aiotestking uk

70-640 Exam Questions - Online Test


70-640 Premium VCE File

Learn More 100% Pass Guarantee - Dumps Verified - Instant Download
150 Lectures, 20 Hours

Q1. Your network contains an Active Directory forest. 

You need to add a new user principal name (UPN) suffix to the forest. 

Which tool should you use? 

A. Active Directory Administrative Center 

B. Active Directory Domains and Trusts 

C. Active Directory Sites and Services 

D. Active Directory Users and Computers 

Answer:

Explanation: 

http://www.kassapoglou.com/windows-server-2008-lesson-23-video-creating-a-user/ 

Demonstration adding a UPN Suffix 

To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the start menu. Right click Active Directory Domains and Trusts at the top and open the properties. From here you can add and remove additional domain UPN suffixes for the forest. 

Q2. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller named DC2 has a standard secondary zone for contoso.com. 

You need to ensure that the replication of the contoso.com zone is encrypted. 

You must not lose any zone data. 

What should you do? 

A. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone. 

B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone. 

C. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the secondary zone. 

D. On both servers, modify the interface that the DNS server listens on. 

Answer:

Explanation: 

Q3. You add an Online Responder to an Online Responder Array. 

You need to ensure that the new Online Responder resolves synchronization conflicts for all members of the Array. 

What should you do? 

A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1. 

B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32. 

C. From the Online Responder Management Console, select the new Online Responder, and then select Set as Array Controller. 

D. From the Online Responder Management Console, select the new Online Responder, and then selectSynchronize Members with Array Controller. 

Answer:

Explanation: 

Explanation 1: http://technet.microsoft.com/en-us/library/cc770413.aspx Managing Array members For each Array, one member is defined as the Array controller; the role of the Array controller is to help resolve synchronization conflicts and to apply updated revocation configuration information to all Array members. 

Explanation 2: http://technet.microsoft.com/en-us/library/cc771281.aspx To designate an Array controller 

1. Open the Online Responder snap-in. 

2. In the console tree, click Array Configuration Members. 

3. Select the Online Responder that you want to designate as the Array controller. 

4. In the Actions pane, click Set as Array Controller. 

Q4. Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains an OU for Computers, an OU for Groups, and an OU for Users. 

You perform nightly backups. An administrator deletes the Groups OU. 

You need to restore the Groups OU without affecting users and computers in the Sales OU. 

What should you do? 

A. Perform an authoritative restore of the Sales OU. 

B. Perform a non-authoritative restore of the Sales OU. 

C. Perform an authoritative restore of the Groups OU. 

D. Perform a non-authoritative restore of the Groups OU. 

Answer:

Explanation: 

Q5. Your company has two Active Directory forests as shown in the following table. 

The forests are connected by using a two-way forest trust. Each trust direction is configured with forest-wide authentication. The new security policy of the company prohibits users from the eng.fabrikam.com domain to access resources in the contoso.com domain. 

You need to configure the forest trust to meet the new security policy requirement. 

What should you do? 

A. Delete the outgoing forest trust in the contoso.com domain. 

B. Delete the incoming forest trust in the contoso.com domain. 

C. Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wide authentication to Selective authentication. 

D. Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude *.eng. fabrikam.com from the Name Suffix Routing trust properties. 

Answer:

Explanation: 

http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx How Domain and Forest Trusts Work Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must first determine whether the domain being requested by a user, computer or service has a trust relationship with the logon domain of the requesting account. To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account. 

Trust Flow The flow of secured communications over trusts determines the elasticity of a trust: how you create or configure a trust determines how far the communication extends within a forest or across forests. The flow of communication over trusts is determined by the direction of the trust (one-way or two-way) and the transitivity of the trust (transitive or nontransitive). One-Way and Two-Way Trusts Trust relationships that are established to enable access to resources can be either one-way or two-way. A one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be either nontransitive or transitive depending on the type of trust being created. All domain trusts in an Active Directory forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be nontransitive or transitive depending on the type of trust being created. An Active Directory domain can establish a one-way or two-way trust with: Windows Server 2003 domains in the same forest. Windows Server 2003 domains in a different forest. Windows NT 4.0 domains. Kerberos V5 realms. Transitive and Nontransitive Trusts Transitivity determines whether a trust can be extended outside of the two domains with which it was formed. A transitive trust can be used to extend trust relationships with other domains; a nontransitive trust can be used to deny trust relationships with other domains. Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. If child domains are added to the new domain, the trust path flows upward through the domain hierarchy extending the initial trust path created between the new domain and its parent domain. Transitive trust relationships flow upward through a domain tree as it is formed, creating transitive trusts between all domains in the domain tree. Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated by any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest. The following figure shows that all domains in Tree 1 and Tree 2 have transitive trust relationships by default. As a result, users in Tree 1 can access resources in domains in Tree 2 and users in Tree 1 can access resources in Tree 2, when the proper permissions are assigned at the resource. 

