Windows Server 2008 Active Directory, Configuring
Question No: 231 – (Topic 3)
Your company has a main office and a branch office.
The network contains an Active Directory forest. The forest contains three domains. The branch office contains one domain controller named DC5. DC5 is configured as a global catalog server, a DHCP server, and a file server.
You remove the global catalog from DC5.
You need to reduce the size of the Active Directory database on DC5. The solution must minimize the impact on all users in the branch office. What should you do first?
A. Start DC5 in Safe Mode.
B. Start DC5 in Directory Services Restore Mode.
C. On DC5, start the Protected Storage service.
D. On DC5, stop the Active Directory Domain Services service.
Answer: D Explanation:
http://allcomputers.us/windows_server/windows-server-2008-r2–manage-the-active-directory-database-(part-2)–defragment-the-directory-database–audit-active-directory-service.aspx
Windows Server 2008 R2 : Manage the Active Directory Database (part 2) – Defragment the Directory Database & Audit Active Directory Service
3. Defragment the Directory Database
A directory database gets fragmented as you add, change, and delete objects in it. Like any file-system-based storage, as the directory database is changed and updated, fragments of free space build up inside it, so it needs to be defragmented on a routine basis to maintain optimal operation. By default, Active Directory performs an online defragmentation of the directory database every 12 hours as part of the garbage collection process, an automated directory database cleanup that IT pros should be familiar with. However, online defragmentation does not decrease the size of the NTDS.DIT database file; it only rearranges the data for easier access. Depending on how much fragmentation you actually have in the database, running an offline defragmentation, which does decrease the size of the database, can have a significant effect on the overall size of your NTDS.DIT file.
There is a little problem associated with defragmenting databases. They have to be taken offline in order to have the fragments removed and the database resized. In Windows Server 2008 R2, there is a great feature that allows you to take the database offline without shutting down the server. It's called Restartable Active Directory, and it could not be much easier to stop and start your directory database than this. Figure 4 shows the Services tool and how you can use it to stop the Active Directory service.
1. Start the Services tool from the Control Panel.
2. Right-click Active Directory Domain Services, and select Stop.
Figure 4. You can use the Services tool to stop and restart Active Directory.
That's it! Now when you stop Active Directory Domain Services, any dependent services are also stopped. Keep in mind that while the services are stopped, they cannot fulfill their assigned role in your network. The really cool thing about Restartable AD is that while the directory service and its dependent services are stopped, other services on the local machine are not. So, perhaps you have a shared printer running on your DC. Print services still run, and print operations do not stop. Nice!
3.1. Offline Directory Defragmentation
Now that you have stopped Active Directory services, it is time to get down to the business of offline defragmentation of the directory database:
1. Back up the database.
2. Open a command prompt, and type NTDSUTIL.
3. Type ACTIVATE INSTANCE NTDS.
4. Type FILES, and press Enter.
5. Type INFO, and press Enter. This will tell you the current location of the directory database, its size, and the size of the associated log files. Write all this down.
6. Make a folder location that has enough drive space for the directory to be stored.
7. Type COMPACT TO DRIVE:\DIRECTORY, and press Enter. The drive and directory are the location you set up in step 6. If the drive path contains spaces, put the whole path in quotation marks, as in "C:\database defrag".
8. A new defragmented and compacted NTDS.DIT is created in the folder you specified.
9. Type QUIT, and press Enter.
10. Type QUIT again, and press Enter to return to the command prompt.
11. If defragmentation succeeds without errors, follow the NTDSUTIL prompts.
12. Delete all log files by typing DEL x:\pathtologfiles\*.log, where x is the drive letter of your drive.
13. Overwrite the old NTDS.DIT file with the new one. Remember, you wrote down its location in step 5.
14. Close the command prompt.
15. Open the Services tool, and start Active Directory Domain Services.
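As an added example, not the article's own code, here is the same offline defragmentation driven from PowerShell on the DC, using Restartable AD DS (stopping the NTDS service) instead of a restart into Directory Services Restore Mode. That is the point of the question: DHCP and the file shares on DC5 keep serving branch users while the database is compacted. Assumptions: it runs in an elevated session on the DC, the compaction folder D:\NtdsCompact and the wbadmin target E: are placeholders, the Windows Server Backup feature is installed, and ntdsutil is taken to signal failure with a non-zero exit code or the absence of its success line.

```powershell
# Added example, not the article's code: offline defrag of NTDS.DIT on a DC with
# Restartable AD DS (no reboot into DSRM). Run elevated on the DC itself.
# Placeholders: $CompactDir (needs free space >= current database size) and the
# wbadmin backup target E: (requires the Windows Server Backup feature).
$CompactDir = 'D:\NtdsCompact'   # no spaces, so ntdsutil needs no extra quoting

# Database and log locations: the same values that "files > info" prints.
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dit     = $ntdsParams.'DSA Database file'         # e.g. C:\Windows\NTDS\ntds.dit
$logPath = $ntdsParams.'Database log files path'   # e.g. C:\Windows\NTDS
$sizeMB  = { [math]::Round((Get-Item $dit).Length / 1MB) }
"Current NTDS.DIT: $dit, $(& $sizeMB) MB"

# Step 1 of the procedure: a system state backup before touching the database.
wbadmin start systemstatebackup -backupTarget:E: -quiet
if ($LASTEXITCODE -ne 0) { throw 'System state backup failed; stopping here.' }

# Remember which NTDS dependents (KDC, DNS, DFSR/NtFrs, ...) were running, because
# Stop-Service -Force stops them but Start-Service does not bring them back.
$deps = (Get-Service -Name NTDS -DependentServices | Where-Object { $_.Status -eq 'Running' }).Name
Stop-Service -Name NTDS -Force   # DHCP, file shares and other services on the DC keep running

try {
    New-Item -ItemType Directory -Path $CompactDir -Force | Out-Null

    # Each argument is one ntdsutil command, i.e. the interactive session from the steps above.
    $out = & ntdsutil.exe 'activate instance ntds' 'files' "compact to $CompactDir" 'quit' 'quit'
    $out
    # Assumed failure signals: non-zero exit code or no "Operation completed successfully" line.
    # Nothing has been done to the original NTDS.DIT at this point.
    if ($LASTEXITCODE -ne 0 -or -not ($out -match 'Operation completed successfully')) {
        throw 'ntdsutil compact failed; original database left in place.'
    }

    # What ntdsutil's closing message asks for: delete the old logs, copy the new file over.
    Remove-Item -Path (Join-Path $logPath '*.log') -Force
    Copy-Item -Path $dit -Destination "$dit.bak" -Force   # keep the original until verified
    Copy-Item -Path (Join-Path $CompactDir 'ntds.dit') -Destination $dit -Force

    # Integrity check of the compacted file while still offline; roll back if it fails.
    & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit'
    if ($LASTEXITCODE -ne 0) {
        Copy-Item -Path "$dit.bak" -Destination $dit -Force
        throw 'Integrity check failed; original NTDS.DIT restored.'
    }
}
finally {
    Start-Service -Name NTDS
    if ($deps) { Start-Service -Name $deps -ErrorAction Continue }
}
"Compacted NTDS.DIT: $dit, $(& $sizeMB) MB"
```

The try/finally guarantees the directory service comes back even when the compaction or the integrity check throws, and the .bak copy means the DC can continue on its original database file if the new one fails verification, which is the recovery property the text highlights.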
Defragmenting your directory database using the offline NTDSUTIL process can significantly reduce the size of your database depending on how long it has been since your last offline defrag. The hard thing about offline defrag is that every network is different, so making recommendations about how often to use the offline defrag process is somewhat spurious. I recommend you get to know your directory database. Monitor its size and growth. When you think it is appropriate to defragment offline, then do it. A pattern will emerge for you, and you will find yourself using offline defragmentation on a frequency that works well for your network and your directory database. One of the cool things about offline defragmentation is that if you should happen to have an error occur during the defragmentation process, you still have your original NTDS.DIT database in place and can continue using it with no problems until you can isolate and fix any issues.
Question No: 232 – (Topic 3)
You remotely monitor several domain controllers.
You run winrm.exe quickconfig on each domain controller.
You need to create a WMI script query to retrieve information from the BIOS of each domain controller.
Which format should you use to write the query?
Answer: C Explanation:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa394606(v=vs.85).aspx WQL (SQL for WMI)
The WMI Query Language (WQL) is a subset of the American National Standards Institute Structured Query Language (ANSI SQL), with minor semantic changes.
Question No: 233 – (Topic 3)
Your network contains an Active Directory domain. The domain contains 1,000 user accounts.
You have a list that contains the mobile phone number of each user. You need to add the mobile number of each user to Active Directory.
What should you do?
A. Create a file that contains the mobile phone numbers, and then run ldifde.exe.
B. Create a file that contains the mobile phone numbers, and then run csvde.exe.
C. From Adsiedit, select the CN=Users container, and then modify the properties of the container.
D. From Active Directory Users and Computers, select all of the users, and then modify the properties of the users.
Answer: A Explanation:
ldifde.exe: Creates, modifies, and deletes directory objects.
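An added example, not from the page, of the ldifde route: build an LDIF change file from the phone list and import it. csvde.exe can only create objects on import, whereas LDIF supports "changetype: modify" on existing users, which is why ldifde is the answer here. The CSV content is constructed; the real list would be read with Import-Csv. The ActiveDirectory module (RSAT) is assumed for resolving accounts to distinguished names.

```powershell
# Added example, not from the page: bulk-set the "mobile" attribute of existing users via ldifde.
Import-Module ActiveDirectory

# Constructed sample list; in practice: $list = Import-Csv 'C:\path\to\mobiles.csv'
$list = @'
sAMAccountName,Mobile
jsmith,+1 425 555 0100
mjones,+1 425 555 0101
'@ | ConvertFrom-Csv

$records = foreach ($row in $list) {
    try {
        $dn = (Get-ADUser -Identity $row.sAMAccountName -ErrorAction Stop).DistinguishedName
    }
    catch {
        Write-Warning "Skipping $($row.sAMAccountName): $($_.Exception.Message)"
        continue
    }
    # One LDIF change record per user: dn, changetype modify, replace the attribute,
    # "-" closes the attribute change, and the blank line ends the record.
    @"
dn: $dn
changetype: modify
replace: mobile
mobile: $($row.Mobile)
-

"@
}

$ldifPath = Join-Path $env:TEMP 'mobile-update.ldf'
Set-Content -Path $ldifPath -Value $records -Encoding ASCII   # ANSI/ASCII is what ldifde reads without -u

# -i import mode, -f input file, -j folder that receives ldif.log and ldif.err
ldifde -i -f $ldifPath -j $env:TEMP
if ($LASTEXITCODE -ne 0) { throw "ldifde failed; see $env:TEMP\ldif.err" }

# Spot-check one of the updated accounts.
Get-ADUser -Identity jsmith -Properties mobile | Select-Object SamAccountName, mobile
```

Using "replace" rather than "add" makes the import idempotent: re-running the same file after a partial failure overwrites the value instead of erroring on an attribute that already exists.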
Question No: 234 – (Topic 3)
Your network contains an Active Directory domain. All domain controllers run Windows Server 2003.
You replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise the functional level of the domain to Windows Server 2008 R2.
You need to minimize the amount of SYSVOL replication traffic on the network. What should you do?
A. Raise the functional level of the forest to Windows Server 2008 R2.
B. Modify the path of the SYSVOL folder on all of the domain controllers.
C. On a global catalog server, run repadmin.exe and specify the KCC parameter.
D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run dfsrmig.exe.
Answer: D Explanation:
Now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functional level has been raised to Windows Server 2008 R2, we can use DFS Replication for replicating SYSVOL instead of the File Replication Service (FRS) of previous Windows Server versions.
The migration takes place on a domain controller holding the PDC Emulator role.
Using DFS Replication for replicating SYSVOL in Windows Server 2008
DFS Replication technology significantly improves replication of SYSVOL. In Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2, FRS is used to replicate the contents of the SYSVOL share.
When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated.
http://technet.microsoft.com/en-us/library/dd639809.aspx Migrating to the Prepared State
The following sections provide an overview of the procedures that you perform when you migrate SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS Replication).
This migration phase includes the tasks in the following list.
Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Prepared state.
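An added example, not from the page, that performs the Prepared-state step described above from the PDC emulator, after checking the two prerequisites the text names (domain functional level and the role holder). The dfsrmig and repadmin switches are the tools' real ones; the text matched in the polling loop is an assumption about dfsrmig's wording. The ActiveDirectory module is assumed.

```powershell
# Added example, not from the page: start the FRS-to-DFSR SYSVOL migration (Prepared state).
Import-Module ActiveDirectory
$domain = Get-ADDomain

# Prerequisite from the text: domain functional level Windows Server 2008 or higher.
$preDfsrLevels = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
if ($preDfsrLevels -contains [string]$domain.DomainMode) {
    throw "Domain functional level is $($domain.DomainMode); raise it before migrating SYSVOL."
}

# dfsrmig writes the global state on the PDC emulator; other DCs pick it up by AD replication.
$pdc = ($domain.PDCEmulator -split '\.')[0]
if ($env:COMPUTERNAME -ne $pdc) { throw "Run this on the PDC emulator, $($domain.PDCEmulator)." }

dfsrmig /GetGlobalState     # 'Start' before any migration has begun

# Global states: 0 Start, 1 Prepared (DFSR builds its own copy, FRS still serves SYSVOL),
# 2 Redirected (the DFSR copy is served), 3 Eliminated (FRS removed; cannot be reverted).
dfsrmig /SetGlobalState 1
repadmin /syncall /AdeP     # push the change out now instead of waiting for the replication schedule

# Every DC must reach Prepared before state 2 is set; poll, but give up after an hour.
$deadline = (Get-Date).AddHours(1)
do {
    Start-Sleep -Seconds 60
    $state = dfsrmig /GetMigrationState
    $state
    if ((Get-Date) -gt $deadline) {
        throw 'Not all DCs reached the Prepared state; check AD replication and the DFSR event log.'
    }
} until (($state -join ' ') -match 'migrated successfully')   # assumed phrasing of the all-done message
```

States 2 and 3 are applied the same way, one at a time, only after /GetMigrationState confirms that every DC has reached the previous state; the Eliminated state is the one to treat with care, since it removes the FRS replica sets.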
Question No: 235 – (Topic 3)
Your network contains a single Active Directory domain. Client computers run either Windows XP Service Pack 3 (SP3) or Windows 7. All of the computer accounts for the client computers are located in an organizational unit (OU) named OU1.
You link a new Group Policy object (GPO) named GPO10 to OU1.
You need to ensure that GPO10 is applied only to client computers that run Windows 7. What should you do?
A. Create a new OU in OU1. Move the Windows XP computer accounts to the new OU.
B. Enable block inheritance on OU1.
C. Create a WMI filter and assign the filter to GPO10.
D. Modify the permissions of OU1.
To make sure that each GPO associated with a group can only be applied to computers running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each computer.
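An added example, not from the page, covering the two WQL uses on this page: pulling BIOS data from several domain controllers over WinRM (question 232) and checking the query a WMI filter for GPO10 would evaluate (question 235). It assumes PowerShell 3.0 or later (WMF 3.0 is available for Server 2008 R2), since Get-CimInstance uses WS-Man, which is what "winrm quickconfig" enabled on each DC; the older Get-WmiObject -Query would go over DCOM instead. Host names are constructed.

```powershell
# Added example, not from the page: WQL over WinRM for inventory, and WQL as a GPO WMI filter.
$dcs = @('DC1', 'DC2', 'DC5')   # constructed names; Get-ADDomainController -Filter * would list the real ones

function Invoke-WqlQuery {
    param([string]$ComputerName, [string]$Query)
    # WQL is SQL-like: SELECT <props> FROM <WMI class> [WHERE ...]; no JOIN, ORDER BY or GROUP BY.
    try   { @(Get-CimInstance -ComputerName $ComputerName -Query $Query -ErrorAction Stop) }
    catch { Write-Warning "$ComputerName : $($_.Exception.Message)"; @() }   # unreachable, WinRM off, no rights
}

# Question 232: BIOS inventory of the domain controllers.
$biosQuery = 'SELECT Manufacturer, SMBIOSBIOSVersion, ReleaseDate, SerialNumber FROM Win32_BIOS'
$inventory = foreach ($dc in $dcs) {
    Invoke-WqlQuery -ComputerName $dc -Query $biosQuery |
        Select-Object @{n='Computer';e={$dc}}, Manufacturer, SMBIOSBIOSVersion, ReleaseDate, SerialNumber
}
$inventory | Format-Table -AutoSize

# Question 235: the filter Group Policy would evaluate. Version 6.1 is shared by Windows 7 and
# Windows Server 2008 R2, so ProductType = 1 (workstation) keeps servers out; Windows XP is 5.1,
# returns no rows, and the GPO is skipped there.
$windows7Filter = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"'

function Test-GpoWmiFilter {
    param([string]$ComputerName, [string]$Query)
    # A WMI filter passes when the query returns at least one instance and fails when it returns none.
    $rows = @(Invoke-WqlQuery -ComputerName $ComputerName -Query $Query)
    [pscustomobject]@{ Computer = $ComputerName; GpoApplies = ($rows.Count -gt 0) }
}
Test-GpoWmiFilter -ComputerName $env:COMPUTERNAME -Query $windows7Filter
Test-GpoWmiFilter -ComputerName 'WKS-XP-01' -Query $windows7Filter   # constructed XP host; expect GpoApplies False
```

Testing the filter text against a few representative machines before assigning it to GPO10 is the cheap way to catch the classic mistake of matching on Version alone, which would also pull the policy onto Windows Server 2008 R2 member servers.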
Question No: 236 – (Topic 3)
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 Standard.
You need to install an enterprise subordinate certification authority (CA) that supports private key archival.
You must achieve this goal by using the minimum amount of administrative effort. What should you do first?
A. Initialize the Trusted Platform Module (TPM).
B. Upgrade the member server to Windows Server 2008 R2 Standard.
C. Install the Certificate Enrollment Policy Web Service role service on the member server.
D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services – Certification Authority server role template check box.
Answer: B Explanation:
Not sure about this one. See my thoughts below.
According to MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012), key archival is not available in the Windows Server 2008 R2 Standard edition, so that would leave out answer B.
Another dump gives the following for answer B:
"Upgrade the menber [sic] server to Windows Server 2008 R2 Enterprise."
Should the actual exam mention to upgrade to the Enterprise edition for answer B, I'd go for that. In this VCE it doesn't seem to make sense to go for B as it shouldn't work, I think. Certificate Enrollment Policy Web Service role of answer C was introduced in Windows Server 2008 R2, so that would not be an option on the mentioned Windows Server 2008 machine.
Trusted Platform Module is "a secure cryptographic integrated circuit (IC), provides a hardware-based approach to manage user authentication, network access, data protection and more that takes security to higher level than software-based security." (http://www.trustedcomputinggroup.org/resources/how_to_use_the_tpm_a_guide_to_hardwarebased_endpoint_security/)
Pfff… I'm bothered that answer B speaks of the Standard edition, and not the Enterprise edition. Hope the VCE is wrong.
Question No: 237 – (Topic 3)
Your company has a main office and a branch office. The branch office has an Active Directory site that contains a read-only domain controller (RODC).
A user from the branch office reports that his account is locked out.
From a writable domain controller in the main office, you discover that the user's account is not locked out. You need to ensure that the user can log on to the domain.
What should you do?
A. Modify the Password Replication Policy.
B. Reset the password of the user account.
C. Run the Knowledge Consistency Checker (KCC) on the RODC.
D. Restore network communication between the branch office and the main office.
Answer: D Explanation: Not sure if:
C. Run the Knowledge Consistency Checker (KCC) on the RODC, or
D. Restore network communication between the branch office and the main office.
Question No: 238 – (Topic 3)
You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named Server1.
You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS.
Which inbound TCP port should you allow on Server1?
A. 88 B. 135 C. 443 D. 445
Question No: 239 – (Topic 3)
Your network contains a single Active Directory domain. The functional level of the forest is Windows Server 2008. The functional level of the domain is Windows Server 2008 R2. All DNS servers run Windows Server 2008. All domain controllers run Windows Server 2008 R2.
You need to ensure that you can enable the Active Directory Recycle Bin. What should you do?
A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Modify the Active Directory schema.
D. Modify the Universal Group Membership Caching settings.
http://technet.microsoft.com/en-us/library/dd392261.aspx Active Directory Recycle Bin Step-by-Step Guide
By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2, which in turn requires all forest domain controllers or all servers that host instances of AD LDS configuration sets to be running Windows Server 2008 R2.
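An added example, not from the guide, that checks the prerequisite the guide states (every domain controller in the forest on Windows Server 2008 R2), raises the forest functional level, and then enables the Recycle Bin. It assumes the ActiveDirectory module and Enterprise Admins membership; the cmdlets and feature name are the real ones. Enabling the feature cannot be undone.

```powershell
# Added example, not from the guide: prerequisites, forest level, and Recycle Bin enablement.
Import-Module ActiveDirectory
$forest = Get-ADForest
"Forest mode: $($forest.ForestMode)   root domain: $($forest.RootDomain)"

# Every DC in every domain must run Windows Server 2008 R2 (NT 6.1) or later,
# otherwise raising the forest functional level is refused.
$tooOld = foreach ($dom in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $dom |
        Where-Object { [version](($_.OperatingSystemVersion -split ' ')[0]) -lt [version]'6.1' }
}
if ($tooOld) {
    $tooOld | Select-Object HostName, Domain, OperatingSystem, OperatingSystemVersion | Format-Table -AutoSize
    throw 'Upgrade or demote the domain controllers listed above first.'
}

# The trap in the question: the domain level is already 2008 R2, but the Recycle Bin is a
# forest-level feature, so it is the forest functional level that has to be raised.
$preR2Levels = @('Windows2000Forest', 'Windows2003InterimForest', 'Windows2003Forest', 'Windows2008Forest')
if ($preR2Levels -contains [string]$forest.ForestMode) {
    Set-ADForestMode -Identity $forest.RootDomain -ForestMode Windows2008R2Forest -Confirm:$false
}

# Irreversible: once enabled, the optional feature cannot be disabled again.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false

# Verify: EnabledScopes lists the partitions the feature is now active on.
Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"' | Select-Object Name, EnabledScopes
```

The version comparison is done on OperatingSystemVersion rather than on the OperatingSystem name string so that the check still behaves sensibly when a forest also contains domain controllers newer than 2008 R2.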
Question No: 240 – (Topic 3)
Your network contains an Active Directory forest.
You set the Windows PowerShell execution policy to allow unsigned scripts on a domain controller in the network.
You create a Windows PowerShell script named new-users.ps1 that contains the following lines:
On the domain controller, you double-click the script and the script runs. You discover that the script fails to create the user accounts.
You need to ensure that the script creates the user accounts. Which cmdlet should you add to the script?
Answer: A Explanation:
PowerShell: Creating new users from CSV with password and enabled accounts or How to Pipe into multiple cmdlets
# column headers in the CSV must be New-ADUser parameter names (Name, SamAccountName, GivenName, ...)
import-csv e:\users\newusers.csv |
New-ADUser -path "ou=test1,dc=contoso,dc=com" -passthru |
ForEach-Object {
    # -PassThru hands each newly created (still disabled) user object down the pipeline
    # single quotes: in a double-quoted string PowerShell would expand $$; -Force is required with -AsPlainText
    $_ | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force)
    $_ | Enable-ADAccount
}