CA as an online enterprise root CA.

    17.Justin is configuring a certificate template that will enable autoenrollment of smart cards for users in his company’s Windows Server 2008 R2 domain. Justin needs to ensure that a user creating a new smart card is prompted to enter her PIN as part of the enrollment procedure. He opens the Request Handling tab of the certificate template. Which of the following options should he select?

    1. Prompt the user during enrollment

    2. Prompt the user during enrollment and require user input when the private key is used

    3. Authorize additional service accounts to access the private key

    4. Allow private key to be exported

    18.Luke is network administrator for Acme Construction Ltd. The company’s network consists of a single AD DS domain called acmeconstr.com. Servers in the domain run either Windows Server 2003 or Windows Server 2008, and client computers run either Windows XP Professional or Windows 7 Professional. Two Windows Server 2008 computers named NS01 and NS02 host DNS zones for the acmeconstr.com domain; NS01 hosts a standard primary zone and NS02 hosts a standard secondary DNS zone. Queries that cannot be resolved by these servers are forwarded to Acme Construction’s ISP.

    Because Acme Construction has put a number of jobs out for tender in the past few months its DNS servers are receiving an exceptionally high number of requests and are becoming bogged down as a result. Luke decides to create a new zone called bids.acmeconstr.com to handle the traffic. He decides to configure a new Windows Server 2008 R2 DNS server called NS03 and dedicate it exclusively to servicing DNS requests for the bids.acmeconstr.com zone, where all future bids will be directed. In order to do this he needs to delegate control of the bids.acmeconstr.com zone to the NS03 server. How should Luke proceed?

    1. Manually create an A record for the NS03 server computer.

    2. Use the New Delegation Wizard in the DNS console to delegate control of the new zone.

    3. Manually create an A record and an NS record for the NS03 server computer.

    4. Add the appropriate IP address for NS03 to the Forwarders tab on the NS01 and NS02 server computers

    19.Rob is a network administrator for a company that operates a single domain AD DS network. All servers run Windows Server 2008 and all client computers run Windows XP Professional. Both portable and desktop client computers are used on the network. The domain is organized into a series of organizational units (OUs) that reflect the departmental structure of the company.

    The CIO has requested that no unattended portable computer be left logged on to the network, unless protected by a password. This requirement is to be enforced on portable computers only because all desktop computers are located in areas that are protected by building security. Rob needs to configure a Group Policy object (GPO) in such a manner that this rule will be properly enforced for portable computers only. How should he accomplish this objective using the least amount of administrative effort and without modifying any other policy settings for these computers?

    1. Create a GPO linked to the domain that specifies a password-protected screen saver. Use a Windows Management Instrumentation (WMI) filter to query for the hardware chassis type information so that this GPO applies only to portable computers.

    2. Create a global security group and move all computer accounts of portable computers to this group. Create a GPO linked to the domain that specifies a password-protected screen saver. Filter the GPO so that only this group has the Allow-Read and Allow-Apply Group Policy permissions.

    3. Create a child OU under each OU in which portable computers are found and move all portable computer accounts to this OU. Create a GPO that specifies a password-protected screen saver. Link this GPO to each child OU containing portable computers.

    4. Create one OU and move all portable computer accounts to this OU. Create a GPO linked to this OU that specifies a password-protected screen saver.

    20.Debbie is the network administrator for a global manufacturing conglomerate. She has created a large number of universal groups with several hundred users in each group. She has noticed that a large quantity of network traffic has resulted. What is the recommended manner of handling universal groups that Debbie should utilize?

    1. Debbie should place the users into universal groups and then place the universal groups into domain local groups.

    2. Debbie should place the users into global groups and then place the global groups into universal groups. She should then place the universal groups into domain local groups.

    3. Debbie should place the users into local groups and then place the local groups into universal groups. She should then place the universal groups into global groups.

    4. The universal groups are configured properly in this scenario; the traffic is being generated from other sources.

    21.Lynn has installed and configured a new server running Windows Server 2008 R2 as an additional domain controller on her company’s AD DS network, which consists of a single domain with domain controllers and member servers running the original version of Windows Server 2008.

    Lynn has heard that Windows Server 2008 R2 offers a new feature called the Active Directory Recycle Bin that enables her to recover accidentally deleted objects without the need for performing an authoritative restore operation. However, she is unable to locate this feature on the new server. What does she need to do to enable the Active Directory Recycle Bin on this server? (Each correct answer represents part of the solution. Choose all that apply.)

    1. Upgrade all domain controllers and member servers to Windows Server 2008 R2.

    2. Upgrade all domain controllers to Windows Server 2008 R2.

    3. Raise the domain functional level to Windows Server 2008 R2.

    4. Raise the forest functional level to Windows Server 2008 R2.

    5. Use the Ldifde.exe command-line utility to enable the Active Directory Recycle Bin.

    6. Use the Ldp.exe command-line utility to enable the Active Directory Recycle Bin.

    7. Edit the Registry to enable the Active Directory Recycle Bin.

    22.Elaine is responsible for maintaining the user account database for a local school board located in a suburban area just outside a major city. The state has implemented new county school boards that abolish the local boards and join them to the county boards, and Elaine must add several thousand new user accounts to the school board’s AD DS domain.

    Elaine uses a bulk import tool to import these user accounts, but the process stops after several hundred user accounts have been successfully imported. While troubleshooting the problem, the superintendent asks her to ensure that user accounts for school principals are added as soon as possible, so she opens Active Directory Users and Computers and attempts to create these user accounts. However, this attempt fails.

    Which of the following is the most likely cause of this problem?

    1. The infrastructure master for the domain is unavailable.

    2. The RID master for the domain is unavailable.

    3. The .csv file Elaine is using is corrupted and she must re-create this file.

    4. Elaine must wait until the user accounts she has added have replicated to all domain controllers in all sites of the domain before she can continue.

    23.Tom is the systems administrator for a company that operates an AD DS network consisting of a single domain. The company has formed an alliance with another company that supplies raw materials for manufacturing. Tom has installed a server running Active Directory Federation Services (AD FS) on a Windows Server 2008 R2 computer located on his company’s internal network. Now he needs to configure a server on the company’s perimeter network so that it can obtain user credentials from clients in the partner company and forward this information to the internal AD FS server.

    Tom opens Server Manager on the perimeter network server and starts the Add Roles Wizard. After selecting Active Directory Federation Services and clicking Next, he receives the dialog box shown in the exhibit. Which option should he select to configure the perimeter network server properly?

    [View full size image]

    1. Federation Service

    2. Federation Service Proxy

    3. AD FS Web Agents

    4. Claims-aware Agent

    5. Windows Token-based Agent

    24.Hazel is responsible for monitoring Active Directory functionality on her company’s network. She needs to know the update sequence number (USN) of the most recent changes to the AD DS database at a domain controller named DC3. What should she do?

    1. Configure a data collector set in Reliability and Performance Monitor with counters for the NTDS performance object.

    2. Use the Resource Monitor feature of Windows System Resource Manager.

    3. In replmon, right-click DC3 and choose Update Status (only for this server).

    4. Use the repadmin utility with the /showmeta option.

    25.Richard is the network administrator for a company that operates an AD DS network consisting of a single domain. All users in the Finance department have user accounts in the Finance OU. Richard creates a GPO linked to the Finance OU and configures it to publish Microsoft Excel.

    Some of the users in the department report that the application is not available from the Start menu, and other users report that Excel was installed successfully after they double-clicked an Excel spreadsheet. Richard needs to ensure that all users in the Finance OU can run Excel. What should he do?

    1. Run the gpresult command on each client computer where a user reports a problem.

    2. Run the gpupdate command on each client computer where a user reports a problem.

    3. Access the Deployment tab of the software package’s Properties dialog box. Change the deployment type from Assigned to Published. Then instruct users who report a problem to log off and log back on.

    4. Access the Deployment tab of the software package’s Properties dialog box. Change the deployment type from Published to Assigned. Then instruct users who report a problem to log off and log back on.

    26.Brent is a systems administrator for a company that operates a single domain AD DS network. As a result of corporate expansion, the company is opening a new branch office in a neighboring city. Brent installs a new domain controller and several client computers in the new office and sets up a 56 Kbps WAN link between the two offices. He needs to make sure that all changes to Active Directory that are configured on head office domain controllers are replicated to the new office domain controller as soon as possible. He also needs to make sure that network traffic over the WAN is kept minimal and that users in the branch office always authenticate to the domain controller in that office.

    What should Brent do to meet these objectives?

    1. Create a new OU for the branch office and add all computer accounts for clients and the branch office domain controller to this OU.

    2. Designate the branch office as a new Active Directory site. Configure the subnet that includes the computers in this office as belonging to that site and specify the site link cost to be 1.

    3. Designate the branch office as a new Active Directory site. Configure the subnet that includes the computers in this office as belonging to that site and specify a 15-minute intersite replication interval.

    4. Designate the branch office as a new Active Directory site. Configure the subnet that includes the computers in this office as belonging to that site and specify the replication interval to be 0.

    27.Alfredo is a network administrator for a community college. He has installed DNS on a Windows Server 2008 R2 computer called DNS1 that hosts a primary DNS zone for the college’s domain. The college network is also home to a UNIX server that has been configured to host the secondary DNS zone. This server, named DNS2, runs BIND 2.4.1. The chief network architect has assigned Alfredo the task of ensuring that DNS2 can receive zone transfers from DNS1.

    Which of the following options should Alfredo enable to achieve this result?

    1. Disable recursion (also disables forwarders)

    2. BIND secondaries

    3. Fail on load if bad zone data

    4. Enable round robin

    5. Enable netmask ordering

    6. Secure cache against pollution

    28.Maria is the domain administrator for a company that operates an AD DS domain with sites that span 20 cities in the United States, Canada, and Mexico. All client computers run either Windows 7 Professional or Windows 7 Ultimate. She has created ADMX files that define Registry-based policy settings that are to be applied to client computers in all sites of the domain.

    Maria needs to create custom ADMX files that support French and Spanish language users in offices where these languages are used. She also needs to ensure that the custom ADMX files are available to all administrators in the domain. What should she do?

    1. Create ADMX files and copy them to the %systemroot%\sysvol\domain\policies\PolicyDefinitions folder on the domain controller.

    2. Create ADMX files and copy them to the %systemroot%\sysvol\domain\policies\PolicyDefinitions folder on each client computer.

    3. Create ADML files and copy them to the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[language] folder on the domain controller.

    4. Create ADML files and copy them to the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[language] folder on each client computer.

    29.Peter has been given the responsibility of configuring Certificate Services for certificate autoenrollment. His company operates a public key infrastructure (PKI) that includes a standalone root certification authority (CA) and an enterprise subordinate CA. The PKI has recently been upgraded from Windows 2000 to Windows Server 2008. He wants to enable autoenrollment of certificates using a template that has been used in the past for web-based enrollment of certificates from the previous Windows 2000–based PKI. Which of the following steps should Peter perform? (Each correct answer represents part of the solution. Choose all that apply.)