Default Transitive Trust Relationships 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

In addition to the default transitive trusts established in a Windows Server 2003 forest, by using the New Trust Wizard you can manually create the following transitive trusts. Shortcut trust. A transitive trust between domains in the same domain tree or forest that is used to shorten the trust path in a large and complex domain tree or forest. Forest trust. A transitive trust between one forest root domain and another forest root domain. Realm trust. A transitive trust between an Active Directory domain and a Kerberos V5 realm. A nontransitive trust is restricted to the two domains in the trust relationship and does not flow to any other domains in the forest. A nontransitive trust can be a two-way trust or a one-way trust. Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts. Nontransitive domain trusts are the only form of trust relationship possible between: A Windows Server 2003 domain and a Windows NT domain A Windows Server 2003 domain in one forest and a domain in another forest (when not joined by a forest trust) By using the New Trust Wizard, you can manually create the following nontransitive trusts: External trust. A nontransitive trust created between a Windows Server 2003 domain and a Windows NT, Windows 2000, or Windows Server 2003 domain in another forest. When you upgrade a Windows NT domain to a Windows Server 2003 domain, all existing Windows NT trusts are preserved intact. All trust relationships between Windows Server 2003 domains and Windows NT domains are nontransitive. Realm trust A nontransitive trust between an Active Directory domain and a Kerberos V5 realm 

Q6. HOTSPOT 

Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configured as shown in the following table. 

You need to enable universal group membership caching in the Seattle site. 

Which object's properties should you modify? 

To answer, select the appropriate object in the answer area. 

Answer:  

Q7. Your network contains a single Active Directory forest. The forest contains two domains named contoso.com and sales.contoso.com. The domain controllers are configured as shown in the following table. 

All domain controllers run Windows Server 2008 R2. All zones are configured as Active Directory- integrated zones. 

You need to ensure that contoso.com records are available on DC3. 

Which command should you run? 

A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain 

B. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest 

C. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain 

D. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest 

Answer:

Explanation: 

http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx#BKMK_23 Dnscmd A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network. dnscmd /zonechangedirectorypartition Changes the directory partition on which the specified zone resides. Syntax dnscmd [<ServerName>] /zonechangedirectorypartition <ZoneName>] {[<NewPartitionName>] | [<ZoneType>] } 

Parameters 

<ServerName> 

Specifies the DNS server to manage, represented by IP address, FQDN, or host name. If 

this parameter is omitted, the local server is used. 

<ZoneName> The FQDN of the current directory partition on which the zone resides. 

<NewPartitionName> The FQDN of the directory partition that the zone will be moved to. 

<ZoneType> Specifies the type of directory partition that the zone will be moved to. 

/domain Moves the zone to the built-in domain directory partition. 

/forest Moves the zone to the built-in forest directory partition. 

/legacy Moves the zone to the directory partition that is created for pre–Active Directory 

domain controllers. These directory partitions are not necessary for native mode. 

Q8. Your network consists of a single Active Directory domain. User accounts for engineering department are located in an OU named Engineering. 

You need to create a password policy for the engineering department that is different from your domain password policy. 

What should you do? 

A. Create a new GPO. Link the GPO to the Engineering OU. 

B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the Engineering OU. 

C. Create a global security group and add all the user accounts for the engineering department to the group. Create a new Password Policy Object (PSO) and apply it to the group. 

D. Create a domain local security group and add all the user accounts for the engineering department to the group. From the Active Directory Users and Computer console, select the group and run the Delegation of Control Wizard. 

