Q1. Company has servers on the main network that run Windows Server 2008. It also has two domain controllers.
Active Directory services are running on a domain controller named CKDC1.
You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server.
What should you do to perform offline critical updates on CKDC1 without rebooting the server?
A. Start the Active Directory Domain Services on CKDC1
B. Disconnect from the network and start the Windows update feature
C. Stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates.
D. Stop Active Directory domain services and install updates. Disconnect from the network and then connect again.
E. None of the above
Answer: C
Explanation:
Personal comment: I don't believe you can avoid restarting the server when installing some (not all) updates http://class10e.com/Microsoft/what-should-you-do-to-perform-offline-critical-updates-on-ckdc1-withoutrebooting-the-server/ To perform offline critical updates on CKDC1 without rebooting the server, you should stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates. By stopping the Active Directory domain services, you don’t need to reboot the server. The updates are related to the Windows Server 2008 on CKDC1 so when you stop the Active Directory domain services and start it again after the installation of the updates, the Server will perform in a normal way.
Q2. Active Directory Rights Management Services (AD RMS) is deployed on your network.
You need to configure AD RMS to use Kerberos authentication.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Register a service principal name (SPN) for AD RMS.
B. Register a service connection point (SCP) for AD RMS.
C. Configure the identity setting of the _DRMSAppPool1 application pool.
D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase.
Answer: A,D
Explanation:
http://technet.microsoft.com/en-us/library/dd759186.aspx
If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures:
Set the Internet Information Services (IIS) useAppPoolCredentials variable to True
Set the Service Principal Names (SPN) value for the AD RMS service account
Q3. Your network consists of a single Active Directory domain. You have a domain controller and a member server that run Windows Server 2008 R2. Both servers are configured as DNS servers. Client computers run either Windows XP Service Pack 3 or Windows 7.
You have a standard primary zone on the domain controller. The member server hosts a secondary copy of the zone.
You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone.
What should you do first?
A. On the member server, add a conditional forwarder.
B. On the member server, install Active Directory Domain Services.
C. Add all computer accounts to the DNS UpdateProxy group.
D. Convert the standard primary zone to an Active Directory-integrated zone.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc726034.aspx Understanding Active Directory Domain Services Integration The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network. How DNS integrates with AD DS When you install AD DS on a server, you promote the server to the role of a domain controller for a specified domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain. Benefits of AD DS integration For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits: DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone. With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS servercan accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directoryintegrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network. Also, when you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones. Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain. By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network. Directory-integrated replication is faster and more efficient than standard DNS replication.
Q4. Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has the Active Directory Federation Services (AD FS) Federation Service role service installed.
You plan to deploy AD FS 2.0 on Server2.
You need to export the token-signing certificate from Server1, and then import the certificate to Server2.
Which format should you use to export the certificate?
A. Base-64 encoded X.509 (.cer)
B. Cryptographic Message Syntax Standard PKCS #7 (.p7b)
C. DER encoded binary X.509 (.cer)
D. Personal Information Exchange PKCS #12 (.pfx)
Answer: D
Explanation:
Explanation 1: http://technet.microsoft.com/en-us/library/ff678038.aspx
Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0 If the AD FS 1.x Federation Service has a token-signing certificate that was issued by a trusted certification authority (CA) and you want to reuse it, you will have to export it from AD FS 1.x.
[The site provides also a link for instructions on how to export the token-signing certificate. That link point to the site mentioned in Explanation 2.]
Explanation 2: http://technet.microsoft.com/en-us/library/cc784075.aspx
Export the private key portion of a token-signing certificate
To export the private key of a token-signing certificate Click Start, point to Administrative Tools, and then click Active Directory Federation Services. Right-click Federation Service, and then click Properties. On the General tab, click View. In the Certificate dialog box, click the Details tab. On the Details tab, click Copy to File. On the Welcome to the Certificate Export Wizard page, click Next. On the Export Private Key page, select Yes, export the private key, and then click Next. On the Export File Format page, selectPersonal Information Exchange = PKCS #12 (.PFX), and then click Next. (...)
Q5. Your company has an Active Directory forest that contains client computers that run Windows Vista andMicrosoft Windows XP.
You need to ensure that users are able to install approved application updates on their computers.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Set up Automatic Updates through Control Panel on the client computers.
B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically search for updates on the Microsoft Update site.
C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Windows Server Update Services (WSUS) server for approved updates.