    1. Configure an additional Windows Server 2008 computer as an autoenrollment-based subordinate CA.

    2. In the Certificate Templates snap-in, right-click the certificate template and choose Duplicate Template.

    3. From the Request Handling tab of the template’s Properties dialog box, specify an option for prompting the user during autoenrollment.

    4. From the Security tab of the template’s Properties dialog box, grant the required user or group the Read and Enroll permissions.

    5. From the Security tab of the template’s Properties dialog box, grant the required user or group the Read, Enroll, and Autoenroll permissions.

    6. Enable the template from the Certificate Templates node of the Certification Authority snap-in.

    7. Configure a GPO linked to the domain to enroll certificates automatically.

    30.Laura is the systems administrator for a company that operates an AD DS domain. The domain and forest functional level are set to Windows Server 2008. She has configured a password policy for users in her company’s domain that specifies that passwords must be at least seven characters long. The CIO has informed her that users in the legal department should have highly secure passwords. She configures a password policy in a GPO linked to the Legal OU that specifies that passwords be at least 12 characters long.

    A few days later, she receives a call from the CIO asking her why she has not yet implemented the stricter password policy. What must Laura do to implement the policy with the least amount of administrative effort?

    1. She needs to create a global security group, add the required users to this group, and ensure that the group has the Allow–Apply Group Policy permission applied to it.

    2. She needs to create a new domain, place the legal users and their computers in this domain, and then reapply the password policy to this domain.

    3. She needs to create a password settings object containing the required password settings and apply this object to the Legal OU.

    4. She needs to create a global security group and add the required users to this group. She then needs to create a password settings object containing the required password settings and apply this object to the group containing these users.

    31.Kathy is the administrator of a state government agency responsible for construction and maintenance of roads and highways. The agency operates a single domain within the government’s AD DS forest. The functional level of the domain is Windows Server 2003, and all servers that hold data accessible to outside parties are located on a perimeter network.

    The agency frequently contracts road work to private consultants, who need access to a web-based application that holds specifications and other data required for the work projects. All private consultants operate AD DS networks with either Windows 2000 or Windows Server 2003 domain controllers.

    Kathy is required to provide access for consultant employees without creating or managing user accounts for these employees, and she must keep the internal network secure from external access. Which of the following should she do? (Each correct answer represents part of the solution. Choose all that apply.)

    1. Install an AD RMS server and configure rights-protected documents.

    2. Install AD FS on an internal server and create a federated trust.

    3. Install an AD FS proxy server in the perimeter network.

    4. Install an AD FS web agent.

    5. Install a domain controller on the perimeter network to simplify the authentication of consultant employees.

    6. Install an AD LDS server on the perimeter network to simplify the authentication of consultant employees.

    32.Karen is the network administrator for a company that operates an Active Directory domain in which all domain controllers run Windows Server 2003. The company wants to upgrade the domain controllers to Windows Server 2008. Karen’s user account is a member of the Domain Admins, Enterprise Admins, and Schema Admins groups in her company’s domain.

    Which of the following actions does Karen need to perform before upgrading any of the domain controllers to Windows Server 2008? To answer, select the two required actions from the list that follows in the sequence in which she must execute them.

    1. Run the Adprep /domainprep command on the PDC emulator.

    2. Run the Adprep /forestprep command on the PDC emulator.

    3. Run the Adprep /domainprep command on the infrastructure master.

    4. Run the Adprep /forestprep command on the domain naming master.

    5. Run the Adprep /domainprep command on the schema master.

    6. Run the Adprep /forestprep command on the schema master.

    33.Rick is responsible for planning operations master role placements in his company’s AD DS forest, which consists of a forest root domain and three child domains. Four domain controllers in the forest root domain are called Server1, Server2, Server3, and Server4. This domain spans two sites, as shown in the exhibit. He needs to determine on which server to place the infrastructure master role. Which of the following represents the best placement of the infrastructure master in the forest root domain?

    1. On Server1, which hosts the RID master, but not the global catalog. This server has a direct connection to Server2 and Server3.

    2. On Server2, which hosts all four other operations master roles plus the global catalog.

    3. On Server3, which does not host any other operations master roles, but does host the global catalog.

    4. On Server4, which is located across a WAN connection from Server1 and does not host any other operations master roles.

    34.Bill is the network administrator for a company that operates a network containing a single AD DS domain. Servers run a mix of Windows Server 2003 and Windows Server 2008, and client computers run a mix of Windows XP Professional and Windows 7 Enterprise. Certificate Services is installed on a Windows Server 2008 R2 domain controller and configured as an Enterprise CA. The company’s written security policy stipulates that employees must have user certificates that are to be issued by designated managers. These managers are to be the only individuals authorized to approve, issue, and revoke certificates. Their user accounts are included in the CertMgrs global security group.

    What should Bill do to enable the authorized managers to perform these tasks without providing them with excess privileges?

    1. Grant the CertMgrs group the Allow-Manage CA permission on the CA server.

    2. Issue each member of the CertMgrs group the Enrollment Agent certificate.

    3. Grant the CertMgrs group the CA Administrator administrative role.

    4. Grant the CertMgrs group the Certificate Manager administrative role.

    35.Gerry is the network administrator for a company that operates an AD DS domain named certguide.com. Servers run a mix of Windows 2000 Server, Windows Server 2003, and Windows Server 2008. Client computers run either Windows XP Professional or Windows 7 Professional. The company acquires another company named Prep Ltd. Gerry creates a new domain named prep.certguide.com to reflect the changes in corporate structure. He must now manage two DNS servers: dns1.certguide.com and dns2.prep.certguide.com.

    dns1.certguide.com is the Start of Authority (SOA) for certguide.com, and dns2.prep.certguide.com is the SOA for prep.certguide.com. Gerry has also configured an intranet server called trans.prep.certguide.com that employees from both companies can access for updates on issues relating to the two companies becoming one corporate concern.

    A user of a client computer in certguide.com called client25.certguide.com reports that she cannot access the intranet server. Gerry discovers that he cannot ping this server by name from the client computer. What can he do to correct this problem? (Each correct answer represents a complete solution to the problem. Choose two answers.)

    1. Add a stub zone for certguide.com on dns2.prep.certguide.com.

    2. Add a stub zone for prep.certguide.com on dns1.certguide.com.

    3. Add an A resource record for dns2 prep.certguide.com on dns1.certguide.com.

    4. Add an A resource record for dns1.certguide.com on dns2.prep.certguide.com.

    5. Configure zone delegation for prep.certguide.com on dns1.certguide.com.

    6. Add a PTR record for prep.certguide.com on dns1.certguide.com.

    36.Connie works for a company that has just opened a branch office in a neighboring city that is connected to the head office with an ISDN link. Her manager has requested that replication occur at least once daily during the daytime. However, the line is expected to be close to 90% utilized during the day but only about 30% utilized during night hours.

    Connie needs to make sure that replication does not use excessive bandwidth during the day, but that at night it will provide adequate bandwidth to complete any synchronization. What should Connie do to complete this request with the least amount of effort?

    1. Create one site link, available only at night with the default cost and replication interval. Once a day, force replication manually.

    2. Create one site link with the default cost and replication interval. Configure this link to be available from noon to 1 PM and also during the nighttime hours.

    3. Create two site links, one available only at night with the default cost and replication interval and one available only during the day with a site link cost of 500.

    4. Create two site links, one available only at night with the default replication interval and the other available only from noon to 1 PM also with the default replication interval.

    5. Create two site links, one available only at night with the default replication interval and the other available only during the day with a replication interval of 4 hours.

    37.Stephanie has installed a standalone root CA and an enterprise subordinate issuing CA for her company’s domain. Which of the following additional tasks should she perform before issuing certificates to users on the network? (Each correct answer represents part of the solution. Choose three answers.)

    1. Configure certificate templates.

    2. Configure the Certificate Services web pages.

    3. Configure certificate revocation lists (CRLs) or online responders.

    4. Configure key archival and recovery.

    38.Shannon is the systems administrator for a company that operates a single domain AD DS network. A user named Steven has created a group named Designers on his computer, which runs Windows 7 Ultimate. He has added the domain user accounts of several colleagues in his work unit to the Designers group and now wants to assign permissions to a shared folder on the work unit’s file server to the group. However, when he accesses the shared folder, he is unable to add the Designers group to the folder’s ACL.

    Steven approaches Shannon for help. What should she do?

    1. Create a domain local group named Work Unit and add the domain user accounts of the colleagues to this group. Then create a global group named Designers, add the Work Unit group to this group, and add the Designers domain local group to the folder’s ACL.

    2. Create a global group named Work Unit and add the domain user accounts of the colleagues to this group. Then create a domain local group named Designers, add the Work Unit group to this group, and add the Designers domain local group to the folder’s ACL.

    3. Ask Steven to create local user accounts for each of the work colleagues on the file server and add these accounts to the Designers group.

    4. Ask Steven to check the network connectivity between his computer and the file server. His action should work if the connectivity is not a problem.

    39.Cassandra is in charge of monitoring and maintaining her company’s domain controllers. She opens Event Viewer on a domain controller named Server1 and notices that several thousand events, many of which are related to updates delivered via Windows Update, are present. She wants to create a custom log so that she can locate the most important events rapidly, so she opens the Create Custom View dialog box. Which of the following criteria can she use in creating the custom log? (Choose all that apply.)

    1. Time interval during which the events were logged

    2. Event level such as critical, error, warning, and so on

    3. The logs from which she wants to view data

    4. Event ID numbers

    5. Task categories

    6. Users and computers associated with the event

    40.Heidi is the network administrator for a financial company, which operates an AD DS network consisting of a single domain. Servers on the network run a mix of Windows Server 2003 and Windows Server 2008. She will be upgrading Windows Server 2003 DNS servers to Windows Server 2008 R2 and needs to obtain information about the configuration of the DNS zones. Which of the following commands should she run?

    1. Dnscmd /enumzones

    2. Dnscmd /statistics

    3. Dnscmd /zoneinfo

    4. Dnscmd /info

    41.Bob is responsible for software deployment and maintenance for his company, which operates an AD DS network consisting of a single domain. The company is planning to upgrade all users from Microsoft Office 2003 to Office 2007, and Bob must ensure that employees are unable to use Office 2003. In addition, he must ensure that users retain their user files such as customized spell check dictionaries after the upgrade.

    What should he do to accomplish these objectives? (Each correct answer represents part of the solution. Choose two answers.)

    1. Select the Advanced deployment option from the Deploy Software dialog box.

    2. Select the Required upgrade for existing packages option from the Add Upgrade Package dialog box.

    3. Select the Uninstall the existing package, then install the upgrade package option from the Add Upgrade Package dialog box.

    4. Select the Package can upgrade over the existing package option from the Add Upgrade Package dialog box.

    5. Select the Immediately uninstall the software from users and computers option from the Remove Software dialog box.

    42.Ted is the network administrator for CertGuide Ltd. The company has a subsidiary named Que. The CertGuide network consists of a single AD DS forest containing one domain named certguide.com. The domain and forest functional levels are Windows Server 2008. The Que network consists of an AD DS forest containing two domains named que.com and corp.que.com. These domains operate at the Windows 2000 native forest and domain functional levels.