Answer:

Explanation: 

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/b3d11cd4-897b-4da1-bae1-f1b69441175b Complex Password Policy on an OU 

Q: Is it possible to apply a complex password policy to an OU instead of entire domain (Windows 2008 R2). I'm under the impression it can only be applied to either a security group or an individual user. A1: I beleive you are referering to PSC and PSO. The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container. PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these OUs and then applying the newly defined fine-grained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups. Groups offer better flexibility for managing various sets of users than OUs. For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008. Fine-grained password policies apply only to user objects and global security groups. They cannot be applied to Computer objects. For more info, please see below article: http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide A2: Here is a link to how you setup find grain password policy... However you can only apply it to a Security Group. http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/A3: In addition, for fine grated password policy ; you need DLF 2008 and you can apply that policy on a single user and only global security group. 

Find the step by step info. http://social.technet.microsoft.com/wiki/contents/articles/4627.aspx http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/ Tutorial: How to setup Default and Fine Grain Password Policy One strange thing that still seems to catch a lot of people out is that you can only have one password policy for your user per domain. This catches a lot of people out as they apply a password policy to an OU in their AD thinking that it will apply to all the users in that OU…. but it doesn’t. Microsoft did introduce Fine Grain Password Policies with Windows Server 2008 however this can only be set based on a security group membership and you still need to use the very un-user-friendly ADSI edit tool to make the changes to the policy. Below I will go through how you change the default domain password policy and how you then apply a fine grain password policy to your environment. The Good news is setting the default password policy for a domain is really easy. The Bad news is that setting a fine grain password policy is really hard. How to set a Default Domain Password Policy 

Step 1 Create a new Group Policy Object at the top level of the domain (e.g. “Domain Password Policy”). 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Note: I have elected to create a new GPO at the top of the domain in this case as I always 

try to avoid modifying the “Default Domain Policy”, see Explanations below. 

Explanation: 

http://technet.microsoft.com/en-us/library/cc736813(WS.10).aspx 

TechNet: Linking GPOs 

If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option. 

http://technet.microsoft.com/en-us/library/cc779159(WS.10).aspx 

TechNet: Establishing Group Policy Operational Guidelines 

Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies. 

Step 2 

Edit the “Domain Password Policy” GPO and go to Computer Configurations>Policies>Windows 

Settings>Security Settings>Account Policy>Password Policy and configured the password policies settings to the configuration you desire. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 3 

Once you have configured the password policy settings make the “Domain Password Policy” GPO the highest in the Linked GPO processing order. 

TIP: Make sure you inform all your users when you are going to do this as it may trigger them to change their password the next time they logon. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Done… told you it was easy…. 

Note: Even if you apply the password policies to the “Domain Controllers” OU it will not modify the domain’s password policy. As far as I know this is the only exception to the rule as to how GPO’s apply to objects. As you can see in the image below the “Minimum password length” in the “Domain Password Policy” GPO is still applied to the domain controller even though I have another GPO linking to the “Domain Controllers” OU configuration the same setting. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

For a better explanation as to why the GPO that is linked to the Domain and not the Domain Controllers is used for the password policy for all users check out Jorge’s Quest for Knowledge! – Why GPOs with Password and Account Lockout Policy Settings must be linked to the AD domain object to be affective on AD domain user accounts (http://blogs.dirteam.com/blogs/jorge/archive/2008/12/16/why-gpos-with-password-and-accountlockout- policy-settings-must-be-linked-to-the-ad-domain-object-to-be-affective-on-ad-domain-useraccounts.aspx) 

How to set a Fine Grain Password Policy 

Fine Grain Password Policies (FGPP) were introduced as a new feature of Windows Server 2008. Before this the only way to have different password polices for the users in your environment was to have separate domains… OUCH! 

Pre-Requisites/Restrictions 

You domain must be Windows Server 2008 Native Mode, this means ALL of your domain controllers must be running Windows Server 2008 or later. You can check this by selection the “Raise domain functional level” on the top of the domain in Active Directory Users and Computers. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Explanation http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx AD DS: Fine-Grained Password Policies The domain functional level must be Windows Server 2008. The other restriction with this option is that you can only apply FGPP to users object or 

users in global security groups (not computers). Explanation http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx AD DS: Fine-Grained Password Policies Fine-grained password policies apply only to user objects … and global security groups. TIP: If you setup an “Automatic Shadow Group 

(http://policelli.com/blog/archive/2008/01/15/manage-shadowgroups-in-windows-server-2008/)” you can apply these password policies to users automatically to 

any users located in an OU. 

