straight_evil - 426q ( )


Number:
Passing Score: 700
Time Limit: 170 min
File Version:

Exam TS: Upgrading from Windows Server 2003 MCSA to Windows Server 2008, Technology Specializations

Brought to you by v straight_evil

About This Exam

Q. What is the exam?
A. Exam is an upgrade exam that is a composite of two stand-alone exams: and Exam validates skills related to the core technology features and functionality of Windows Server 2008 based on the existing knowledge set of a Microsoft Certified Systems Administrator (MCSA) on Windows Server

Q. What are the prerequisites for the exam?
A. The MCSA on Windows Server 2003 certification is a prerequisite for this exam.

Q. What credit does the exam provide?
A. Passing the Exam earns you the MCTS certifications that count as credit toward the following Professional Series certifications:
MCITP: Server Administrator
MCITP: Enterprise Administrator

Q. What certificate does it provide?
A. Passing the Exam fulfills the requirements for the following certifications:
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure Configuration

Q. How many questions are asked in the test?
A. You will be required to attempt 32 questions in each of 2 sections, for a total of approximately 64 questions.

Q. What is the duration of the test?
A. Users are required to attempt all questions in 170 minutes.

Q. Which type of test is it? (Adaptive/Linear)
A. This test consists of Multiple Choice, Hot Area, Drag and Drop, Build List and Reorder, and Build a Tree questions. The test can be adaptive, and simulation questions might be asked. There are no case study type questions.

Q. What is the passing score?
A. You need a score of 700 out of 1000 to pass the exam. Each section is scored separately, and your final score is the lowest score of the 2 sections. This means every question is weighted very heavily!

Q. What is the test retake policy?
A. If you do not pass the test the first time, you may retake it at any time. If you do not achieve a passing score the second time, you must wait at least 14 days to retake the test a third time. A 14-day waiting period will be imposed for all subsequent exam retakes. If you have passed an exam, you cannot take it again.

Q. Is the exam right for me?
A. If you currently hold an MCSA on Windows Server 2003 certification and work in a complex computing environment of mid-sized to large companies, this exam is intended for you.

Q. Where can I take the test?
A. Microsoft exams can be taken at Prometric testing facilities.

Change Log

This dump is derived from Microsoft.Pass4Sures v by.kazi.491q.vce with the following enhancements:

Modified exam properties (passing score / time limit) to reflect actual test parameters.

Added the wonderful exam description you are presented with as well.

Organized questions into multiple exams, based on their relevant sections, so they better reflect the Microsoft objectives.

Created exams for questions not immediately relevant to Microsoft objectives. The "Same Choices" exam allows you to practice the sets of questions that come up with the same dozen answers for each of 5 questions in a row. I was not prepared for these the first time I took the exam and failed, since I was certain 'ntdsutil' was the answer to everything :) The "Out-of-Scope" exam allows you to practice (or, more importantly, not practice!) questions out of the primary exam scope, but that can still be asked because they come from the original /

I updated questions to more accurately reflect the "Skills Measured" by the exam. This involved the following edits:
1) Removed all duplicate questions I could find.
2) Removed many questions for topics like DNS/WINS, file/print services, FSMO roles, forests and trusts, GPOs - things likely to be asked only of 1st timers on the / I consider these "Out-of-scope", and only kept questions here if they were related to new features in In my experience, this type of material does show up on the exam, but makes up 1 or 2 questions out of the 64 you'll get, so you will not fail if you skip these.
3) Imported other questions from and dumps that seemed relevant or involved new features in Server I also imported a few that showed up on my exams. This included many more "Exhibit" or "Select/Place" questions where possible, for a more accurate exam feel :)

Cleaned up spelling, paragraph format, spacing, hyphens and other formatting issues. Also helped make commands distinguishable from their surrounding text so questions were more readable. No, I did not use Microsoft's official formatting (bolding a command); I used a format I thought was easiest to read :)

Converted all questions with an "Exhibit" into the proper format in VCE, so the Exhibit button can be clicked and the image examined in a separate window. This makes the question easier to read, and provides a more accurate exam experience. Previously, the images were simply pasted below the question.

Converted all "Select/Place" and "Hot Area" questions into the corresponding VCE question type, so they could actually be answered and count towards your score. Previously, only snapshots were available of the right answers, but the questions were multiple-choice with no correct answer specified. In VCE this is the same as missing the question!!!

Made sure all questions provided an answer, except for Out-of-Scope questions (it's a time consuming process and these questions only rarely come up!).

I tried to make sure answers for all questions were more thorough, but to-the-point (not Copy/Paste half an article from Technet). This includes not only saying why certain answers are right, but pointing out why others are wrong. I also referenced explanations as best as possible with relevant MS links. In my experience, being able to study this kind of stuff makes it much easier to remember the right answers - because you will be able to learn what all these other weird / obscure commands are that pop up in the multiple choices!

Reviewed all questions for accuracy of answers and fixed all wrong answers. Many were already corrected in other dumps but not in the one I borrowed from. It was amazing how many wrong answers were there, too - enough to make a difference in my pass/fail when I took the exam. I failed using many of the "wrong" answers, but passed the next week after correcting them and re-learning the material.

In summary, it looks like I went to very much trouble over an almost expired exam. But consider my efforts a "proof-of-concept" - this VCE file is an example of what VCE files can look like, if people spend a little more time with them and a little less time doing...well, whatever it is that distracts people from checking answers and providing more detailed information! I would love to see other VCEs be equally helpful and hope, as I write more, that others will be inspired. At the very least, my answers for questions should be helpful to / dumps for another year!

Sections
Configuring Additional Active Directory Server Roles
Maintaining the Active Directory Environment
Configuring Active Directory Certificate Services
Configuring IP Addressing and Services
Configuring Network Access
Monitoring and Managing a Network Infrastructure
Configuring Domain Name System (DNS) for Active Directory
Configuring the Active Directory Infrastructure
Creating and Maintaining Active Directory Objects
Configuring Name Resolution
Configuring File and Print Services

Active Directory, Configuring

QUESTION 1
A server named DC1 has the Active Directory Domain Services (AD DS) role and the Active Directory Lightweight Directory Services (AD LDS) role installed. An AD LDS instance named LDS1 stores its data on the C: drive. You need to relocate the LDS1 instance to the D: drive. Which three actions should you perform in sequence? (To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.)
Select and Place:
Correct Answer:
Section: Configuring Additional Active Directory Server Roles
Explanation/Reference:
To relocate an AD LDS directory partition, use the NTDSUTIL tool. Take the following steps:
1. Stop the LDS instance by using the net stop command. (MY NOTE: The LDS instance runs as a service named after the instance, similar to SQL Server.)
2. Move the database file through the NTDSUTIL tool.
3. Start the directory service using the net start command.
Reference:

QUESTION 2
You need to perform an offline defragmentation of an Active Directory database. Which four actions should you perform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer area and arrange them in the correct order.)
Select and Place:
Correct Answer:
Section: Maintaining the Active Directory Environment
Explanation/Reference:
To perform offline defragmentation of the directory database:
(...)
3. At the command prompt, type the following command, and then press ENTER: net stop ntds
4. At the command prompt, type ntdsutil, and then press ENTER.
5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
6. At the ntdsutil prompt, type files, and then press ENTER.
(...)
9. If defragmentation succeeds with no errors, follow the Ntdsutil.exe on-screen instructions to:
(...)
c. Manually copy the compacted database file to the original location, as follows: copy <temporarydrive>:\ntds.dit <originaldrive>:\<pathtooriginaldatabasefile>\ntds.dit
(...)
14. Restart AD DS. At the command prompt, type the following command, and then press ENTER: net start ntds
Reference:

QUESTION 3
Your network contains an Active Directory domain. You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA). You have a client computer named Computer1 that runs Windows 7. You enable automatic certificate enrollment for all client computers that run Windows 7. You need to verify that the Windows 7 client computers can automatically enroll for certificates. Which command should you run on Computer1?
A. certreq.exe -retrieve
B. certreq.exe -submit
C. certutil.exe -getkey
D. certutil.exe -pulse
Correct Answer: D
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
certutil.exe -pulse is used to check on the status ("pulse") of autoenrollment events. certutil.exe -getkey is used to retrieve or recover archived keys. certreq.exe -retrieve is used to retrieve responses from requests made to a CA. certreq.exe -submit is used to submit a certificate request to a CA.
References: (Command-Line reference for certutil) (Command-Line reference for certreq)

QUESTION 4
Your network contains an Active Directory forest named adatum.com. All domain controllers currently run Windows Server 2003 Service Pack 2 (SP2). The functional level of the forest and the domain is Windows Server You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2. What should you do first?
A. Run adprep.exe
B. Raise the functional level of the domain to Windows Server 2008.
C. Raise the functional level of the forest to Windows Server
D. Deploy a writable domain controller that runs Windows Server 2008 R2.
Correct Answer: A
Section: Configuring Additional Active Directory Server Roles
Explanation/Reference:
One of the first steps in preparing for an RODC is to prepare the AD schema to handle the extensions and attributes necessary. RODC functionality works with Server 2003 forest and domain levels, so we do not need to raise them. For the same reason, we also do not need a writable Server 2008 R2 domain controller (it is not a requirement). To deploy an RODC, complete the following high-level tasks:
Ensure that the forest functional level is Windows Server 2003 or higher. (MY NOTE: In this scenario it obviously is.)
Run adprep /rodcprep. You do not have to perform this step if you are creating a new forest that will have only domain controllers running Windows Server (MY NOTE: We are only adding one Server 2008 DC, so we can presume we still have Server 2003 DCs.)
(...)
Reference:

QUESTION 5
Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1. An administrator changes the password of the user account that is used by AD RMS. You need to update AD RMS to use the new password. Which console should you use?
A. Active Directory Rights Management Services
B. Local Users and Groups
C. Services
D. Active Directory Users and Computers
Correct Answer: A
Section: Configuring Additional Active Directory Server Roles
Explanation/Reference:
The Active Directory Rights Management Services management console provides a wizard to change or update the AD RMS service account. The most common use for this process is to update the service account password when it has been changed. It is important to use this process to update or change the AD RMS service account. This ensures the necessary components are updated properly.
Reference:

The AD RMS service account is a domain account, but does not appear to be something to change in ADUC. The AD RMS service account gets added to a local group on the RMS server, but the account itself clearly resides there. The service account for AD RMS on the local service could possibly be changed from the Services console, but this provides no functionality for changing the password.

QUESTION 6
Your network contains two Active Directory forests named contoso.com and adatum.com. The functional level of both forests is Windows Server 2008 R2. Each forest contains one domain. Active Directory Certificate Services (AD CS) is configured in the contoso.com forest to allow users from both forests to automatically enroll user certificates. You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.com certification authority (CA). What should you configure in the adatum.com domain?
A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.
B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.
C. From the Default Domain Policy, modify the Certificate Enrollment policy.
D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.
Correct Answer: C
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
The question says you must ensure users have a certificate from the CA, so the Default Domain Policy is what needs editing, as it will affect all users. The Default Domain Controllers Policy would allow you to change settings on domain controllers only and would not affect all users or machines. The Certificate Enrollment policy option, as the name indicates, lets you configure enrollment options to control how/where users get their certificates. The Trusted Root Certification Authority policy would let you control the enterprise list of Trusted Root CAs. Since AD CS is configured to allow users from both forests to automatically enroll, it is likely that both CAs are already trusted.

QUESTION 7
You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) role services installed:
Enterprise Root Certification Authority (CA)
Certificate Enrollment Web Service
Certificate Enrollment Policy Web Service
You create a new certificate template. External users report that the new template is unavailable when they request a new certificate. You verify that all other templates are available to the external users. You need to ensure that the external users can request certificates by using the new template. What should you do on Server1?
A. Run iisreset.exe /restart.
B. Run gpupdate.exe /force.
C. Run certutil.exe dspublish.
D. Restart the Active Directory Certificate Services service.
Correct Answer: A
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
All other templates are available to the users, so the certificate services are working correctly. The website is simply not aware of the new certificates available in the store, so IIS must be reset so that the list is updated. certutil.exe dspublish will publish a certificate to AD, but this will already take place when the new certificate is issued since we are using an Enterprise Root.
Reference:
Restarting the AD CS service is likely not needed since all other aspects of certificate management are functioning as expected. gpupdate.exe /force will force a group policy update on the client it is run from, but group policy is not at issue in this question.

QUESTION 8
Your network contains an enterprise root certification authority (CA). You need to ensure that a certificate issued by the CA is valid.
A. Run syskey.exe and use the Update option.
B. Run sigverif.exe and use the Advanced option.
C. Run certutil.exe and specify the -verify parameter.
D. Run certreq.exe and specify the -retrieve parameter.
Correct Answer: C
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
certutil.exe -verify is used to verify a certificate or CRL.
Reference:
certreq.exe is used to submit or manage certificate requests. The -retrieve option will retrieve a specific certificate from the CA. syskey.exe is used to enable strong encryption on the security accounts (SAM) database. sigverif.exe is used to find unsigned hardware drivers.

QUESTION 9
You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates. Users are required to log on to the domain by using a smart card. Your company's corporate security policy states that when an employee resigns, his ability to log on to the network must be immediately revoked. An employee resigns. You need to immediately prevent the employee from logging on to the domain.
A. Revoke the employee's smart card certificate.
B. Disable the employee's Active Directory account.
C. Publish a new delta certificate revocation list (CRL).
D. Reset the password for the employee's Active Directory account.
Correct Answer: B
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
Only disabling the AD account will prevent logon to the domain. Resetting the password will prevent the user from logging on with the password he had been using, but if he could guess the password he would still be able to log on. Revoking the smart card certificate will not prevent the user from using his smart card to log on. This is also why publishing a new delta CRL will not work.

QUESTION 10
Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterprise root certification authority (CA). You have a Web site that uses X.509 certificates for authentication. The Web site is configured to use a many-to-one mapping. You revoke a certificate issued to an external partner. You need to prevent the external partner from accessing the Web site.
A. Run certutil.exe -crl.
B. Run certutil.exe -delkey.
C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.

D. From Active Directory Users and Computers, modify the Contact object for the external partner.
Correct Answer: A
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
certutil.exe -crl will publish a new CRL so that the web server knows the user's certificate is no longer valid. -delkey is not a valid parameter of certutil.exe, nor would the certificate need to be deleted. The equivalent of this was accomplished when you revoked the certificate. However, the website is still not aware of this revocation until the next CRL is published. Removing the user from the IIS_IUSRS group will restrict their access to the website files, but they will still likely have a minimum of read access to the site. Modifying contact information for the partner in no way restricts their access to the system.

QUESTION 11
You have an Active Directory domain that runs Windows Server 2008 R2. You need to implement a certification authority (CA) server that meets the following requirements:
Allows the certification authority to automatically issue certificates
Integrates with Active Directory Domain Services
A. Purchase a certificate from a third-party certification authority. Import the certificate into the computer store of the schema master.
B. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA.
C. Purchase a certificate from a third-party certification authority. Install and configure the Active Directory Certificate Services server role as a Standalone Subordinate CA.
D. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA.
Correct Answer: D
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
Both of these features are only available with an Enterprise CA. Standalone CAs do not integrate with Active Directory and do not allow automatic handling of certificate requests. Importing a third-party certificate into the schema master will only allow it to verify secure requests made to it, but will not allow it to function as a CA.

QUESTION 12
Your company has an Active Directory forest. You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server. When you attempt to add the Active Directory Certificate Services (AD CS) server role, you find that the Enterprise CA option is not available. You need to install the AD CS server role as an Enterprise CA. What should you do first?
A. Add the DNS Server server role.
B. Join the server to the domain.
C. Add the Web Server (IIS) server role and the AD CS server role.
D. Add the Active Directory Lightweight Directory Services (AD LDS) server role.
Correct Answer: B
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
The question specifies it is a stand-alone server, meaning it is not part of the Active Directory domain. Enterprise CAs integrate with Active Directory, so the server must first be a member of the domain before it can serve as an Enterprise CA. The other server roles can be used in conjunction with certificate services, but are not requirements for establishing certificate services.

QUESTION 13
You have a Windows Server 2008 R2 server that has the Active Directory Certificate Services server role installed. You need to minimize the amount of time it takes for client computers to download a certificate revocation list (CRL).
A. Install and configure an Online Responder.
B. Install and configure an additional domain controller.
C. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations.
D. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client workstations.
Correct Answer: A
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
Online Responders are specifically designed to lighten the load of CRL transfers by only working with changes since the last CRL, rather than transferring the entire CRL. Domain controllers do not handle certificate requests. Updating the list of Trusted Root CAs will only ensure certain servers are trusted to handle CRLs, but will not lighten the traffic load of CRL downloads.

QUESTION 14
You have a Windows Server 2008 R2 Enterprise Root CA. Security policy prevents port 443 and port 80 from being opened on domain controllers and on the issuing CA. You need to allow users to request certificates from a Web interface. You install the Active Directory Certificate Services (AD CS) server role. What should you do next?

A. Configure the Online Responder role service on a member server.
B. Configure the Online Responder role service on a domain controller.
C. Configure the Certificate Enrollment Web Service role service on a member server.
D. Configure the Certificate Enrollment Web Service role service on a domain controller.
Correct Answer: C
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
The Certificate Enrollment Web Service role provides a web interface (ports 443/80) for requesting certificates from a CA. The question indicates that company security policy does not allow ports 443/80 to be open on a domain controller, so the role service would need to be installed on a member server to satisfy this requirement. The Online Responder role service helps reduce the traffic involved with CRL updates. It does not provide web access to certificate services.

QUESTION 15
Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD CS) is configured as a standalone Certification Authority (CA) on the server. You need to audit changes to the CA configuration settings and the CA security settings. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure auditing in the Certification Authority snap-in.
B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%\CertSrv directory.
C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.
D. Enable the Audit Object Access setting in the Local Security Policy for the Active Directory Certificate Services (AD CS) server.
Correct Answer: AD
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
In order to audit changes to CA settings you must enable Audit Object Access on the CA itself. Like with other auditing procedures, however, this alone will not perform the audit; it only allows audits to take place on the server. In order for auditing to start, you must configure auditing on the CA using the Certification Authority snap-in. The CertLog and CertSrv directories contain the log and application files, respectively, associated with certificate services. Auditing access to these files will not allow you to be aware of specific configuration and security settings that are changed.

QUESTION 16
Your company has an Active Directory domain. You install an Enterprise Root certification authority (CA) on a member server named Server1. You need to ensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1.
A. Remove the Request Certificates permission from the Domain Users group.
B. Remove the Request Certificates permission from the Authenticated Users group.
C. Assign the Allow - Manage CA permission to only the Security Manager user account.
D. Assign the Allow - Issue and Manage Certificates permission to only the Security Manager user account.
Correct Answer: D
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
The Allow - Issue and Manage Certificates permission is the only one that will allow a user to issue, approve or revoke certificates. The Allow - Manage CA permission will grant the user the ability to configure CA settings, but not to handle certificate requests. The Request Certificates permission is not required or used for revoking certificates.

QUESTION 17
You have a Windows Server 2008 R2 Enterprise Root certification authority (CA). You need to grant members of the Account Operators group the ability to only manage Basic EFS certificates. You grant the Account Operators group the Issue and Manage Certificates permission on the CA. Which three tasks should you perform next? (Each correct answer presents part of the solution. Choose three.)
A. Enable the Restrict Enrollment Agents option on the CA.
B. Enable the Restrict Certificate Managers option on the CA.
C. Add the Basic EFS certificate template for the Account Operators group.
D. Grant the Account Operators group the Manage CA permission on the CA.
E. Remove all unnecessary certificate templates that are assigned to the Account Operators group.
Correct Answer: BCE
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
To manage a specific certificate template, a group or user first needs the Issue and Manage permission (already assigned). This will allow them to manage all certificates assigned to them, so we must do the following to prevent Account Operators from being able to manage other certificates:
1. Assign the Basic EFS template to the group so they are able to manage it.
2. Remove all other templates assigned to Account Operators so they do not have access to other templates.
3. Restrict Certificate Managers to the Account Operators group so other users/groups are not able to manage certificates.
The question specifies that the Account Operators group must manage Basic EFS certificates. The ability to enroll in certificates is not required, so restricting the Enrollment Agents will not achieve the desired outcome.

The Manage CA permission will give the Account Operators group permission to configure CA settings but will not allow them to manage certificates.

QUESTION 18
You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an enterprise root certification authority (CA). You install the Online Responder role service on Server2. You need to configure Server1 to support the Online Responder.
A. Import the enterprise root CA certificate.
B. Configure the Certificate Revocation List Distribution Point extension.
C. Configure the Authority Information Access (AIA) extension.
D. Add the Server2 computer account to the CertPublishers group.
Correct Answer: C
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
The AIA extension informs the Online Responder where it can find up-to-date certificates in the enterprise. Importing the enterprise root CA certificate is needed when that CA needs to be added to a Trusted Root store (list of trusted CAs). As an Enterprise CA, Server1 would already be in the enterprise Trusted Root store. The CRL Distribution Point extension informs servers where the latest CRLs (revocation lists) can be located. Online Responders do not transfer the full CRL, only information about a particular certificate. Members of the CertPublishers group are allowed to publish certificates. An Online Responder does not need to publish certificates.

QUESTION 19
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runs an Enterprise Root certification authority (CA). You need to ensure that only Administrators can sign code. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Publish the Code Signing template.
B. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only Administrators to apply the policy.
C. Edit the local computer policy of the Enterprise Root CA to allow only Administrators to manage Trusted Publishers.
D. Modify the security settings on the template to allow only Administrators to request code signing certificates.
Correct Answer: AD
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
For someone to sign code, the Code Signing template must be published to the CA. The question also specifies that only administrators should be assigned this template. This means we must update the template's Security tab to remove other groups from being able to receive the template. Management of Trusted Publishers will allow the administrators to determine who can sign drivers, but will not provide them the certificate necessary to do so. Allowing Administrators the ability to apply a policy that enables Trust Peer Certificates will allow them to trust self-issued certificates, but not to sign them.

QUESTION 20
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA. The Enterprise Intermediate CA certificate expires. You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain.
A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.
B. Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server.
C. Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group policy object.
D. Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object.
Correct Answer: D
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
All computers must receive the certificate. This is only possible through the Default Domain policy. The Default Domain Controllers policy will only deploy the certificate to domain controllers. Importing the certificate to the Root CA or Intermediate CA will only deploy the certificate to that specific server, not to all computers in the enterprise.

QUESTION 21
Your company has an Active Directory domain. You plan to install the Active Directory Certificate Services (AD CS) server role on a member server that runs Windows Server 2008 R2. You need to ensure that members of the Account Operators group are able to issue smartcard credentials. They should not be able to revoke certificates. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Install the AD CS server role and configure it as an Enterprise Root CA.
B. Install the AD CS server role and configure it as a Standalone CA.
C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.
D. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.
E. Create a Smartcard logon certificate.
F. Create an Enrollment Agent certificate.
Correct Answer: ACE
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
The question specifies you have an AD domain, so you would want to configure AD CS as an Enterprise Root CA rather than Standalone. The use of smartcards in a domain requires the Smartcard logon certificate. You must ensure Account Operators can issue smartcards, meaning they must be able to enroll in Smartcard certificates. This is done by editing the Enrollment Agents for the certificate template. Restricting managers would allow the Account Operators to manage the template itself, including the ability to revoke certificates.

QUESTION 22
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certificate authority (CA). You need to ensure that revoked certificate information is highly available.
A. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.
B. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and Acceleration Server array.
C. Publish the Trusted Certificate Authorities list to the domain by using a Group Policy Object (GPO).
D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the domain.
Correct Answer: A
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
In order to ensure revoked certificate information is highly available, you should use Network Load Balancing. None of the other options ensure high availability of revocation lists.

QUESTION 23
Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offline Root CA and an online Issuing CA. The Enterprise Certification Authority is running Windows Server 2008 R2. You need to ensure users are able to enroll new certificates.
A. Renew the Certificate Revocation List (CRL) on the Root CA.
Copy the CRL to the CertEnroll folder on the Issuing CA. B. Renew the Certificate Revocation List (CRL) on the Issuing CA. Copy the CRL to the SystemCertificates folder in the users' profile. C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations. D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client workstations.

18 Correct Answer: A Section: Configuring Active Directory Certificate Services /Reference: : The Root CA is offline, so it will not be aware of any new certificates that have been issued since it was taken offline. This means we must renew/update the CRL on the Root CA. In these scenarios, this is done by copying the CRL to C:\windows\system32\certsrv\certenroll on the Issuing CA The Issuing CA is online and should not need a new CRL, nor will copying the CRL to SystemCertificates achieve this. The client workstations should not need updated Certification Authority lists as both servers would have been placed in the proper Certification Authority stores when they were configured. Reference: Quick-Guide-Part3.html QUESTION 24 You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an Enterprise Root certification authority (CA). You install the Online Responder role service on Server2. You need to configure Server2 to issue certificate revocation lists (CRLs) for the Enterprise Root CA. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.) A. Import the Enterprise Root CA certificate. B. Import the OCSP Response Signing certificate. C. Add the Server1 computer account to the CertPublishers group. D. Set the Startup Type of the Certificate Propagation service to Automatic. Correct Answer: AB Section: Configuring Active Directory Certificate Services /Reference: : Server2 is configured as an Online Responder, so it needs an OCSP Response Signing certificate to perform its duties (issuing modified CRLs on behalf of the Enterprise Root CA). Without the Enterprise Root CA server certificate, however, it will not be able to do this. The CertPublishers group determines who can publish certificates. An Online Responder does not publish certificates. The Certificate Propogation service on a machine is used to process smartcard logons for that machine. 
QUESTION 25
You have an Enterprise Root certification authority (CA) that runs Windows Server 2008 R2. You need to ensure that you can recover the private key of a certificate issued to a Web server.

A. From the CA, run the Get-PfxCertificate cmdlet.
B. From the Web server, run the Get-PfxCertificate cmdlet.
C. From the CA, run the certutil.exe tool and specify the -exportpfx parameter.
D. From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.

Correct Answer: D
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
certutil.exe -exportpfx exports a certificate or keys from a certificate store. We need to recover a certificate issued to the web server, so we must run this command on the web server itself; afterwards we would likely import the certificate to the CA. The Get-PfxCertificate cmdlet gets information about .pfx certificate files on a computer, but does not allow recovery or management of them.

QUESTION 26
You install a Standalone Root certification authority (CA) on a server named Server1. You need to ensure that every computer in the forest has a copy of the root CA certificate installed in the local computer's Trusted Root Certification Authorities store. Which command should you run on Server1?

A. certreq.exe and specify the -accept parameter
B. certreq.exe and specify the -retrieve parameter
C. certutil.exe and specify the -dspublish parameter
D. certutil.exe and specify the -importcert parameter

Correct Answer: C
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
certutil.exe -dspublish is used to publish a CRL to Active Directory. This is the only option that publishes a certificate, and it does so for the entire AD domain, which satisfies the requirement that every computer in the forest receives information about the certificate. certutil.exe -importcert is used to import a certificate or private key. certreq.exe -accept is used to accept a response to a request from a CA. certreq.exe -retrieve is used to retrieve a response to a request from a CA.

QUESTION 27
Your network contains an Active Directory forest. The forest contains two domains. You have a standalone root certification authority (CA). On a server in the child domain, you run the Add Roles Wizard and discover that the option to select an Enterprise CA is disabled. You need to install an Enterprise Subordinate CA on the server. What should you use to log on to the new server?

A. an account that is a member of the Certificate Publishers group in the child domain
B. an account that is a member of the Certificate Publishers group in the forest root domain
C. an account that is a member of the Schema Admins group in the forest root domain
D. an account that is a member of the Enterprise Admins group in the forest root domain

Correct Answer: D
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
One requirement for configuring Enterprise certificate services is that the user must be a member of Enterprise Admins in the domain. Schema Admins are allowed to modify the AD schema but not to install Certificate Services. Certificate Publishers controls who is allowed to publish certificates, but the question does not specify that there has been a problem with publishing certificates; a certificate authority has not even been set up yet.

QUESTION 28
You have an enterprise subordinate certification authority (CA). You have a group named Group1. You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must not be allowed to revoke certificates.

A. Add Group1 to the local Administrators group.
B. Add Group1 to the Certificate Publishers group.
C. Assign the Manage CA permission to Group1.
D. Assign the Issue and Manage Certificates permission to Group1.

Correct Answer: C
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
The Manage CA permission allows a user to publish CRLs but does not allow a user to revoke certificates. The Issue and Manage Certificates permission would grant the group the ability to revoke certificates. The Certificate Publishers group allows members to publish certificates, not CRLs. The local Administrators group allows full control of the CA itself, which would include the ability to revoke certificates.

QUESTION 29
You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recovery agent certificates are issued. The CA is configured to use two recovery agents. You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.

A. Add a Data Recovery Agent to the Default Domain Policy.
B. Modify the value in the Number of recovery agents to use box.
C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.
D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.

Correct Answer: B
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
The simple problem is that we issued more recovery agent certificates (3) than the server is configured to use (2). These numbers must match, and we cannot do anything about certificates that have already been issued other than revoke them. However, we are told all of the certificates must be usable, which leaves only the option of increasing the number of recovery agents the server is configured for. We would not revoke the existing certificates only to issue three more; the problem is that the server must support the same number of agents as there are certificates (if that option had said to issue two new certificates, it would be an alternative solution). The Issue and Manage Certificates permission would give the current recovery agents all sorts of extra access to modify certificates, but does not fix the issue at hand. Data Recovery Agents are used to recover data from BitLocker encrypted drives.

QUESTION 30
You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware security module. You need to back up Active Directory Certificate Services on the CA. Which command should you run?

A. certutil.exe -backup
B. certutil.exe -backupdb
C. certutil.exe -backupkey
D. certutil.exe -store

Correct Answer: B
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
certutil -backupdb backs up the AD CS database, including the private key. This is important because the CA is using a hardware module, which relies on the private key. certutil -backup only backs up the AD CS configuration. certutil -backupkey backs up only the AD CS key and private key; we need to back up the certificate database as well. certutil -store dumps the entire certificate store but does not back up the private key.
Reference:

QUESTION 31
You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificate template. Users can enroll for certificates based on the custom certificate template by using the Certificates console. The certificate template is unavailable for Web enrollment. You need to ensure that the certificate template is available on the Web enrollment pages.

A. Run certutil.exe -pulse.
B. Run certutil.exe -installcert.
C. Change the certificate template to a Version 2 certificate template.
D. On the certificate template, assign the Autoenroll permission to the users.

Correct Answer: C
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
Our problem is that version 3 templates cannot be used with Web enrollment; only version 1 and 2 templates are supported. Certificate Web enrollment cannot be used with version 3 certificate templates.
Reference:
Version 3 templates cannot be requested via web enrollment using the out-of-box certificate web enrollment pages.
Reference: templates.aspx
certutil.exe -pulse is used to check on the status ("pulse") of autoenrollment events. certutil.exe -installcert is used to install a CA certificate.
Reference:

QUESTION 32
You have an enterprise subordinate certification authority (CA). You have a custom certificate template that has a key length of 1,024 bits. The template is enabled for autoenrollment.
You increase the template key length to 2,048 bits. You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new template. Which console should you use?

A. Active Directory Administrative Center
B. Certification Authority
C. Certificate Templates
D. Group Policy Management

Correct Answer: C
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
Enrollment in a certificate is configured from the properties of the certificate template itself, so we need to use the Certificate Templates snap-in. The Certification Authority snap-in is used for managing properties of the CA, not certificates. Group Policy is used to configure autoenrollment settings for the domain, but will not perform the initial enrollment. Active Directory Administrative Center is a GUI for AD that lets you work with user account properties, but this is not where certificates are assigned/enrolled.

QUESTION 33
Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard. The functional level of the domain is Windows Server. You have a certification authority (CA). The relevant servers in the domain are configured as shown in the following table: You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate Enrollment Web Service on the network.

A. Upgrade Server1 to Windows Server 2008 R2.
B. Upgrade Server2 to Windows Server 2008 R2.
C. Raise the functional level of the domain to Windows Server.
D. Install the Windows Server 2008 R2 Active Directory Schema updates.

Correct Answer: D
Section: Configuring Additional Active Directory Server Roles
Explanation/Reference:
Before installing the certificate enrollment Web services, ensure that your environment meets these requirements:
- A host computer that is a domain member running Windows Server 2008 R2. (MY NOTE: We meet this criterion with Server3.)
- An Active Directory forest with a Windows Server 2008 R2 schema.
- An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server. (MY NOTE: We meet this criterion with both Server1 and Server2.)
Reference:

QUESTION 34
You have Active Directory Certificate Services (AD CS) deployed. You create a custom certificate template. You need to ensure that all of the users in the domain automatically enroll for a certificate based on the custom certificate template. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. In a Group Policy object (GPO), configure the Autoenrollment settings.
B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.
C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.
D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.

Correct Answer: AD
Section: Configuring Active Directory Certificate Services
Explanation/Reference:
To automatically enroll client computers for certificates in a domain environment, you must:
- Configure an autoenrollment policy for the domain. (...) 6. In Configuration Model, select Enabled to enable autoenrollment.
- Configure certificate templates for autoenrollment. (...) 6. In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, and then click OK and Close to finish.
MY NOTE: It says Authenticated Users here, and the answer says Domain Users. However, it is also clear that the Enroll permission is needed in addition to Read and Autoenroll. My only thought here is that Authenticated Users is a sort of subset of Domain Users, literally representing only users who have an active ticket/token.
Reference:

QUESTION 35
Your company has a server that runs an instance of Active Directory Lightweight Directory Services (AD LDS). You need to create new organizational units in the AD LDS application directory partition.

A. Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDS application directory partition.
B. Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition.
C. Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units.
D. Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units.

Correct Answer: B
Section: Configuring Additional Active Directory Server Roles
Explanation/Reference:
To create new OUs in the AD LDS application directory partition, use the ADSI Edit snap-in, which is the main snap-in used for most AD LDS management. ADSI Edit is a snap-in that runs in a Microsoft Management Console (MMC). The default console containing ADSI Edit is AdsiEdit.msc. If this snap-in is not added to your MMC, you can add it through the Add/Remove Snap-in menu option in the MMC, or you can open AdsiEdit.msc from Windows Explorer.

QUESTION 36
Your company has a server that runs Windows Server 2008 R2. The server runs an instance of Active Directory Lightweight Directory Services (AD LDS). You need to replicate the AD LDS instance on a test computer that is located on the network.

A. Run the repadmin /kcc <servername> command on the test computer.
B. Create a naming context by running the dsmgmt command on the test computer.
C. Create a new directory partition by running the dsmgmt command on the test computer.
D. Create and install a replica by running the AD LDS Setup wizard on the test computer.

Correct Answer: D
Section: Configuring Additional Active Directory Server Roles
Explanation/Reference:
Only the AD LDS Setup wizard has built-in features to save a configuration and reuse it when installing AD LDS on other computers.
Reference:
dsmgmt allows you to manage AD LDS directory partitions but does not replicate them. Creating a new partition on the test computer will not copy the data from the original machine. repadmin /kcc forces the KCC to recalculate replication on a domain controller; this is not the type of replication that is needed.

QUESTION 37
Your company has an Active Directory Rights Management Services (AD RMS) server. Users have Windows Vista computers. An Active Directory domain is configured at the Windows Server 2003 functional level. You need to configure AD RMS so that users are able to protect their documents.

A. Install the AD RMS client 2.0 on each client computer.
B. Add the RMS service account to the local administrators group on the AD RMS server.
C. Establish an account in Active Directory Domain Services (AD DS) for each RMS user.
D. Upgrade the Active Directory domain to the functional level of Windows Server.

Correct Answer: C
Section: Configuring Additional Active Directory Server Roles
Explanation/Reference:
For each user account and group that you configure with AD RMS, you need to add an e-mail address and then assign the users to groups.
Reference:

QUESTION 38
Your company has an Active Directory forest that runs at the functional level of Windows Server. You implement Active Directory Rights Management Services (AD RMS). You install Microsoft SQL Server. When you attempt to open the AD RMS administration Web site, you receive the following error message: "SQL Server does not exist or access denied." You need to open the AD RMS administration Web site. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Restart IIS.
B. Install Message Queuing.
C. Start the MSSQLSVC service.
D. Manually delete the Service Connection Point in Active Directory Domain Services (AD DS) and restart AD RMS.

Correct Answer: AC
Section: Configuring Additional Active Directory Server Roles
Explanation/Reference:
The website is not detecting, or is not able to connect to, SQL Server, which the scenario states was installed. This likely means the service for the SQL instance is not running and must be started. Doing this will also require a restart of IIS so that the website detects the new status of the service. AD RMS uses Message Queuing to log events so that AD RMS can be audited; this will not fix the problem, it might only allow us to determine more information about what is causing it.
The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object in Active Directory that holds the web address of the AD RMS certification cluster. Deleting this would break AD RMS access.
Reference:

QUESTION 39
Your company has a main office and 40 branch offices. Each branch office is configured as a separate Active Directory site that has a dedicated read-only domain controller (RODC). An RODC server is stolen from one of the branch offices. You need to identify the user accounts that were cached on the stolen RODC server. Which utility should you use?

A. dsmod.exe
B. ntdsutil.exe
C. Active Directory Sites and Services
D. Active Directory Users and Computers

Correct Answer: D
Section: Configuring Additional Active Directory Server Roles
Explanation/Reference:
To view current credentials that are cached on an RODC:
1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
3. In the details pane, right-click the RODC computer account, and then click Properties.
4. Click the Password Replication Policy tab.
5. Click Advanced.
6. In the drop-down list, click Accounts whose passwords are stored on this Read-only Domain Controller, as shown in the following illustration.
Reference: 29.aspx#bkmk_View_CredsOnRODC

QUESTION 40
You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2. What is the minimal forest functional level that you should use?

A. Windows Server 2008 R2
B. Windows Server 2008
C. Windows Server 2003
D. Windows 2000

Correct Answer: C
Section: Configuring Additional Active Directory Server Roles
Explanation/Reference:
Complete the following prerequisites before you deploy a read-only domain controller (RODC): ensure that the forest functional level is Windows Server 2003 or higher.
Reference:

QUESTION 41
Your company has an Active Directory forest that contains a single domain. The domain member server has an Active Directory Federation Services (AD FS) server role installed. You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain.

A. Add and configure a new account store.
B. Add and configure a new account partner.
C. Add and configure a new resource partner.
D. Add and configure a Claims-aware application.

Correct Answer: A
Section: Configuring Additional Active Directory Server Roles
Explanation/Reference:
To configure the AD FS trust policy to populate AD FS tokens with employees' information from the Active Directory domain, you need to add and configure a new account store. AD FS allows the secure sharing of identity information between trusted business partners across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions. Because claims originate from an account store, you need to configure an account store in order to configure the AD FS trust policy.
Reference:

QUESTION 42
Your network contains two standalone servers named Server1 and Server2 that have Active Directory Lightweight Directory Services (AD LDS) installed. Server1 has an AD LDS instance. You need to ensure that you can replicate the instance from Server1 to Server2. What should you do on both servers?

A. Obtain a server certificate.
B. Import the MS-User.ldf file.
C. Create a service user account for AD LDS.
D. Register the service location (SRV) resource records.

Correct Answer: C
Section: Configuring Additional Active Directory Server Roles
Explanation/Reference:
AD LDS has service account requirements for replication to succeed.
Reference:
For AD LDS instances that are joined to a configuration set, the service account is also used to authenticate against other AD LDS instances in the configuration set for replication.
Reference:

QUESTION 43
Your network contains a server named Server1 that runs Windows Server 2008 R2. You create an Active Directory Lightweight Directory Services (AD LDS) instance on Server1. You need to create an additional AD LDS application directory partition in the existing instance. Which tool should you use?

A. adaminstall
B. dsadd
C. dsmod
D. ldp

Correct Answer: D
Section: Configuring Additional Active Directory Server Roles
Explanation/Reference:
ldp is used to bind to an AD server and run LDAP operations, which lets you add a new directory partition. dsadd and dsmod are used to add/modify AD objects but do not provide options for creating directory partitions. adaminstall is used for automating installation of ADAM / AD LDS.

QUESTION 44
Your network contains a server named Server1 that runs Windows Server 2008 R2. On Server1, you create an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1. You connect to Instance1 by using ADSI Edit. You run the Create Object wizard and you discover that there is no User object class. You need to ensure that you can create user objects in Instance1.

A. Run the AD LDS Setup Wizard.
B. Modify the schema of Instance1.
C. Modify the properties of the Instance1 service.
D. Install the Remote Server Administration Tools (RSAT).

Correct Answer: B
Section: Configuring Additional Active Directory Server Roles
Explanation/Reference:
The schema is where object classes and attributes for a directory service are configured. The AD LDS Setup Wizard would help us set up a new instance, but cannot necessarily repair our instance, which is missing a critical object class. The Instance1 service would not have any properties that help add the User object class to the schema; at best, it would allow us to run the service with different credentials. RSAT is used to remotely administer a server from a Windows Vista/7 workstation. This would not give us any functionality we do not already have, and we can assume it has already been installed since we are using ADSI Edit to connect to Instance1.

QUESTION 45
Your network contains an Active Directory domain. The domain contains a server named Server1. Server1 runs Windows Server 2008 R2. You need to mount an Active Directory Lightweight Directory Services (AD LDS) snapshot from Server1.

A. Run ldp.exe and use the Bind option.
B. Run diskpart.exe and use the Attach option.
C. Run dsdbutil.exe and use the snapshot option.
D. Run imagex.exe and specify the /mount parameter.

Correct Answer: C
Section: Configuring Additional Active Directory Server Roles
Explanation/Reference:
dsdbutil snapshot
31 Manages snapshots of the volumes that contain the Active Directory database and log files, which you can view on a domain controller without starting in Directory Services Restore Mode (DSRM). Reference: diskpart is for managing disk partitions. Reference: ldp.exe is for running LDAP code or queries against a directory database. Bind is the option used to specify which database you are attaching to for your code. imagex is for mounting VHD's used in a deployment system. Reference: QUESTION 46 Your network contains an Active Directory domain named contoso.com. The network contains client computers that run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) is deployed on the network. You create a new AD RMS template that is distributed by using the AD RMS pipeline. The template is updated every month. You need to ensure that all the computers can use the most up-to-date version of the AD RMS template. You want to achieve this goal by using the minimum amount of administrative effort. A. Upgrade all of the Windows Vista computers to Windows 7. B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2). C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users by using a Software Installation extension of Group Policy. D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all computers by using a Software Installation extension of Group Policy. Correct Answer: B Section: Configuring Additional Active Directory Server Roles /Reference: : Windows 7 clients should automatically get the latest templates, but Windows Vista requires at least SP1 level and we are not told that any clients are at SP1 or SP2 level. So we must upgrade them. 
In Windows Vista with Service Pack 1 (SP1), Windows Server 2008, Windows 7, and Windows Server 2008 R2, rights policy templates are automatically managed by the AD RMS client Reference: QUESTION 47 Active Directory Rights Management Services (AD RMS) is deployed on your network. Users who have Windows Mobile 6 devices report that they cannot access documents that are protected by AD RMS. You need to ensure that all users can access AD RMS protected content by using Windows Mobile 6 devices.

32 A. Modify the security of the ServerCertification.asmx file. B. Modify the security of the MobileDeviceCertification.asmx file. C. Enable anonymous authentication for the _wmcs virtual directory. D. Enable anonymous authentication for the certification virtual directory. Correct Answer: B Section: Configuring Additional Active Directory Server Roles /Reference: : AD RMS can provide rights account certificates (RACs) and use licenses to AD RMS-enabled applications that are running Windows Mobile 6. (...) AD RMS-enabled mobile applications can connect to the AD RMS mobile certification server by using the MobileDeviceCertification.asmx file. Reference: QUESTION 48 Your network contains an Active Directory Rights Management Services (AD RMS) cluster. You have several custom policy templates. The custom policy templates are updated frequently. Some users report that it takes as many as 30 days to receive the updated policy templates. You need to ensure that users receive the updated custom policy templates within seven days. A. Modify the registry on the AD RMS servers. B. Modify the registry on the users' computers. C. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task. D. Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task. Correct Answer: B Section: Configuring Additional Active Directory Server Roles /Reference: : The automated scheduled task will not query the AD RMS template distribution pipeline each time that this scheduled task runs. Instead, it checks updatefrequency DWORD value registry entry. This registry entry specifies the time interval (in days) after which the client should update its rights policy templates. By default the registry key is not present on the client computer. In this scenario, the client checks for new, deleted, or modified rights policy templates every 30 days. 
To configure an interval other than 30 days, create the UpdateFrequency value (DWORD, in days) under HKEY_CURRENT_USER\Software\Policies\Microsoft\MSDRM\TemplateManagement; for this scenario set it to 7. In the same key you can also set UpdateIfLastUpdatedBeforeTime, which forces the client to refresh its templates if they were last updated before the given time. Because the key sits under Policies in HKEY_CURRENT_USER it is normally pushed to the users' computers with Group Policy rather than edited by hand, and changing the trigger of the scheduled task alone (answers C and D) does not shorten the interval, because the task still honours the registry value when it runs.
Reference:

QUESTION 49
Your company has a main office and a branch office. The branch office contains a read-only domain controller named RODC1. You need to ensure that a user named Admin1 can install updates on RODC1. The solution must prevent Admin1 from logging on to other domain controllers.

A. Run ntdsutil.exe and use the Roles option.
B. Run dsmgmt.exe and use the Local Roles option.
C. From Active Directory Sites and Services, modify the NTDS Site Settings.
D. From Active Directory Users and Computers, add the user to the Server Operators group.
Correct Answer: B
Section: Configuring Additional Active Directory Server Roles
/Reference:
To configure Administrator Role Separation for an RODC:
1. Click Start, click Run, type cmd, and then press ENTER.
2. At the command prompt, type dsmgmt.exe, and then press ENTER.
3. At the DSMGMT prompt, type local roles, and then press ENTER.
(...)
Reference:
The ntdsutil Roles option is used to transfer or seize operations master (FSMO) roles, not to manage local roles. Adding Admin1 to Server Operators (answer D) would grant logon rights on every domain controller in the domain, which is exactly what must be prevented.
Reference:

QUESTION 50
You install a read-only domain controller (RODC) named RODC1. You need to ensure that a user named User1 can administer RODC1. The solution must minimize the number of permissions assigned to User1. Which tool should you use?

A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. dsadd
D. dsmgmt
Correct Answer: B
Section: Configuring Additional Active Directory Server Roles
/Reference:
There are a couple of ways to achieve this, two of which appear in the answers: Active Directory Users and Computers and dsmgmt. The article below explains the different ways to implement Administrator Role Separation on an RODC, and why Active Directory Users and Computers is recommended over dsmgmt.

Delegating local administration of an RODC

Administrator Role Separation (ARS) is an RODC feature that you can use to delegate the ability to administer an RODC to a user or a security group. When you delegate the ability to log on to an RODC to a user or a security group, the user or group is not added to the Domain Admins group and therefore does not gain additional rights to perform directory service operations.

Steps and best practices for setting up ARS

You can specify a delegated RODC administrator during an RODC installation or after it. To specify the delegated RODC administrator after installation, you can use either of the following options:
1. Modify the Managed By tab of the RODC account properties in the Active Directory Users and Computers snap-in (the referenced article shows this in a figure). Click Change to change which security principal is the delegated RODC administrator. You can choose only one security principal. Specify a security group rather than an individual user so that you can control RODC administration permissions most efficiently. This method sets the managedBy attribute of the computer object that corresponds to the RODC to the security principal that you specify (the attribute holds its distinguished name). This is the recommended way to specify the delegated RODC administrator account because the information is stored in AD DS, where it can be centrally managed by domain administrators.
2. Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members of the Administrators group and other built-in groups on the RODC. Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC. (...) Using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated administrator.
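The two delegation methods just described, as an added PowerShell example that is not part of the original dump or of Microsoft's documentation. It uses RODC1, Admin1 and contoso.com from questions 49 and 50; the group name RODC1-LocalAdmins and the OU=Groups path are assumptions made for the example, and it must run with an account that can edit the RODC's computer object.

```powershell
# Added example (not from the original dump): delegating RODC administration
# (questions 49 and 50). RODC1, Admin1 and contoso.com come from the questions;
# the group RODC1-LocalAdmins and the OU=Groups path are assumptions.
Import-Module ActiveDirectory

# Recommended way (question 50): set managedBy on the RODC's computer object.
# The RODC grants that principal membership of its local Administrators group,
# and the setting lives in AD DS where domain admins can see and audit it.
New-ADGroup -Name 'RODC1-LocalAdmins' -GroupScope Global `
    -Path 'OU=Groups,DC=contoso,DC=com' -Description 'Delegated local admins of RODC1'
Add-ADGroupMember -Identity 'RODC1-LocalAdmins' -Members 'Admin1'
Set-ADComputer -Identity 'RODC1' -ManagedBy (Get-ADGroup 'RODC1-LocalAdmins')

# Verify: the managedBy attribute now holds the group's distinguished name.
Get-ADComputer -Identity 'RODC1' -Properties ManagedBy | Select-Object Name, ManagedBy

# Local-only way (question 49): dsmgmt "local roles" (ntdsutil accepts the same
# subcommands). The result is stored on RODC1 only and is invisible in ADUC, so
# prefer the managedBy method above; shown here for completeness. The
# subcommands can be passed as arguments instead of typed at the prompt.
dsmgmt "local roles" "connections" "connect to server RODC1" "quit" `
       "add contoso\Admin1 administrators" "show role administrators" "quit" "quit"

# Least-privilege check for question 49: Admin1 must NOT be in a group that
# grants logon to the writable domain controllers.
$forbidden = 'Domain Admins', 'Enterprise Admins', 'Server Operators', 'Administrators'
$memberOf  = Get-ADPrincipalGroupMembership -Identity 'Admin1' | Select-Object -ExpandProperty Name
$memberOf | Where-Object { $forbidden -contains $_ } |
    ForEach-Object { Write-Warning "Admin1 is in $_ and can log on to every domain controller" }
```

The managedBy route is the one to use in practice: it is a single attribute that any domain administrator can query, whereas the dsmgmt route leaves no trace in the directory and is only discoverable by logging on to the RODC itself.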

Reference:

QUESTION 51
Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains four domain controllers. Site2 contains a read-only domain controller (RODC). You add a user named User1 to the Allowed RODC Password Replication Group. The WAN link between Site1 and Site2 fails. User1 restarts his computer and reports that he is unable to log on to the domain. The WAN link is restored and User1 reports that he is able to log on to the domain. You need to prevent the problem from reoccurring if the WAN link fails.

A. Create a Password Settings object (PSO) and link the PSO to User1's user account.
B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.
C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.
D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.
Correct Answer: D
Section: Configuring Additional Active Directory Server Roles
/Reference:
When a network connection to a writable domain controller is not available, a user is able to log on through an RODC only if the passwords of both the user account and the computer account (of the workstation that the user is accessing) are cached on the RODC. (MY NOTE: This means BOTH accounts must be in the Allowed RODC Password Replication Group, and we are not given the option of adding User1's user account to the group.) (...) Prepopulating the password cache helps ensure that a user can log on to the network using the RODC, even when a link to a writable domain controller is not available. For example, suppose that a user who used to work in a data center transfers to a branch office with his computer. The RODC contacts the writable domain controller in the data center. If the PRP allows it, the RODC caches the password. However, if the wide area network (WAN) link is offline when the user attempts to log on, the logon attempt fails because the RODC has not cached the password for the account. To avoid this problem, you can prepopulate the password cache of the RODC in the branch office with the passwords of the user and his computer. This makes it unnecessary for the RODC to replicate the password from the writable Windows Server 2008 domain controller over the WAN link.
Note that membership in the allowed group only permits caching; nothing is cached until the account authenticates through the RODC while the WAN link is up, or the cache is prepopulated (for example with repadmin /rodcpwdrepl). Password Settings objects (answers A and B) set fine-grained password policy and have nothing to do with caching.
Reference:

QUESTION 52
Your company has a main office and a branch office. The network contains an Active Directory domain. The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named DC2. You discover that the password of an administrator named Admin1 is cached on DC2. You need to prevent Admin1's password from being cached on DC2.

A. Modify the NTDS Site Settings.
B. Modify the properties of the domain.
C. Create a Password Setting object (PSO).
D. Modify the properties of DC2's computer account.
Correct Answer: D
Section: Configuring Additional Active Directory Server Roles
/Reference:
To prevent an account's password from being cached on an RODC, add the account to the denied list of that RODC's Password Replication Policy. For a single RODC this is configured from the properties of the RODC's computer account in Active Directory Users and Computers: on the Password Replication Policy tab of DC2 in the Domain Controllers OU, add Admin1 to the Denied list. (The domain-wide Denied RODC Password Replication Group does the same for every RODC in the domain, and the administrative groups are members of it by default.) A denied entry always takes precedence over an allowed one. Changing the policy only stops future caching: the copy of Admin1's password already held by DC2 remains valid until the password is changed, so reset it as well.
To allow individual RODCs to cache user and computer credentials in specific locations, configure the Allowed and Denied lists on the Password Replication Policy tab of the properties of each individual RODC account in the Domain Controllers OU.
Reference:

QUESTION 53
Your network contains an Active Directory domain named contoso.com. The network has a branch office site that contains a read-only domain controller (RODC) named RODC1. RODC1 runs Windows Server 2008 R2. A user named User1 logs on to a computer in the branch office site. You discover that the password of User1 is not stored on RODC1. You need to ensure that User1's password is stored on RODC1. What should you modify?

A. the Member Of properties of RODC1
B. the Member Of properties of User1
C. the Security properties of RODC1
D. the Security properties of User1
Correct Answer: B
Section: Configuring Additional Active Directory Server Roles
/Reference:
For a user's password to be cached on an RODC, the user must be a member of the Allowed RODC Password Replication Group (or be listed on that RODC's own allowed list). Therefore we modify User1's group membership, not RODC1's. The same result can be reached from the properties of RODC1 in Active Directory Users and Computers, but on the Password Replication Policy tab, not the Member Of tab. The Security properties control which principals have permissions over the User1 object and have no effect on whether the password is cached. As in question 51, membership only permits caching: User1's password is actually stored on RODC1 at his next authentication through it, or when the cache is prepopulated.

QUESTION 54
Your company has a main office and a branch office. The branch office has an Active Directory site that contains a read-only domain controller (RODC). A user from the branch office reports that his account is locked out. From a writable domain controller in the main office, you discover that the user's account is not locked out.

You need to ensure that the user can log on to the domain.

A. Modify the Password Replication Policy.
B. Reset the password of the user account.
C. Run the Knowledge Consistency Checker (KCC) on the RODC.
D. Restore network communication between the branch office and the main office.
Correct Answer: D
Section: Configuring Additional Active Directory Server Roles
/Reference:
We confirmed that the account is not locked out, but the user believes it is, which means he is most likely receiving a message that a domain controller could not be contacted. Because the branch office has an RODC, the RODC would let him log on if his password were cached. That is not happening, so his credentials are not cached and the RODC has to forward the authentication to a writable domain controller. If that forwarding fails, the network link between the two offices is down, and restoring it is what lets him log on.
The KCC builds the replication topology between domain controllers and runs automatically; it would not normally be run by hand, and nothing suggests replication is broken, since the user's account has not recently changed. We only know that the user's account is reporting a wrong status. The Password Replication Policy controls which accounts may be cached on an RODC, but there is no indication that he was previously able to use the RODC offline. Resetting the password would not help, because he did not receive a message that his password had expired.

QUESTION 55
You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named Server1. You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS. Which protocol should you allow on Server1?

A. SMB
B. RPC
C. SSL
D. Kerberos
Correct Answer: C
Section: Configuring Additional Active Directory Server Roles
/Reference:
AD FS uses a web site to authenticate external users. Because user credentials travel over the Internet, and because AD FS requires certificates, this is an SSL (HTTPS) site, so TCP port 443 must be allowed inbound on the proxy. Nothing else (SMB, RPC, Kerberos) should be reachable from the Internet on a federation server proxy. NOTE: This question can also appear asking for the port number (443) rather than the protocol.
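Before moving on to the AD FS questions, here is an added PowerShell example, not part of the original dump, that carries out and verifies the RODC password replication policy changes behind questions 51 to 54 above with the Active Directory module, repadmin and nltest. It uses RODC1, DC1, DC2, User1 and Admin1 from the questions; the workstation name WS1 (User1's computer) and the domain contoso.com are assumptions.

```powershell
# Added example (not from the original dump): RODC password replication policy
# for questions 51 to 54. RODC1, DC1, DC2, User1 and Admin1 come from the
# questions; WS1 (User1's workstation) and contoso.com are assumptions.
Import-Module ActiveDirectory

# Questions 51 and 53: offline logon through the RODC needs BOTH the user's and
# the workstation's passwords cached, so both accounts go on the allowed list.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members 'User1', 'WS1$'

# Question 52: the per-RODC denied list lives on the RODC's own computer account
# (the Password Replication Policy tab). A denied entry always wins over an
# allowed one. Admin groups are in the domain-wide Denied group by default; this
# makes the entry explicit for DC2. A password already cached stays there until
# it is changed, so reset Admin1's password as well after denying it.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'DC2' -DeniedList 'Admin1'

# Membership only PERMITS caching. Prepopulate from a writable DC while the WAN
# link is up so the first logon during an outage does not fail (this is what
# question 51 was missing for the computer account).
repadmin /rodcpwdrepl RODC1 DC1 'CN=User1,CN=Users,DC=contoso,DC=com' 'CN=WS1,CN=Computers,DC=contoso,DC=com'

# Verify the policy and what is actually cached ("revealed") on the RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'RODC1' -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'DC2' -Denied | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC1' -RevealedAccounts |
    Select-Object Name, ObjectClass
# repadmin /prp view RODC1 reveal    <- the same information from the command line

# Question 54: an "account locked out" complaint from a branch whose RODC holds
# no cached credentials is usually a WAN outage. Check both before touching the
# account: is the user really locked, and can a writable DC be reached?
Get-ADUser -Identity 'User1' -Properties LockedOut | Select-Object Name, LockedOut
nltest /dsgetdc:contoso.com /writable /force
```

The revealed-accounts list is worth reviewing periodically on every RODC: it is exactly the set of passwords an attacker obtains by stealing that branch server, and those are the accounts to reset if the RODC is ever compromised.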

QUESTION 56
Your network contains a single Active Directory domain. The domain contains five read-only domain controllers (RODCs) and five writable domain controllers. All servers run Windows Server. You plan to install a new RODC that runs Windows Server 2008 R2. You need to ensure that you can add the new RODC to the domain. You want to achieve this goal by using the minimum amount of administrative effort. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. At the command prompt, run adprep.exe /rodcprep.
B. At the command prompt, run adprep.exe /forestprep.
C. At the command prompt, run adprep.exe /domainprep.
D. From Active Directory Domains and Trusts, raise the functional level of the domain.
E. From Active Directory Users and Computers, pre-stage the RODC computer account.
Correct Answer: BC
Section: Configuring Additional Active Directory Server Roles
/Reference:
We are adding the first Windows Server 2008 R2 domain controller to the domain, so the forest and the domain must be prepared for the R2 schema extensions: adprep /forestprep (run on the schema master) and then adprep /domainprep (run on the infrastructure master). We would not raise the functional level of the domain: RODCs only require the forest functional level to be Windows Server 2003, and because the domain already contains RODCs that requirement is already met. For the same reason adprep /rodcprep has already been run. Pre-staging the computer account only matters when the installation is delegated to a non-administrator; it is not required to add the RODC.

QUESTION 57
You deploy a new Active Directory Federation Services (AD FS) federation server. You request new certificates for the AD FS federation server. You need to ensure that the AD FS federation server can use the new certificates. To which certificate store should you import the certificates?

A. Computer
B. IIS Admin Service service account
C. Local Administrator
D. World Wide Web Publishing Service service account
Correct Answer: A
Section: Configuring Additional Active Directory Server Roles
/Reference:
To import the server authentication certificate for adfsresource to adfsweb:
4. Click Start, click Run, type mmc, and then click OK.
5. Click File, and then click Add/Remove Snap-in.

6. Select Certificates, click Add, click Computer account, and then click Next.
7. Click Local computer: (the computer this console is running on), click Finish, and then click OK.
Reference:
AD FS reads its certificates from the local computer's Personal store. The account the federation service runs under needs read access to the certificate's private key, which is granted on the key itself, not by importing the certificate into a per-user store; certificates in a user's or service account's store (answers B, C and D) are not visible to the service.

QUESTION 58
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 has the Active Directory Federation Services (AD FS) role installed. You have an application named App1 that is configured to use Server1 for AD FS authentication. You deploy a new server named Server2. Server2 is configured as an AD FS 2.0 server. You need to ensure that App1 can use Server2 for authentication. What should you do on Server2?

A. Add an attribute store.
B. Create a relying party trust.
C. Create a claims provider trust.
D. Create a relaying provider trust.
Correct Answer: B
Section: Configuring Additional Active Directory Server Roles
/Reference:
In AD FS 2.0 trusts are modelled from the point of view of the federation server. A relying party trust represents an application (or another federation service) that consumes the security tokens Server2 issues; App1 is such a consumer, so on Server2 you create a relying party trust for App1, with its identifier, endpoint and the claim rules that decide what goes into its tokens. A claims provider trust represents an identity provider whose tokens Server2 accepts as input, which is not what is needed here. An attribute store (AD DS, SQL Server, LDAP) is where claim rules look up attribute values, and "relaying provider trust" is not an AD FS object type.

QUESTION 59
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. The Active Directory Federation Services (AD FS) role is installed on Server1. Contoso.com is defined as an account store. A partner company has a Web-based application that uses AD FS authentication. The partner company plans to provide users from contoso.com access to the Web application. You need to configure AD FS on contoso.com to allow contoso.com users to be authenticated by the partner company. What should you create on Server1?

A. a new application
B. a resource partner
C. an account partner
D. an organization claim

Correct Answer: D
Section: Configuring Additional Active Directory Server Roles
/Reference:
When you use Active Directory Domain Services (AD DS) as the Active Directory Federation Services (AD FS) account store for an account Federation Service, you map an organization group claim to a security group in AD DS. This mapping is called a group claim extraction.
Reference:
Creating a resource partner or account partner is done when the federation trust is set up; in this topology contoso.com is the account partner and the partner company is the resource partner. We are not told to create an application, because the application belongs to the partner company.

QUESTION 60
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has the Active Directory Federation Services (AD FS) Federation Service role service installed. You plan to deploy AD FS 2.0 on Server2. You need to export the token-signing certificate from Server1, and then import the certificate to Server2. Which format should you use to export the certificate?

A. Base-64 encoded X.509 (.cer)
B. Cryptographic Message Syntax Standard PKCS #7 (.p7b)
C. DER encoded binary X.509 (.cer)
D. Personal Information Exchange PKCS #12 (.pfx)
Correct Answer: D
Section: Configuring Additional Active Directory Server Roles
/Reference:
If you are implementing a server farm of federation servers that share a single, exportable private key certificate that is issued by an enterprise certification authority (CA), the private key portion of the existing token-signing certificate must be exported to make it available for importing into the certificate store on the new server. (...)
To export the private key of a token-signing certificate:
1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
2. Right-click Federation Service, and then click Properties.
3. On the General tab, click View.
4. In the Certificate dialog box, click the Details tab.
5. On the Details tab, click Copy to File.
6. On the Welcome to the Certificate Export Wizard page, click Next.
7. On the Export Private Key page, select Yes, export the private key, and then click Next.
8. On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX), and then click Next.
(...)
Reference:
PKCS #12 is the only listed format that carries the private key; Base-64 and DER .cer files and .p7b chains contain public certificates only. When initially setting up a federation trust we export the token-signing certificate to a DER file so the partner can verify signatures, but that is not what this scenario covers. Protect the .pfx with a strong password and delete it after the import: anyone holding that file can sign tokens that every relying party of the farm will accept.
Reference:
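Questions 55, 57 and 60 above are all about where an AD FS certificate goes and in what form it moves between servers. The block below is an added PowerShell example, not part of the original dump or of Microsoft's documentation: it opens only TCP 443 on the proxy, exports the farm's primary token-signing certificate with its private key as PKCS #12 on Server1, and imports it into the Computer store on Server2. It assumes AD FS 2.0 with the Microsoft.Adfs.PowerShell snap-in, a token-signing certificate issued with an exportable private key, and the file path C:\temp\adfs-token-signing.pfx; the sections marked for Server1 and Server2 are run on the respective server.

```powershell
# Added example (not from the original dump): AD FS certificate handling for
# questions 55, 57 and 60. Assumes AD FS 2.0 (Microsoft.Adfs.PowerShell snap-in),
# an exportable token-signing key on Server1, and the PFX path below.

# --- Question 55, on the Federation Service Proxy: it is an HTTPS site, so only
#     TCP 443 is allowed inbound from the Internet. Nothing else is opened.
netsh advfirewall firewall add rule name="AD FS HTTPS" dir=in action=allow protocol=TCP localport=443

# --- Question 60, on Server1: export the PRIMARY token-signing certificate WITH
#     its private key. A .cer (DER or Base-64) or .p7b export carries only the
#     public certificate, which is useless to a new farm member.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$thumb = (Get-ADFSCertificate -CertificateType Token-Signing |
          Where-Object { $_.IsPrimary }).Thumbprint
$cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Token-signing certificate $thumb is not in the Computer store with a private key"
}
$pfxPath = 'C:\temp\adfs-token-signing.pfx'
$pfxPwd  = Read-Host -AsSecureString 'Password to protect the PFX'
$pfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPwd)
[System.IO.File]::WriteAllBytes($pfxPath, $pfx)

# --- Question 57, on Server2: import into the COMPUTER store (LocalMachine\My),
#     not a service account's or user's store, and persist the key in the machine
#     key set so the federation service can still use it after a reboot.
#     (certutil -p <password> -importPFX <file> does the same from cmd.exe.)
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] 'MachineKeySet, PersistKeySet'
$imported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPwd, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite'); $store.Add($imported); $store.Close()

# Whoever holds the PFX can sign tokens every relying party trusts: remove the
# file once the import has been verified on Server2.
Remove-Item $pfxPath -Force
```

After the import, the AD FS 2.0 service account still needs read permission on the private key (the configuration wizard grants it when Server2 joins the farm); if tokens fail to sign afterwards, that permission is the first thing to check.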

QUESTION 61
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has Active Directory Federation Services (AD FS) 2.0 installed. Server1 is a member of an AD FS farm. The AD FS farm is configured to use a configuration database that is stored on a separate Microsoft SQL Server. You install AD FS 2.0 on Server2. You need to add Server2 to the existing AD FS farm.

A. On Server1, run fsconfig.exe.
B. On Server1, run fsconfigwizard.exe.
C. On Server2, run fsconfig.exe.
D. On Server2, run fsconfigwizard.exe.
Correct Answer: C
Section: Configuring Additional Active Directory Server Roles
/Reference:
The configuration is always run on the server being added, never on an existing member, so answers A and B are out. fsconfig.exe is the command-line configuration tool of an AD FS 2.0 installation and fsconfigwizard.exe is its GUI counterpart; both can create a stand-alone server, create a farm, or join one. For a farm that keeps its configuration database on SQL Server the join is scripted from Server2 with the JoinSQLFarm option (fsconfig.exe JoinSQLFarm /SQLConnectionString "..." /ServiceAccount ... /ServiceAccountPassword ...), which is the answer expected here. The scenario states that AD FS 2.0 is already installed on both servers, so no installation step is needed.
Reference:

QUESTION 62
Your network contains a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2. You need to enable the Active Directory Recycle Bin. What should you use?

A. the dsmod tool
B. the Enable-ADOptionalFeature cmdlet
C. the ntdsutil tool
D. the Set-ADDomainMode cmdlet
Correct Answer: B
Section: Maintaining the Active Directory Environment
/Reference:

After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods:
1. Enable-ADOptionalFeature Active Directory module cmdlet (this is the recommended method).
2. Ldp.exe
Enabling the feature is irreversible. Once it is enabled, every domain controller in the forest keeps deleted objects intact (attributes and group memberships included) for the deleted object lifetime, which by default equals the tombstone lifetime. Set-ADDomainMode only changes the domain functional level, dsmod edits existing objects, and ntdsutil has no option for optional features.
Reference:

QUESTION 63
Your network contains an Active Directory domain. You need to restore a deleted computer account from the Active Directory Recycle Bin.

A. From the command prompt, run recover.exe.
B. From the command prompt, run ntdsutil.exe.
C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.
D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.
Correct Answer: D
Section: Maintaining the Active Directory Environment
/Reference:
The Restore-ADObject cmdlet restores a deleted Active Directory object. (MY NOTE: Only in conjunction with the Recycle Bin feature in 2008 R2.) The deleted object is located with Get-ADObject using the IncludeDeletedObjects parameter and piped to Restore-ADObject; if its parent container was deleted as well, the parent must be restored first.
Reference:
Restore-Computer is a cmdlet for working with System Restore / restore points.
Reference:
ntdsutil is for maintaining the AD database offline. It lets us defragment the database and perform authoritative restores, a process we could use to restore the computer account from a backup. However, it does not work with the Recycle Bin, which is precisely why that feature was created.
recover was a primitive file system error recovery utility included in MS-DOS / IBM PC DOS versions prior to DOS 6.0; typing recover at the DOS command line invoked RECOVER.COM or RECOVER.EXE.
Reference:

QUESTION 64
Your network contains a single Active Directory domain. You need to create an Active Directory Domain Services snapshot.

A. Use the Ldp tool.
B. Use the ntdsutil tool.
C. Use the wbadmin tool.
D. From Windows Server Backup, perform a full backup.
Correct Answer: B
Section: Maintaining the Active Directory Environment
/Reference:
In order to create an Active Directory snapshot you need to use the NTDSUTIL command. NTDSUTIL is built into Windows Server. It is available if you have the Active Directory Domain Services (AD DS) server role or the AD LDS server role installed.
Reference:
A full backup gives you a backup of the entire server, including the AD DS database file (ntds.dit), but that is far more than is needed. Similarly, wbadmin cannot take just a snapshot of AD DS. Ldp connects to AD DS databases and mounted snapshots and runs LDAP operations against them, but it does not create snapshots. A snapshot is a Volume Shadow Copy of the volumes that hold the database and its logs, so it contains every password hash in the domain and must be protected, and deleted when no longer needed, exactly like a backup.

QUESTION 65
You have an Active Directory snapshot. You need to view the contents of the organizational units (OUs) in the snapshot. Which tools should you run?

A. explorer.exe, netdom.exe, and dsa.msc
B. ntdsutil.exe, dsamain.exe, and dsa.msc
C. wbadmin.msc, dsamain.exe, and netdom.exe
D. wbadmin.msc, ntdsutil.exe, and explorer.exe
Correct Answer: B
Section: Maintaining the Active Directory Environment
/Reference:
We need ntdsutil.exe to mount the snapshot, dsamain.exe to expose it as an LDAP server, and dsa.msc (Active Directory Users and Computers) to view the contents. Before connecting to the snapshot we need to mount it. (...) In order to mount an Active Directory snapshot follow these steps:
1. Log on as a member of the Domain Admins group to one of your Windows Server 2008 domain controllers.
2. Open a Command Prompt window by clicking the CMD shortcut in the Start menu, or by typing CMD and pressing Enter in the Run or Quick Search parts of the Start menu. Note: You must run NTDSUTIL from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
3. In the CMD window, type the following command: ntdsutil
(...)

In order to connect to the AD snapshot you have mounted you will need to use the DSAMAIN command. (...) After using DSAMAIN to expose the information inside the AD snapshot, you can use any GUI tool that can connect to the specified port, such as Active Directory Users and Computers (dsa.msc), ADSIEdit.msc, LDP.exe or others. In outline: in ntdsutil, activate instance ntds and enter the snapshot menu to create, list and mount the snapshot; then run dsamain with the dbpath of the ntds.dit inside the mounted snapshot and a spare ldapport; then point dsa.msc at the domain controller on that port through Change Domain Controller. Unmount and delete the snapshot when you are done with it.
Reference:

QUESTION 66
Your network contains a domain controller that runs Windows Server 2008 R2. You need to change the location of the Active Directory log files. Which tool should you use?

A. dsamain
B. dsmgmt
C. dsmove
D. ntdsutil
Correct Answer: D
Section: Maintaining the Active Directory Environment
/Reference:
To move the directory database and log files to a local drive:
1. In Directory Services Restore Mode, open a command prompt and change directories to the current location of the directory database file (Ntds.dit) or the log files, whichever you are moving.
2. Run the dir command and make a note of the current size and location of the Ntds.dit file.
3. At the command prompt, type ntdsutil and then press ENTER.
4. At the ntdsutil: prompt, type files and then press ENTER.
5. To move the database file, at the file maintenance: prompt, use the following commands: (...) To move the log files, type: move logs to drive:\directory
Reference:
On Windows Server 2008 and later you can stop the Active Directory Domain Services service instead of rebooting into DSRM. Use ntdsutil rather than copying the files by hand: its move commands also update the registry paths and set the NTFS permissions on the new location.

QUESTION 67
Your network contains an Active Directory domain that contains five domain controllers. You have a management computer that runs Windows 7. From the Windows 7 computer, you need to view all account logon failures that occur in the domain. The information must be consolidated on one list. Which command should you run on each domain controller?

A. wecutil.exe qc
B. wevtutil.exe gli
C. winrm.exe quickconfig
D. winrshost.exe
Correct Answer: C
Section: Maintaining the Active Directory Environment

/Reference:
To view account logon failures for the whole domain, each domain controller must be set up to forward events to the Windows 7 computer (event forwarding over WinRM). On each source computer that is done with the winrm quickconfig command, which starts the WinRM service, sets it to start automatically, creates an HTTP listener and opens the firewall exception.
Reference:
wecutil.exe qc is run on the Windows 7 computer, since it is the collector (it configures the Windows Event Collector service); a subscription is then created there for the Security log of the five domain controllers, where the account logon failures appear as events such as 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation failed). winrshost.exe is the host process for remote shells under Windows Remote Management (WinRM), not a configuration command. wevtutil.exe gli displays the status of an event log or log file, but tells us nothing about the events themselves.

QUESTION 68
You create a new Active Directory domain. The functional level of the domain is Windows Server 2008 R2. The domain contains five domain controllers. You need to monitor the replication of the group policy template files. Which tool should you use?

A. dfsrdiag
B. fsutil
C. ntdsutil
D. ntfrsutl
Correct Answer: A
Section: Maintaining the Active Directory Environment
/Reference:
Group Policy template files live in the SYSVOL share, and because the domain was created at the Windows Server 2008 R2 functional level, SYSVOL is replicated with DFS Replication (DFSR), which dfsrdiag monitors (for example dfsrdiag backlog and dfsrdiag replicationstate). ntfrsutl would be used if SYSVOL were still replicated by the File Replication Service (FRS), which is the case for domains below the Windows Server 2008 functional level or not yet migrated with dfsrmig. ntdsutil is used for offline management of the AD database. fsutil manages file system and volume properties (quotas, sparse files, hard links, reparse points), not replication; SYSVOL is not an ordinary file share but a replicated folder that is distributed to every domain controller in the domain.

QUESTION 69
You create a new Active Directory domain. The functional level of the domain is Windows Server. The domain contains five domain controllers that run Windows Server 2008 R2. You need to monitor the replication of the group policy template files. Which tool should you use?

A. dfsrdiag
B. fsutil

C. ntdsutil
D. ntfrsutl
Correct Answer: D
Section: Maintaining the Active Directory Environment
/Reference:
This is a tricky one, but note the functional level of the domain. Without raising it to at least Windows Server 2008, SYSVOL cannot use DFSR, so it is still replicated with the older FRS, which we monitor with the ntfrsutl program (ntfrsutl sets and ntfrsutl ds show the replica sets and their state). ntdsutil is for managing the AD database offline. fsutil manages file system and volume properties, not replication.

QUESTION 70
You have a domain controller named Server1 that runs Windows Server 2008 R2. You need to determine the size of the Active Directory database on Server1.

A. Run the Active Directory Sizer tool.
B. Run the Active Directory Diagnostics data collector set.
C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.
D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.
Correct Answer: C
Section: Maintaining the Active Directory Environment
/Reference:
The AD database is stored in the file %systemroot%\ntds\ntds.dit; viewing its properties in Windows Explorer shows how much disk space it uses. (The database can be moved, as in question 66; if it is not in the default location, the DSA Database file value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters gives the current path.) The %systemroot%\sysvol\domain folder holds scripts and Group Policy templates that are replicated to every domain controller; it is a shared folder and does not contain the directory database. The Active Directory Sizer tool estimates the hardware required to deploy Active Directory in an organization based on the organization's profile, domain information and site topology.
Reference:
The Active Directory Diagnostics data collector set gives performance information for AD; poor results might hint that the database is getting large, but it does not report the size of the file.

QUESTION 71
Your network contains a single Active Directory domain. The functional level of the forest is Windows Server. The functional level of the domain is Windows Server 2008 R2. All DNS servers run Windows Server. All domain controllers run Windows Server 2008 R2. You need to ensure that you can enable the Active Directory Recycle Bin.

A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Modify the Active Directory schema.
D. Modify the Universal Group Membership Caching settings.
Correct Answer: A
Section: Maintaining the Active Directory Environment
/Reference:
By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2, which in turn requires all domain controllers in the forest (or all servers that host instances of an AD LDS configuration set) to be running Windows Server 2008 R2. That requirement is met here, so the forest functional level can be raised; the domain functional level is already Windows Server 2008 R2, and the schema was already extended by adprep when the R2 domain controllers were added.
Reference:

QUESTION 72
Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2. You perform a full backup of the domain controllers every night by using Windows Server Backup. You update a script in the SYSVOL folder. You discover that the new script fails to run properly. You need to restore the previous version of the script in the SYSVOL folder. The solution must minimize the amount of time required to restore the script. What should you do first?

A. Run the Restore-ADObject cmdlet.
B. Restore the system state to its original location.
C. Restore the system state to an alternate location.
D. Attach the VHD file created by Windows Server Backup.
Correct Answer: D
Section: Maintaining the Active Directory Environment
/Reference:
Windows Server Backup stores its images as VHD files, and we are told that the domain controllers are backed up with it nightly. Windows Server 2008 R2 can attach a VHD natively (Disk Management, or diskpart with attach vdisk), so the quickest way to recover a single file is to attach last night's VHD, read-only so the backup itself is not altered, and copy the previous version of the script out of the SYSVOL folder inside it. Restoring the system state would undo every other change to SYSVOL (and to the directory) made since the backup, not just the script, and is far slower. Scripts in SYSVOL are files in the replicated share, not objects in AD DS, so the Restore-ADObject cmdlet does not apply.

QUESTION 73

You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup feature is installed on the domain controller. You need to perform a non-authoritative restore of the domain controller by using an existing backup file.

A. Restart the domain controller in Directory Services Restore Mode. Use the wbadmin command to perform a critical volume restore.
B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-in to perform a critical volume restore.
C. Restart the domain controller in Safe Mode. Use the Windows Server Backup snap-in to perform a critical volume restore.
D. Restart the domain controller in Safe Mode. Use the wbadmin command to perform a critical volume restore.
Correct Answer: A
Section: Maintaining the Active Directory Environment
/Reference:
To perform a non-authoritative restore, you must first stop the AD DS service or restart the domain controller in Directory Services Restore Mode (DSRM), so that the directory database is not in use while the critical volumes are restored. DSRM is a variant of Safe Mode in which AD DS is not started; in ordinary Safe Mode the directory service still runs and holds ntds.dit open, so the volume cannot be restored. The documented procedure drives the restore from the DSRM command prompt with wbadmin (wbadmin start systemstaterecovery with the version of the backup to use, or a critical-volume recovery), which is why the wbadmin answer is expected rather than the Windows Server Backup snap-in. After the restart the restored replica simply catches up with its replication partners; nothing that was restored is marked authoritative.

QUESTION 74
Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains an OU for Computers, an OU for Groups, and an OU for Users. You perform nightly backups. An administrator deletes the Groups OU. You need to restore the Groups OU without affecting users and computers in the Sales OU.

A. Perform an authoritative restore of the Sales OU.
B. Perform an authoritative restore of the Groups OU.
C. Perform a non-authoritative restore of the Groups OU.
D. Perform a non-authoritative restore of the Sales OU.
Correct Answer: B
Section: Maintaining the Active Directory Environment
/Reference:
An authoritative restore (ntdsutil authoritative restore, restore subtree on the Groups OU's distinguished name) marks the restored Groups OU and everything under it with higher version numbers than the deletion, so the restored copy wins and replicates back out to the other domain controllers. A non-authoritative restore would bring the OU back only for it to be deleted again by replication, because the other domain controllers hold the newer revision of the database, which no longer has the OU. We do not want to restore the Sales OU, because that also contains the Computers and Users OUs, whose objects would be rolled back to the state in the backup.

QUESTION 75
Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllers named DC3 and DC4. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server. Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day. At 07:00, an administrator deletes a user account while he is logged on to DC1. You need to restore the deleted user account. You want to achieve this goal by using the minimum amount of administrative effort.

A. On DC1, run the Restore-ADObject cmdlet.
B. On DC3, run the Restore-ADObject cmdlet.
C. On DC1, stop Active Directory Domain Services, restore the System State, and then start Active Directory Domain Services.
D. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active Directory Domain Services.
Correct Answer: D
Section: Maintaining the Active Directory Environment
/Reference:
Authoritative restore of AD DS has the following requirements: (...) You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete.
Reference:
The point of the schedule is that the deletion made on DC1 at 07:00 will not reach Site2 before 20:00, so DC3 still holds the live user object. Marking that object authoritative on DC3 (ntdsutil authoritative restore, restore object) raises its version numbers, so when replication resumes it overwrites the deletion instead of being overwritten by it, and no backup has to be restored at all. Restoring the system state on DC1 (answer C) would work but takes far longer and rolls DC1 back to the backup. We cannot use Restore-ADObject, because Restore-ADObject is part of the Recycle Bin feature, and the Recycle Bin can only be used when the forest functional level is Windows Server 2008 R2.
Reference:

QUESTION 76
Your company has a main office and a branch office. The network contains a single Active Directory domain. The main office contains a domain controller named DC1. You need to install a domain controller in the branch office by using an offline copy of the Active Directory database. What should you do first?

A.
From the ntdsutil tool, create an IFM media set. B. From the command prompt, run djoin.exe /loadfile.

50 C. From Windows Server Backup, perform a system state backup. D. From Windows PowerShell, run the Get-ADDomainController cmdlet. Correct Answer: A Section: Maintaining the Active Directory Environment /Reference: : You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently. Reference: A system state backup would backup much more than the AD database and is not usable to install a new DC. djoin.exe /loadfile is used to help join a machine to the domain while it is offline or unavailable to contact a DC. The Get-ADDomainController cmdlet will retrieve DC objects into the PowerShell pipeline for manipulation, such as retrieving or outputting properties or sending to other cmdlets. But at best this manipulates the computer object in AD, and is not helpful for provisioning a new DC. QUESTION 77 Your network contains an Active Directory domain. The domain contains five domain controllers. A domain controller named DC1 has the DHCP role and the file server role installed. You need to move the Active Directory database on DC1 to an alternate location. The solution must minimize impact on the network during the database move. What should you do first? A. Restart DC1 in Safe Mode. B. Restart DC1 in Directory Services Restore Mode. C. Start DC1 from Windows PE. D. Stop the Active Directory Domain Services service on DC1. Correct Answer: D Section: Maintaining the Active Directory Environment /Reference: : The first step in moving the Active Directory database to another location is to first bring down Active Directory services on that computer, as it locks the ntds.dit file containing the Active Directory database. 
This was traditionally done only by rebooting the computer in DSRM, but this would not minimize impact on the network for DC1 as it also operates the DHCP and file server roles. Server 2008 added the ability to manage AD as a service, which only brings down AD and does not impact the DHCP and file server roles. Safe Mode does not provide access to directory services restoration and would not minimize impact to the network. The same applies to Windows PE.

QUESTION 78
Your company has a main office and a branch office. The network contains an Active Directory forest. The forest contains three domains. The branch office contains one domain controller named DC5. DC5 is configured as a global catalog server, a DHCP server, and a file server. You remove the global catalog from DC5. You need to reduce the size of the Active Directory database on DC5. The solution must minimize the impact on all users in the branch office. What should you do first?

A. Start DC5 in Safe Mode.
B. Start DC5 in Directory Services Restore Mode.
C. On DC5, start the Protected Storage service.
D. On DC5, stop the Active Directory Domain Services service.

Correct Answer: D
Section: Maintaining the Active Directory Environment

Explanation/Reference:
The first step in maintaining the Active Directory database (i.e., compacting it) is to bring down Active Directory services on that computer, as it locks the ntds.dit file containing the Active Directory database. This was traditionally done only by rebooting the computer in DSRM, but this would not minimize impact on users for DC5 as it also operates the DHCP and file server roles. Server 2008 added the ability to manage AD as a service, which only brings down AD and does not impact the DHCP and file server roles. Safe Mode does not provide access to directory services restoration and would not minimize impact to the network. Protected Storage provides applications with an interface to store user data that must be kept secure or free from modification. (MY NOTE: In other words, it is used for setting up data that is not going to be changed. It is not used for AD, and as the referenced article also points out, it was only for Server 2003 / XP.)
Reference:

QUESTION 79
A domain controller named DC12 runs critical services. Restructuring of the organizational unit hierarchy for the domain has been completed and unnecessary objects have been deleted. You need to perform an offline defragmentation of the Active Directory database on DC12. You also need to ensure that the critical services remain online.

A. Start the domain controller in the Directory Services Restore Mode. Run the Defrag utility.
B. Start the domain controller in the Directory Services Restore Mode. Run the Ntdsutil utility.
C. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Defrag utility.
D. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Ntdsutil utility.

Correct Answer: D
Section: Maintaining the Active Directory Environment

Explanation/Reference:
We can't use DSRM here because the scenario states that we "need to ensure that the critical services remain online." Since a new feature of Server 2008 is support for AD as a service, we just need to stop the service to work on AD without killing other critical services. Defrag is not designed for handling the AD database. Since AD is so critical, Microsoft designed its own utility for this (ntdsutil).
Reference:
There are a few variations of this question's wording, so pay attention in case the scenario is slightly different. The answer will remain the same, even if worded differently.

QUESTION 80
You need to receive an e-mail message whenever a domain user account is locked out. Which tool should you use?

A. Active Directory Administrative Center
B. Event Viewer
C. Resource Monitor
D. Security Configuration Wizard

Correct Answer: B
Section: Maintaining the Active Directory Environment

Explanation/Reference:
The Security log in Event Viewer lets us see when accounts are locked out or when they fail to acquire the rights to access an object in AD. In Server 2008 this has the added functionality of being able to attach tasks to certain events, whereby something like a notification could be configured when the event occurs. The Security Configuration Wizard is used to improve security on a computer by applying stricter policies for the services that are installed.
Reference:

QUESTION 81
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amount of available CPU resources on a domain controller.

A. Review performance data in Resource Monitor.
B. Review the Hardware Events log in the Event Viewer.
C. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.
D. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report.

Correct Answer: D
Section: Maintaining the Active Directory Environment

Explanation/Reference:
Active Directory Diagnostics: This data collector set is present only on domain controllers. It logs kernel trace data, Active Directory trace data, performance counters, and Active Directory registry configuration.
LAN Diagnostics: You can use this data collector set when troubleshooting complex network problems such as network time-outs, poor network performance, or virtual private network (VPN) connectivity problems. It logs network performance counters, network configuration data, and diagnostics tracing data.
Reference:
MY NOTE: LDAP is the protocol used with AD/LDS, so we should run the AD Diagnostics DCS. As per the screenshot below, it specifically reports LDAP statistics.
Reference:
Resource Monitor is a system application in Microsoft Windows operating systems. It is used to view information about the use of hardware (CPU, memory, disk, and network) and software (file handles and modules) resources in real time.
Reference:
(MY NOTE: Under the hood, Resource Monitor is combining Perfmon, Event Logs and Task Manager. Perfmon is where we can get data like the scenario asks for, but we would have to know what to look for and monitor.)
The Hardware Events log will show us what is going on with hardware changes in the system, and could give us a hint as to when CPU usage is high, but won't tell us anything fine-grained, such as which clients are using the CPU for LDAP only.

QUESTION 82
You add an Online Responder to an Online Responder Array. You need to ensure that the new Online Responder resolves synchronization conflicts for all members of the Array.

A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1.
B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32.
C. From the Online Responder Management Console, select the new Online Responder, and then select Set as Array Controller.
D. From the Online Responder Management Console, select the new Online Responder, and then select Synchronize Members with Array Controller.

Correct Answer: C
Section: Configuring Active Directory Certificate Services

Explanation/Reference:
The role of the Array controller is to help resolve synchronization conflicts and to apply updated revocation configuration information to all Array members. Synchronize Members with Array Controller will resynchronize the Online Responder's configuration data to all Array members. This is not the desired effect.
Reference:
Modifying the priority ID of the server in NLB determines its priority in handling "all of the cluster's network traffic that is not covered by a port rule." This could potentially keep the server from handling necessary forms of traffic, or ensure it handles more than is necessary.
Reference:

QUESTION 83
Your network contains a domain controller that runs Windows Server 2008 R2. You run the following command on the domain controller:

dsamain.exe -dbpath c:\$snap_ _volumec$\windows\ntds\ntds.dit -ldapport 389 -allownonadminaccess

The command fails. You need to ensure that the command completes successfully. How should you modify the command?

A. Include the path to Dsamain.
B. Change the value of the -dbpath parameter.
C. Change the value of the -ldapport parameter.
D. Remove the allownonadminaccess parameter.

Correct Answer: C
Section: Maintaining the Active Directory Environment

Explanation/Reference:
dsamain is used for working with offline snapshots of AD, and the path to the ntds.dit file here (c:\$SNAP_ (...)) clearly indicates this is what is being done. However, port 389 is used by the live (running) AD environment, so trying to connect to the snapshot using port 389 can cause problems. We need to specify a different port, one that will not possibly conflict with any other directory services.

QUESTION 84
Your network contains an Active Directory domain controller named DC1. DC1 runs Windows Server 2008 R2. You need to defragment the Active Directory database on DC1. The solution must minimize downtime on DC1. What should you do first?

A. At the command prompt, run net stop ntds.
B. At the command prompt, run net stop netlogon.
C. Restart DC1 in Safe Mode.
D. Restart DC1 in Directory Services Restore Mode (DSRM).

Correct Answer: A
Section: Maintaining the Active Directory Environment

Explanation/Reference:
To perform offline defragmentation of the directory database (...)
3. At the command prompt, type the following command, and then press ENTER: net stop ntds
4. At the command prompt, type ntdsutil, and then press ENTER.
5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
6. At the ntdsutil prompt, type files, and then press ENTER.
(...)
9. If defragmentation succeeds with no errors, follow the Ntdsutil.exe onscreen instructions to: (...)
c. Manually copy the compacted database file to the original location, as follows: copy <temporarydrive>:\ntds.dit <originaldrive>:\<pathtooriginaldatabasefile>\ntds.dit
(...)
14. Restart AD DS. At the command prompt, type the following command, and then press ENTER: net start ntds
Reference:

QUESTION 85
Your company uses an application that stores data in an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1. You attempt to create a snapshot of Instance1 as shown in the exhibit. (Click the Exhibit button.) You need to ensure that you can take a snapshot of Instance1.

Exhibit:

A. At the command prompt, run net start VSS.
B. At the command prompt, run net start Instance1.
C. Set the Start Type for the Instance1 service to Disabled.
D. Set the Start Type for the Volume Shadow Copy Service (VSS) to Manual.

Correct Answer: A
Section: Configuring Additional Active Directory Server Roles

Explanation/Reference:
How to fix the error "0x " in Windows 7? (...) Normally this error is related to backup and system restore. Check whether the Volume Shadow Copy Service and System Restore Service are started and set to Automatic:
1. Type Services.msc in the Start Menu search box, hit Enter.
2. Make sure that the Volume Shadow Copy Service is running and set to Automatic.
3. If the Status of System Restore Service is not Started, start it. Also set it to Automatic if it is not.
4. Restart your computer.
Reference:
We could also arrive at this solution by a process of elimination. We don't need to start Instance1 - it is already running. If it weren't, we'd get a different message ("AD service must be running in order to perform this operation"). We wouldn't disable the service for Instance1, as it is needed to access the instance so we can take a snapshot. Setting the Startup Type for the Volume Shadow Copy Service (VSS) to Manual would prevent it from running on demand when the snapshot operation is requested. This would prevent us from taking the snapshot! So the only option left is to start VSS (meaning whatever is supposed to automatically trigger it isn't working).

QUESTION 86
Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers. The servers are configured as shown in the following table. You need to ensure that users can manually enroll and renew their certificates by using the Certificate Enrollment Web Service. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Configure the policy module setting.
B. Configure the issuance requirements for the certificate templates.
C. Configure the Certificate Services Client - Certificate Enrollment Policy group policy setting.
D. Configure the delegation setting for the Certification Enrollment Web Service application pool account.

Correct Answer: BD
Section: Configuring Active Directory Certificate Services

Explanation/Reference:
If all of the following conditions are true, then you must configure delegation for the Web service account:
The certification authority (CA) and the Certificate Enrollment Web Service are installed on separate computers. (MY NOTE: This is the case with Server1 and Server2.)
The Web service authentication type is Windows integrated authentication or client certificate authentication.
The Web service is not configured for renewal-only mode.
Reference:
An issuance policy (also known as an enrollment or certificate policy) is a group of administrative rules that is implemented when issuing certificates. (MY NOTE: This is what controls the requirements for certificates before they can be issued from a template. If users are enrolling manually, we have to set this up so the server knows how to handle those requests and what info to look for before approving them.)
Reference:
The Certificate Services Client - Certificate Enrollment Policy setting is used when we want to configure group policy to work with the Certificate Enrollment Policy Web Service (in this case, on Server3). This would be used if we were trying to automate the enrollment and renewal of certificates, but the scenario indicates we want users to do this manually.
Reference:
Policy modules are programs that receive requests from the Certificate Services, evaluate those requests, and specify optional properties of the certificates that are built to fill these requests. (MY NOTE: We are not given any indication that a program is needed to evaluate the requests the users are making.)
Reference:

QUESTION 87
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 Standard. You need to install an enterprise subordinate certification authority (CA) that supports private key archival. You must achieve this goal by using the minimum amount of administrative effort. What should you do first?

A. Initialize the Trusted Platform Module (TPM).
B. Upgrade the member server to Windows Server 2008 R2 Standard.
C. Install the Certificate Enrollment Policy Web Service role service on the member server.
D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services - Certification Authority server role template check box.

Correct Answer: B
Section: Configuring Active Directory Certificate Services

Explanation/Reference:
Private key archival is a new feature for CAs in Server 2008 R2, which is why the server needs to be upgraded.
Reference:
WRONG ANSWERS
The Certificate Enrollment Policy Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to obtain certificate enrollment policy information. Together with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.
Reference:
The Security Configuration Wizard is used to improve security on a computer by applying stricter policies for the services that are installed.
Reference:
The Trusted Platform Module is used to manage microchips that handle basic security, such as key encryption.
Reference:

QUESTION 88
You need to compact an Active Directory database on a domain controller that runs Windows Server 2008 R2.

A. Run defrag.exe /a /c.
B. Run defrag.exe /c /u.
C. From ntdsutil, use the files option.
D. From ntdsutil, use the metadata cleanup option.

Correct Answer: C
Section: Maintaining the Active Directory Environment

Explanation/Reference:
Compacting the AD database is also known as an offline defragmentation. This is why MS is trying to trick us with references to the defrag.exe command.
To perform offline defragmentation of the directory database (...)
4. At the command prompt, type ntdsutil, and then press ENTER.
5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
6. At the ntdsutil prompt, type files, and then press ENTER.
(...)
Reference:
Metadata cleanup removes data from Active Directory that identifies a domain controller to the replication system. This procedure is required only for Active Directory domain controllers that were not successfully demoted using Dcpromo.
Reference:
defrag.exe /a /c: This command will try to analyze the fragmentation status of all volumes in the system.
defrag.exe /c /u: This command will try to defrag all volumes in the system and give us a progress indicator along the way.
Reference:

QUESTION 89
Your network contains an Active Directory forest. All client computers run Windows 7. The network contains a high-volume enterprise certification authority (CA). You need to minimize the amount of network bandwidth required to validate a certificate.

A. Modify the settings of the delta certificate revocation list (CRL).
B. Configure an Online Certificate Status Protocol (OCSP) responder.
C. Configure an LDAP publishing point for the certificate revocation list (CRL).
D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).

Correct Answer: B
Section: Configuring Active Directory Certificate Services

Explanation/Reference:
An OCSP responder does not need a full CRL but can still respond to and validate certificate status requests, so using it reduces the load on the enterprise CA. Changing settings for the delta CRL could reduce the amount of data transmitted with each CRL, but depending on the frequency with which it's published, could still generate high-volume traffic compared to OCSP. Using DFS does not reduce the amount of data that is being transmitted over the network.

QUESTION 90
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC) named RODC1. You need to view the most recent user accounts authenticated by RODC1. What should you do first?

A. From Active Directory Sites and Services, right-click the Connection object for DC1, and then click Replicate Now.
B. From Active Directory Sites and Services, right-click the Connection object for DC2, and then click Replicate Now.
C. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to DC1.
D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to RODC1.

Correct Answer: C
Section: Configuring Additional Active Directory Server Roles

Explanation/Reference:
We view user accounts in a domain using ADUC, not AD Sites and Services. As per TechNet, we must do this from a writeable DC, so we use our snap-in to connect to DC1 rather than RODC1.
To view authenticated accounts using Active Directory Users and Computers:
1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.
2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain.
(...)
Reference:

QUESTION 91
Your network contains a single Active Directory domain. The domain contains an enterprise certification authority (CA). You need to ensure that the encryption keys for certificates can be recovered from the CA database. You modify the certificate template to support key archival. What should you do next?

A. Run certreq.exe -policy
B. Run certutil.exe -recoverkey
C. Issue the key recovery agent certificate template
D. Modify the location of the Authority Information Access (AIA) distribution point

Correct Answer: C
Section: Configuring Active Directory Certificate Services

Explanation/Reference:
certutil.exe -recoverkey recovers archived keys, but the certificate template does not have key archival by default. So we need to create a recovery agent. However, this cannot be done until we issue the recovery agent template. The AIA extension specifies where to find up-to-date certificates for the CA.
Reference:
certreq.exe -policy: This command sets the policy for a request (...). If you type certreq -policy without any additional parameter, it will open a dialog window so you can select the requested file.
Reference:

QUESTION 92
You need to purge the list of user accounts that were authenticated on a read-only domain controller (RODC).

A. Run the dsrm.exe command and specify the -u parameter.
B. Run the repadmin.exe command and specify the /prp parameter.
C. From Active Directory Sites and Services, modify the properties of the RODC computer object.
D. From Active Directory Users and Computers, modify the properties of the RODC computer object.

Correct Answer: B
Section: Configuring Additional Active Directory Server Roles

Explanation/Reference:
In addition to reviewing the list of authenticated users, you may decide to periodically clean up the list of accounts that are authenticated to the RODC. Cleaning up this list may help you more easily determine the new accounts that have authenticated through the RODC. Membership in the Domain Admins group of the domain in which the RODC is a member, or equivalent, is the minimum required to complete this procedure. To clear all entries from the list, run the command repadmin /prp delete <hostname> auth2 /all. Substitute the actual host name of the RODC that you want to clear.
Reference:

QUESTION 93
Your network contains an Active Directory forest. The forest contains domain controllers that run Windows Server 2008 R2. The functional level of the forest is Windows Server. The functional level of the domain is Windows Server. From a domain controller, you need to perform an authoritative restore of an organizational unit (OU). What should you do first?

A. Restore the system state.
B. Raise the functional level of the forest.
C. Raise the functional level of the domain.
D. Modify the tombstone lifetime of the forest.

Correct Answer: A
Section: Maintaining the Active Directory Environment

Explanation/Reference:
To do an authoritative restore, we need to load a previous version of the AD database (from before the time that replication occurred). The AD database is included in the System State backup, so this should suffice. Since the DCs run R2, we could raise the functional level of the forest and/or domain if we wanted to use the AD Recycle Bin feature, but this cannot be used to restore objects deleted before the feature was implemented. The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a tombstone) is retained in Active Directory Domain Services (AD DS).
Reference:

QUESTION 94
As the Company administrator, you have installed a read-only domain controller (RODC) server at a remote location. The remote location doesn't provide enough physical security for the server. What should you do to allow administrative accounts to replicate authentication information to Read-Only Domain Controllers?

A. Remove any administrative accounts from the RODC's group
B. Add administrative accounts to the domain Allowed RODC Password Replication group
C. Set the Deny on Receive as permission for administrative accounts on the RODC computer account Security tab for the Group Policy Object (GPO)
D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link the GPO to the remote location. Activate the Read Allow and the Apply group policy Allow permissions for the administrators on the Security tab for the GPO.
E. None of the above

Correct Answer: B
Section: Configuring Additional Active Directory Server Roles

Explanation/Reference:
The Allowed RODC Password Replication group in AD contains the accounts of users whose passwords are allowed to replicate to RODCs.
QUESTION 95
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is configured as an Active Directory Federation Services (AD FS) 2.0 standalone server. You plan to add a new token-signing certificate to Server1. You import the certificate to the server as shown in the exhibit. (Click the Exhibit button.) When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable. You need to ensure that you can use the new certificate for AD FS.

Exhibit:

A. From the properties of the certificate, modify the Certificate Policy OIDs setting.
B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.
C. From the properties of the certificate, modify the Certificate purposes setting.
D. Import the certificate to the local computer Personal certificate store.

Correct Answer: D
Section: Configuring Additional Active Directory Server Roles

Explanation/Reference:
When you deploy the first federation server in a new AD FS 2.0 installation, you must obtain a token-signing certificate and install it in the local computer personal certificate store on that federation server.
Reference:

QUESTION 96
Your network contains a server that has the Active Directory Lightweight Directory Services (AD LDS) role installed. You need to perform an automated installation of an AD LDS instance. Which tool should you use?

A. dism.exe
B. servermanagercmd.exe
C. adaminstall.exe
D. ocsetup.exe

Correct Answer: C
Section: Configuring Additional Active Directory Server Roles

Explanation/Reference:
To perform an unattended install of an AD LDS instance:
1. Create a new text file by using any text editor.
2. Specify the installation parameters.
3. At a command prompt (or in a batch or script file), change to the drive and directory that contains the AD LDS setup files.
4. At the command prompt, type the following command, and then press ENTER: %systemroot%\adam\adaminstall.exe /answer:drive:\<pathname>\<filename>.txt
Reference:
servermanagercmd.exe, dism.exe and ocsetup.exe are all executables that can be used to manage the roles, features and services of Windows installations. They could be used to kick off the AD LDS installation wizard, but this would not be the unattended (automated) install the scenario asks for.

QUESTION 97
Your network contains an Active Directory domain. The domain contains an enterprise certification authority (CA). You need to ensure that only members of a group named Admin1 can create certificate templates. Which tool should you use to assign permissions to Admin1?

A. the Certification Authority console
B. Active Directory Users and Computers
C. the Certificates snap-in
D. Active Directory Sites and Services

Correct Answer: D
Section: Configuring Active Directory Certificate Services

Explanation/Reference:
We need to use Active Directory Sites and Services to assign permissions to create certificate templates to global or universal groups. You can delegate the permission to create new templates by assigning permissions to a custom universal group for the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container.
1. Log on as a member of the Enterprise Admins group or the forest root domain Domain Admins group.
2. Open the Active Directory Sites And Services console.
3. From the View menu, ensure that the Show Services Node setting is enabled.
4. In the console tree, expand Services, expand Public Key Services, and then click Certificate Templates.
5. In the console tree, right-click Certificate Templates, and then click Delegate Control.
6. In the Delegation Of Control wizard, click Next.
7. On the Users Or Groups page, click Add.
8. In the Select Users, Computers, Or Groups dialog box, type a user or group name, and then click OK.
9. On the Users Or Groups page, click Next.
10. On the Tasks To Delegate page, click Create A Custom Task To Delegate, and then click Next.
11. On the Active Directory Object Type page, click This Folder, Existing Objects In This Folder, and Creation Of New Objects In This Folder, and then click Next.
12. On the Permissions page, in the Permissions list, enable Full Control, and then click Next.
13. On the Completing The Delegation Of Control wizard page, click Finish.
Reference: Windows Server PKI and Certificate Security (Microsoft Press, 2008), page 298

QUESTION 98
Your network contains an Active Directory forest named adatum.com. You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster. What should you install before you create the AD RMS root cluster?

A. The Failover Cluster feature
B. The Active Directory Certificate Services (AD CS) role
C. Microsoft Exchange Server 2010
D. Microsoft SharePoint Server 2010
E. Microsoft SQL Server 2008

Correct Answer: E
Section: Configuring Additional Active Directory Server Roles

Explanation/Reference:
In addition to pre-installation requirements for AD RMS, we strongly recommend the following: Install the database server that is used to host the AD RMS databases on a separate computer.
Reference:
The RMS root cluster itself issues the certificates for RMS, so we don't need AD CS. An AD RMS root certification and licensing server running Windows Server 2008: This server has the AD RMS role installed and is used as the root of the AD RMS hierarchy. In most scenarios, this server issues client licensor certificates, issuance licenses, and end-user licenses.
Reference:
None of the other programs are requirements for implementing AD RMS.

QUESTION 99
Your network contains an Active Directory domain named contoso.com. The network has a branch office site that contains a read-only domain controller (RODC) named RODC1. RODC1 runs Windows Server 2008 R2.
A user logs on to a computer in the branch office site. You discover that the user's password is not stored on RODC1. You need to ensure that the user's password is stored on RODC1 when he logs on to a branch office site computer.
A. Modify the RODC's password replication policy by removing the entry for the Allowed RODC Password Replication Group.
B. Modify the RODC's password replication policy by adding RODC1's computer account to the list of allowed users, groups, and computers.
C. Add the user's user account to the built-in Allowed RODC Password Replication Group on RODC1.
D. Add RODC1's computer account to the built-in Allowed RODC Password Replication Group on RODC1.

Correct Answer: C
Section: Configuring Additional Active Directory Server Roles

/Reference:
To facilitate the management of PRP, Windows Server 2008 R2 creates two domain local security groups in the Users container of Active Directory. The first group, Allowed RODC Password Replication Group, is added to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new RODC will not cache any user's credentials. If you have users whose credentials you want to be cached by all domain RODCs, add those users to the Allowed RODC Password Replication Group.
Reference: MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) pages

QUESTION 100
ABC.com has an Active Directory forest on a single domain. The domain operates Windows Server. A new administrator accidentally deletes the entire organizational unit in the Active Directory database that hosts 6,000 objects. You have backed up the system state data using third-party backup software. To restore the backup, you start the domain controller in Directory Services Restore Mode (DSRM). You need to perform an authoritative restore of the organizational unit and restore the domain controller to its original state. Which three actions should you perform?
Build List and Reorder:
Correct Answer:

Section: Maintaining the Active Directory Environment

/Reference:
If you are performing authoritative restore on a domain controller that has already received replication of the deletions, perform the following procedures on the recovery domain controller:
(...)
2. (...) Restore from backup requires restarting the domain controller in DSRM. Taking the domain controller offline by stopping AD DS is not sufficient to run Ntdsutil procedures to restore from backup.
3. Restore AD DS from Backup (Nonauthoritative Restore)
4. Mark an Object or Objects as Authoritative (...) (MY NOTE: See 2nd article below where we are explicitly told this requires ntdsutil)
5. Restart the domain controller normally. (MY NOTE: Obviously restarting in Safe Mode won't help us much! The DC would not be able to synchronize!)
Reference:

You can use this procedure to mark Active Directory objects as authoritative when you perform an authoritative restore. In this procedure, you use the ntdsutil command to select objects that are to be marked authoritative when they replicate to other domain controllers.
Reference:

QUESTION 101
Your company plans to open a new branch office. The new office will have a low-speed connection to the Internet. You plan to deploy a read-only domain controller (RODC) in the branch office. You need to create an offline copy of the Active Directory database that can be used to install Active Directory on the new RODC. Which commands should you run from Ntdsutil? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Build List and Reorder:
Correct Answer:

Section: Maintaining the Active Directory Environment

/Reference:
Installing AD DS from Media
You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently.
To create installation media
1. Click Start, right-click Command Prompt, and then click Run as administrator to open an elevated command prompt.
2. At the command prompt, type the following command, and then press ENTER:
   ntdsutil
3. At the ntdsutil prompt, type the following command, and then press ENTER:
   activate instance ntds
4. At the ntdsutil prompt, type the following command, and then press ENTER:
   ifm
5. At the ifm: prompt, type the command for the type of installation media that you want to create (as listed in the table earlier in this topic), and then press ENTER. For example, to create RODC installation media, type the following command, and then press ENTER:
   create rodc C:\InstallationMedia
   where C:\InstallationMedia is the path to the folder where you want the installation media to be created. You can save the installation media to a network shared folder or to any other type of removable media.
Reference:

QUESTION 102
Your network contains an Active Directory domain named contoso.com. The Administrator deletes an OU named OU1 accidentally. You need to restore OU1. Which cmdlet should you use?
A. Get-ADObject cmdlet.
B. Get-ADOrganizationalUnit cmdlet.
C. Get-ADUser cmdlet.
D. Get-ADGroup cmdlet.

Correct Answer: A
Section: Maintaining the Active Directory Environment

/Reference:
You can also restore a deleted Active Directory object by using the Get-ADObject and Restore-ADObject Active Directory module for Windows PowerShell cmdlets. The recommended approach is to use the Get-ADObject cmdlet to retrieve the deleted object and then pass that object through the pipeline to the Restore-ADObject cmdlet.
Reference:

The other cmdlets are used to search for or retrieve the respective objects into the pipeline, so they can be manipulated. However, they will only retrieve certain properties of the objects. The Get-ADObject cmdlet, as its name implies, grabs the entire object (including all properties!) from the directory.

QUESTION 103
Your network contains two Active Directory forests named contoso.com and adatum.com. Active Directory Rights Management Services (AD RMS) is deployed in contoso.com. An AD RMS trusted user domain (TUD) exists between contoso.com and adatum.com. From the AD RMS logs, you discover that some clients that have IP addresses in the adatum.com forest are authenticating as users from contoso.com. You need to prevent users from impersonating contoso.com users.
A. Configure trusted domains.
B. Enable lockbox exclusion in AD RMS.
C. Create a forest trust between adatum.com and contoso.com.
D. Add a certificate from a third-party trusted certification authority (CA).

Correct Answer: A
Section: Configuring Additional Active Directory Server Roles

/Reference:
For each trusted user domain, you must specify which domains are trusted. It is an important security step to configure domains, otherwise it may be possible for a user from a trusted user domain to impersonate an internal user.
Reference:

A forest trust would have been needed to set up the RMS environment in the first place.
If you have enabled exclusion based on lockbox version, clients that are using a version of the lockbox software that is earlier than the specified version cannot acquire rights account certificates or use licenses because their requests will be denied.
Reference:

QUESTION 104
Active Directory Rights Management Services (AD RMS) is deployed on your network. You need to configure AD RMS to use Kerberos authentication. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Register a service principal name (SPN) for AD RMS.
B. Register a service connection point (SCP) for AD RMS.
C. Configure the identity setting of the _DRMSAppPool1 application pool.
D. Configure the useapppoolcredentials attribute in the Internet Information Services (IIS) metabase.

Correct Answer: AD
Section: Configuring Additional Active Directory Server Roles

/Reference:
If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures:
Set the Internet Information Services (IIS) useapppoolcredentials variable to True
Set the Service Principal Names (SPN) value for the AD RMS service account
Reference:

The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object in Active Directory that holds the web address of the AD RMS certification cluster.
Reference:

The RMS Web services run within the context of an IIS application pool (...) the application pool for the Web site you provision is called "_DRMSAppPool1."
Reference:

QUESTION 105
Your network contains a single Active Directory domain. Active Directory Rights Management Services (AD RMS) is deployed on the network. A user named User1 is a member of only the AD RMS Enterprise Administrators group. You need to ensure that User1 can change the service connection point (SCP) for the AD RMS installation. The solution must minimize the administrative rights of User1. To which group should you add User1?
A. AD RMS Auditors
B. AD RMS Service Group
C. Domain Admins
D. Schema Admins

Correct Answer: C
Section: Configuring Additional Active Directory Server Roles

/Reference:
To register the SCP you must be a member of the local AD RMS Enterprise Administrators group and the Active Directory Domain Services (AD DS) Enterprise Admins group, or you must have been given the appropriate authority.
Reference:

MY NOTE: Based on this article, I would think this should be Enterprise Admins, but that's not a choice. So we have to use elimination. Per the article below, neither of the "AD RMS" groups provides the feature we need, and Schema Admins is only needed for updating the schema (which would be done when RMS is first deployed). That leaves us with the Domain Admins group.

AD RMS Auditors: Members of this group can only access the reports feature in the AD RMS console.
(...)
There is also the AD RMS Service Group. Members of this group act as the AD RMS service account. During the installation of AD RMS, the user account designated as the service account is automatically added to this group.
Reference:

QUESTION 106
Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in each forest. You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest.
A. Create an external trust from nwtraders.com to contoso.com.
B. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.
C. Create an external trust from contoso.com to nwtraders.com.
D. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.

Correct Answer: D
Section: Configuring Additional Active Directory Server Roles

/Reference:
It is not necessary to create trust or federation relationships between the Active Directory forests of organizations to be able to share rights-protected information (MY NOTE: This is why we don't need to create an external trust) between separate organizations. AD RMS provides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust. (MY NOTE: We add a TUD to the contoso.com cluster because it is hosting the content - it needs to be able to trust users from nwtraders.com)
Reference:

QUESTION 107
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller. What tool should you use?
A. dsmod
B. ntdsutil
C. Local Users and Groups snap-in
D. Active Directory Users and Computers snap-in

Correct Answer: B
Section: Maintaining the Active Directory Environment

/Reference:

The ntdsutil command is used for configuring and managing directory services. The official procedure for resetting the DSRM password is as follows:
   ntdsutil
   set dsrm password
   reset password on server null
The DSRM password is not associated with a user account, so we would not use Local Users and Groups or Active Directory Users and Computers. Similarly, dsmod allows us to edit objects in AD, not manage directory service properties and configuration.

QUESTION 108
Your network contains an Active Directory domain named contoso.com. You need to identify whether the Active Directory Recycle Bin is enabled.
A. From Ldp, search for the LostAndFound container.
B. From Ldp, search for the Reanimate-Tombstones object.
C. From Windows PowerShell, run the Get-ADObject cmdlet.
D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet.

Correct Answer: D
Section: Maintaining the Active Directory Environment

/Reference:
Q. How do I enable the Active Directory (AD) Recycle Bin?
A. Once you've raised the forest level to Windows Server 2008 R2, you need to use the Enable-ADOptionalFeature cmdlet to enable the Recycle Bin for the forest. (...) You can check if the Recycle Bin is enabled by viewing the AD Optional features:
   PS C:\> Get-ADOptionalFeature -filter {name -like "*"}
Reference:

WRONG ANSWERS
Get-ADObject allows us to bring AD objects into PowerShell's pipe so we can manipulate them. We must specifically use this to restore objects from the Recycle Bin, but the scenario asks us how to identify if the Recycle Bin is even enabled.
The LostAndFound container holds objects with conflicting states, before replication occurs. "In some cases, an administrator might create or move an object into a container on one domain controller and another administrator might delete that same container on a different domain controller before the object is replicated. In such cases, the object is added to the LostAndFound container for the domain."
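The two checks from QUESTION 108 and QUESTION 102 put together as an added PowerShell example (this is not code from the dump or from Microsoft's documentation): confirm the Recycle Bin is enabled with Get-ADOptionalFeature, then bring OU1 and the objects that were inside it back with Get-ADObject and Restore-ADObject, parent first. It assumes the ActiveDirectory module (RSAT), a domain named contoso.com, and that the deleted OU lived directly under the domain root; the names are placeholders taken from the questions.

```powershell
# Added example, not part of the original dump. Checks whether the AD Recycle Bin
# is enabled (QUESTION 108) and then restores a deleted OU together with
# everything that was inside it (QUESTION 102).
# Assumptions: the ActiveDirectory module (RSAT) is installed, the domain is
# contoso.com, and the deleted OU was OU=OU1,DC=contoso,DC=com. Run as Domain Admin.
Import-Module ActiveDirectory

function Test-RecycleBinEnabled {
    # The feature object exists once the forest level is 2008 R2, but EnabledScopes
    # stays empty until Enable-ADOptionalFeature (QUESTION 113) has been run.
    $feature = Get-ADOptionalFeature -Filter { Name -like 'Recycle Bin Feature' }
    return [bool]($feature -and $feature.EnabledScopes.Count -gt 0)
}

function Restore-DeletedSubtree {
    # Restores every deleted object whose lastKnownParent is $ParentDeletedDn, then
    # recurses, so nested OUs, groups and users come back in parent-first order.
    param([Parameter(Mandatory)][string]$ParentDeletedDn)

    $children = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent `
        -Filter { isDeleted -eq $true -and lastKnownParent -eq $ParentDeletedDn }
    foreach ($child in $children) {
        # Capture the deleted DN first: Restore-ADObject moves the object back to
        # its original DN, while its own children still point at the deleted one.
        $childDeletedDn = $child.DistinguishedName
        Restore-ADObject -Identity $child.ObjectGUID
        Restore-DeletedSubtree -ParentDeletedDn $childDeletedDn
    }
}

$domainDn = (Get-ADDomain -Identity 'contoso.com').DistinguishedName

if (-not (Test-RecycleBinEnabled)) {
    # Without the Recycle Bin the OU is only a tombstone with most attributes
    # stripped; enabling the feature now does not bring those attributes back.
    throw ('AD Recycle Bin is not enabled: OU1 needs an authoritative restore from ' +
           'backup (QUESTION 100). Enable the feature for future deletions.')
}

# Deleted objects are invisible unless -IncludeDeletedObjects is given. Their DN is
# mangled on deletion, so match on the preserved original name and parent instead.
$deletedOu = @(Get-ADObject -IncludeDeletedObjects -Properties 'msDS-LastKnownRDN', 'lastKnownParent' `
    -LDAPFilter "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=OU1)(lastKnownParent=$domainDn))")

if ($deletedOu.Count -ne 1) {
    throw "Expected exactly one deleted OU1 under $domainDn, found $($deletedOu.Count); pick one by ObjectGUID."
}

# Parent first: the children's lastKnownParent is the OU's *deleted* DN
# (OU=OU1\0ADEL:<guid>,CN=Deleted Objects,...), so record it before restoring.
$ouDeletedDn = $deletedOu[0].DistinguishedName
Restore-ADObject -Identity $deletedOu[0].ObjectGUID
Restore-DeletedSubtree -ParentDeletedDn $ouDeletedDn

# Verify the OU is back at its original location with its contents.
Get-ADObject -Filter * -SearchBase "OU=OU1,$domainDn" | Select-Object Name, ObjectClass
```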
Reference:

QUESTION 109
Your company has a domain controller server that runs the Windows Server 2008 R2 operating system. The server is a backup server. The server has a single 500-GB hard disk that has three partitions for the operating system, applications, and data. You perform daily backups of the server. The hard disk fails. You replace the hard disk with a new hard disk of the same capacity. You restart the computer on the installation media. You select the Repair your computer option. You need to restore the operating system and all files.
A. Select the System Image Recovery option.
B. Run the imagex utility at the command prompt.
C. Run the wbadmin utility at the command prompt.
D. Run the rollback utility at the command prompt.

Correct Answer: C
Section: Maintaining the Active Directory Environment

/Reference:
We have to use wbadmin here because we have been taking backups of the server daily (implicitly by using Windows Server Backup). System Image Recovery will overwrite a hard drive with a previously created system image, which would give us both OS and files, but we are not told that a system image was ever created. Even then, creating system images is something that is not often done regularly or nightly.
Rollback is a developer's tool. It was designed to purge the registry of any information added since the GUI phase of installation (MY NOTE: This means it wipes your registry back to a clean install of Windows - this is destructive, and will not give us the OS+files from before the hdd failure)
Reference: WindowsNTGotchaRollback.exe.html
imagex is for mounting VHDs used in a deployment system.
Reference:

QUESTION 110
Your network contains an Active Directory domain named Contoso.com. Contoso.com contains an enterprise certification authority (CA) named CA1. You enable Secure Socket Tunneling Protocol (SSTP) on a server named Server1. A user named User1 attempts to establish an SSTP connection to Server1 and receives the following error message: "Error 0x : The revocation function was unable to check revocation because the revocation server was offline." You verify that all certificate services are online. You need to ensure that User1 can connect to Server1 by using SSTP. What should you do first?
A. Configure User1 for certificate auto enrollment.
B. Configure a pre-shared key for IPSec on User1's computer.
C. Add a certificate to Server1 that contains Server1.contoso.com as a Subject Alternative Name (SAN).
D. Publish the certificate revocation list distribution point (CDP) to a location that is accessible from the Internet.

Correct Answer: D
Section: Configuring Active Directory Certificate Services

/Reference:
1: Symptom 6: Client tries to connect to SSTP VPN server and it fails to connect giving error message 0x
Troubleshooting steps: This will happen if the client is failing the certificate revocation check of the SSL certificate obtained from the server side. Ensure the CRL check servers on the server side are exposed on the Internet. This is because the CRL check is done on the client side during the SSL connection establishment phase and the CRL check query will go directly over the Internet.
Reference:

2: If all certificate services are indeed online locally, our problem must be that User1's computer can't access them from his Internet connection. We can remedy this by specifying an appropriate CDP that is accessible from the Internet. The CDP extension specifies where to find up-to-date CRLs that are signed by the CA.
Reference:

WRONG ANSWERS
IPSec with SSL VPN is an alternative solution to SSTP, so certainly we don't need to configure anything for IPSec.
Reference: Protocol.html
Autoenrollment is not likely to be used over a tunnel, and the error message does not indicate a problem with enrollment.
A new feature in digital certificates is the Subject Alternative Name property. This allows you to have a certificate for more than one URI (i.e. and in the same certificate). It also means that in web servers such as IIS you can bind this certificate to the site and use up only one IP address.
Reference:

SIDE NOTE: This question may also come up with a different error message, such as "Error 0xBC (...) Access not CRL Server". The answer is still the same.

QUESTION 111
Your network contains an Active Directory domain. You create and mount an Active Directory snapshot. You run dsamain.exe as shown in the exhibit. (Click the Exhibit button.) You need to ensure that you can browse the contents of the Active Directory snapshot. What should you do?

Exhibit:
A. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe.
B. Change the value of the dbpath parameter, and then rerun dsamain.exe.
C. Change the value of the ldapport parameter, and then rerun dsamain.exe.
D. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe.

Correct Answer: B
Section: Maintaining the Active Directory Environment

/Reference:
The error message says that the file is already in use. This makes sense, as in the exhibit, dbpath points to C:\Windows\NTDS\ntds.dit, the location of a running Active Directory database. We need to run this command against the snapshot, which would be stored in another path.
Reference:

If we stopped AD DS, we might be able to run our command, but we'd be doing so against the live AD database, not the snapshot! The ldapport parameter is fine, as it is configured for a port higher than and will not conflict with AD. Our error doesn't indicate a problem with VSS, so we do not need to restart it.

QUESTION 112
Your network contains an Active Directory domain. You need to activate the Active Directory Recycle Bin in the domain. Which tool should you use?
A. Dsamain
B. Set-ADDomain
C. Add-WindowsFeature
D. Ldp

Correct Answer: D
Section: Maintaining the Active Directory Environment

/Reference:
After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods:
Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)
Ldp.exe
Reference:

QUESTION 113
Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2. The forest contains a single domain. You need to ensure that objects can be restored from the Active Directory Recycle Bin. Which tool should you use?
A. Ntdsutil
B. Set-ADDomain
C. Dsamain
D. Enable-ADOptionalFeature

Correct Answer: D
Section: Maintaining the Active Directory Environment

/Reference:
After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods:
Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)
Ldp.exe
Reference:

QUESTION 114
Your company has a main office and a branch office. You deploy a read-only domain controller (RODC) that runs Microsoft Windows Server 2008 to the branch office. You need to ensure that users at the branch office are able to log on to the domain by using the RODC.
A. Add another RODC to the branch office.
B. Configure a new bridgehead server in the main office.
C. Decrease the replication interval for all connection objects by using the Active Directory Sites and Services console.
D. Configure the Password Replication Policy on the RODC.

Correct Answer: D
Section: Configuring Additional Active Directory Server Roles

/Reference:
To allow individual RODCs to cache user and computer credentials in specific locations, configure the Allowed and Denied Lists on the Password Replication Policy tab for the properties of each individual RODC account in the Domain Controllers OU.
Reference:

We wouldn't add another RODC, as users aren't even able to log on to the first one yet! It is not necessary to have more than one RODC at a branch office. We wouldn't change the replication interval, as we have no reason to suspect that replication is not happening or is out of date.
A bridgehead server is a domain controller (DC) that functions as the primary route of Active Directory (AD) replication data moving into and out of sites.
Reference:

QUESTION 115
Your company has a main office and a branch office that are configured as a single Active Directory forest. The functional level of the Active Directory forest is Windows Server. There are four Windows Server 2003 domain controllers in the main office. You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch office. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Raise the functional level of the forest to Windows Server
B. Deploy a Windows Server 2008 domain controller at the main office.
C. Raise the functional level of the domain to Windows Server
D. Run the adprep /rodcprep command.

Correct Answer: BD
Section: Configuring Additional Active Directory Server Roles

/Reference:
Complete the following prerequisites before you deploy a read-only domain controller (RODC):
Ensure that the forest functional level is Windows Server 2003 or higher (MY NOTE: The scenario specifies we are at the 2003 level so nothing needs to be done with functional levels)
Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008 or Windows Server 2008 R2 (...)

1. Prepare the forest and domains. There are three adprep commands to complete and have the changes replicate throughout the forest. Run the three commands as follows:
*) Prepare the forest by running adprep /forestprep on the server that holds the schema master operations master (also known as flexible single master operations or FSMO) role to update the schema. (...)
*) Prepare the domain by running adprep /domainprep /gpprep on the server that holds the infrastructure operations master role. (...)
*) If you are installing an RODC in an existing Windows Server 2003 domain, you must also run adprep /rodcprep. (...)
Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the same domain as the RODC (...)
Reference:

QUESTION 116
One of the remote branch offices is running a Windows Server 2008 read-only domain controller (RODC). For security reasons you don't want some critical credentials (passwords, encryption keys) to be stored on the RODC. What should you do so that these credentials are not replicated to any RODCs in the forest? (Each correct answer presents part of the solution. Choose two.)
A. Configure RODC filtered attribute set on the server
B. Configure RODC filtered set on the server that holds Schema Operations Master role.
C. Delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain
D. Configure forest functional level server for Windows server 2008 to configure filtered attribute set.
E. None of the above

Correct Answer: BD
Section: Configuring Additional Active Directory Server Roles

/Reference:
The RODC filtered attribute set is a dynamic set of attributes that is not replicated to any RODCs in the forest. You can configure the RODC filtered attribute set on a schema master that runs Windows Server (...) Therefore, as a security precaution, ensure that the forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set.
Reference:

We can restrict administrative permissions for an RODC, but this will only control who is allowed to manage the server. Critical credential information will still be replicated.

QUESTION 117
ABC.com has a main office and a branch office. ABC.com's network consists of a single Active Directory forest. Some of the servers in the network run Windows Server 2008 and the rest run Windows Server. You are the administrator at ABC.com. You have installed Active Directory Domain Services (AD DS) on a computer that runs Windows Server. The branch office is located in a physically insecure place. It has no IT personnel onsite and there are no administrators there. You need to set up a Read-Only Domain Controller (RODC) on the Server Core installation computer in the branch office. What should you do to set up the RODC on the computer in the branch office?
A. Execute an attended installation of AD DS
B. Execute an unattended installation of AD DS
C. Execute RODC through AD DS
D. Execute AD DS by using deploying the image of AD DS
E. none of the above

Correct Answer: B
Section: Configuring Additional Active Directory Server Roles

/Reference:
To install an RODC on a Server Core installation of Windows Server 2008, you must perform an unattended installation of AD DS.
Reference:

QUESTION 118
You are an administrator at ABC.com. The company has an RODC (read-only domain controller) server at a remote location. The remote location doesn't have proper physical security. You need to activate non-administrative accounts' passwords on that RODC server. Which of the following actions should be considered to populate the RODC server with non-administrative accounts' passwords?
A. Delete all administrative accounts from the RODC's group
B. Configure the permission to Deny on Receive As for administrative accounts on the security tab for Group Policy Object (GPO)
C. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied group
D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators.
E. None of the above

Correct Answer: C
Section: Configuring Additional Active Directory Server Roles

/Reference:
If we want only non-administrative users to have passwords populated on the RODC, we basically would want to deny replication to administrative accounts. We would have a limited number of administrative accounts, so it would be easy to simply deny replication to them. We don't want to delete administrative accounts from the RODC's group; this would keep us from being able to administer the RODC. Adding a new GPO with Account Lockout settings would help us control how account lockouts are handled on the RODC but does not help us populate passwords. The "Receive As" permission is related to Exchange Servers.
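The Password Replication Policy points of QUESTIONS 114, 118, 119 and 121, and the repadmin step of QUESTION 120, as one added PowerShell example (this is not code from the dump or from Microsoft's documentation). It assumes the ActiveDirectory module (RSAT), an RODC named RODC1, a writable DC named DC1, a per-site group Branch1-Users and a user User1; all of these names are placeholders, and repadmin.exe is assumed to be present on the box where the script runs.

```powershell
# Added example, not part of the original dump. Manages a branch-office RODC's
# Password Replication Policy (QUESTIONS 114, 118, 119, 121) and pushes a freshly
# reset password to that RODC only (QUESTION 120).
# Assumptions: the ActiveDirectory module (RSAT) is installed; RODC1, DC1,
# Branch1-Users and User1 are placeholder names, not objects from the dump;
# repadmin.exe is present (it ships with AD DS and RSAT). Run as a Domain Admin.
Import-Module ActiveDirectory

$rodc     = 'RODC1'   # the branch RODC computer account
$sourceDc = 'DC1'     # a writable DC in the hub site

# Cache only this site's users: put them in a per-site group and allow that group
# on this RODC alone, so the other branches' RODCs never hold their secrets.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch1-Users'

# Keep privileged accounts off the RODC. A Denied entry wins over any Allowed
# entry, so an admin who also sits in Branch1-Users is still never cached.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -DeniedList 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# Review the effective policy for this RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

function Get-ExposedAccounts {
    # Accounts whose secrets this RODC has actually cached (not merely allowed).
    # If the RODC is stolen or tampered with, every one of these needs a reset.
    param([Parameter(Mandatory)][string]$Rodc)
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Select-Object Name, ObjectClass, DistinguishedName
}
Get-ExposedAccounts -Rodc $rodc | Format-Table -AutoSize

# QUESTION 120: reset User1 on a writable DC, then replicate just that password to
# the RODC. repadmin /rodcpwdrepl <RODC list> <source DC> <user DN ...> copies the
# listed users' secrets only; no other objects cross the slow WAN link.
$user1 = Get-ADUser -Identity 'User1' -Server $sourceDc
$newPassword = Read-Host -AsSecureString -Prompt 'New password for User1'
Set-ADAccountPassword -Identity $user1 -Reset -NewPassword $newPassword -Server $sourceDc
Set-ADUser -Identity $user1 -ChangePasswordAtLogon $true -Server $sourceDc
repadmin /rodcpwdrepl $rodc $sourceDc $user1.DistinguishedName
```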

QUESTION 119
ABC.com boasts a main office and 20 branch offices. Configured as a separate site, each branch office has a Read-Only Domain Controller (RODC) server installed. Users in remote offices complain that they are unable to log on to their accounts. What should you do to make sure that the cached credentials for user accounts are only stored in their local branch office RODC server?
A. Open the RODC computer account security tab and set Allow on Receive As permission only for the users that are unable to log on to their accounts
B. Add a Password Replication Policy to the main domain RODC and add user accounts in the security group
C. Configure a unique security group for each branch office and add user accounts to the respective security group. Add the security groups to the password replication Allowed group on the main RODC server
D. Configure and add a separate Password Replication Policy on each RODC computer account
Correct Answer: D
Section: Configuring Additional Active Directory Server Roles
/Reference:
The scenario basically says we have multiple sites, each with its own RODC, but we want each RODC to cache accounts only for its local site. Cached credentials are configured by assigning accounts to the groups on the Password Replication Policy tab of each RODC computer account in ADUC. So the simplest way to do what we need is to configure each RODC's Password Replication Policy to cache accounts only for users at that local site. Configuring a unique group for each office would be a possible way to start, but this answer goes on to suggest adding those groups to the PRP on the main RODC server. This would cache every branch office user at the main office, not on their individual branch office only. Similarly, adding a PRP to the main office's RODC with the user accounts would suffer the same fault. The "Receive As" permission is related to Exchange Servers.

QUESTION 120
Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2 connect to each other by using a slow WAN link. You discover that the cached password for a user named User1 is compromised on the RODC. On a domain controller in Site1, you change the password for User1. You need to replicate the new password for User1 to the RODC immediately. The solution must not replicate other objects to the RODC. Which tool should you use?
A. Active Directory Sites and Services
B. Active Directory Users and Computers
C. Repadmin
D. Replmon
Correct Answer: C
Section: Configuring Additional Active Directory Server Roles

/Reference:
repadmin /rodcpwdrepl
Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain controllers (RODCs).
Reference:

QUESTION 121
Your network contains an Active Directory forest. The forest contains an Active Directory site for a remote office. The remote site contains a read-only domain controller (RODC). You need to configure the RODC to store only the passwords of users in the remote site.
A. Create a Password Settings object (PSO).
B. Modify the Partial-Attribute-Set attribute of the forest.
C. Add the user accounts of the remote site users to the Allowed RODC Password Replication Group.
D. Add the user accounts of users who are not in the remote site to the Denied RODC Password Replication Group.
Correct Answer: C
Section: Configuring Additional Active Directory Server Roles
/Reference:
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group. These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy.
Reference:

QUESTION 122
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writable domain controller named DC1 and a read-only domain controller (RODC) named DC2. All domain controllers run Windows Server 2008 R2. You need to install a new writable domain controller named DC3 in a remote site. The solution must minimize the amount of replication traffic that occurs during the installation of Active Directory Domain Services (AD DS) on DC3. What should you do first?
A. Run dcpromo.exe /createdcaccount on DC3.
B. Run ntdsutil.exe on DC2.
C. Run dcpromo.exe /adv on DC3.
D. Run ntdsutil.exe on DC1.
Correct Answer: D
Section: Maintaining the Active Directory Environment
/Reference:
We can run dcpromo.exe /adv on DC3 to install a new writable DC using the Install From Media (IFM) option to reduce replication traffic. But before we can do that, we have to create the installation media first. This is done with ntdsutil. It must be done on DC1 rather than DC2, because DC2 is an RODC.
"You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently." (...) "You must use writeable domain controller installation media to install a writeable domain controller. You can create writeable domain controller installation media only on a writeable domain controller."
Reference:

QUESTION 123
Your network contains an Active Directory domain. The domain contains several domain controllers. You need to modify the Password Replication Policy on a read-only domain controller (RODC). Which tool should you use?
A. Group Policy Management
B. Active Directory Domains and Trusts
C. Active Directory Users and Computers
D. Computer Management
E. Security Configuration Wizard
Correct Answer: C
Section: Configuring Additional Active Directory Server Roles
/Reference:
To configure the PRP using Active Directory Users and Computers
1. Open Active Directory Users and Computers as a member of the Domain Admins group.
2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain.
(...)
Reference:

QUESTION 124
Your network contains an Active Directory domain. The domain contains five sites. One of the sites contains a read-only domain controller (RODC) named RODC1. You need to identify which user accounts can have their password cached on RODC1. Which tool should you use?
A. Repadmin
B. Dcdiag
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Adtest

Correct Answer: A
Section: Configuring Additional Active Directory Server Roles
/Reference:
repadmin /prp
Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).
Syntax
repadmin /prp view <RODC> {<List_Name> | <User>}
Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user.
(...)
<List_Name> Specifies all the security principals that are in the list that you want to view. The valid list names are as follows:
(...)
allow: The list of security principals in the msds-revealondemandgroup attribute. The RODC can cache passwords for this list of security principals only.
deny: The list of security principals in the msds-neverrevealgroup attribute. The RODC cannot cache passwords for any security principals in this list.
Reference:
Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that are authenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC. DCDiag is used to test general problems that can occur in AD environments. Adtest is a performance testing tool for AD.
Reference:

QUESTION 125
Your network contains an Active Directory domain named litwareinc.com. The domain contains two sites named Site1 and Site2. Site2 contains a read-only domain controller (RODC). You need to identify which user accounts attempted to authenticate to the RODC. Which tool should you use?
A. Active Directory Users and Computers
B. Ntdsutil
C. Get-ADAccountResultantPasswordReplicationPolicy
D. Adtest
Correct Answer: A
Section: (none)
/Reference:
Periodically, you should review whose accounts have been authenticated to an RODC. (...) You can use Active Directory Users and Computers or repadmin /prp to review whose accounts have been authenticated to an RODC.
Reference: #BKMK_Auth2
Get-ADAccountResultantPasswordReplicationPolicy is used to get the members of the allowed list or denied list of a read-only domain controller's password replication policy. Get-ADDomainControllerPasswordReplicationPolicyUsage could be used, but is not listed.
Reference:
ntdsutil is used for offline management of the AD database and files. Adtest is a performance testing tool for AD.
Reference:

QUESTION 126
Your company has an Active Directory forest that contains multiple domain controllers. The domain controllers run Windows Server. You need to perform an authoritative restore of a deleted organizational unit and its child objects. Which four actions should you perform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer area, and arrange them in the correct order.)
Select and Place:
Correct Answer:

Section: Maintaining the Active Directory Environment
/Reference:
If you are performing authoritative restore on a domain controller that has already received replication of the deletions, perform the following procedures on the recovery domain controller:
(...)
2. (...) Restore from backup requires restarting the domain controller in DSRM. Taking the domain controller offline by stopping AD DS is not sufficient to run Ntdsutil procedures to restore from backup.
3. Restore AD DS from Backup (Nonauthoritative Restore)
4. Mark an Object or Objects as Authoritative (...)
5. Restart the domain controller normally.
(MY NOTE: Obviously restarting in Safe Mode won't help us much! The DC would not be able to synchronize!)
Reference:

QUESTION 127
Your network contains an Active Directory domain. The relevant servers in the domain are configured as shown in the following table:
You need to ensure that all device certificate requests use the MD5 hash algorithm.
A. On Server2, run the Certutil tool.
B. On Server1, update the CEP Encryption certificate template.
C. On Server1, update the Exchange Enrollment Agent (Offline Request) template.
D. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm\HashAlgorithm registry key.
Correct Answer: D
Section: Configuring Active Directory Certificate Services
/Reference:
The hash algorithm for certificate requests is chosen when the CA is configured. After the CA is set up, it can only be modified by editing the appropriate registry entries for Microsoft's cryptography provider. certutil has options to compute a hash over existing files but cannot change the algorithm used for certificate requests. The CEP Encryption template allows a computer account to serve as a registration authority for simple enrollment requests. The Exchange Enrollment Agent (Offline Request) template is used to request certificates on behalf of another subject/user.

QUESTION 128
Your network contains an Active Directory domain. The domain contains an enterprise certification authority (CA) named Server1 and a server named Server2. On Server2, you deploy Network Policy Server (NPS) and you configure a Network Access Protection (NAP) enforcement policy for IPSec. From the Health Registration Authority snap-in on Server2, you set the lifetime of health certificates to four hours. You discover that the validity period of the health certificates issued to client computers is one year. You need to ensure that the health certificates are only valid for four hours.
A. Modify the Request Handling settings of the certificate template used for the health certificates.
B. Modify the Issuance Requirements settings of the certificate template used for the health certificates.
C. On Server1, run certutil.exe -setreg policy\editflags +editf_attributeenddate.
D. On Server1, run certutil.exe -setreg dbflags +dbflags_enablevolatilerequests.
Correct Answer: C
Section: Configuring Additional Active Directory Server Roles
/Reference:
Use the following procedure to allow the CA to issue the new health certificate template. This procedure applies to an enterprise NAP CA only.
To allow template validity period override
1. On the NAP CA, click Start, click Run, right-click Command Prompt, and then click Run as administrator.
2. In the command window, type Certutil.exe -setreg policy\editflags +EDITF_ATTRIBUTEENDDATE, and then press ENTER.
3. In the command window, type net stop certsvc && net start certsvc, and then press ENTER.
4. Verify that Active Directory Certificate Services (AD CS) stops and starts successfully.
Reference:

QUESTION 129
An Active Directory database is installed on the C volume of a domain controller. You need to move the Active Directory database to a new volume.
A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.
B. Move the ntds.dit file to the new volume by using Windows Explorer.
C. Move the ntds.dit file to the new volume by running the Move-Item command in Microsoft Windows PowerShell.
D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.
Correct Answer: D
Section: Maintaining the Active Directory Environment
/Reference:
(...)

QUESTION 130
Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates. You need to implement key archival.
A. Configure the certificate for automatic enrollment for the computers that store encrypted files.
B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.
C. Apply the Hisecdc security template to the domain controllers.
D. Archive the private key on the server.
Correct Answer: D
Section: (none)
/Reference:
(...)

QUESTION 131
Your company has an Active Directory domain. All servers run Windows Server. You deploy a Certification Authority (CA) server. You create a new global security group named CertIssuers. You need to ensure that members of the CertIssuers group can issue, approve, and revoke certificates. What should you do?
A. Assign the Certificate Manager role to the CertIssuers group
B. Place the CertIssuers group in the Certificate Publisher group
C. Run the certsrv -add CertIssuers command from the command prompt of the certificate server
D. Run the Add-Member -membertype memberset CertIssuers command by using Microsoft Windows PowerShell
Correct Answer: A
Section: Configuring Active Directory Certificate Services
/Reference:
(...)

QUESTION 132
Company has servers on the main network that run Windows Server. It also has two domain controllers. Active Directory services are running on a domain controller named CKDC1. You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server. What should you do to perform offline critical updates on CKDC1 without rebooting the server?
A. Start the Active Directory Domain Services on CKDC1
B. Disconnect from the network and start the Windows Update feature
C. Stop the Active Directory Domain Services and install the updates. Start the Active Directory Domain Services after installing the updates.
D. Stop Active Directory Domain Services and install updates. Disconnect from the network and then connect again.
E. None of the above
Correct Answer: C
Section: Maintaining the Active Directory Environment
/Reference:
(...)

QUESTION 133
Company has a server with Active Directory Rights Management Services (AD RMS) installed. Users have computers with Windows Vista installed on them, in an Active Directory domain at the Windows Server 2003 functional level. As an administrator at Company, you discover that the users are unable to benefit from AD RMS to protect their documents. You need to configure AD RMS to enable users to use it and protect their documents. What should you do to achieve this functionality?
A. Configure an account in Active Directory Domain Services (AD DS) for each user.
B. Add and configure the ADRMSADMIN account in the local administrators group on the user computers
C. Add and configure the ADRMSSRVC account in the AD RMS server's local administrators group
D. Reinstall the Active Directory domain on user computers
E. All of the above
Correct Answer: A
Section: Configuring Additional Active Directory Server Roles

/Reference:
(...)

QUESTION 134
You have installed an Active Directory Federation Services (AD FS) role on a Windows Server 2008 server in your organization. Now you need to test the connectivity of clients in the network to ensure that they can successfully reach the new Federation server and that the Federation server is operational. (Select all that apply)
A. Go to the Services tab, and check if Active Directory Federation Services is running
B. In the Event Viewer, Applications, Event ID column look for event ID 674.
C. Open a browser window, and then type the Federation Service URL for the new federation server.
D. None of the above
Correct Answer: BC
Section: Configuring Additional Active Directory Server Roles
/Reference:
Verify that a specific event (ID 674) was generated on the federation server proxy computer. This event is generated when the federation server proxy is able to successfully communicate with the Federation Service. To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
1. Log on to a client computer with Internet access.
2. Open a browser window, and then type the Uniform Resource Locator (URL) for the Federation Service endpoint, along with the path to the clientlogon.aspx page that is stored on the federation server proxy.
3. Press ENTER.
Note - At this point your browser should display the error "Server Error in '/adfs' Application". This step is necessary to generate event message 674 to verify that the clientlogon.aspx page is being loaded properly by Internet Information Services (IIS).
4. Log on to the federation server proxy.
5. Click Start, point to Administrative Tools, and then click Event Viewer.
6. In the details pane, double-click Application.
7. In the Event column, look for event ID 674.
Reference:

QUESTION 135
Company has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers. Client computers run Windows XP and Windows Vista. All domain controllers are running Windows Server. You need to deploy Active Directory Rights Management System (AD RMS) to secure all documents and spreadsheets and to provide user authentication. What do you need to configure in order to complete the deployment of AD RMS?
A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company_DC1
B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company_DC1
C. Upgrade all client computers to Windows Vista. Install AD RMS on Company_SRV5
D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company_SRV5
E. None of the above
Correct Answer: D
Section: Configuring Additional Active Directory Server Roles
/Reference:

QUESTION 136
You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensure that data and log files are backed up regularly. This will also ensure the continued availability of data to applications and users in the event of a system failure. Because you have limited media resources, you decide to back up only a specific AD LDS instance instead of taking a backup of the entire volume. What should you do to accomplish this task?
A. Use the Windows Server Backup utility and enable the checkbox to back up only the database and log files of AD LDS
B. Use the Dsdbutil.exe tool to create installation media that corresponds only to the AD LDS instance
C. Move the AD LDS database and log files to a separate volume and use the Windows Server Backup utility
D. None of the above
Correct Answer: B
Section: Maintaining the Active Directory Environment
/Reference:
With the Dsdbutil.exe tool, you can create installation media that corresponds only to the AD LDS instance that you want to back up, as opposed to backing up entire volumes that contain the AD LDS instance.
Reference:

QUESTION 137
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a server named Server2. You open the System properties on Server2 as shown in the exhibit. (Click the Exhibit button.) When you attempt to configure Server2 as an enterprise subordinate certification authority (CA), you discover that the enterprise subordinate CA option is unavailable. You need to configure Server2 as an enterprise subordinate CA.

What should you do first?
Exhibit:
A. Upgrade Server2 to Windows Server 2008 R2 Enterprise.
B. Log in as an administrator and run Server Manager.
C. Import the root CA certificate.
D. Join Server2 to the domain.
Correct Answer: D
Section: Configuring Active Directory Certificate Services
/Reference:
Is it to upgrade to R2 Enterprise instead? There is some confusion over this. (...)

QUESTION 138
Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the Active Directory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD LDS instances named Instance1 and Instance2. You need to remove Instance2 from Server1 without affecting Instance1. Which tool should you use?
A. NTDSUtil
B. Dsdbutil
C. Programs and Features in the Control Panel
D. Server Manager
Correct Answer: C
Section: Configuring Additional Active Directory Server Roles
/Reference:
To remove an AD LDS instance
1. To open Programs and Features, click Start, click Settings, click Control Panel, and then double-click Programs and Features.
2. Locate and click the AD LDS instance that you want to remove.
3. Click Uninstall.
Note: It is not necessary to restart the computer after you remove an AD LDS instance.
Reference:

QUESTION 139
Your network contains an Active Directory forest named contoso.com. You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster. To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.
Build List and Reorder:
Correct Answer:
Section: Configuring Additional Active Directory Server Roles

/Reference:
During the installation of the AD RMS root cluster we need to select a configuration database, so we need to install SQL Server 2008 first. Next we need to install the AD RMS root cluster; only then can we install the AD RMS licensing-only cluster. The last step is to deploy the AD RMS policy templates.
Before you install AD RMS
Before you install Active Directory Rights Management Services (AD RMS) on Windows Server 2008 R2 for the first time, there are several requirements that must be met: (...) In addition to pre-installation requirements for AD RMS, we strongly recommend the following: Install the database server that is used to host the AD RMS databases on a separate computer. (...)
Reference:
A root AD RMS cluster must already be present in the AD DS forest before you can install the licensing-only cluster.
Reference:

QUESTION 140
You need to modify the Password Replication Policy on a read-only domain controller (RODC). Which tool should you use? To answer, select the appropriate tool in the answer area.
Point and Shoot:
Correct Answer:
Section: Configuring Additional Active Directory Server Roles
/Reference:
To configure the PRP using Active Directory Users and Computers
1. Open Active Directory Users and Computers as a member of the Domain Admins group.
2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain.
(...)
Reference:

QUESTION 141
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 and a domain controller named DC1. On Server1, you configure a collector-initiated subscription for the Application log of DC1. The subscription is configured to collect all events. After several days, you discover that Server1 failed to collect any events from DC1, although there are more than 100 new events in the Application log of DC1. You need to ensure that Server1 collects events from DC1.
A. On Server1, run wecutil quick-config.

B. On Server1, run winrm quickconfig.
C. On DC1, run wecutil quick-config.
D. On DC1, run winrm quickconfig.
Correct Answer: D
Section: Maintaining the Active Directory Environment
/Reference:
Since the subscription was created, wecutil quick-config has already been run on Server1. The only thing left is to configure DC1 to forward the events, using winrm quickconfig.
To configure computers in a domain to forward and collect events
1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges.
2. On each source computer, type the following at an elevated command prompt: winrm quickconfig
Reference:

QUESTION 142
A network contains an Active Directory Domain Services (AD DS) domain. Active Directory is configured as shown in the following table. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2003. Active Directory replication between the Seattle site and the Chicago site occurs from 8:00 P.M. to 1:00 A.M. every day. At 7:00 A.M. an administrator deletes a user account while he is logged on to DC001. You need to restore the deleted user account. You must achieve this goal by using the minimum administrative effort.
A. On DC006, stop AD DS, perform an authoritative restore, and then start AD DS.
B. On DC001, run the Restore-ADObject cmdlet.
C. On DC006, run the Restore-ADObject cmdlet.
D. On DC001, stop AD DS, restore the system state, and then start AD DS.
Correct Answer: A
Section: Maintaining the Active Directory Environment
/Reference:
We cannot use Restore-ADObject, because Restore-ADObject is part of the Recycle Bin feature, and you can only use the Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the question text it says "The functional level of the forest is Windows Server 2003." We can perform the restore directly from DC006 because replication hasn't occurred yet (and won't occur until 8 PM). This is also why we don't need a backup from a previous state.
Reference:
Authoritative restore of AD DS has the following requirements: (...) You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete.
Reference:

QUESTION 143
A company has an Active Directory forest. You plan to install an offline Enterprise root certification authority (CA) on a server named CA1. CA1 is a member of the PerimeterNetwork workgroup and is attached to a hardware security module for private key storage. You attempt to add the Active Directory Certificate Services (AD CS) server role to CA1. The Enterprise CA option is not available. You need to install the AD CS server role as an Enterprise CA on CA1. What should you do first?
A. Add the DNS Server server role to CA1.
B. Add the Web Server (IIS) server role and the AD CS server role to CA1.
C. Add the Active Directory Lightweight Directory Services (AD LDS) server role to CA1.
D. Join CA1 to the domain.
Correct Answer: D
Section: Configuring Active Directory Certificate Services
/Reference:
The scenario states the computer is currently part of a workgroup, in a perimeter network. An Enterprise CA must be a member of the domain, however, as it integrates information with AD.
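The RODC questions above (120, 121, 123, 124, 125 and 140) all turn on the same three things: what the Password Replication Policy allows and denies, which accounts have actually had their secrets cached on the RODC, and what to do when a cached secret is compromised. The following PowerShell audit pulls those together from the defender's side. It is an added example and not part of the exam dump or of Microsoft's documentation; it assumes the ActiveDirectory RSAT module, an account permitted to read the RODC's PRP, and an RODC named RODC1, which is a placeholder.

```powershell
# Added example, not from the exam dump. Audit the Password Replication Policy (PRP)
# of one RODC: the allow/deny lists, which accounts have actually been cached
# ("revealed") there, and whether each cached account is still permitted by the
# current policy. Assumes the ActiveDirectory RSAT module is installed.
Import-Module ActiveDirectory

$Rodc = 'RODC1'   # placeholder RODC name; replace with the RODC being audited

# 1. The policy itself: the explicit allow and deny lists (msDS-RevealOnDemandGroup and
#    msDS-NeverRevealGroup, the same lists 'repadmin /prp view <RODC> allow|deny' shows).
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

# 2. Usage: accounts whose secrets are stored on the RODC, and accounts that have
#    authenticated through it (the latter can include accounts it was not allowed to cache).
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts

# 3. For every cached account, compute the resultant policy against the current PRP and
#    flag privileged accounts (adminCount = 1) or accounts the policy no longer allows.
#    Either finding means a secret is sitting on a branch-office box that should not hold it.
$report = foreach ($acct in $revealed) {
    $resultant  = Get-ADAccountResultantPasswordReplicationPolicy -Identity $acct -DomainController $Rodc
    $adminCount = (Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount).adminCount
    [pscustomobject]@{
        Account    = $acct.SamAccountName
        Class      = $acct.ObjectClass
        Resultant  = "$resultant"        # Allow, Deny or Unknown
        Privileged = ($adminCount -eq 1)
        Finding    = if ($adminCount -eq 1) { 'Privileged account cached on RODC' }
                     elseif ("$resultant" -ne 'Allow') { 'Cached but no longer allowed by PRP' }
                     else { $null }
    }
}

'PRP for {0}: {1} allowed entries, {2} denied entries' -f $Rodc, @($allowed).Count, @($denied).Count
'{0} accounts cached on the RODC, {1} accounts have authenticated through it' -f @($revealed).Count, @($authenticated).Count

# Only the rows with a finding; an empty table is the healthy outcome.
$report | Where-Object Finding | Sort-Object Privileged -Descending | Format-Table -AutoSize
```

A row flagged "Cached but no longer allowed" is what you get after tightening the PRP: the policy change stops future caching but does not remove secrets already on the RODC. A compromised cached secret is handled as in Question 120, by resetting the account's password on a writable domain controller and pushing only that password to the RODC with repadmin /rodcpwdrepl.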

Network Infrastructure, Configuring

QUESTION 1
Your network contains a Windows Server Update Services (WSUS) server named Server1. All client computers are configured to download updates from Server1. Server1 is configured only to synchronize manually to Microsoft Update. Your company deploys a new Microsoft application. You discover that the new application is not listed on the Products and Classifications list. You synchronize the WSUS server. You need to ensure that updates for the new application are available to all of the client computers. To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.
Select and Place:
Correct Answer:
Section: Monitoring and Managing A Network Infrastructure
/Reference:
We are explicitly told the application is not on the Products and Classifications list, so we need to first customize that list to include our new application. After that is done, we'll have to synchronize the server again (see reference below). Finally, we need to approve the updates so they become available to clients.
"You may have to do an initial synchronization to get some products to appear in the list of product classifications."
Reference:

QUESTION 2
Your network contains a server named Server1 that runs Windows Server 2008 R2. You enable IPSec on Server1. You need to identify which client computers have active IPSec associations to Server1. Which administrative tool should you use to achieve this task? To answer, select the appropriate tool from the answer area.
Hot Area:

Correct Answer:
Section: Configuring IP Addressing and Services
/Reference:
Newer IPSec settings must now be managed through WFAS, a centralized location for security concerns on Windows Server. "Firewall settings are now integrated with Internet Protocol security (IPsec) settings"
References:

QUESTION 3
You have an application server that runs Windows Server 2008 R2. You need to configure Windows Firewall to allow communications on the server as shown in the following table.
What is the minimum number of firewall rules you should create?
A. 4
B. 2
C. 1
D. 3
Correct Answer: B
Section: Configuring Network Access
/Reference:
We can create one rule to cover the range of ports outbound, and a separate rule for port 3433 inbound.

QUESTION 4
Your network contains an Active Directory domain named contoso.com. Contoso.com contains two servers named Server1 and Server2 that run Windows Server 2008 R2. DirectAccess is deployed on Server2. You need to configure Server1 as a network location server (NLS). Which Web Server (IIS) role service should you install on Server1?
A. IP and Domain Restrictions
B. Request Filtering
C. IIS Client Certificate Mapping Authentication
D. URL Authorization
Correct Answer: A
Section: Monitoring and Managing A Network Infrastructure
/Reference:
1: If your DirectAccess server is acting as the network location server, you must install the Web Server (IIS) server role with the IP and Domain Restrictions role service.
Reference:
MY NOTE: At first this seems to be a direct reference specific to our scenario, and perhaps it is intended to be. But it says to install this role when the same server is acting as both DirectAccess server (Server2) and NLS. The question asks what to install on Server1 to configure it as NLS. So I offer an attempt below to explain how this still is the right answer.
2: When a DirectAccess client computer enters the internal network, it connects to the network location server over HTTPS (...) The network location server is a Web site with an HTTPS server certificate. (...) The network location server must not be accessible to DirectAccess clients connecting from the Internet.
Reference:
MY NOTE: The above explains why we need IIS for DirectAccess. It also states what we need to do with IIS: prevent clients from hitting the NL web server over the internet. This means we need to restrict access to the site in IIS, and that is precisely the purpose of the "IP and Domain Restrictions" role for IIS.

QUESTION 5
Your company hires 10 new employees. You want the new employees to connect to the main office through a VPN connection. You create new user accounts and grant the new employees the Allow Read and Allow Execute permissions to shared resources in the main office. The new employees are unable to access shared resources in the main office. You need to ensure that users are able to establish a VPN connection to the main office.
A. Grant the new employees the Allow Full control permission.
B. Grant the new employees the Allow Access Dial-in permission.
C. Add the new employees to the Remote Desktop Users security group.
D. Add the new employees to the Windows Authorization Access security group.
Correct Answer: B
Section: Configuring Network Access
/Reference:
By default, Dial-in permissions in AD force a user to reference policy to determine if they're allowed remote VPN access. Since we're not told any specific policies are in place restricting access, they will essentially be denied access up front. We simply need to set the Allow Dial-in permission for them explicitly in AD so they skip the evaluation of policies. We need to be sure users can establish a VPN connection, so we don't need to manage file share permissions (they already have Read and Execute!) by assigning Full Control. Adding users to the RD Users group will let them use RDP to get to the server, but the scenario states they need to be able to establish a VPN connection.
Windows Authorization Access Group: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects. (MY NOTE: This would give users access to certain AD attributes, not help them get connected to VPN)
Reference:

QUESTION 6
Your company has a main office and a branch office. You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates by using a domain controller in the main office.

102 You need to ensure that IPv6-only computers authenticate to domain controllers in the same site. A. Configure the NTDS Site Settings object. B. Create Active Directory subnet objects. C. Create Active Directory Domain Services connection objects. D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router. Correct Answer: B Section: Configuring IP Addressing and Services /Reference: : IPv4 was disabled on the computer, forcing it to use IPv6 only. Because it authenticated against a domain controller in the main office, however, we can conclude that the branch office isn't completely setup for IPv6 yet. So we would have to use subnet objects in AD to force each office to authenticate against local site DC's. ISATAP tunnels IPv6 traffic over IPv4 networks, but the main office network clearly handles IPv6 fine. NTDS Site Settings and AD connection objects are used for configuring AD replication and topology. QUESTION 7 Your network contains one Active Directory domain. You have a member server named Server1 that runs Windows Server 2008 R2. The server has the Routing and Remote Access Services role service installed. You implement Network Access Protection (NAP) for the domain. You need to configure the Point-to-Point Protocol (PPP) authentication method on Server1. Which authentication method should you use? A. Challenge Handshake Authentication Protocol (CHAP) B. Extensible Authentication Protocol (EAP) C. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) D. Password Authentication Protocol (PAP) Correct Answer: B Section: Configuring Network Access /Reference: : All of these are valid authentication methods for PPP, but EAP is the most secure as it works with certificates. Most features of NAP require certificates also. QUESTION 8 You deploy a Windows Server 2008 R2 VPN server behind a firewall. Remote users connect to the VPN by using portable computers that run Windows 7. 
The firewall is configured to allow only secured Web communications. You need to enable remote users to connect as securely as possible. You must achieve this goal without opening any additional ports on the firewall.

A. Create an IPsec tunnel.
B. Create an SSTP VPN connection.
C. Create a PPTP VPN connection.
D. Create an L2TP VPN connection.

Correct Answer: B
Section: Configuring Network Access
Explanation/Reference:
The firewall only allows secure web (SSL) connections, so we need to set up a VPN that operates over SSL. SSTP is the only VPN type listed that will specifically do this. The other VPN types use non-standard ports, and an IPSec tunnel is for encrypting communication, not for connecting 2 networks.
"Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel."
Reference:

QUESTION 9
Network Access Protection (NAP) is configured for the corporate network. Users connect to the corporate network by using portable computers. The company policy requires confidentiality of data when the data is in transit between the portable computers and the servers.
You need to ensure that users can access network resources only from computers that comply with the company policy.

A. Create an IPSec Enforcement network policy.
B. Create an 802.1X Enforcement network policy.
C. Create a Wired Network (IEEE 802.3) Group Policy.
D. Create an Extensible Authentication Protocol (EAP) Enforcement network policy.

Correct Answer: A
Section: Configuring Network Access
Explanation/Reference:
For the most secure and effective NAP deployment on your network, deploy strong enforcement methods, such as the Internet Protocol security (IPsec), 802.1X, and virtual private network (VPN) enforcement methods. (MY NOTE: We would choose IPSec here over 802.1X because IPSec performs encryption ("confidentiality of data"); 802.1X is merely a method of access control, specifying whether or not a certain client can connect.)
Reference:
Wired Network (IEEE 802.3) Policies - Group Policy Management Console (GPMC). You can use the Wired Network (IEEE 802.3) Policies to specify and modify configuration settings for Windows Vista clients that are equipped with network adapters and drivers that support Wired AutoConfig Service.
Reference:
"Confidentiality of data" implies that we need encryption. EAP is an authentication method, not an encryption method.

QUESTION 10
Your company's corporate network uses Network Access Protection (NAP). Users are able to connect to the corporate network remotely.
You need to ensure that data transmissions between remote client computers and the corporate network are as secure as possible.

A. Apply an IPsec NAP policy.
B. Configure a NAP policy for 802.1X wireless connections.
C. Configure VPN connections to use MS-CHAP v2 authentication.
D. Restrict Dynamic Host Configuration Protocol (DHCP) clients by using NAP.

Correct Answer: A
Section: Configuring Network Access
Explanation/Reference:
IPSec is the most secure method of protecting data in NAP as it encrypts packets completely through transmission. MS-CHAPv2 is password-based (making it inherently insecure), and DHCP restrictions can be circumvented by using a static IP. Users are trying to connect remotely, so I'm not sure why you'd want to make a policy for wireless connections only. Remote users are not likely to be associating with your local access points :)

QUESTION 11
Your company has Active Directory Certificate Services (AD CS) and Network Access Protection (NAP) deployed on the network.
You need to ensure that NAP policies are enforced on portable computers that use a wireless connection to access the network.

A. Configure all access points to use 802.1X authentication.
B. Configure all portable computers to use MS-CHAP v2 authentication.
C. Use the Group Policy Management Console to access the wireless Group Policy settings, and enable the Prevent connections to ad-hoc networks option.
D. Use the Group Policy Management Console to access the wireless Group Policy settings, and disable the Prevent connections to infrastructure networks option.

Correct Answer: A
Section: Configuring Network Access
Explanation/Reference:

802.1X authentication is specifically useful for access control from an access point. It lets us apply policies to clients based on the access point they are using (which is helpful with wireless connections).
MS-CHAPv2 is password-based authentication for communications; it will not let us enforce a particular NAP policy.
Restricting the types of wireless networks a user can connect to will not help enforce NAP, and could prevent them from being connected to the network at all (depending on whether you have any use for ad-hoc networks).

QUESTION 12
Your network contains a Network Policy Server (NPS) named NPS1. You deploy a new NPS named NPS2.
You need to ensure that NPS2 sends all authentication requests to NPS1.
What should you modify on NPS2?

A. Health policies
B. Network policies
C. RADIUS clients
D. Remote RADIUS Server groups

Correct Answer: D
Section: Configuring Network Access
Explanation/Reference:
Remote RADIUS Server groups are used to specify which computers receive authentication requests.
Reference:
RADIUS clients specify which machines (switches, APs, proxies, etc.) are able to communicate with the authentication server.
Health policies allow checking a machine for specific criteria before it is authenticated.
Network policies can be used to control which computers can communicate with each other, but do not necessarily control authentication.

QUESTION 13
Your network contains a Network Policy Server (NPS) named Server1. NPS1 provides authentication for all of the VPN servers on the network.
You need to track the usage information of all VPN connections.
Which RADIUS attribute should you log?

A. Acct-Session-Id
B. Acct-Status-Type
C. Class
D. NAS-Identifier

Correct Answer: C
Section: Configuring Network Access
Explanation/Reference:
Use the RADIUS Class attribute to both track usage and simplify the identification of which department or user to charge for usage.
Reference:
The Class attribute is sent by the server to the client and is unique to the application in use. It is not changed in transmission. Because it is sent between server and client, it should help us determine usage regarding the connection.
The NAS-Identifier attribute contains a string identifying the NAS that originates a request.
The Acct-Session-Id attribute provides a unique ID for matching start/stop records in a log file.
The Acct-Status-Type attribute indicates whether a request marks the beginning of the user service (Start) or the end (Stop).
References:

QUESTION 14
Your network contains a Network Policy Server (NPS) named Server1. Server1 is configured to use SQL logging. You add a second NPS server named Server2.
You need to ensure that Server2 has the same RADIUS authentication and logging settings as Server1. You export the NPS settings from Server1, and then import the settings to Server2.
What should you do next on Server2?

A. Create a new ODBC data source.
B. Run netsh.exe nps reset config.
C. Manually configure the SQL logging settings.
D. Restart the Network Policy Server (NPS) role service.

Correct Answer: C
Section: Configuring Network Access
Explanation/Reference:
Server1 was configured to use SQL logging for the NPS service. The correct procedure has been followed to restore RADIUS authentication settings on Server2, but the RADIUS logging settings have not yet been replicated. This means we must configure SQL logging on Server2.
An ODBC data source is used to connect to a SQL database, and could be helpful in the configuration of SQL logging, but SQL logging has not even been configured.
Restarting the NPS service is typically not needed when new settings are imported to RADIUS, and at best would only ensure the authentication settings that were imported are applied. Logging settings have still not been duplicated.
netsh.exe nps reset config will restore all settings on Server2 to their defaults, undoing the work of importing the authentication settings from Server1.

QUESTION 15

Your network contains an Active Directory forest. The forest contains two domains named contoso.com and eu.contoso.com. You install a Network Policy Server (NPS) named Server1 in the contoso.com domain.
You need to ensure that Server1 can read the dial-in properties of the user accounts in the eu.contoso.com domain.

A. In the contoso.com domain, add Server1 to the RAS and IAS Servers group.
B. In the contoso.com domain, add Server1 to the Windows Authorization Access group.
C. In the eu.contoso.com domain, add Server1 to the RAS and IAS Servers group.
D. In the eu.contoso.com domain, add Server1 to the Windows Authorization Access group.

Correct Answer: C
Section: Configuring Network Access
Explanation/Reference:
For NPS to have permission to access user account credentials and dial-in properties in AD DS, the server running NPS must be registered in AD DS. (...)
To register the NPS server in the default domain using Active Directory Users and Computers:
1. Log on to the NPS server by using an account that has administrative credentials for the domain.
2. Open the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
3. In the console tree, click the Users folder in the appropriate domain.
4. In the details pane, right-click RAS and IAS Servers, and then click Properties.
5. In the RAS and IAS Servers Properties dialog box, on the Members tab, add each of the NPS servers.
Reference:

QUESTION 16
Your network contains a Network Policy Server (NPS) named Server1.
You need to configure a network policy for a VLAN.
Which RADIUS attributes should you add?

A. Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, NAS-Identifier
B. Tunnel-Assignment-ID, Tunnel-Preference, Tunnel-Client-Auth-ID, NAS-Port-Id
C. Tunnel-Client-Endpt, Tunnel-Server-Endpt, NAS-Port-Type, Tunnel-Password
D. Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, Tunnel-Type, Tunnel-Tag

Correct Answer: D
Section: Configuring Network Access
Explanation/Reference:
To configure a network policy for VLANs (...)
6. In Add Standard RADIUS Attribute, in Attributes, scroll down to and add the following attributes:
a. Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).
b. Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned.
c. Tunnel-Type. Select Virtual LANs (VLAN).
7. In Add Standard RADIUS Attribute, click Close.
8. If your network access server (NAS) requires use of the Tunnel-Tag attribute...
Reference:

QUESTION 17
Your network contains a Network Policy Server (NPS) named NPS1 and a network access server named NAS1. NAS1 is configured to use NPS1 for authentication and accounting. A firewall separates NPS1 and NAS1.
You need to ensure that NAS1 can successfully send authentication and accounting messages to NPS1.
Which ports should you allow through the firewall?

A. TCP ports 80, 443, 389 and 1645
B. TCP ports 88, 135, 139 and 1813
C. UDP ports 53, 67, 68 and 69
D. UDP ports 1812, 1813, 1645 and 1646

Correct Answer: D
Section: Configuring Network Access
Explanation/Reference:
RADIUS has been officially assigned UDP ports 1812 for RADIUS Authentication and 1813 for RADIUS Accounting by the Internet Assigned Numbers Authority (IANA). However, prior to IANA allocation of ports 1812 and 1813, ports 1645 and 1646 (authentication and accounting, respectively) were used unofficially and became the default ports assigned by many RADIUS Client/Server implementations of the time. The tradition of using 1645 and 1646 for backwards compatibility continues to this day. For this reason many RADIUS Server implementations monitor both sets of UDP ports for RADIUS requests.
Reference:
Ports 80 and 443 are used for web.
Port 389 is used for AD.
Port 88 is used for Kerberos.
Port 135 is used for DCE endpoints (DirectAccess).
Port 139 is used for the NetBIOS Session Service.
Port 53 is used for DNS.
Ports are used for BOOTP / DHCP.
Port 69 is used for TFTP.

QUESTION 18
Your network contains a Network Policy Server (NPS) named NPS1. NPS1 is configured for remote access account lockout. A domain user named User1 has been locked out by NPS1.
You need to unlock the User1 user account on NPS1.
What should you use?

A. the Netsh tool
B. the Network Policy Server console
C. the Registry Editor
D. the Routing and Remote Access console

Correct Answer: C
Section: Configuring Network Access
Explanation/Reference:
To manually reset a user account that has been locked out before it is automatically reset, delete the following registry subkey that corresponds to the user's account name on the remote access server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\domain name:user name
When the lockout count for a user account is reset to 0 due to either a successful authentication or an automatic reset, the registry subkey for the user account is deleted.
NOTE: Remote access account lockout is not related to the Unlock account setting on the Account tab on the properties of a user account.
Reference:

QUESTION 19
Your company has a single Active Directory domain. The company network is protected by a firewall. Remote users connect to your network through a VPN server by using PPTP. When the users try to connect to the VPN server, they receive the following error message: "Error 721: The remote computer is not responding."
You need to ensure that users can establish a VPN connection.

A. Open port 1423 on the firewall.
B. Open port 1723 on the firewall.
C. Open port 3389 on the firewall.
D. Open port 6000 on the firewall.

Correct Answer: B
Section: Configuring Network Access
Explanation/Reference:
A PPTP tunnel is instantiated by communication to the peer on TCP port 1723.
Reference:
Port 1423 currently is not assigned any specific application or use.
Port 3389 is used for Remote Desktop.
Port 6000 is used for network communication between X11 (UNIX windowing system) clients/servers.
Reference:

QUESTION 20
Your company has a main office and 15 branch offices. The company has a single Active Directory domain. All servers run Windows Server 2008 R2.
You need to ensure that the VPN connections between the main office and the branch offices meet the following requirements:
All data must be encrypted by using end-to-end encryption.
The VPN connection must use computer-level authentication.
User names and passwords cannot be used for authentication.

A. Configure an IPsec connection to use tunnel mode and pre-shared key authentication.
B. Configure a PPTP connection to use version 2 of the MS-CHAP v2 authentication.
C. Configure a L2TP/IPsec connection to use the EAP-TLS authentication.
D. Configure a L2TP/IPsec connection to use version 2 of the MS-CHAP v2 authentication.

Correct Answer: C
Section: Configuring Network Access
Explanation/Reference:
EAP-TLS authentication uses certificates. All other methods listed (MS-CHAP v2, pre-shared key) are password-based methods. However, the last requirement states: "User names and passwords cannot be used for authentication"

QUESTION 21
Your network contains a server that runs Windows Server 2008 R2. The server has the Network Policy and Access Services server role installed.
You need to allow only members of a global group named Group1 VPN access to the network.

A. Add Group1 to the RAS and IAS Servers group.
B. Add Group1 to the Network Configuration Operators group.
C. Create a new network policy and define a group-based condition for Group1. Set the access permission of the policy to Access granted. Set the processing order of the policy to 1.
D. Create a new network policy and define a group-based condition for Group1. Set the access permission of the policy to Access granted. Set the processing order of the policy to 3.

Correct Answer: C
Section: Configuring Network Access

Explanation/Reference:
We need to be able to restrict access to the VPN to Group1. This can be done through Network policies. A group-based condition allows us to evaluate all potential clients as members of the group before the appropriate action is taken. In this case, we want to Allow them access. Anyone not matching this criteria will, by default, be denied. A processing order of 1 means this is the 1st condition to be evaluated. If the processing order is 3, this implies there are other conditions that are going to be evaluated first, which is not guaranteed to meet our criteria.
The RAS and IAS Servers group grants its members permissions to determine if users have the appropriate Dial-in permissions on their account to even begin communication with remote servers.
The Network Configuration Operators group is used to allow people to modify the network configuration of machines.

QUESTION 22
Your company uses Network Access Protection (NAP) to enforce policies on client computers that connect to the network. Client computers run Windows 7. A Group Policy is used to configure client computers to obtain updates from Windows Server Update Services (WSUS). Company policy requires that updates labeled Important and Critical must be applied before client computers can access network resources.
You need to ensure that client computers meet the company policy requirement.

A. Enable Automatic Updates on each client.
B. Enable the Security Center on each client.
C. Quarantine clients that do not have all available security updates installed.
D. Disconnect the connection until the required updates are installed.

Correct Answer: C
Section: Configuring Network Access
Explanation/Reference:
Only by putting clients in a quarantine will they be able to download updates from the WSUS server while being prevented from accessing the corporate network. This is the purpose of the new Health Validation and NPS features in Server 2008.
Enabling Automatic Updates will ensure the clients are trying to get the latest updates from the WSUS server, but it will not prevent them from accessing the network while the updates are being downloaded.
Enabling Security Center will allow you to be aware of the health status of your clients, but will not help provide the clients with the updates they need or restrict them from accessing resources until they are updated.
Disconnecting the connection will not allow client computers to access network resources or obtain updates.

QUESTION 23
Your company has deployed Network Access Protection (NAP) enforcement for VPNs.
You need to ensure that the health of all clients can be monitored and reported.

A. Create a Group Policy object (GPO) that enables Security Center and link the policy to the domain.
B. Create a Group Policy object (GPO) that enables Security Center and link the policy to the Domain Controllers organizational unit (OU).
C. Create a Group Policy object (GPO) and set the Require Trusted Path For Credential Entry option to Enabled. Link the policy to the domain.
D. Create a Group Policy object (GPO) and set the Require Trusted Path For Credential Entry option to Enabled. Link the policy to the Domain Controllers organizational unit (OU).

Correct Answer: A
Section: Configuring Network Access
Explanation/Reference:
Security Center is the client application that tracks health status of the machine. We need to force this to be enabled on all clients so they will report their health status to the central server. This would need to be done at the domain level so as to apply to all clients, not just Domain Controllers.
The Require Trusted Path For Credential Entry option requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user's Windows credentials.
Reference:

QUESTION 24
Your company has deployed Network Access Protection (NAP). You configure secure wireless access to the network by using 802.1X authentication from any access point.
You need to ensure that all client computers that access the network are evaluated by NAP.

A. Configure all access points as RADIUS clients to the Remediation Servers.
B. Configure all access points as RADIUS clients to the Network Policy Server (NPS).
C. Create a network policy that defines Remote Access Server as a network connection method.
D. Create a network policy that specifies EAP-TLS as the only available authentication method.

Correct Answer: B
Section: Configuring Network Access
Explanation/Reference:
In order for all clients to be evaluated by NAP, the wireless access points they connect to must communicate with a RADIUS server that will direct them to NAP. This means the wireless access points must function as RADIUS clients that forward authentication requests to a Server 2008 RADIUS (NPS) server.
Remediation servers provide updates for computers that fail the health check by NAP, but do not necessarily function as RADIUS servers themselves.
The Network connection method value in a Network Policy restricts NPS from evaluating a request unless it comes from the type of server specified. If we set this to RAS, then only Server 2008 routers would be able to be evaluated. All other clients on the network would fail to be checked.
Reference:
Configuring EAP-TLS as the only available authentication method would essentially prevent client connections in the event another protocol is possibly used for 802.1X at the access points. At best, it enforces standardized security for the clients, but does not provide a method for them to be evaluated by NAP.

QUESTION 25
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the Remote Access Service role service installed. Server1 is configured as a VPN server.
You need to ensure that you can configure Server1 as a Network Address Translation (NAT) server.
What should you do first on Server1?

A. Enable IPv4 routing.
B. Enable IPv6 routing.
C. Add a new routing protocol.
D. Add the Routing role service.

Correct Answer: D
Section: Configuring IP Addressing and Services
Explanation/Reference:
To enable network address translation addressing
1. In the RRAS MMC snap-in, expand Your Server Name. If you are using Server Manager, expand Routing and Remote Access.
Reference:
MY NOTE: Basically, NAT is a role service of the RRAS / Routing roles.

QUESTION 26
Your company has a single Active Directory domain. The domain has servers that run Windows Server 2008 R2. You have a server named NAT1 that functions as a NAT server.
You need to ensure that administrators can access a server named RDP1 by using Remote Desktop Protocol (RDP).

A. Configure NAT1 to forward port 389 to RDP1.
B. Configure NAT1 to forward port 1432 to RDP1.
C. Configure NAT1 to forward port 3339 to RDP1.
D. Configure NAT1 to forward port 3389 to RDP1.

Correct Answer: D
Section: Configuring Network Access
Explanation/Reference:
Remote Desktop Protocol (formerly Terminal Server) uses TCP port
Reference:

QUESTION 27
Your network has Network Access Protection (NAP) deployed. The network contains two servers named Server1 and Server2. Server1 is a Network Policy Server (NPS). Server2 has a third-party antivirus solution installed. Server1 is configured to use a custom system health validator provided by the antivirus vendor. The system health validator uses Server2 to identify the version of the current antivirus definition.
You need to ensure that NAP clients are considered noncompliant if Server1 cannot connect to Server2.
Which error code resolution setting should you configure?

A. SHA not responding to NAP client
B. SHA unable to contact required services
C. SHV not responding
D. SHV unable to contact required services

Correct Answer: D
Section: Configuring Network Access
Explanation/Reference:
The following is a description of available error codes:
SHV unable to contact required services. This error can occur if Network Policy Server (NPS) loses connectivity to a health requirement server, such as an antivirus signature server. (MY NOTE: The scenario states we need to ensure clients are non-compliant if Server1 loses connectivity to Server2, the NPS server)
SHA unable to contact required services. This error can occur if the SHA is unable to successfully read the client configuration.
SHA not responding to NAP Client. This error can occur if an SHA is not properly initialized and registered.
SHV not responding. This error can occur if the performance of an SHV is degraded (for example, if NPS is out of memory).
Vendor specific error code received. This error can occur if NPS receives an error code that is unique to the SHA or SHV vendor. Some vendors might return this code when NPS is unable to contact a health requirement server.
Reference:

QUESTION 28
Your company has computers in multiple locations that use IPv4 and IPv6. Each location is protected by a firewall that performs symmetric NAT.
You need to allow peer-to-peer communication between all locations.

A. Configure dynamic NAT on the firewall.
B. Configure the firewall to allow the use of Teredo.
C. Configure a link local IPv6 address for the internal interface of the firewall.
D. Configure a global IPv6 address for the external interface of the firewall.

Correct Answer: B
Section: Configuring IP Addressing and Services

Explanation/Reference:
Since some locations use IPv4 and IPv6, they will not be able to talk to each other without Teredo tunneling at the firewall.
Teredo is a transition technology that gives full IPv6 connectivity for IPv6-capable hosts which are on the IPv4 Internet but which have no direct native connection to an IPv6 network.
Reference:
NAT simply masks source traffic; changing from symmetric to dynamic will not change the fact that some IPv6 connections are trying to communicate with IPv4 networks.
An IPv6 global address is essentially a public address for the internet. This would be needed for internet communications for all networks, but will not allow peer-to-peer communication.
An IPv6 link-local address is intended for communications with a local subnet; we need peer-to-peer communications.
Reference:

QUESTION 29
Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2. A DHCP server is deployed on the network and configured to provide IPv6 prefixes.
You need to ensure that when you monitor network traffic, you see the interface identifiers derived from the Extended Unique Identifier (EUI)-64 address.
Which command should you run?

A. netsh.exe interface ipv6 set global addressmaskreply=disabled
B. netsh.exe interface ipv6 set global dhcpmediasense=enabled
C. netsh.exe interface ipv6 set global randomizeidentifiers=disabled
D. netsh.exe interface ipv6 set privacy state=enabled

Correct Answer: C
Section: Configuring IP Addressing and Services
Explanation/Reference:
netsh.exe interface ipv6 set global
This context for netsh is to set global parameters for all IPv6-enabled interfaces on the computer. Per the scenario, we need to see interface identifiers for all our interfaces, so this is the context we should be in.
randomizeidentifiers=disabled
This command would specify that interface identifiers should NOT be randomized (in other words, that they would be unique). Of the 3 commands in the "set global" context, this one would achieve the desired effect.
dhcpmediasense=enabled
This command would enable DHCP media sense, which is what Windows uses to determine when a cable is plugged in to an interface. This would not help us with seeing interface identifiers in network packet captures.
addressmaskreply=disabled
This command instructs the computer not to respond to ICMP address mask packets. This would not help us with seeing interface identifiers in network packet captures.
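As an added example that is not part of this dump or of any Microsoft tool, the EUI-64 derivation behind QUESTION 29 in Python: it builds the interface identifier a host forms from its MAC once randomizeidentifiers is disabled, and recovers the MAC from an address seen in a capture (or reports that the identifier is not EUI-64 shaped, which is what randomized or temporary addresses look like). The sample MAC is Computer1's value as QUESTION 32 prints it; the 2001:db8:1::/64 prefix is a constructed documentation prefix.

```python
"""EUI-64 interface identifiers: what a host forms once randomizeidentifiers is disabled.

Added example; not part of the exam dump or of any Microsoft tool.
"""
import ipaddress
import re
from typing import Optional

# Constructed sample input: the MAC of Computer1 as QUESTION 32 prints it in a
# Network Monitor filter. The /64 prefix is an assumed documentation prefix.
SAMPLE_MAC = "0x001731D55EFF"
SAMPLE_PREFIX = "2001:db8:1::/64"


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00-17-31-D5-5E-FF, 00:17:31:d5:5e:ff, 001731d55eff or 0x001731D55EFF."""
    text = mac.strip()
    if text.lower().startswith("0x"):      # Network Monitor style
        text = text[2:]
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291, Appendix A): split the MAC after its 24-bit OUI,
    insert FF FE in the middle, then invert the universal/local bit (0x02) of the
    first octet, so a globally unique MAC yields a first octet of 02."""
    m = mac_to_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host autoconfigures from a /64 prefix plus its EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 based address (global or link-local).

    Returns None when the identifier is not EUI-64 shaped, which is what you see
    from a host whose identifiers are randomized or which uses temporary (privacy)
    addresses. The FF FE check is a heuristic: a random identifier can contain
    those bytes by chance, so treat a hit as likely rather than proven.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                  # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in mac)


if __name__ == "__main__":
    addr = eui64_address(SAMPLE_PREFIX, SAMPLE_MAC)
    print(f"{SAMPLE_MAC} -> {addr}")                              # 2001:db8:1:0:217:31ff:fed5:5eff
    print(f"{addr} -> {mac_from_address(str(addr))}")            # 00-17-31-D5-5E-FF
    print(mac_from_address("2001:db8:1:0:3c4d:5e6f:7a8b:9c0d"))  # None (not EUI-64 shaped)
```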

Reference:
netsh.exe interface ipv6 set privacy state=enabled
This command would specify that temporary addresses for IPv6 are enabled. This is irrelevant to the task at hand.
Reference:

QUESTION 30
You have a DHCP server that runs Windows Server 2008 R2. The DHCP server has two network connections named LAN1 and LAN2.
You need to prevent the DHCP server from responding to DHCP client requests on LAN2. The server must continue to respond to non-DHCP client requests on LAN2.

A. From the DHCP snap-in, modify the bindings to associate only LAN1 with the DHCP service.
B. From the DHCP snap-in, create a new multicast scope.
C. From the properties of the LAN1 network connection, set the metric value to 1.
D. From the properties of the LAN2 network connection, set the metric value to 1.

Correct Answer: A
Section: Configuring IP Addressing and Services
Explanation/Reference:
By default, the service bindings depend on whether the network connection is configured dynamically or statically for TCP/IP. Based on the method of configuration it uses, reflected by its current settings in Internet Protocol (TCP/IP) properties, the DHCP Server service performs default service bindings as follows:
If the first network connection uses a manually specified IP address, the connection is enabled in server bindings. For this to occur, a value for IP address must be configured and the Use the following IP address option selected in Internet Protocol (TCP/IP) properties. In this mode, the DHCP server listens for and provides service to DHCP clients.
If the first network connection uses an IP address configured dynamically, the connection is disabled in server bindings. This occurs when the Obtain an IP address automatically option is selected in Internet Protocol (TCP/IP) properties. For computers running Windows Server 2008 R2 operating systems, this is the default setting. In this mode, the DHCP server does not listen for and provide service to DHCP clients until a static IP address is configured.
The DHCP server will bind to the first static IP address configured on each adapter.
Note: By design, DHCP server bindings are enabled and disabled on a per-connection, not per-address basis. All bindings are based on the first configured IP address for each connection appearing in the Network Connections folder. If additional static IP addresses (for example, as set in Advanced TCP/IP properties) are configured for the applicable connection, these addresses are never used by DHCP servers running Windows Server 2008 R2 and are inconsequential for server bindings. DHCP servers running Windows Server 2008 R2 never bind to any of the NDISWAN or DHCP-enabled interfaces used on the server. These interfaces are not displayed in the DHCP console under the current server bindings list because they are never used for DHCP service. Only additional network connections that have a primary static IP address configured can appear in the server bindings list (or be selectively enabled or disabled there).

Reference:

QUESTION 31
You have a DHCP server that runs Windows Server 2008 R2. You restore the DHCP database by using a recent backup. You need to prevent DHCP clients from receiving IP addresses that are currently in use on the network.

A. Add the DHCP server option 15.
B. Add the DHCP server option 44.
C. Set the Conflict Detection value to 0.
D. Set the Conflict Detection value to 2.

Correct Answer: D
Section: Configuring IP Addressing and Services
/Reference:
For Conflict detection attempts, type a number greater than 0 (zero) and less than six, and then click OK. The number you type determines how many times the DHCP server tests an IP address before leasing it to a client.
Reference:

Server option 15 is "Domain name": the DNS domain the client should use for resolution. Server option 44 is for specifying WINS/NBNS servers.
MY NOTE: Clearly neither of these options will prevent DHCP clients from getting the address of a machine already on the network.
Reference:

QUESTION 32
Your company has a server named DC1 that runs Windows Server 2008 R2. Server1 has the DHCP Server server role installed. You find that a desktop computer named Computer1 is unable to obtain an IP configuration from the DHCP server. You install the Microsoft Network Monitor 3.0 application on Server1. You enable P-mode in the Network Monitor application configuration. You plan to capture only the DHCP server-related traffic between Server1 and Computer1. The network interface configuration for the two computers is shown in the following table. You need to build a filter in the Network Monitor application to capture the DHCP traffic between Server1 and Computer1.

Which filter should you use?

A. IPv4.Address == && DHCP
B. IPv4.Address == && DHCP
C. Ethernet.Address == 0x000A5E1C7F67 && DHCP
D. Ethernet.Address == 0x001731D55EFF && DHCP

Correct Answer: D
Section: Monitoring and Managing A Network Infrastructure
/Reference:
Network Monitor is being run from Server1. In order to view only DHCP traffic between Server1 and Computer1, we must specify a filter that is specific to Computer1. Because Computer1 cannot receive an IP from the DHCP server, we should use the Ethernet.Address filter, assigning it the MAC of Computer1 (0x001731D55EFF). If the Ethernet.Address filter is applied to 0x000A5E1C7F67 (the MAC of Server1), we would see all DHCP traffic on Server1 (the capture server). Similarly, the IPv4.Address filter cannot be used for either address; in particular, it cannot be used for Computer1's address because this is an APIPA address, and the client is not guaranteed to receive this each time it tries (and fails) to obtain a lease.

QUESTION 33
Your network contains two DHCP servers named Server1 and Server2. On Server1, you create a scope named Scope1. You need to ensure that DHCP clients receive IP addresses from the address range in Scope1 if Server1 is unavailable. The solution must prevent both servers from assigning duplicate IP addresses. What should you do from the DHCP console?

A. On Server1, create a superscope.
B. On Server1, select Scope1, and then run the Split-Scope wizard.
C. On Server2, create a scope, and then reconcile each scope.
D. On Server2, create a scope, and then enable Network Access Protection.

Correct Answer: B
Section: Configuring IP Addressing and Services
/Reference:
We basically want a split scope to implement the 80/20 rule, as that will provide the best fault tolerance in DHCP (clients can receive addresses if Server1 is unavailable). This is now done with a Split-Scope wizard in Windows Server 2008 R2. A Dynamic Host Configuration Protocol (DHCP) split-scope configuration using multiple DHCP servers allows for increased fault tolerance and redundancy over using only one DHCP server. The new Split-Scope Wizard in Windows Server 2008 R2 replaces the more error-prone manual split-scope configuration method used in earlier versions of Windows Server.
Reference:

WRONG ANSWERS
A superscope is an administrative feature of DHCP servers running Windows Server 2003 that you can create and manage through the DHCP console. Using a superscope, you can group multiple scopes as a single administrative entity. (MY NOTE: This does not give us fault tolerance amongst scopes.)
Reference:

Network Access Protection (NAP) is a feature in Windows Server 2008 that controls access to network resources based on a client computer's identity and compliance with corporate governance policy.
Reference:

Reconciling a scope will "fix inconsistencies, such as incorrect or missing information for client IP addresses, that are stored in scope lease information."
Reference:

QUESTION 34
Your network contains an Active Directory domain. The domain contains a DHCP server named Server1. You create a scope named Scope1 on Server1. You need to prevent unauthorized DHCP clients from receiving addresses from Server1.

A. From the DHCP console, configure filters.
B. From the Local Security Policy console, modify the network settings.
C. From the Local Users and Groups console, modify the membership of the DHCP Users group.
D. From the Netsh tool, change to the DHCP Server context, and then run the initiate auth command.

Correct Answer: A
Section: Configuring IP Addressing and Services
/Reference:
DHCP filters are MAC-level filters that specify clients that should not be given an address. Link-layer-based filtering for Dynamic Host Configuration Protocol (DHCP) enables administrators to control network access based on media access control (MAC) address, providing a low-level security method.
Reference:

WRONG ANSWERS
The Local Security Policy console lets us configure policy options that apply only to the local server. We could use a GPO in conjunction with NAP to enable DHCP enforcement, but we are not told we have a NAP server, and this would not be done in the local policy in any manner.

netsh dhcp server initiate auth
Initiates authorization of the specified DHCP server in Active Directory.
Reference:

Members of the DHCP Users group have read-only DHCP console access to the server.
Reference:

QUESTION 35

Your network contains two DHCP servers named Server1 and Server2. Server1 and Server2 are located in the same subnet. You configure a split scope named Scope1 on the DHCP servers. You need to ensure that Server2 only responds to DHCP client requests if Server1 is unavailable. What should you modify?

A. the Scope1 properties for Server1
B. the Scope1 properties for Server2
C. the server options for Server1
D. the server options for Server2

Correct Answer: B
Section: Configuring IP Addressing and Services
/Reference:
Basically, we want Server1 to always respond to requests first, and Server2 to be used only when Server1 is not responding. Since both servers are live, we do this by configuring a delay on Server2. This is done in the Scope properties.

QUESTION 36
Your network contains a DHCP server named DHCP1. You have a DHCP reservation for a computer named Computer1. You add a DNS server option to the reservation. You need to ensure that Computer1 immediately receives the new option.

A. Run ipconfig.exe /renew.
B. Run ipconfig.exe /registerdns.
C. On DHCP1, recreate the reservation.
D. On DHCP1, delete the active lease for the reservation.

Correct Answer: A
Section: Configuring IP Addressing and Services
/Reference:
For Computer1 to get the new option, it has to renew its lease with the server. This is what the ipconfig.exe /renew command does. We only added a DNS server option, so we do not need to re-register Computer1's DNS record with the server; we would only do this if DNS queries did not resolve Computer1 to an IP. Modifying settings for the reservation on DHCP1 will not force Computer1, a client, to receive the new options.

QUESTION 37
Your network contains a Routing and Remote Access server named RRAS1 and a DHCP server named DHCP1. RRAS1 and DHCP1 are located in different subnets. RRAS1 is configured to support VPN connections from the Internet. DHCP1 has a scope that provides IP addresses for the VPN connections. You need to ensure that VPN clients that connect to RRAS1 can receive IP addresses from DHCP1.

A. On DHCP1, configure a DHCP Relay Agent.
B. On DHCP1, install the Routing role service.
C. On RRAS1, configure a DHCP Relay Agent.
D. On RRAS1, install the Routing role service.

Correct Answer: C
Section: Configuring IP Addressing and Services
/Reference:
We don't need to do anything to DHCP1, as it already has the scope configured. Instead, we need to make sure VPN clients (who get into the network through RRAS1) can forward DHCP requests to DHCP1; this is the job of a DHCP Relay Agent. We configure it on RRAS1 because it is a feature of RRAS and is needed by the clients connecting in through RRAS1. For each IP network segment that contains DHCP clients, either a DHCP server or a computer acting as a DHCP Relay Agent is required.
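The conflict-detection setting from QUESTION 31 above (the defence against handing out an address that is already live after a database restore) can also be set and verified from the command line. The following PowerShell script is an added example, not part of the dump: run elevated on the Windows Server 2008 R2 DHCP server, it writes the attempt count through netsh (the same value the snap-in's Advanced tab exposes), reads it back, and refuses the out-of-range values the text warns about. The script assumes the output of "show detectconflictretry" carries the count as the first integer on a line.

```powershell
# Added example, not part of the dump; relates to QUESTION 31. Run elevated on the DHCP server
# whose database was just restored from backup.

function Set-DhcpConflictDetection {
    param([int]$Attempts)
    # The snap-in accepts 1..5 (greater than 0 and less than six); 0 turns detection off,
    # which a restored and possibly stale lease database must not rely on.
    if ($Attempts -lt 0 -or $Attempts -gt 5) { throw 'Attempts must be between 0 and 5 (0 disables detection)' }
    netsh dhcp server set detectconflictretry $Attempts | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh returned exit code $LASTEXITCODE" }
}

function Get-DhcpConflictDetection {
    # Each attempt is one ICMP echo to the candidate address before it is offered.
    # Assumption: the count is the first integer netsh prints.
    $lines = netsh dhcp server show detectconflictretry
    foreach ($line in $lines) {
        if ($line -match '(\d+)') { return [int]$matches[1] }
    }
    return $null
}

function Test-DhcpConflictDetection {
    # $true when the server will probe every address at least $Minimum times before leasing it.
    param([int]$Minimum = 1)
    $current = Get-DhcpConflictDetection
    return ($current -ne $null -and $current -ge $Minimum)
}

Set-DhcpConflictDetection -Attempts 2          # the value chosen in the question (answer D)
if (-not (Test-DhcpConflictDetection)) { throw 'Conflict detection is still disabled' }
"Conflict detection attempts: $(Get-DhcpConflictDetection)"
```

Every attempt adds an ICMP round trip to each DHCPOFFER, so the value is a trade-off between lease latency and safety; 1 or 2 is enough to catch the addresses that the restored database wrongly believes to be free, and a host that drops ICMP will still be missed, which is why the setting is a safety net rather than a replacement for a reconcile.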

Reference:

QUESTION 38
Your company has a server named Server1 that runs Windows Server 2008 R2. Server1 runs the DHCP Server server role and the DNS Server server role. You also have a server named ServerCore that runs a Server Core installation of Windows Server 2008 R2. All computers are configured to use only Server1 for DNS resolution. The IP address of Server1 is The network interface on all the computers is named LAN. Server1 is temporarily offline. A new DNS server named Server2 has been configured to use the IP address You need to configure ServerCore to use Server2 as the preferred DNS server and Server1 as the alternate DNS server.

A. Run the netsh interface ipv4 add dnsserver "LAN" static index=1 command.
B. Run the netsh interface ipv4 set dnsserver "LAN" static both command.
C. Run the netsh interface ipv4 set dnsserver "LAN" static primary command and the netsh interface ipv4 set dnsserver "LAN" static both command.
D. Run the netsh interface ipv4 set dnsserver "LAN" static primary command and the netsh interface ipv4 add dnsserver "LAN" static index=1 command.

Correct Answer: A
Section: Configuring IP Addressing and Services
/Reference:
To make Server2 the preferred DNS server, we basically just need to change its index value.

add dnsserver
Adds a DNS server to the list of DNS servers for a specified interface.
Syntax: add dnsserver [name=]InterfaceName [addr=]DNSAddress [[index=]DNSIndex]
Parameters (...)
[index=]DNSIndex: Specifies the position of the added DNS server in the list of DNS servers for the interface.

WRONG ANSWERS
netsh interface ipv4 set dnsserver "LAN" static primary
netsh interface ipv4 add dnsserver "LAN" static index=1
For the 1st command here, the primary option registers the computer's name to only the primary DNS suffix.

This would not affect preferred/alternate DNS server configurations. The 2nd command essentially designates Server1 as 1st in the list, which is not what we want (it is already there!).

netsh interface ipv4 set dnsserver "LAN" static both
For this command, the both option specifies to register the computer's name to both DNS suffixes (primary and connection-specific). This would not affect preferred/alternate DNS server configurations.

netsh interface ipv4 set dnsserver "LAN" static primary
netsh interface ipv4 set dnsserver "LAN" static both
As in the examples above, these commands essentially affect which DNS suffixes the computer will try to register its record with. This would not affect preferred/alternate DNS server configurations.
Reference:

QUESTION 39
Your company runs Windows Server Update Services (WSUS) on a server named Server1. Server1 runs Windows Server 2008 R2. Server1 is located on the company intranet. You configure the WSUS Web site to use SSL. You need to configure a Group Policy object (GPO) to specify the Intranet Update Locations. Which URLs should you use?

A.
B.
C.
D.

Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
/Reference:
Since we configured the website for SSL, we will need to use the https:// prefix. Port 8080 is the default port used for web proxying and caching servers.

QUESTION 40
You have 10 standalone servers that run Windows Server 2008 R2. You install the Windows Server Update Services (WSUS) server role on a server named Server1. You need to configure all of the servers to receive updates from Server1.

A. Configure the Windows Update settings on each server by using the Control Panel.
B. Run the wuauclt.exe /detectnow command on each server.
C. Run the wuauclt.exe /reauthorization command on each server.
D. Configure the Windows Update settings on each server by using a local group policy.

Correct Answer: D

Section: Monitoring and Managing A Network Infrastructure
/Reference:
For all servers to be configured to point at Server1, we need to use Group Policy. Configuring Windows Update settings on each server through the Control Panel would not let us specify which server the computer uses. This is only done via the registry, which we can use Group Policy to control for all servers and simplify our job :)

wuauclt.exe /detectnow
This would force each server to look for new updates at the time the command was executed.

wuauclt.exe /reauthorization
This would re-register the servers with the WSUS server (Server1), but does not tell them to get their updates from Server1.

QUESTION 41
Your network contains a Windows Server Update Services (WSUS) server. All computers on the network are configured to download and install updates once a week. You need to deploy a critical update to a WSUS client as soon as possible. Which command should you run?

A. dism.exe /online /check-apppatch
B. gpupdate.exe /force
C. secedit.exe /refreshpolicy
D. wuauclt.exe /detectnow

Correct Answer: D
Section: Monitoring and Managing A Network Infrastructure
/Reference:
wuauclt.exe /detectnow
This would force the client to look for new updates immediately, rather than waiting for the pre-configured interval (once a week).

dism.exe /online /check-apppatch
These parameters would check an online (running) deployment of Windows to see if any MSP patches from a deployment source need to be applied.
References:

gpupdate.exe /force
This will force a group policy update on the client it is run from, not a WSUS update.

secedit.exe /refreshpolicy
This would impose group policy settings on the client (similar to gpupdate /force).
Reference:

QUESTION 42
Your network contains a Windows Server Update Services (WSUS) server named Server1. Server1 provides updates to client computers in two sites named Site1 and Site2.

A WSUS computer group named Group1 is configured for automatic approval. You need to ensure that new client computers in Site2 are automatically added to Group1. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Create a new automatic approval update rule.
B. Modify the Computers options in the Update Services console.
C. Modify the Automatic Approvals options in the Update Services console.
D. Configure a Group Policy object (GPO) that enables client-side targeting.

Correct Answer: BD
Section: Monitoring and Managing A Network Infrastructure
/Reference:
With client-side targeting, you enable client computers to add themselves to the computer groups you create in the WSUS console. You can enable client-side targeting through Group Policy (in an Active Directory network environment) or by editing registry entries (in a non-Active Directory network environment) for the client computers. When the client computers connect to the WSUS server, they will add themselves into the correct computer group. Client-side targeting is an excellent option if you have many client computers and want to automate the process of assigning them to computer groups. To enable client-side targeting on your WSUS server, click the Use Group Policy or registry settings on client computers option on the Computers Options page.
Reference:

WRONG ANSWERS
On the Automatic Approval Options page, you can configure your WSUS server to automatically approve installation or detection for updates and associated metadata when they are downloaded to the WSUS server during synchronization.
Reference:
MY NOTE: Basically, Automatic Approvals are for making sure updates are automatically let out into the network, but we were asked about having clients automatically added to Group1.

QUESTION 43
Your network contains an Active Directory domain. The domain contains a Windows Server Update Services (WSUS) server named Server1. A Group Policy object (GPO) named GPO1 configures all computers in the domain to use Server1 for Windows Update. You add a new Windows 7 computer named Computer1 to the domain. From the Update Services console, you discover that Computer1 is not listed as a member of any computer groups. You verify that GPO1 is applied to Computer1. You need to ensure that Computer1 is available in the Update Services console.

A. On Computer1, run wuauclt.exe /detectnow.

B. On Computer1, run wuauclt.exe /reportnow.
C. On Server1, run wsusutil.exe reset.
D. On Server1, run wsusutil.exe listinactiveapprovals.

Correct Answer: B
Section: Monitoring and Managing A Network Infrastructure
/Reference:
wuauclt.exe /reportnow
This will force the client to report its status to the server, at which point it should show up in the Update Services console.

WRONG ANSWERS
wuauclt.exe /detectnow
This would force the client to look for new updates from its server immediately, but would not ensure it is officially registered with the server. So it would likely receive these updates from Microsoft.

wsusutil.exe reset
This will check that every update in the database has corresponding update files stored in the file system. In other words, it would make sure that your client has all the right files for reinstalling patches.

wsusutil.exe listinactiveapprovals
This will return a list of updates with approvals in a permanently inactive state because of a change in server language settings.
Reference:

QUESTION 44
Your network contains a Windows Server Update Services (WSUS) server. A Group Policy object (GPO) configures all WSUS client computers to detect updates hourly and install updates weekly. You download a critical update. You need to ensure that the WSUS client computers install the critical update during the next detection interval.

A. From the client computers, run wuauclt.exe /force.
B. From the client computers, run gpupdate.exe /force.
C. From the server, configure the Deadline settings.
D. From the server, configure the Synchronization Schedule options.

Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
/Reference:
To force a client to install the update at a specific time, you can configure a deadline for the update.
Reference:

WRONG ANSWERS
Synchronization in WSUS is used to make sure a server is up to date with its upstream server or with Microsoft. This is not what has been scheduled or what needs editing.

wuauclt.exe /detectnow
This would force the client to search for new updates immediately, but would not install them and would not operate on the pre-configured interval (once a week) to install an update.

gpupdate.exe /force
This will force a group policy update on the client it is run from, not a WSUS update.

QUESTION 45
Your network contains a Windows Server Update Services (WSUS) server. You need to ensure that the WSUS server automatically downloads service packs. What should you do first?

A. From the Automatic Approvals options, modify the Update Rules list.
B. From the Automatic Approvals options, modify the Advanced settings.
C. From the Products and Classifications options, modify the Products settings.
D. From the Products and Classifications options, modify the Classifications settings.

Correct Answer: D
Section: Monitoring and Managing A Network Infrastructure
/Reference:
Service Packs are an Update Classification. By selecting Service Packs in the Classifications settings, we ensure WSUS downloads all Service Packs, regardless of the product they are available for.
Reference:

WRONG ANSWERS
The Automatic Approvals options are for handling how updates are selected for automatic approval. For instance, we could specify that we only want certain Classifications of downloads to be automatically approved, but this is not directly related to whether the server downloads them, and it could have negative effects for other Classifications of updates.
Reference:

Products settings determine which programs WSUS will get updates for (i.e., Windows, Office, SQL Server, Visual Studio).

QUESTION 46
Your network contains a Windows Server Update Services (WSUS) Server infrastructure that has three servers named WSUS1, WSUS2, and WSUS3. WSUS2 is a downstream replica server of WSUS1. WSUS3 is a downstream replica server of WSUS2. You need to ensure that the Update Services console on WSUS2 only displays computers that receive updates from WSUS2.

What should you configure on WSUS2?

A. Downstream servers
B. Personalization
C. Reporting Rollup
D. Synchronizations

Correct Answer: B
Section: Monitoring and Managing A Network Infrastructure
/Reference:
Of the options available, only Personalization of the Update Services console will allow you to control which servers you are viewing.

WRONG ANSWERS
The remaining options control WSUS updates but do not affect the display of the console. Downstream servers have already been configured; these control which servers a WSUS server receives its metadata from. Reporting Rollup is a tool for generating reports about WSUS updates. Synchronization downloads updates from an upstream server.

QUESTION 47
Your network contains a Windows Server Update Services (WSUS) server named Server1. You need to configure all WSUS client computers to download approved updates directly from the Microsoft Update servers. The solution must ensure that all WSUS client computers report successful installation of updates to Server1.

A. From Active Directory, deploy a Group Policy object (GPO).
B. From Server1, modify the Update Source and Proxy options.
C. From Server1, modify the Update Files and Languages options.
D. From the WSUS client computers, modify the local computer policy.

Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
/Reference:
You can specify whether to store update files on your local WSUS server or on Microsoft Update. If you choose to store the updates locally, you can limit the updates downloaded to your server by language. If you choose to store the update files on Microsoft Update, then your WSUS server obtains only update information (metadata) for the criteria you have specified on the Synchronization Options page. (...)

To specify where to store downloaded update files:
1. On the WSUS console toolbar, click Options, and then click Synchronization Options.
2. Under Update Files and Languages, click Advanced.
3. Under Update Files, select whether to store update files on the server running Windows Server Update Services (WSUS) or on Microsoft Update. If you choose to store update files on your server, you can choose either to download update files only when they are approved, or to download express installation files.
4. If you selected to store the files on the WSUS server, under Languages, select whether you want to limit the updates downloaded to your WSUS server by language, and then click OK. Note that if you select to download all languages (which is selected by default), this will take more disk space. If possible, consider limiting the languages you download if you are also choosing to store update files on your WSUS server.
5. In Tasks, click Save settings, and then click OK.
Reference:

QUESTION 48
Your network contains two Windows Server Update Services (WSUS) servers named Server1 and Server2. Server1 is a member of a domain named contoso.com. Server2 is a standalone server. Server2 is configured as an autonomous downstream server. You need to ensure that all updates approved on Server1 are automatically approved on Server2. Which options should you modify?

A. Automatic Approvals
B. Products and Classifications
C. Synchronization Schedule
D. Update Source and Proxy Server

Correct Answer: D
Section: Monitoring and Managing A Network Infrastructure
/Reference:
A WSUS server running in replica mode inherits the update approvals and computer groups created on its parent WSUS administration server. You will typically have a single parent server with one or more downstream replica WSUS servers. You approve updates and create computer groups on the parent server, which the replica servers will then mirror. You may now designate any WSUS server as a downstream replica at any time. In the WSUS administration console, select Options, then Update Source and Proxy Server, and on the Update Source tab, select the Synchronize from another Windows Server Update Services server check box, and then the This server is a replica of the upstream server check box.
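QUESTIONS 40 through 43 above all come down to the same client-side state: the intranet update location and status server (what "local group policy" writes in QUESTION 40), the client-side targeting group (QUESTION 42) and the detect/report commands (QUESTIONS 41 and 43). The following PowerShell script is an added example, not part of the dump: it writes the registry values that the Local Group Policy settings "Specify intranet Microsoft update service location" and "Enable client-side targeting" produce, verifies them, and then triggers detection and a status report with the wuauclt switches the explanations name. The WSUS URL and port are placeholders; "Group1" is the computer group from QUESTION 42.

```powershell
# Added example, not part of the dump. Points a standalone Windows Server 2008 R2 or Windows 7
# computer at a WSUS server through the same policy registry values that Local Group Policy
# writes, enables client-side targeting, and makes the client detect and report immediately.
# Run elevated. $WsusUrl is a placeholder: use https://<server>:<ssl port> when the WSUS site uses SSL.

$WsusUrl     = 'http://server1.example.com:8530'   # placeholder WSUS URL (QUESTION 39: https:// when SSL is configured)
$TargetGroup = 'Group1'                            # WSUS computer group from QUESTION 42

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

function Set-WsusClientPolicy {
    param([string]$Url, [string]$Group)
    foreach ($k in $PolicyKey, $AuKey) { if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null } }
    # Where to look for updates and where to report status (the policy needs both).
    Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $Url -Type String
    Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $Url -Type String
    # Client-side targeting: the client adds itself to this WSUS computer group.
    Set-ItemProperty -Path $PolicyKey -Name TargetGroupEnabled -Value 1      -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name TargetGroup        -Value $Group -Type String
    # Tell Automatic Updates to use the intranet server instead of Microsoft Update.
    Set-ItemProperty -Path $AuKey -Name UseWUServer -Value 1 -Type DWord
}

function Test-WsusClientPolicy {
    # $true only when every value a WSUS client needs is present and matches.
    param([string]$Url, [string]$Group)
    $p  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    return ($p -ne $null -and $au -ne $null -and
            $p.WUServer -eq $Url -and $p.WUStatusServer -eq $Url -and
            $p.TargetGroupEnabled -eq 1 -and $p.TargetGroup -eq $Group -and
            $au.UseWUServer -eq 1)
}

Set-WsusClientPolicy -Url $WsusUrl -Group $TargetGroup
if (-not (Test-WsusClientPolicy -Url $WsusUrl -Group $TargetGroup)) { throw 'WSUS client policy was not applied' }

# Automatic Updates reads the policy when it starts. /resetauthorization discards the cached
# targeting cookie so the new group is honoured, /detectnow checks for updates right away
# (QUESTION 41), and /reportnow sends the status report that makes the computer appear in the
# Update Services console (QUESTION 43).
Restart-Service wuauserv
wuauclt.exe /resetauthorization /detectnow
wuauclt.exe /reportnow
```

On a domain member the same values arrive through the GPO and must not be set by hand, because Group Policy rewrites them on the next refresh; on the ten standalone servers of QUESTION 40 this script is the scripted equivalent of answer D. The targeting group only takes effect when the WSUS server's Computers option is set to use Group Policy or registry settings, which is the other half of QUESTION 42.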
Reference:

QUESTION 49
Your network contains a Windows Server Update Services (WSUS) server. You have an organizational unit (OU) named Sales. The Sales OU contains all of the computer objects for the sales department. You enable client-side targeting for the Sales OU and set the target group name to Sales-Computers. You restart a sales computer. You discover that the computer is not added to the Sales-Computers computer group in WSUS. You need to ensure that all sales computers are added to the Sales-Computers group. Which options should you configure?

A. Automatic Approvals
B. Computers
C. Personalization
D. Products and Classifications

Correct Answer: B
Section: Monitoring and Managing A Network Infrastructure
/Reference:
With client-side targeting, you enable client computers to add themselves to the computer groups you create in the WSUS console. You can enable client-side targeting through Group Policy (in an Active Directory network environment) or by editing registry entries (in a non-Active Directory network environment) for the client computers. When the client computers connect to the WSUS server, they will add themselves into the correct computer group. Client-side targeting is an excellent option if you have many client computers and want to automate the process of assigning them to computer groups. To enable client-side targeting on your WSUS server, click the Use Group Policy or registry settings on client computers option on the Computers Options page.
Reference:

QUESTION 50
Your company has an IPv4 Ethernet network. A router named R1 connects your segment to the Internet. A router named R2 joins your subnet with a segment named Private1. The Private1 segment has a network address of /26. Your computer named WKS1 requires access to servers on the Private1 network. The WKS1 computer configuration is as shown in the following table. WKS1 is unable to connect to the Private1 network by using the current configuration. You need to add a persistent route for the Private1 network to the routing table on WKS1. Which command should you run on WKS1?

A. route add -p /
B. route add -p /
C. route add -p mask
D. route add -p mask

Correct Answer: B
Section: Configuring IP Addressing and Services
/Reference:
This question can be tricky, since is an interface on R1, and is an interface on R2. WKS1 is currently using as its gateway, which is interface 1 on R1. As the table shows, this is the Internet router. Our Private1 segment is /26, which is a host range of This is what we need a route to, which as the table shows is interface 2 on R2. Of the commands listed, only route add -p / will route traffic for our Private1 segment (the first parameter) to an interface on R2.

WRONG ANSWERS
route add -p /
This route points to the right router/interface, but covers a much larger host range than our Private1 segment, so traffic intended for hosts outside of Private1 will still get sent to R2 interface 2.

route add -p mask
This route specifies the right host range (IP/subnet mask), but is the current gateway, so the routes will not change. If this were , we'd have a working route (which is why I mentioned this can be tricky).

route add -p mask
This route will simply not work: it basically says all traffic destined for R2 interface 1 ( ) should be routed through , which is not a valid interface.

QUESTION 51
Your company is designing its public network. The network will use an IPv4 range of /22. The network must be configured as shown in the following exhibit.

You need to configure subnets for each segment. Which network addresses should you assign?

A. Segment A: /23, Segment B: /24, Segment C: /25, Segment D: /27
B. Segment A: /25, Segment B: /26, Segment C: /27, Segment D: /30
C. Segment A: /23, Segment B: /24, Segment C: /25, Segment D: /27
D. Segment A: /23, Segment B: /24, Segment C: /25, Segment D: /27

Correct Answer: A
Section: Configuring IP Addressing and Services
/Reference:
We should know right away that our first subnet would not use a /25 mask, as this gives our largest segment only 126 hosts, but we need 280. That's one answer eliminated. The remaining options all seem plausible at first glance, since a /23 subnet allows 510 hosts, a /24 subnet 254, a /25 subnet 126 hosts and a /27 30 hosts. This allows us enough room for the segments specified in the diagram. What we have to do is figure out which subnets are valid ranges. Starting with Segment A, /23 gives a host range of This means our next range (Segment B) should start with , but only one answer has this. That automatically eliminates the rest!
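The elimination argument above (mask big enough for the host count, then each block starting on its own boundary right after the previous one) is ordinary VLSM allocation, and it is easy to get wrong by hand under exam pressure. The following PowerShell script is an added example, not part of the dump: it allocates blocks largest-first from a base network, and separately validates a candidate answer the way the explanation does (boundary alignment, host capacity, no overlap). The dump lost the question's actual addresses, so the base network 10.0.0.0/22 and the host counts for segments B, C and D are constructed; segment A's 280 hosts and the /23, /24, /25 and /27 masks are the question's.

```powershell
# Added example, not from the dump. VLSM planning for the mask sizes in QUESTION 51.
# Base network and the B/C/D host counts are constructed; A = 280 hosts is from the question.

function ConvertTo-IpNumber {
    # Dotted quad -> int64 (no signed 32-bit overflow when adding block sizes).
    param([string]$Ip)
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function ConvertFrom-IpNumber {
    param([int64]$N)
    $octets = foreach ($div in 16777216, 65536, 256, 1) { [int]([math]::Floor($N / $div) % 256) }
    return ($octets -join '.')
}

function Get-PrefixForHosts {
    # Longest prefix whose usable host count (2^(32-p) - 2) still covers $Hosts.
    param([int]$Hosts)
    for ($p = 30; $p -ge 0; $p--) {
        if (([math]::Pow(2, 32 - $p) - 2) -ge $Hosts) { return $p }
    }
    throw "No IPv4 prefix holds $Hosts hosts"
}

function New-VlsmPlan {
    # Largest segment first, each block aligned to its own size: the rule the explanation
    # applies when it says segment B must start right after segment A's /23.
    param([string]$BaseNetwork, [int]$BasePrefix, [hashtable]$HostsBySegment)
    $start = ConvertTo-IpNumber $BaseNetwork
    $end   = $start + [int64][math]::Pow(2, 32 - $BasePrefix)   # one past the last address
    $next  = $start
    $plan  = @()
    foreach ($seg in ($HostsBySegment.GetEnumerator() | Sort-Object Value -Descending)) {
        $prefix = Get-PrefixForHosts $seg.Value
        $size   = [int64][math]::Pow(2, 32 - $prefix)
        if ($next % $size -ne 0) { $next += $size - ($next % $size) }   # align to a block boundary
        if ($next + $size -gt $end) { throw "Segment $($seg.Key) does not fit in $BaseNetwork/$BasePrefix" }
        $plan += New-Object PSObject -Property @{
            Segment   = $seg.Key
            Network   = "$(ConvertFrom-IpNumber $next)/$prefix"
            FirstHost = ConvertFrom-IpNumber ($next + 1)
            LastHost  = ConvertFrom-IpNumber ($next + $size - 2)
            Usable    = $size - 2
            Needed    = $seg.Value
        }
        $next += $size
    }
    return $plan
}

function Test-VlsmAnswer {
    # Checks a candidate answer (segment -> CIDR) the way the explanation does: every block
    # must start on its own boundary, hold the required hosts, and not overlap another block.
    param([hashtable]$Candidate, [hashtable]$HostsBySegment)
    $blocks = @()
    foreach ($seg in $Candidate.Keys) {
        $net, $prefix = $Candidate[$seg] -split '/'
        $size  = [int64][math]::Pow(2, 32 - [int]$prefix)
        $start = ConvertTo-IpNumber $net
        if ($start % $size -ne 0)                  { return "$($seg): $($Candidate[$seg]) is not on a /$prefix boundary" }
        if (($size - 2) -lt $HostsBySegment[$seg]) { return "$($seg): /$prefix holds only $($size - 2) hosts" }
        $blocks += New-Object PSObject -Property @{ Segment = $seg; Start = $start; End = $start + $size - 1 }
    }
    $sorted = @($blocks | Sort-Object Start)
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        if ($sorted[$i].Start -le $sorted[$i - 1].End) { return "$($sorted[$i].Segment) overlaps $($sorted[$i - 1].Segment)" }
    }
    return 'valid'
}

$needs = @{ A = 280; B = 200; C = 100; D = 20 }   # A from the question; B, C, D constructed
New-VlsmPlan -BaseNetwork '10.0.0.0' -BasePrefix 22 -HostsBySegment $needs |
    Format-Table Segment, Network, FirstHost, LastHost, Usable, Needed -AutoSize

# A candidate whose segment B starts inside segment A's /23 (the shape of the eliminated answers):
Test-VlsmAnswer -Candidate @{ A = '10.0.0.0/23'; B = '10.0.1.0/24'; C = '10.0.3.0/25'; D = '10.0.3.128/27' } -HostsBySegment $needs
# A candidate that gives the 280-host segment a /25:
Test-VlsmAnswer -Candidate @{ A = '10.0.0.0/25'; B = '10.0.0.128/26'; C = '10.0.0.192/27'; D = '10.0.0.224/30' } -HostsBySegment $needs
```

With the constructed counts the plan comes out as A 10.0.0.0/23, B 10.0.2.0/24, C 10.0.3.0/25 and D 10.0.3.128/27, which is the /23, /24, /25, /27 shape of the correct answer; the first test candidate is rejected because B overlaps A, and the second because a /25 holds only 126 of the 280 hosts, the two checks the explanation uses to eliminate answers.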

Reference:

QUESTION 52
Your company is designing its network. The network will use an IPv6 prefix of 2001:DB8:BBCC:0000::/53. You need to identify an IPv6 addressing scheme that will support 2,000 subnets. Which network mask should you use?

A. /61
B. /62
C. /63
D. /64

Correct Answer: D
Section: Configuring IP Addressing and Services
/Reference:
IPv6 also uses subnets, but the subnet ID is built into the address. In an IPv6 address, the first 48 bits are the network prefix. The next 16 bits are the subnet ID and are used for defining subnets. The last 64 bits are the interface identifier (which is also known as the Interface ID or the Device ID). If necessary, the bits that are normally reserved for the Device ID can be used for additional subnet masking. However, this is normally not necessary, as using a 16-bit subnet ID and a 64-bit device ID provides for 65,535 subnets with quintillions of possible device IDs per subnet.
Reference:

Any of the other network masks would simply increase the number of available networks (each with 65,535 subnets available) in IPv6. We are only being asked to support 2,000 subnets in 1 network.

QUESTION 53
Your company uses DHCP to lease IPv4 addresses to computers at the main office. A WAN link connects the main office to a branch office. All computers in the branch office are configured with static IP addresses. The branch office does not use DHCP and uses a different subnet. You need to ensure that the portable computers can connect to network resources at the main office and the branch office. How should you configure each portable computer?

A. Use a static IPv4 address in the range used at the branch office.
B. Use an alternate configuration that contains a static IP address in the range used at the main office.
C. Use the address that was assigned by the DHCP server as a static IP address.
D. Use an alternate configuration that contains a static IP address in the range used at the branch office.

Correct Answer: D
Section: Configuring IP Addressing and Services

/Reference:
Since the branch office does not use DHCP, we can specify a valid static IP for it in the alternate configuration on the adapter. This still allows connections in the main office to use the default DHCP options for the primary configuration.

WRONG ANSWERS
Using a static IP at the main office is not necessary, since the main office has DHCP. This also means DHCP will still try to get an IP at the branch office, but fail, since it does not have DHCP. Using any kind of static address in the branch office range (whether assigned by DHCP or not) would kill communication in the branch office, but we need connectivity at both offices.

QUESTION 54
You have a Windows Server 2008 R2 computer that has an IP address of /21. The server is configured to use IPv6 addressing. You need to test IPv6 communication to a server that has an IP address of /21. What should you do from a command prompt?

A. Type ping ::
B. Type ping ::
C. Type ping followed by the Link-local address of the server.
D. Type ping followed by the Site-local address of the server.

Correct Answer: C
Section: Configuring IP Addressing and Services
/Reference:
In IPv6, the link-local address is intended for communications within the same subnet. Both servers are on the same subnet, so we can use this address. Site-local addresses are the IPv6 equivalent of an IPv4 private IP: the scope is the private site, but both servers here are on the same subnet.

The first :: form is the wrong format for pinging an IPv4 address in an IPv6 environment. Not to mention, the octets are those of the server you are testing from, not the server you need to test communication with.

The second :: form is the correct format for pinging an IPv4 address in an IPv6 environment, but the octets are reversed (not to mention, they are the octets for the server you are testing from, not the server you need to test communication with).

QUESTION 55
Your network uses IPv4. You install a server that runs Windows Server 2008 R2 at a branch office.
The server is configured with two network interfaces. You need to configure routing on the server at the branch office. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Install the Routing and Remote Access Services role service.
B. Run the netsh ras ip set access ALL command.
C. Run the netsh interface ipv4 enable command.
D. Enable the IPv4 Router Routing and Remote Access option.
Correct Answer: AD
Section: Configuring IP Addressing and Services
/Reference:
We need to configure routing on the branch server, which is on an IPv4 network. Routing in Server 2008 is performed through the Routing and Remote Access service, which is available only after the broader Routing and Remote Access Services role is first installed.
netsh ras ip set access ALL
Specifies whether IPv4 network traffic from any client is forwarded to the network or networks to which the remote access server is connected. The all parameter allows clients to reach networks through the server. (MY NOTE: This command could be useful for us, but we need RAS installed first before we could use this netsh context.)
Reference:
netsh interface ipv4
This netsh command basically enables the IPv4 interface on the server, but will not configure routing.

QUESTION 56
Your network contains a server named Server1. Server1 has DirectAccess deployed. A group named Group1 is enabled for DirectAccess. Users report that when they log on to their computers, the computers are not configured to use DirectAccess. You need to ensure that the users' computers are configured to use DirectAccess. What should you do first?
A. On each client computer, add Group1 to the Distributed COM Users group.
B. On each client computer, add Group1 to the Network Configuration Operators group.
C. From Active Directory Users and Computers, add the users' user accounts to Group1.
D. From Active Directory Users and Computers, add the users' computer accounts to Group1.
Correct Answer: D
Section: Configuring Network Access
/Reference:
Group1 is enabled for DirectAccess, so without being a member of this group, DirectAccess will not work.
The scenario states the users' computers need to be configured for DirectAccess, so we add the computer accounts to the group, as opposed to the user accounts.

QUESTION 57
Your network contains an Active Directory domain named contoso.com. The network has DirectAccess deployed.

You deploy a new server named Server1 that hosts a management application. You need to ensure that Server1 can initiate connections to DirectAccess client computers. Which settings should you modify from the DirectAccess Setup console?
A. Application Servers
B. DirectAccess Server
C. Infrastructure Servers
D. Remote Clients
Correct Answer: C
Section: Configuring Network Access
/Reference:
Client computers need to know that Server1 is available when connected through DA. Infrastructure servers are where we tell DirectAccess which DNS, location and management servers are accessible on the network.
"The Infrastructure Servers wizard is likely the one you'll revisit the most often. This is where you will specify which hosts the computer accounts can access prior to a user logging onto the computer (like Domain Controllers and virus update servers) and which hosts should not be accessible over DirectAccess (like the NLS and resources you truly want to be available on the Intranet only)."
Reference:

QUESTION 58
Your network contains a client computer named Computer1 that runs Windows 7. Computer1 is configured to use DirectAccess. You need to identify the URL of the network location server that Computer1 is configured to use.
A. From a command prompt, run ipconfig.exe /displaydns.
B. From a command prompt, run netsh.exe namespace show policy.
C. From Control Panel, run the Network Adapter Troubleshooter.
D. From the Network Connection Status window, view the Network Connection Details.
Correct Answer: B
Section: Configuring Network Access
/Reference:
To ensure that the FQDN of the network location server is reachable for a DirectAccess client with Forefront UAG DirectAccess-based rules in the NRPT, the Forefront UAG DirectAccess Configuration Wizard by default adds the FQDN of the network location server as an exemption rule to the NRPT.
MY NOTE: So, the NRPT shows us where the network location server is. How do we find that information?
netsh.exe namespace show policy
This command shows the rules in the NRPT (Name Resolution Policy Table) on a DirectAccess client.
Reference:

Network Connection Details will let us know what the connectivity status is with the DA servers, but will not show us information about the NL server that has been configured.
ipconfig.exe /displaydns
This command would show us the currently configured DNS servers on the local interfaces, not the NL server being used for DA.
The Network Adapter Troubleshooter, as the name implies, is used to troubleshoot problems with the adapter. We just need to identify information associated with it.

QUESTION 59
Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2. You plan to deploy DirectAccess. You need to configure the DNS servers on your network to support DirectAccess.
A. Modify the GlobalQueryBlockList registry key and restart the DNS Server service.
B. Modify the EnableGlobalNamesSupport registry key and restart the DNS Server service.
C. Create a Trust Anchor that uses a certificate issued by an internal certification authority (CA).
D. Create a Trust Anchor that uses a certificate issued by a publicly trusted certification authority (CA).
Correct Answer: A
Section: Configuring Network Access
/Reference:
In order for DNS to support DirectAccess, ISATAP (IPv6 tunneling) must be removed from the DNS Global Query Block List. This can be done using dnscmd, as follows:
dnscmd /config /globalqueryblocklist wpad
But this edit can also be done by removing the name ISATAP from the list in the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
For the changes to take effect, you must restart the DNS Server service:
net stop dns
net start dns
Reference:

WRONG ANSWERS
EnableGlobalNamesSupport, as it implies, would allow support for a GlobalNames zone, but this is not something we need.
A trust anchor is a cryptographic key used in DNSSEC validation of zone data. This is used to encrypt/secure DNS, but is not needed for DirectAccess.
Reference:

QUESTION 60
Your network contains a server named Server1.contoso.com. Server1 is located on the internal network.

You have a client computer named Computer1 that runs Windows 7. Computer1 is located on a public network that is connected to the Internet. Computer1 is enabled for DirectAccess. You need to verify whether Computer1 can resolve Server1 by using DirectAccess. Which command should you run on Computer1?
A. nbtstat.exe -a server1.contoso.com
B. netsh.exe dnsclient show state
C. nslookup.exe server1.contoso.com
D. ping.exe server1.contoso.com
Correct Answer: D
Section: Configuring Network Access
/Reference:
ping.exe is the tool we use for verifying connectivity, regardless of whether DirectAccess is being used or not.

WRONG ANSWERS
netsh.exe dnsclient show state
This command shows the settings for the Name Resolution Policy Table (NRPT) on a DirectAccess client, including where the client is located (either on the intranet or on the Internet), whether the client has been configured with DirectAccess NRPT rules, and whether the rules are enabled. (MY NOTE: We don't need location or configuration info for our client, we need to know if it's able to resolve the address for Server1.)
Reference:
nslookup.exe will help verify that Server1 is working as a DNS server and returning the right records to clients that query it.
nbtstat.exe will show the NetBIOS resolution table of Server1. This is not used in DirectAccess.

QUESTION 61
Your network contains a server named Server1 that runs Windows Server 2008 R2. You plan to deploy DirectAccess on Server1. You need to configure Windows Firewall on Server1 to support DirectAccess connections. What should you allow from Windows Firewall on Server1?
A. ICMPv6 Echo Requests
B. ICMPv6 Redirect
C. IGMP
D. IPv6-Route
Correct Answer: A
Section: Configuring Network Access
/Reference:

To provide connectivity for Teredo-based DirectAccess clients, you need to configure Windows Firewall with Advanced Security rules for all of your domain member computers to allow Internet Control Message Protocol for Internet Protocol version 6 (IPv6) (ICMPv6) Echo Request messages.
Reference:

QUESTION 62
Your network contains a computer named Computer1 that runs Windows 7. You need to verify if Computer1 has active DirectAccess connections to the network.
A. From Network Connections, right-click the active network connection, and then click Status.
B. From Network Connections, select the active network connection, and then click Diagnose this connection.
C. From Windows Firewall with Advanced Security, click Monitoring, and then click Connection Security Rules.
D. From Windows Firewall with Advanced Security, click Monitoring, click Security Associations, and then click Main Mode.
Correct Answer: D
Section: Configuring Network Access
/Reference:
DirectAccess uses IPsec for encryption and authentication. In Server 2008, IPsec is managed through Windows Firewall with Advanced Security. Main Mode negotiation is used to establish secure channels, so this is the area of WFAS we need to check to be sure the connection is active and working.

WRONG ANSWERS
Connection Security Rules are applied before machines can communicate and secure information. Monitoring this information would not let us see if the connection is active.
Viewing the status of the active network connection will only provide us information about Computer1's adapter, and will not report any information about the DirectAccess connection.
'Diagnose this connection' is used to fix a broken connection by performing a series of common troubleshooting steps for resetting connections.
We do not have any indication that a connection is broken here; we just need to verify DA is working (which assumes the network adapter is working).

QUESTION 63
Your network contains a server that has the SNMP Service installed. You need to configure the SNMP security settings on the server. Which tool should you use?
A. Local Security Policy
B. scw
C. secedit
D. Services console

Correct Answer: D
Section: Monitoring and Managing A Network Infrastructure
/Reference:
SNMP settings are configured from the properties of the service in the Services console.

WRONG ANSWERS
secedit configures and analyzes system security by comparing your current configuration to at least one template.
Reference:
scw is a shortcut for launching the Server Configuration Wizard. We might be able to add/remove the SNMP feature here, but not configure its settings.
There are 3 local policies for SNMP that can be configured, but they manage how traps are configured, who can configure SNMP, and which communities can be queried from the server.
Reference:

QUESTION 64
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the SNMP Service installed. You perform an SNMP query against Server1 and discover that the query returns the incorrect identification information. You need to change the identification information returned by Server1.
A. From the properties of the SNMP service, modify the Agent settings.
B. From the properties of the SNMP service, modify the General settings.
C. From the properties of the SNMP Trap service, modify the Logon settings.
D. From the properties of the SNMP Trap service, modify the General settings.
Correct Answer: A
Section: Monitoring and Managing A Network Infrastructure
/Reference:
SNMP agent information is found on the Agent tab of the SNMP Service properties. To configure SNMP agent information:
1. Click Start, point to Control Panel, point to Administrative Tools, and then click Computer Management.
2. In the console tree, expand Services and Applications, and then click Services.
3. In the right pane, double-click SNMP Service.
4. Click the Agent tab.
(...)
Reference:

WRONG ANSWERS

The General tab of a service's properties lets you control the startup type of the service, and lets you Start/Stop/Restart the service as well.
The SNMP Trap service is used to allow a server to forward its SNMP data to another server.

QUESTION 65
You need to capture the HTTP traffic to and from a server every day between 09:00 and 10:00.
A. Create a scheduled task that runs the Netsh tool.
B. Create a scheduled task that runs the Nmcap tool.
C. From Network Monitor, configure the General options.
D. From Network Monitor, configure the Capture options.
Correct Answer: B
Section: Monitoring and Managing A Network Infrastructure
/Reference:
Network Monitor does not provide its own scheduling options, but instead works with Microsoft's built-in Task Scheduler. So we need to create a new task, but this means we have to specify a fully working command. nmcap is the fully functional command-line interface for Network Monitor.
netsh is used for configuring a variety of server roles and networking components.

QUESTION 66
You perform a security audit on a server named Server1. You install the Microsoft Network Monitor 3.0 application on Server1. You find that only some of the captured frames display host mnemonic names in the Source column and the Destination column. All other frames display IP addresses. You need to display mnemonic host names instead of IP addresses for all the frames.
A. Create a new display filter and apply the filter to the capture.
B. Create a new capture filter and apply the filter to the capture.
C. Populate the Aliases table and apply the aliases to the capture.
D. Configure the Network Monitor application to enable the Enable Conversations option. Recapture the data to a new file.
Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
/Reference:
Aliases allow you to turn IP addresses into names that make sense in a particular network capture.
For example, you could label one machine as Server and another machine as Client.
Reference:

QUESTION 67
Your network contains an Active Directory domain named contoso.com. The network is configured to use ISATAP. You have a server named Server1 that runs Windows Server 2008 R2. On Server1, you discover that a tunnel adapter named isatap.contoso.com has a media state of "Media disconnected". You confirm that Server1 has a valid network connection and can query the DNS server. You need to ensure that the isatap.contoso.com tunnel adapter has an IPv6 address.
A. Start the IP Helper service.
B. Start the IPsec Policy Agent service.
C. Add a new rule to Windows Firewall.
D. Add an entry for ISATAP to the Hosts file.
Correct Answer: A
Section: Configuring IP Addressing and Services
/Reference:
The IP Helper service works with the IPv6 protocol, of which ISATAP tunneling is a feature. This service specifically loads network configuration, so starting it should restore the ISATAP tunnel. (The question specifies that the network connection of the server is valid; only the tunnel is down.)

WRONG ANSWERS
The purpose of the IPsec Policy Agent is to retrieve policy information and pass it to other IPsec components that require this information to perform security services. We are not dealing with an IPsec tunnel, so you would not start this service.
Reference:
Windows Firewall rules are used to work with IPsec tunnels, not ISATAP tunnels.
The Hosts file controls name resolution. This would let us specify what IP address isatap.contoso.com gets resolved to by other clients, but would not restore the ISATAP tunnel. We are told Server1 already has a valid connection, so its endpoint should be able to resolve the address.

QUESTION 68
Your company has a branch office that contains 1,000 computers. You need to select a network address that supports 1,000 computers in the same subnet. The solution must minimize the number of unused addresses in the subnet. Which address range should you configure?
A. /16
B. /18
C. /22

D. /24
Correct Answer: C
Section: Configuring IP Addressing and Services
/Reference:
A standard /24 subnet allows for 254 hosts, so it will not work. We need more hosts, so we have to shrink our subnet mask. Each bit we remove doubles the number of supported hosts. This means a /22 subnet gives us 1,022 hosts, just enough to cover our scenario. The /16 and /18 subnets would work, but would allow for a massive number of hosts beyond the 1,000 needed.

QUESTION 69
Your network contains a computer named Computer1. Computer1 is assigned an IP address of /26. Your company's corporate policy states that the first usable address in each subnet is allocated to the default gateway. You need to configure the default gateway for Computer1. Which address should you choose?
A.
B.
C.
D.
Correct Answer: C
Section: Configuring IP Addressing and Services
/Reference:
A /26 subnet mask is 2 bits longer than the Class C (/24) mask, which allows 256 addresses. For each extra bit, we halve the number of available addresses. This means we have 64 addresses on each subnet. So the first network in our scenario would end with , and the next network would start with , which is also the gateway address.

QUESTION 70
Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2. You have an IPv6-only infrastructure that has multiple subnets. You deploy a new server named Server1. You need to ensure that Server1 can communicate with the client computers in all of the internal subnets. The solution must use an address that is reserved for internal networks. Which address should you assign?
A. 2001::68c0:9f7c:8393:c214
B. fc00::68c0:9f7c:8393:c214
C. fe80::68c0:9f7c:8393:c214

D. ff02::68c0:9f7c:8393:c214
Correct Answer: B
Section: Configuring IP Addressing and Services
/Reference:
The fc00:: prefix is reserved for unique local (internal network) addressing. This is the prefix we should be assigning an address from.

WRONG ANSWERS
The fe80:: prefix is reserved for link-local addressing (local subnet only). This would restrict communication to only one subnet, not allow communication with all of them.
The ff02:: prefix is reserved for multicasting, sending a packet to multiple addresses at once. This does not necessarily ensure communication with all such clients or subnets.
The 2001:: prefix is reserved for Teredo addressing (IPv6 clients in an IPv4 network).
Reference:

QUESTION 71
Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has a single network connection. The connection is configured to use a default gateway address of . The default gateway has a metric value of 100. You configure a second default gateway that uses an address of . You need to ensure that is only used as the default gateway if is unreachable.
A. For the interface, set the interface metric to 100.
B. For the gateway, set the metric to 50.
C. For the gateway, set the metric to 200.
D. For the gateway and the gateway, enable automatic metric.
Correct Answer: C
Section: Configuring IP Addressing and Services
/Reference:
Each of the answers mentions configuring a metric, which is a value that specifies which routes should "cost" more than others. A lower metric is a "cheaper" route and will be used by the router before other options. We want the second gateway to be used only if the first is unreachable, so we basically want it to have a higher "cost", or metric. Since the existing default gateway has a metric of 100, only specifying a metric of 200 for the second gateway will work.
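A worked example for the address arithmetic behind QUESTION 68, QUESTION 69 and QUESTION 70, added here and not part of the original dump. It uses Python's standard ipaddress module to size a subnet for a host count, derive the first usable address that the QUESTION 69 policy hands to the default gateway, and classify an IPv6 address by the prefixes the explanations above name. The function names are mine; the sample IPv4 addresses are constructed from the RFC 5737 documentation range (192.0.2.0/24), and the IPv6 samples are the four options of QUESTION 70.

```python
import ipaddress

# Address-planning helpers (added example). Sample addresses are constructed:
# 192.0.2.0/24 is a documentation range, not a value from the exam questions.


def subnet_summary(interface):
    """Describe the IPv4 subnet that an interface address belongs to.

    Returns network, broadcast, first/last usable host and the usable count.
    The first usable address is what the QUESTION 69 policy ('first usable
    address in each subnet') allocates to the default gateway.
    """
    iface = ipaddress.IPv4Interface(interface)
    net = iface.network
    usable = max(net.num_addresses - 2, 0)   # /31 and /32 leave no host range
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(net.network_address + 1) if usable else None,
        "last_usable": str(net.broadcast_address - 1) if usable else None,
        "usable_hosts": usable,
    }


def smallest_subnet_for(hosts):
    """Longest IPv4 prefix whose subnet still leaves `hosts` usable addresses.

    Each bit removed from the mask doubles the block, so walk from /30
    downwards until 2^(32 - prefix) - 2 covers the demand
    (QUESTION 68: 1000 hosts needs a /22, which gives 1022).
    """
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("no IPv4 subnet holds that many hosts")


# IPv6 prefixes named in QUESTION 54 and QUESTION 70, most specific first.
# 2001::/32 is the Teredo prefix; any other 2001:... address is ordinary
# global unicast (the table is this example's own, not the dump's).
IPV6_SCOPES = [
    ("::ffff:0:0/96", "IPv4-mapped"),
    ("2001::/32", "Teredo"),
    ("fe80::/10", "link-local"),
    ("fec0::/10", "site-local (deprecated)"),
    ("fc00::/7", "unique local"),
    ("ff00::/8", "multicast"),
]


def ipv6_scope(address):
    """Classify an IPv6 address by the first prefix in IPV6_SCOPES it falls in."""
    addr = ipaddress.IPv6Address(address)
    for prefix, name in IPV6_SCOPES:
        if addr in ipaddress.IPv6Network(prefix):
            return name
    return "global unicast"


def reserved_for_internal_networks(address):
    """True only for unique local addresses (fc00::/7).

    Link-local never crosses a router and multicast addresses a group, not a
    host, so neither satisfies QUESTION 70's 'all internal subnets' requirement.
    """
    return ipv6_scope(address) == "unique local"


if __name__ == "__main__":
    print(subnet_summary("192.0.2.130/26"))      # gateway candidate: 192.0.2.129
    print("/%d" % smallest_subnet_for(1000))      # /22
    for a in ("2001::68c0:9f7c:8393:c214", "fc00::68c0:9f7c:8393:c214",
              "fe80::68c0:9f7c:8393:c214", "ff02::68c0:9f7c:8393:c214"):
        print(a, ipv6_scope(a), reserved_for_internal_networks(a))
```

When pinging a link-local address (the QUESTION 54 answer) on Windows, remember that fe80:: addresses are only unique per link, so the target must carry a zone index such as fe80::1%12, where 12 is the local interface index; the classifier above does not strip or validate that suffix.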

WRONG ANSWERS
Automatic metric sounds like something that would work, but according to Microsoft:
"The Automatic Metric feature can be useful when the routing table contains multiple routes for the same destination. For example, if you have a computer with a 10 megabit (Mb) network interface and a 100 Mb network interface, and the computer has a default gateway that is configured on both network interfaces, the Automatic Metric feature assigns a higher metric to the slower network interface. This feature can force all of the traffic that is destined for the Internet, for example, to use the fastest network interface that is available."
Reference:
A metric of 50 will force the second gateway to always be used before the first, achieving the opposite of what we want.
I am not clear on what "interface" we might set a metric for, but notice a metric of 100 matches the metric of the current default gateway, balancing the load of your traffic. This is not the desired effect.

QUESTION 72
Your network contains a server named Server1 that has the Routing role service installed. Server1 has two network connections. One network connection connects to the internal network. The other network connection connects to the Internet. All network connections connected to the internal network use private IP addresses. You install a Web server named Web1. Web1 hosts a secured Web site that only allows connections over TCP port . Web1 is connected to the internal network. You need to ensure that the secure Web site can be accessed from the Internet. What should you do from the Routing and Remote Access console?
A. Configure Routing Information Protocol (RIP), and then activate authentication on the RIP interface.
B. Configure Routing Information Protocol (RIP), and then configure the incoming packet protocol settings on the RIP interface.
C. Configure Network Address Translation (NAT), and then add a new service to the NAT interface.
D.
Configure Network Address Translation (NAT), and then enable the Secure Web Server (HTTPS) service on the NAT interface.
Correct Answer: C
Section: Configuring Network Access
/Reference:
Web1 is part of the internal network. In order for private clients like Web1 to be reached from the Internet, NAT must be used to translate requests to the specific interface. You would not enable the HTTPS service because this uses port 443. The secure web site on Web1 is configured for port . Thus, we need to create a custom service on the NAT interface for this port.
RIP is used for configuring routes between 2 routing servers.

QUESTION 73
Your network contains the servers configured as shown in the following table.

Your company is assigned the public IP addresses from to . You need to ensure that Web1 is accessible from the Internet by using . What should you do from the Routing and Remote Access console?
A. From the Static Routes node, configure a static route.
B. From the server properties, configure SSL Certificate Binding.
C. From the NAT interface, add an address pool and a reservation.
D. From the NAT interface, configure the Secure Web Server (HTTPS) service.
Correct Answer: C
Section: Configuring IP Addressing and Services
/Reference:
Web1 currently doesn't have a public IP assigned to it, so it won't be accessible from the Internet by a public IP in our reserved range. This means we need to assign a public IP to it from our pool. In the RRAS console, this is done from the Address Pool tab (which appears only when NAT is configured as a public interface connected to the Internet!). Unfortunately, as per the article below, we must configure at least one address pool before creating a reservation. That is why both things need to be done here.
Reference:

QUESTION 74
Your network contains multiple servers that run Windows Server 2008 R2. The servers have the Routing and Remote Access Services (RRAS) role service installed. The servers are configured to support Routing Information Protocol (RIP). You need to prevent the server from receiving routes for the network. What should you do from the Routing and Remote Access console?
A. From the RIP properties page, modify the General settings.
B. From the RIP properties page, modify the Security settings.
C. From the RIP interface properties page, modify the Security settings.
D. From the RIP interface properties page, modify the Neighbors settings.
Correct Answer: C
Section: Configuring IP Addressing and Services
/Reference:
IPv4 - RIP - Interface Properties - Security tab
Dialog box element: Ignore all routes in the ranges listed
Description: For incoming routes, specifies that the router looks at each route entry in an incoming RIP announcement and discards the route if it falls into one of the ranges listed.
Reference:

WRONG ANSWERS
IPv4 - RIP Properties - Security tab
This contains settings for how announcements are accepted from routers, as well as the IP of the router and other routers in the setup.
Reference:
IPv4 - RIP - Interface Properties - Neighbors tab
This contains settings to specify how RIP announcements are sent to neighboring routers.
Reference:
IPv4 - RIP Properties - General tab
This contains settings for how to log data and what interval to use for updates to routes.
Reference:

QUESTION 75
Your network contains a server named Server1 that runs Windows Server 2008 R2. The network contains multiple subnets. An administrator reports that Server1 fails to communicate with computers on remote subnets. You run route.exe print on Server1 as shown in the exhibit. (Click the Exhibit button.) You need to ensure that Server1 can communicate with all computers on the network.
Exhibit:

A. Disable IPv6.
B. Change the subnet mask.
C. Add a default gateway address.
D. Change the default metric to 100.
Correct Answer: C
Section: Configuring Network Access
/Reference:
Communication with remote subnets requires a valid gateway for the packets to be routed to. In the exhibit, however, the gateway for all routes is "On-link". This means that these addresses will not be routed through another network. Therefore, we need to specify a gateway so that the addresses are routed to the remote networks.
Reference:

WRONG ANSWERS
Changing the metric to 100 will specify a certain route as "cheaper" for the interface to use for traffic, but

currently remote communication isn't even working.
While having IPv6 enabled can cause problems at times with servers trying to communicate on networks not designed around IPv6, disabling it will not allow communication with other subnets.
Changing the subnet mask will make the problem worse, as it will define Server1 to be in a different network segment altogether (not even able to communicate with hosts on the same physical network!).

QUESTION 76
Your network contains two servers named Server1 and Server2. Server1 and Server2 run the Server Core installation of Windows Server 2008 R2. You need to duplicate the Windows Firewall configurations from Server1 to Server2. What should you use?
A. the Get-Item and the Set-Item cmdlets
B. the Get-Service and the Set-Service cmdlets
C. the netsh tool
D. the sconfig tool
Correct Answer: C
Section: Configuring Network Access
/Reference:
NETSH (Network Shell): Configure Network Interfaces, Windows Firewall, Routing & remote access. (...)
dump - Display a configuration script. netsh dump creates a script that contains the current configuration. If saved to a file, this can be used to restore the configuration settings.
exec - Run a script file. exec loads a script file and runs it.
Reference:

WRONG ANSWERS
"...in Windows Server 2008 R2, there's an easy to use CLI, SCONFIG. SCONFIG dramatically eases server configuration for Windows Server 2008 R2 core deployments."
Reference:
Get-Service and Set-Service let you view services and their properties, or change their parameters. Similarly, Get-Item and Set-Item allow you to retrieve, edit and save namespace objects (files, registry entries, etc.).
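Added example, not from the original dump: a small parser for the "Active Routes" rows of route.exe print output, used to check the two things QUESTION 71 and QUESTION 75 reason about, namely which default route the stack will use (the lowest metric wins) and whether any default route with a real next hop exists at all. The two route tables below are constructed with documentation addresses (192.0.2.0/24) and constructed metrics; they are not the exhibit QUESTION 75 refers to, and the function names are mine.

```python
import ipaddress
from dataclasses import dataclass

# Constructed route.exe print excerpts (documentation addresses, constructed
# metrics). Columns: Network Destination, Netmask, Gateway, Interface, Metric.
TWO_DEFAULT_GATEWAYS = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        192.0.2.1      192.0.2.10     100
          0.0.0.0          0.0.0.0        192.0.2.2      192.0.2.10     200
        192.0.2.0    255.255.255.0          On-link      192.0.2.10     276
       192.0.2.10  255.255.255.255          On-link      192.0.2.10     276
===========================================================================
"""

# The QUESTION 75 situation: every route is on-link, nothing leaves the subnet.
NO_DEFAULT_GATEWAY = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        192.0.2.0    255.255.255.0          On-link      192.0.2.10     276
       192.0.2.10  255.255.255.255          On-link      192.0.2.10     276
"""


@dataclass
class Route:
    destination: str
    netmask: str
    gateway: str        # an IPv4 next hop, or "On-link" for directly connected
    interface: str
    metric: int


def parse_route_print(text):
    """Pull the IPv4 'Active Routes' rows out of route.exe print output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # header, separator, blank
        try:
            ipaddress.IPv4Address(parts[0])
            ipaddress.IPv4Address(parts[1])
            metric = int(parts[4])
        except ValueError:
            continue                      # not a data row
        routes.append(Route(parts[0], parts[1], parts[2], parts[3], metric))
    return routes


def default_routes(routes):
    """All 0.0.0.0/0 entries, lowest metric first (the order the stack prefers)."""
    return sorted(
        (r for r in routes if r.destination == "0.0.0.0" and r.netmask == "0.0.0.0"),
        key=lambda r: r.metric,
    )


def active_default_gateway(routes):
    """Next hop used for remote subnets, or None when nothing routes off-link."""
    for r in default_routes(routes):
        if r.gateway.lower() != "on-link":
            return r.gateway
    return None


def diagnose(text):
    """Explain reachability of remote subnets in the terms of QUESTION 71/75."""
    routes = parse_route_print(text)
    gw = active_default_gateway(routes)
    if gw is None:
        return "no default gateway: every route is on-link, add a default gateway"
    backups = [r.gateway for r in default_routes(routes) if r.gateway != gw]
    return f"default gateway {gw}, backups by metric: {backups}"


if __name__ == "__main__":
    print(diagnose(TWO_DEFAULT_GATEWAYS))
    print(diagnose(NO_DEFAULT_GATEWAY))
```

The metric column that route.exe print shows is the sum of the interface metric and the gateway metric, which is why the QUESTION 71 explanation treats the gateway metric as the knob: raising it to 200 on the second gateway keeps that row below the first in this ordering without touching the interface.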

QUESTION 77
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has several custom inbound rules and connection security rules. You need to duplicate the Windows Firewall rules from Server1 to Server2. What should you do on Server1?
A. At the Command Prompt, run netsh.exe advfirewall dump.
B. At the Command Prompt, run netsh.exe advfirewall show > firewall.txt.
C. From the Windows Firewall with Advanced Security console, click Export Policy.
D. From the Windows Firewall with Advanced Security console, click the Connection Security Rules node, and then click Export List.
Correct Answer: C
Section: Configuring Network Access
/Reference:
We need to export the settings from Server1 and then import them to Server2. You can replicate firewall configurations using the WFAS Import Policy and Export Policy options found in the WFAS snap-in or console.
Reference:

WRONG ANSWERS
Clicking Export List from the Connection Security Rules context will give us a way to duplicate Connection Security Rules only, not Windows Firewall rules.
netsh.exe advfirewall dump
This command is available for some netsh contexts, but is not implemented for the netsh advfirewall context or any of its three subcontexts. It produces no output, but also generates no error.
netsh.exe advfirewall show
Displays settings that apply globally, or to the per-profile configurations of Windows Firewall with Advanced Security. (MY NOTE: The > firewall.txt will redirect this display to a file called firewall.txt.)
Reference:

QUESTION 78
Your network contains two Active Directory sites named Site1 and Site2. Site1 contains a server named Server1. Server1 runs a custom application named App1. Users in Site2 report that they cannot access App1 on Server1. Users in Site1 can access App1. Server1 has a Windows Firewall with Advanced Security rule named Rule1. You discover that Rule1 blocks the connection to App1.
You verify that Server1 has no connection security rules. You need to ensure that the Site2 users can connect to Server1. What should you modify in Rule1?
A. the Authorized Computers list
B. the Authorized Users list

C. the Edge Traversal settings
D. the Scope
Correct Answer: D
Section: Configuring Network Access
/Reference:
We are informed that there are no Connection Security Rules. This simplifies troubleshooting, in that it allows us to focus only on what aspect of Rule1 may be blocking the connection. Authorized Users and Authorized Computers lists allow us to limit connections from specific users/computers, but we are not told that only specific users/computers are being restricted. We are informed all users in Site2 cannot access App1. This is likely because the firewall rule does not have a scope limiting it to Site1 only. So if we change the scope, we can make sure the rule does not apply to users in Site2's subnet.
Edge traversal is used to allow an application, service or port to be accessible from outside a NAT or edge device (when tunneling between 2 networks of different security levels). Site1 and Site2 are 2 AD sites, but we are given no indication they are separated by different network devices (and we would not expect this, since they are both on the internal network).

QUESTION 79
Your network contains a server named Server1 that has Windows Server 2008 R2. An administrator runs the following command on Server1:
netsh.exe advfirewall reset
You discover that you can no longer access Server1 on port . You need to ensure that you can access Server1 on port . Which firewall rule should you enable?
A. File and Printer Sharing (Echo Request ICMPv4-In)
B. File and Printer Sharing (SMB-In)
C. Remote Desktop (TCP-In)
D. Remote Service Management (RPC)
Correct Answer: C
Section: Configuring Network Access
/Reference:
Port 3389 is used by Remote Desktop.
RPC uses TCP and UDP ports 80, 443 and 593 (HTTP), as well as 445 (Named Pipes) and 135 (Endpoint Mapper), and a dynamic port for each program that uses the service.
File and Printer Sharing (SMB) uses TCP ports 139 and 445, and UDP ports 137 and 138.
Reference:
Enabling the File and Printer Sharing (Echo Request ICMPv4-In) rule would allow IPv4 ping requests to Server1.

QUESTION 80

Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 hosts a custom application named App1. App1 is accessible on TCP port
You need to encrypt App1 data on the network.
A. From the Local Security Policy console, configure the Security options.
B. From the Local Security Policy console, configure the Application Control policies.
C. From the Windows Firewall with Advanced Security console, create an Inbound Rule.
D. From the Windows Firewall with Advanced Security console, create a Connection Security Rule.
Correct Answer: D
Section: Configuring Network Access
Explanation/Reference:
Explanation:
Since we want to encrypt data on the local network, we have to create a Connection Security Rule in WFAS.
WRONG ANSWERS
An Inbound Rule would allow us to block / allow certain traffic coming into the server, but does not provide encryption.
Application Control policies specify which programs are allowed to run on the local computer and which are not.
Reference:
In the Local Security Policy console, Security Options allows us to configure a number of policies related to user accounts, logons, network access, devices and network security, restricting access to certain features of Windows. This does not provide encryption.

QUESTION 81
Your network contains an Active Directory domain. All client computers run Windows XP Service Pack 3 (SP3). The domain contains a member server named Server1 that runs Windows Server 2008 R2. On Server1, you create a connection security rule that requires authentication for inbound and outbound connections. You configure the connection security rule to use Kerberos authentication.
You need to ensure that the client computers can connect to Server1. The solution must ensure that all connections to Server1 are encrypted.
A. From the Windows Firewall with Advanced Security console, create an inbound rule on Server1.
B. From the Windows Firewall with Advanced Security console, create an outbound rule on Server1.
C. From a Group Policy object (GPO), enable the Client (Respond Only) IPSec policy on all client computers.
D. From a Group Policy object (GPO), configure the Network Security: LDAP client signing requirements policy setting for all client computers.
Correct Answer: C
Section: Configuring Network Access
Explanation/Reference:
Explanation:
You've created a rule that requires authentication, but have not configured clients with an IPSec policy to respond to these requests. So the simplest fix is obviously to deploy a Client (Respond Only) policy.
WRONG ANSWERS
LDAP client signing requirements: This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests.
Reference:
WFAS rules are for restricting packets to a server, not encrypting. Creating a connection security rule was the right choice, so we should be able to encrypt our connections if we configure everything right.

QUESTION 82
Your network contains one Active Directory domain. You have a member server that runs Windows Server 2008 R2.
You need to immediately disable all incoming connections to the server.
A. From the Services snap-in, disable the IP Helper.
B. From the Services snap-in, disable the Netlogon service.
C. From Windows Firewall, enable the Block all connections option on the Public profile.
D. From Windows Firewall, enable the Block all connections option on the Domain profile.
Correct Answer: D
Section: Configuring Network Access
Explanation/Reference:
Explanation:
If we block all connections on the Domain profile, then all network connections on the domain will get dropped.
WRONG ANSWERS
The scenario states we are set up in an AD domain, and we are not explicitly told that we are in any kind of perimeter network (which would usually not involve a domain computer but a standalone). So blocking connections for the Public profile will not stop connections from the domain.
Every Windows NT workstation, server, or domain controller has a Netlogon service. This service is responsible for communication between systems in response to a logon request, a domain synchronization request, and a request to promote a Backup Domain Controller (BDC) to a Primary Domain Controller (PDC).
(MY NOTE: This would prevent the server from processing logon requests)
Reference:
IP Helper (service name 'iphlpsvc') is apparently designed to improve a Windows PC's support for the IPv6 network protocol.
Reference:

QUESTION 83
Your network consists of a single Active Directory domain. The domain contains a server named Server1 that runs Windows Server 2008 R2.

All client computers run Windows 7. All computers are members of the Active Directory domain. You assign the Secure Server (Require Security) IPsec policy to Server1 by using a Group Policy object (GPO). Users report that they fail to connect to Server1.
You need to ensure that users can connect to Server1. All connections to Server1 must be encrypted.
A. Restart the IPsec Policy Agent service on Server1.
B. Assign the Client (Respond Only) IPsec policy to Server1.
C. Assign the Server (Request Security) IPsec policy to Server1.
D. Assign the Client (Respond Only) IPsec policy to all client computers.
Correct Answer: D
Section: Configuring IP Addressing and Services
Explanation/Reference:
Explanation:
You've assigned a policy that requires security, but have not configured clients with an IPSec policy to respond to these requests. So the simplest fix is obviously to deploy a Client (Respond Only) policy. This needs to be assigned to all client computers that will connect to Server1, not to Server1 itself.
WRONG ANSWERS
Server (Request Security) would conflict with the existing Require Security policy, and could potentially allow clients to communicate that are not encrypting.
The purpose of the Policy Agent is to retrieve IPSec policy information and pass it to the other IPSec mechanisms that require that information to perform security services.
(MY NOTE: Although IPSec communication is not working, we have no indication the clients have been assigned a policy, so we shouldn't worry yet about the Policy Agent)
Reference:

QUESTION 84
Your company has a server that runs Windows Server 2008 R2. You have a new application that locates remote resources by name. The new application requires IPv6.
You need to ensure that the application can locate remote resources by using IPv6.
A. Create a new Pointer (PTR) DNS record.
B. Create a new Quad-A (AAAA) DNS record.
C. Create a new Signature (SIG) DNS record.
D. Create a new Route Through (RT) DNS record.
Correct Answer: B
Section: Configuring IP Addressing and Services
Explanation/Reference:
Explanation:
DNS host records (A) are used to locate remote resources by name (translating them to an IP). In IPv6, the host record is known as a Quad-A (AAAA) record.
WRONG ANSWERS
PTR records are used for reverse DNS (locating a name for a particular IP), so adding a new PTR record achieves the opposite of what we need.
A SIG record is used in DNSSEC (secure DNS). We are not told we have or need such an environment.
Reference:
The route through (RT) resource record specifies an intermediate host that routes packets to a destination host. This is typically used in conjunction with X.121 addresses on an X.25 network.
Reference:

QUESTION 85
Your corporate network has a member server named RAS1 that runs Windows Server 2008 R2. You configure RAS1 to use the Routing and Remote Access Services (RRAS). The company's remote access policy allows members of the Domain Users group to dial in to RAS1. The company issues smart cards to all employees.
You need to ensure that smart card users are able to connect to RAS1 by using a dial-up connection.
A. Install the Network Policy Server (NPS) server role on RAS1.
B. Create a remote access policy that requires users to authenticate by using SPAP.
C. Create a remote access policy that requires users to authenticate by using EAP-TLS.
D. Create a remote access policy that requires users to authenticate by using MS-CHAP v2.
Correct Answer: C
Section: Configuring Network Access
Explanation/Reference:
Explanation:
VPN server software requirements for smart card access are relatively straightforward. The remote access servers must run Windows 2000 Server or later, have Routing and Remote Access enabled, and must support Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).
Reference:

QUESTION 86
You perform a security audit of a server named DC1. You install the Microsoft Network Monitor 3.0 application on DC1.
You plan to capture all the LDAP traffic that comes to and goes from the server between 20:00 and 07:00 the next day and save it to the E:\data.cap file. You create a scheduled task. You add a new Start a program action to the task.
You need to add the application name and the application arguments to the new action.

A. Add nmcap.exe as the application name. Add the /networks * /capture LDAP /file e:\data.cap /stopwhen /timeafter 11hours line as arguments.
B. Add netmon.exe as the application name. Add the /networks * /capture LDAP /file e:\data.cap /stopwhen /timeafter 11hours line as arguments.
C. Add nmcap.exe as the application name. Add the /networks * /capture !LDAP /file e:\data.cap /stopwhen /timeafter 11hours line as arguments.
D. Add nmconfig.exe as the application name. Add the /networks * /capture &LDAP /file e:\data.cap /stopwhen /timeafter 11hours line as arguments.
Correct Answer: A
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
nmcap.exe is the command-line utility for capturing packets with Network Monitor. Specifying !LDAP will capture everything but LDAP traffic, so we would not want the ! in front of LDAP.
netmon.exe is the executable for the graphical Network Monitor application.
nmconfig.exe is used for managing the Network Monitor driver that is needed to capture packets on a network adapter.

QUESTION 87
Your network contains 100 servers that run Windows Server 2008 R2. A server named Server1 is deployed on the network. Server1 will be used to collect events from the Security event logs of the other servers on the network.
You need to define the Custom Event Delivery Optimization settings on Server1.
Which tool should you use?
A. Event Viewer
B. Task Scheduler
C. wecutil
D. wevtutil
Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
Set event delivery optimization.
wecutil ss "subscription-name" /cm:normal|minlatency|minbandwidth|custom
You can modify a subscription with the ss (set subscription) command. The /cm switch enables you to change the Event Delivery Optimization settings (shown as the Advanced Subscription Settings in Figure 26-7 after clicking the Advanced button). You can use the /cm:custom switch to configure more advanced settings, such as changing the latency.
This requires an additional switch as shown in the next example.
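As an added, complete version of that example (my PowerShell, not the dump's or Microsoft's), the script below writes a subscription.xml of the kind Question 89 asks for, creates the subscription with wecutil cs, then applies the switches that go with wecutil ss /cm:custom and checks the result; the server names, subscription name and interval values are assumptions.

```powershell
# Added example, not from the original dump or from Microsoft's article.
# Run elevated on the collector (Server1). Assumptions (not from the page):
# "wecutil qc" has already been run on the collector and "winrm quickconfig" on
# every source, the collector's computer account is a local administrator on
# each source (needed to read the Security log), and the source names,
# subscription name and timing values below are placeholders.

$SubscriptionId = 'BranchSecurityFailures'
$Sources = @('Server2', 'Server3')
$XmlPath = Join-Path $env:TEMP 'subscription.xml'

# One <EventSource> element per source for a collector-initiated subscription.
$sourceXml = ($Sources | ForEach-Object {
    '    <EventSource Enabled="true"><Address>{0}</Address></EventSource>' -f $_
}) -join "`r`n"

# ConfigurationMode Custom is what "wecutil ss /cm:custom" also selects; the
# query forwards only Audit Failure events (Keywords bit 0x10000000000000).
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Audit failures from the branch office Server Core hosts</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>20</MaxItems>
      <MaxLatencyTime>60000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="60000"/>
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@

[System.IO.File]::WriteAllText($XmlPath, $subscriptionXml)

# Question 89: create the subscription from the file.
wecutil cs $XmlPath
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }

# Question 87: the additional switches that go with /cm:custom. Latency and
# heartbeat are in milliseconds; here each event is pushed at most 30 s after it
# occurs, one item per delivery, with a heartbeat every minute.
wecutil ss $SubscriptionId /cm:custom /dmi:1 /dmlt:30000 /hi:60000
if ($LASTEXITCODE -ne 0) { throw "wecutil ss failed with exit code $LASTEXITCODE" }

# Verify: gs prints the stored settings, gr the per-source runtime status
# (an access-denied status here is the symptom Question 96 describes).
wecutil gs $SubscriptionId
wecutil gr $SubscriptionId
```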

Reference: %20with%20event%20subscriptions%20-%20managing%20subscriptions%20with%20wecutil%20%20%20logging%20events%20with%20eventcreate.aspx
You wouldn't figure any of this out from Microsoft's bulky article, unfortunately.

QUESTION 88
Your network contains a server that runs Windows Server 2008 R2. You plan to create a custom script.
You need to ensure that each time the script runs, an entry is added to the Application event log.
Which tool should you use?
A. eventcreate
B. eventvwr
C. wecutil
D. wevtutil
Correct Answer: A
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
Eventcreate enables an administrator to create a custom event in a specified event log.
Reference:
WRONG ANSWERS
wevtutil enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.
Reference:
wecutil is for configuring event subscriptions from a collector computer.
eventvwr is simply for viewing event logs.

QUESTION 89
Your company has a main office and a branch office. The branch office has three servers that run a Server Core installation of Windows Server 2008 R2. The servers are named Server1, Server2, and Server3. You want to configure the Event Logs subscription on Server1 to collect events from Server2 and Server3. You discover that you cannot create a subscription on Server1 from another computer.
You need to configure a subscription on Server1.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the wecutil cs subscription.xml command on Server1.
B. Run the wevtutil im subscription.xml command on Server1.
C. Create an event collector subscription configuration file. Name the file subscription.xml.
D. Create a custom view on Server1 by using Event Viewer. Export the custom view to a file named subscription.xml.
Correct Answer: AC
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
If we can't create the subscription remotely from the server, then we can do so locally. We first need to create a subscription configuration, in this case subscription.xml, then import that configuration on Server1.
Run the wecutil cs subscription.xml command on Server1. This would create a new subscription on Server1, based on the subscription.xml created previously.
WRONG ANSWERS
Custom views only define what kinds of events are shown while browsing event logs; they do not help us with creating a subscription.
wevtutil im subscription.xml would attempt to install event publishers and logs based on the subscription.xml file. This is certainly not what we want to do!
Reference:

QUESTION 90
Your company has an Active Directory domain that has two domain controllers named DC1 and DC2. You prepare both servers to support event subscriptions. On DC1, you create a new default subscription for DC2.
You need to review system events for DC2.
Which event log should you select?
A. System log on DC1
B. Application log on DC2
C. Forwarded Events log on DC1
D. Forwarded Events log on DC2
Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
The Forwarded Events log on DC1 should show us events from DC2 that have been forwarded to DC1. We would not want to view any standard event logs on either server, as they would not show us events that were forwarded as a result of the subscription. They'd show us all events in the specified log.

QUESTION 91
Your company has a network that has 100 servers. A server named Server1 is configured as a file server. Server1 is connected to a SAN and has 15 logical drives. You want to automatically run a data archiving script if the free space on any of the logical drives is below 30 percent.
You need to automate the script execution. You create a new Data Collector Set.
What should you do next?
A. Add the Event Trace data collector.
B. Add the Performance counter alert.
C. Add the Performance counter data collector.
D. Add the System Configuration Information data collector.
Correct Answer: B
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
You can create a custom Data Collector Set containing performance counters and configure alert activities based on the performance counters exceeding or dropping below limits you define. After creating the Data Collector Set, you must configure the actions the system will take when the alert criteria are met.
(...)
To create a Data Collector Set to monitor Performance counters
1. In the Windows Performance Monitor navigation pane, expand Data Collector Sets, right-click User Defined, point to New, and click Data Collector Set. The Create new Data Collector Set Wizard starts.
2. Enter a name for your Data Collector Set.
3. Select the Create manually option and click Next.
4. Select the Performance Counter Alert option and click Next.
Reference:

QUESTION 92
Your company has a network that has 100 servers. You install a new server that runs Windows Server 2008 R2. The server has the Web Server (IIS) server role installed. After a week, you discover that the Reliability Monitor has no data, and that the Systems Stability chart has never been updated.
You need to configure the server to collect the Reliability Monitor data.
A. Run the perfmon.exe /sys command on the server.
B. Configure the Task Scheduler service to start automatically.
C. Configure the Remote Registry service to start automatically.
D. Configure the Secondary Logon service to start automatically.
Correct Answer: B
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
Reliability Monitor uses data provided by the RACAgent scheduled task, a pre-defined task that runs by default on a new installation of Windows Vista. If it is disabled, it must be enabled manually from the Task Scheduler snap-in for MMC.
Reference:

QUESTION 93
Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2. You have a server named Server1 that hosts shared documents. Users report extremely slow response times when they try to open the shared documents on Server1. You log on to Server1 and observe real-time data indicating that the processor is operating at 100 percent of capacity.
You need to gather additional data to diagnose the cause of the problem.
A. In the Performance Monitor console, create a counter log to track processor usage.
B. In Event Viewer, open and review the Application log for Performance events.
C. In Resource Monitor, use the Resource View to see the percentage of processor capacity used by each application.
D. In Performance Monitor, create a performance counter alert that will be triggered when processor usage exceeds 80 percent for more than five minutes on Server1.
Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
We need additional data, and we need it now! Resource Monitor will let us see how much CPU is used by each application, after which we should be able to kill whatever is hogging the CPU.
Performance Monitor will not necessarily give us additional data related to the CPU that would be helpful for diagnosis.
The Application log will not likely give us detailed information for troubleshooting; at best it will let us know that the system has recognized certain processes are running slower than expected.

QUESTION 94
Your network contains 200 servers that run Windows Server 2008 R2.
You need to archive the Security log for each server on a daily basis.
Which tool should you use?
A. netsh
B. secedit
C. wecutil
D. wevtutil
Correct Answer: D
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
wevtutil enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.
Reference:
WRONG ANSWERS
wecutil is used for configuring event subscriptions from a collector.
netsh is used for configuring server roles and components, not for working with event logs.
secedit configures and analyzes system security by comparing your current configuration to at least one template.
Reference:

QUESTION 95
Your network contains a server named Server1 that runs Windows Server 2008 R2. You have a user named User1.
You need to ensure that User1 can view the events in the Security event log. The solution must minimize the number of rights assigned to User1.
A. In Event Viewer, filter the Security log.
B. In Event Viewer, configure the properties of the Security log.
C. In the Local Security Policy console, modify the Security Options.
D. In the Registry Editor, add a Security Descriptor Definition Language (SDDL) value.
Correct Answer: D
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
The Security Descriptor for each log is specified by using Security Descriptor Definition Language (SDDL) syntax.
(...)
To construct an SDDL string, note that there are three distinct rights that pertain to event logs: Read, Write, and Clear. These rights correspond to the following bits in the access rights field of the ACE string:
1 = Read
2 = Write
4 = Clear
MY NOTE: Basically, we can restrict access to event logs using SDDL syntax to specify Read-only access for a user.
Reference:

QUESTION 96
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. From Server1, you create a collector-initiated subscription that uses Server2 as a source computer. You verify the event subscription and discover the error message shown in the exhibit. (Click the Exhibit button.)

You need to ensure that the subscription collection runs successfully.
Exhibit:
A. On Server1, run winrm quickconfig.
B. On Server2, run winrm quickconfig.
C. From the properties of the subscription, modify the User Account options.
D. From the properties of the subscription, modify the Protocol and Port options.
Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
The exhibit shows that currently, the account that is being used is getting denied. This means we need an account with the right privileges.
"On the Advanced Subscription Settings dialog box, you can either specify an event delivery optimization or specify the account used to manage the process of collecting events."
Reference:
winrm quickconfig: This command is used to configure remote operations on a Server 2008 machine, but if this were not configured our error message would indicate it could not find the services.
Protocol and Port options: I cannot find anything online about what this is.

QUESTION 97
Your network contains a server named Server1 that runs Windows Server 2008 R2.
You need to ensure that an administrator is notified by e-mail if the Event Viewer logs any error.
What should you do from the Event Viewer console?
A. Create a custom view, and then click the Filter Current Custom View action.
B. Create a custom view, and then click the Attach Task to This Custom View action.
C. From the System log, click the Filter Current Log action.
D. From the System log, select an Error event, and then click the Attach Task to This Event action.
Correct Answer: B
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
To send e-mails when certain events are logged, we need to Attach a Task in Event Viewer. The scenario states any error in the event logs should be e-mailed, so we would attach the task to a custom view (displaying all errors) rather than only the System log.
We would not click Filter Current Custom View, as this does not create the task we need to send an e-mail.

QUESTION 98
Your network contains a server named Server1 that runs Windows Server 2008 R2. You have a user named User1.
You need to ensure that User1 can schedule Data Collector Sets (DCS) on Server1. The solution must minimize the number of rights assigned to User1.
A. Add User1 to the Performance Log Users group.
B. Add User1 to the Performance Monitor Users group.
C. Assign the Profile Single Process user right to User1.
D. Assign the Bypass Traverse Checking user right to User1.
Correct Answer: A
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
Windows Performance Monitor uses a consistent scheduling method for all data collection.
During Data Collector Set creation, you can configure the schedule by selecting Open properties for this data collector set at the end of the Create New Data Collector Set Wizard. After a Data Collector Set has been created, you can access the schedule options by right-clicking the Data Collector Set name in the Microsoft Management Console (MMC) navigation pane and selecting Properties.
Membership in the local Performance Log Users or Administrators group, or equivalent, is the minimum required to complete this procedure.

Reference:

QUESTION 99
Your network contains a server named Server1 that runs Windows Server 2008 R2.
You need to identify which processes perform the most disk writes and disk reads per second.
Which tool should you use?
A. Disk Management
B. Reliability Monitor
C. Resource Monitor
D. Storage Explorer
Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
Resource Monitor displays per-process and aggregate CPU, memory, disk, and network usage information, in addition to providing details about which processes are using individual file handles and modules. Advanced filtering allows users to isolate the data related to one or more processes (either applications or services), start, stop, pause, and resume services, and close unresponsive applications from the user interface. It also includes a process analysis feature that can help identify deadlocked processes and file locking conflicts so that the user can attempt to resolve the conflict instead of closing an application and potentially losing data.
Reference:
WRONG ANSWERS
The Reliability Monitor snap-in for Microsoft Management Console (MMC) provides a system stability overview and details about events that impact reliability.
Reference:
You can use Disk Management in this version of Windows to perform disk-related tasks such as creating and formatting partitions and volumes, and assigning drive letters.
Reference:
With Storage Explorer, you can view and manage the Fibre Channel and iSCSI fabrics that are available in your storage area network (SAN).
Reference:

QUESTION 100
You need to document the following configurations of a server that runs Windows Server 2008 R2:
System services
Startup programs
Hardware configuration
Current CPU, network, disk, and memory utilization
Which command should you run?
A. mrinfo.exe localhost
B. msinfo32.exe
C. perfmon.exe /report
D. systeminfo.exe
Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
perfmon.exe /report without any other parameters will generate the System Diagnostics report. This is a report detailing the status of local hardware resources, system response times, and processes on the local computer along with system information and configuration data.
(MY NOTE: Keep in mind that system reliability info. is new for PerfMon in Server 2008, which is why it is being tested and also why it is the answer. Essentially, the report it generates is using a load of WMI queries)
Reference:
msinfo32.exe can be used to obtain information on the first 3 items, but not the current resource utilization.
systeminfo.exe can be used to view some very basic hardware and OS information, and memory usage, but does not report services, startup programs or current CPU / network / disk resources.
mrinfo.exe queries multicast routers.
Reference:

QUESTION 101
Your network contains a server named Server1 that runs Windows Server 2008 R2. You discover that the server unexpectedly shut down several times during the past week.
You need to identify what caused the shutdowns and which software was recently installed.
What should you click from Action Center?
A. Maintenance, and then View Reliability History
B. Troubleshooting, and then Programs
C. Troubleshooting, and then System and Security
D. Troubleshooting, and then View history
Correct Answer: A
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
Reliability Monitor is an advanced tool that measures hardware and software problems and other changes to your computer.
(...)
The Reliability Monitor is intended for advanced computer users, such as software developers and network administrators.
1. Open Action Center by clicking the Start button, clicking Control Panel, and then, under System and Security, clicking Review your computer's status.
2. Click Maintenance. Then, under Check for solutions to problem reports, click View reliability history.
3. In Reliability Monitor, you can:
Click any event on the graph to view its details.
Click Days or Weeks to view the stability index over a specific period of time.
Click items in the Action column to view more information about each event.
Click View all problem reports to view only the problems that have occurred on your computer. This view doesn't include the other computer events that show up in Reliability Monitor, such as events about software installation.
Reference:

QUESTION 102
You create a Data Collector Set (DCS).
You need to prevent the DCS from logging data if the server has less than 1 GB of available disk space.
A. Create a passive file screen.
B. Create an active file screen.
C. Modify the Data Manager settings of the DCS.
D. Modify the Stop Conditions settings of the DCS.
Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Explanation:
I believe this should be 'Modify the Stop Conditions settings of the DCS' but have not seen a dump provide details here.
An explanation for Data Manager settings is provided further down, but here is an excerpt from MS on Stop Conditions:
A single stop condition, or a combination of multiple criteria, can be used to automatically halt or restart the collection of data from a Data Collector Set.
Reference:
The scenario states we want to prevent logging when the disk space is maxed, so this would seem to work. All options in the Data Manager tab seem to simply delete old performance data so logging can continue when the size limit is reached!
To configure data management for a Data Collector Set
1. In Windows Performance Monitor, expand Data Collector Sets and click User Defined.
2. In the console pane, right-click the name of the Data Collector Set that you want to configure and click Data Manager.
3. On the Data Manager tab, you can accept the default values or make changes according to your data retention policy. See the table below for details on each option.
(...)
Data Manager Properties
Minimum free disk: The amount of disk space that must be available on the drive where log data is stored. If selected, previous data will be deleted according to the Resource policy that you choose when the limit is reached.
Reference:

QUESTION 103
Your network contains an Active Directory domain. The domain contains two servers named Server1 and Server2. All servers run Windows Server 2008 R2 and have Windows Firewall turned on.
You need to ensure that you can use Event Viewer on Server2 to access the Application log on Server1.
A. On Server2, create a new Event Subscription.
B. On Server2, modify the Outbound firewall rules.
C. On Server1, modify the Inbound firewall rules.
D. On Server1, modify the settings on the Application log.
Correct Answer: C
Section: Configuring Network Access
Explanation/Reference:
Explanation:
The firewall has been enabled for all servers, so remote connections to those servers (via snap-ins, etc.) are likely being blocked. We need to modify firewall rules on Server1 to allow the remote connection.
The settings of the Application log will let us control the size, location, security, etc., but nothing that affects remote access.

QUESTION 104
Your network contains an Active Directory domain. The domain contains a member server named Server1. Server1 has a single network connection.
You need to log every attempt to connect to Server1 on a restricted port.
A. Change the settings of the Private firewall profile.
B. Change the settings of the Domain firewall profile.
C. Modify the properties of the Inbound firewall rules.
D. Modify the properties of the Outbound firewall rules.
Correct Answer: C
Section: Configuring Network Access
Explanation/Reference:
Explanation:
Attempts to connect to Server1 would be inbound, so we need to modify Inbound firewall rules for that restricted port.
A firewall profile is a way of grouping settings, such as firewall rules and connection security rules, that are applied to the computer depending on where the computer is connected.
Reference:

QUESTION 105
Your company has a network that has an Active Directory domain. The domain has two servers named DC1 and DC2. You plan to collect events from DC2 and transfer them to DC1. You configure the required subscriptions by selecting the Normal option for the Event delivery optimization setting and by using the HTTP protocol.

168 You discover that none of the subscriptions work. You need to ensure that the servers support the event collectors. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.) A. Run the wecutil qc command on DC1. B. Run the wecutil qc command on DC2. C. Run the winrm quickconfig command on DC1. D. Run the winrm quickconfig command on DC2. E. Add the DC2 account to the Administrators group on DC1. F. Add the DC1 account to the Administrators group on DC2. Correct Answer: ADF Section: Monitoring and Managing A Network Infrastructure /Reference: : To collect events on DC1, we need to run wecutil qc. To collect events from DC2, we need to run winrm quickconfig The question does not specify that only certain logs are being forwarded, so it is implied that all are going to be forward. Therefore, in order for DC1 to read Security events, it needs to be an administrator on DC2. To configure computers in a domain to forward and collect events 1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges. 2. On each source computer, type the following at an elevated command prompt: winrm quickconfig Note If you intend to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, then you must also run the above command on the collector computer. 3. On the collector computer, type the following at an elevated command prompt: wecutil qc 4. Add the computer account of the collector computer to the local Administrators group on each of the source computers. Reference: QUESTION 106 Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the Routing and Remote Access service (RRAS) role service installed. You need to view all inbound VPN packets. The solution must minimize the amount of data collected. A. From RRAS, create an inbound packet filter. B. From Network Monitor, create a capture filter.

C. From the Registry Editor, configure File Tracing for RRAS.
D. At the command prompt, run netsh.exe ras set tracing rasauth enabled.

Correct Answer: B
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
To view live packets, we simply need to use Network Monitor.

WRONG ANSWERS
RRAS inbound packet filters function to prevent certain types of incoming traffic.
Reference:
File tracing for RRAS is the equivalent of logging, for when you need to troubleshoot connection problems.
netsh.exe ras set tracing rasauth: this command, as is implied by its syntax, would enable tracing (logging) specifically for RAS authentication.
Reference:

QUESTION 107
Your network contains an Active Directory domain. The network has DirectAccess deployed. You deploy the DirectAccess Connectivity Assistant (DCA) to all client computers. You need to ensure that users can view their DirectAccess status by using the DCA. Which two Group Policy settings should you configure? (Each correct answer presents part of the solution. Choose two.)

A. Dynamic Tunnel Endpoints (DTEs)
B. Corporate Portal Site
C. Corporate Resources
D. Portal Name

Correct Answer: AC
Section: Configuring Network Access
Explanation/Reference:
The Dynamic Tunnel Endpoints policy specifies the endpoints of the IPsec tunnels that enable DirectAccess. It is through these tunnels that the DCA attempts to access the resources specified in the CorporateResources setting. Corporate Portal Site specifies the URL of an externally accessible Web site to which the DCA can refer users to help troubleshoot DirectAccess issues. PortalName specifies the friendly name of the corporate portal Web site.
Reference:

QUESTION 108

Your network contains two Active Directory forests named contoso.com and fabrikam.com. You have a standalone Network Policy Server (NPS) named NPS1. You have a VPN server named VPN1. VPN1 is configured as a RADIUS client to NPS1. You need to ensure that users from both forests can establish VPN connections by using their own domain accounts.

A. On NPS1, configure Remediation Server groups.
B. On NPS1, configure Connection Request Policies.
C. On VPN1, modify the DNS Suffix Search Order.
D. On VPN1, modify the IKEv2 Client Connection Controls.

Correct Answer: B
Section: Configuring Network Access
Explanation/Reference:
You can create connection request policies so that some RADIUS request messages sent from RADIUS clients are processed locally (NPS is being used as a RADIUS server) and other types of messages are forwarded to another RADIUS server (NPS is being used as a RADIUS proxy). (MY NOTE: In our case, each forest needs a server to forward requests to the other, depending on the domain, since users need to connect 'by using their own domain accounts'.)
Reference:

WRONG ANSWERS
Remediation server groups are used to specify servers that are available to noncompliant Network Access Protection (NAP) clients for the purpose of remediating their health state to comply with health requirements. The type of remediation servers that are required depends on your health requirements and network access methods.
Reference:
The DNS Suffix Search Order controls which DNS domain is attempted first when resolving hostnames while connected to the VPN. We need people to use their own accounts when they are first trying to connect!
Routing and Remote Access Service (RRAS) supports Internet Key Exchange version 2 (IKEv2), a VPN tunneling protocol described in RFC The primary advantage of IKEv2 is that it tolerates interruptions in the underlying network connection.
Reference:

QUESTION 109
Your network contains a domain controller named DC1 and a member server named Server1.
You save a copy of the Active Directory Web Service (ADWS) event log on DC1. You copy the log to Server1. You open the event log file on Server1 and discover that the event description information is unavailable. You need to ensure that the event log file displays the same information when the file is open on Server1. What should you do on Server1?

A. Create a custom view.
B. Import a custom view.
C. Copy the SYSVOL folder to DC1.
D. Copy the LocaleMetaData folder from DC1.

Correct Answer: D
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
To troubleshoot events that were logged on a remote computer, you must export and archive the log with the display information. The display information for the saved events is stored in the LocaleMetaData folder and should be moved with the log information when the information is viewed on another computer.
Reference:
SYSVOL does not contain information about how to interpret event logs. Custom views simply allow us to control which events we can view, but do not provide the metadata required to interpret certain types of events.

QUESTION 110
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. The network contains a client named Computer1 that runs Windows 7. All communication between Server1 and Server2 is encrypted by using IPSec. Communication between the server and the client does not require IPSec encryption. You need to ensure that you can connect to Server1 by using the IP Security Monitor on Computer1.

A. Apply an IP Security policy to Computer1.
B. Create a Connection Security rule on Computer1.
C. Add a value to the PolicyAgent registry key on Server1.
D. Modify the Advanced Audit Policy Configuration on Server1.

Correct Answer: C
Section: Configuring IP Addressing and Services
Explanation/Reference:
"Before you can monitor IPsec on a remote computer, you must first add the computer to the snap-in. You must have administrator-level access to the remote computer to add it and monitor IPsec."
"If the IPsec services are not started on the computer that is being monitored, the server icon is displayed as a stopped service."
"On computers running Windows Server 2003 and later, you must set the EnableRemoteMgmt registry key to 1 on the remote computer and restart the IPsec service. Otherwise, you will get an "IPsec service not running" error from the snap-in. The registry key is located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent."
Reference:

WRONG ANSWERS
Applying an IPSec policy to Computer1 will encrypt communications between the 2 servers, but we are being asked about how to connect to Server1 using the IP Security Monitor snap-in. Similarly, Connection Security rules help configure authentication for IPSec, but this is not needed to remotely manage Server1 using the snap-in. Advanced Audit Policy Configuration is a subset of 53 security audit policies for Windows.
Reference:

QUESTION 111
Your network contains a server that runs Windows Server 2008 R2. You create a User Defined Data Collector Set (DCS) named Set1. You need to ensure that the reports generated for Set1 are stored for at least one year.

A. From the properties of Set1, modify the Task settings.
B. From the properties of Set1, modify the Schedule settings.
C. From Data Manager for Set1, modify the Actions settings.
D. From Data Manager for Set1, modify the Data Manager settings.

Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
"Folder actions allow you to choose how data is archived before it is permanently deleted. You may decide to disable the Data Manager limits in favor of managing all data according to these folder action rules." So we need to configure a folder action. This is available from the "Actions" tab.
"With Data Management, you can configure how log data, reports, and compressed data are stored for each Data Collector Set." We need to configure how much data is stored, not how it is stored (a small difference, I know, which is what makes the question tricky).
Reference:

QUESTION 112
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the IIS role installed. You need to review the contents of the IIS-Configuration Analytic event log on Server1. You configure Event Viewer to show the Analytic log. What should you do next?

A. Attach a task to the log.
B. Create a custom view for the log.
C. Modify the Subscriptions list for the log.
D. Modify the General properties of the log.

Correct Answer: D
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Analytic and Debug logs are disabled by default. (...)
To enable Analytic and Debug logs by using the Windows interface:
1. Start Event Viewer.
2. Ensure that Analytic and Debug logs are visible by following the steps in Show or Hide Analytic and Debug Logs.
3. In the console tree, navigate to and select the Analytic or Debug log you want to enable.
4. On the Action menu, click Properties.
5. On the properties dialog box, select Enable logging and click OK.
(MY NOTE: Properties always brings up the default tab first. In this case, it is the General tab.)
Reference:

QUESTION 113
Your network contains two separate subnets named Subnet1 and Subnet2. Subnet1 contains a Windows Server 2008 R2 Core installation named Server1. Computers on Subnet1 can access resources on the Internet. Subnet2 is an isolated subnet. You deploy a new WSUS server named Server2 in Subnet2. You need to replicate the metadata from Server1 to Server2. What should you do on Server1?

A. Run wsusutil.exe and specify the export parameter.
B. Run wsusutil.exe and specify the movecontent parameter.
C. Run wbadmin.exe and specify the start backup parameter.
D. Run wbadmin.exe and specify the start systemstatebackup parameter.

Correct Answer: A
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
wsusutil.exe export exports update metadata to an export package file. This could later be transferred to Server2 for replication of Server1's configuration. wsusutil.exe movecontent moves the WSUS store from one server to another. We were asked only to replicate the data, leaving it on both servers.
Reference:
wbadmin.exe would back up the entire volume, or the system state, on Server1. This is much more data than is needed for WSUS.

QUESTION 114
Your network contains an Active Directory domain named contoso.com. An administrator named Admin1 plans to install the Routing and Remote Access service (RRAS) role service on a server named Server1. Admin1 is not a member of the Domain Admins group.

You need to ensure that Server1 can authenticate users from Active Directory by using Windows authentication.

A. Add the computer account to the RAS and IAS Servers group.
B. Add the computer account for Server1 to the Windows Authorization Access Group.
C. Install the Network Policy Server (NPS) role service on a domain controller.
D. Install the Active Directory Lightweight Directory Services (AD LDS) role on Server1.

Correct Answer: A
Section: Configuring IP Addressing and Services
Explanation/Reference:
To enable the Routing and Remote Access service:
1. If this server is a member of an Active Directory domain and you are not a domain administrator, instruct your domain administrator to add the computer account of this server to the RAS and IAS Servers security group in the domain of which this server is a member.
Reference:

WRONG ANSWERS
NPS allows you to provide local and remote network access and to define and enforce policies for network access authentication and authorization.
Reference:
Windows Authorization Access Group: members of this group can read the constructed tokengroupsglobalanduniversal (TGGAU) attribute on user, inetorgperson, group, and computer objects. TGGAU contains a list of the object's global and universal group memberships, and an application can use this information, for example, to make decisions about users that are not logged on.
Reference:
By using the Windows Server 2008 Active Directory Lightweight Directory Services (AD LDS) role, formerly known as Active Directory Application Mode (ADAM), you can provide directory services for directory-enabled applications without incurring the overhead of domains and forests and the requirements of a single schema throughout a forest.
Reference:

QUESTION 115
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the Network Policy Server (NPS) role installed. You need to ensure that the NPS log files on Server1 contain information about client connections.

A. Enable the Accounting requests settings.
B. Enable the Authentication requests settings.
C. Configure the IAS (Legacy) log file format.
D. Configure the DTS Compliant log file format.

Correct Answer: D
Section: Configuring Network Access
Explanation/Reference:
The DTS Compliant log format is the newest one, and only its XML has attributes for session duration. As per the TechNet article below, it is also the recommended log format for NPS logging.

WRONG ANSWERS
"ODBC and IAS legacy file types contain a subset of the information that NPS sends to its SQL Server database." This means
Reference:
In Forwarding Connection Request, you can select either Authentication or Accounting to specify whether NPS forwards the authentication request or accounting request to a remote RADIUS server group or whether NPS processes the authentication or accounting request locally.
Reference:

QUESTION 116
You need to use link-local IPv6 addresses to perform multicasting. Which IPv6 prefix should you use?

A. fd00::/8
B. fe80::/10
C. fec0::/10
D. ff00::/8

Correct Answer: D
Section: Configuring IP Addressing and Services
Explanation/Reference:
The ff00:: prefix is specifically reserved for IPv6 multicasting. The fd00:: prefix is used for random, local addressing. The fe80:: prefix is used for link-local (same subnet) addressing. Multicasting is sending packets to multiple hosts at once, on any connected subnet. The fec0:: prefix is used for site-local (same company) addressing. This could help make sure communication would be performed with all necessary subnets, but it is not usable for multicasting. Note: this prefix is now obsolete (though it may not have been when the MS tests were designed).
References:

QUESTION 117
Your network contains a server named Server1 that runs Windows Server 2008 R2.

On Server1, you run route add mask metric 10. You restart Server1, and then run the route command as shown in the exhibit. (Click the Exhibit button.) You need to ensure that after you restart Server1, Server1 routes all of the traffic for /24 by using the route of Which command should you run on Server1?
Exhibit:

A. netstat -f
B. netstat -p ip
C. route add mask metric 10 -p
D. route add mask metric 1 -f

Correct Answer: C
Section: Configuring IP Addressing and Services
Explanation/Reference:
Since the route that was added does not persist across a reboot, we need to make it persistent. This is done with the -p parameter of the route add command. To make a static route persistent, you can either enter route add commands in a batch file that is run during system startup or use the -p option when adding routes.

Reference:
The -f parameter for route add will clear the routing tables for the gateway before running the command. netstat is used to view current TCP/IP connections on the local computer, and does not have a -f or -p parameter.

QUESTION 118
Your network has Network Access Protection (NAP) policies deployed. You need to identify the health agent compliance status of a client computer. Which command should you run?

A. net config workstation
B. net statistics workstation
C. netsh nap client show config
D. netsh nap client show state

Correct Answer: D
Section: Configuring Network Access
Explanation/Reference:
netsh nap client show state: displays state information, including client access restriction state, the state of installed enforcement clients and system health agents, and the client compliance and remediation results. (MY NOTE: In English, this basically means this is the command to view the compliance status of NAP clients.)
netsh nap client show config: displays configuration settings and state information for the NAP client, including CSP, enforcement client, tracing, and trusted server group configurations.
Reference:
net config workstation: displays and allows you to make changes to the settings for the Workstation service while the service is running.
Reference:
net statistics workstation: displays the statistics log for the local Workstation service.
Reference:

QUESTION 119
Your network contains a Windows Server Update Services (WSUS) server named Server1. You discover that certain updates listed in the WSUS administrative console are unavailable on Server1. You need to ensure that all of the updates listed in the WSUS administrative console are available on Server1. What should you do on Server1?

A. Restart the Update Services service.
B. Run wsusutil.exe and specify the reset parameter.
C. Run wuauclt.exe and specify the detectnow parameter.

D. Run wsusutil.exe and specify the deleteunneededrevisions parameter.

Correct Answer: B
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
wsusutil.exe reset checks that every update metadata row in the database has corresponding update files stored in the file system. If update files are missing or have been corrupted, WSUS downloads the update files again. wsusutil.exe deleteunneededrevisions purges the update metadata for unnecessary update revisions from the database. We are not storing unnecessary revisions, but rather missing specific updates on the local WSUS server.
Reference:
wuauclt.exe /detectnow would force Server1 to check whether new updates are available. However, our problem is that the updates themselves are not even installed: the files are not available. The question mentions that the administrative console does list the updates as being available already. Other than the updates not being downloaded, WSUS is functioning normally, so restarting the Update Services service is not likely to help.

QUESTION 120
Your company has a main office and five branch offices. The branch offices connect to the main office by using a WAN link. Each branch office has 100 client computers that run Windows XP or Windows Vista. All servers run Windows Server 2008 R2. The main office has a Windows Server Update Services (WSUS) server. You need to minimize the amount of WAN traffic used to download updates from the WSUS server.

A. From Windows Explorer, enable Offline Files.
B. From a Group Policy, enable Allow BITS Peercaching.
C. From a Group Policy, enable the Set BranchCache Hosted Cache mode setting.
D. From a Group Policy, enable the Set BranchCache Distributed Cache mode setting.

Correct Answer: B
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Windows Update and Microsoft Update use the Background Intelligent Transfer Service (BITS) to download updates. You can optimize download performance by configuring BITS through Group Policy. (...) Peer caching can optimize bandwidth in the following ways:
Decreases the data that is transferred from the WSUS server to client computers because computers in the same subnet will usually download the updates from each other.
Decreases the data that is transferred across the WAN when some or all of the client computers of a WSUS

server are located in different locations.
Decreases the data that is transferred across the Internet if WSUS client computers that are located in the same subnet are configured to download updates from Microsoft Update.
Reference:

QUESTION 121
Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers. The servers are configured as shown in the following table. You plan to give users access to the file shares on Server2 by using DirectAccess. You need to ensure that you can deploy DirectAccess on Server3.

A. Add a static IPv6 address to DC1.
B. Add a static IPv6 address to Server2.
C. Upgrade DC1 to Windows Server 2008 R2.
D. Upgrade Server2 to Windows Server 2008 R2.

Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
DirectAccess requires the following:
One or more DirectAccess servers running Windows Server 2008 R2 (with or without UAG) (MY NOTE: this would be Server3 once DA is deployed) with two network adapters: one that is connected directly to the Internet and one that is connected to the intranet. DirectAccess servers must be a member of an AD DS domain.
On the DirectAccess server, at least two consecutive, public IPv4 addresses assigned to the network adapter that is connected to the Internet.
DirectAccess client computers that are running Windows 7 Enterprise or Windows 7 Ultimate. DirectAccess clients must be members of an AD DS domain.
At least one domain controller and DNS server that is running Windows Server 2008 SP2 or Windows Server 2008 R2. When UAG is used, DirectAccess can be deployed with DNS servers and domain controllers that are running Windows Server 2003 when NAT64 functionality is enabled. (MY NOTE: DC1 is our DNS server but is currently running Server 2003, so unless NAT64 is enabled we must upgrade DC1.)
A public key infrastructure (PKI) to issue computer certificates (MY NOTE: this would be Server1), and optionally, smart card certificates for smart card authentication and health certificates for NAP. For more information, see Public Key Infrastructure on the Microsoft Web site.

Without UAG, an optional NAT64 device to provide access to IPv4-only resources for DirectAccess clients. DirectAccess with UAG provides a built-in NAT64.
Reference:
Server2 is merely a file server; the OS present on it is irrelevant to the use of DirectAccess. Adding a static address to it, or to DC1, might be important for many reasons but will not allow our environment to meet the requirements for DirectAccess.

QUESTION 122
Your network contains an Active Directory domain. The domain contains 10 domain controllers that run Windows Server 2008 R2. You need to monitor the following information on the domain controllers during the next five days:
Memory usage
Processor usage
The number of LDAP queries

A. Use the System Performance Data Collector Set (DCS).
B. Use the Active Directory Diagnostics Data Collector Set (DCS).
C. Create a User Defined Data Collector Set (DCS) that uses the System Performance template.
D. Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template.

Correct Answer: D
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Memory usage and processor usage are part of the System Performance DCS, but LDAP queries are not. The opposite applies to the AD Diagnostics DCS. To get both sets of data, we have to create a custom (user-defined) DCS. The AD Diagnostics template would have the LDAP information, so we can customize it to easily add the memory and processor use.

QUESTION 123
Your network contains a server that runs a Server Core installation of Windows Server 2008 R2. You need to configure outbound firewall rules on the server. Which tool should you use?

A. netcfg
B. netsh
C. ocsetup
D. servermanagercmd

Correct Answer: B
Section: Configuring Network Access
Explanation/Reference:
netsh advfirewall add rule: adds a new inbound or outbound firewall rule that filters traffic by allowing or blocking network packets that match the specified criteria.
Reference:

WRONG ANSWERS
netcfg: installs the Windows Preinstallation Environment (WinPE), a lightweight version of Windows used to deploy workstations.
Reference:
servermanagercmd: installs and removes roles, role services, and features. Also displays the list of all roles, role services, and features available, and shows which are installed on this computer.
Reference:
You can use OCSetup.exe on a computer running Windows Vista or Windows Server 2008 to install or uninstall:
Microsoft System Installer (MSI) files that are passed to the Windows Installer service (MSIExec.exe)
Component-Based Servicing (CBS) components that are passed to Package Manager
CBS or MSI packages that have an associated custom installer.exe file
Reference:

QUESTION 124
Your network contains a server that runs Windows Server 2008 R2. On the server, you run ipconfig.exe as shown in the exhibit. (Click the Exhibit button.) You need to ensure that the server can access remote TCP/IPv6 hosts.
Exhibit:

A. Add a default gateway.
B. Modify the subnet mask.
C. Configure an IPv6 address.
D. Disable Internet Protocol Version 4 (TCP/IPv4).

Correct Answer: C
Section: Configuring IP Addressing and Services
Explanation/Reference:
In the exhibit, the interface is using a link-local IPv6 address, the IPv6 equivalent of APIPA. This means it really has no access to IPv6 hosts that are assigned a specific address in that environment. Configuring a static address would remedy this.

WRONG ANSWERS
We do not need to add a default gateway; one is already available for IPv4. As long as that gateway can handle IPv6, we would be able to send requests to it once we are on the IPv6 network. If that gateway couldn't handle IPv6, then we would need to change the gateway. The IPv4 subnet mask is correct for the currently assigned IPv4 address. Disabling IPv4 at this point would kill all connectivity the machine has, as it currently is not assigned an IPv6 address on the network (it's merely using link-local addressing).

QUESTION 125
You need to configure a static IPv6 address for a server that runs a Server Core installation of Windows Server 2008 R2. Which tool should you use?

A. ipconfig
B. netsh
C. ocsetup
D. servermanagercmd

Correct Answer: B
Section: Configuring IP Addressing and Services
Explanation/Reference:
We basically need to use the netsh int ip add address command to add a static address to the interface. You can use commands in the Netsh Interface IP context to configure the TCP/IP protocol (including addresses, default gateways, DNS servers, and WINS servers) and to display configuration and statistical information. (...) add address: adds an IP address and a default gateway on a specified interface configured with a static IP address.
Reference:

WRONG ANSWERS
ipconfig: displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings.
Reference:
servermanagercmd: installs and removes roles, role services, and features. Also displays the list of all roles, role services, and features available, and shows which are installed on this computer.
Reference:
You can use OCSetup.exe on a computer running Windows Vista or Windows Server 2008 to install or uninstall:
Microsoft System Installer (MSI) files that are passed to the Windows Installer service (MSIExec.exe)
Component-Based Servicing (CBS) components that are passed to Package Manager
CBS or MSI packages that have an associated custom installer.exe file
Reference:

QUESTION 126
Your network contains three servers named Server1, Server2, and Server3 that have the Network Policy Server (NPS) role service installed. On Server1, you configure a Remote RADIUS Server Group that contains Server2 and Server3. On Server2 and Server3, you configure Server1 as a RADIUS client. You configure Server2 and Server3 to authenticate remote users. You need to configure Server1 to forward RADIUS authentication requests to Server2 and Server3. What should you create on Server1?

A. a Connection Request policy
B. a Server Health policy
C. a Network policy
D. a Remediation Server group

Correct Answer: A
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
...if you want to forward connection requests to one or more RADIUS servers in untrusted domains, you can configure NPS as a RADIUS proxy to forward the requests to the remote RADIUS servers in the untrusted domain. To configure NPS as a RADIUS proxy, you must create a connection request policy that contains all of the information required for NPS to evaluate which messages to forward and where to send the messages.
Reference:

WRONG ANSWERS
Remediation server groups are used to specify servers that are available to noncompliant Network Access Protection (NAP) clients for the purpose of remediating their health state to comply with health requirements. The type of remediation servers that are required depends on your health requirements and network access

methods.
Reference:
Network policies use conditions, settings, and constraints in order to determine who can connect to the network.
Reference:

QUESTION 127
Your network contains two servers named Server1 and Server2 that run a Server Core installation of Windows Server 2008 R2. Server1 has the SNMP Service installed. You need to ensure that Server2 can send SNMP traps to Server1.

A. On Server1, run oclist snmp-sc.
B. On Server2, run oclist snmp-sc.
C. On Server1, run dism /online /enable-feature /featurename:snmp-sc.
D. On Server2, run dism /online /enable-feature /featurename:snmp-sc.

Correct Answer: D
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
First of all, oclist was superseded by dism with the release of R2, so we would use dism. Secondly, all of the commands listed essentially install the SNMP service for Server Core, so we need to do this on Server2, since Server1 already has SNMP installed. Server2 is essentially just going to be set up to send its SNMP traps to Server1 for management/monitoring.
Reference:

QUESTION 128
Your network contains a server that runs Windows Server 2008 R2 named Server1. You install a new application on Server1. After the installation, you discover that Server1 frequently becomes unavailable. You need to identify whether the issues on Server1 coincide with the installation of the application.

A. From Reliability Monitor, review the reliability details.
B. From Administrative Tools, run Windows Memory Diagnostic.
C. From the System Configuration utility, select Diagnostic startup.
D. From the command prompt, run the Program Compatibility Wizard.

Correct Answer: A
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
Reliability Monitor shows you your system stability history at a glance and lets you see details on a day-by-day

basis about events that impact reliability. (MY NOTE: This will basically let us see what kind of errors and events are associated with system lockups, so we can see what was happening around the time the application was installed.)
Reference:

WRONG ANSWERS
...the Program Compatibility Wizard, which can be used to make setting adjustments for an incompatible application and run the application successfully. (MY NOTE: This lets us try to run applications with different settings, in hopes that they might run on a newer version of Windows, when they otherwise fail. The application here is running fine at first, but merely becomes unreliable over time.)
Reference:
Diagnostic startup: starts Windows with basic services and drivers only. This mode can help rule out basic Windows files as the problem.
Reference:
If Windows detects possible problems with your computer's memory, it will prompt you to run the Memory Diagnostics Tool.
Reference:

QUESTION 129
Your network contains a server named Server1 that runs a Server Core installation of Windows Server 2008 R2. The network contains a client computer named Computer1 that runs Windows 7. You need to ensure that you can collect events from Server1 on Computer1. What should you run on Server1?

A. eventcreate /so
B. net config server
C. wecutil cs
D. winrm quickconfig

Correct Answer: D
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
To configure computers in a domain to forward and collect events:
1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges.
2. On each source computer, type the following at an elevated command prompt: winrm quickconfig
Note: If you intend to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, then you must also run the above command on the collector computer.
3. On the collector computer, type the following at an elevated command prompt: wecutil qc
4. Add the computer account of the collector computer to the local Administrators group on each of the source

computers.
Reference:

QUESTION 130
Your network is configured as shown in the exhibit. (Click the Exhibit button.) The network contains a server named TMG1. TMG1 runs Microsoft Forefront Threat Management Gateway (TMG) 2010 and has a default gateway of
You need to ensure that TMG1 can connect to the Internet and to the client computers in all of the internal subnets. What should you do on TMG1?
Exhibit:
A. Change the default gateway to
B. Change the default gateway to
C. Run route -p add netmask
D. Run route -p add netmask
Correct Answer: C
Section: Configuring IP Addressing and Services
/Reference:
Because TMG1 has an interface with an IP on the x network, it should be able to communicate with Subnet2 ( /24) fine. What it needs is a route to Subnet1. Router1 has this route on its interface, and is connected to Subnet2. Without TMG1 knowing about that interface or router, however, it won't be able to communicate beyond Subnet2. So the correct command is as follows:
route -p add netmask
This tells TMG1 that traffic for the /24 network should be handled by the router with , which is correct.
WRONG ANSWERS
route -p add netmask
This command would say that all traffic for Subnet2 should be routed through , but we already have an interface connected directly to Subnet2.

Changing the default gateway won't help, as this only allows us to communicate with one subnet or the other, not both.

QUESTION 131
You deploy Network Access Protection (NAP) on your network. An administrator configures a network policy as shown in the exhibit. (Click the Exhibit button.) You discover that noncompliant client computers cannot access the remediation network. You need to configure the network policy to ensure that noncompliant client computers can access the remediation network.
Exhibit:
A. In the Type of network access server list, click HCAP Server.

B. In the Type of network access server list, click Health Registration Authority.
C. In Access Permission, select the Ignore user account dial-in properties check box.
D. In Access Permission, select the Grant access. Grant access if the connection request matches this policy option button.
Correct Answer: D
Section: Configuring Network Access
/Reference:
Currently, the policy (specified and named for noncompliant computers) states that access will be denied. We must change this so that access is granted.
WRONG ANSWERS
Checking the Ignore user account dial-in properties box would allow clients to connect even if the dial-in tab of their AD account is not configured to do so. In fact, this would force all clients onto the policy setting, which is still configured to deny access to all clients.
Changing the server type to HCAP or HRA would allow it to send clients to the remediation network.

QUESTION 132
You perform a security audit of a server named CRM1. You want to build a list of all DNS requests that are initiated by the server. You install the Microsoft Network Monitor 3.0 application on CRM1. You capture all local traffic on CRM1 for 24 hours. You save the capture file as data.cap. You find that the size of the file is more than 1 GB. You need to create a file named DNSdata.cap from the existing capture file that contains only DNS related data.
A. Apply the display filter !DNS and save the displayed frames as a DNSdata.cap file.
B. Apply the capture filter DNS and save the displayed frames as a DNSdata.cap file.
C. Add a new alias named DNS to the aliases table and save the file as DNSdata.cap.
D. Run the nmcap.exe /inputcapture data.cap /capture DNS /file DNSdata.cap command.
Correct Answer: D
Section: Monitoring and Managing A Network Infrastructure
/Reference:
nmcap.exe /inputcapture data.cap /capture DNS /file DNSdata.cap
This command will "record" the data.cap capture, applying the DNS filter to it, and save it to an output file called DNSdata.cap.
WRONG ANSWERS
A display filter could be used, but !DNS will contain anything but DNS related data.

Capture filters can only be set up before a capture is run.
Aliases in Network Monitor allow friendly names to be displayed for various hosts in the capture file.

QUESTION 133
Your network contains a server that runs a Server Core installation of Windows Server 2008 R2. You need to log the CPU utilization of the server. Which tool should you use?
A. relog.exe
B. dism.exe
C. logman.exe
D. sc.exe
Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
/Reference:
logman.exe creates and manages Event Trace Session and Performance logs and supports many functions of Performance Monitor from the command line.
Reference:
WRONG ANSWERS
relog.exe extracts performance counters into other formats. This will not help us actually log performance data.
Reference:
dism.exe (which, as of R2, replaced oclist.exe and ocsetup.exe) is used to service Windows images and installations (adding/removing features, roles, etc.).
sc.exe is used to control (stop/start) or get information about running services.

QUESTION 134
Your network contains a server that has the Network Policy Server (NPS) role service installed. You need to configure a network policy that will apply to wireless clients only. Which condition should you configure?
A. NAS Port Type
B. Service Type
C. MS-Service Class
D. Framed Protocol
E. NAS Identifier
Correct Answer: A
Section: Configuring Network Access

/Reference:
NAS Port Type: Allows you to specify the type of media used by the client computer to connect to the network. (MY NOTE: This would allow us to restrict connection to wireless media only. None of the other conditions are applicable.)
Service Type: Allows you to specify the name of the network access server that sent the connection request to NPS.
NAS Identifier: Allows you to specify the name of the network access server that sent the connection request to NPS.
MS-Service Class: This condition is used only when you are deploying NAP with the DHCP enforcement method.
Framed Protocol: Restricts the policy to clients that specify a certain framing protocol for incoming packets, such as PPP or SLIP.
Reference:

QUESTION 135
Your network contains an Active Directory forest. The forest contains the member servers configured as shown in the following table. All servers run Windows Server 2008 R2. You deploy a new server named Server1. You need to configure Server1 to provide central authentication for all dial-up connections and all VPN connections. What should you install on Server1?
A. Active Directory Lightweight Directory Services (AD LDS)
B. Active Directory Federation Services (AD FS)
C. Network Policy Server (NPS)
D. Routing and Remote Access service (RRAS)
Correct Answer: C
Section: Configuring Network Access
/Reference:
You can use NPS to centrally manage network access through a variety of network access servers, including wireless access points, VPN servers, dial-up servers, and 802.1X authenticating switches. (MY NOTE: NPS is the newer implementation of RADIUS, which is what is needed.)
Reference:
WRONG ANSWERS
RRAS is used for routing between two networks, not authentication. This would be used to deploy the VPN and dial-up services but does not provide authentication mechanisms.
AD LDS is used for creating application-specific or customized user stores.
AD FS is used for trusting and sharing resources between two organizations.

QUESTION 136
Your network contains a server named Server1 that runs Windows Server 2008 R2. You need to log performance counter data from Server1 to a SQL database. To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.
Select and Place:
Correct Answer:

Section: Monitoring and Managing A Network Infrastructure
/Reference:
Be careful on this one: it is asking us to log performance data to a SQL database, not to log the performance of a SQL database. So do not drag ODBC tracing over at all! We basically have to set up a DSN on the local computer and create a custom (user-defined) DCS that points to the DSN for storage.
Pushing the Performance Monitor Data into a Database (...)
1. Making a Data Collector: First, for pushing any perfmon data into the database, we need to build a Data Collector Set from perfmon (...)
2. Making a System DSN: Now, for pushing this Performance Monitor data from the blg file to the database, we need to create a System DSN from the ODBC console of the server. You need to select the database where you are going to push the perfmon data.
MY NOTE: I'm not sure why we wouldn't create the DSN first, as per the instructions here: (...)
MY NOTE: This site does not mention modifying the DSN for the Data Collector, but it would be implied: you can't tell the Data Collector to send data to a database if it doesn't know which database to talk to!
Reference:

QUESTION 137
Your company has an Active Directory forest that contains client computers that run Windows Vista and Windows XP. You need to ensure that users are able to install approved application updates on their computers. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Set up Automatic Updates through Control Panel on the client computers.
B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically search for updates on the Microsoft Update site.
C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Windows Server Update Services (WSUS) server for approved updates.
D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates on the Internet. Approve all required updates.
Correct Answer: CD
Section: Monitoring and Managing A Network Infrastructure
/Reference:
To be able to "approve" updates at all, WSUS must be installed in the AD environment. Creating a GPO for client computers (linked to the domain) will ensure they all receive only the "approved" updates, by forcing them to communicate with the WSUS server instead of Microsoft's servers.
WRONG ANSWERS
Configuring Automatic Updates on each client only controls the download and (optional) automatic installation of updates. Linking a GPO to the Domain Controllers OU only affects domain controllers. Neither of these options would allow "approval" or management of updates; all updates would be downloaded.

QUESTION 138
Your network contains an Active Directory domain named contoso.com. You have a management computer named Computer1 that runs Windows 7. You need to forward the logon events of all the domain controllers in contoso.com to Computer1. All new domain controllers must be dynamically added to the subscription.
A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.
B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.
C. From Computer1, configure source-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).
D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).
Correct Answer: A
Section: Monitoring and Managing A Network Infrastructure
/Reference:

Since we can't specify a static list of computers we are gathering logs from (all new domain controllers must be dynamically added), we need to create a source-initiated subscription. We can use a policy on the Domain Controllers OU to ensure they are all configured to forward logs to Computer1.
"Source-initiated subscriptions allow you to define a subscription on an event collector computer without defining the event source computers, and then multiple remote event source computers can be set up (using a group policy setting) to forward events to the event collector computer. This differs from a collector initiated subscription because in the collector initiated subscription model, the event collector must define all the event sources in the event subscription."
Reference:

QUESTION 139
Your company has an IPv6 network that has 25 segments. You deploy a server on the IPv6 network. You need to ensure that the server can communicate with all segments on the IPv6 network.
A. Configure the IPv6 address as fd00::2b0:d0ff:fee9:4143/8.
B. Configure the IPv6 address as fe80::2b0:d0ff:fee9:4143/64.
C. Configure the IPv6 address as ff80::2b0:d0ff:fee9:4143/64.
D. Configure the IPv6 address as 0000::2b0:d0ff:fee9:4143/64.
Correct Answer: A
Section: Configuring IP Addressing and Services
/Reference:
The fd00:: prefix is used for unique local addressing. This is the address we need for communication with other IPv6 segments.
The fe80:: prefix is used for link-local (same subnet) addressing. This would only allow for communication with the local segment.
The ff80:: prefix is used for multicasting (sending a packet to multiple addresses at once). This would not necessarily ensure all segments are reachable.
The 0000:: prefix is currently reserved by IANA.
References:

QUESTION 140
Your network contains a server named Server1 that runs Windows Server 2008 R2. The network for Server1 is configured as shown in the table.

You plan to deploy DirectAccess on Server1. You need to configure the network interfaces on Server1 to support DirectAccess.
A. Remove the IP address of from Internet2, and then add the address to LAN1.
B. Add the IP address of to LAN1.
C. Remove the IP address of from Internet2, and then add the address to Internet1.
D. Add the default gateway of to Internet2.
Correct Answer: C
Section: Configuring IP Addressing and Services
/Reference:
Remove the IP address from Internet2, and then add the address to Internet1. This would give us two public IPs on the Internet1 interface. See below, where this is the recommended procedure for DA setup from Microsoft.
Moving the address to LAN1 would certainly confuse the system, and there is no need for two private IPs on the LAN1 interface. Adding a gateway seems like it would work, but is apparently not the appropriate method per Microsoft.
Step 1: Build and Provision a DirectAccess Server. Start by provisioning a Windows Server 2008 R2 machine with two NICs. Make sure it's a member of your internal Active Directory domain. Connect the two NICs, one to an external subnet and the other to your internal network. Next, you'll be installing certificates and the DirectAccess components. Because this server will bridge the inside and outside network, double-check to ensure it has all the required updates. You'll also need two consecutive, static, public IP addresses. For example, these two addresses could be and . The important thing is that they're consecutive. ... Configure the two external addresses on the external adapter of your DirectAccess server.
(MY NOTE: For whatever reason, this is basically saying the two consecutive public IPs, and , need to be on the same, single interface. The article below also mentions how the internal adapter should only be assigned a single IP for the internal network.)

Reference:

QUESTION 141
Your network contains a server named Server1. An administrator named Admin1 installs the Windows Server Update Services (WSUS) server role on Server1. You open the Windows Server Update Services console and view the Products and Classifications options as shown in the exhibit. (Click the Exhibit button.) You need to ensure that you can select updates for Windows Server 2008 R2 Service Pack 1 (SP1) from the Products and Classifications options.
Exhibit:
A. From the Services console, restart the Update Services service.
B. From the WSUS Administration console, synchronize Server1.
C. From a command prompt, run gpupdate /force.

D. From a command prompt, run wuauclt /detectnow.
Correct Answer: B
Section: Monitoring and Managing A Network Infrastructure
/Reference:
We can see the "Product" (Server 2008 R2 SP1) is not on the Products and Classifications list. Per the article below, this means we need to synchronize the server.
"You may have to do an initial synchronization to get some products to appear in the list of product classifications."
Reference:
WRONG ANSWERS
Restarting the Update Services service does not reload the WSUS config or synchronize the server.
gpupdate /force: This would force the server to grab the latest group policy settings or changes, but Products and Classifications are not configured through Group Policy.
wuauclt /detectnow: This would force the server to look for the latest updates to be installed on the server, but does not affect the configuration of the Products and Classifications list.

QUESTION 142
Your network contains an Active Directory forest named contoso.com. The forest contains a server named Server1 that is configured as an enterprise certification authority (CA). The forest contains a server named Server2 that has the Network Policy Server (NPS) role service installed. You deploy Network Access Protection (NAP). You discover that Server1 fails to issue health certificates. You need to ensure that health certificates can be issued.
A. Install an additional server, configure the new server as a standalone CA, and then configure the Health Registration Authority (HRA) to use the CA.
B. From the Network Policy Server console, create a new health policy.
C. From the Network Policy Server console, modify the Windows System Health Validators settings.
D. Install the Host Credential Authorization Protocol (HCAP) role service on Server1.
Correct Answer: A
Section: Configuring Network Access
/Reference:
(...)

QUESTION 143

Your network contains an Active Directory forest. The forest contains a member server named VPN1 that runs Windows Server 2008 R2. You configure VPN1 as a VPN server. You need to ensure that only client computers that have Windows Update enabled can establish VPN connections to VPN1. What should you install on VPN1?
A. Windows Server Update Services (WSUS)
B. Network Policy Server (NPS)
C. Health Registration Authority (HRA)
D. Connection Manager Administration Kit (CMAK)
Correct Answer: B
Section: Configuring Network Access
/Reference:
We can do these kinds of verifications on VPN connections with NAP, which is a service of the NPS role.
In addition, if NAP-capable client computers are running Windows Update Agent and are registered with a Windows Server Update Services (WSUS) server, NAP can verify that the most recent software security updates are installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC).
Reference:
Health Registration Authority (HRA) provides a service for the Network Access Protection (NAP) platform that is commonly referred to as a registration authority in an X.509 public key infrastructure (PKI). As a registration authority, HRA is responsible for validating client credentials and then forwarding a certificate request to a certification authority (CA) on behalf of the client. (MY NOTE: It should be noted that HRA works with NAP, which requires NPS!)
Reference:
Installing WSUS on VPN1 might give us a place from which updates could be downloaded for remediation of VPN clients, but it will not be able to perform the checking of client computers that we need.
Connection Manager is a versatile client dialer and connection software that you can customize by using the Connection Manager Administration Kit (CMAK) wizard. (Basically, we can use this to customize connections using a connection wizard, but it will not help the VPN server know whether clients are up to date or not.)
Reference:

QUESTION 144
You have a perimeter network that contains 20 servers. All of the servers run Windows Server 2008 R2 and are members of a workgroup. You add an additional server named Server21 to the perimeter network. You plan to configure Server21 to collect events forwarded from the other servers. You need to ensure that the events are available on Server21 as quickly as possible. Which event delivery optimization option should you enable?

A. Normal
B. Custom
C. Minimize Bandwidth
D. Minimize Latency
Correct Answer: D
Section: Monitoring and Managing A Network Infrastructure
/Reference:
Normal: This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes.
Minimize Bandwidth: This option ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours.
Minimize Latency: This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds.
Reference:

QUESTION 145
You have a client computer named Computer1 that runs Windows 7. On Computer1, you configure a source-initiated subscription. You configure the subscription to retrieve all events from the Windows logs of a domain controller named DC1. The subscription is configured to use the HTTP protocol. You discover that events from the Security log of DC1 are not collected on Computer1. Events from the Application log of DC1 and the System log of DC1 are collected on Computer1. You need to ensure that events from the Security log of DC1 are collected on Computer1.
A. Add the computer account of Computer1 to the Event Log Readers group on the domain controller.
B. Add the Network Service security principal to the Event Log Readers group on the domain.
C. Configure the subscription to use custom Event Delivery Optimization settings.
D. Configure the subscription to use the HTTPS protocol.
Correct Answer: B
Section: Monitoring and Managing A Network Infrastructure
/Reference:
You have to prepare your Windows Server 2008/2008 R2 machines for collection of security events. To do this, simply add the Network Service account to the built-in Event Log Readers group.
Reference:

WRONG ANSWERS
The computer account does not need permissions to Event Log Readers.
We do not need the HTTPS protocol. If anything, the reverse might apply: if HTTPS were being used and there were firewall concerns or an improper HTTPS setup, we might want to configure HTTP instead.
Event Delivery Optimization specifies how to optimize collection of events for bandwidth/latency concerns.
Reference:

QUESTION 146
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to capture all replication errors from all domain controllers to a central location.
A. Configure Event Log Subscriptions.
B. Start the System Performance data collector set.
C. Start the Active Directory Diagnostics data collector set.
D. Install Network Monitor and create a new capture.
Correct Answer: A
Section: Monitoring and Managing A Network Infrastructure
/Reference:
In order to see replication errors from multiple computers in one place, we should set up an Event Log subscription. We could customize the subscription so that only Event IDs relevant to replication are captured, and each domain controller could be set up to forward these events to the collector computer.
WRONG ANSWERS
Capturing data in Network Monitor will allow inspection of data packets passed between servers, but will not easily provide us useful information to determine when replication has failed. It would be a very involved process to find out that anything has happened, let alone what may have happened.
The Active Directory Diagnostics DCS collects general information about the performance of AD. The System Performance DCS collects general information about the computer's performance. Neither of these will give us information about replication.

QUESTION 147
The corporate network of CompanyA consists of a Windows Server 2008 single Active Directory domain. The domain has two servers named Company1 and Company2.
To ensure central monitoring of events, you decided to collect all the events on one server, Company2, and transfer them to Company1. You configure the required event subscriptions. You selected the Normal option for the Event delivery optimization setting by using the HTTP protocol. However, you discovered that none of the subscriptions work.

Which of the following actions would you perform to configure the event collection and event forwarding on the two servers? (Select three. Each answer is a part of the complete solution.)
A. From the Run window, execute the winrm quickconfig command on Company2.
B. From the Run window, execute the wecutil qc command on Company2.
C. Add the Company1 account to the Administrators group on Company2.
D. From the Run window, execute the winrm quickconfig command on Company1.
E. Add the Company2 account to the Administrators group on Company1.
F. From the Run window, execute the wecutil qc command on Company1.
Correct Answer: ACF
Section: Monitoring and Managing A Network Infrastructure
/Reference:
Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source).
To configure computers in a domain to forward and collect events:
1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges.
2. On each source computer, type the following at an elevated command prompt: winrm quickconfig
Note: If you intend to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, then you must also run the above command on the collector computer.
3. On the collector computer, type the following at an elevated command prompt: wecutil qc
4. Add the computer account of the collector computer to the local Administrators group on each of the source computers.
5. The computers are now configured to forward and collect events. Follow the steps in Create a New Subscription to specify the events you want to have forwarded to the collector.
Reference:

QUESTION 148
Your network contains a server named Server1 that runs Windows Server 2008 R2. You need to ensure that you can log performance counter data from Server1 to a SQL database. Which tool should you use?
A. Component Services
B. Data Sources (ODBC)
C. Share and Storage Management
D. Storage Explorer
Correct Answer: B
Section: Monitoring and Managing A Network Infrastructure
/Reference:
We basically need to configure a DSN that points to our SQL database, so the Data Collector we create can communicate with it. This is done through the Data Sources (ODBC) console.

WRONG ANSWERS
Share and Storage Management provides a central location for you to manage shared resources, such as folders and volumes, as well as storage resources.
Reference:
With Storage Explorer, you can view and manage the Fibre Channel and iSCSI fabrics that are available in your storage area network (SAN).
Reference:
You can use the Component Services snap-in in Microsoft Management Console (MMC) to configure and administer Component Object Model (COM) components, COM+ applications, and the Distributed Transaction Coordinator (DTC).
Reference:

QUESTION 149
Your network contains four servers named Server1, Server2, Server3, and Server4 that run Windows Server 2008 R2. The servers have the Network Policy Server (NPS) role service installed. You configure a Remote RADIUS Server Group named Group1. Group1 contains Server2, Server3, and Server4. You need to configure load balancing for the members of Group1 to meet the following requirements:
Server1 must send 25 percent of all authentication requests to Server3.
Server1 must send 75 percent of all authentication requests to Server2.
Server1 must only send authentication requests to Server4 if Server2 and Server3 are unavailable.
What should you do from the Network Policy Server console?
A. For Server2, set the weight to 75 and the priority to 75. For Server3, set the weight to 25 and the priority to 25. For Server4, set the weight to 100 and the priority to 200.
B. For Server2, set the weight to 75 and the priority to 1. For Server3, set the weight to 25 and the priority to 1. For Server4, set the weight to 100 and the priority to 100.
C. For Server2, set the weight to 1 and the priority to 75. For Server3, set the weight to 1 and the priority to 25. For Server4, set the weight to 100 and the priority to 1.
D. For Server2, set the weight to 75 and the priority to 25. For Server3, set the weight to 25 and the priority to 75. For Server4, set the weight to 100 and the priority to 1.
Correct Answer: B
Section: Configuring Network Access
/Reference:
MY NOTE: To word the requirements differently, Server2 must get 75% of requests, Server3 must get 25% of requests, and Server4 should only get requests if Server2/Server3 are unavailable. Based on the reference below, this means Server2 needs a weight of 75, Server3 needs a weight of 25, and Server4 needs the highest priority value (for it to be lowest in priority). Of the options available, two of them have the correct weights, but only one has a high priority value (100) for Server4 together with those weights. A priority of 1, with a weight of 100, would mean Server4 handles all requests!!!
During the NPS proxy configuration process, you can create remote RADIUS server groups and then add RADIUS servers to each group. To configure load balancing, you must have more than one RADIUS server per remote RADIUS server group. While adding group members, or after creating a RADIUS server as a group member, you can access the Add RADIUS server dialog box to configure the following items on the Load Balancing tab:
Priority: Priority specifies the order of importance of the RADIUS server to the NPS proxy server. Priority level must be assigned a value that is an integer, such as 1, 2, or 3. The lower the number, the higher priority the NPS proxy gives to the RADIUS server. For example, if the RADIUS server is assigned the highest priority of 1, the NPS proxy sends connection requests to the RADIUS server first; if servers with priority 1 are not available, NPS then sends connection requests to RADIUS servers with priority 2, and so on. You can assign the same priority to multiple RADIUS servers, and then use the Weight setting to load balance between them.
Weight: NPS uses this Weight setting to determine how many connection requests to send to each group member when the group members have the same priority level. Weight setting must be assigned a value between 1 and 100, and the value represents a percentage of 100 percent. For example, if the remote RADIUS server group contains two members that both have a priority level of 1 and a weight rating of 50, the NPS proxy forwards 50 percent of the connection requests to each RADIUS server.
Reference:

QUESTION 150
Your network contains a server named Server1 that has the Routing and Remote Access service (RRAS) role service installed. Server1 provides access to the internal network by using Point-to-Point Tunneling Protocol (PPTP). Static RRAS filters on the external interface of Server1 allow only PPTP.
The IP address of the external interface is
You install the Web Server (IIS) role on Server1. You need to ensure that users on the Internet can access a Web site on Server1 by using HTTP. The solution must minimize the number of open ports on Server1. Which two static RRAS filters should you configure on Server1? (Each correct answer presents part of the solution. Choose two.)
A. An outbound filter that has the following configurations: Source network: /32, Destination network: Any, Protocol: TCP (established), Port: 80
B. An outbound filter that has the following configurations: Source network: /32, Destination network: Any, Port: 80
C. An outbound filter that has the following configurations: Source network: /32, Destination network: Any, Protocol: TCP, Port: Any
D. An inbound filter that has the following configurations: Source network: Any, Destination network: /32, Protocol: TCP, Port: 80

204 E. An inbound filter that has the following configurations: Source network: /32 Destination network: Any Protocol: TCP Port: Any Correct Answer: AD Section: Configuring Network Access /Reference: : We are told the solution must minimize the # of open ports. Right away, this eliminates the 2 answers specifying "Port: Any" We need users to access the web site on Server1 using HTTP (port 80), so we need an oubtound and inbound filter. Only 1 inbound filter meets the requirements, so we need to determine which outbound filter is correct. The only difference between the 2 outbound filters for port 80 is that one specifies the protocol must be TCP, the other says TCP (established). In other words, this means it will only allow previously established TCP connections to get out from the web. This is the rule we want, as it is the most secure and will only let packets out to clients that have connected to the site first. If we allow all TCP connections out, any compromise of the computer or malfunction of TCP program on the server could cause undesired effects for our users.
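Q150 above and the Windows Firewall questions that follow it (Q1 to Q5) all come down to the same task: allow exactly the port a service listens on, and nothing more. The PowerShell script below is an added example and is not part of the original dump. It uses netsh advfirewall, which is present on Windows Server 2008 R2 (the NetSecurity module cmdlets only arrived with Windows Server 2012), and it checks with netstat that something is actually listening before it opens a port. The rule names, the profile, and the port table (taken from the answers to Q150 and Q1 to Q5) are assumptions.

```powershell
# Added example, not from the dump: open only the port a service listens on.
# netsh advfirewall is available on Windows Server 2008 R2; rule names are assumed
# (kept free of spaces so netsh receives them unchanged from PowerShell).

# Port table taken from the answers to Q150 and Q1 to Q5.
# The DHCP server listens on UDP 67 only; UDP 68 is the client-side port.
$listeners = @(
    @{ Name = 'HTTP-Q150';  Protocol = 'TCP'; Port = 80   }
    @{ Name = 'POP3S-Q1';   Protocol = 'TCP'; Port = 995  }
    @{ Name = 'DNS-TCP-Q2'; Protocol = 'TCP'; Port = 53   }
    @{ Name = 'DNS-UDP-Q2'; Protocol = 'UDP'; Port = 53   }
    @{ Name = 'DHCP-Q3';    Protocol = 'UDP'; Port = 67   }
    @{ Name = 'SQL-Q4';     Protocol = 'TCP'; Port = 1433 }
    @{ Name = 'LDAPS-Q5';   Protocol = 'TCP'; Port = 636  }
)

function Test-Listener {
    param([string]$Protocol, [int]$Port)
    # netstat -an prints, for example:
    #   TCP    0.0.0.0:995    0.0.0.0:0    LISTENING
    #   UDP    0.0.0.0:67     *:*
    $state   = if ($Protocol -eq 'TCP') { '.*LISTENING' } else { '' }
    $pattern = "^\s*$Protocol\s+\S+:$Port\s$state"
    return [bool](netstat -an | Select-String -Pattern $pattern -Quiet)
}

function Add-ListenerRule {
    param([string]$Name, [string]$Protocol, [int]$Port)
    # Windows Firewall is stateful, so one inbound allow rule is enough: the replies
    # are matched to the connection automatically. RRAS static filters are stateless,
    # which is why Q150 also needs the outbound "TCP (established)" filter.
    netsh advfirewall firewall add rule name=$Name dir=in action=allow protocol=$Protocol localport=$Port profile=domain
}

foreach ($l in $listeners) {
    if (Test-Listener -Protocol $l.Protocol -Port $l.Port) {
        Add-ListenerRule @l | Out-Null
        'opened  {0,-4} {1,-5} for {2}' -f $l.Protocol, $l.Port, $l.Name
    }
    else {
        # Do not open a port nothing listens on: it widens the attack surface for no gain.
        'skipped {0,-4} {1,-5} ({2}): no listener on this host' -f $l.Protocol, $l.Port, $l.Name
    }
}

# Review the result. The rules above are inbound only; the firewall's default
# inbound action (block) still applies to every other port.
netsh advfirewall firewall show rule name=all dir=in | Select-String -Pattern 'Rule Name|LocalPort|Protocol'
```

Run it on the server each question names; the table is deliberately broad, so on Server6 for example only TCP 995 is found listening and opened. One caveat for Q4: only a default SQL Server instance listens on TCP 1433. A named instance listens on a dynamic port and is located through the SQL Server Browser service on UDP 1434, so on such a server TCP 1433 alone is not enough.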

Same Choices

QUESTION 1
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server6 that runs a third-party POP3 server. Server6 only supports encrypted POP3 connections.
You need to configure the Windows Firewall on Server6 to allow client computers access to the POP3 server.
Which port or ports should you allow through Windows Firewall?

A. UDP 546 and UDP 547
B. UDP 993
C. TCP 993
D. TCP 995
E. UDP 995
F. TCP 67 and TCP 68
G. TCP 636
H. TCP 587 and UDP 587
I. TCP 546 and TCP 547
J. UDP 67 and UDP 68
K. UDP 1433
L. TCP 1433
M. TCP 53 and UDP 53

Correct Answer: D
Section: Configuring Network Access

Explanation/Reference:
Be careful here: the scenario states that Server6 only supports encrypted POP3, that is, POP3 over SSL, which operates on TCP port 995. Do not confuse it with TCP 993, which is IMAP over SSL, or with UDP 995: POP3 is a TCP protocol.
Reference:

QUESTION 2
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server2 that has the DNS Server server role installed.
You need to configure the Windows Firewall on Server2 to allow client computers access to the DNS Server service.
Which port or ports should you allow through Windows Firewall?

A. UDP 546 and UDP 547
B. UDP 993

C. TCP 993
D. TCP 995
E. UDP 995
F. TCP 67 and TCP 68
G. TCP 636
H. TCP 587 and UDP 587
I. TCP 546 and TCP 547
J. UDP 67 and UDP 68
K. UDP 1433
L. TCP 1433
M. TCP 53 and UDP 53

Correct Answer: M
Section: Configuring Network Access

Explanation/Reference:
DNS uses UDP port 53 for ordinary queries and TCP port 53 for zone transfers and for responses that do not fit in a single UDP datagram, so both must be allowed.
Reference:

QUESTION 3
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server3 that has the DHCP Server server role installed.
You need to configure Windows Firewall on Server3 to allow IPv4 client computers access to the DHCP Server service.
Which port or ports should you allow through Windows Firewall?

A. UDP 546 and UDP 547
B. UDP 993
C. TCP 993
D. TCP 995
E. UDP 995
F. TCP 67 and TCP 68
G. TCP 636
H. TCP 587 and UDP 587
I. TCP 546 and TCP 547
J. UDP 67 and UDP 68
K. UDP 1433
L. TCP 1433
M. TCP 53 and UDP 53

Correct Answer: J
Section: Configuring Network Access

Explanation/Reference:

Both BOOTP and DHCP servers use UDP port 67 to listen for and receive client request messages. BOOTP and DHCP clients typically reserve UDP port 68 for accepting message replies from either a BOOTP server or a DHCP server. (UDP 546 and 547 are the DHCPv6 ports, which is why the question specifies IPv4 clients.)
References:

QUESTION 4
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that has Microsoft SQL Server 2008 R2 installed.
You need to configure the Windows Firewall on Server1 to allow client computers access to the SQL Server installation.
Which port or ports should you allow through Windows Firewall?

A. UDP 546 and UDP 547
B. UDP 993
C. TCP 993
D. TCP 995
E. UDP 995
F. TCP 67 and TCP 68
G. TCP 636
H. TCP 587 and UDP 587
I. TCP 546 and TCP 547
J. UDP 67 and UDP 68
K. UDP 1433
L. TCP 1433
M. TCP 53 and UDP 53

Correct Answer: L
Section: Configuring Network Access

Explanation/Reference:
SQL Server listens for incoming connections on a particular port. The default port for SQL Server is 1433. The port doesn't need to be 1433, but 1433 is the official Internet Assigned Numbers Authority (IANA) socket number for SQL Server. This applies to the default instance: a named instance listens on a dynamic port by default and is located through the SQL Server Browser service on UDP 1434, so check the instance's configured port before opening the firewall.
References:

QUESTION 5
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your company has an Active Directory domain named contoso.com. The network contains three subnets that are separated by a firewall. The domain has a server named Server5 that has Active Directory Lightweight Directory Services (AD LDS) installed. Server5 only supports encrypted LDAP connections.
You need to ensure that client computers can access the LDAP service on Server5.
Which port or ports should you allow through Windows Firewall?

A. UDP 546 and UDP 547
B. UDP 993
C. TCP 993
D. TCP 995
E. UDP 995
F. TCP 67 and TCP 68
G. TCP 636
H. TCP 587 and UDP 587
I. TCP 546 and TCP 547
J. UDP 67 and UDP 68
K. UDP 1433
L. TCP 1433
M. TCP 53 and UDP 53

Correct Answer: G
Section: Configuring Network Access

Explanation/Reference:
Be careful here: the scenario states that Server5 only supports encrypted LDAP, that is, LDAP over SSL, which uses TCP port 636 (unencrypted LDAP uses TCP 389). An AD LDS instance can be installed on non-default ports, so confirm the SSL port of the instance before opening it.
Reference:

QUESTION 6
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to collect all of the Directory Services events from all of the domain controllers and store the events on a single central computer.

A. Run the eventcreate.exe command.
B. Create a Data Collector Set (DCS).
C. Configure subscriptions from Event Viewer.
D. Create custom views from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Run the ntdsutil.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).

H. Run the repadmin.exe command.
I. Run the dsquery.exe command.
J. Run the dsamain.exe command.

Correct Answer: C
Section: Maintaining the Active Directory Environment

Explanation/Reference:
Event subscriptions allow us to collect events from multiple computers onto a single collector computer, which simplifies the troubleshooting of a problem that affects multiple computers.

QUESTION 7
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to compact the Active Directory database.

A. Run the eventcreate.exe command.
B. Create a Data Collector Set (DCS).
C. Configure subscriptions from Event Viewer.
D. Create custom views from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Run the ntdsutil.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Run the repadmin.exe command.
I. Run the dsquery.exe command.
J. Run the dsamain.exe command.

Correct Answer: F
Section: Maintaining the Active Directory Environment

Explanation/Reference:
Compacting the AD database is also known as an offline defragmentation. To perform offline defragmentation of the directory database (...):
4. At the command prompt, type ntdsutil, and then press ENTER.
5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
6. At the ntdsutil prompt, type files, and then press ENTER.
(...)
On Windows Server 2008 and later the domain controller does not have to be restarted in Directory Services Restore Mode for this: the Active Directory Domain Services service can be stopped, the database compacted, and the service started again.
Reference:

QUESTION 8
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to receive a notification when more than 100 Active Directory objects are deleted per second.

A. Run the eventcreate.exe command.
B. Create a Data Collector Set (DCS).
C. Configure subscriptions from Event Viewer.
D. Create custom views from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Run the ntdsutil.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Run the repadmin.exe command.
I. Run the dsquery.exe command.
J. Run the dsamain.exe command.

Correct Answer: B
Section: Maintaining the Active Directory Environment

Explanation/Reference:
(This one may also show up with a different number of objects, but the answer is always the same.)
We basically need to set up a performance counter alert. We would not use the built-in Active Directory Diagnostics DCS: it collects traces and counters for diagnosis, has no alert for deleted objects, and built-in data collector sets cannot be edited. Rather, we have to create a user-defined DCS with a performance counter alert on the appropriate counter. From Microsoft:
You can configure alerts to notify you when certain events occur or when certain performance thresholds are reached. You can send these alerts as network messages and as events that are logged in the application event log. You can also configure alerts to start applications and performance logs. To configure an alert, follow these steps:
1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set.
(...)
Reference:

QUESTION 9
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to create a snapshot of Active Directory.

A. Run the eventcreate.exe command.
B. Create a Data Collector Set (DCS).
C. Configure subscriptions from Event Viewer.

D. Create custom views from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Run the ntdsutil.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Run the repadmin.exe command.
I. Run the dsquery.exe command.
J. Run the dsamain.exe command.

Correct Answer: F
Section: Maintaining the Active Directory Environment

Explanation/Reference:
To create an AD DS or AD LDS snapshot:
1. Log on to a domain controller as a member of the Enterprise Admins group or the Domain Admins group.
2. Click Start, right-click Command Prompt, and then click Run as administrator.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. At the elevated command prompt, type the following command, and then press ENTER: ntdsutil
5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot
6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds
7. At the snapshot prompt, type the following command, and then press ENTER: create
Reference:

QUESTION 10
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You mount an Active Directory snapshot.
You need to ensure that you can query the snapshot by using LDAP.

A. Run the eventcreate.exe command.
B. Create a Data Collector Set (DCS).
C. Configure subscriptions from Event Viewer.
D. Create custom views from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Run the ntdsutil.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Run the repadmin.exe command.
I. Run the dsquery.exe command.
J. Run the dsamain.exe command.

Correct Answer: J
Section: Maintaining the Active Directory Environment

Explanation/Reference:
(This one may also show up asking about connecting to the snapshot; the answer remains the same.)
The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times, so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain. (...)
You do not need any additional software to use the Active Directory database mounting tool. All the tools that are required to use this feature are built into Windows Server 2008 and are available if you have the AD DS or the AD LDS server role installed. These tools include the following: (...)
Dsamain.exe, which you can use to expose the snapshot data as an LDAP server
Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers
Reference:

QUESTION 11
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains a server named DC1 that has the DHCP Server server role installed. You discover that clients are not being assigned IP addresses from DC1. You open the DHCP console as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that the clients can be assigned IP addresses from DC1.
Exhibit:

A. Compact the database.
B. Configure DHCP link layer-based filtering.
C. Configure a DHCP Relay Agent.
D. Restore the database from a backup.
E. Configure Routing Information Protocol version 2 (RIPv2) on the router.
F. Increase the database cleanup interval.
G. Configure Open Shortest Path First (OSPF) on the router.

H. Configure name protection.
I. Reconcile the scope.
J. Modify the start address.
K. Authorize DC1 in Active Directory.

Correct Answer: K
Section: Configuring IP Addressing and Services

Explanation/Reference:
Typically, a newly set up DHCP server in an Active Directory domain will not hand out addresses until it is explicitly authorized to do so. We can see under DC1 that both IPv4 and IPv6 show red down arrows. This confirms that the server is not active or authorized, and that is why the clients are not getting an IP address.

QUESTION 12
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains a server named DC1 that has the DHCP Server server role installed.
You need to prevent devices that are neither company-owned nor company-managed from being assigned DHCP addresses.
What should you enable on the DHCP server?

A. Compact the database.
B. Configure DHCP link layer-based filtering.
C. Configure a DHCP Relay Agent.
D. Restore the database from a backup.
E. Configure Routing Information Protocol version 2 (RIPv2) on the router.
F. Increase the database cleanup interval.
G. Configure Open Shortest Path First (OSPF) on the router.
H. Configure name protection.
I. Reconcile the scope.
J. Modify the start address.
K. Authorize DC1 in Active Directory.

Correct Answer: B
Section: Configuring IP Addressing and Services

Explanation/Reference:
Link-layer filtering provides network access control for the issuance or denial of DHCP leases of IP addresses based on a media access control (MAC) address. Link-layer filtering can be configured at the IPv4 node for all clients across all IPv4 scopes. This feature is currently available only for IPv4 networks.
Note that this is an administrative control rather than a security boundary: a MAC address is trivially changed, and a device configured with a static address never asks the DHCP server at all.
Reference:

QUESTION 13
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains a server named DC1 that has the DHCP Server server role installed. You discover the following warning message in the Event log on DC1:
"There were orphaned entries deleted in the configuration due to the deletion of a class and option definition. Please recheck the server configuration."
You need to resolve the warning message.

A. Compact the database.
B. Configure DHCP link layer-based filtering.
C. Configure a DHCP Relay Agent.
D. Restore the database from a backup.
E. Configure Routing Information Protocol version 2 (RIPv2) on the router.
F. Increase the database cleanup interval.
G. Configure Open Shortest Path First (OSPF) on the router.
H. Configure name protection.
I. Reconcile the scope.
J. Modify the start address.
K. Authorize DC1 in Active Directory.

Correct Answer: I
Section: Configuring IP Addressing and Services

Explanation/Reference:
Message: There were some orphaned entries deleted in the configuration due to the deletion of a class or an option definition. Please recheck the server configuration.
Resolve: Reconcile the DHCP scope.
Reference:

QUESTION 14
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains a server named DC1 that has the DHCP Server server role installed. Clients located on the same subnet as DC1 are assigned valid IP addresses from DC1. Clients located on a different subnet are not assigned IP addresses from DC1. You verify that there is network connectivity between the two subnets.
You need to ensure that the clients on both of the subnets can receive IP addresses from DC1.

A. Compact the database.
B. Configure DHCP link layer-based filtering.
C. Configure a DHCP Relay Agent.
D. Restore the database from a backup.
E. Configure Routing Information Protocol version 2 (RIPv2) on the router.

F. Increase the database cleanup interval.
G. Configure Open Shortest Path First (OSPF) on the router.
H. Configure name protection.
I. Reconcile the scope.
J. Modify the start address.
K. Authorize DC1 in Active Directory.

Correct Answer: C
Section: Configuring IP Addressing and Services

Explanation/Reference:
"For each IP network segment that contains DHCP clients, either a DHCP server or a computer acting as a DHCP Relay Agent is required."
A DHCPDISCOVER is a broadcast, which routers do not forward; the relay agent on the remote subnet forwards it to DC1 as a unicast and passes the offer back to the client.
Reference:
MY NOTE: We know connectivity is working, but have no indication that the remote subnet has a DHCP server itself. So, we need to configure a Relay Agent.

QUESTION 15
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains a server named DC1 that has the DHCP Server server role installed. DC1 has a DHCP scope for the /24 network ID. You discover the following warning message in the Event log on DC1:
"Scope, Scope1, is 98 percent full with only two IP addresses remaining."
You need to ensure that DC1 has enough IP addresses to assign to clients. The solution must not cause any IP conflicts.

A. Compact the database.
B. Configure DHCP link layer-based filtering.
C. Configure a DHCP Relay Agent.
D. Restore the database from a backup.
E. Configure Routing Information Protocol version 2 (RIPv2) on the router.
F. Increase the database cleanup interval.
G. Configure Open Shortest Path First (OSPF) on the router.
H. Configure name protection.
I. Reconcile the scope.
J. Modify the start address.
K. Authorize DC1 in Active Directory.

Correct Answer: F
Section: Configuring IP Addressing and Services

Explanation/Reference:

Message: Scope, %1, is %2 percent full with only %3 IP addresses remaining.
Resolve: Extend DHCP scopes, reduce lease times, or decrease the cleanup interval.
(MY NOTE: The answer in the question says "Increase the database cleanup interval"; I think it means to imply you would increase the frequency of database cleanup, which is done by decreasing the amount of time that passes before each cleanup occurs.)
Reference:

QUESTION 16
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains a server named DC1 that has the DHCP Server server role installed. You discover the following warning message in the Event log of DC1:
"The DHCP service encountered the following error while cleaning up the database: An error occurred while accessing the DHCP database. Look at the DHCP server event log for more information on this error."
You need to resolve the warning message.

A. Compact the database.
B. Configure DHCP link layer-based filtering.
C. Configure a DHCP Relay Agent.
D. Restore the database from a backup.
E. Configure Routing Information Protocol version 2 (RIPv2) on the router.
F. Increase the database cleanup interval.
G. Configure Open Shortest Path First (OSPF) on the router.
H. Configure name protection.
I. Reconcile the scope.
J. Modify the start address.
K. Authorize DC1 in Active Directory.

Correct Answer: D
Section: Configuring IP Addressing and Services

Explanation/Reference:
If the server is having problems accessing the DHCP database, it makes the most sense to restore it from a backup. Compacting it would help it take up less space, but that is not going to help the server access a database that appears to have been corrupted.

QUESTION 17
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. The domain contains several VPN servers that have the Routing and Remote Access service (RRAS) role service installed.
You need to collect information about the duration of the VPN connections. The information must be stored in a central location.

What should you configure on the VPN servers?

A. the Windows Accounting accounting provider
B. the RADIUS Accounting accounting provider
C. Connection Request policies
D. Health policies
E. the Windows Authentication authentication provider
F. the RADIUS Authentication authentication provider
G. Remediation Server groups
H. Group Policy preferences
I. System Health Validators (SHVs)
J. IKEv2 client connections

Correct Answer: B
Section: Configuring Network Access

Explanation/Reference:
RADIUS Accounting: The RADIUS server also collects a variety of information sent by the NAS that can be used for accounting and for reporting on network activity. The RADIUS client sends information to designated RADIUS servers when the user logs on and logs off. The RADIUS client may send additional usage information on a periodic basis while the session is in progress. The requests sent by the client to the server to record logon/logoff and usage information are generally called "accounting requests."
Reference:
MY NOTE: This question is tricky. The original answer in some dumps was RADIUS Authentication provider. And indeed, a RADIUS server like this needs to be in place before RADIUS Accounting can be configured. But this question has been seen with only 4 choices, and RADIUS Accounting was a possible answer and not RADIUS Authentication. Other dumps have made this correction to the answer as well.

QUESTION 18
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. The domain contains several VPN servers that have the Routing and Remote Access service (RRAS) role service installed.
You need to configure all of the VPN servers to use the same network policies. The solution must ensure that any changes to the network policies automatically apply to all of the VPN servers.
What should you configure on the VPN servers?

A. the Windows Accounting accounting provider
B. the RADIUS Accounting accounting provider
C. Connection Request policies
D. Health policies
E. the Windows Authentication authentication provider
F. the RADIUS Authentication authentication provider

G. Remediation Server groups
H. Group Policy preferences
I. System Health Validators (SHVs)
J. IKEv2 client connections

Correct Answer: F
Section: Configuring Network Access

Explanation/Reference:
Network Policy and Access Services provides the following network connectivity solutions: (...)
Central network policy management with RADIUS server and proxy
Reference:
MY NOTE: So our VPNs need to use RADIUS as an authentication provider in order for us to have centralized network policies for the VPNs.

QUESTION 19
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. Your company is implementing Network Access Protection (NAP).
You need to define which network resources non-compliant client computers can access.
What should you configure?

A. the Windows Accounting accounting provider
B. the RADIUS Accounting accounting provider
C. Connection Request policies
D. Health policies
E. the Windows Authentication authentication provider
F. the RADIUS Authentication authentication provider
G. Remediation Server groups
H. Group Policy preferences
I. System Health Validators (SHVs)
J. IKEv2 client connections

Correct Answer: G
Section: Configuring Network Access

Explanation/Reference:
Remediation server groups are used to specify servers that are available to noncompliant Network Access Protection (NAP) clients for the purpose of remediating their health state to comply with health requirements.
Reference:
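Q17 and Q18 both point each VPN server at a central NPS (RADIUS) server: RADIUS accounting for the connection records, and RADIUS authentication so that the network policies on NPS apply to every VPN server. The PowerShell script below is an added example and is not part of the original dump; it shows the RRAS side (netsh ras aaaa) and the NPS side (netsh nps), both available on Windows Server 2008 R2. The host names, addresses, and the shared secret are assumptions.

```powershell
# Added example, not from the dump. Host names, addresses and the secret are assumed.
$npsServer    = 'NPS1.contoso.com'
$sharedSecret = 'Replace-With-A-Long-Random-Secret'   # must match on both sides

# ----- run on each VPN (RRAS) server -----
function Set-RrasRadiusProviders {
    param([string]$Server, [string]$Secret)
    # Q18: authentication by RADIUS. The network policies on NPS now decide who may
    # connect, and a change made there applies to every VPN server at once.
    netsh ras aaaa set authentication provider=radius
    netsh ras aaaa add authserver name=$Server secret=$Secret init-score=30 port=1812 timeout=5
    # Q17: accounting by RADIUS. RRAS sends Accounting-Start/Stop (and interim)
    # records; the Stop record carries Acct-Session-Time, the connection duration.
    netsh ras aaaa set accounting provider=radius
    netsh ras aaaa add acctserver name=$Server secret=$Secret init-score=30 port=1813 timeout=5 messages=enabled
    netsh ras aaaa show authentication
    netsh ras aaaa show accounting
}

# ----- run on the NPS server -----
function Register-RadiusClient {
    param([string]$Name, [string]$Address, [string]$Secret)
    # Every VPN server must be registered as a RADIUS client: NPS discards
    # requests from an address it does not know, without answering them.
    netsh nps add client name=$Name address=$Address state=enable sharedsecret=$Secret
}

Set-RrasRadiusProviders -Server $npsServer -Secret $sharedSecret

# from NPS1, once per VPN server (addresses assumed)
Register-RadiusClient -Name 'VPN1' -Address '10.0.1.10' -Secret $sharedSecret
Register-RadiusClient -Name 'VPN2' -Address '10.0.1.11' -Secret $sharedSecret

# Keep a second NPS in step: export the whole configuration, including the shared
# secrets, and import it on the other server. The XML holds the secrets in clear
# text, so treat the file like a password store and delete it after the import.
netsh nps export filename="C:\Temp\nps-config.xml" exportPSK=YES
# on the second NPS server:
# netsh nps import filename="C:\Temp\nps-config.xml"
```

With accounting pointed at NPS, the session records end up in the NPS accounting log (by default a text log under %systemroot%\System32\LogFiles, or a SQL Server database if SQL logging is configured), which is the central location Q17 asks for. The shared secret is what authenticates each VPN server to NPS, so use a long random value per client rather than one shared by all of them.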

QUESTION 20
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. You deploy Network Access Protection (NAP).
You need to verify whether VPN clients have Windows Firewall enabled.
What should you configure?

A. the Windows Accounting accounting provider
B. the RADIUS Accounting accounting provider
C. Connection Request policies
D. Health policies
E. the Windows Authentication authentication provider
F. the RADIUS Authentication authentication provider
G. Remediation Server groups
H. Group Policy preferences
I. System Health Validators (SHVs)
J. IKEv2 client connections

Correct Answer: I
Section: Configuring Network Access

Explanation/Reference:
System health validators (SHVs) define configuration requirements for NAP client computers. The built-in Windows Security Health Validator includes the setting "A firewall is enabled for all network connections", which is the check this scenario needs. All SHVs include five error code conditions. If an error code is returned to the SHV, you can choose to have the SHV evaluate the client as either compliant or noncompliant.
Reference:

QUESTION 21
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. Your company provides VPN access for multiple organizations.
You need to configure Network Policy Server (NPS) to forward authentication requests to the appropriate organization.
What should you configure on the NPS server?

A. the Windows Accounting accounting provider
B. the RADIUS Accounting accounting provider
C. Connection Request policies
D. Health policies
E. the Windows Authentication authentication provider
F. the RADIUS Authentication authentication provider
G. Remediation Server groups

H. Group Policy preferences
I. System Health Validators (SHVs)
J. IKEv2 client connections

Correct Answer: C
Section: Configuring Network Access

Explanation/Reference:
Connection request policies are sets of conditions and settings that allow network administrators to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the authentication and authorization of connection requests that the server running Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can also be configured to designate which RADIUS servers are used for RADIUS accounting.
Reference:
This question can show up with slightly different wording or with fewer answer choices. Focus on the fact that connection request policies allow us to forward authentication to the right RADIUS servers for partner organizations (for example, by matching on the realm in the user name).

QUESTION 22
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2. All client computers run Windows 7 Professional. The network contains an enterprise certification authority (CA).
You need to ensure that all of the members of a group named Managers can view the event log entries for Certificate Services.
Which snap-in should you use?

A. Active Directory Administrative Center
B. Authorization Manager
C. Certificate Templates
D. Certificates
E. Certification Authority
F. Enterprise PKI
G. Group Policy Management
H. Security Configuration Wizard
I. Share and Storage Management

Correct Answer: G
Section: Configuring Active Directory Certificate Services

Explanation/Reference:
To give non-administrator users read-only access to event logs, add them to the built-in Event Log Readers group.

Reference:
So if we make Managers a member of the Event Log Readers group on the CA server, its members can view all event logs there, including the Certificate Services entries in the Application log. Event Log Readers is a local group on the server, so we assign the membership by using Group Policy (for example, Restricted Groups), and therefore we use the Group Policy Management console. We would not use Active Directory Users and Computers here, because Event Log Readers is a local group on the server. The various certificate snap-ins allow us to manage certificates but do not control access to the event logs.

QUESTION 23
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypting File System (EFS) certificates.
You need to archive the private key for all new EFS certificates.
Which snap-in should you use?

A. Active Directory Administrative Center
B. Authorization Manager
C. Certificate Templates
D. Certificates
E. Certification Authority
F. Enterprise PKI
G. Group Policy Management
H. Security Configuration Wizard
I. Share and Storage Management

Correct Answer: C
Section: Configuring Active Directory Certificate Services

Explanation/Reference:
Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate template in order to protect users from data loss (...). Enabling key archival on the CA is not enough by itself: the template must also require it ("Archive subject's encryption private key" on the Request Handling tab), and that is a template setting.
To configure a certificate template for key archival and recovery:
1. Open the Certificate Templates snap-in.
Reference:

QUESTION 24
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.
You need to ensure that users can enroll for certificates that use the IPSEC (Offline request) certificate template.
Which snap-in should you use?

A. Active Directory Administrative Center
B. Authorization Manager
C. Certificate Templates
D. Certificates
E. Certification Authority
F. Enterprise PKI
G. Group Policy Management
H. Security Configuration Wizard
I. Share and Storage Management

Correct Answer: C
Section: Configuring Active Directory Certificate Services

Explanation/Reference:
The only snap-in for managing templates is the Certificate Templates snap-in. On the Security tab of a specific certificate template, you can configure access and permissions for the template, including the Enroll permission (which allows a user to enroll for a certificate based on that template). The Enterprise PKI snap-in is used for viewing the health and properties of multiple CAs; we need to modify the properties of a single certificate template. The Certification Authority snap-in is used for configuring the various properties of a CA, and it is where a template is published so that the CA can issue it. The Certificates snap-in lets us view the certificates installed on a local machine and request a certificate. None of the other tools are used with certificate services.

QUESTION 25
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.
Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.
You need to approve a pending certificate request.
Which snap-in should you use?

A. Active Directory Administrative Center
B. Authorization Manager
C. Certificate Templates
D. Certificates
E. Certification Authority
F. Enterprise PKI
G. Group Policy Management
H. Security Configuration Wizard
I. Share and Storage Management

Correct Answer: E
Section: Configuring Active Directory Certificate Services

/Reference:
To issue a pending certificate request:
1. Log on to your root CA by using an account that is a certificate manager (the "Issue and Manage Certificates" role on that CA).
2. Start the Certification Authority snap-in.
3. In the console tree, expand your root CA, and click Pending Requests.
4. In the details pane, right-click the pending request, and click Issue.

Reference:

QUESTION 26
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2 Enterprise. All client computers run Windows 7 Professional. The network contains an enterprise certification authority (CA). You have a custom certificate template named Sales_Temp. Sales_Temp is published to the CA. You need to ensure that all of the members of a group named Sales can enroll for certificates that use Sales_Temp. Which snap-in should you use?

A. Active Directory Administrative Center
B. Authorization Manager
C. Certificate Templates
D. Certificates
E. Certification Authority
F. Enterprise PKI
G. Group Policy Management
H. Security Configuration Wizard
I. Share and Storage Management

Correct Answer: C
Section: Configuring Active Directory Certificate Services

/Reference:
After creating a new certificate template, the next step is to deploy the certificate template so that a certification authority (CA) can issue certificates based on it. Deployment includes publishing the certificate template to one or more CAs, defining which security principals have Enroll permissions for the certificate template, and deciding whether to configure autoenrollment for the certificate template. Here the template is already published, so the remaining step is the Enroll permission for the Sales group, which is set on the template itself.

To define permissions to allow a specific security principal to enroll for certificates based on a certificate template
1. Open the Certificate Templates snap-in (Certtmpl.msc). (...)
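Question 25 is answered with the Certification Authority snap-in, but on a busy CA the same review-and-issue step is usually scripted. The following PowerShell is an added example, not code from the original dump: it lists the pending requests in the CA database with certutil.exe and issues one by request ID, which is the command-line equivalent of Pending Requests, Issue. The CA configuration string is made up, and the account running it is assumed to hold the Issue and Manage Certificates role on that CA.

```powershell
# Added example, not from the original dump: list pending requests on a
# Windows Server 2008 R2 enterprise CA and issue one of them with certutil.exe,
# the command-line equivalent of Pending Requests -> All Tasks -> Issue in the
# Certification Authority snap-in (Question 25).
# Assumptions: the CA config string below is made up; the account running
# this holds the "Issue and Manage Certificates" role on that CA.
$caConfig = 'CA1.adatum.com\Adatum-Issuing-CA'

# Disposition 9 is "pending" in the CA database (20 = issued, 30 = failed, 31 = denied).
$columns = 'RequestID,RequesterName,CertificateTemplate,SubmittedWhen'
$raw = certutil -config $caConfig -view -restrict 'Disposition=9' -out $columns
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed against $caConfig (exit code $LASTEXITCODE)" }

# certutil -view prints one "Row N:" header per request followed by indented
# "Column: value" lines; turn each block into an object.
function ConvertFrom-CertutilView {
    param([string[]]$Lines)
    $rows = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Row \d+:') {
            if ($current) { $rows += $current }
            $current = New-Object PSObject
        } elseif ($current -and $line -match '^\s+(\w[\w ]*?):\s*"?(.*?)"?\s*$') {
            Add-Member -InputObject $current -MemberType NoteProperty -Name $matches[1] -Value $matches[2]
        }
    }
    if ($current) { $rows += $current }
    return $rows
}

# "Request ID" is printed as "0x1a (26)"; -resubmit wants the decimal number.
function Get-RequestIdNumber {
    param([string]$Text)
    if ($Text -match '\((\d+)\)') { return [int]$matches[1] }
    return [int]$Text
}

$pending = @(ConvertFrom-CertutilView -Lines $raw)
$pending | Format-Table -AutoSize

# Issue one request after a person has checked who submitted it and for which
# template. Do not loop over every pending row and issue them all: manager
# approval is the control the template's "CA certificate manager approval"
# setting was meant to add, and a blanket loop removes it.
function Approve-PendingRequest {
    param([Parameter(Mandatory=$true)][int]$RequestId)
    certutil -config $caConfig -resubmit $RequestId | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -resubmit $RequestId failed (exit code $LASTEXITCODE)" }
}

# Example: issue the first pending request after reviewing the table above.
if ($pending.Count -gt 0) {
    $id = Get-RequestIdNumber $pending[0].'Request ID'
    Write-Host "Would issue request $id for $($pending[0].'Requester Name'); uncomment to do it."
    # Approve-PendingRequest -RequestId $id
}
```

The restrict clause is what keeps this safe to run repeatedly: it only ever shows disposition 9 rows, and nothing is issued unless a request ID is passed explicitly to Approve-PendingRequest.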

Reference:

QUESTION 27
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2. You need to configure Server1 as a network address translation (NAT) server. Which server role, role service, or feature should you install?

A. Health Registration Authority (HRA)
B. Routing and Remote Access service (RRAS)
C. Windows Server Update Services (WSUS)
D. Network Load Balancing (NLB)
E. Wireless LAN Service
F. Windows Internal Database
G. Network Policy Server (NPS)
H. File Server Resource Manager (FSRM)
I. Services for Network File System (NFS)
J. Group Policy Management
K. Connection Manager Administration Kit (CMAK)
L. Windows System Resource Manager (WSRM)
M. Simple TCP/IP Services

Correct Answer: B
Section: Configuring IP Addressing and Services

/Reference:
Network address translation (NAT) allows you to share a connection to the public Internet through a single interface with a single public IP address. (...)

To enable network address translation addressing: in the RRAS MMC snap-in, expand Your Server Name. If you are using Server Manager, expand Routing and Remote Access.

(My note: in other words, as most books will tell you, NAT is a routing feature of the Routing and Remote Access Services role service, which itself belongs to the Network Policy and Access Services role.)

Reference:

QUESTION 28
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2. You configure Server1 as a VPN server. You need to ensure that only client computers that have up-to-date virus definitions can establish VPN connections to Server1.

Which server role, role service, or feature should you install?

A. Health Registration Authority (HRA)
B. Routing and Remote Access service (RRAS)
C. Windows Server Update Services (WSUS)
D. Network Load Balancing (NLB)
E. Wireless LAN Service
F. Windows Internal Database
G. Network Policy Server (NPS)
H. File Server Resource Manager (FSRM)
I. Services for Network File System (NFS)
J. Group Policy Management
K. Connection Manager Administration Kit (CMAK)
L. Windows System Resource Manager (WSRM)
M. Simple TCP/IP Services

Correct Answer: G
Section: Configuring IP Addressing and Services

/Reference:
This one looks odd at first. We need Network Access Protection (NAP) with VPN enforcement, and NAP health policies are configured in Network Policy Server (NPS), a role service of the Network Policy and Access Services role. Server1 is already a VPN server, so one might expect NPS to be present, but Routing and Remote Access and NPS are separate role services of that role and RRAS can be installed without NPS; the exam therefore expects NPS as the thing still to be installed. Once it is, NAP is configured inside the NPS console rather than installed separately. "By using NAP, you can establish health policies that define such things as software requirements, security update requirements, and required configuration settings for computers that connect to your network." The antivirus check relies on the NAP agent on the client reporting its state, which the Windows Security Health Validator evaluates against the health policy.

References:

QUESTION 29
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2. You need to ensure that UNIX-based client computers can access shared folders on Server1. Which server role, role service, or feature should you install?

A. Health Registration Authority (HRA)
B. Routing and Remote Access service (RRAS)
C. Windows Server Update Services (WSUS)
D. Network Load Balancing (NLB)
E. Wireless LAN Service
F. Windows Internal Database
G. Network Policy Server (NPS)
H. File Server Resource Manager (FSRM)
I. Services for Network File System (NFS)
J. Group Policy Management
K. Connection Manager Administration Kit (CMAK)
L. Windows System Resource Manager (WSRM)
M. Simple TCP/IP Services

Correct Answer: I
Section: Configuring IP Addressing and Services

/Reference:
Services for Network File System (NFS) provides a file-sharing solution for enterprises that have a mixed Windows and UNIX environment. Services for NFS enables users to transfer files between computers running the Windows Server 2008 operating system and UNIX-based computers using the NFS protocol.

Reference:

QUESTION 30
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2. You need to create folder quotas on Server1. Which server role, role service, or feature should you install?

A. Health Registration Authority (HRA)
B. Routing and Remote Access service (RRAS)
C. Windows Server Update Services (WSUS)
D. Network Load Balancing (NLB)
E. Wireless LAN Service
F. Windows Internal Database
G. Network Policy Server (NPS)
H. File Server Resource Manager (FSRM)
I. Services for Network File System (NFS)
J. Group Policy Management
K. Connection Manager Administration Kit (CMAK)
L. Windows System Resource Manager (WSRM)
M. Simple TCP/IP Services

Correct Answer: H
Section: Configuring IP Addressing and Services

/Reference:
By using File Server Resource Manager (FSRM) to create a quota for a volume or folder, you can limit the disk space that is allocated for it. (NTFS disk quotas, by contrast, are per user per volume and cannot be set on a folder.)

Reference:

QUESTION 31
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2. You need to configure Server1 to provide central authentication of dial-up, VPN, and wireless connections to the network. Which server role, role service, or feature should you install?

A. Health Registration Authority (HRA)
B. Routing and Remote Access service (RRAS)
C. Windows Server Update Services (WSUS)
D. Network Load Balancing (NLB)
E. Wireless LAN Service
F. Windows Internal Database
G. Network Policy Server (NPS)
H. File Server Resource Manager (FSRM)
I. Services for Network File System (NFS)
J. Group Policy Management
K. Connection Manager Administration Kit (CMAK)
L. Windows System Resource Manager (WSRM)
M. Simple TCP/IP Services

Correct Answer: G
Section: Configuring IP Addressing and Services

/Reference:
You can use NPS to centrally manage network access through a variety of network access servers, including wireless access points, VPN servers, dial-up servers, and 802.1X authenticating switches. NPS is Microsoft's RADIUS server and proxy; each of those access servers is configured as a RADIUS client of it.

Reference:
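Questions 27 through 31 all reduce to picking the right role service, and on a real 2008 R2 box that is done with the ServerManager module rather than the Add Roles wizard. The following PowerShell is an added example, not code from the original dump: it maps each scenario above to the feature ID that Get-WindowsFeature lists for it and installs whatever is missing. The feature IDs are the ones I know from Windows Server 2008 R2; the script checks every ID against the local Get-WindowsFeature output first so a wrong or renamed ID is reported rather than silently skipped.

```powershell
# Added example, not from the original dump: map the scenarios in Questions
# 27-31 to Windows Server 2008 R2 role services and install them with the
# ServerManager module, the scripted equivalent of Add Roles / Add Features.
# The feature IDs are the ones Get-WindowsFeature lists on 2008 R2; each one
# is verified against that list before Add-WindowsFeature is called.
Import-Module ServerManager

$needs = @{
    'NAT on a member server (Q27)'                    = 'NPAS-RRAS-Services'  # Routing and Remote Access Services
    'NAP health checks for VPN clients (Q28)'         = 'NPAS-Policy-Server'  # Network Policy Server
    'NFS shares for UNIX clients (Q29)'               = 'FS-NFS-Services'     # Services for Network File System
    'Folder quotas (Q30)'                             = 'FS-Resource-Manager' # File Server Resource Manager
    'Central RADIUS auth for dial-up/VPN/Wi-Fi (Q31)' = 'NPAS-Policy-Server'  # NPS again: same role service
}

$available = Get-WindowsFeature | Select-Object -ExpandProperty Name

foreach ($entry in $needs.GetEnumerator()) {
    $id = $entry.Value
    if ($available -notcontains $id) {
        Write-Warning "$($entry.Key): feature ID '$id' not found on this build; check Get-WindowsFeature"
        continue
    }
    $feature = Get-WindowsFeature -Name $id
    if ($feature.Installed) {
        Write-Host "$($entry.Key): $id is already installed"
        continue
    }
    Write-Host "$($entry.Key): installing $id"
    # Add-WindowsFeature pulls in the parent role (NPAS or File Services) automatically.
    $result = Add-WindowsFeature -Name $id
    if (-not $result.Success) { throw "Add-WindowsFeature $id failed (exit code $($result.ExitCode))" }
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning "$id requires a restart before it is usable" }
}
```

Installing the role service is only the first step the questions ask about: NAT still has to be enabled on an interface in RRAS, NAP health policies still have to be built in the NPS console, and NPS only authenticates the wireless and VPN devices that have been added to it as RADIUS clients with a shared secret.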

Out-of-Scope

QUESTION 1
Your company has a main office and a branch office. The company has a single-domain Active Directory forest. The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3. All domain controllers hold the DNS Server server role and are configured as Active Directory-integrated zones. The DNS zones only allow secure updates. You need to enable dynamic DNS updates on DC3.

A. Run the ntdsutil.exe DS Behavior command on DC3.
B. Run the dnscmd.exe /ZoneResetType command on DC3.
C. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.
D. Create a custom application directory partition on DC1. Configure the partition to store Active Directory-integrated zones.

Correct Answer: C
Section: Configuring Domain Name System (DNS) for Active Directory

/Reference:
The problem is that DC3, being an RODC, holds a read-only copy of the directory and therefore a read-only copy of every Active Directory-integrated zone. "Enable dynamic DNS updates on DC3" means DC3 must be able to write to the zone, and only a writable domain controller can do that, so DC3 has to be reinstalled as a writable DC. (A DNS server on an RODC does not silently drop update attempts: it answers with a referral to a writable DNS server, but it never accepts the update itself.) Creating a custom application partition for AD-integrated zones would change where the zone is stored, but DC3 would still hold a read-only replica of that partition and still could not accept updates. dnscmd.exe /ZoneResetType changes the type of a zone; the zones are already AD-integrated and configured for secure dynamic updates, so the zone type is not the issue.

Reference:

ntdsutil.exe DS Behavior is used to allow or disallow LDAP password operations over unsecured connections and has nothing to do with DNS.

Reference:

QUESTION 2
Your network contains an Active Directory domain named contoso.com. You create a GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record is server2.contoso.com. When you ping Server1, you discover that the name fails to resolve. You successfully resolve server2.contoso.com. You need to ensure that you can resolve names by using the GlobalNames zone.

A. From the command prompt, use the netsh tool.
B. From the command prompt, use the dnscmd tool.
C. From DNS Manager, modify the properties of the GlobalNames zone.
D. From DNS Manager, modify the advanced settings of the DNS server.

Correct Answer: B
Section: Configuring Domain Name System (DNS) for Active Directory

/Reference:
The GlobalNames zone is not used for name resolution until GlobalNames zone support is explicitly enabled by running the following command on every authoritative DNS server in the forest:

dnscmd <ServerName> /config /enableglobalnamessupport 1

Reference:

netsh has a context for adding and managing the DNS servers in a client's IP configuration, but no new DNS server has been introduced and the client already reaches its DNS server. The scenario states that the client resolves server2.contoso.com, so DNS and network connectivity are working; the only missing piece is the server-side switch above, which DNS Manager does not expose, so neither DNS Manager option applies.

QUESTION 3
Your company has a main office and a branch office. The network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com is configured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain. The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You uninstall the DNS server role from RODC1. You need to prevent DNS records from replicating to RODC1.

A. Modify the replication scope for the contoso.com zone.
B. Flush the DNS cache and enable cache locking on RODC1.
C. Configure conditional forwarding for the contoso.com zone.
D. Modify the zone transfer settings for the contoso.com zone.

Correct Answer: A
Section: Configuring Domain Name System (DNS) for Active Directory

/Reference:
The contoso.com zone is currently stored in the domain partition ("replicated to all domain controllers in the domain"), so RODC1 receives a copy whether or not it runs DNS. To stop that, we change the zone's replication scope (the Change button on the zone's General tab in DNS Manager) to "all DNS servers in this domain", which moves the zone into the DomainDnsZones application partition; that partition replicates only to domain controllers enlisted as DNS servers, which no longer includes RODC1. Zone transfer settings control which secondary servers may pull the zone with AXFR/IXFR; they do not govern Active Directory replication, which is how an AD-integrated zone reaches RODC1 in the first place.

Reference:

Conditional forwarding is used to specify which servers handle queries for particular domains. It would be relevant if we wanted RODC1 to send queries for some other namespace elsewhere, but that is not what is being asked. The issue is not related to DNS caching.

QUESTION 4
Your network contains an Active Directory domain named contoso.com. The domain contains the servers shown in the following table:

The functional level of the forest is Windows Server . The functional level of the domain is Windows Server . DNS1 and DNS2 host the contoso.com zone. All client computers run Windows 7 Enterprise. You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC. What should you do first?

A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Upgrade DC1 to Windows Server 2008 R2.
D. Upgrade DNS1 to Windows Server 2008 R2.

Correct Answer: D
Section: Configuring Domain Name System (DNS) for Active Directory

/Reference:
In Windows Server 2003 and Windows Server 2008, DNSSEC is implemented on secondary zones as described in RFC 2535. Because RFC 2535 has been made obsolete by the previously mentioned RFCs, the Windows Server 2003 and Windows Server 2008 implementations are not interoperable with the Windows Server 2008 R2 or Windows 7 implementation.

(My note: because we have Windows 7 clients, we must use the Windows Server 2008 R2 implementation of DNSSEC, which requires us to upgrade DNS1 to R2. Functional levels have no bearing on DNSSEC.)

Reference:

QUESTION 5
Your network contains a single Active Directory domain named contoso.com. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 hosts a primary zone for contoso.com. DC2 hosts a secondary zone for contoso.com. On DC1, you change the zone to an Active Directory-integrated zone and configure the zone to accept secure dynamic updates only. You need to ensure that DC2 can accept secure dynamic updates to the contoso.com zone. Which command should you run?

A. dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.com
B. dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimary
C. dnslint.exe /ql
D. repadmin.exe /syncall /force

Correct Answer: B
Section: Configuring Domain Name System (DNS) for Active Directory

/Reference:
dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimary

DC2 currently hosts a secondary zone. Secondary zones are read-only copies of a primary zone and cannot accept dynamic updates. For DC2 to accept updates it must hold a primary copy, and because DC1 has already made the zone Active Directory-integrated, the right type is an AD-integrated primary; that is precisely what the command above does. The zoneresettype parameter to dnscmd changes a zone's type, and /dsprimary specifies an Active Directory-integrated primary zone. Secure-only dynamic updates are available only on AD-integrated zones, so a file-backed /primary would not meet the requirement.

dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.com creates a new application directory partition named dns.contoso.com in which zones could be stored. That can be useful for controlling replication scope, but it does not change the type of DC2's copy of contoso.com, so DC2 still could not accept updates.

repadmin.exe /syncall /force forces DC2 to replicate with all of its partners. This brings the directory, including any AD-integrated zones DC2 holds, up to date with the latest records, but it does not let clients submit updates to DC2, as required.

Reference:

dnslint.exe /ql requests DNS query tests from a list of servers specified in an input file.

Reference:

QUESTION 6
Your network contains an Active Directory domain named contoso.com. The contoso.com DNS zone is stored in Active Directory. All domain controllers run Windows Server 2008 R2. You need to identify if all of the DNS records used for Active Directory replication are correctly registered.

A. From the command prompt, use netsh.exe.
B. From the command prompt, use dnslint.exe.
C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.
D. From the Active Directory Module for Windows PowerShell, run the Get-ADDomainController cmdlet.

Correct Answer: B
Section: Configuring Domain Name System (DNS) for Active Directory

/Reference:
DNSLint is a Microsoft Windows tool that can be used to help diagnose common DNS name resolution issues. It can be targeted to look for specific DNS record sets and ensure that they are consistent across multiple DNS servers. It can also be used to verify that the DNS records used specifically for Active Directory replication are correct (the dnslint /ad test).

Reference:

QUESTION 7

Your network contains a single Active Directory forest. The forest contains two domains named contoso.com and sales.contoso.com. The domain controllers are configured as shown in the following table:

All domain controllers run Windows Server 2008 R2. All zones are configured as Active Directory-integrated zones. You need to ensure that contoso.com records are available on DC3. Which command should you run?

A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain
B. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest
C. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain
D. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest

Correct Answer: B
Section: Configuring Domain Name System (DNS) for Active Directory

/Reference:
DC3 is a domain controller for the child domain sales.contoso.com, so it does not replicate the contoso.com domain partition or the DomainDnsZones partition of contoso.com, which is where the contoso.com zone currently lives. The zone can only reach DC3 if it is moved to the forest-wide ForestDnsZones partition, which every DNS server in the forest replicates. We run the command against DC1 because DC1 currently holds the zone; the change is made on a server that hosts it, not on the server that is missing it.

dnscmd /zonechangedirectorypartition
Changes the directory partition on which the specified zone resides.

Syntax
dnscmd [<ServerName>] /zonechangedirectorypartition <ZoneName> {<NewPartitionName> | <ZoneType>}
(...)
<ZoneType> Specifies the type of directory partition that the zone will be moved to.
/domain Moves the zone to the built-in domain directory partition.
/forest Moves the zone to the built-in forest directory partition.
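The GlobalNames failure in Question 2 is the classic one: the zone exists, the CNAME exists, and nothing resolves because the support switch was never flipped on every DNS server. The following PowerShell is an added example, not code from the original dump, that performs the whole deployment end to end and then checks the result from the client side. It assumes a forest named contoso.com in which every domain controller also runs DNS, that dnscmd.exe is available where the script runs, and that the alias Server1 should point at server2.contoso.com as in the question.

```powershell
# Added example, not from the original dump: deploy a GlobalNames zone the way
# Question 2 describes, on every authoritative DNS server in the forest, and
# verify that the single-label name resolves.
# Assumptions: forest contoso.com, every domain controller runs DNS, dnscmd.exe
# is present (DNS Server role or RSAT), alias Server1 -> server2.contoso.com.
Import-Module ActiveDirectory

# 1. Every DNS server in the forest must have GlobalNames support switched on;
#    a server without it never consults the zone for single-label names, so the
#    same query succeeds or fails depending on which DNS server the client uses.
$dnsServers = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_ | Select-Object -ExpandProperty HostName
}
foreach ($srv in $dnsServers) {
    dnscmd $srv /config /enableglobalnamessupport 1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not enable GlobalNames support on $srv" }
}

# 2. Create the zone once, Active Directory-integrated and stored in the
#    forest-wide partition so that all DNS servers in the forest receive it.
$primary = $dnsServers[0]
dnscmd $primary /zoneadd GlobalNames /dsprimary /dp /forest | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not create the GlobalNames zone on $primary" }

# 3. Add the CNAME from the question. GlobalNames records are static and
#    administrator-maintained; the zone deliberately does not take dynamic updates.
dnscmd $primary /recordadd GlobalNames Server1 CNAME server2.contoso.com | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not add the Server1 CNAME" }

# 4. Verify from a client's point of view: the single-label alias must return
#    the same addresses as the fully qualified target.
function Test-GlobalName {
    param([string]$Alias, [string]$Target)
    $a = [System.Net.Dns]::GetHostAddresses($Alias)  | ForEach-Object { $_.IPAddressToString } | Sort-Object
    $b = [System.Net.Dns]::GetHostAddresses($Target) | ForEach-Object { $_.IPAddressToString } | Sort-Object
    return (($a -join ',') -eq ($b -join ','))
}

if (Test-GlobalName -Alias 'Server1' -Target 'server2.contoso.com') {
    Write-Host 'Server1 resolves through the GlobalNames zone.'
} else {
    Write-Warning 'Server1 did not resolve to server2.contoso.com; check that this client queries a server on which /enableglobalnamessupport was set (replication may also still be in progress).'
}
```

Step 1 is run before the zone is created on purpose: enabling support is a per-server registry setting that does not replicate, so a new DNS server added later also needs it, which is worth recording in the build procedure for domain controllers.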

QUESTION 8
Your company network has an Active Directory forest that has one parent domain and one child domain. The child domain has two domain controllers that run Windows Server . All user accounts from the child domain are migrated to the parent domain. The child domain is scheduled to be decommissioned. You need to remove the child domain from the Active Directory forest. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Run the Computer Management console to stop the Domain Controller service on both domain controllers in the child domain.
B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationship between the parent domain and the child domain.
C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory Domain Services role.
D. Run the dcpromo tool that has individual answer files on each domain controller in the child domain.

Correct Answer: CD
Section: Configuring Domain Name System (DNS) for Active Directory

/Reference:
To remove the domain, we need to remove AD DS from the domain controllers that host it (also known as "demoting" them). When the last domain controller is demoted, we tell the Active Directory Domain Services Installation Wizard that this is the last DC in the domain, and it removes the domain from the forest. As you should know already, Server Manager and dcpromo (interactively or with an answer file) each start that wizard.

Deleting the computer accounts and the trust makes the domain unreachable, but it leaves the domain's cross-reference, naming context and other metadata in the forest; the domain is not removed, and cleaning up afterwards means ntdsutil metadata cleanup. Stopping the domain controller service does not remove the domain either; it only means requests for the domain go unanswered.

QUESTION 9
Your company has a DNS server that has 10 Active Directory-integrated zones. You need to provide copies of the zone files of the DNS server to the security department.

A. Run the dnscmd /ZoneInfo command.
B. Run the ipconfig /registerdns command.
C. Run the dnscmd /ZoneExport command.

Correct Answer: AB
Section: Configuring Domain Name System (DNS) for Active Directory

/Reference:
(...)

Application directory partitions are created with ntdsutil (create nc in the partition management context) or, for DNS partitions, with dnscmd /createdirectorypartition; additional replicas are added with ntdsutil add nc replica or dnscmd /enlistdirectorypartition. ipconfig and "dnsutil" play no part in this.

QUESTION 12
Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2. The DNS zone for contoso.com is Active Directory-integrated. You deploy a read-only domain controller (RODC) named RODC1. You install the DNS Server server role on RODC1. You discover that RODC1 does not have any DNS application directory partitions. You need to ensure that RODC1 has a copy of the DNS application directory partition of contoso.com. (Each correct answer presents a complete solution. Choose two.)

A. From DNS Manager, right-click RODC1 and click Create Default Application Directory Partitions.
B. Run ntdsutil.exe. From the Partition Management context, run the create nc command.
C. Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.
D. Run ntdsutil.exe. From the Partition Management context, run the add nc replica command.
E. Run dnscmd.exe and specify the /enlistdirectorypartition parameter.

Correct Answer: DE
Section: Configuring Domain Name System (DNS) for Active Directory

/Reference:
If you install the DNS server after the AD DS installation, you must also enlist the RODC in the DNS application directory partitions. The RODC is not enlisted automatically in the DNS application directory partitions by design, because it is a privileged operation: if the RODC were allowed to enlist itself, it would have permissions to add or remove other DNS servers that are enlisted in the application directory partitions. (The partitions already exist, which is why the "create" options A, B and C are wrong; the task is to add RODC1 as a replica of them.)

To enlist a DNS server in a DNS application directory partition
1. Open an elevated command prompt.
2. At the command prompt, type the following command, and then press ENTER:

dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>

For example, to enlist RODC01 in the domain-wide DNS application directory partition in a domain named child.contoso.com, type the following command:

dnscmd RODC01 /EnlistDirectoryPartition DomainDNSZones.child.contoso.com

You might encounter the following error when you run this command:

Command failed: ERROR_DS_COULDNT_CONTACT_FSMO 0x20AF

If this error appears, use ntdsutil to add the RODC as a replica of the partition:
1. ntdsutil
2. partition management
3. connections
4. Connect to a writable domain controller (not an RODC): connect to server <WritableDC>.child.contoso.com
5. quit
6. To enlist this server in the replication scope for this zone, run the following command: add nc replica DC=DomainDnsZones,DC=child,DC=contoso,DC=com <RODCServer>.child.contoso.com

Reference:

QUESTION 13
Your network consists of a single Active Directory domain. User accounts for the engineering department are located in an OU named Engineering. You need to create a password policy for the engineering department that is different from your domain password policy.

A. Create a new GPO. Link the GPO to the Engineering OU.
B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the Engineering OU.
C. Create a global security group and add all the user accounts for the engineering department to the group. Create a new Password Settings object (PSO) and apply it to the group.
D. Create a domain local security group and add all the user accounts for the engineering department to the group. From the Active Directory Users and Computers console, select the group and run the Delegation of Control Wizard.

Correct Answer: C
Section: Creating and Maintaining Active Directory Objects

/Reference:
(...)

Password and lockout settings in a GPO take effect only when the GPO is linked at the domain level, so options A and B cannot produce a different policy for one OU. A PSO can be applied only to user objects and global security groups, which rules out the domain local group in option D.

QUESTION 14
Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2. Your company's corporate security policy states that the password for each user account must be changed at least every 45 days. You have a user account named Service1. Service1 is used by a network application named Application1. Every 45 days, Application1 fails. After resetting the password for Service1, Application1 runs properly. You need to resolve the issue that causes Application1 to fail. The solution must adhere to the corporate security policy.

A. Run the Set-ADAccountControl cmdlet.
B. Run the Set-ADServiceAccount cmdlet.
C. Create a new password policy.
D. Create a new Password Settings object (PSO).

Correct Answer: B
Section: Creating and Maintaining Active Directory Objects

/Reference:
(...)

QUESTION 15
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run either Windows XP Service Pack 3 (SP3) or Windows Vista. You need to ensure that all client computers can apply Group Policy preferences.

A. Upgrade all Windows XP client computers to Windows 7.
B. Create a central store that contains the Group Policy ADMX files.
C. Install the Group Policy client-side extensions (CSEs) on all client computers.
D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).

Correct Answer: C
Section: Creating and Maintaining Active Directory Objects

/Reference:
Group Policy preferences are applied by a separate set of client-side extensions (CSEs) that were introduced with Windows Server 2008. Windows 7 and Windows Server 2008 and later ship with them, but Windows XP SP3 and Windows Vista (including Vista SP2) do not, so on those clients the preference items in the GPO are silently ignored until the CSE package is installed. The clients process ordinary policy settings, which are registry-based, perfectly well, so no operating system upgrade is needed; installing the CSEs is the fix. A central store of ADMX files only affects the Group Policy editing tools (Windows XP's editor reads the older .adm files, Vista and later read ADMX); it has no effect on whether a client can apply preferences.

QUESTION 16
You configure and deploy a Group Policy object (GPO) that contains AppLocker settings. You need to identify whether a specific application file is allowed to run on a computer. Which Windows PowerShell cmdlet should you use?

A. Get-AppLockerFileInformation
B. Get-GPOReport
C. Get-GPPermissions
D. Test-AppLockerPolicy

Correct Answer: D
Section: Creating and Maintaining Active Directory Objects

/Reference:

Test-AppLockerPolicy: tests whether the input files are allowed to run for a given user based on the specified AppLocker policy. (Get-AppLockerFileInformation only collects the publisher, hash and path information of a file; it does not evaluate it against a policy.)

Reference:

QUESTION 17
You create a Password Settings object (PSO). You need to apply the PSO to a domain user named User1.

A. Modify the properties of the PSO.
B. Modify the account options of the User1 account.
C. Modify the security settings of the User1 account.
D. Modify the password policy of the Default Domain Policy Group Policy object (GPO).

Correct Answer: A
Section: Creating and Maintaining Active Directory Objects

/Reference:
(...)

A PSO is linked to its targets from the PSO side: the msDS-PSOAppliesTo attribute of the PSO lists the users and global security groups it applies to, so the PSO's properties are what we modify.

QUESTION 18
You need to create a Password Settings object (PSO). Which tool should you use?

A. Active Directory Users and Computers
B. ADSI Edit
C. Group Policy Management Console
D. ntdsutil

Correct Answer: B
Section: Creating and Maintaining Active Directory Objects

/Reference:
(...)

QUESTION 19
Your network contains an Active Directory domain. The domain contains several domain controllers. All domain controllers run Windows Server 2008 R2. You need to restore the Default Domain Controllers Policy Group Policy object (GPO) to the Windows Server 2008 R2 default settings.

A. Run dcgpofix.exe /target:dc.
B. Run dcgpofix.exe /target:domain.
C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.
D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.

Correct Answer: A
Section: Creating and Maintaining Active Directory Objects

/Reference:
(...)

dcgpofix rebuilds the Default Domain Controllers Policy (/target:dc) or the Default Domain Policy (/target:domain) with the operating system defaults. It overwrites whatever customizations the GPO held, so back the GPO up first. Deleting a link does not restore any settings.

QUESTION 20
Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2. You need to create multiple password policies for users in your domain.

A. From the Active Directory Schema snap-in, create multiple class schema objects.
B. From the ADSI Edit snap-in, create multiple Password Setting objects.
C. From the Security Configuration Wizard, create multiple security policies.
D. From the Group Policy Management snap-in, create multiple Group Policy objects.

Correct Answer: B
Section: Creating and Maintaining Active Directory Objects

/Reference:
PSOs (Password Settings objects) are created with ADSI Edit and allow more fine-grained password and lockout policies for users and global security groups whose needs do not fit the default domain policy. Fine-grained password policy requires a domain functional level of Windows Server 2008 or higher, which the stated forest level guarantees.

Reference:

The Security Configuration Wizard is used to reduce the attack surface of a server by tightening policies for the services and roles that are installed. Multiple GPOs cannot provide multiple password policies, because only the password settings of GPOs linked at the domain level are enforced.

Reference:

QUESTION 21
Your company has a main office and 50 branch offices. Each office contains multiple subnets. You need to automate the creation of Active Directory subnet objects. What should you use?

A. the dsadd tool
B. the netsh tool
C. the New-ADObject cmdlet
D. the New-Object cmdlet

Correct Answer: C
Section: Creating and Maintaining Active Directory Objects

/Reference:

(...)

QUESTION 22
Your network contains an Active Directory forest. You set the Windows PowerShell execution policy to allow unsigned scripts on a domain controller in the network. You create a Windows PowerShell script named new-users.ps1 that contains the following lines:

new-aduser user1
new-aduser user2
new-aduser user3
new-aduser user4
new-aduser user5

On the domain controller, you double-click the script and the script runs. You discover that the script fails to create the user accounts. You need to ensure that the script creates the user accounts. Which cmdlet should you add to the script?

A. Import-Module
B. Register-ObjectEvent
C. Set-ADDomain
D. Set-ADUser

Correct Answer: A
Section: Creating and Maintaining Active Directory Objects
Explanation/Reference:
(...)

QUESTION 23
Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects. You need to give the human resources department a file that contains the last logon time and the custom attribute values for each user in the forest. Which should you use?

A. the dsquery tool
B. the Export-CSV cmdlet
C. the Get-ADUser cmdlet
D. the net.exe user command

Correct Answer: C
Section: Creating and Maintaining Active Directory Objects
Explanation/Reference:
(...)

QUESTION 24
You need to back up all of the group policies in a domain. The solution must minimize the size of the backup. What should you use?

A. the Add-WBSystemState cmdlet
B. the Group Policy Management console
C. the wbadmin tool
D. the Windows Server Backup feature

Correct Answer: B
Section: Creating and Maintaining Active Directory Objects
Explanation/Reference:
(...)

QUESTION 25
Your network consists of a single Active Directory domain. All domain controllers run Windows Server. You upgrade all domain controllers to Windows Server 2008 R2. You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R).

A. From the command prompt, run netdom /reset.
B. From the command prompt, run dfsutil /addroot:sysvol.
C. Raise the functional level of the domain to Windows Server 2008 R2.
D. From the command prompt, run dcpromo /unattend:unattendfile.xml.

Correct Answer: C
Section: Configuring the Active Directory Infrastructure
Explanation/Reference:
(...)

QUESTION 26
Your network contains an Active Directory domain. All domain controllers run Windows Server. The functional level of the domain is Windows Server. All client computers run Windows 7. You install Windows Server 2008 R2 on a server named Server1. You need to perform an offline domain join of Server1. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. From Server1, run djoin.exe.
B. From Server1, run netdom.exe.
C. From a Windows 7 computer, run djoin.exe.
D. Upgrade one domain controller to Windows Server 2008 R2.
E. Raise the functional level of the domain to Windows Server 2008.

Correct Answer: AC
Section: Configuring the Active Directory Infrastructure
Explanation/Reference:
(...)

QUESTION 27
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The Audit account management policy setting and Audit directory services access setting are enabled for the entire domain. You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes.

A. Enable the Audit Account Management policy in the Default Domain Controller Policy.
B. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.
C. Run auditpol.exe and then enable the Audit Directory Service Access setting in the Default Domain policy.
D. From the Default Domain Controllers policy, enable the Audit Directory Service Access setting and Audit Directory Service Changes setting.

Correct Answer: B
Section: Creating and Maintaining Active Directory Objects
Explanation/Reference:
auditpol.exe is used to set and manipulate group policy, so this is the application we need to run to enforce the policies that have been already configured in the scenario. The scenario specifies that 'Audit directory service access' and 'Audit account management' are already enabled for the entire domain (which would include the domain controllers). This means there is not only no need to perform the other options listed, but they would not apply the policy.

QUESTION 28
Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers. You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Run the adprep /forestprep command.
B. Run the adprep /domainprep command.
C. Raise the forest functional level to Windows Server.
D. Raise the domain functional level to Windows Server.

Correct Answer: AB
Section: Configuring the Active Directory Infrastructure

Explanation/Reference:
(...)

QUESTION 29
Your company has a single Active Directory domain. All domain controllers run Windows Server 2003. You install Windows Server 2008 R2 on a server. You need to add the new server as a domain controller in your domain. What should you do first?

A. On the new server, run dcpromo /adv.
B. On the new server, run dcpromo /createdcaccount.
C. On a domain controller, run adprep /rodcprep.
D. On a domain controller, run adprep /forestprep.

Correct Answer: D
Section: Configuring the Active Directory Infrastructure
Explanation/Reference:
We are creating our first 2008 R2 domain controller on the network, so we need to prepare the forest for the 2008 R2 AD schema. dcpromo is indeed used to add a new domain controller to a domain, but since all current DCs run 2003, the forest schema will not be able to support a 2008 R2 DC. The scenario does not mention that an RODC is being installed, and even if so we would need to prep the forest with the new schema first.

QUESTION 30
You have a Windows PowerShell script that contains the following code:

import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword $_.password}

When you run the script, you receive an error message indicating that the format of the password is incorrect. The script fails. You need to run a script that successfully creates the user accounts by using the password contained in accounts.csv. Which script should you run?

A. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -force)}
B. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force)}
C. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (Read-Host -AsSecureString "Password")}
D. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (Read-Host -AsSecureString $_.Password)}

Correct Answer: B
Section: Configuring the Active Directory Infrastructure
Explanation/Reference:
(...)

QUESTION 31
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run either Windows 7 or Windows Vista Service Pack 2 (SP2). You need to audit user access to the administrative shares on the client computers.

A. Deploy a logon script that runs icacls.exe.
B. Deploy a logon script that runs auditpol.exe.
C. From the Default Domain Policy, modify the Advanced Audit Policy Configuration.
D. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration.

Correct Answer: B
Section: Creating and Maintaining Active Directory Objects
Explanation/Reference:
(...)

QUESTION 32
Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2. You deploy a new server that runs Windows Server 2008 R2. The server is not connected to the internal network. You need to ensure that the new server is already joined to the domain when it first connects to the internal network.

A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, run sysprep.exe and specify the /generalize parameter.
B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, run sysprep.exe and specify the /oobe parameter.
C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the new server, run djoin.exe and specify the /requestodj parameter.
D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the new server, run djoin.exe and specify the /provision parameter.

Correct Answer: C
Section: Configuring the Active Directory Infrastructure
Explanation/Reference:
(...)

QUESTION 33
Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers and DNS servers. All client computers run Windows XP SP3. You need to use your client computers to edit domain-based GPOs by using the ADMX files that are stored in the ADMX central store.

A. Add your account to the Domain Admins group.
B. Upgrade your client computers to Windows 7.
C. Install .NET Framework 3.0 on your client computers.
D. Create a folder on the PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the PolicyDefinitions folder.

Correct Answer: B
Section: Creating and Maintaining Active Directory Objects
Explanation/Reference:
(...)

QUESTION 34
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server. You have a member server named Server1 that runs Windows Server. You need to ensure that you can add Server1 to contoso.com as a domain controller. What should you run before you promote Server1?

A. dcpromo.exe /CreateDCAccount
B. dcpromo.exe /ReplicaOrNewDomain:replica
C. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008Domain
D. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest

Correct Answer: C
Section: Configuring the Active Directory Infrastructure
Explanation/Reference:
(...)

QUESTION 35
Your network contains an Active Directory domain. The domain contains a group named Group1. The minimum password length for the domain is set to six characters. You need to ensure that the passwords for all users in Group1 are at least 10 characters long. All other users must be able to use passwords that are six characters long.

What should you do first?

A. Run the New-ADFineGrainedPasswordPolicy cmdlet.
B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.
C. From the Default Domain Policy, modify the password policy.
D. From the Default Domain Controller Policy, modify the password policy.

Correct Answer: A
Section: Creating and Maintaining Active Directory Objects
Explanation/Reference:
To create a different password policy for users in Group1, we first need to create a fine-grained password policy object. This is achieved with the New-ADFineGrainedPasswordPolicy cmdlet. After the policy is set up, we will then be able to apply that policy to Group1. This would be done with the Add-ADFineGrainedPasswordPolicySubject cmdlet. Modifying the password policy will affect the passwords for all users in the domain, not just those in Group1.

QUESTION 36
Your network contains an Active Directory domain. All domain controllers run Windows Server. You replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise the functional level of the domain to Windows Server 2008 R2. You need to minimize the amount of SYSVOL replication traffic on the network.

A. Raise the functional level of the forest to Windows Server 2008 R2.
B. Modify the path of the SYSVOL folder on all of the domain controllers.
C. On a global catalog server, run repadmin.exe and specify the KCC parameter.
D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run dfsrmig.exe.

Correct Answer: D
Section: Configuring the Active Directory Infrastructure
Explanation/Reference:
Now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functional level has been raised to Windows Server 2008 R2, we can use DFS Replication for replicating SYSVOL instead of the File Replication Service (FRS) of previous Windows Server versions. The migration takes place on a domain controller holding the PDC Emulator role.

QUESTION 37
Your network contains an Active Directory forest named contoso.com. The password policy of the forest requires that the passwords for all of the user accounts be changed every 30 days. You need to create user accounts that will be used by services. The passwords for these accounts must be

changed automatically every 30 days. Which tool should you use to create these accounts? To answer, select the appropriate tool in the answer area.

Point and Shoot:

Correct Answer:
Section: Creating and Maintaining Active Directory Objects
Explanation/Reference:
Use the Active Directory module for Windows PowerShell to create a managed service account.
Reference:

QUESTION 38
Your network contains an Active Directory forest named contoso.com. The forest contains four computers. The computers are configured as shown in the following table.

An administrator creates a script that contains the following commands:

auditpol /get /sd
auditpol /list /user
auditpol /resourcesacl /type:file /clear
auditpol /remove /user:{s }

You need to identify which computers can successfully run all of the commands in the script. Which two computers should you identify? (Each correct answer presents part of the solution. Choose two.)

A. Computer1
B. Server1
C. Computer2
D. Server2

Correct Answer: CD
Section: Creating and Maintaining Active Directory Objects
Explanation/Reference:
auditpol /resourcesacl applies only to Windows 7 and Windows Server 2008 R2. So only these computers can run all of the commands in the script.
Reference:

QUESTION 39
Your network contains an Active Directory domain named contoso.com. You need to create one password policy for administrators and another password policy for all other users. Which tool should you use?

A. ntdsutil
B. Active Directory Users and Computers
C. ADSI Edit
D. Group Policy Management Console (GPMC)

Correct Answer: C
Section: Creating and Maintaining Active Directory Objects

Explanation/Reference:
To create a PSO using ADSI Edit:
1. Click Start, click Run, type adsiedit.msc, and then click OK.
2. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.
3. In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO, and then click OK.
4. Double-click the domain.
5. Double-click DC=<domain_name>.
6. Double-click CN=System.
7. Click CN=Password Settings Container. All the PSO objects that have been created in the selected domain appear.
8. Right-click CN=Password Settings Container, click New, and then click Object.
9. In the Create Object dialog box, under Select a class, click msds-passwordsettings, and then click Next.
10. In Value, type the name of the new PSO, and then click Next.
11. Continue with the wizard, and enter appropriate values for all must-have attributes.
Reference:

QUESTION 40
Your network contains an Active Directory domain named contoso.com. The functional level of the forest is Windows Server 2008 R2. The Default Domain Controller Policy Group Policy object (GPO) contains audit policy settings. On a domain controller named DC1, an administrator configures the Advanced Audit Policy Configuration settings by using a local GPO. You need to identify what will be audited on DC1. Which tool should you use?

A. Get-ADObject
B. secedit
C. Security Configuration and Analysis
D. auditpol

Correct Answer: D
Section: Creating and Maintaining Active Directory Objects
Explanation/Reference:
auditpol /get: Retrieves the system policy, per-user policy, auditing options, and audit security descriptor object.
Reference:

QUESTION 41
You remotely monitor several domain controllers. You run winrm.exe quickconfig on each domain controller. You need to create a WMI script query to retrieve information from the BIOS of each domain controller. Which format should you use to write the query?

A. XrML
B. XML
C. WQL
D. HTML

Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
(...)

QUESTION 42
Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains a member server that is configured to collect all of the events that occur on the domain controllers. You need to ensure that administrators are notified when a specific event occurs on any of the domain controllers. You want to achieve the goal by using the minimum amount of effort.

A. From Event Viewer on the member server, create a subscription.
B. From Event Viewer on each domain controller, create a subscription.
C. From Event Viewer on the member server, run the Create Basic Task Wizard.
D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.

Correct Answer: C
Section: Monitoring and Managing A Network Infrastructure
Explanation/Reference:
In order to have notifications sent when specific events occur, we need to create a Task on the Event Log. This is done through Event Viewer. Because the scenario states there is a member server that is collecting event logs, we need to run the Create Basic Task Wizard from that member server rather than the domain controllers. Event subscriptions are used to forward event logs to a centralized management computer. This does not provide any kind of notification of events to individual users, and the scenario indicates a member server has already been configured for this as well.

QUESTION 43
Your company has 10 servers that run Windows Server 2008 R2. The servers have Remote Desktop Protocol (RDP) enabled for server administration. RDP is configured to use default security settings. All administrators' computers run Windows 7. You need to ensure the RDP connections are as secure as possible. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Set the security layer for each server to the RDP Security Layer.
B. Configure the firewall on each server to block port 3389.

C. Acquire user certificates from the internal certification authority.
D. Configure each server to allow connections only to Remote Desktop client computers that use Network Level Authentication.

Correct Answer: CD
Section: Configuring File and Print Services
Explanation/Reference:
(...)

QUESTION 44
Your company has a server named Server1 that runs Windows Server 2008 R2. The Windows Server Backup feature is installed on Server1. Server1 fails. You install a new server named Server2 that runs Windows Server 2008 R2. You need to restore the company's Windows SharePoint Services (WSS) site to Server2.

A. Use wbadmin to restore the system state from backup.
B. Run wbadmin with the Get Versions option. Install WSS.
C. Run wbadmin with the Start Recovery option. Install WSS.
D. Use wbadmin to restore the application and the sites from backup.

Correct Answer: D
Section: Configuring File and Print Services
Explanation/Reference:
(...)

QUESTION 45
Your network contains a server that runs Windows Server 2008 R2. Windows BitLocker Drive Encryption (BitLocker) is enabled for all drives. You need to perform a bare metal recovery of the server. What should you do first?

A. From the BIOS, disable the Trusted Platform Module.
B. From the BIOS, disable the processor's No Execute feature.
C. Start the computer in Safe Mode.
D. Start the computer from the Windows Server 2008 R2 installation media.

Correct Answer: D
Section: Configuring File and Print Services
Explanation/Reference:
(...)

QUESTION 46
Your network contains two servers named Server1 and Server2. Server1 runs Windows Server 2008 R2. Server2 runs Windows Server. You need to ensure that you can initiate a full server backup of Server2 from Server1.

A. Install Windows Server Backup on Server2.
B. Upgrade Server2 to Windows Server 2008 R2.
C. Add an exception to Windows Firewall on Server2.
D. Add your user account to the Backup Operators group on Server2.

Correct Answer: B
Section: Configuring File and Print Services
Explanation/Reference:
Windows Server Backup supports operations on a remote computer via the snap-in, without the need to configure firewall rules. However, this option (Connect To Another Computer) of the snap-in is only available on Server 2008 R2, so we must upgrade Server2. You do not need to add your user account to the Backup Operators group on Server2. Only network access and general permissions to the server are required. You would not install WSB on Server2 because you want to complete the backup from Server1. This is completely possible without Server2 having the WSB software.

QUESTION 47
Your network contains a server that runs Windows Server 2008 R2. You need to schedule backups of the server. The solution must ensure that multiple versions of the backup are available. Which two possible backup locations should you use? (Each correct answer presents a complete solution. Choose two.)

A. external hard disk
B. internal hard disk
C. optical media
D. remote shared folder

Correct Answer: AB
Section: Configuring File and Print Services
Explanation/Reference:
(...)

QUESTION 48
Your network contains a server named Server1 that runs Windows Server 2008 R2. The disks on Server1 are configured as shown in the following table.

You run the Backup Once wizard and discover that the option for Full Server backup is unavailable. You need to ensure that you can run a full server backup of Server1.

A. Take Disk 1 offline.
B. Take Disk 2 offline.
C. Run the Set-WBPolicy cmdlet.
D. Run Windows Server Backup as an Administrator.

Correct Answer: B
Section: Configuring File and Print Services
Explanation/Reference:
(...)

QUESTION 49
You manage a server that runs Windows Server 2008 R2. The D:\Payroll folder is corrupted. The most recent backup version is 10/29/ :00. You need to restore all the files in the D:\Payroll folder back to the most recent backup version without affecting other folders on the server. What should you do on the server?

A. Run the recover d:\payroll command.
B. Run the wbadmin restore catalog -backuptarget:d: -version:10/29/ :00 quiet command.
C. Run the wbadmin start recovery -backuptarget:d: -version:10/29/ :00 overwrite Quiet command.
D. Run the wbadmin start recovery -version:10/29/ :00 -itemtype:file -items:d:\Payroll -overwrite -recursive quiet command.

Correct Answer: D
Section: Configuring File and Print Services
Explanation/Reference:
(...)

QUESTION 50
Your network contains a server named Server1 that runs Windows Server 2008 R2. You need to configure scheduled backups on Server1 to meet the following requirements:
- Maintain 60 days of backups.
- Minimize the performance impact on Server1 while a backup is running.

A. From Windows PowerShell, run the New-WBPolicy cmdlet.
B. From Windows PowerShell, run the Set-WBVssBackupOptions cmdlet.
C. From the Backup Schedule Wizard, click the Backup to a volume option.
D. From the Backup Schedule Wizard, click the Backup to hard disk that is dedicated for backups (recommended) option.

Correct Answer: D
Section: Configuring File and Print Services
Explanation/Reference:
(...)

QUESTION 51
Your network contains an Active Directory domain. The functional level of the domain is Windows Server. The domain contains five domain controllers that run Windows Server 2008 and five domain controllers that run Windows Server 2008 R2. You need to ensure that SYSVOL is replicated by using Distributed File System Replication (DFSR). What should you do first?

A. Run dfsrdiag.exe PollAD.
B. Run dfsrmig.exe /SetGlobalState 0.
C. Upgrade all domain controllers to Windows Server 2008 R2.
D. Raise the functional level of the domain to Windows Server.

Correct Answer: D
Section: Configuring File and Print Services
Explanation/Reference:
(...)

QUESTION 52
Your company has a main office and one branch office. The main office has a print server named Printer1. The branch office has a print server named Printer2. Printer1 manages 15 printers and Printer2 manages seven printers. You add Printer2 to the Print Management console on Printer1. You need to send an automatic notification when a printer is not available.

A. Configure an email notification for the Printers With Jobs printer filter.
B. Configure an email notification for the Printers Not Ready printer filter.
C. Enable the Show informational notifications for local printers option on both print servers.
D. Enable the Show informational notifications for network printers option on both print servers.

Correct Answer: B
Section: Configuring File and Print Services
Explanation/Reference:
(...)

QUESTION 53
Your network contains a print server named Server1. Server1 has three shared printers named Printer1, Printer2, and Printer3. Each shared printer uses a different driver. You need to ensure that if Printer1 causes an exception, users can still print to Printer2 and Printer3.

A. Add a Driver filter.
B. Add a Printer filter.
C. Modify the Print Processor options.
D. Modify the Driver Isolation settings.

Correct Answer: D
Section: Configuring File and Print Services
Explanation/Reference:
(...)

QUESTION 54
Your network contains an Active Directory domain. The domain contains a print server named Server1. Server1 runs Windows Server 2008 R2. You need to ensure that users can locate all shared printers on Server1 by using Active Directory. What should you do from Server1?

A. Run the pubprn.vbs script.
B. Run dism.exe.
C. Run the Set-ADObject cmdlet.
D. Modify the Print Server properties.

Correct Answer: A
Section: Configuring File and Print Services
Explanation/Reference:

(...)

QUESTION 55
Your company has a server named FS1. FS1 hosts the domain-based DFS namespace named \\contoso.com\dfs. All domain users store their data in subfolders within the DFS namespace. You need to prevent all users, except administrators, from creating new folders or new files at the root of the \\contoso.com\dfs share.

A. Run the dfscmd.exe \\FS1\dfs /restore command on FS1.
B. Configure the NTFS permissions for the C:\DFSroots\dfs folder on FS1. Set the Create folders/append data special permission to Deny for the Authenticated Users group. Set the Full Control permission to Allow for the Administrators group.
C. Start the Delegate Management Permissions Wizard for the DFS namespace named \\contoso.com\dfs. Remove all groups that have the permission type Explicit except the Administrators group.
D. Configure the \\FS1\dfs shared folder permissions. Set the permissions for the Authenticated Users group to Reader. Set the permissions for the Administrators group to Co-owner.

Correct Answer: D
Section: Configuring File and Print Services
Explanation/Reference:
(...)

QUESTION 56
Your network contains a single Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Server1 and Server2 are namespace servers for the \\contoso.com\dfs1 namespace. You need to ensure that users only connect to the \\contoso.com\dfs1 namespace on Server1 if Server2 is unavailable. How should you configure the \\contoso.com\dfs1 namespace?

A. From the properties of the \\contoso.com\dfs1 namespace, modify the referrals settings.
B. From the properties of the \\contoso.com\dfs1 namespace, modify the advanced settings.
C. From the properties of the \\SERVER1\DFS1 namespace servers entry, modify the advanced settings.
D. From the properties of the \\SERVER2\DFS1 namespace servers entry, modify the advanced settings.

Correct Answer: D
Section: Configuring File and Print Services
Explanation/Reference:
(...)

QUESTION 57
Your network contains a domain-based namespace named DFS1. DFS1 has Windows 2008 Server mode enabled.

You need to ensure that only files and folders in DFS1 that users have permissions to access are displayed.

A. Disable referrals.
B. Modify the system access control list.
C. Enable Access-Based Enumeration (ABE).
D. Modify the discretionary access control list.

Correct Answer: C
Section: Configuring File and Print Services
Explanation/Reference:
(...)

QUESTION 58
Your company has a main office and a branch office. The network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 is located in the main office. Server2 is located in the branch office. You have a domain-based namespace named \\contoso.com\dfs1. Server1 is configured as the namespace server for \\contoso.com\dfs1. \\contoso.com\dfs1 has a folder named Folder1. The folder targets for Folder1 are \\Server1\Folder1 and \\Server2\Folder1. Users in the main office report that they view different content in Folder1 than users in the branch office. You need to ensure that the content in Folder1 is identical for all of the users.

A. Create a new Replication Group.
B. Configure Server2 as a namespace server.
C. From Server2, run dfsutil.exe cache domain.
D. From Server2, run dfsutil.exe root forcesync \\contoso.com\dfs1.

Correct Answer: A
Section: Configuring File and Print Services
Explanation/Reference:
The fact that Server2 is not displaying the same files as Server1 indicates that replication is not occurring on Server2. A replication group is a set of servers, known as members, that participates in the replication of one or more replicated folders.
Reference:
dfsutil.exe root forcesync \\contoso.com\dfs1 will force a resync of the namespace. However, Server2 is being used in the namespace. The files would be in sync if replication were working.

dfsutil.exe cache domain will display or flush the DFS domain cache. Server2 does not need to be configured as a namespace server.

QUESTION 59
Your network contains a Distributed File System (DFS) target folder named Folder1 that contains 100 GB of data. You plan to create a new DFS replica of Folder1 on a server named Server2. You need to prestage the data in Folder1 on Server2. The solution must ensure that the amount of initial DFS replication traffic is minimized. Which tool should you use to prestage the Folder1 data?

A. dfscmd
B. dfsrmig
C. dfsutil
D. wbadmin

Correct Answer: D
Section: Configuring File and Print Services
Explanation/Reference:
The hashes of prestaged data are affected by the following:
- Permissions
- Audit properties
- Inheritance
- The copy tool, such as Robocopy.exe or Xcopy.exe, that is used
Because the possible combinations of these factors are so wide and varied, predicting the success of prestaging operations is very difficult. However, the Backup program in Windows Server is a reliable mechanism to prestage data.
Reference:

QUESTION 60
Your network contains a domain-based Distributed File System (DFS) namespace named \\contoso.com\DFS1. You have two servers named Server1 and Server2 that are configured as namespace servers for \\contoso.com\dfs1. You need to verify that the DFS namespace replicates successfully between Server1 and Server2. Which tool should you use?

A. dfscmd
B. dfsdiag
C. dfsrdiag
D. dfsutil

Correct Answer: B
Section: Configuring File and Print Services

Explanation/Reference:
(...)

QUESTION 61
Your company has a domain with multiple sites. You have a domain-based DFS namespace called \\contoso.com\management. The \\contoso.com\management namespace hierarchy is updated frequently. You need to configure the \\contoso.com\management namespace to reduce the workload of the PDC emulator.

A. Enable the Optimize for scalability option.
B. Enable the Optimize for consistency option.
C. Set the Ordering method option to Lowest cost.
D. Set the Ordering method option to Random order.

Correct Answer: A
Section: Configuring File and Print Services
Explanation/Reference:
"Choose Optimize for consistency if there are 16 or fewer namespace servers hosting the namespace."
"Choose Optimize for scalability if there are more than 16 namespace servers. This reduces the load on the Primary Domain Controller (PDC) Emulator."
Reference:
A referral is an ordered list of targets that a client computer receives from a domain controller or namespace server when the user accesses a namespace root or folder with targets. After the client receives the referral, the client attempts to access the first target in the list. If the target is not available, the client attempts to access the next target. Targets on the client's site are always listed first in a referral. Targets outside of the client's site are listed according to the ordering method.
Reference:
MY NOTE: So the ordering method tells us which offsite clients to use as a namespace target. Randomizing this would randomize hits to the different namespace servers and possibly reduce some load on the PDC, but clearly is not the recommended method for large amounts of namespace servers.

QUESTION 62
Your network contains a server that runs Windows Server 2008 R2. You need to enable access-based enumeration (ABE) on a shared folder. Which console should you use?

A. Disk Management
B. File Server Resource Manager
C. Share and Storage Management
D. Storage Explorer

Correct Answer: C
Section: Configuring File and Print Services
/Reference:
ABE is a feature for shared folders that prevents users from seeing folders they do not have access to. Share and Storage Management provides a central location for you to manage shared resources, such as folders and volumes, as well as storage resources.
Reference:
We do not need to manage quotas, file screens or reports, so FSRM is not the right tool. File Server Resource Manager is a suite of tools for Windows Server 2008 that allows administrators to understand, control, and manage the quantity and type of data that is stored on their servers. By using File Server Resource Manager, administrators can place quotas on folders and volumes, actively screen files, and generate comprehensive storage reports.
Reference:
Storage Explorer is used for viewing fabrics in a SAN. Disk Management is used to configure hard disk volumes and partitions and defragment hard disks.

QUESTION 63
Your network contains a server named Server1. Server1 is configured as a BranchCache server. The cache is located at D:\Branchcache. You need to remove all existing files and hashes from the cache.
Which command should you run?

A. hashgen.exe d
B. branchcache
C. net.exe stop PeerDistSvc & net.exe start PeerDistSvc
D. netsh.exe branchcache flush
E. rd.exe d:\branchcache /s /q

Correct Answer: C
Section: Configuring File and Print Services
/Reference:
(...)

QUESTION 64
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is located in a branch office. You view the BranchCache configuration of Server1 as shown in the exhibit. (Click the Exhibit button.) You need to ensure that client computers in the branch office retrieve cached files from Server1 only.
What should you do on Server1?
Exhibit:

A. Install the BranchCache for Network Files role service.
B. Install the Services for Network File System role service.
C. Run netsh.exe branchcache set service mode=distributed.
D. Run netsh.exe branchcache set service mode=hostedclient.

Correct Answer: D
Section: Configuring File and Print Services
/Reference:
(...)

QUESTION 65
Your network contains the servers shown in the following table.
Office1 and Office2 connect to each other by using a WAN link. Users in Office2 frequently access the same set of files stored in Data1. You need to reduce the amount of file transfer traffic across the WAN link.
What should you add to Server1?

A. the Background Intelligent Transfer Service (BITS) feature
B. the BranchCache feature
C. the BranchCache For Network Files role service
D. the Distributed File System (DFS) role service

Correct Answer: C
Section: Configuring File and Print Services
/Reference:
In general, BranchCache allows caching of file content to reduce WAN traffic. However, because Data1 is a file share (SMB), we must specifically use the BranchCache for Network Files role service rather than the BranchCache feature. BITS is used to reduce traffic for Windows Updates. DFS is used to synchronize files within a shared namespace, and could be used to allow Data1 to be replicated on servers in both offices.

QUESTION 66
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is located in a branch office. You discover that users cannot obtain cached documents from Server1. The BranchCache configuration on Server1 is shown in the exhibit. (Click the Exhibit button.) You need to ensure that Server1 hosts cached content for client computers in the branch office.

Exhibit:
A. Enable Peer Discovery firewall rules.
B. Set the Startup Type of the BranchCache service to Automatic, and then start the service.
C. At the command prompt, run netsh.exe branchcache set service mode=distributed.
D. At the command prompt, run netsh.exe branchcache set service mode=hostedclient.

Correct Answer: B
Section: Configuring File and Print Services
/Reference:
(...)

QUESTION 67
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has Microsoft Exchange Server 2010 deployed. You schedule a backup of the server. You discover that the Exchange Server 2010 transaction log files are purged during the backup. You need to prevent the Exchange Server 2010 transaction log files from being purged.

A. From the properties of the backup, add an exclusion.
B. From the properties of the backup, modify the VSS settings.
C. From Windows PowerShell, run the New-WBFileSpec cmdlet.
D. From Windows PowerShell, run the New-WBBackupTarget cmdlet.

Correct Answer: B
Section: Configuring File and Print Services
/Reference:
So, when you do a VSS full backup, you create a backup of all the files, but after that the backup application may truncate logs on the file system. On the other hand, when you do a VSS copy backup, all files are backed up and you preserve all the application files, including log files, on the live system.
Reference:
MY NOTE: Basically, to purge (truncate) logs from a backup, we have to do a VSS full backup. This option is available from the properties of the backup job, under VSS settings.
WRONG ANSWERS...

QUESTION 68
Your network contains a file server that runs Windows Server 2008 R2. The server has File Server Resource Manager (FSRM) installed. A file screen is created for a folder named Data. Data is located on the C drive. The file screen is configured to block files contained in the Audio and Video file group. You need to allow users in the sales department to upload video files to C:\Data\Sales.

A. Create a file screen exception.
B. Modify the Audio and Video file group.
C. Implement an active file screen on C:\Data\Sales.
D. Implement a passive file screen on C:\Data\Sales.

Correct Answer: A
Section: Configuring File and Print Services
/Reference:
(...)

QUESTION 69
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the File Services role installed.
You configure a file classification rule. You discover that scanned documents stored as JPG files are not being classified. You need to ensure that all file classification rules apply to scanned documents.

A. Enable the Windows TIFF IFilter feature.
B. Modify the properties of the file classification rule.
C. Modify the properties of the Windows Search Service.
D. Install the Office 2007 System Converter: Microsoft Filter Pack.

Correct Answer: A
Section: Configuring File and Print Services
/Reference:
(...)

QUESTION 70
Your network contains a file server named Server1 that runs Windows Server 2008 R2. On Server1, you create a disk quota for volume E that limits storage to 200 MB for all users. You need to ensure that a user named User1 can store files that are larger than 200 MB on the volume.
What should you do?

A. From a command prompt, run dirquota.exe.
B. From Disk Management, create a new quota entry.
C. From Windows Explorer, modify the Security properties of the volume.
D. From File Server Resource Manager, create a file screen exception.

Correct Answer: A
Section: Configuring File and Print Services
/Reference:
To do this, we simply need to update the quota assigned to User1. We can issue the following command to modify quotas:
dirquota quota modify
Reference:
We would not create a new quota entry, as quotas are per-user and the user already has an assigned quota at the volume level. The Security properties in Windows Explorer let us control who can access the volume, but are not where quotas are configured or managed. We do not need a file screen exception, as we are not told an exception is even in place. Rather, a quota limit has been put in place.

QUESTION 71
Your network contains a file server named Server1 that runs Windows Server 2008 R2. You have a folder
named Folder1. You need to ensure that files in Folder1 that are older than 365 days are automatically moved to an archive folder.
What should you create from the File Server Resource Manager console?

A. a file group
B. a file management task
C. a file screen
D. a quota

Correct Answer: B
Section: Configuring File and Print Services
/Reference:
(...)

QUESTION 72
Your network contains an Active Directory domain named contoso.com. The functional level of the domain and the functional level of the forest are Windows Server All domain controllers run Windows Server You have a member server that runs Windows Server 2008 R2 named Server1. You install the Distributed Scan Server role service on Server1. From the Scan Management console, you attempt to add a scan process and you receive the following error.
You need to ensure that you can add a scan process.

A. Install the Fax Server role.
B. Install the Print Server role service.
C. Update the Active Directory schema.
D. Set the functional level of the forest to Windows Server

Correct Answer: C
Section: Configuring File and Print Services
/Reference:
(...)

QUESTION 73
You have a server that runs Windows Server 2008 R2. You create a new quota template. You apply quotas to 100 folders by using the quota template. You need to modify the quota settings for all 100 folders. You must achieve this goal by using the minimum amount of administrative effort.

A. Modify the quota template.
B. Delete and recreate the quota template.
C. Create a new quota template. Modify the quota for each folder.
D. Create a file screen template. Apply the file screen template to the root of the volume that contains the folders.

Correct Answer: A
Section: Configuring File and Print Services
/Reference:
(...)

QUESTION 74
You have a file server that runs Windows Server 2008 R2. You configure quotas on the server. You need to view each user's quota usage on a per folder basis.

A. From File Server Resource Manager, create a File Screen.
B. From File Server Resource Manager, create a Storage Management report.
C. From the command prompt, run dirquota.exe quota list.
D. From the properties of each volume, review the Quota Entries list.

Correct Answer: B
Section: Configuring File and Print Services
/Reference:
(...)

QUESTION 75
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2008 R2. The topology of the Active Directory site is configured as shown in the exhibit. (Click the Exhibit button.) Server1 and Server2 host a Distributed File System (DFS) replica named \\contoso.com\dfs\folder1. You discover that client computers in Site3 and Site4 always contact Server1 when they access files in \\contoso.com\dfs\folder1. You need to ensure that client traffic from Site3 and Site4 is distributed between Server1 and Server2.
Exhibit:

A. From the properties of the \\contoso.com\dfs\folder1 folder, modify the Referrals settings.
B. From the properties of the \\contoso.com\dfs\folder1 folder, modify the Advanced settings.
C. From the properties of the \\contoso.com\dfs\ namespace, modify the Polling settings of the namespace.
D. From the properties of the \\contoso.com\dfs\ namespace, modify the Ordering Method of the namespace.

Correct Answer: D
Section: Configuring File and Print Services
/Reference:
Site3 and Site4 have a lower cost to connect with Server1 than with Server2, which is why they are always contacting it. We can configure DFS to use a different cost method from the Ordering Method tab of the namespace properties. Polling settings control how often the most recent information about a namespace is retrieved. We are not having problems with the staleness of namespace data. DFS referrals control whether or not a particular server is used in the namespace. Server2 is already participating in the namespace. The Advanced settings for a folder are used to configure the location and size of a folder.

QUESTION 76
Your network contains an Active Directory domain. You have 100 remote users who have client computers that run Windows 7. The client computers are joined to the domain. The corporate security policy states that users working offline must be denied access to the files on the corporate file servers. You need to configure the network to meet the following requirements:
Support the corporate security policy.
Minimize the amount of time it takes for remote users to access the files on the corporate file servers.
What should you enable?

A. Shadow Copies on the client computers
B. Shadow Copies on the corporate file servers
C. Transparent Caching on the client computers
D. Transparent Caching on the corporate file servers

Correct Answer: C
Section: Configuring File and Print Services
/Reference:
(...)

QUESTION 77
Your network contains a file server that runs Windows Server 2008 R2. You create a shared folder on the server. You need to ensure that an administrator is notified whenever a user saves .exe files to the shared folder.

A. Configure access-based enumeration (ABE).
B. Create a file screen.
C. Modify the NTFS permissions and the share permissions.
D. Create a soft quota.

Correct Answer: B
Section: Configuring File and Print Services
/Reference:
Create file screens to block files that belong to particular file groups from being saved on a volume or in a folder tree. A file screen affects all folders in the designated path. For example, you might create a file screen to prevent users from storing audio and video files in their personal folders on the server. You can configure File Server Resource Manager to generate e-mail or other notifications when a file screening event occurs.
Reference:
A soft quota is a disk quota limit that is not enforced but still notifies individuals when the limit has been reached. We do not need notifications on disk quotas, however. ABE is used to control which folders are shown on a file share. Only the folders a user has access to are displayed when browsing the share. NTFS and share permissions control who can access certain files, but do not let us set up notifications, and must be applied separately to each .exe file.
QUESTION 78
Your network contains a DNS server named DNS1 that runs Windows Server 2008 R2. You need to be notified by e-mail if the DNS service logs errors or warnings. The solution must minimize the number of notifications you receive.

A. Create an alert in Performance Monitor.
B. Run the Configure a DNS Server Wizard.
C. Select the DNS Server log from Event Viewer and attach a task to the log.
D. Create a custom view from Event Viewer and attach a task to the custom view.

Correct Answer: C
Section: Configuring File and Print Services
/Reference:
(...)

QUESTION 79
Your network contains a domain-based Distributed File System (DFS) namespace named \\contoso.com\dfs. \\contoso.com\dfs is configured to use Windows 2000 Server mode. The domain contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 is configured as a namespace server for \\contoso.com\dfs. You need to migrate \\contoso.com\dfs to Windows Server 2008 mode. You install the Distributed File System role service on Server2.
What should you do next?

A. Configure Server2 as a namespace server for \\contoso.com\dfs.
B. At the command prompt, run dfsutil root export \\contoso.com\dfs c:\dfs.xml.
C. At the command prompt, run dfsutil root adddom \\contoso.com\dfs v2.
D. Create a new shared folder named DFS on Server2.

Correct Answer: B
Section: Configuring File and Print Services
/Reference:
To migrate a domain-based namespace to Windows Server 2008 mode
1. Open a Command Prompt window and type the following command to export the namespace to a file, where \\domain\namespace is the name of the appropriate domain and namespace and path\filename is the path and file name of the export file:
dfsutil root export \\domain\namespace c:\filename.xml
Reference:
QUESTION 80
You manage a server named Server1 that runs Windows Server 2008 R2 Service Pack 1 (SP1). Server1 has the File Services server role installed. You have a file share named Share1. You need to ensure that any Microsoft Word files saved to Share1 that contain the word "confidential" are moved automatically to a folder named Confidential.
What should you configure in File Server Resource Manager? (Each correct answer presents part of the solution. Choose three.)

A. a classification rule
B. a file management task
C. a file screen
D. a file group
E. a classification property

Correct Answer: ABE
Section: Configuring File and Print Services
/Reference:
(...)

QUESTION 81
Your network contains an Active Directory domain. The domain contains a server that runs Windows Server 2008 R2. The server contains 10 shared folders. You need to be notified by e-mail when users save .mp3 files to the shared folders.
To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

Select and Place:
Correct Answer:
Section: Configuring File and Print Services
/Reference:
You can configure File Server Resource Manager to generate e-mail or other notifications when a file screening event occurs. (...) Passive screening monitors users saving specific file types and generates any configured notifications, but does not prevent users from saving files.
Reference:
MY NOTE: An active screen would prevent saving the .mp3 file, but we have not been asked for this functionality.

QUESTION 82
Your company has a single Active Directory forest that has a domain in North America named na.contoso.com and a domain in South America named sa.contoso.com. The client computers run Windows 7. You need to configure the client computers in the North America office to improve the name resolution response time for resources in the South America office.

A. Configure a new Group Policy object (GPO) that disables the Link-Local Multicast Name Resolution feature. Apply the policy to all the client computers in the North America office.
B. Configure a new Group Policy object (GPO) that enables the Link-Local Multicast Name Resolution feature. Apply the policy to all the client computers in the North America office.
C. Configure a new Group Policy object (GPO) that configures the DNS Suffix Search List option to sa.contoso.com, na.contoso.com. Apply the policy to all the client computers in the North America office.
D. Configure the priority value for the Service Location (SRV) records on each of the North America domain controllers to 5.

Correct Answer: C
Section: Configuring Name Resolution
/Reference:
(...)

QUESTION 83
Your company has two servers that run Windows Server 2008 R2 named Server2 and Server3. Both servers have the DNS Server server role installed. Server3 is configured to forward all DNS requests to Server2. You update a DNS record on Server2. You need to ensure that Server3 is able to immediately resolve the updated DNS record.

A. Run the dnscmd /clearcache command on Server3.
B. Run the ipconfig /flushdns command on Server3.
C. Decrease the Time-to-Live (TTL) on the Start of Authority (SOA) record of na.contoso.com to 15 minutes.
D. Increase the Retry Interval value on the Start of Authority (SOA) record of na.contoso.com to 15 minutes.

Correct Answer: A
Section: Configuring Name Resolution
/Reference:
The DNS record on Server2 has just changed, so we need to clear the cached copy on Server3 so that requests do not resolve to the old IP address. ipconfig /flushdns clears the resolver cache for a local client. dnscmd /clearcache clears the server cache. Because Server3 runs the DNS Server service, it does not hold the record in a client cache but resolves queries directly through the server. Therefore, we need to clear the server cache.
We are not having trouble finding authoritative results, so any modifications to the SOA record will not help. The Start of Authority (SOA) record declares the host that is the most authoritative for the zone and, as such, is the best source of DNS information for the zone.
Reference:

QUESTION 84
Your company has a server named Server1 that runs a Server Core installation of Windows Server 2008 R2, and the DNS Server server role. Server1 has one network interface named Local Area Connection. The static
IP address of the network interface is configured as You need to create a DNS zone named local.contoso.com on Server1.
Which command should you use?

A. ipconfig /registerdns:local.contoso.com
B. dnscmd Server1 /ZoneAdd local.contoso.com /DSPrimary
C. dnscmd Server1 /ZoneAdd local.contoso.com /Primary /file local.contoso.com.dns
D. netsh interface ipv4 set dnsserver name="local.contoso.com" static primary

Correct Answer: C
Section: Configuring Name Resolution
/Reference:
(...)

QUESTION 85
Your company has an Active Directory forest. All domain controllers run the DNS Server server role. The company plans to decommission the WINS service. You need to enable forest-wide single name resolution.

A. Enable WINS-R lookup in DNS.
B. Create Service Location (SRV) records for the single name resources.
C. Create an Active Directory-integrated zone named LegacyWINS. Create host (A) records for the single name resources.
D. Create an Active Directory-integrated zone named GlobalNames. Create host (A) records for the single name resources.

Correct Answer: D
Section: Configuring Name Resolution
/Reference:
Consider deploying a GlobalNames zone if: You are retiring WINS or you are planning to deploy only IPv6 in your environment, so that all name resolution will depend on DNS.
Reference:
WINS is being decommissioned, so we do not want to allow WINS servers to still provide name resolution. Similarly, we do not want to allow WINS-R (reverse WINS) lookups. SRV records tell clients where to find specific services. WINS services are being retired and the setup of DNS will have created the necessary SRV records to respond to client requests.

QUESTION 86
Your company has a single Active Directory domain. All servers run Windows Server 2008 R2. You install an additional DNS server that runs Windows Server 2008 R2.
You need to delete the pointer record for the IP address

A. Use DNS manager to delete the 127.in-addr.arpa zone.
B. Run the dnscmd /RecordDelete command at the command prompt.
C. Run the dnscmd /ZoneDelete 127.in-addr.arpa command at the command prompt.
D. Run the dnscmd /RecordDelete 10.in-addr.arpa PTR command at the command prompt.

Correct Answer: D
Section: Configuring Name Resolution
/Reference:
(...)

QUESTION 87
You are building a test environment to evaluate DNS Security Extensions (DNSSEC). You have a domain controller named Server1 that runs Windows Server 2008 R2 in your test environment. Server1 has the DNS Server server role installed. You need to configure Server1 to support the DNSSEC evaluation.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Create a new Quad-A (AAAA) DNS record.
B. Create a new Signature (SIG) DNS record.
C. Create a new Public key (KEY) DNS record.
D. Create a new Well-known service (WKS) DNS record.

Correct Answer: BC
Section: Configuring Name Resolution
/Reference:
KEY Description: Public key resource record. Contains a public key that is associated with a zone. In full DNSSEC implementation, resolvers and servers use KEY resource records to authenticate SIG resource records received from a signed zone.
SIG Description: Signature resource record. Encrypts an RRset to a signer's (RRset's zone owner) domain name and a validity interval.
WKS Description: Well-known service (WKS) resource record. Describes the well-known TCP/IP services supported by a particular protocol on a specific IP address.
AAAA Description: IPv6 host address (AAAA) resource record. Maps a DNS domain name to an Internet Protocol (IP)
version bit address.
Reference:

QUESTION 88
Your company has a main office and a branch office. The main office has a domain controller named DC1 that hosts a DNS primary zone. The branch office has a DNS server named SRV1 that hosts a DNS secondary zone. All client computers are configured to use their local server for DNS resolution. You change the IP address of an existing server named SRV2 in the main office. You need to ensure that SRV1 reflects the change immediately.

A. Restart the DNS Server service on DC1.
B. Run the dnscmd command by using the /zonerefresh option on DC1.
C. Run the dnscmd command by using the /zonerefresh option on SRV1.
D. Set the refresh interval to 10 minutes on the Start of Authority (SOA) record.

Correct Answer: C
Section: Configuring Name Resolution
/Reference:
(...)

QUESTION 89
Your company has a single Active Directory domain. The company has a main office and a branch office. Both offices have domain controllers that run Active Directory-integrated DNS zones. All client computers are configured to use the local domain controllers for DNS resolution. The domain controllers at the branch office location are configured as Read-Only Domain Controllers (RODC). You change the IP address of an existing server named SRV2 in the main office. You need the branch office DNS servers to reflect the change immediately.

A. Run the dnscmd /ZoneUpdateFromDs command on the branch office servers.
B. Run the dnscmd /ZoneUpdateFromDs command on a domain controller in the main office.
C. Change the domain controllers at the branch offices from RODCs to standard domain controllers.
D. Decrease the Minimum (default) TTL option to 15 minutes on the Start of Authority (SOA) record for the zone.

Correct Answer: A
Section: Configuring Name Resolution
/Reference:
(...)

QUESTION 90
Your network contains a DNS server named DNS1 that runs Windows Server 2008 R2.
You need to ensure that DNS1 only responds to DNS queries from computers that are located in the same subnet.
What should you configure?

A. Interfaces from DNS Manager
B. Security from DNS Manager
C. Trust Anchors
D. Windows Firewall

Correct Answer: D
Section: Configuring Name Resolution
/Reference:
If we want DNS1 to only respond to DNS queries from its local subnet, then we must configure a firewall rule on DNS1 that blocks all DNS traffic except from that subnet (in the rule's "scope"). The Interfaces tab of DNS Manager allows you to configure the server to only listen to requests from certain computers, but an IP is needed for each individual computer. This would be cumbersome to configure and maintain.
Reference:
The Security tab of DNS Manager is used to restrict the users/groups that are able to manage DNS services for the server. A trust anchor is a cryptographic key used in DNSSEC validation of zone data. We have not been told DNSSEC is being used, and it is only used to secure DNS data, not to restrict who can query it.
Reference:

QUESTION 91
Your network contains an Active Directory domain named contoso.com. The domain contains two sites named Site1 and Site2. The servers for the sites are configured as shown in the following table.
Server1 hosts a standard primary zone for contoso.com. Server2 hosts a secondary zone for contoso.com. You need to ensure that all DNS replication traffic between Server1 and Server2 is encrypted.

A. On Server1, configure DNSSEC for the contoso.com zone.
B. On Server1, convert the contoso.com zone to an Active Directory-integrated zone.
C. On each server, create Connection Security Rules.
D. On each server, enable Encrypting File System (EFS) encryption for the contoso.com.dns file.

Correct Answer: C
Section: Configuring Name Resolution
/Reference:
Zone replication can occur either by means of zone transfer or as part of Active Directory replication. If you do not secure zone replication, you run the risk of exposing the names and IP addresses of your computers to attackers. You can secure DNS zone replication by doing the following:
Using Active Directory replication.
Encrypting zone replication sent over public networks such as the Internet. (MY NOTE: This is what we need to do, as the servers are in separate sites so the traffic will travel over the internet.)
Restricting zone transfer to authorized servers.
(...)
Encrypt all replication traffic sent over public networks by using IPsec or VPN tunnels. (MY NOTE: This means we need to set up a Connection Security Rule on the VPN between the sites, which will specify that the traffic must be encrypted. None of the other options are related to IPsec or VPN.)
Reference:

QUESTION 92
Your network contains an Active Directory forest. The forest contains three domain trees. Each domain tree contains multiple domains. You have an Active Directory-integrated DNS zone. You install a Web server named Web1. All of the users in the company will use Web1. You need to ensure that the users can access Web1 by using the URL web1. You want to achieve this goal by using the minimum amount of administrative effort.

A. Configure a GlobalNames zone and add a Host (A) resource record for Web1.
B. Create an Alias (CNAME) resource record for Web1 in the forest root domain zone.
C. Create a reverse lookup zone and add an Alias (CNAME) resource record for Web1.
D. Create a Host Information (HINFO) resource record for Web1 in the forest root domain zone.

Correct Answer: A
Section: Configuring Name Resolution
/Reference:
A GlobalNames zone allows multiple domains in an environment to access a host or resource without needing to specify the DNS suffix.
A CNAME record allows us to specify an alternate host portion of the FQDN (in this case, something other than web1). A reverse lookup zone is used with PTR records to allow lookup of the host when given the IP. An HINFO record specifies the host/server's type of CPU and operating system.
Reference:

QUESTION 93
Your network contains two servers named Server1 and Server2 that run a Server Core installation of Windows Server Server1 and Server2 are configured as DNS servers.
Server1 has an IP address of Server2 has an IP address of Server1 contains a standard primary zone named contoso.com. Zone transfers are enabled for contoso.com. You need to ensure that Server2 hosts a copy of the contoso.com zone.
Which command should you run on Server2?

A. dnscmd /zoneadd contoso.com /primary
B. dnscmd /zoneadd contoso.com /primary
C. dnscmd /zoneadd contoso.com /secondary
D. dnscmd /zoneadd contoso.com /secondary

Correct Answer: C
Section: Configuring Name Resolution
/Reference:
Secondary zones are copies of primary zones, so we need to create a secondary zone on Server2. Of the commands specifying a new secondary zone, only one specifies as the address of the master zone to be copied from.
From Microsoft:
dnscmd /zoneadd
Adds a zone to the DNS server.
Syntax
dnscmd [<ServerName>] /zoneadd <ZoneName> <ZoneType> [/dp <FQDN> {/domain | /enterprise | /legacy}]
Reference:

QUESTION 94
Your network contains an Active Directory forest named contoso.com. Contoso.com contains three domain controllers that run Windows Server 2008 R2 and three domain controllers that run Windows Server All domain controllers are configured as DNS servers. You configure the contoso.com zone to use DNSSEC. You need to ensure that the zone only replicates to DNS servers that support DNSSEC.
What should you do first?

A. Modify the Notify settings of the contoso.com zone.
B. Create an application directory partition.
C. Move the contoso.com zone to the ForestDnsZones application directory partition.
D. Add a server certificate to the Windows Server 2003 DNS servers.

Correct Answer: B
Section: Configuring Name Resolution
/Reference:
(...)

QUESTION 95
Your network contains a DNS server that runs Windows Server 2008 R2 Service Pack 1 (SP1). You need to prevent the DNS server from accepting updates for cached resource records until the time-to-live (TTL) value of the cached resource records expires.
Which tool should you use? (Each correct answer presents a complete solution. Choose two.)

A. Server Manager
B. netsh
C. DNS Manager
D. regedit
E. dnscmd
F. dns

Correct Answer: DE
Section: Configuring Name Resolution
/Reference:
Cache locking is a new security feature available with Windows Server 2008 R2 that allows you to control whether or not information in the DNS cache can be overwritten. When a recursive DNS server responds to a query, it will cache the results obtained so that it can respond quickly if it receives another query requesting the same information. The period of time the DNS server will keep information in its cache is determined by the Time to Live (TTL) value for a resource record. Until the TTL period expires, information in the cache might be overwritten if updated information about that resource record is received.
To configure cache locking using a command line
1. Open an elevated command prompt.
2. Type the following command, and then press ENTER:
dnscmd /Config /CacheLockingPercent <percent>
3. Restart the DNS Server service.
To configure cache locking using the Windows interface
1. Click Start, click Run, type regedit.exe, and then press ENTER.
2. In Registry Editor, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters.
3. If the CacheLockingPercent registry key is not present, right-click Parameters, click New, click DWORD (32-bit) Value, and then type CacheLockingPercent for the name of the new registry key.
4. Double-click the CacheLockingPercent registry key.
5. Under Base, choose Decimal, under Value data type a value from 0 to 100 for the cache locking percent, and then click OK.
6. Close Registry Editor.
7.
Restart the DNS Server service. Reference: QUESTION 96 Your network contains an Active Directory forest. The forest contains a server named Server1.contoso.com. You need to ensure that all DNS clients can use DNS to resolve the single-label name of a server named Server1.

282 To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order. Select and Place: Correct Answer:

283 Section: Configuring Names Resolution /Reference: : What the scenario requires is a GlobalNamesZone, wherein all domains in the forest could use the single-label name of Server1 to resolve/access it's IP. Deploying a GlobalNames Zone Step 1: Create the GlobalNames zone Step 2: Enable GlobalNames zone support (...) dnscmd <ServerName> /config /enableglobalnamessupport 1 Step 3: Replicate the GlobalNames zone Step 4: Populate the GlobalNames zone For each server that you want to be able to provide single-label name resolution for, add an alias (CNAME) resource record to the GlobalNames zone. Reference: QUESTION 97 Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2008 R2. All client computers run Windows 7. You discover that users can use Encrypting File System (EFS) when the smart cards on their computers are removed. You need to prevent the users from accessing EFS-encrypted files when their smart cards are removed. From the EFS properties, you click Require a smart card for EFS.

284 What should you do next? A. Set the Elliptic Curve Cryptography to Allow. B. Set the Elliptic Curve Cryptography to Require. C. Disable the Allow delegating saved credentials setting. D. Disable the Create caching-capable user key from smart card option. Correct Answer: D Section: Configuring File and Print Services /Reference: Correct answer(s): D : QUESTION 98 Your network contains an Active Directory forest named contoso.com. The forest contains a server named Server1 that runs Windows Server 2008 R2 Service Pack 1 (SP1) Standard. The forest contains a server named Server2 that runs Windows Server 2008 R2 SP1 Enterprise. Server1 and Server2 have the Print and Document Services server role installed. You need to migrate the print queues, printer settings, printer ports, and language monitors from Server1 to Server2. Which tool should you use?

285 A. Printbrm B. Active Directory Users and Computers C. Active Directory Sites and Services D. Devices and Printers Correct Answer: A Section: (none) /Reference: : To migrate print servers by using a command prompt To open a Command Prompt window, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. Type: CD %WINDIR%\System32\Spool\Tools Printbrm -s \\<sourcecomputername> -b -f <filename>.printerexport Type: Printbrm -s \\<destinationcomputername> -r -f <filename>.printerexport Reference: QUESTION 99 Your company has a main office and a branch office. All servers are located in the main office. The network contains an Active Directory forest named adatum.com. The forest contains a domain controller named MainDC that runs Windows Server 2008 R2 Enterprise and a member server named FileServer that runs Windows Server 2008 R2 Standard. You have a kiosk computer named Public_Computer that runs Windows 7. Public_Computer is not connected to the network. You need to join Public_Computer to the adatum.com domain. To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order. Build List and Reorder:

286 Correct Answer: Section: (none) /Reference: Four major steps are required to join a computer to the domain by using offline domain join: 1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain. 2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file. 3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windows directory. 4. When you start or restart the computer, it will be a member of the domain. Reference: MS Press - Self-Paced Training Kit (Exam ) (2nd Edition, July 2012) pages 217, 218 QUESTION 100 A corporate network includes a single Active Directory Domain Services (AD DS) domain. The HR department has a dedicated organizational unit (OU) named HR. The HR OU has two sub-ous: HR Users and HR Computers. User accounts for the HR department reside in the HR Users OU. Computer accounts for the HR department reside in the HR Computers OU. All HR department employees belong to a security group named HR Employees. All HR department computers belong to a security group named HR PCs. Company policy requires that passwords are a minimum of 6 characters.


More information

MCSE Server Infrastructure. This Training Program prepares and enables learners to Pass Microsoft MCSE: Server Infrastructure exams

MCSE Server Infrastructure. This Training Program prepares and enables learners to Pass Microsoft MCSE: Server Infrastructure exams MCSE Server Infrastructure This Training Program prepares and enables learners to Pass Microsoft MCSE: Server Infrastructure exams 1. MCSE: Server Infrastructure / Exam 70-413 (Designing and Implementing

More information

Step-by-step installation guide for monitoring untrusted servers using Operations Manager

Step-by-step installation guide for monitoring untrusted servers using Operations Manager Step-by-step installation guide for monitoring untrusted servers using Operations Manager Most of the time through Operations Manager, you may require to monitor servers and clients that are located outside

More information

Windows Server 2016 Active Directory Certificate Services Lab Build

Windows Server 2016 Active Directory Certificate Services Lab Build Windows Server 2016 Active Directory Certificate Services Lab Build Prepared By: Jacob Lavender, Microsoft Premier Field Engineer Updated: 27 November 2017 This guide does not utilize a Capolicy.inf file

More information

MOC Configuring Advanced Windows Server 2012 Services

MOC Configuring Advanced Windows Server 2012 Services Windows Server Course - 20412 MOC 20412 - Configuring Advanced Windows Server 2012 Services Length 5 days Prerequisites Before attending this course, students must have: Experience working with Windows

More information

Microsoft Exam Questions & Answers

Microsoft Exam Questions & Answers Microsoft 70-412 Exam Questions & Answers Number: 70-412 Passing Score: 700 Time Limit: 150 min File Version: 12.3 http://www.gratisexam.com/ Microsoft 70-412 Exam Questions & Answers Exam Name: Configuring

More information

KillTest *KIJGT 3WCNKV[ $GVVGT 5GTXKEG Q&A NZZV ]]] QORRZKYZ IUS =K ULLKX LXKK [VJGZK YKX\OIK LUX UTK _KGX

KillTest *KIJGT 3WCNKV[ $GVVGT 5GTXKEG Q&A NZZV ]]] QORRZKYZ IUS =K ULLKX LXKK [VJGZK YKX\OIK LUX UTK _KGX KillTest Q&A Exam : 70-640 Title : Windows Server 2008 Active Directory. Configuring Version : Demo 1 / 28 1.You have a single Active Directory domain. All domain controllers run Windows Server 2008 and

More information

[MS20414]: Implementing an Advanced Server Infrastructure

[MS20414]: Implementing an Advanced Server Infrastructure [MS20414]: Implementing an Advanced Server Infrastructure Length : 5 Days Audience(s) : IT Professionals Level : 300 Technology : Windows Server Delivery Method : Instructor-led (Classroom) Course Overview

More information

Passleader Exam Name: Configuring Advanced Windows Server 2012 Services

Passleader Exam Name: Configuring Advanced Windows Server 2012 Services Passleader-70-412 Number: 70-412 Passing Score: 800 Time Limit: 120 min File Version: 1.0 http://www.gratisexam.com/ Vendor: Microsoft Exam Code: 70-412 Exam Name: Configuring Advanced Windows Server 2012

More information

Microsoft Certified Solution Associate Windows Server 2016 Training

Microsoft Certified Solution Associate Windows Server 2016 Training Microsoft Certified Solution Associate Windows Server 2016 Training INNOVATIVE ACADEMY s Best Microsoft Training in Bangalore is designed so Innovative to help you clear the Microsoft Certified Solution

More information

20414C: Implementing an Advanced Server Infrastructure

20414C: Implementing an Advanced Server Infrastructure 20414C: Implementing an Advanced Server Course Details Course Code: Duration: Notes: 20414C 5 days This course syllabus should be used to determine whether the course is appropriate for the students, based

More information

KNOWLEDGE SOLUTIONS. MIC2823 Implementing and Administering Security in a Microsoft Windows Server 2003 Network 5 Day Course

KNOWLEDGE SOLUTIONS. MIC2823 Implementing and Administering Security in a Microsoft Windows Server 2003 Network 5 Day Course Module 1: Planning and Configuring an Authorization and Authentication Strategy This module explains how to evaluate the infrastructure of your organization and create and document an authorization and

More information

This PDF Document was generated for free by the Aloaha PDF Suite If you want to learn how to make your own PDF Documents visit:

This PDF Document was generated for free by the Aloaha PDF Suite If you want to learn how to make your own PDF Documents visit: INSTALLING AND CONFIGURING A WINDOWS SERVER 2003 ENTERPRISE CERTIFICATION AUTHORITY Certification Authorities can issue certificates to users and computers for a variety of purposes. In the context of

More information

Microsoft Planning and Implementing Windows Server 2008

Microsoft Planning and Implementing Windows Server 2008 1800 ULEARN (853 276) www.ddls.com.au Microsoft 6433 - Planning and Implementing Windows Server 2008 Length 5 days Price $4290.00 (inc GST) Overview This five day course is intended for IT Professionals

More information

NetIQ Advanced Authentication Framework. Deployment Guide. Version 5.1.0

NetIQ Advanced Authentication Framework. Deployment Guide. Version 5.1.0 NetIQ Advanced Authentication Framework Deployment Guide Version 5.1.0 Table of Contents 1 Table of Contents 2 Introduction 3 About This Document 3 NetIQ Advanced Authentication Framework Deployment 4

More information

Copyright

Copyright This video will look at the different components that make up Active Directory Certificate Services and which services you should look at installing these components on. Which components to install where?

More information

ms-help://ms.technet.2004apr.1033/ad/tnoffline/prodtechnol/ad/windows2000/howto/mapcerts.htm

ms-help://ms.technet.2004apr.1033/ad/tnoffline/prodtechnol/ad/windows2000/howto/mapcerts.htm Page 1 of 8 Active Directory Step-by-Step Guide to Mapping Certificates to User Accounts Introduction The Windows 2000 operating system provides a rich administrative model for managing user accounts.

More information

Microsoft Windows Server 2008 Functionality Changes. Powered by Microsoft TechNet

Microsoft Windows Server 2008 Functionality Changes. Powered by Microsoft TechNet Microsoft Windows Server 2008 Functionality Changes Powered by Microsoft TechNet 2 Table of Contents Chapter 1 New in Active Directory Certificate Services... 3 Chapter 2 What's New in Active Directory

More information

MCSA Windows Server A Success Guide to Prepare- Microsoft Upgrading Your Skills to MCSA Windows Server edusum.

MCSA Windows Server A Success Guide to Prepare- Microsoft Upgrading Your Skills to MCSA Windows Server edusum. 70-417 MCSA Windows Server 2012 A Success Guide to Prepare- Microsoft Upgrading Your Skills to MCSA Windows Server 2012 edusum.com Table of Contents Introduction to 70-417 Exam on Upgrading Your Skills

More information

Forest Active Directory Schema Snap In 2008 R2

Forest Active Directory Schema Snap In 2008 R2 Forest Active Directory Schema Snap In 2008 R2 Missing When existing class and attribute definitions in the Active Directory schema do not meet In Windows Server 2008 and Windows Server 2008 R2, the directory

More information