    A file server named Server2 is a member of the certguide.com domain. All users in all three domains need to save files on Server2 every day. Ted needs to ensure that the domain administrators of the que.com and corp.que.com domains cannot grant users in the certguide.com domain permissions on servers in the que.com and corp.que.com domains. What should Ted do to accomplish this objective?

    1. Create two one-way external trust relationships in which the certguide.com and corp.que.com domains trust the que.com domain.

    2. Create two one-way external trust relationships in which the que.com and corp.que.com domains trust the certguide.com domain.

    3. Create a one-way forest trust relationship in which the certguide.com domain trusts the que.com domain.

    4. Create a one-way forest trust relationship in which the que.com domain trusts the certguide.com domain.

    5. Upgrade the que.com and corp.que.com domains to Windows Server 2008 and make the que.com domain the root domain of a second tree in the existing forest.

    43.Rebecca is the network administrator for a clothing manufacturer. The company’s network is configured as a single AD DS domain. All domain controllers run Windows Server 2008 R2 and the domain and forest functional levels are set to Windows Server 2008 R2.

    The company buys out a competitor. The former competitor also operates a single domain AD DS network that runs at the Windows Server 2008 domain and forest functional levels. Rebecca wants to export the settings of a GPO from her company and import them into the second company. How can she perform this task with the least amount of administrative effort?

    1. Use the BackupGPO.wsf script to back up the settings in her domain and then use the RestoreGPO.wsf script to import them in the second domain.

    2. Use the BackupGPO.wsf script to back up the settings in her domain and then use the ImportGPO.wsf script to import them in the second domain.

    3. Use the Wbadmin command to back up the settings in her domain and then use the Wbadmin command to restore them to the second domain.

    4. Create a forest trust between the two companies and then access the required GPO from the Group Policy Management Console and copy it to the second company.

    44.Heather is an administrator for a company that operates an AD DS network consisting of a single domain that runs at the Windows 2000 domain functional level. There are three sites corresponding to the company’s head office and two small branch offices. Domain controllers on the network run either Windows 2000 Server or Windows Server 2003, but the company has plans of introducing domain controllers running Windows Server 2008 to the network.

    Heather has read about all the advantages of using RODCs to authenticate users in her company’s branch offices and is planning to set up an RODC in each of the branch offices. Which of the following does she need to do before setting up the RODCs? (Each correct answer represents part of the solution. Choose four answers.)

    1. Upgrade all Windows 2000 Server domain controllers to either Windows Server 2003 or Windows Server 2008.

    2. Upgrade all Windows 2000 Server and Windows Server 2003 domain controllers to Windows Server 2008.

    3. Raise the domain and forest functional levels to Windows Server 2003.

    4. Raise the domain and forest functional levels to Windows Server 2008.

    5. Upgrade the PDC emulator to Windows Server 2003.

    6. Upgrade the PDC emulator to Windows Server 2008.

    7. Run the Adprep /rodcprep utility on the schema master.

    8. Run the Adprep /rodcprep utility on the infrastructure master.

    45.Julian is the network administrator for a company that has operated a UNIX-based network and is switching over to a Windows Server 2008–based AD DS network. He installs Windows Server 2008 R2 on a new computer and runs dcpromo.exe to promote this server to the first domain controller in the new domain.

    Julian wants to ensure that AD DS has been properly installed on the new domain controller. Which of the following should he do? (Each correct answer represents part of the solution. Choose three answers.)

    1. Open Active Directory Users and Computers and verify that an organizational unit (OU) named Users is present.

    2. Open Active Directory Users and Computers and verify that an OU named Domain Controllers is present.

    3. In Windows Explorer, navigate to the %systemroot% folder and verify the existence of the Active Directory database and shared system volume folders.

    4. In Windows Explorer, navigate to the root of the system drive and verify the existence of the Active Directory database and shared system volume folders.

    5. Open the Domain Name System (DNS) Manager snap-in and verify that two zones containing the domain name are present in the console tree. One of these should be prefixed with _msdcs.

    6. Open the DNS Manager snap-in and verify that a reverse lookup zone containing the domain name has been created and is visible in the console tree.

    46.Janet is responsible for configuring application directory partitions on the domain controllers in her company’s AD DS domain. She has configured a financial application to store its data in an application directory partition on a domain controller named DC1. She now needs to enable fault tolerance for this partition by configuring an appropriate partition on another domain controller named DC2. What should she do?

    1. Use the ntdsutil utility to create an application directory partition replica on DC2.

    2. Use the ntdsutil utility to create a new application directory partition on DC2 and then specify the application directory partition’s reference domain to point to DC1.

    3. Use the repadmin utility to specify replication of the application directory partition on DC1 to DC2.

    4. Use the dnscmd utility with the /ZoneChangeDirectoryPartition parameter to specify an application directory partition on DC2 to which the data on DC1 will be replicated.

    47.Managers at Betty’s company have requested that she configure all computers used by data entry clerks so that they are unable to access the Internet. However, data entry supervisors need access to the Internet. All computers used by both data entry clerks and supervisors run either Windows Vista Business or Windows 7 Professional.

    All members of the data entry team belong to the Data Entry security group and data entry supervisors also belong to the Supervisors security group.

    Which of the following should Betty do to accomplish this objective?

    1. Create two Group Policy objects (GPOs): one to disable Internet access and the other to enable Internet access. Grant the Data Entry group the Read and Apply group policy permissions on the first GPO and grant the Supervisors group the Read and Apply group policy permissions on the second GPO.

    2. Create one GPO that disables Internet access and grant the Data Entry group the Read and Apply group policy permissions.

    3. Create one GPO that disables Internet access and grant the Data Entry group the Read and Apply group policy permissions. Grant the Supervisors group the Read permission only on this GPO.

    4. Create one GPO that disables Internet access and grant the Data Entry group the Read and Apply group policy permissions. Also, deny the Supervisors group the Apply group policy permission on this GPO.

    48.Wendy is responsible for maintaining certificates in her company’s AD DS domain, which operates a two-tier PKI hierarchy consisting of an offline standalone root CA and an enterprise subordinate CA. She needs to create an additional copy of the certificate and private key used by the company’s CEO for storage at a remote location. What should she do to accomplish this task with the least amount of effort?

    1. Use the Certificate Export Wizard to export the certificate and choose Yes when asked whether she wants to export the private key. Browse to a suitable removable disk for the file location and provide a secure password for the key.

    2. Use the Certification Authority Backup Wizard to back the certificate up and choose Yes when asked whether she wants to export the private key. Browse to a suitable removable disk for the file location and provide a secure password for the key.

    3. Use the ntdsutil command to back up the certificate and private key and use the password keyword to provide a secure password for the key.

    4. Use the wbadmin command to back up the certificate and private key and use the password keyword to provide a secure password for the key.

    49.Ester’s company is expanding its North American operations to Asia. To accommodate these operations, she needs to add several objects and attributes to the schema. Her boss has added her user account to the Schema Admins group for this purpose. Working from a branch office domain controller, Ester attempts to locate the Active Directory Schema snap-in. She calls the help desk and asks to be given the appropriate permission to access this snap-in but is told that this is not a permissions issue. What does Ester need to do to access this snap-in? (Each correct answer represents part of the solution. Choose two answers.)

    1. She must first register the Schema snap-in by using the regsvr32 command from the Run dialog box.

    2. She needs to install the Active Directory Schema snap-in to a new MMC console.

    3. She needs to go to the schema master computer to modify the schema. Because the domain controller she is working from does not have this snap-in, it must not be the schema master.

    4. She should contact the help desk manager because she has received incorrect advice from the support technician. She needs to belong to both the Schema Admins and Enterprise Admins groups to access this snap-in.

    50.Betsy is responsible for administering her company’s PKI. The company has an offline root CA and four enterprise subordinate CAs, each of which issues certificates to users in a major division of the company.

    As a result of corporate downsizing and reorganization, one of the four major divisions is being disbanded. Betsy must ensure that resources on the network will not accept certificates from the subordinate CA located in the division that is being disbanded. Which of the following should she do? (Each correct answer represents part of the solution. Choose three answers.)

    1. At the disbanded division’s subordinate CA, revoke all the certificates that it has issued.

    2. Uninstall the AD CS role from the disbanded division’s subordinate CA.

    3. Bring the offline root CA online, revoke the disbanded division’s subordinate CA’s certificate and then take the root CA back offline.

    4. Publish a new base CRL.

    5. Publish a new delta CRL.

    6. Copy the new CRL to the network’s CRL distribution point.

    7. Add the AIA extension to all URLs at which certificates issued by the disbanded division’s subordinate CA can be retrieved.

    51.Brian is responsible for maintaining AD DS replication on his company’s network, which consists of three domains and nine sites. When he uses replmon to check the automatically configured replication topology, he notices that connection paths are not established in what he thinks is the optimum manner.

    What can Brian do to manually change the topology?

    1. Edit the Registry to indicate the appropriate paths.

    2. Use Active Directory Sites and Services to manually create a site link object connecting the required servers.

    3. Force the Knowledge Consistency Checker (KCC) to update the replication topology.

    4. Brian cannot modify the replication paths. The KCC does not permit this type of configuration.

    52.Dennis is responsible for managing Active Directory Lightweight Directory Services (AD LDS) on his company’s network. He needs to create a replica of an AD LDS instance that he has created in order to provide fault tolerance. Which of the following tools should he use to accomplish this task?

    1. Adsiedit.exe

    2. Ldp.exe

    3. Ntdsutil.exe

    4. Active Directory Lightweight Directory Services Setup Wizard

    53.Marilyn is responsible for security on her company’s network. While reviewing the security log one morning, she notices that a hacker has been using brute-force methods to attempt to crack passwords on the network.

    Marilyn’s company does not have the financial resources to implement a more secure authentication method such as smart cards at the present time, so she decides to create a policy to strengthen password security. Which of the following should she do? (Each correct answer represents part of the solution. Choose all that apply.)

    1. Enable the Password must meet complexity requirements setting.

    2. Enable the Store passwords using reversible encryption setting.

    3. Enable the Users must change password at next logon setting.

    4. Increase the Minimum password length setting.

    5. Decrease the Maximum password age setting.

    54.Sheldon is a network administrator for his company, which operates an AD DS network consisting of a single domain operating at the Windows Server 2008 forest and domain functional levels. He is really counting his blessings because his company has gone through a major downsizing in which almost one quarter of all jobs have been eliminated, mostly through layoffs. As a result, he has been cleaning up the company’s AD DS network by clearing out a lot of user and group accounts that are no longer needed.

    Sheldon has been monitoring the ntds.dit file and has been expecting the size of this file to reduce because it now holds much less data. However, he has seen nothing yet. What should he do?

    1. He must wait for 24 hours for the deletions to be propagated to other domain controllers.

    2. He must wait for 60 days because objects that are deleted from AD DS are not immediately deleted. Rather, they are assigned a tombstone of 60 days. The size of the file will not reduce until after this tombstone period has expired.

    3. He should back up and restore the database. This compresses the file.

    4. He must perform an offline compaction of the database because the space that was consumed by the deleted objects simply remains empty space within the ntds.dit file until he does this.