Creating a Password Setting Object (PSO) 

Step 1 Under Administrator Tools Open ADSI Edit and connect it to a domain and domain controller you want to setup the new password policy. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Note: If you do not see this option go to “Turn Windows Features On or Off” and make sure the “AD DS and AD LDS Tools” are installed. (You will need RSAT also installed if you are on Windows 7).\ 

Step 2 Double click on the “CN=DomainName” then double click on “CN=System” and then double click on “CN=Password Settings Container”. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 3 

Right click on “CN=Password Settings Container” and then click on “New” then “Object. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 4 

Click on “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 5 

Type the name of the PSO in the “Value” field and then click “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Note: With the exception of the password length the following values are all the same as the default values in the “Default Domain Policy”. 

Step 6 

Type in a number that will be the Precedence for this Password Policy then click “Next”. 

Note: This is used if a users has multiple Password Settings Object (PSO) applied to them. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 7 

Type “FALSE” in the value field and click “Next” 

Note: You should almost never use “TRUE” for this setting. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 8 

Type “24” in the “Value” field and click “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 9 

Type “TRUE” in the “Value” field and click “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 10 

Type “5” in the “Value” field and click “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 11 

Type “1:00:00:00” in the “Value” field and click “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 12 

Type “42:00:00:00” in the “Value” field and click “Next” C:\Documents and Settings\usernwz1\Desktop\1.PNG Step 13 

Type “10” in the “Value” field and click “Next” C:\Documents and Settings\usernwz1\Desktop\1.PNG Step 14 

Type “0:00:30:00” field and click “Next” C:\Documents and Settings\usernwz1\Desktop\1.PNG Step 15 

Type “0:00:33:00” in the “Value” field and click “Next” C:\Documents and Settings\usernwz1\Desktop\1.PNG Step 16 

Click “Finish” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

You have now created the Password Settings Object (PSO) and you can close the 

ADSIEdit tool. 

Now to apply the PSO to a users or group… 

Step 17 

Open Active Directory Users and Computers and navigate to “System > Password Settings 

Container” 

Note: Advanced Mode needs to be enabled. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 18 

Double click on the PSO you created then click on the “Attribute Editor” tab and then select the “msDS-PSOAppliedTo” attribute and click “Edit” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 19 

Click “Add Windows Accounts….” button. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 20 

Select the user or group you want to apply this PSO and click “OK” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 21 

Click “OK” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 22 

Click “OK” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

And your are done… (told you it was hard). 

Fine Grain Password Policies as you can see are very difficult to setup and manage so it is probably best you use them sparingly in your organisation… But if you really have to have a simple password or extra complicated password then at least it give you away to do this without having to spin up another domain. 

Q9. Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers and DNS servers. All client computers run Windows XP SP3. 

You need to use your client computers to edit domain-based GPOs by using the ADMX files that are stored in the ADMX central store. 

What should you do? 

A. Add your account to the Domain Admins group. 

B. Upgrade your client computers to Windows 7. 

C. Install .NET Framework 3.0 on your client computers. 

D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the PolicyDefinitions folder. 

Answer:

Explanation: 

http://technet.microsoft.com/en-us/library/cc709647%28v=ws.10%29.aspx Managing Group Policy ADMX Files Step-by-Step Guide 

