Q1. Your company has a single-domain Active Directory forest. The functional level of the domain is Windows Server 2008.
You perform the following activities:
Create a global distribution group.
Add users to the global distribution group.
Create a shared folder on a Windows Server 2008 member server.
Place the global distribution group in a domain local group that has access to the shared folder.
You need to ensure that the users have access to the shared folder.
What should you do?
A. Add the global distribution group to the Domain Administrators group.
B. Change the group type of the global distribution group to a security group.
C. Change the scope of the global distribution group to a Universal distribution group.
D. Raise the forest functional level to Windows Server 2008.
Answer: B
Explanation:
http://kb.iu.edu/data/ajlt.html In Microsoft Active Directory, what are security and distribution groups?
In Microsoft Active Directory, when you create a new group, you must select a group type. The two group types, security and distribution, are described below:
Security: Security groups allow you to manage user and computer access to shared resources. You can also control who receives group policy settings. This simplifies administration by allowing you to set permissions once on multiple computers, then to change the membership of the group as your needs change. The change in group membership automatically takes effect everywhere. You can also use these groups as email distribution lists.
Distribution: Distribution groups are intended to be used solely as email distribution lists. These lists are for use with email applications such as Microsoft Exchange or Outlook. You can add and remove contacts from the list so that they will or will not receive email sent to the distribution group. You can't use distribution groups to assign permissions on any objects, and you can't use them to filter group policy settings.
http://technet.microsoft.com/en-us/library/cc781446%28v=ws.10%29.aspx Group types
Q2. You need to ensure that domain controllers only replicate between domain controllers in adjacent sites. What should you configure from Active Directory Sites and Services?
A. From the IP properties, select Ignore all schedules.
B. From the IP properties, select Disable site link bridging.
C. From the NTDS Settings object, manually configure the Active Directory Domain Services connection objects.
D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology Generator for each site.
Answer: B
Explanation:
http://www.omnisecu.com/windows-2003/active-directory/what-is-site-link-bridge.htm What is Site Link Bridge and How to create Site Link Bridge
A site link bridge connects two or more site links. A site link bridge enables transitivity between site links. Each site link in a bridge must have a site in common with another site link in the bridge. By default, all site links are transitive and it is recommended to keep transitivity enabled by not changing the default value of "Bridge all site links" (enabled by default).
We may need to disable "Bridge all site links" and create a site link bridge design:
- When the IP network is not fully routed.
- When we need to control the replication flow in Active Directory.
Q3. You have a Windows PowerShell script that contains the following code:
import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword $_.password}
When you run the script, you receive an error message indicating that the format of the password is incorrect. The script fails.
You need to run a script that successfully creates the user accounts by using the password contained in accounts.csv.
Which script should you run?
A. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -force)}
B. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force)}
C. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (Read-Host -AsSecureString "Password")}
D. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (Read-Host -AsSecureString $_.Password)}
Answer: B
Explanation:
import-csv Accounts.csv | Foreach { New-ADUser -Name $_.Name -Enabled $true -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force)}
Personal comment: import the comma-separated values file (most probably containing a column for Name and one for Password); for each line of values, create a new AD user with the name contained in the Name column, enable the account, and set the password with the value contained in the Password column; import the password from plain text as a secure string and ignore warnings/errors.
http://technet.microsoft.com/en-us/library/hh849818.aspx ConvertTo-SecureString
Parameters
-AsPlainText Specifies a plain text string to convert to a secure string. The secure string cmdlets help protect confidential text. The text is encrypted for privacy and is deleted from computer memory after it is used. If you use this parameter to provide plain text as input, the system cannot protect that input in this manner. To use this parameter, you must also specify the Force parameter.
-Force Confirms that you understand the implications of using the AsPlainText parameter and still want to use it.
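The corrected pipeline from option B, expanded into a complete script as an added example (not code from the original page). It writes a constructed two-row CSV to a temporary file, converts each Password value to the SecureString that -AccountPassword requires, skips rows with an empty password, and reports per-user failures (for example a password that does not meet domain policy) instead of aborting the whole import. The CSV path and contents are assumptions.

```powershell
# Added example: bulk-create users from a CSV with Name and Password columns.
# Assumes the ActiveDirectory module; the CSV below is constructed sample input.
Import-Module ActiveDirectory

$csvPath = Join-Path $env:TEMP 'Accounts.csv'   # assumed location
@'
Name,Password
jdoe,P@ssw0rd-Example1
asmith,P@ssw0rd-Example2
'@ | Set-Content -Path $csvPath

Import-Csv -Path $csvPath | ForEach-Object {
    if ([string]::IsNullOrWhiteSpace($_.Password)) {
        Write-Warning "Skipping $($_.Name): empty password in CSV"
        return   # inside ForEach-Object, 'return' moves on to the next record
    }

    # -AccountPassword takes a SecureString; passing the plain string from the
    # CSV is what produced the "format of the password is incorrect" error.
    $secure = ConvertTo-SecureString -String $_.Password -AsPlainText -Force

    try {
        New-ADUser -Name $_.Name -Enabled $true -AccountPassword $secure -ErrorAction Stop
        Write-Verbose "Created $($_.Name)" -Verbose
    } catch {
        # Typical causes: name already exists, or password rejected by domain policy.
        Write-Warning "Failed to create $($_.Name): $($_.Exception.Message)"
    }
}

# The CSV holds plain-text passwords; remove it once the import is done.
Remove-Item -Path $csvPath -Force
```

Because -ErrorAction Stop turns a non-terminating New-ADUser error into a catchable one, a single bad row is logged and the remaining rows are still processed.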
Q4. You have an enterprise subordinate certification authority (CA).
You have a group named Group1.
You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must not be allowed to revoke certificates.
What should you do?
A. Add Group1 to the local Administrators group.
B. Add Group1 to the Certificate Publishers group.
C. Assign the Manage CA permission to Group1.
D. Assign the Issue and Manage Certificates permission to Group1.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc732590.aspx
Manage CA is a security permission belonging to the CA Administrator role. The CA Administrator can enable, publish, or configure certificate revocation list (CRL) schedules.
Revoking certificates is an activity of the Certificate Manager role.
Q5. Your network contains an Active Directory domain named contoso.com.
You need to identify whether the Active Directory Recycle Bin is enabled.
What should you do?
A. From Ldp, search for the Reanimate-Tombstones object.
B. From Ldp, search for the LostAndFound container.
C. From Windows PowerShell, run the Get-ADObject cmdlet.
D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet.
Answer: D
Explanation:
http://www.frickelsoft.net/blog/?p=224
How can I check whether the AD Recycle-Bin is enabled in my R2 forest?
[He shows how to use the PowerShell cmdlet Get-ADOptionalFeature to determine if the AD Recycle Bin is enabled.]
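An added example (not from the page or the linked blog post) that wraps the Get-ADOptionalFeature check from option D in a function returning a single status object. The feature is reported as enabled when its EnabledScopes collection is non-empty; the RequiredForestMode property is included because the Recycle Bin needs a Windows Server 2008 R2 forest before it can be enabled. Assumes the ActiveDirectory module.

```powershell
# Added example: report whether the Active Directory Recycle Bin optional feature
# is enabled, and in which scope(s). Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-ADRecycleBinStatus {
    # The optional feature object lives in the Configuration partition; the
    # Filter form below mirrors the documented usage of Get-ADOptionalFeature.
    $feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }

    if (-not $feature) {
        throw 'Recycle Bin Feature object not found; the forest schema may be older than 2008 R2.'
    }

    [pscustomobject]@{
        FeatureName        = $feature.Name
        Enabled            = ($feature.EnabledScopes.Count -gt 0)
        EnabledScopes      = @($feature.EnabledScopes)   # empty when not enabled
        RequiredForestMode = $feature.RequiredForestMode
    }
}

Get-ADRecycleBinStatus
```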
Q6. You need to purge the list of user accounts that were authenticated on a read-only domain controller (RODC).
What should you do?
A. Run the repadmin.exe command and specify the /prp parameter.
B. From Active Directory Sites and Services, modify the properties of the RODC computer object.
C. From Active Directory Users and Computers, modify the properties of the RODC computer object.
D. Run the dsrm.exe command and specify the -u parameter.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx
Clearing the authenticated accounts list
In addition to reviewing the list of authenticated users, you may decide to periodically clean up the list of accounts that are authenticated to the RODC. Cleaning up this list may help you more easily determine the new accounts that have authenticated through the RODC.
Membership in the Domain Admins group of the domain in which the RODC is a member, or equivalent, is the minimum required to complete this procedure.
To clear all entries from the list, run the command repadmin /prp delete <hostname> auth2 /all.
Substitute the actual host name of the RODC that you want to clear. For example, if you want to clear the list of authenticated accounts for RODC2, type repadmin /prp delete rodc2 auth2 /all, and then press ENTER.
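An added example (not from the page or the TechNet article) that applies the repadmin /prp delete ... auth2 /all procedure to every RODC in the domain, saving the current authenticated-accounts list to a file first so there is a record of which accounts had authenticated through each RODC before the purge. The log directory is an assumption; the script assumes the ActiveDirectory module and Domain Admins rights, as the article states.

```powershell
# Added example: snapshot and then clear the auth2 (authenticated accounts) list
# on each RODC. Requires Domain Admins (or equivalent) and the ActiveDirectory module.
Import-Module ActiveDirectory

$logDir = Join-Path $env:TEMP 'rodc-auth2'   # assumed log location
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

Get-ADDomainController -Filter { IsReadOnly -eq $true } | ForEach-Object {
    $rodc  = $_.HostName
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $log   = Join-Path $logDir "$($_.Name)-auth2-$stamp.txt"

    # 'repadmin /prp view <rodc> auth2' lists the accounts that have authenticated
    # through this RODC; keep it so the list can be reviewed after it is cleared.
    repadmin /prp view $rodc auth2 | Out-File -FilePath $log
    Write-Verbose "Saved auth2 list for $rodc to $log" -Verbose

    # Same command as in the article, with the RODC host name substituted.
    repadmin /prp delete $rodc auth2 /all
}
```

After the purge, re-running repadmin /prp view on a RODC shows only accounts that authenticated since the list was cleared, which is the point made in the article about spotting newly authenticated accounts.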
Q7. Your company has three Active Directory domains in a single forest. You install a new Active Directory enabled application. The application adds new user attributes to the Active Directory schema.
You discover that the Active Directory replication traffic to the Global Catalogs has increased.
You need to prevent the new attributes from being replicated to the Global Catalog.
You must achieve this goal without affecting application functionality.
What should you do?
A. Change the replication interval for the DEFAULTIPSITELINK object to 9990.
B. Change the cost for the DEFAULTIPSITELINK object to 9990.
C. Make the new attributes in the Active Directory as defunct.
D. Modify the properties in the Active Directory schema for the new attributes.
Answer: D
Explanation:
http://support.microsoft.com/kb/248717 How to Modify Attributes That Replicate to the Global Catalog
The Global Catalog (GC) contains a partial replica of every object in the enterprise. This article discusses how to manipulate the attributes which make up the set values replicated to the GC. Deciding which attributes will replicate (in addition to the default attributes) requires careful planning with consideration for network traffic and necessary disk space.
Before describing how to set an attribute to replicate in the GC, it is important to note the effects this has on network replication traffic. After an attributeSchema object is created, marking an additional attribute to replicate to the GC causes a full replication (also known as a "full sync") of all objects to the GC as described below. This behavior occurs on the versions of Windows 2000 listed in this article.
Every server has a full and write-able copy of its own domain. If that server is also a GC, the remaining domains in the forest are held as read-only, partial copies. "Partial" means that only a subset of the attributes is kept. When an attribute is added to the GC, it is added to the partial copy subset (partial attribute set). This causes the GC to perform a "full sync" of all the read-only copies again to repopulate itself with only the partial attributes that it needs to hold. This full sync occurs even if the attribute property isMemberOfPartialAttributeSet is set to "True." Thus, it only does a full sync on the read-only partial copy domains and not its own write-able domain, the configuration directory partition or schema directory partition.
In order to modify the attributes that replicate to the Active Directory GC, you must modify the schema. To modify the schema, an administrator must be made a member of the "Schema Admins" group. In addition to being a member of this group, a registry key must be set on the Schema master.
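An added example (not from the page or the KB article) of the schema change option D describes, done with the ActiveDirectory module instead of the Schema snap-in: it locates the attribute's attributeSchema object in the schema partition on the schema master and, if isMemberOfPartialAttributeSet is set, clears it so the attribute is no longer replicated to Global Catalogs. The attribute name exampleApp-CustomAttr is a placeholder for the application's real attribute; membership in Schema Admins is assumed, as the article requires. Clearing the flag only changes GC replication; the attribute stays in the schema and in each domain's writable replica, so the application keeps working.

```powershell
# Added example: remove an attribute from the Global Catalog partial attribute set.
# Requires Schema Admins. The attribute name below is a placeholder.
Import-Module ActiveDirectory

$ldapDisplayName = 'exampleApp-CustomAttr'          # placeholder for the application's attribute
$schemaNC        = (Get-ADRootDSE).schemaNamingContext
$schemaMaster    = (Get-ADForest).SchemaMaster      # schema writes must go to the schema master

$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$ldapDisplayName))" `
    -Properties lDAPDisplayName, isMemberOfPartialAttributeSet

if (-not $attr) {
    throw "Attribute '$ldapDisplayName' was not found in the schema partition."
}

if ($attr.isMemberOfPartialAttributeSet -eq $true) {
    # Setting the flag to FALSE drops the attribute from the partial attribute set,
    # so it stops being replicated to every Global Catalog in the forest.
    Set-ADObject -Server $schemaMaster -Identity $attr `
        -Replace @{ isMemberOfPartialAttributeSet = $false }
    "Removed '$ldapDisplayName' from the partial attribute set."
} else {
    "'$ldapDisplayName' is not in the partial attribute set; nothing to change."
}

# Re-read to confirm the stored value.
Get-ADObject -Server $schemaMaster -Identity $attr -Properties isMemberOfPartialAttributeSet |
    Select-Object Name, isMemberOfPartialAttributeSet
```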
Q8. Your company has a main office and a branch office. The branch office has an Active Directory site that contains a read-only domain controller (RODC).
A user from the branch office reports that his account is locked out.
From a writable domain controller in the main office, you discover that the user's account is not locked out. You need to ensure that the user can log on to the domain.
What should you do?
A. Modify the Password Replication Policy.
B. Reset the password of the user account.
C. Run the Knowledge Consistency Checker (KCC) on the RODC.
D. Restore network communication between the branch office and the main office.
Answer: D
Explanation:
Not sure if:
Run the Knowledge Consistency Checker (KCC) on the RODC.
or
Restore network communication between the branch office and the main office.
Q9. Your company has file servers located in an organizational unit named Payroll. The file servers contain payroll files located in a folder named Payroll.
You create a GPO.
You need to track which employees access the Payroll files on the file servers.
What should you do?
A. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. On the file servers, configure Auditing for the Authenticated Users group in the Payroll folder.
B. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.
C. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.
D. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configure Auditing for the Authenticated Users group in the Payroll folder.
Answer: B
Explanation:
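The page gives no explanation for Q9, so the following added example (not from the page) shows what option B amounts to on one file server: the Audit object access policy is enabled locally with auditpol, the equivalent of the GPO setting, and a SACL entry for Everyone is added to the Payroll folder so successful and failed reads, writes and deletes are written to the Security log as event 4663. The folder path is an assumption. The GPO in the question applies the policy to all servers in the Payroll OU at once; the SACL on the folder is still set per server, as the option says.

```powershell
# Added example: enable object-access auditing on this server and audit Everyone on
# the Payroll folder. Folder path is assumed; run elevated.
$payrollPath = 'D:\Payroll'   # assumed location of the payroll files

# Local equivalent of the GPO's "Audit object access" setting (File System subcategory).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Build a SACL entry: Everyone, read/write/delete, inherited by subfolders and files,
# logged on both success and failure.
$acl  = Get-Acl -Path $payrollPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $payrollPath -AclObject $acl

# Confirm the audit entry is in place.
(Get-Acl -Path $payrollPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Read back recent access events for the folder. In event 4663, property index 1 is the
# subject user name and index 6 is the object (file) name.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[6].Value -like "$payrollPath*" } |
    Select-Object TimeCreated,
                  @{ n = 'Account'; e = { $_.Properties[1].Value } },
                  @{ n = 'Object';  e = { $_.Properties[6].Value } }
```

Auditing Everyone rather than Authenticated Users is what makes the SACL catch access by any token, including anonymous or local accounts; the policy setting alone logs nothing until a SACL names the objects to watch.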
Q10. Your company has an Active Directory domain. You install a new domain controller in the domain. Twenty users report that they are unable to log on to the domain.
You need to register the SRV records.
Which command should you run on the new domain controller?
A. Run the netsh interface reset command.
B. Run the ipconfig /flushdns command.
C. Run the dnscmd /EnlistDirectoryPartition command.
D. Run the sc stop netlogon command followed by the sc start netlogon command.
Answer: D
Explanation:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010), page 62
The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller's SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.
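An added example (not from the page or the cited guide) of the Netlogon restart in option D, followed by a check that the DC's _ldap._tcp.dc._msdcs SRV record is now in DNS. It uses nslookup for the check so it works on Windows Server 2008 without newer DNS cmdlets, and also runs nltest /dsregdns, which asks Netlogon to re-register its records without a service restart. The domain name is read from the computer's own membership; everything else is constructed locally.

```powershell
# Added example: re-register this domain controller's SRV records and verify them.
# Run on the new domain controller, elevated.
$domain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
$dcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Equivalent of 'sc stop netlogon' / 'sc start netlogon': Netlogon registers the
# DC's SRV records (from %SystemRoot%\System32\config\netlogon.dns) when it starts.
Restart-Service -Name Netlogon -Force

# Explicit re-registration request; harmless if the restart already did the job.
nltest /dsregdns | Out-Null

# Dynamic updates take a moment to land in DNS before they can be queried.
Start-Sleep -Seconds 5

# Ask DNS which DCs advertise LDAP for the domain and look for this host among them.
$query  = "_ldap._tcp.dc._msdcs.$domain"
$answer = nslookup -type=SRV $query 2>&1 | Out-String

if ($answer -match [regex]::Escape($dcFqdn)) {
    "SRV record $query lists $dcFqdn - registration succeeded."
} else {
    Write-Warning ("No SRV record for {0} under {1}. Check that the DC's DNS client points at a DNS server " +
                   "hosting the zone and that the zone allows dynamic updates.") -f $dcFqdn, $query
}
```

If the record is still missing after this, the usual causes are the DC pointing at a DNS server that does not host the zone, or a zone that rejects dynamic updates; the netlogon.dns file shows exactly which records Netlogon tried to register.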