    55.Paul administers the network for a new company whose AD DS root domain will be named que.com. He installs Windows Server 2008 R2 on a computer named DC01 and runs dcpromo.exe on this computer to create the first domain controller in the new forest. He accepts the option to create a new DNS server.

    Paul also sets up a Windows Server 2008 member server running Internet Information Services (IIS) 7.0 and 12 client computers running Windows 7 Professional. He configures all 13 of these computers with static IP addresses and specifies the IP address of DC01 as their preferred DNS server.

    Which of the following steps must Paul take to ensure that both the address (A) and pointer (PTR) resource records of the client computers and the IIS server are recorded properly when he adds them to the que.com domain?

    1. Create a forward lookup zone for the network and enable it to accept dynamic updates.

    2. Create a reverse lookup zone for the network and enable it to accept dynamic updates.

    3. Enable DC01 to accept dynamic updates.

    4. Configure the client computers to send updates to DC01.

    5. Enable the zones for que.com to accept dynamic updates.

    56.Alexander is the domain administrator for the que.com domain, which operates at the Windows Server 2008 R2 functional level. He has configured AD CS on a server in the domain. Several users in the legal.que.com domain attempt to enroll for a user certificate, but receive a message that the template was not found. What should Alexander do so that these users can locate this template?

    1. Create a duplicate of the User certificate template and specify the Windows Server 2008 option. Then specify the Autoenroll permission for the Authenticated Users group.

    2. Place the users in a security group and configure the Security tab of the template’s Properties dialog box with the appropriate permissions to the template.

    3. Configure the automatic certificate request policy in a GPO linked to the legal.que.com domain.

    4. Configure the web enrollment pages to use basic authentication.

    57.Rachel is responsible for ensuring that the servers on her company’s Windows Server 2008 network can handle all requests sent by users on the network. She wants to display graphs of server performance data in real-time and, at the same time, create resource allocation policies that determine how server resources such as processor and memory are allocated to processes running on the server. Furthermore, she wants the ability to configure events under which the server will automatically modify how server resources are allocated. Which of the following tools enables her to perform all these actions?

    1. Network Monitor

    2. Task Manager

    3. Reliability and Performance Monitor

    4. Event Viewer

    5. Windows System Resource Manager (WSRM)

    58.George is responsible for creating and managing GPOs for a company that operates an AD DS forest with three domains, each of which has 10 or more OUs representing different work groups in the company. All servers run Windows Server 2008 and client computers run Windows XP, Windows Vista, or Windows 7. The functional level of the forest is Windows Server 2008.

    George needs to create a series of similar GPOs that will be linked to various OUs in the forest. What should he do to accomplish this task with the least amount of administrative effort?

    1. Create a Starter GPO and link it to the required OUs. Then edit this GPO to introduce OU-specific settings.

    2. Create a Starter GPO and copy it to each domain. Then use the Starter GPO to create GPOs in the required OUs and edit these GPOs to introduce OU-specific settings.

    3. Create one GPO and link it to all OUs that require its settings. Then edit the GPO in each OU to introduce OU-specific settings.

    4. Create a new GPO in each OU that contains the required settings for its OU.

    59.Wayne is the network administrator for a medical office that operates an AD DS network consisting of a single domain. He suspects that unauthorized users have been attempting to access the DNS server and wants to log packets being sent to and received from a specific range of IP addresses at the DNS server. What should he do?

    1. Access the Monitoring tab of the DNS server’s Properties dialog box and enable both simple and recursive queries.

    2. Access the Event Logging tab of the DNS server’s Properties dialog box and enable the All events option.

    3. Access the Debug Logging tab of the DNS server’s Properties dialog box, enable Log packets for debugging, and specify the Filter packets by IP address option.

    4. Configure Network Monitor with a capture filter that enables the capture of frames originating from the required range of IP addresses.

    60.Theodore is the network administrator for a company that operates an AD DS network consisting of a single domain. The domain contains OUs that mirror the departmental structure of the company. A user named Jill, who is a member of the Marketing OU, has been delegated permission to reset passwords in that OU. Jill has been transferred to the Design OU and will no longer need the capability of resetting passwords in the Marketing OU.

    How should Theodore prevent Jill from resetting passwords in the Marketing OU, with the least amount of administrative effort?

    1. Move Jill’s user account from the Marketing OU to the Design OU. Her permissions will be reset automatically.

    2. Run the Delegation of Control Wizard to revoke Jill’s permissions to the Marketing OU.

    3. Access the Security tab of the Marketing OU Properties dialog box and remove Jill’s permission to reset passwords.

    4. Delete Jill’s user account and then re-create it in the Marketing OU.

    61.John is the network administrator for a company that operates an AD DS network consisting of two domains and two sites. The head office is located in Toronto and a branch office is located in Boston. Each office has two domain controllers and the global catalog, and all operations master roles are hosted on the domain controllers in the Toronto office. Several universal groups are used for assigning permissions to resources in both domains and both offices.

    Users in Boston report that logon times are often slow, and John decides to implement universal group membership caching in this office. He opens Active Directory Sites and Services and expands the console tree to obtain the view shown in the exhibit. Which item should John select to implement universal group membership caching?

    [View full size image]

    1. The Inter-Site Transports folder

    2. The Boston site

    3. The Servers folder beneath the Boston site

    4. SERVER3

    5. The NTDS Settings folder beneath SERVER3

    62.David is responsible for software deployment throughout his company, which operates an AD DS domain with eight OUs that represent administrative divisions in the company. Employees are frequently moved between administrative divisions, and their work responsibilities and software needs change when this happens. Furthermore, they should not have access to software that they no longer need after a move.

    When employees move, David must ensure that these requirements are met. What should he do?

    1. In the Upgrades tab of the Software Installation Properties dialog box, select the Required upgrade for existing packages check box.

    2. In the General tab of the Software Installation Properties dialog box, select the Display the Deploy Software dialog box option.

    3. In the Advanced tab of the Software Installation Properties dialog box, select the Uninstall the applications when they fall out of the scope of management check box.

    4. In the Delegation tab of the Properties for the associated GPOs, ensure that the Apply Group Policy permission is granted to only those security groups that require access to the applications.

    63.Evan is the systems administrator for a company that operates an AD DS network consisting of a single domain and five sites, which represent the head office and four branch offices. Each branch office is configured with a read-only domain controller (RODC).

    Evan receives a call from a branch office employee named Melissa, who is experiencing extremely long delays in logging on to the network. Evan wants to verify whether Melissa’s credentials are cached at the RODC.

    What should Evan do? (Each correct answer represents part of the solution. Choose three answers.)

    1. Access the Active Directory Sites and Services snap-in.

    2. Access the Active Directory Users and Computers snap-in.

    3. Access the Properties dialog box for Melissa’s user account.

    4. Access the Properties dialog box for the RODC in Melissa’s branch office.

    5. Click Advanced and then select the Accounts whose passwords are stored on this Read-only Domain Controller option from the drop-down list.

    6. Click Advanced and then select the Accounts that have been authenticated to this Read-only Domain Controller option from the drop-down list.

    64.Duncan has configured Certificate Services on his company’s domain-based PKI to publish a base CRL every Friday at 8 p.m. and a delta CRL Monday to Thursday at 8 p.m. On Wednesday morning, an accounting application needs to check the CRL to ensure that a user’s certificate is valid. Which of the following CRLs does the application check?

    1. The base CRL and Tuesday’s delta CRL

    2. The base CRL and Wednesday’s delta CRL

    3. The base CRL and both Monday’s and Tuesday’s delta CRL

    4. The base CRL and all of Monday’s, Tuesday’s, and Wednesday’s delta CRLs

    5. Tuesday’s delta CRL only

    6. Wednesday’s delta CRL only

    65.Karla is the network administrator for a company that operates an AD DS network consisting of a parent domain and two child domains. All DNS servers run Windows Server 2008 or Windows Server 2008 R2, and all DNS zones are configured as Active Directory–integrated zones hosted on domain controllers.

    Karla notices that the zone data for one of the child domains contains several entries for unknown computers that are not domain members. What should she do to prevent this from occurring in the future?

    1. Select the Secure only option on the General tab of the zone’s Properties dialog box.

    2. Change the zone replication scope to the All DNS servers in this domain option.

    3. On the Zone Aging/Scavenging Properties dialog box, select the Scavenge Stale Resource Records option.

    4. Right-click the server in the console tree of DNS Manager and choose Scavenge Stale Resource Records.

    66.Karen is a network manager for a global musical instrument company that operates a complicated AD DS forest consisting of five domain trees and a total of 32 individual domains. The domain structure includes the following tree root domains:

    mm-corp.us, asiamusical.com, willywilly.com.au, worldwideguitars.com, and virtual-realm.com

    Users in development.california.mm-corp.us often need to collaborate with their Australian counterparts in development.willywilly.com.au, and users in both domains complain that it takes an extremely long time for shared folders to open even though there is excellent connectivity between physical locations.

    Which of the following should Karen do to improve this situation?

    1. Karen should purchase additional bandwidth to reduce the delay in accessing shared resources.

    2. Karen can create a forest trust between the california.mm-corp.us and willywilly.com.au domain trees.

    3. Karen should create a shortcut trust between development.california.mm-corp.us and development.willywilly.com.au.

    4. Karen should move the users from the two domains into a common domain.

    67.Hubert is the systems administrator for a clothing manufacturer based in San Francisco. During a standard review of the AD DS files on his domain controller, he notices that the hard drive containing the ntds.dit file is running out of space. However, plenty of space is available on the RAID-5 array attached to the server. He decides to move the file to the RAID-5 array. How should he perform this procedure using the least amount of administrative effort?

    1. Restart the server in Directory Services Restore Mode and use Windows Explorer to move the file.

    2. Restart the server in Directory Services Restore Mode and use the ntdsutil utility to move the file.

    3. From a command prompt, stop AD DS, use the ntdsutil utility to move the file, and then restart AD DS.

    4. From a command prompt, stop AD DS, use Windows Explorer to move the file, and then restart AD DS.

    5. While the server is running, open a command prompt and use ntdsutil to move the file.

    6. While the server is running, use Windows Explorer to move the file.

    68.Kim is the network administrator for a company that operates an AD DS network consisting of one domain and four sites. She installs a new domain controller and a new member server running Windows Server 2008 R2 in one of the sites but notices several days later that replication is not taking place properly. Investigating this problem, Kim discovers that these servers have been placed in the wrong site. What should she do to correct this problem? (Each correct answer represents part of the solution. Choose two answers.)

    1. Use Active Directory Sites and Services to place the domain controller in the correct site.

    2. Use Active Directory Sites and Services to place the member server in the correct site.

    3. Use Active Directory Administrative Center to place the domain controller in the correct site.

    4. Use Active Directory Administrative Center to place the member server in the correct site.

    5. Reconfigure the domain controller with an IP address corresponding to the subnet specified for the correct site.

    6. Reconfigure the member server with an IP address corresponding to the subnet specified for the correct site.

    69.Peter is a network administrator for a company that operates an AD DS forest consisting of two domains in separate trees. The company has offices in New York and Rome, which are connected by a 236 Kbps WAN link. Each office is represented by a separate AD DS site as well as its own domain.

