Q1. You are decommissioning one of the domain controllers in a child domain.
You need to transfer all domain operations master roles within the child domain to a newly installed domain controller in the same child domain.
Which three domain operations master roles should you transfer? (Each correct answer presents part of the solution. Choose three.)
A. RID master
B. PDC emulator
C. Schema master
D. Infrastructure master
E. Domain naming master
Answer: A,B,D
Explanation:
http://technet.microsoft.com/en-us/library/cc781578%28v=ws.10%29.aspx
Transferring operations master roles
Transferring an operations master role means moving it from one domain controller to another with the cooperation of the original role holder. Depending upon the operations master role to be transferred, you perform the role transfer using one of the three Active Directory consoles in Microsoft Management Console (MMC).
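The TechNet text describes the MMC route; on Windows Server 2008 R2 and later the same transfer can be scripted and verified with the ActiveDirectory module. This is an added example, not code from the page or from Microsoft's documentation; the target DC name CHILD-DC02 and the domain child.contoso.com are assumptions.

```powershell
# Added example: transfer the three domain-level operations master roles
# (RID master, PDC emulator, infrastructure master) to a new DC in the same
# child domain. Assumed names: target DC CHILD-DC02, domain child.contoso.com.
Import-Module ActiveDirectory

$Domain   = 'child.contoso.com'
$TargetDc = 'CHILD-DC02'

# Record the current holders first so the change can be verified and audited.
$before = Get-ADDomain -Identity $Domain |
          Select-Object RIDMaster, PDCEmulator, InfrastructureMaster
Write-Host 'Current holders:'
$before | Format-List

# Transfer, not seize. Without -Force the cmdlet cooperates with the current
# role holder, which is what "transfer" means above. -Force seizes the roles
# and is only appropriate when the old holder is permanently gone.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
    -OperationMasterRole RIDMaster, PDCEmulator, InfrastructureMaster `
    -Confirm:$false

# Verify that all three domain roles now point at the new DC.
$after    = Get-ADDomain -Identity $Domain
$expected = "$TargetDc.$Domain"
foreach ($role in 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster') {
    $holder = $after.$role
    if ($holder -ieq $expected) {
        Write-Host "$role : OK ($holder)"
    } else {
        Write-Warning "$role is still held by $holder"
    }
}

# Schema master and domain naming master are forest-wide and were not moved;
# they are read from the forest object, not the domain.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
```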
Q2. Your company has an Active Directory forest that contains a single domain. The domain member server has an Active Directory Federation Services (AD FS) role installed.
You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain.
What should you do?
A. Add and configure a new account partner.
B. Add and configure a new resource partner.
C. Add and configure a new account store.
D. Add and configure a Claims-aware application.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc732095.aspx
Understanding Account Stores
Active Directory Federation Services (AD FS) uses account stores to log on users and extract security claims for those users. You can configure multiple account stores for a single Federation Service. You can also define their priority. The Federation Service uses Lightweight Directory Access Protocol (LDAP) to communicate with account stores. AD FS supports the following two account stores:
* Active Directory Domain Services (AD DS)
* Active Directory Lightweight Directory Services (AD LDS)
Q3. Your company has an Active Directory forest. The company has three locations. Each location has an organizational unit and a child organizational unit named Sales.
The Sales organizational unit contains all users and computers of the sales department.
The company plans to deploy a Microsoft Office 2007 application on all computers within the three Sales organizational units.
You need to ensure that the Office 2007 application is installed only on the computers in the Sales organizational units.
What should you do?
A. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the domain.
B. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.
C. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location.
D. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.
Answer: C
Q4. A domain controller named DC12 runs critical services. Restructuring of the organizational unit hierarchy for the domain has been completed and unnecessary objects have been deleted.
You need to perform an offline defragmentation of the Active Directory database on DC12. You also need to ensure that the critical services remain online.
What should you do?
A. Start the domain controller in the Directory Services restore mode. Run the Defrag utility.
B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility.
C. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Defrag utility.
D. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Ntdsutil utility.
Answer: D
Explanation:
http://support.microsoft.com/kb/232122
Performing offline defragmentation of the Active Directory database
Active Directory automatically performs online defragmentation of the database at certain intervals (by default, every 12 hours) as part of the Garbage Collection process. Online defragmentation does not reduce the size of the database file (Ntds.dit), but instead optimizes data storage in the database and reclaims space in the directory for new objects. Performing an offline defragmentation creates a new, compacted version of the database file. Depending on how fragmented the original database file was, the new file may be considerably smaller.
http://rickardnobel.se/when-to-offline-defrag-ntds-dit/
When to offline defrag the Active Directory database
This article shows a simple way to determine whether there is any gain in doing an offline defrag of your Active Directory database. During normal operations the Active Directory service performs an online defragmentation of the Active Directory database (always called ntds.dit) every 12 hours. This online defrag arranges all pages inside ntds.dit in an optimal way; however, the file size never shrinks, and sometimes even grows. Over years of operation the ntds.dit file grows as user accounts, organizational units, groups, computers, DNS records and more are added and later removed. When deleted objects are finally removed (after the so-called tombstone lifetime, typically 180 days), the space they occupied is unfortunately not released.
The actual size of ntds.dit can easily be checked in Explorer. In this example the database is around 575 MB. Note that Active Directory does not use file-level replication, so the file can be of a different size on each domain controller in your domain. If wanted, it is possible to take the AD services offline on one DC and perform an offline defragmentation of ntds.dit. This both arranges all pages in the best possible way and reclaims any empty space inside the database, which can make backup and restore faster and possibly also improve AD performance. "Offline" here means offline from an Active Directory perspective: on Windows 2000 and 2003 you have to reboot into Directory Services Restore Mode, while on Windows 2008 and R2 you stop the AD services by typing "net stop ntds" at the command prompt. So in Windows 2008 and later it is far easier, but still something you do not want to do unless necessary. There are numerous articles on the web on how to perform the actual offline defrag, so that part is not covered here. What we will look at is perhaps the most important piece of information: how to see in advance the amount of space that could be reclaimed, so that the decision is based on facts rather than guesses. This has been possible since at least Windows 2003, but is not well documented.
To enable this you have to alter a registry value on the domain controller whose reclaimable space you want to investigate. Use regedit and find the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Change the value "6 Garbage Collection" from 0 to 1. This increases the logging from the Garbage Collection process, which runs together with the online defrag. Now wait for the next online defragmentation, which runs twice a day, and then examine the Directory Service log in Event Viewer.
Search for event id 1646, usually together with event ids 700 and 701.
Here we can see the amount of space that an offline defrag would reclaim. The top value is the number of MB the offline defrag would recover, in this case almost half the database size. If the amount is negligible, do not worry about it further; if a considerable number of MB is reported, you can plan the offline defrag.
Note that both the registry change and the actual offline defrag have to be done on each domain controller, since neither replicates.
As noted above, the commands for the offline defragmentation are not covered here, since they are already well documented.
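The registry change, the event check and the Windows Server 2008-style offline compaction from the explanation above, as an added PowerShell example that is not from the cited articles. It assumes an elevated session on the DC being examined and an assumed scratch directory C:\NtdsCompact; the compaction step is left commented out so the report can be run on its own.

```powershell
# Added example, not from the cited articles: raise garbage-collection logging,
# report ntds.dit size and the 700/701/1646 events, and (commented out) run the
# offline compaction with the AD DS service stopped instead of rebooting into
# DSRM, as answer D describes. $WorkDir is an assumed scratch path.
$DiagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$WorkDir  = 'C:\NtdsCompact'

# Step 1: "6 Garbage Collection" from 0 to 1, the change the article makes.
Set-ItemProperty -Path $DiagKey -Name '6 Garbage Collection' -Value 1 -Type DWord

# Step 2: current database size, taken from the DSA Database file parameter.
$Dit    = (Get-ItemProperty -Path $ParamKey).'DSA Database file'
$LogDir = (Get-ItemProperty -Path $ParamKey).'Database log files path'
'{0} is {1:N0} MB' -f $Dit, ((Get-Item -Path $Dit).Length / 1MB)

# Step 3: after the next online defrag (twice daily), 1646 states how many MB
# an offline defrag would reclaim; 700/701 bracket the pass it was measured in.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 700, 701, 1646 } `
             -MaxEvents 30 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap

# Step 4, only when 1646 shows a worthwhile amount. Stopping NTDS also stops
# its dependent services (KDC, DNS Server, DFSR ...), so they are recorded and
# restarted afterwards; nothing else on the DC is affected and no reboot occurs.
<#
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$deps = (Get-Service -Name NTDS).DependentServices |
        Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name NTDS -Force                        # same as "net stop ntds"
& ntdsutil.exe 'activate instance ntds' files "compact to $WorkDir" quit quit
Copy-Item -Path $Dit -Destination "$Dit.bak"          # keep the original
Copy-Item -Path (Join-Path $WorkDir 'ntds.dit') -Destination $Dit -Force
Remove-Item -Path (Join-Path $LogDir '*.log')         # stale transaction logs
& ntdsutil.exe 'activate instance ntds' files integrity quit quit
Start-Service -Name NTDS
$deps | ForEach-Object { Start-Service -Name $_.Name }
#>
```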
Q5. Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com.
You have a custom attribute named Attribute1 in Active Directory. Attribute1 is associated to User objects.
You need to ensure that Attribute1 is replicated to the global catalog.
What should you do?
A. In Active Directory Sites and Services, configure the NTDS Settings.
B. In Active Directory Sites and Services, configure the universal group membership caching.
C. From the Active Directory Schema snap-in, modify the properties of the User class schema object.
D. From the Active Directory Schema snap-in, modify the properties of the Attribute1 class schema attribute.
Answer: D
Explanation:
http://www.tech-faq.com/the-global-catalog-server.html The Global Catalog Server The Global Catalog (GC) is an important component in Active Directory because it serves as the central information store of the Active Directory objects located in domains and forests. Because the GC maintains a list of the Active Directory objects in domains and forests without actually including all information on the objects and it is used when users search for Active Directory objects or for specific attributes of an object, the GC improves network performance and provides maximum accessibility to Active Directory objects.
How to Include Additional Attributes in the GC The number of attributes in the GC affects GC replication. The more attributes the GC servers have to replicate, the more network traffic GC replication creates. Default attributes are included in the GC when Active Directory is first deployed. The Active Directory Schema snap-in can be used to add any additional attribute to the GC. Because the snap-in is by default not included in the Administrative Tools Menu, users have to add it to the MMC before it can be used to customize the GC. To add the Active Directory Schema snap-in in the MMC:
1. Click Start, Run, and enter cmd in the Run dialog box. Press Enter.
2. Enter the following at the command prompt: regsvr32 schmmgmt.dll.
3. Click OK to acknowledge that the dll was successfully registered.
4. Click Start, Run, and enter mmc in the Run dialog box.
5. When the MMC opens, select Add/Remove Snap-in from the File menu.
6. In the Add/Remove Snap-in dialog box, click Add then add the Active Directory Schema snap-in from the Add Standalone Snap-in dialog box.
7. Close all open dialog boxes.
To include additional attributes in the GC:
1. Open the Active Directory Schema snap-in.
2. In the console tree, expand the Attributes container, right-click an attribute, and click Properties from the shortcut menu.
3. Additional attributes are added on the General tab.
4. Ensure that the Replicate this attribute to the Global Catalog checkbox is enabled.
5. Click OK.
Q6. Your company has an Active Directory domain and an organizational unit. The organizational unit is named Web.
You configure and test new security settings for Internet Information Service (IIS) Servers on a server named IISServerA.
You need to deploy the new security settings only on the IIS servers that are members of the Web organizational unit.
What should you do?
A. Run secedit /configure /db iis.inf from the command prompt on IISServerA, then run secedit /configure /db webou.inf from the command prompt.
B. Export the settings on IISServerA to create a security template. Import the security template into a GPO and link the GPO to the Web organizational unit.
C. Export the settings on IISServerA to create a security template. Run secedit /configure /db webou.inf from the command prompt.
D. Import the hisecws.inf file template into a GPO and link the GPO to the Web organizational unit.
Answer: B
Explanation:
http://www.itninja.com/blog/view/using-secedit-to-apply-security-templates
Using Secedit To Apply Security Templates
secedit /configure /db secedit.sdb /cfg "c:\temp\custom.inf" /silent >nul
This command imports a security template file, "custom.inf", into the workstation's or server's local security database. /db must be specified. When specifying the default security database (secedit.sdb), I found that providing no path worked best. The /cfg option informs Secedit that it is to import the .inf file into the specified database, appending it to any existing .inf files that have already been imported on this system. You can optionally include an /overwrite switch to overwrite all previous configurations for this machine. The /silent option suppresses any pop-ups, and the >nul hides the command-line output stating success or failure of the action.
Q7. Your company has four offices. The network contains a single Active Directory domain. Each office has a domain controller. Each office has an organizational unit (OU) that contains the user accounts for the users in that office. In each office, support technicians perform basic troubleshooting for the users in their respective office.
You need to ensure that the support technicians can reset the passwords for the user accounts in their respective office only. The solution must prevent the technicians from creating user accounts.
What should you do?
A. For each OU, run the Delegation of Control Wizard.
B. For the domain, run the Delegation of Control Wizard.
C. For each office, create an Active Directory group, and then modify the security settings for each group.
D. For each office, create an Active Directory group, and then modify the controlAccessRights attribute for each group.
Answer: A
Explanation:
Explanation 1: http://technet.microsoft.com/en-us/library/cc732524.aspx
To delegate control of an organizational unit
1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. To open Active Directory Users and Computers in Windows Server 2012, click Start, type dsa.msc.
3. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.
4. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard.
Explanation 2: http://technet.microsoft.com/en-us/library/dd145442.aspx
Delegate the following common tasks
The following are common tasks that you can select to delegate control of: Reset user passwords and force password change at next logon
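What the wizard's "Reset user passwords and force password change at next logon" task actually grants, applied per office OU from the command line and then checked for anything broader, as an added example that is not from the cited TechNet pages. The domain DN, OU paths and per-office group names are assumptions.

```powershell
# Added example, not from the cited TechNet pages: apply per office the same
# rights the wizard's "Reset user passwords and force password change at next
# logon" task grants, then check that the technicians got nothing broader.
# Domain, OU and group names are assumptions.
Import-Module ActiveDirectory

$DomainDn = 'DC=contoso,DC=com'
$Offices  = @{ Seattle = 'OU=Seattle,OU=Offices'; Denver = 'OU=Denver,OU=Offices' }

foreach ($office in $Offices.Keys) {
    $ou    = "$($Offices[$office]),$DomainDn"
    $group = "CONTOSO\$office-SupportTechs"

    # /I:S = inherit onto child objects of the named class (user) only. The task
    # needs two ACEs: the Reset Password control access right, and read/write
    # on pwdLastSet so the technician can force a change at next logon.
    & dsacls.exe $ou /I:S /G "${group}:CA;Reset Password;user"
    & dsacls.exe $ou /I:S /G "${group}:RPWP;pwdLastSet;user"
}

# Verification through the AD: drive. Anything granting CreateChild, GenericAll
# or GenericWrite to the technicians would let them create accounts, which the
# requirement forbids, so flag it.
foreach ($office in $Offices.Keys) {
    $ou   = "$($Offices[$office]),$DomainDn"
    $aces = (Get-Acl -Path "AD:\$ou").Access |
            Where-Object { $_.IdentityReference -like "*\$office-SupportTechs" }
    $tooBroad = $aces | Where-Object {
        $_.ActiveDirectoryRights -match 'CreateChild|GenericAll|GenericWrite'
    }
    if ($tooBroad) {
        Write-Warning "$ou : technicians hold rights beyond password reset"
        $tooBroad | Format-List IdentityReference, ActiveDirectoryRights, ObjectType
    } else {
        Write-Host "$ou : $($aces.Count) ACE(s), password-reset scope only"
    }
}
```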
Q8. Your network contains an Active Directory domain.
A user named User1 takes a leave of absence for one year.
You need to restrict access to the User1 user account while User1 is away.
What should you do?
A. From the Default Domain Policy, modify the account lockout settings.
B. From the Default Domain Controller Policy, modify the account lockout settings.
C. From the properties of the user account, modify the Account options.
D. From the properties of the user account, modify the Session settings.
Answer: C
Explanation:
Account lockout settings deal with logon security, like how many times a wrong password can be entered before an account gets locked out, or after how many minutes a locked-out user can try again.
To really restrict access to the User1 account it has to be disabled, by modifying the account options.
Explanation:
http://blogs.technet.com/b/msonline/archive/2009/08/17/disabling-and-deleting-user-accounts.aspx
Disabling a user account prevents user access to e-mail and Microsoft SharePoint Online data, but retains the user's data. Disabling a user account also keeps the user license associated with that account. This is the best option to utilize when a person leaves an organization temporarily.
Q9. Your company has a DNS server that has 10 Active Directory integrated zones.
You need to provide copies of the zone files of the DNS server to the security department.
What should you do?
A. Run the dnscmd /ZoneInfo command.
B. Run the ipconfig /registerdns command.
C. Run the dnscmd /ZoneExport command.
D. Run the ntdsutil > Partition Management > List commands.
Answer: C
Explanation:
http://servergeeks.wordpress.com/2012/12/31/dns-zone-export/
DNS Zone Export
In Non-AD Integrated DNS Zones
DNS zone file information is stored by default in the %systemroot%\windows\system32\dns folder. When the DNS Server service starts it loads zones from these files. This behavior is limited to any primary and secondary zones that are not AD integrated. The files are named <ZoneFQDN>.dns.
In AD Integrated DNS Zones
AD-integrated zones are stored in the directory; they do not have corresponding zone files, i.e. they are not stored as .dns files. This makes sense because the zones are stored in, and loaded from, the directory. It is therefore important to take a backup of these AD-integrated zones before making any changes to the DNS infrastructure. Dnscmd.exe can be used to export a zone to a file. The syntax of the command is:
DnsCmd <ServerName> /ZoneExport <ZoneName> <ZoneExportFile>
<ZoneName> is the FQDN of the zone to export, or /Cache to export the cache. As an example, say we have an AD-integrated zone named habib.local and our DC is server1. The command to export the file would be:
Dnscmd server1 /ZoneExport habib.local habib.local.bak
You can refer to the complete article on DNSCMD on the Microsoft TechNet website: http://technet.microsoft.com/en-us/library/cc772069(v=ws.10).aspx
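The single-zone command above, generalized to every AD-integrated zone on the server and paired with a hash manifest so the security department can verify the copies it receives. This is an added example, not code from the cited article; it assumes it runs on the DNS server itself (dnscmd writes exports to %SystemRoot%\System32\dns), that the DnsServer module (Windows Server 2012 or later) is present, and an assumed hand-off directory C:\ZoneExports.

```powershell
# Added example, not from the cited article: export every AD-integrated zone
# with dnscmd /ZoneExport, move the files to a hand-off directory and record a
# SHA-256 manifest. Assumes a local run on the DNS server and the DnsServer
# module; C:\ZoneExports is an assumed path.
Import-Module DnsServer

$Server  = $env:COMPUTERNAME
$DnsDir  = Join-Path $env:SystemRoot 'System32\dns'   # where dnscmd writes
$Stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$DestDir = "C:\ZoneExports\$Stamp"
New-Item -ItemType Directory -Path $DestDir -Force | Out-Null

# Only directory-integrated zones lack .dns files on disk; auto-created zones
# (0.in-addr.arpa and friends) carry nothing the security team needs.
$zones = Get-DnsServerZone -ComputerName $Server |
         Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated }

$manifest = foreach ($z in $zones) {
    # The time stamp avoids dnscmd refusing to overwrite an earlier export.
    $file = "$($z.ZoneName).$Stamp.bak"
    & dnscmd.exe $Server /ZoneExport $z.ZoneName $file | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export failed for $($z.ZoneName) (dnscmd exit $LASTEXITCODE)"
        continue
    }
    Move-Item -Path (Join-Path $DnsDir $file) -Destination $DestDir
    $out = Join-Path $DestDir $file
    [pscustomobject]@{
        Zone   = $z.ZoneName
        File   = $file
        Bytes  = (Get-Item -Path $out).Length
        SHA256 = (Get-FileHash -Path $out -Algorithm SHA256).Hash
    }
}

# The manifest travels with the files; the recipient re-runs Get-FileHash and
# compares, which catches a truncated or altered copy before it is relied on.
$manifest | Export-Csv -Path (Join-Path $DestDir 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize
```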
Q10. Your company has a main office and a branch office that are configured as a single Active Directory forest. The functional level of the Active Directory forest is Windows Server 2003. There are four Windows Server 2003 domain controllers in the main office.
You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch office.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Raise the functional level of the forest to Windows Server 2008.
B. Deploy a Windows Server 2008 domain controller at the main office.
C. Raise the functional level of the domain to Windows Server 2008.
D. Run the adprep /rodcprep command.
Answer: B,D
Explanation:
http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx
Prerequisites for Deploying an RODC
Complete the following prerequisites before you deploy a read-only domain controller (RODC):
* Ensure that the forest functional level is Windows Server 2003 or higher.
* Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008 or Windows Server 2008 R2. The adprep commands extend the Active Directory schema and update security descriptors so that you can add the new domain controllers. There are different versions of Adprep.exe for Windows Server 2008 and Windows Server 2008 R2.
1. Prepare the forest and domains. There are three adprep commands to complete and have the changes replicate throughout the forest. Run the three commands as follows:
* Prepare the forest by running adprep /forestprep on the server that holds the schema master operations master (also known as flexible single master operations or FSMO) role to update the schema.
* Prepare the domain by running adprep /domainprep /gpprep on the server that holds the infrastructure operations master role.
* If you are installing an RODC in an existing Windows Server 2003 domain, you must also run adprep /rodcprep.
2. Install Active Directory Domain Services (AD DS). You can install AD DS by using a wizard, the command line, or an answer file. Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the same domain as the RODC and ensure that the writable domain controller is also a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.