Windows Server 2008 Active Directory, Configuring
Question No: 361 – (Topic 4)
Your network contains an Active Directory forest named contoso.com. The forest contains four computers. The computers are configured as shown in the following table.
An administrator creates a script that contains the following commands:
You need to identify which computers can successfully run all of the commands in the script.
Which two computers should you identify? (Each correct answer presents part of the solution. Choose two.)
Answer: C,D Explanation:
Original answer was B, D ("Server1", "Server2").
According to Technet the "Auditpol /resourceSACL" command applies only to Windows 7 and Windows Server 2008 R2 (and I suppose Windows 8 and Windows Server 2012), so the answer should be Computer2 and Server2.
Applies only to Windows 7 and Windows Server 2008 R2.
Question No: 362 – (Topic 4)
You have a DNS zone that is stored in a custom application partition.
You need to add a domain controller to the replication scope of the custom application partition.
Which tool should you use?
After you create a Domain Name System (DNS) application directory partition to store a zone, you must enlist the DNS server that hosts the zone in the application directory partition.
To enlist a DNS server in a DNS application directory partition
Open a command prompt.
Type the following command, and then press ENTER: dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>
Question No: 363 – (Topic 4)
Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2.
The DNS zone for contoso.com is Active Directory-integrated.
You deploy a read-only domain controller (RODC) named RODC1. You install the DNS Server server role on RODC1.
You discover that RODC1 does not have any DNS application directory partitions.
You need to ensure that RODC1 has a copy of the DNS application directory partition of contoso.com.
What should you do? (Each correct answer presents a complete solution. Choose two.)
From DNS Manager, right-click RODC1 and click Create Default Application Directory Partitions.
Run ntdsutil.exe. From the Partition Management context, run the create nc command.
Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.
Run ntdsutil.exe. From the Partition Management context, run the add nc replica command.
Run dnscmd.exe and specify the /enlistdirectorypartition parameter.
RODC Post-Installation Configuration
If you install DNS server after the AD DS installation, you must also enlist the RODC in the DNS application directory partitions. The RODC is not enlisted automatically in the DNS application directory partitions by design because it is a privileged operation. If the RODC were allowed to enlist itself, it would have permissions to add or remove other DNS servers that are enlisted in the application directory partitions.
To enlist a DNS server in a DNS application directory partition
Open an elevated command prompt.
At the command prompt, type the following command, and then press ENTER: dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>
For example, to enlist RODC01 in the domain-wide DNS application directory partition in a domain named child.contoso.com, type the following command:
dnscmd RODC01 /EnlistDirectoryPartition DomainDNSZones.child.contoso.com
You might encounter the following error when you run this command: Command failed: ERROR_DS_COULDNT_CONTACT_FSMO 8367 0x20AF
If this error appears, use NTDSUTIL to add the RODC for the partition to be replicated:
Connect to a writeable domain controller (not an RODC): connect to server
To enlist this server in the replication scope for this zone, run the following command: add NC Replica DC=DomainDNSZones,DC=Child,DC=Contoso,DC=Com <rodc Server>.Child.
Please check, but I think this should be A and C and not A and D. I have changed it to A and C.
Reason: Once the application directory partition is created, contoso.com should replicate to it.
Dnscmd /enlistdirectorypartition — Adds the DNS server to the specified directory partition's replica set.
Dnscmd /createbuiltindirectorypartitions Creates a DNS application directory partition. When DNS is installed, an application directory partition for the service is created at the forest and domain levels. Use this command to create DNS application directory partitions that were deleted or never created. With no parameter, this command creates a built-in DNS directory partition for the domain.
To create the default DNS application directory partitions using the Windows interface
In the console tree, right-click the applicable DNS server (DNS/applicable DNS server).
Click Create Default Application Directory Partitions.
Follow the instructions to create the DNS application directory partitions.
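As an added example (not from the page or from TechNet), the enlistment procedure above and its ntdsutil fallback as one PowerShell script, with a verification step at the end; the names RODC01, DC01 and child.contoso.com are assumed:

```powershell
# Added example, not the page's own text. Assumed names: RODC01 (the RODC),
# DC01 (a writable DC) and the domain child.contoso.com. Run as a domain admin.
$Rodc       = 'RODC01'
$RodcFqdn   = "$Rodc.child.contoso.com"
$WritableDc = 'DC01'
$DomainDn   = 'DC=child,DC=contoso,DC=com'
$PartFqdn   = 'DomainDnsZones.child.contoso.com'
$PartDn     = "DC=DomainDnsZones,$DomainDn"

# Step 1: the documented dnscmd enlistment.
$out = & dnscmd.exe $Rodc /EnlistDirectoryPartition $PartFqdn 2>&1 | Out-String
if ($LASTEXITCODE -eq 0 -and $out -notmatch 'Command failed') {
    Write-Host "Enlisted $Rodc in $PartFqdn via dnscmd."
}
elseif ($out -match 'ERROR_DS_COULDNT_CONTACT_FSMO') {
    # Step 2: the fallback described above. The replica is added from a writable DC,
    # which is why the RODC never needs rights to modify the partition's replica set.
    Write-Host "dnscmd could not contact the FSMO; adding the replica with ntdsutil."
    & ntdsutil.exe 'partition management' 'connections' "connect to server $WritableDc" 'quit' `
        "add nc replica $PartDn $RodcFqdn" 'quit' 'quit'
}
else {
    throw "dnscmd failed unexpectedly:`n$out"
}

# Step 3: verify. /EnumDirectoryPartitions lists each partition with an
# "Enlisted" or "Not-Enlisted" flag; the regex only accepts the former.
$enum = & dnscmd.exe $Rodc /EnumDirectoryPartitions 2>&1 | Out-String
if ($enum -match "$([regex]::Escape($PartFqdn))\s+Enlisted") {
    Write-Host "$Rodc is enlisted in $PartFqdn."
} else {
    Write-Warning "$Rodc is still not enlisted; re-check after the next replication cycle."
}
```

After the ntdsutil path, the enlistment only becomes visible on the RODC once the partition has replicated to it, so the verification step may need to be repeated.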
Question No: 364 – (Topic 4)
Your network contains an Active Directory domain. You have five organizational units (OUs) named Finance, HR, Marketing, Sales, and Dev. You link a Group Policy object named GPO1 to the domain as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs.
The solution must prevent GPO1 from being applied to users in the Dev OU. What should you do?
Modify the security settings of the Dev OU.
Link GPO1 to the Finance OU.
Modify the security settings of the Finance OU.
Answer: C Explanation:
The OUs that are indicated by a blue exclamation mark in the console tree have blocked inheritance. This means that GPO1 will not be applied to those OUs. For the Dev OU that's ok, but not for the Finance OU. So we have to link GPO1 to the Finance OU.
You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level.
If a domain or OU is set to block inheritance, it will appear with a blue exclamation mark in the console tree.
Question No: 365 – (Topic 4)
Your network contains three servers named ADFS1, ADFS2, and ADFS3 that run Windows Server 2008 R2. ADFS1 has the Active Directory Federation Services (AD FS) Federation Service role service installed.
You plan to deploy AD FS 2.0 on ADFS2 and ADFS3.
You need to export the token-signing certificate from ADFS1, and then import the certificate to ADFS2 and ADFS3.
In which format should you export the certificate?
Personal Information Exchange PKCS #12 (.pfx)
DER encoded binary X.509 (.cer)
Cryptographic Message Syntax Standard PKCS #7 (.p7b)
Base-64 encoded X.509 (.cer)
Answer: A Explanation:
Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0
If the AD FS 1.x Federation Service has a token-signing certificate that was issued by a trusted certification authority (CA) and you want to reuse it, you will have to export it from AD FS 1.x.
[The site also provides a link to instructions on how to export the token-signing certificate. That link points to the site mentioned in reference 2.]
Export the private key portion of a token-signing certificate
To export the private key of a token-signing certificate
->Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
->Right-click Federation Service, and then click Properties.
->On the General tab, click View.
->In the Certificate dialog box, click the Details tab.
->On the Details tab, click Copy to File.
->On the Welcome to the Certificate Export Wizard page, click Next.
->On the Export Private Key page, select Yes, export the private key, and then click Next.
->On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX), and then click Next.
Question No: 366 – (Topic 4)
Your network contains a domain controller that runs Windows Server 2008 R2. You run the following command on the domain controller:
dsamain.exe -dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit -ldapport 389 -allowNonAdminAccess
The command fails.
You need to ensure that the command completes successfully. How should you modify the command?
Change the value of the -dbpath parameter.
Include the path to Dsamain.
Change the value of the -ldapport parameter.
Remove the -allowNonAdminAccess parameter.
MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 690
Use the AD DS database mounting tool to load the snapshot as an LDAP server:
dsamain -dbpath c:\$SNAP_datetime_VOLUMEC$\windows\ntds\ntds.dit -ldapport portnumber
Be sure to use ALL CAPS for the -dbpath value and use any number beyond 40,000 for the -ldapport value to ensure that you do not conflict with AD DS.
Also note that you can use the minus (-) sign or the slash (/) for the options in the command.
Question No: 367 – (Topic 4)
Your network contains an Active Directory forest named contoso.com.
You plan to migrate all user accounts to a new forest named litwareinc.com.
The functional level of the contoso.com forest is Windows Server 2003. Contoso.com contains four servers.
The servers are configured as shown in the following table.
The functional level of the litwareinc.com forest is Windows Server 2008. Litwareinc.com contains four servers.
The servers are configured as shown in the following table.
You need to identify on which server in the litwareinc.com forest you must install Active Directory Migration Tool version 3.2 (ADMT v3.2).
Which server should you identify?
Prerequisites for installing ADMT v3.2
Although you can use ADMT v3.2 to migrate accounts and resources from Active Directory environments that have a domain functional level of Windows Server 2003 or later, you can install ADMT v3.2 only on a server running Windows Server 2008 R2.
In addition to running Windows Server 2008 R2, the server computer that you use to install ADMT v3.2 must not be installed under the Server Core installation option or be running as a read-only domain controller (RODC).
Question No: 368 – (Topic 4)
Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
You attempt to create a new child domain and you receive the following error message: "An LDAP read of operational attributes failed."
You need to ensure that you can add a new child domain to the forest. What should you do?
Move the PDC emulator role.
Move the RID master role.
Move the infrastructure master role.
Move the schema master role.
Move the domain naming master role.
Move the global catalog server.
Move the bridgehead server.
Install a read-only domain controller (RODC).
Deploy an additional global catalog server.
Restart the Active Directory Domain Services (AD DS) service.
Answer: E Explanation:
This message appears when the domain naming master is unavailable. It needs to be moved to another domain controller to resolve this.
http://technet.microsoft.com/en-us/library/bb727058.aspx
Troubleshooting Active Directory Installation Wizard Problems
Symptom or Error
An LDAP read of operational attributes failed.
Root Cause
The domain naming master for the forest is offline or cannot be contacted.
Solution
Make the current domain naming master accessible. If necessary, see "Seizing Operations Master Roles" in this guide.
Question No: 369 – (Topic 4)
Your network contains a server that has the Active Directory Lightweight Directory Services (AD LDS) role installed.
You need to perform an automated installation of an AD LDS instance. Which tool should you use?
http://technet.microsoft.com/en-us/library/cc816774.aspx
To perform an unattended install of an AD LDS instance
Create a new text file by using any text editor.
Specify the installation parameters.
At a command prompt (or in a batch or script file), change to the drive and directory that contains the AD LDS setup files.
At the command prompt, type the following command, and then press ENTER:
Question No: 370 – (Topic 4)
Your network contains an Active Directory domain named adatum.com. The functional level of the domain is Windows Server 2003. All domain controllers run Windows Server 2008 R2.
You mount an Active Directory snapshot.
You need to ensure that you can connect to the snapshot by using LDAP.
What should you do?
Run the Get-ADDomain cmdlet.
Run the dsget.exe command.
Run the ntdsutil.exe command.
Run the ocsetup.exe command.
Run the dsamain.exe command.
Run the eventcreate.exe command.
Create a Data Collector Set (DCS).
Create custom views from Event Viewer.
Configure subscriptions from Event Viewer.
Import the Active Directory module for Windows PowerShell.
The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain.
Requirements for using the Active Directory database mounting tool
You do not need any additional software to use the Active Directory database mounting tool. All the tools that are required to use this feature are built into Windows Server 2008 and are available if you have the AD DS or the AD LDS server role installed. These tools include the following: (…)
Dsamain.exe, which you can use to expose the snapshot data as an LDAP server
Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers
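As an added example that serves both question 366 (port choice and -dbpath form) and question 370 (reaching the snapshot over LDAP), and is not from the page or the training kit: expose an already-mounted snapshot with dsamain on a port above 40,000, then compare one user's attributes between the live directory and the snapshot, which is the recovery use case the text describes. The snapshot path is the one from question 366; DC01, adatum.com, jdoe and port 51389 are assumptions.

```powershell
# Added example, not from the page. Assumes the snapshot is already mounted at
# $SnapRoot, the script runs as a domain admin on the DC, and the names below.
$SnapRoot = 'C:\$SNAP_201006170326_VOLUMEC$'           # single quotes keep the $ literal
$DbPath   = ($SnapRoot + '\Windows\NTDS\ntds.dit').ToUpper()   # ALL CAPS, as the kit advises
$Port     = 51389                                      # above 40,000: cannot collide with AD DS on 389
$LiveDc   = 'DC01'; $DomainDn = 'DC=adatum,DC=com'; $Sam = 'jdoe'
$Attrs    = 'description', 'mail', 'memberOf'

# Expose the snapshot as a read-only LDAP server. -allowNonAdminAccess is not
# needed here because the caller is an administrator.
$dsamain = Start-Process dsamain.exe -ArgumentList "-dbpath `"$DbPath`" -ldapport $Port" -PassThru
Start-Sleep -Seconds 5                                  # give dsamain time to start listening

function Get-UserAttrs([string]$LdapRoot) {
    # Read the selected attributes of one user from the given LDAP root.
    $root     = New-Object System.DirectoryServices.DirectoryEntry($LdapRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(sAMAccountName=$Sam)", [string[]]$Attrs)
    $result   = $searcher.FindOne()
    if (-not $result) { throw "$Sam not found under $LdapRoot" }
    $values = @{}
    # Multi-valued attributes (memberOf) are sorted and joined so they compare as strings.
    foreach ($a in $Attrs) { $values[$a] = (@($result.Properties[$a]) | Sort-Object) -join '; ' }
    return $values
}

try {
    $live = Get-UserAttrs "LDAP://$LiveDc/$DomainDn"
    $snap = Get-UserAttrs "LDAP://localhost:$Port/$DomainDn"
    foreach ($a in $Attrs) {
        if ($live[$a] -ne $snap[$a]) {
            Write-Host "$a changed since the snapshot:`n  snapshot: $($snap[$a])`n  live:     $($live[$a])"
        } else {
            Write-Host "$a unchanged"
        }
    }
}
finally {
    Stop-Process -Id $dsamain.Id -Force                 # stop dsamain before unmounting the snapshot
}
```

Unmount the snapshot with ntdsutil once dsamain has stopped; the comparison shows what a restore from that snapshot would revert without touching the live database.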