    Peter’s company stores resource location data in AD DS so that users can perform searches to locate the appropriate resources on their client computers, which run either Windows XP Professional or Windows 7 Professional. However, users in the Rome office report that search times for resources are unacceptably slow.

    Which of the following should Peter do to improve search times at the Rome office?

    1. Enable universal group membership caching at the Rome office.

    2. Configure a global catalog server at the Rome office.

    3. Configure a domain controller for the New York domain in the Rome office.

    4. Configure a domain controller for the Rome domain in the New York office.

    70.Lenny is responsible for configuring Group Policy in his company’s domain. The domain functional level is set to Windows Server 2003. Lenny’s manager has requested that he implement an account policy that specifies that all user accounts will be locked out if an incorrect password is entered five times within a one-quarter-hour period. The account is to remain locked out until a support technician unlocks it.

    How should Lenny configure the account policy? (Each correct answer represents part of the solution. Choose three answers.)

    1. Set the account lockout threshold to 0.

    2. Set the account lockout threshold to 1.

    3. Set the account lockout threshold to 4.

    4. Set the account lockout duration to 0.

    5. Set the account lockout duration to 1.

    6. Set the reset account lockout counter value to 0.25.

    7. Set the reset lockout counter to 15.

    8. Set the reset lockout counter to 900.

    71.Michelle administers a server named Server3 that has Active Directory Lightweight Directory Services (AD LDS) installed. She installs an instance of AD LDS together with its associated application directory partition that will store data for a directory-enabled engineering design application.

    Michelle wants to create a new OU in the AD LDS application directory partition that will organize users that require access to the design application. Which of the following tools can she use for this purpose? (Each correct answer represents a complete solution to the problem. Choose two answers.)

    1. Ldp.exe

    2. Ntdsutil.exe

    3. Dsadd.exe

    4. Adsiedit.msc

    5. Dssite.msc

    72.Stuart is responsible for administering the DNS servers in his company’s AD DS network, which contains an Active Directory–integrated zone. A DNS server named Server1 does not appear to be receiving accurate zone transfer information.

    Stuart decides to capture information that relates to DNS update data that should be sent and received at Server1, so he enables every debugging option available on the Debug Logging tab of the server’s Properties dialog box, as shown in the exhibit. The next day, after noticing that the log has collected a large quantity of data he realizes that he does not need detailed information and that he should clear certain options. Which of the following options should he clear? (Choose all that apply.)

    1. Log packets for debugging

    2. Queries/Transfers

    3. Updates

    4. Notifications

    5. Details

    6. Filter packets by IP address

    73.Arlene is responsible for configuring Group Policy in her company’s AD DS domain. The domain contains OUs that mirror the company’s departmental organization. Another administrator has applied a GPO to the Sales OU that limits user access to their computers. Arlene’s manager has noticed that this GPO has reduced the number of help desk calls generated by the users in this department, so he asks Arlene to apply the same policies to the Marketing department. What is the best way to accomplish this task?

    1. Create a new GPO containing the required settings and link this GPO to the Marketing OU.

    2. Use the GPO linked to the Sales OU as a Starter GPO to create a new GPO linked to the Marketing OU.

    3. Add the group containing the Marketing team members to the Sales OU.

    4. Simply link the current GPO to the Marketing OU.

    74.Carm is the senior network administrator for a large investment company that operates an AD DS forest consisting of nine domains in four domain trees. The forest functional level is Windows 2000.

    In recent months, a vigorous server upgrade program has been in place throughout the company and all domain controllers and most member servers have been upgraded to Windows Server 2008 R2. Carm verifies that the domain functional level of each of the tree root domains has been set to Windows Server 2008 R2 and is now proceeding to upgrade the forest functional level to Windows Server 2008 R2. However, he is unable to select this functional level. What might be causing this problem? (Choose all that apply.)

    1. Carm must log on using an account that is a member of the Schema Admins group.

    2. Carm must log on using an account that is a member of the Enterprise Admins group.

    3. Some of the child domains might be still at the Windows 2000 or 2003 domain functional level.

    4. Carm must raise the forest functional level to Windows Server 2003 first and let this change propagate throughout the forest before he can raise the forest functional level to Windows Server 2008 R2.

    5. Two of the child domains are connected by a shortcut trust relationship. Carm must remove this trust before he can raise the forest functional level.

    75.Teresa is responsible for configuring and maintaining Group Policy in her company’s AD DS domain. The domain contains computers running Windows XP Professional, Windows Vista Business, Windows 7 Professional, Windows Server 2003, and Windows Server 2008. There are eight OUs representing company departments, all of which have multiple GPOs linked to them.

    Because of an organizational change, Teresa needs to move the Design OU under the Engineering OU. She needs to find out which objects in the Design OU are adversely affected by GPOs linked to the Engineering OU. She must achieve this goal without disruption to users. Which of the following should she do?

    1. Use the Group Policy Modeling Wizard for the Engineering OU. Choose the Design OU to simulate policy settings.

    2. Use the Group Policy Results Wizard for the Engineering OU. Choose the Design OU to simulate policy settings.

    3. Use the Group Policy Modeling Wizard for the Design OU. Choose the Engineering OU to simulate policy settings.

    4. Use the Group Policy Results Wizard for the Design OU. Choose the Engineering OU to simulate policy settings.

    76.Jennifer is responsible for maintaining the user and group accounts databases in her company’s AD DS domain. The company is expanding its operations and will be hiring several hundred new university graduates as soon as they have finished their exams. These graduates will work in several different departments of the company and require access to numerous shared resources in different components of the network.

    Human Resources (HR) has prepared an Excel spreadsheet containing all required information on the new hires, such as names, addresses, work departments, locations, and so on. Jennifer must create new user and group accounts for these new hires. What should she do to create the accounts with the least amount of administrative effort?

    1. Export the Excel spreadsheet to a comma-separated text file and use Csvde to create the required accounts.

    2. Export the Excel spreadsheet to a LDIF-formatted file and use Ldifde to create the required accounts.

    3. Use the dsadd command to add the required accounts to the database.

    4. Use the New Object—User and New Object—Group wizards to create the required accounts.

    77.Matt has successfully installed and configured an enterprise root CA for his company, which operates an AD DS network consisting of a single domain. Matt has also configured a certificate template for autoenrollment.

    What additional tasks must Matt perform to enable autoenrollment of user certificates? (Each correct answer represents part of the solution. Choose two answers.)

    1. Install Internet Information Services (IIS) 7.0 on the CA.

    2. Install an enterprise subordinate CA.

    3. Configure a certificate trust list (CTL).

    4. Configure the CA to issue certificates based on the template he has just configured.

    5. Configure a GPO linked to the domain to enroll certificates automatically.

    78.Charles is the administrator for a company whose AD DS domain spans four sites: Pittsburgh, Cincinnati, Cleveland, and Baltimore. He has configured site links to reflect the geography so that replication traffic takes the shortest routes. To that end, Charles configures the site link cost between shorter paths to 200 and the cost between longer paths to 100.

    The following week, Charles notices that replication is inconsistent and seems to take longer than it should. What should he check first in troubleshooting this problem?

    1. Charles should use the SMTP transport protocol rather than the IP protocol.

    2. Charles should change bridgehead servers at each site to the most powerful servers available to accommodate the increased traffic burden.

    3. Charles should configure site link bridges to bridge the links on the longer paths.

    4. Charles should reverse the site link costs.

    79.Working at one of the six domain controllers in his company’s network, Brendan accidentally deleted his company’s Executive OU. Realizing that none of the executives would be able to log on the next morning, Brendan knew he must restore this OU as rapidly as possible. Fortunately, a backup of the system state of the domain controller had been created the day before.

    Which of the following actions does Brendan need to perform? (Each correct answer represents part of the solution. Choose two answers.)

    1. Use the net stop ntds and the wbadmin start systemstaterecovery commands to restore System State from backup.

    2. Start the domain controller in Safe Mode and then use the wbadmin start systemstaterecovery command to restore System State from backup.

    3. Start the domain controller in Directory Services Restore Mode and then use the wbadmin start systemstaterecovery command to restore System State from backup.

    4. Select the Repair your computer option.

    5. Use the ntdsutil program to mark the restored Executive OU as authoritative by specifying the LDAP DN of the Executive OU.

    6. Select the System Image Recovery option.

    80.Cindy is a systems administrator for a company that operates a single domain AD DS network. All servers run Windows Server 2008 and all client computers run Windows 7 Professional. Cindy is setting up special user-based options for installation of a custom accounting application provided by a software vendor. She wants to configure the software options so that users can view the installation process as it takes place on their computers. She creates a GPO linked to the domain and in the Group Policy Management Editor; she creates a software installation policy that assigns the software in the User Configuration\Policies\Software Settings\Software Installation branch. Which of the following should she configure?

    1. Under Installation User Interface Options on the Deployment tab of the package’s Properties dialog box, select Basic.

    2. Under Installation User Interface Options on the Deployment tab of the package’s Properties dialog box, select Maximum.

    3. Under Deployment Options on the Deployment tab of the package’s Properties dialog box, select Do not display this package in the Add/Remove Programs control panel option.

    4. Under Deployment Options on the Deployment tab of the package’s Properties dialog box, select Install this application at logon.

    81.Judy is the systems administrator for a company that operates an AD DS forest containing three domains. There are six sites, each of which represents a city in which the company does business. Each site contains at least two domains and several OUs within each domain, and each site is configured with a proxy server that all users are expected to access the Internet through.

    Judy has created GPOs that set the proxy configuration for all computers in the forest, including portable computers that traveling users carry to different offices in the course of their job duties. How should she configure this GPO to ensure that users always access the Internet by means of the proxy server in the office where they are located?

    1. She should link each GPO to its site and specify the Enforced option.

    2. She should link each GPO to its site and do nothing else.

    3. She should link each GPO to the OUs located in its site and specify the Block Inheritance option.

    4. She should link each GPO to the domains located in its site and specify the Block Inheritance option.

    5. She should link each GPO to the domains located in its site and do nothing else.

    82.Wilson is the network administrator for a company that operates an AD DS network consisting of a single domain and four sites representing the company’s offices, which are located in Dallas, Austin, San Antonio, and Houston. Each site has at least one domain controller that runs DNS and hosts an Active Directory–integrated zone. Domain controllers in the company run a mix of Windows 2000 Server, Windows Server 2003, and Windows Server 2008.

    Wilson’s company places a contract with a second company in Houston to provide extensive educational materials for company employees. Wilson configures a conditional forwarder on a Houston DNS server to point to a private web server at the second company’s network, but employees in the Dallas, Austin, and San Antonio offices report that they are unable to access the private web server.

    On contacting administrators in the Dallas, Austin, and San Antonio offices, Wilson discovers that the conditional forwarder setting does not appear in their DNS servers. What should Wilson to?