D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates on the Internet. Approve all required updates.
Answer: C,D
Explanation:
http://technet.microsoft.com/en-us/library/cc720539%28v=ws.10%29.aspx
Configure Automatic Updates by Using Group Policy
When you configure the Group Policy settings for WSUS, use a Group Policy object (GPO)
linked to an Active Directory container appropriate for your environment.
Q6. Your company, Contoso Ltd has a main office and a branch office. The offices are
connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.
The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone.
You install a new domain controller named DC2 in the branch office. You install DNS on DC2.
You need to ensure that the DNS service can update records and resolve DNS queries in the event that aWAN link fails.
What should you do?
A. Create a new stub zone named ad.contoso.com on DC2.
B. Create a new standard secondary zone named ad.contoso.com on DC2.
C. Configure the DNS server on DC2 to forward requests to DC1.
D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.
Answer: D
Explanation:
Q7. Your company has a domain controller that runs Windows Server 2008. The domain controller has the backup features installed.
You need to perform a non-authoritative restore of the doman controller using an existing backup file.
What should you do?
A. Restart the domain controller in Directory Services Restore Mode and use wbadmin to restore critical volume
B. Restart the domain controller in Directory Services Restore Mode and use the backup snap-in to restore critical volume
C. Restart the domain controller in Safe Mode and use wbadmin to restore critical volume
D. Restart the domain controller in Safe Mode and use the backup snap-in to restore critical volume
Answer: A
Explanation:
Almost identical to B42
http://technet.microsoft.com/en-us/library/cc816627%28v=ws.10%29.aspx
Performing Nonauthoritative Restore of Active Directory Domain Services
A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller.
You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that the problem is with AD DS.
Nonauthoritative Restore Requirements You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a standalone server, member server, or domain controller.
On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in Directory Services Restore Mode (DSRM). If the domain controller cannot be started in DSRM, you must first reinstall the operating system.
To perform a nonauthoritative restore, you need one of the following types of backup for your backup source:
System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command.
Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command. Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup.
Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS.
Q8. You create 200 new user accounts. The users are located in six different sites. New users report that they receive the following error message when they try to log on: "The username or password is incorrect." You confirm that the user accounts exist and are enabled. You also confirm that the user name and password information supplied are correct.
You need to identify the cause of the failure. You also need to ensure that the new users are able to log on.
Which utility should you run?
A. Active Directory Domains and Trusts
B. Repadmin
C. Rstools
D. Rsdiag
Answer: B
Explanation: Repadmin allows us to check the replication status and also allows us to
force a replication between domain controllers.
Explanation:
http://technet.microsoft.com/en-us/library/cc770963.aspx
Repadmin /replsummary
Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.
Repadmin /showrepl Displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions.
Repadmin /syncall Synchronizes a specified domain controller with all replication partners.
Q9. You have an existing Active Directory site named Site1. You create a new Active Directory site and name it Site2.
You need to configure Active Directory replication between Site1 and Site2. You install a new domain controller.
You create the site link between Site1 and Site2.
What should you do next?
A. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new domain controller object to Site2.
B. Use the Active Directory Sites and Services console to configure a new site link bridge object.
C. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2.
D. Use the Active Directory Sites and Services console to configure the new domain controller as a preferred bridgehead server for Site1.
Answer: A
Explanation:
http://www.enterprisenetworkingplanet.com/netsysm/article.php/624411/Intersite-eplication.htm Inter-site Replication The process of creating a custom site link has five basic steps:
1. Create the site link.
2. Configure the site link's associated attributes.
3. Create site link bridges.
4. Configure connection objects. (This step is optional.)
5. Designate a preferred bridgehead server. (This step is optional)
http://technet.microsoft.com/en-us/library/cc759160%28v=ws.10%29.aspx Replication between sites
Q10. You create a new Active Directory domain. The functional level of the domain is Windows Server 2003. The domain contains five domain controllers that run Windows Server 2008 R2.
You need to monitor the replication of the group policy template files.
Which tool should you use?
A. Dfsrdiag
B. Fsutil
C. Ntdsutil
D. Ntfrsutl
Answer: D
Explanation:
With domain functional level 2008 you have available dfs-r sysvol replication. So with
DFL2008 you can use the DFSRDIAG tool. It is not available with domain functional level
2003.
With domain functional level 2003 you can only use Ntfrsutl.