Microsoft Windows Vista. and Windows Server 2008 introduce a new format for displaying registry-based policy settings. Registry-based policy settings (located under the Administrative Templates category in the Group Policy Object Editor) are defined using a standards-based, XML file format known as ADMX files. These new files replace ADM files, which used their own markup language. The Group Policy tools —Group Policy Object Editor and Group Policy Management Console—remain largely unchanged. In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks. http://blogs.technet.com/b/grouppolicy/archive/2008/12/17/questions-on-admx-in-windows-xp-and-windows2003-environments.aspx Questions on ADMX in Windows XP and Windows 2003 environments We had a question a couple of days ago about the usage of ADMX template formats in Windows XP/Server 2003 environments. Essentially the question was: “…What’s the supported or recommended way of getting W2k8 ADMX templates applying in a W2k3 domain with or with no W2k8 DCs. What I’ve done in test is, created a central store in the /Sysvol/domain/policies folder on the 2k3 DC (PDC) and created and edited a GPO using GPMC from the W2k8 member server applying to a W2k8 machine and it seems to work just fine. Is this the right way to do it?…” The answer is Yes. Again this is one of those things that confuse people. The template format has nothing to do with the policy file that’s created. Its just used to create the policy by the administrative tool itself. In the case of GPMC on Windows XP and Windows Server 2003 and previous – this tool used the ADM file format. These ADM files were copied into every policy object on the SYSVOL, which represents about 4MB of duplicated bloat per policy. This was one of the areas that caused major problems with an issue called SYSVOL bloat. In Vista and Server 2008 this template format changed to ADMX. This was a complete change towards a new XML based format that aimed to eliminate SYSVOL bloat. It doesn’t copy itself into every policy object but relies on a central or local store of these templates (Note that even in the newer tools you can still import custom ADM files for stuff like Office etc). In the question above, the person wanted to know if copying the local store, located under c:/windows/ policydefinitions, could be copied into a Windows Server 2003 domain environment as the central store and Explanationd by the newer admin tools. Again the domain functional mode has little to do with Group Policy. I talked about that one before. The things that we care about are the administrative tools and the client support for the policy functions. So of course it can. Here’s the confusion-reducing scoop – Group Policy as a platform only relies on two main factors. Active Directory to store metadata about the policy objects and to allow client discoverability for the location of the policy files. The other is the SYSVOL to store the policy files. So at its core that’s LDAP and SMB file shares. Specific extensions on top of the policy platform may require certain domain functionality but that’s very specific to that extension. Examples are the new Wireless policy and BitLocker extensions in Vista SP1. They require schema updates – not GP itself. So if you don't currently use them then you don't have to update schema. So provided you’re using Windows Vista SP1 with RSAT or Windows Server 2008 to administer the policies you get all the benefits to manage downlevel clients. That means eliminating SYSVOL bloat. That means all the joys of Group Policy PExplanations. Honestly – it amazes us the amount of IT Pros that still haven’t discovered GPP…especially with the power it has to practically eliminate logon scripts! As a last point – IT Pros also ask us when we will be producing an updated GPMC version for Windows XP to support all the new stuff. The answer is that we are not producing any updated GPMC versions for Windows XP and Server 2003. All the new administrative work is being done on the newer platforms. So get moving ahead! There are some really good benefits in the newer tools and very low impact to your current environment. You only need a single Windows Vista SP1 machine to start! 

Q10. Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runs an Enterprise Root certification authority (CA). 

You need to ensure that only administrators can sign code. 

Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.) 

A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted Publishers. 

B. Modify the security settings on the template to allow only administrators to request code signing certificates. 

C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only administrators to apply the policy. 

D. Publish the code signing template. 

Answer: B,D 

Explanation: 

http://techblog.mirabito.net.au/?p=297 Generating and working with code signing certificates A code signing certificate is a security measure designed to assist in the prevention of malicious code execution. The intention is that code must be “signed” with a certificate that is trusted by the machine on which the code is executed. The trust is verified by contacting the certification authority for the certificate, which could be either a local (on the machine itself, such as a self-signed certificate), internal (on the domain, such as an enterprise certification authority) or external certification authority (third party, such as Verisign or Thawte). For an Active Directory domain with an enterprise root certification authority, the enterprise root certification authority infrastructure is trusted by all machines that are a member of the Active Directory domain, and therefore any certificates issued by this certification authority are automatically trusted. In the case of code signing, it may be necessary also for the issued certificate to be in the “Trusted Publishers” store of the local machine in order to avoid any prompts upon executing code, even if the certificate was issued by a trusted certification authority. Therefore, it is required to ensure that certificates are added to this store where user interaction is unavailable, such as running automated processes that call signed code. A certificate can be assigned to a user or a computer, which will then be the “publisher” of the code in question. Generally, this should be the user, and the user will then become the trusted publisher. As an example, members of the development team in your organisation will probably each have their own code signing certificate, which would all be added to the “Trusted Publishers” store on the domain machines. Alternatively, a special domain account might exist specifically for signing code, although one of the advantages of code signing is to be able to determine the person who signed it.