    1. Use Active Directory Sites and Services to force intersite replication.

    2. Configure the conditional forwarder with the All domain controllers in this domain option.

    3. Configure the conditional forwarder with the All DNS servers in this domain option.

    4. Configure a new zone delegation for each of the Dallas, Austin, and San Antonio sites.

    83.Dan is responsible for administering the DNS configuration for his company, which operates an AD DS network consisting of a single domain and sites corresponding to the New York boroughs in which offices are located. The Manhattan office houses a primary standard DNS server named NS01 plus a secondary name server named NS02. The Brooklyn office houses two standard secondary name servers called NS03 and NS04. A facility in Bronx houses two additional standard secondary DNS servers called NS05 and NS06.

    Lately, the administrative overhead of looking after these servers and configuring zone transfers has taken up a lot of time. In addition, the zone transfers themselves generate an excessive amount of network traffic. Dan needs to reduce both the administrative time and the network traffic, so he opens the DNS Manager snap-in at NS01 and accesses the Properties dialog box for his zone. From the General tab, he clicks the Change button opposite the zone type. Which options should he configure (Each correct answer represents part of the solution. Choose two answers.)

    1. He should select Primary zone.

    2. He should select Secondary zone.

    3. He should select Stub zone.

    4. He should select the Store the zone in Active Directory option.

    5. He should clear the Store the zone in Active Directory option.

    84.Brenda is the security administrator for a company that operates an AD DS network consisting of a single domain. All servers run Windows Server 2008 and client computers run either Windows XP Professional or Windows 7 Enterprise. The network includes an offline root CA and three enterprise issuing CAs.

    In addition to the locally issued certificates, Brenda needs to enable the use by domain clients of several certificates that have been issued by third-party CAs. What does she need to do to ensure that all domain clients will trust certificates issued by the third-party CAs?

    1. Install the third-party CA certificates on her company’s root CA and place this CA online for sufficient time for the certificates to replicate to other network servers.

    2. Install the third-party CA certificates on her company’s issuing CAs.

    3. Add a copy of each third-party CA certificates to the Trusted Root Certification Authorities node in the Default Domain Policy GPO.

    4. Add a copy of each third-party CA certificates to the Trusted Root Certification Authorities certificate store on each client computer.

    85.A junior administrator in your company named Sandy has just created a new one-way outgoing trust relationship between your company’s domain and a contractor’s domain. The purpose of this trust is to enable engineers in your company to send detailed design charts and specifications to the contractor without having to fax them. However, engineers report that they are unable to access the contractor’s domain. What should you do to enable access while keeping resources in your company’s domain secure?

    1. In the trust’s Properties dialog box, change the direction of the trust from outgoing to incoming.

    2. In the trust’s Properties dialog box, change the authentication scope of the trust from selective authentication to domainwide.

    3. Remove the trust relationship and create a new two-way trust relationship.

    4. Remove the trust relationship and create a new one-way incoming trust relationship.

    86.Nolan is a network administrator for a company that operates an Active Directory Domain Services (AD DS) network consisting of two domains. The company has offices in Los Angeles and Tokyo, which are connected by a 128 kbps WAN link. Each office is represented by a separate AD DS site, as well as its own domain.

    Nolan’s company stores resource location information in AD DS so that users can perform searches to locate the appropriate resources using the Entire Directory option. However, users in the Tokyo office report that search times for resources are unacceptably slow.

    What can Nolan do to improve search times at the Tokyo office?

    1. Configure a global catalog server at the Tokyo office.

    2. Enable universal group caching at the Tokyo office.

    3. Configure a domain controller for the Los Angeles domain in the Tokyo office.

    4. Configure a domain controller for the Tokyo domain in the Los Angeles office.

    87.Julio is the network administrator for a company that has deployed a new AD DS domain containing Windows Server 2008 domain controllers and member servers and Windows 7 Enterprise client computers.

    Julio’s boss would like him to keep track of any attempts, authorized or otherwise, to modify the configuration of directory objects in the domain. Julio has configured the system access control lists (SACLs) of these objects to enable auditing. What else must Julio do?

    1. In a domain-based GPO, enable auditing of object access attempts.

    2. In a domain-based GPO, enable auditing of directory service access attempts.

    3. In a domain-based GPO, enable auditing of directory service changes attempts.

    4. Use the auditpol.exe tool to enable auditing of object access attempts.

    5. Use the auditpol.exe tool to enable auditing of directory service access attempts.

    6. Use the auditpol.exe tool to enable auditing of directory service changes attempts.

    88.Kent is the network administrator for a company that operates an AD DS network consisting of a single domain. The company has four domain controllers that run either Windows Server 2003 or Windows Server 2008.

    Kent has obtained a new computer that he plans to install Windows Server 2008 on and promote to a domain controller. This computer will replace an older domain controller, which holds the RID master and PDC emulator roles and will be recommissioned as a backup file server.

    Before demoting this domain controller to member server, Kent must transfer these roles to another domain controller. Which of the following tools can he use for this purpose? (Each correct answer represents a complete solution to the problem. Choose two answers.)

    1. Active Directory Domains and Trusts

    2. Active Directory Sites and Services

    3. Active Directory Users and Computers

    4. Active Directory Schema

    5. The Ntdsutil utility

    89.Carol is the network administrator for a company that operates an AD DS network consisting of a single domain. Company executives have signed a long-term partnership agreement with another company that also operates an AD DS network. Users in Carol’s company will require access to rights-protected confidential information that is stored on web servers located on the second company’s network. Users in the second company will not require access to any documents on Carol’s network.

    Which two of the following should Carol configure on her network? (Each correct answer represents part of the solution. Choose two answers.)

    1. Active Directory Lightweight Directory Services (AD LDS)

    2. Active Directory Rights Management Services (AD RMS)

    3. Active Directory Federation Services (AD FS)

    4. Active Directory Certificate Services (AD CS)

    5. A one-way external trust relationship

    90.Ruby suspects that an intruder has been attempting to obtain usernames and passwords from her company’s Windows Server 2008 R2 domain controller. She would like to capture data transmitted across the network adapter of the domain controller. Which tool should she use?

    1. Network Monitor

    2. Task Manager

    3. Performance Monitor

    4. Event Viewer

    5. Windows System Resource Manager (WSRM)

    91.Lynda is a network administrator for a company that operates an AD DS network containing two domains in a single tree. One of the hard disks on a domain controller failed and had to be replaced. As a result, she had to restore the ntds.dit file from backup.

    When Lynda restarted the domain controller in Directory Services Restore Mode, she entered her administrator password but was denied access. Which of the following is the most likely reason why she was denied access to Directory Services Restore Mode?

    1. Lynda changed her password a few days ago. Because this domain controller had failed beforehand, AD DS did not replicate the password change. She needs to use her old password.

    2. A domain-based Group Policy setting denies Lynda the right to log on locally to the domain controller.

    3. Lynda is not a member of the Enterprise Administrators group. Only members of the Enterprise Administrators group are allowed access to the Directory Services Restore Mode in a forest that contains more than one domain.

    4. Lynda entered the password to the domain rather than the password she specified when installing AD DS.

    92.Jim is responsible for maintaining the CRLs in his company. A new user named Brigitte has been hired to work in the Accounting department, and Jim issues a certificate to her. He receives an email from Human Resources informing him that Brigitte has failed a preliminary security evaluation and might be unsuitable for this job, so he revokes her certificate.

    The next morning, Human Resources informs Jim that the security evaluation has proven to be successful and Brigitte needs her certificate back. So, he attempts to unrevoke the certificate but receives an error message stating that this attempt failed. Which of the following is the most likely reason why Jim was unable to unrevoke her certificate?

    1. Jim should delete the delta CRL containing the revoked certificate before he can unrevoke it.

    2. Jim should restore the CRL to the day before he first revoked the certificate.

    3. Jim specified the Unspecified reason code when he revoked the certificate. He should have used the Certificate Hold reason code.

    4. Jim should have unrevoked the certificate before it was published to the latest base CRL. After a revoked certificate is published in the base CRL, he cannot unrevoke it.

    93.Diane is responsible for maintaining the DNS configuration of her company’s AD DS domain. All servers run Windows Server 2008, and client computers run either Windows XP Professional or Windows 7 Enterprise or Ultimate. DNS is configured as an Active Directory–integrated zone on two domain controllers and as a secondary zone on a single external DNS server located on the network’s perimeter zone. The external DNS server hosts only the records for her company’s web and mail servers.

    Diane deploys an additional secondary DNS server on the perimeter network to improve Internet-based name resolution. She uses Reliability and Performance Monitor to monitor the new DNS server and notices that the Transfer Start of Authority (SOA) Requests Sent value is high. She needs to minimize the bandwidth used by the perimeter network DNS servers across the firewall server for zone transfer requests. She must also ensure that only authorized servers can receive copies of this zone file.

    Which of the following should she configure on the external DNS server? (Each correct answer represents part of the solution. Choose two answers.)

    1. On the Notify list, select Servers listed on the Name Servers tab.

    2. On the Notify list, select The following servers and specify the IP addresses of the perimeter zone secondary DNS servers.

    3. Increase the value of the Refresh interval.

    4. Decrease the value of the Refresh interval.

    5. Increase the value of the Retry interval.

    6. Decrease the value of the Retry interval.

    7. Disable dynamic updates.

    94.Stan is responsible for configuring password and account lockout policies for his company’s AD DS domain. He has configured the domain password policy as shown in the exhibit.

    [View full size image]

    The network has a Windows Server 2008 R2 computer that is configured as an application server. One application utilizes a domain account named App to log on to the application server. This account is granted the Log On as a Service right on the server.

    Several weeks after the application was configured, the help desk starts to receive calls from users complaining that they are unable to access the application. What should Stan do to enable proper user access using the least amount of administrative effort?

    1. In Group Policy Management Editor, change the Maximum password age setting to 999.

    2. Use Adsiedit.msc to configure a password settings object (PSO) that specifies a maximum password age of 999:00:00:00 and apply the PSO to the App user account.

    3. In Group Policy Management Editor, change the value of Enforce password history to 0.

    4. In Active Directory Administrative Center, configure the password for the App user account to never expire.

    95.Evelyn is planning a PKI for her company’s AD DS network. She needs to install an enterprise root CA on a Windows Server 2008 R2 computer on the network. Which of the following computers can she use for this purpose? (Choose all that apply.)

    1. Windows Server 2008 R2 Web Edition

    2. Windows Server 2008 R2 Foundation Edition, configured as a member server

    3. Windows Server 2008 R2 Foundation Edition, configured as a domain controller

    4. Windows Server 2008 R2 Standard Edition, configured as a member server

    5. Windows Server 2008 R2 Standard Edition, configured as a domain controller

    6. Windows Server 2008 R2 Enterprise Edition, configured as a member server

    7. Windows Server 2008 R2 Enterprise Edition, configured as a domain controller

    8. Windows Server 2008 R2 Datacenter Edition, configured as a member server

    9. Windows Server 2008 R2 Datacenter Edition, configured as a domain controller

    96.Ursula’s AD DS domain uses a standard DNS zone with a primary DNS server called Alpha and two secondary servers called Beta and Gamma. All three servers are listed as name servers on the Name Servers tab of the DNS zone’s Properties dialog box. Their IP addresses are 192.168.1.61, 192.168.1.62, and 192.168.1.63, respectively.

    Ursula has configured zone transfer to allow zone transfers only to servers listed on the Name Servers tab. Nevertheless, zone transfers are not taking place across the network in a timely fashion. Ursula clicks the Notify button on the Zone Transfers tab and notices that the dialog box is configured as shown in the exhibit. What should she do? (Each correct answer represents part of the solution. Choose all that apply).

    [View full size image]

    1. Select the Automatically notify check box.

    2. Select The following servers option.

    3. Add the IP address 192.168.1.63 to the list.

    4. Remove the IP address 192.168.1.62 from the list.

    5. Select the Servers listed on the Name Servers tab option.

    97.Shelley is a network administrator for a company that operates a single-domain AD DS network. There are three sites that represent offices located in St. Louis, Detroit, and Chicago. These offices are connected with two T1 links, from St. Louis to Chicago and from Chicago to Detroit. No direct physical connection exists between St. Louis and Detroit. The site links are configured as described in the following table:

    Site LinkReplication ScheduleReplication IntervalSite Link Cost
    St. Louis–Chicago2:00 AM to 7:00 AM30 minutes300
    Chicago –Detroit7:00 PM to 2:00 AM45 minutes100


    Shelley works in the St. Louis office and configures most of the changes to AD DS from that office. Users in Detroit complain that changes to AD DS take more than a day to appear in their office. What should Shelley do to ensure that changes made in St. Louis appear in Detroit by the start of the following business day?

    1. Reduce the replication interval of the Chicago–Detroit site link to 30 minutes.

    2. Reduce the cost of the St. Louis–Chicago site link to 100.

    3. Modify the replication schedule of the St. Louis–Chicago site link to 10:00 PM to 4:00 AM.

    4. Create a site link bridge that bridges the two site links from St. Louis to Detroit.

    98.Ryan has installed Windows Server 2008 R2 on a new server using the Server Core option. He would like to install AD DS and promote the server to be a replica domain controller in his company’s single domain network. What should he do?

    1. Run Server Manager from the command prompt and select the AD DS role.

    2. Run Server Manager from the command prompt and select the dcpromo option.

    3. Execute the dcpromo command from the command prompt and specify the appropriate answers when prompted.

    4. Execute the dcpromo command from the command prompt and specify an unattended answer file containing the required information.

    99.Joanne is the network administrator for a company that builds outdoor furniture. The company operates an AD DS network consisting of a single domain in which each department has its own OU. All servers run Windows Server 2008, and the domain and forest functional levels are set to Windows Server 2008.

    Joanne’s company purchases another company that manufactures camping and recreational equipment. All servers on this company’s network run Windows Server 2003, and the domain and forest functional levels are set to Windows Server 2003. Executives in both companies have agreed that the acquired company network will remain as a separate forest. Joanne needs to create several similar GPOs in different OUs in her company’s network. She also needs to take the settings from the Financial OU in her company’s network and copy them to the Financial OU in the acquired company’s domain. What should she do to accomplish these tasks with the least amount of administrative effort? (Each correct answer represents part of the solution. Choose two answers.)

    1. In the outdoor furniture company’s domain, create a Starter GPO and link this GPO to the appropriate OUs. Then make any necessary changes for each OU.

    2. In the outdoor furniture company’s domain, create a Starter GPO. Then create GPOs based on the Starter GPO and link them to the appropriate OUs.

    3. In the outdoor furniture company’s domain, use Group Policy Management Console (GPMC) to back up the GPO linked to the Financial OU. Then import this GPO to the other company’s network and link it to the Financial OU in that domain.

    4. In the outdoor furniture company’s domain, use GPMC to back up the Starter GPO. Then import this GPO to the other company’s network and use it to create the appropriate GPO in this network’s Financial OU.

    100.Jonathan is the systems administrator for his company, which runs a large AD DS network that consists of several domains all contained within two tree structures. The company has operations in both North America and Asia. Jonathan works in the Los Angeles head office, where the root domain is located, including the domain controllers that hold the roles of domain naming master and schema master. One weekend, the domain naming master crashed and the hardware techs discovered that it requires several new parts, including a new SCSI hard drive. The parts will take at least 10 days to be delivered and installed. However, Jonathan urgently needs to create two new domains that will encompass the company’s new ventures into Australia. Without a functioning domain naming master, he is unable to create the new domains. He realizes that it is necessary to have another domain controller seize the role of domain naming master.

    Which of the following does Jonathan need to do to accomplish this task?

    1. Use Active Directory Users and Computers.

    2. Use Active Directory Domains and Trusts.

    3. Use the ntdsutil command-line utility.

    4. Install another new computer with Windows Server 2008. Use dcpromo.exe to promote it to a domain controller and specify that it is to be a domain naming master.

    101.Merle is responsible for securing a new physical printer that her company has purchased especially for printing confidential documents. She installs the printer in a secure office and configures a logical printer for the device on a Windows Server 2008 computer. She also configures the appropriate permissions and enables auditing in a GPO for her company’s domain.

    After printing several documents to the new printer, she examines the print server’s security logs and finds that no entries related to the printer have been recorded. What is the most likely cause for the lack of entries in the security log?

    1. The security log does not record activity by an administrator.

    2. Merle failed to enable auditing in the printer’s Properties dialog box.

    3. The events were recorded in a log on the domain controller.

    4. The security log only records attempts by unauthorized users to access the printer.

    102.Brandon is the network administrator for a company that operates an AD DS network consisting of a single domain. Servers run a mix of Windows Server 2008 and Windows Server 2008 R2, and client computers run either Windows XP Professional or Windows 7 Professional or Ultimate.

    Brandon wants to deploy Active Directory Rights Management Services (AD RMS) to provide rights-enabled protection for sensitive corporate documents. Which of the following additional role services and features must Brandon install when he is installing AD RMS? (Each correct answer represents part of the solution. Choose all that apply.)

    1. Internet Information Services (IIS)

    2. Active Directory Certificate Services (AD CS)

    3. Active Directory Metadirectory Services (AD MDS)

    4. Windows Process Activation Service

    5. Message Queuing Services

    103.Andy is the network administrator for a company that runs an AD DS network with a single domain. One of the domain controllers has been running slowly during much of the day, and Andy suspects that he might need to upgrade the processor. Andy has added additional RAM to the computer, but he wants to be informed of potential processor bottlenecks.

    Andy decides he wants to have the domain controller inform him when the processor utilization exceeds 85%. What should he do? (Each correct answer represents part of the solution. Choose two answers.)

    1. Configure Windows System Resource Manager to generate an alert when the Processor\%Processor Time counter exceeds 85%.

    2. Configure Performance Monitor to generate an alert when the Processor\%Processor Time counter exceeds 85%.

    3. Configure a data collector set to generate an alert when the Processor\%Processor Time counter exceeds 85%.

    4. In Server Manager, ensure that the Alerter service is configured to start automatically and send a message to his computer. He will then receive a message box on his computer when an alert is created.

    5. View the Application log in Event Viewer to determine whether any alerts have been generated.

    6. View the System log in Event Viewer to determine whether any alerts have been generated.

    104.Allison is the network administrator for a company that operates an AD DS network consisting of a single domain. The network includes a standalone root CA and an enterprise subordinate issuing CA.

    Allison has configured an autoenrollment certificate template and a GPO that enables users to automatically receive certificates. She needs to provide certificates for routers and switches on the network. How should she proceed?

    1. Install the Simple Certificate Enrollment Protocol (SCEP) on the issuing CA server.

    2. Configure an online responder on the issuing CA server.

    3. Configure a certificate template that includes the Authority Information Access (AIA) extension.

    4. Create a security group that contains the machine accounts for the routers and switches and then grant this group the Autoenroll permission for the required template.

    105.Erica is administrator of Acme Construction, which operates an AD DS network consisting of a single domain. Acme is headquartered in Toronto with branch offices in Buffalo, Detroit, and Miami. Erica’s companywide domain name will be acmeconstr.com. Initially, Erica plans to install a DNS server at headquarters and another in each of the three branch offices. She plans to have the DNS server in Toronto host her company’s domain. Additionally, Erica intends to delegate responsibility for maintaining DNS systems and zone information to network administrators located at each of the branch offices.

    Which of the following plans will achieve the desired results for Erica?

    1. The DNS server in Toronto will host a standard primary zone for the acmeconstr.com domain. Each branch office will host a standard primary zone.

    2. The DNS server in Toronto will host a standard primary zone for the acmeconstr.com domain. Branch offices will be configured as subdomains. Each branch office will host a standard secondary zone for its subdomain.

    3. The DNS server in Toronto will host a standard primary zone for the acmeconstr.com domain. Branch offices will be configured as subdomains. Each branch office will host a standard primary zone for its subdomain.

    4. The DNS server in Toronto will host a standard primary zone for the acmeconstr.com domain. Branch offices will be configured as subdomains. Each branch office will host a stub zone for its subdomain.

    106.Trevor is a network administrator for a company that operates an AD DS forest containing two domains in separate trees named que.com and certguide.com. A junior administrator has accidentally deleted the Financial OU from the que.com domain. This domain contains some security groups that have back-links of groups in the certguide.com domain as members of these groups.

    Trevor authoritatively restores the Financial OU, but users in this OU report that they are unable to access objects in the certguide.com domain. He realizes that he should create an LDIF file for recovering the back-links of these groups in the certguide.com domain for the authoritatively restored objects in the Financial OU. Which utility should he use to perform this operation?

    1. Ntdsutil.exe

    2. Esentutl.exe

    3. Ldifde.exe

    4. Wbadmin.exe

    107.Sharon is responsible for configuring BitLocker policies for her company’s AD DS domain. More specifically, she needs to ensure that recovery information for the operating system drive in a RODC and located in a branch office is properly backed up to AD DS. She must ensure that the key package used for encrypting the operating system drive is included in the backup. So, she opens up the Group Policy Management Editor focused on the Default Domain Controllers Policy GPO and accesses the Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption node. What should she do? (Each answer represents part of the solution. Choose two.)

    1. Enable the Store BitLocker recovery information in Active Directory Domain Services policy and select the Require BitLocker backup to AD DS check box.

    2. Access the Fixed Data Drives subnode, enable the Choose how BitLocker protected fixed drives can be recovered policy, and select the Require BitLocker backup to AD DS check box.

    3. Access the Operating System Drives subnode, enable the Choose how BitLocker protected operating system drives can be recovered policy, and select the Require BitLocker backup to AD DS check box.

    4. Select the Allow data recovery agent check box and then select the Allow 48-digit recovery password option.

    5. Select the Store recovery passwords and key packages option.

    6. Select the Store recovery passwords only option.

    108.Juan is responsible for configuring certificate autoenrollment for his Windows Server 2008 environment and would like to implement this feature as soon as possible. Juan is considering a third-party solution because he wants to have the most secure environment possible and wants to assign certificates to both users and computers. What should Juan do?

    1. Windows Server 2008 enables Juan to assign certificates to both users and computers. There is no need to use a third-party tool.

    2. Windows Server 2008 offers autoenrollment to users but not to computers. Consequently, he should look for a third-party tool that assigns to computers only.

    3. Juan’s instincts are correct. Because Group Policy in Windows Server 2008 can assign certificates to computers only, he should find a third-party tool to do this task.

    4. Certificates are more important for computers. Although in theory it is possible to utilize a third-party tool to assign certificates to users, assigning them to computers gives him better control and is actually more secure.

    109.Sandra is the senior administrator of a Windows Server 2003 forest that consists of a single domain, and Ralph is a UNIX administrator who works alongside her. The company’s CIO has asked Sandra and Ralph to reduce the total cost of ownership of the two networks by improving the efficiency of user access from one network to the other and reducing the current duplication of resources existing in the Windows and UNIX networks.

    Which of the following should Sandra and Ralph do? (Each correct answer represents part of the solution. Choose two answers.)

    1. Create an external trust between the Windows domain and the UNIX realm.

    2. Create a forest trust between the Windows forest and the UNIX realm.

    3. Create a realm trust between the Windows domain and the UNIX realm.

    4. Upgrade the Windows network to Windows Server 2008.

    5. Migrate the UNIX network to Windows Server 2008 AD DS.

    110.Kevin is installing a PKI for his company, which operates an AD DS domain in which all servers run Windows Server 2008. He has installed a root CA and is now at the computer that will host an enterprise subordinate CA. However, on the Specify Setup page he discovers that the Enterprise CA option is grayed out and only the Standalone CA option is available. What must Kevin do to install an enterprise subordinate CA on this computer?

    1. Log on to the server as a member of the Enterprise Admins group.

    2. Log on to the server as a member of the Schema Admins group.

    3. Use Server Manager to install AD DS on this server.

    4. Run dcpromo.exe to promote the server to a domain controller.

    5. Install a standalone CA on the server and then use the Certification Authority console to promote the server to an enterprise CA.

    111.Tricia is a junior administrator for a large enterprise corporation whose Active Directory network contains two domains, seven sites, and 11 OUs, each of which represents a different company department. The IT manager has assigned Tricia the responsibility of administering the Design OU and has provided her with Full Control permission for this OU.

    Tricia needs to configure a GPO for deployment of a specialized design application to all employees the Design department of each of the company’s offices. These employees should have access to the application at all times, regardless of which department they are accessing the application from. It is not to be available to employees of other departments, even if they are working from computers located in the Design department.

    Which of the following steps should Tricia take to deploy this application?

    1. She should create a GPO that is linked to the Design OU. In this GPO, she should add a Windows Installer package for the application under the User Configuration\Policies\Software Settings\Software Installation node. On the Deploy Software dialog box, she should select Assigned.

    2. She should create a GPO that is linked to the Design OU. In this GPO, she should add a Windows Installer package for the application under the Computer Configuration\Policies\Software Settings\Software Installation node. On the Deploy Software dialog box, she should select Assigned.

    3. She should create a GPO that is linked to the Design OU. In this GPO, she should add a Windows Installer package for the application under the User Configuration\Policies\Software Settings\Software Installation node. On the Deploy Software dialog box, she should select Published.

    4. She should create a GPO that is linked to the Design OU. In this GPO, she should add a Windows Installer package for the application under the Computer Configuration\Policies\Software Settings\Software Installation node. On the Deploy Software dialog box, she should select Published.

    112.Maggie is the network administrator for a company that operates an AD DS forest containing two geographically distinct domains: que.com located in Atlanta and west.que.com located in San Jose. Each domain has a single site named by its city and containing three domain controllers. The two sites are connected by an ISDN link.

    Maggie is configuring the placement of global catalog servers to optimize user logon and resource access. Which of the following configurations should she use?

    1. Place a single global catalog server at the Atlanta site only.

    2. Place a single global catalog server at each site.

    3. Place two global catalog servers at the Atlanta site only.

    4. Place two global catalog servers at the San Jose site only.

    5. Place two global catalog servers at each site.

    113.Sam is a domain administrator for a company that operates a single domain AD DS network. All servers run Windows Server 2008 R2. Sam needs to grant a junior administrator named Julie the ability to create child OUs in the company’s Employees OU. She needs to verify the existence of the OUs she creates, but she should not be able to perform other administrative tasks. Sam accesses the Delegation of Control Wizard and specifies Julie’s user account. Which of the following should he do?

    1. Select the Create a custom task to delegate option, select Organizational Unit objects, and then grant Julie the Read and Write permissions.

    2. Select the Create a custom task to delegate option and then select the option labeled This folder, existing objects in this folder, and creation of new objects in this folder.

    3. Select the Delegate the following common tasks option and then select Create, delete, and manage OUs.

    4. Select the Create a custom task to delegate option, select Organizational Unit objects, and then grant Julie the Read and Create all child objects permissions.

    114.Jane is the network administrator for a company whose AD DS forest includes a domain tree called que.org with child domains named calif.que.org, ariz.que.org, and texas.que.org. In the California domain there is an OU named Sales. This OU contains a user named Don Smith. Jane has implemented several GPOs within the domain, including the following:

    - Site Group Policy: Wallpaper is set to Green. Task Manager is disabled.

    - Domain Group Policy: Display Properties tab is disabled (Enforced setting is selected). Task Manager is not disabled.

    - OU1 Policy: Wallpaper is set to Red. The Display Properties tab is enabled. (Block Inheritance is set to On.)

    - OU2 Policy: Wallpaper is set to Blue.

    The OU policies are set in the order of OU1 being on top and OU2 on the bottom of the application order list. What is the resultant set of policies?

    1. Don logs on and his wallpaper is red. Task Manager is not disabled. Display Properties is disabled.

    2. Don logs on and his wallpaper is green. Task Manager is disabled. Display Properties is enabled.

    3. Don logs on and his wallpaper is blue. Task Manager is not disabled. Display Properties is disabled.

    4. Don logs on and his wallpaper is green. Task Manager is disabled.

    115.Nancy is a systems administrator for her company, which has just purchased a new computer running Windows Server 2008 R2. She has installed this computer as a DNS server on the internal network and has assigned it a static IP address of 172.22.1.3. She accesses the Monitoring tab of the server’s properties dialog box on the DNS snap-in, selects the simple and recursive query test type, and then runs these tests. However, she receives a Fail response in both test columns.

    What should Nancy try first to troubleshoot this failure?

    1. Determine whether the root hints are correct.

    2. Restart the DNS server service.

    3. Access the Debug Logging tab and specify logging of incoming and outgoing packets with the Queries/Transfers option.

    4. Determine whether the server contains the 1.0.0.127.in-addr.arpa zone.

    116.Roy is the network administrator for Que, which operates a single AD DS domain named que.com. Servers run a mix of Windows Server 2008 and Windows Server 2008 R2, and client computers run a mix of Windows XP Professional and Windows 7 Enterprise. Que’s main office is located in Buffalo and there is a branch office in Rochester. Roy creates a GPO that redirects the Start menu for users in the Rochester office to a shared folder on a file server.

    Users in Rochester report that many of the programs they normally use are missing from their Start menus, even though the programs were available on the Start menu the previous day. Logging on to one of the client computers, Roy notices that all the programs in question are present on the Start menu. Roy verifies that users can access the shared folder on the server. He needs to find out why the Start menu changed for the affected users. How can he accomplish this task? (Each correct answer represents a complete solution to the problem. Choose two answers.)

    1. On one of the affected computers, run the gpresult command.

    2. On one of the affected computers, run the gpupdate command.

    3. In the Group Policy Management Console, right-click the Group Policy Results node and choose Group Policy Results Wizard.

    4. In the Group Policy Management Console, right-click the Group Policy Modeling node and choose Group Policy Modeling Wizard.

    5. In Active Directory Sites and Services, right-click the Rochester site and choose All Tasks > Resultant Set of Policy (Planning).

    117.Gary is the network administrator for a company that has entered into a partnership relationship with a second company. He has set up an Active Directory Federation Services (AD FS) server to enable users in the second company to access web-based data by means of a single sign-on capability.

    Gary wants to test which claims the Federation Service sends in AD FS security tokens. Which of the following should he configure?

    1. A Windows token-based agent

    2. A Federation Service proxy

    3. A trust policy

    4. A claims-aware application

    118.Ian is the administrator of a company that operates an AD DS network that contains two domains. Both domains operate at the Windows Server 2003 domain and forest functional levels. He has installed a new Windows Server 2008 computer and promoted this server to be an additional domain controller in his domain.

    Having heard about the new capability of configuring fine-grained password policies, Ian decides to give it a try and configure a PSO that specifies a minimum of 10 characters. He then associates this PSO with his user account and attempts to change his password to a new one that is 8 characters long.

    When this attempt succeeds, Ian wonders why the new PSO was not applied to his account. Which of the following is the reason Ian was able to specify an eight-character password?

    1. Ian needs to associate the PSO with a global security group to which his user account belongs before it is applied.

    2. Ian needs to associate the PSO with an OU to which his user account belongs before it is applied.

    3. Ian needs to upgrade all domain controllers in the domain to Windows Server 2008 or Windows Server 2008 R2 and set the domain functional level to Windows Server 2008 or higher before the PSO is effective.

    4. Ian needs to upgrade all domain controllers in both domains of the forest to Windows Server 2008 or Windows Server 2008 R2 and set the domain and forest functional levels to Windows Server 2008 or higher before the PSO is effective.

    119.Kas is a systems engineer for a company that operates an AD DS domain with two Windows Server 2003 domain controllers and three Windows Server 2008 domain controllers. She is responsible for assigning the flexible single-master operations (FSMO) roles to specific domain controllers for optimum network functionality.

    Kas needs to ensure proper synchronization of the system clocks on all computers on the network. To this end, she wants to have one of the Windows Server 2008 domain controllers look after this requirement. Which of the following roles should she assign to this domain controller?

    1. Domain naming master

    2. Schema master

    3. Infrastructure master

    4. PDC emulator

    5. RID master

    120.Nellie is the network administrator for a financial company that operates a series of branch offices in major North American cities. The company operates an AD DS network consisting of a single domain, in which each office is configured as its own site. To improve the efficiency of intersite replication, Nellie has decided that she needs to create a site link bridge.

    Which of the following steps should Nellie perform to accomplish this task? (Each correct answer represents part of the solution. Choose three answers.)

    1. In the console tree of Active Directory Sites and Services, right-click the Inter-Site Transports folder and choose New Site Link Bridge.

    2. In the console tree of Active Directory Sites and Services, right-click the Simple Mail Transport Protocol (SMTP) folder and choose New Site Link Bridge.

    3. In the console tree of Active Directory Sites and Services, right-click the IP folder and choose New Site Link Bridge.

    4. In the New Object—Site Link Bridge dialog box, type a name for the site link bridge.

    5. In the New Object—Site Link Bridge dialog box, select at least two sites she wants bridged and then click Add.

    6. In the New Object—Site Link Bridge dialog box, select at least two site links she wants bridged and then click Add.

    7. In the New Object—Site Link Bridge dialog box, select the check box labeled Bridge all site links.

     


      

    You are currently reading a PREVIEW of this book.

                                                                                            

    Get instant access to over
    $1 million worth of books and videos.

      

    Start a Free Trial