Microsoft Exam Questions 70-640: Windows Server 2008 Active Directory - Configuring. Version: Demo


1. Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offline root CA and an online issuing CA. The Enterprise certification authority is running Windows Server 2008 R2. You need to ensure users are able to enroll new certificates.
A. Renew the Certificate Revocation List (CRL) on the root CA. Copy the CRL to the CertEnroll folder on the issuing CA.
B. Renew the Certificate Revocation List (CRL) on the issuing CA. Copy the CRL to the SystemCertificates folder in the users' profile.
C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.
D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client workstations.
Answer: A

Reference: http://social.technet.microsoft.com/wiki/contents/articles/2900.offline-root-certification-authority-ca.aspx
Offline Root Certification Authority (CA)
A root certification authority (CA) is the top of a public key infrastructure (PKI) and generates a self-signed certificate. This means that the root CA is validating itself (self-validating). This root CA could then have subordinate CAs that effectively trust it. The subordinate CAs receive a certificate signed by the root CA, so the subordinate CAs can issue certificates that are validated by the root CA. This establishes a CA hierarchy and trust path.

CA Compromise
If a root CA is in some way compromised (broken into, hacked, stolen, or accessed by an unauthorized or malicious person), then all of the certificates that were issued by that CA are also compromised. Since certificates are used for data protection, identification, and authorization, the compromise of a CA could compromise the security of an entire organizational network. For that reason, many organizations that run internal PKIs install their root CA offline. That is, the CA is never connected to the company network, which makes the root CA an offline root CA.

Make sure that you keep all CAs in secure areas with limited access. To ensure the reliability of your CA infrastructure, specify that any root and non-issuing intermediate CAs must be offline. A non-issuing CA is one that is not expected to provide certificates to client computers, network devices, and so on. This minimizes the risk of the CA private keys becoming compromised, which would in turn compromise all the certificates that were issued by the CA.

How do offline CAs issue certificates?
Offline root CAs can issue certificates to removable media (e.g. floppy disk, USB drive, CD/DVD), which is then physically transported to the subordinate CAs that need the certificate in order to perform their tasks. If the subordinate CA is a non-issuing intermediate that is offline, then it will also be used to generate a certificate, and that certificate will be placed on removable media. Each CA receives its authorization to issue certificates from the CA directly above it in the CA hierarchy. However, you can have multiple CAs at the same level of the CA hierarchy. Issuing CAs are typically online and used to issue certificates to client computers, network devices, mobile devices, and so on.

Do not join offline CAs to an Active Directory Domain Services domain
Since offline CAs should not be connected to a network, it does not make sense to join them to an Active Directory Domain Services (AD DS) domain, even with the Offline Domain Join option introduced with Windows 7 and Windows Server 2008 R2. Furthermore, installing an offline CA on a server that is a member of a domain can cause problems with the secure channel when you bring the CA back online after a long offline period. This is because the computer account password changes every 30 days. You can get around this problem and better protect your CA by making it a member of a workgroup instead of a domain. Since Enterprise CAs need to be joined to an AD DS domain, do not attempt to install an offline CA as a Windows Server Enterprise CA.

Reference: http://technet.microsoft.com/en-us/library/cc740209%28v=ws.10%29.aspx
Renewing a certification authority
A certification authority may need to be renewed for either of the following reasons:
* Change in the policy of certificates issued by the CA
* Expiration of the CA's issuing certificate

2. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to capture all replication errors from all domain controllers to a central location.
A. Start the Active Directory Diagnostics data collector set.
B. Start the System Performance data collector set.
C. Install Network Monitor and create a new capture.
D. Configure event log subscriptions.
Answer: D

Reference: http://technet.microsoft.com/en-us/library/cc748890.aspx
Configure Computers to Forward and Collect Events
Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source).

Reference: http://technet.microsoft.com/en-us/library/cc749183.aspx
Event Subscriptions
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers. Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.
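The following is an added example of the configuration behind answer D; it is not code from the exam dump or from the TechNet articles quoted above. It builds a collector-initiated subscription that pulls Critical and Error events from the Directory Service log of every domain controller into the collector's ForwardedEvents log. The host names, the subscription name and the event filter are assumptions; the subscription file layout follows the documented wecutil subscription schema.

```powershell
# Added example; not code from the exam dump or the TechNet articles it quotes.
# Part 1 runs once on each source domain controller, Part 2 runs once on the
# collector. Host names, subscription name and the event filter are assumptions.

$Collector = 'COLLECTOR01'                          # assumed collector host name
$SourceDCs = 'DC1.contoso.com', 'DC2.contoso.com'   # assumed source domain controllers

# --- Part 1: run on every source domain controller ---------------------------
function Enable-EventSourceDC {
    param([string]$CollectorMachineAccount)   # e.g. CONTOSO\COLLECTOR01$
    # WinRM is the transport the collector uses to read the remote log.
    winrm quickconfig -q
    # Least privilege: with "Default" credentials the collector reads the log as
    # its computer account, which only needs Event Log Readers, not Administrators.
    net localgroup 'Event Log Readers' $CollectorMachineAccount /add
}

# --- Part 2: run on the collector ---------------------------------------------
function New-ReplicationErrorSubscription {
    param([string]$Name = 'ADReplicationErrors')
    wecutil qc /q:true                 # start Wecsvc and set it to delayed auto-start

    $sources = ($SourceDCs | ForEach-Object {
        "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
    }) -join "`n"

    # The query keeps only Critical (1) and Error (2) events from the Directory
    # Service log, which is where NTDS replication failures are written.
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/02/wecutil">
  <SubscriptionId>$Name</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Replication errors from all domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Directory Service">*[System[(Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sources
  </EventSources>
</Subscription>
"@
    $path = Join-Path $env:TEMP "$Name.xml"
    Set-Content -Path $path -Value $xml -Encoding UTF8
    wecutil cs $path                   # create the subscription from the file
    wecutil gr $Name                   # runtime status: each source should report Active
}

# Usage:
#   on each DC:       Enable-EventSourceDC -CollectorMachineAccount 'CONTOSO\COLLECTOR01$'
#   on the collector: New-ReplicationErrorSubscription
#   then check:       Get-WinEvent -LogName ForwardedEvents -MaxEvents 20 |
#                         Format-Table TimeCreated, MachineName, Id, Message -AutoSize
```

The check to run after setup is wecutil gr: a source that stays in an error state almost always means either WinRM is not listening on that DC or the collector's computer account cannot read the Directory Service log. Widen the Level filter to include warnings (Level=3) if the early replication symptoms you care about are logged as warnings.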
Using the event collecting feature requires that you configure both the forwarding and the collecting computers. The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process.

Reference: http://technet.microsoft.com/enus/library/cc961808.aspx
Replication Issues

3. A user in a branch office of your company attempts to join a computer to the domain, but the attempt fails. You need to enable the user to join a single computer to the domain. You must ensure that the user is denied any additional rights beyond those required to complete the task.
A. Prestage the computer account in the Active Directory domain.

B. Add the user to the Domain Administrators group for one day.
C. Add the user to the Server Operators group in the Active Directory domain.
D. Grant the user the right to log on locally by using a Group Policy Object (GPO).
Answer: A

Reference: http://technet.microsoft.com/en-us/library/cc770832%28v=ws.10%29.aspx#bkmk_1
Prestaging Client Computers
Benefits of Prestaging Client Computers
Prestaging clients provides three main benefits:
An additional layer of security. You can configure Windows Deployment Services to answer only prestaged clients, therefore ensuring that clients that are not prestaged will not be able to boot from the network.
Additional flexibility. Prestaging clients increases flexibility by enabling you to control the following. For instructions on performing these tasks, see the Prestage Computers section of How to Manage Client Computers.
* The computer account name and location within AD DS.
* Which server the client should network boot from.
* Which network boot program the client should receive.
* Other advanced options, for example, what boot image a client will receive or what Windows Deployment Services client unattend file the client should use.
The ability for multiple Windows Deployment Services servers to service the same network segment. You can do this by restricting the server to answer only a particular set of clients. Note that the prestaged client must be in the same forest as the Windows Deployment Services server (trusted forests do not work).
Further information: http://www.windows-noob.com/forums/index.php?/topic/506-how-can-i-prestage-a-computer-for-wds/ (How can I prestage a computer for WDS?)

4. Your network consists of a single Active Directory domain. The domain contains 10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You plan to create a new Active Directory-integrated zone. You need to ensure that the new zone is only replicated to four of your domain controllers. What should you do first?
A. From the command prompt, run dnscmd and specify the /createdirectorypartition parameter.
B. Create a new delegation in the ForestDnsZones application directory partition.
C. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter.
D. Create a new delegation in the DomainDnsZones application directory partition.
Answer: A

Practically the same question as D/Q25 and K/Q17, different set of answers. To control which servers get a copy of the zone we have to store the zone in an application directory partition. That application directory partition must be created before we create the zone, otherwise it won't work. So that's what we have to do first. Directory partitions are also called naming contexts, and we can create one using ntdsutil. Here I tried to create a zone with dnscmd /zoneadd. It failed because the directory partition I wanted to use did not exist yet. To fix that I used ntdsutil to create the directory partition dc=venomous,dc=contoso,dc=com. Note that after creating it a new naming context had been added. Then, after a minute or two, I tried to create the new zone again, and this time it worked.
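The following is an added example of the whole procedure behind answer A, in the order the question asks about; it is not code from the exam dump or from the TechNet articles it quotes, and it uses dnscmd rather than the ntdsutil walkthrough above. The server names, the partition name and the four-of-ten choice of servers are assumptions; the zone name reuses the one from the explanation above. It also handles the failure mode described there: the zone cannot be created until the new partition has replicated.

```powershell
# Added example; not code from the exam dump or the TechNet articles it quotes.
# Creates a custom application directory partition, enlists exactly the DNS
# servers that should hold the zone, then creates the AD-integrated zone in it.
# Server names, the partition name and the zone name are assumptions.

$Partition = 'BranchDnsZones.contoso.com'    # assumed partition FQDN (DC=BranchDnsZones,DC=contoso,DC=com)
$Zone      = 'venomous.contoso.com'          # zone name from the walkthrough above
$ZoneHosts = 'DC1', 'DC2', 'DC3', 'DC4'      # assumed: the four DCs (of ten) that should hold the zone

function Wait-PartitionReplicated {
    # /enumdirectorypartitions lists every partition a DNS server knows about;
    # the new one shows up on the other DCs only after AD replication delivers
    # the cross-reference object, so poll until each target server lists it.
    param([string[]]$Servers, [string]$Name, [int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    foreach ($dc in $Servers) {
        while (-not ((dnscmd $dc /enumdirectorypartitions) -match [regex]::Escape($Name))) {
            if ((Get-Date) -gt $deadline) { throw "Partition $Name has not replicated to $dc yet" }
            Start-Sleep -Seconds 30
        }
    }
}

function New-ScopedDnsZone {
    # Step 1 (the "do first" part of the question): create the partition on one DC.
    # /createdirectorypartition also enlists the server it runs against.
    dnscmd $ZoneHosts[0] /createdirectorypartition $Partition

    # Step 2: wait for the partition to be visible on the other three, then enlist
    # them. A DC that is not enlisted never stores the partition, so it never
    # stores the zone either; the remaining six DCs stay out of scope.
    Wait-PartitionReplicated -Servers $ZoneHosts[1..3] -Name $Partition
    foreach ($dc in $ZoneHosts[1..3]) {
        dnscmd $dc /enlistdirectorypartition $Partition
    }

    # Step 3: create the zone inside that partition (/dp selects the partition).
    dnscmd $ZoneHosts[0] /zoneadd $Zone /dsprimary /dp $Partition

    # Verify: the zone reports its partition, and the partition lists four replicas.
    dnscmd $ZoneHosts[0] /zoneinfo $Zone
    dnscmd $ZoneHosts[0] /directorypartitioninfo $Partition /detail
}

# Usage (from an elevated prompt on a machine with the DNS tools installed):
#   New-ScopedDnsZone
```

The order matters for the reason the explanation gives: /enlistdirectorypartition and /zoneadd both fail on a server that has not yet replicated the new partition, which is why the example polls before enlisting instead of assuming the partition is immediately available everywhere.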

Explanation 1: http://technet.microsoft.com/en-us/library/cc725739.aspx
Store Data in an AD DS Application Partition
You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). An application directory partition is a data structure in AD DS that distinguishes data for different replication purposes. When you store a DNS zone in an application directory partition, you can control the zone replication scope by controlling the replication scope of the application directory partition.

Explanation 2: http://technet.microsoft.com/en-us/library/cc730970.aspx
Partition management
Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). This is a subcommand of Ntdsutil and Dsmgmt.
Examples
To create an application directory partition named AppPartition in the contoso.com domain, complete the following steps:
1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. Type: ntdsutil
3. Type: Ac in ntds
4. Type: partition management
5. Type: connections
6. Type: Connect to server DC_Name
7. Type: quit
8. Type: list
The following partitions will be listed:
0 CN=Configuration,DC=Contoso,DC=com
1 DC=Contoso,DC=com
2 CN=Schema,CN=Configuration,DC=Contoso,DC=com
3 DC=DomainDnsZones,DC=Contoso,DC=com
4 DC=ForestDnsZones,DC=Contoso,DC=com
9. At the partition management prompt, type: create nc dc=apppartition,dc=contoso,dc=com ConDc1.contoso.com
10. Run the list command again to refresh the list of partitions.

5. Your company has an Active Directory forest that contains two domains. The forest has universal groups that contain members from each domain. A branch office has a domain controller named DC1. Users at the branch office report that the logon process takes too long. You need to decrease the amount of time it takes for the branch office users to log on.
A. Configure DC1 as a Global Catalog server.
B. Configure DC1 as a bridgehead server for the branch office site.
C. Decrease the replication interval on the site link that connects the branch office to the corporate network.
D. Increase the replication interval on the site link that connects the branch office to the corporate network.
Answer: A

Reference: http://technet.microsoft.com/en-us/library/cc728188.aspx
What Is the Global Catalog?
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
In addition to configuration and schema directory partition replicas, every domain controller in a forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object. The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.

6. Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runs an Enterprise Root certification authority (CA). You need to ensure that only administrators can sign code. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted Publishers.
B. Modify the security settings on the template to allow only administrators to request code signing certificates.
C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only administrators to apply the policy.
D. Publish the code signing template.
Answer: B,D

Reference: http://techblog.mirabito.net.au/?p=297
Generating and working with code signing certificates
A code signing certificate is a security measure designed to assist in the prevention of malicious code execution. The intention is that code must be signed with a certificate that is trusted by the machine on which the code is executed.
The trust is verified by contacting the certification authority for the certificate, which could be either a local (on the machine itself, such as a self-signed certificate), internal (on the domain, such as an enterprise certification authority) or external certification authority (third party, such as Verisign or Thawte). For an Active Directory domain with an enterprise root certification authority, the enterprise root certification authority infrastructure is trusted by all machines that are a member of the Active Directory domain, and therefore any certificates issued by this certification authority are automatically trusted.

In the case of code signing, it may be necessary also for the issued certificate to be in the Trusted Publishers store of the local machine in order to avoid any prompts upon executing code, even if the certificate was issued by a trusted certification authority. Therefore, it is required to ensure that certificates are added to this store where user interaction is unavailable, such as running automated processes that call signed code.

A certificate can be assigned to a user or a computer, which will then be the publisher of the code in question. Generally, this should be the user, and the user will then become the trusted publisher. As an example, members of the development team in your organisation will probably each have their own code signing certificate, which would all be added to the Trusted Publishers store on the domain machines. Alternatively, a special domain account might exist specifically for signing code, although one of the advantages of code signing is to be able to determine the person who signed it.

7. Your company has an Active Directory domain named contoso.com. The company network has two DNS servers named DNS1 and DNS2. The DNS servers are configured as shown in the following table. Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to Internet Web sites. You need to enable Internet name resolution for all client computers.
A. Update the list of root hints servers on DNS2.
B. Create a copy of the .(root) zone on DNS1.
C. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.
D. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.
Answer: C

Reference: http://support.microsoft.com/kb/298148
How To Remove the Root Zone (Dot Zone)
When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone for the domain is created and a root zone, also known as a dot zone, is also created. This root zone may prevent access to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones other than those that are listed with DNS, and you cannot configure forwarders or root hint servers. For these reasons, you may have to remove the root zone.

8. Your company has an Active Directory domain. The main office has a DNS server named DNS1 that is configured with Active Directory-integrated DNS. The branch office has a DNS server named DNS2 that contains a secondary copy of the zone from DNS1. The two offices are connected with an unreliable WAN link. You add a new server to the main office. Five minutes after adding the server, a user from the branch office reports that he is unable to connect to the new server. You need to ensure that the user is able to connect to the new server.
A. Clear the cache on DNS2.
B. Reload the zone on DNS1.
C. Refresh the zone on DNS2.
D. Export the zone from DNS1 and import the zone to DNS2.
Answer: C
Old Answer: Refresh the zone on DNS2.

Reference: http://technet.microsoft.com/enus/library/cc794900%28v=ws.10%29.aspx
Adjust the Refresh Interval for a Zone
You can use this procedure to adjust the refresh interval for a Domain Name System (DNS) zone. The refresh interval determines how often other DNS servers that load and host the zone must attempt to renew the zone. By default, the refresh interval for each zone is set to 15 minutes.

Reference: http://blog.ijun.org/2008/11/difference-between-dnscmdclearcache.html
Difference between dnscmd /clearcache and ipconfig /flushdns
Q: Do "dnscmd /clearcache" and "ipconfig /flushdns" do the exact same thing on a Windows 2003 server? What is the difference, if any?
A: ipconfig /flushdns will flush the local computer cache, and dnscmd /clearcache will clear the DNS server cache. Meaning that with the first you will clear the "local" cache of the server you work on (even if it is the DNS server, it will NOT clear the DNS server cache), while with dnscmd you will clear the DNS server cache.

9. Your company has two Active Directory forests named contoso.com and fabrikam.com. The company network has three DNS servers named DNS1, DNS2, and DNS3. The DNS servers are configured as shown in the following table. All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server. All other computers use DNS1 as the preferred DNS server. Users from the fabrikam.com domain are unable to connect to the servers that belong to the contoso.com domain. You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries.
A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.
B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.
C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.
D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.

Answer: D

Reference: http://technet.microsoft.com/en-us/library/cc730756.aspx
Understanding Forwarders
A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network. The following figure illustrates how external name queries are directed with forwarders.

Conditional forwarders
A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

10. Your company has an Active Directory forest that contains a single domain. The domain member server has an Active Directory Federation Services (AD FS) role installed. You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain.
A. Add and configure a new account partner.
B. Add and configure a new resource partner.
C. Add and configure a new account store.
D. Add and configure a Claims-aware application.

Answer: C

Reference: http://technet.microsoft.com/en-us/library/cc732095.aspx
Understanding Account Stores
Active Directory Federation Services (AD FS) uses account stores to log on users and extract security claims for those users. You can configure multiple account stores for a single Federation Service. You can also define their priority. The Federation Service uses Lightweight Directory Access Protocol (LDAP) to communicate with account stores. AD FS supports the following two account stores:
* Active Directory Domain Services (AD DS)
* Active Directory Lightweight Directory Services (AD LDS)

11. ABC.com has a domain controller that runs Windows Server 2008. The ABC.com network boasts 40 Windows Vista client machines. As an administrator at ABC.com, you want to deploy Active Directory Certificate Services (AD CS) to authorize the network users by issuing digital certificates. What should you do to manage certificate settings on all machines in a domain from one main location?
A. Configure Enterprise CA certificate settings
B. Configure Enterprise trust certificate settings
C. Configure Advance CA certificate settings
D. Configure Group Policy certificate settings
E. All of the above
Answer: D

Reference: http://technet.microsoft.com/en-us/library/cc725911.aspx
AD CS: Policy Settings
In the Windows Server 2008 operating system, certificate-related Group Policy settings enable administrators to manage certificate validation settings according to the security needs of the organization.
What are certificate settings in Group Policy?
Certificate settings in Group Policy enable administrators to manage the certificate settings on all the computers in the domain from a central location.

12. Your network contains an Active Directory domain. The domain contains a server named Server1. Server1 runs Windows Server 2008 R2. You need to mount an Active Directory Lightweight Directory Services (AD LDS) snapshot from Server1.

A. Run ldp.exe and use the Bind option.
B. Run diskpart.exe and use the Attach option.
C. Run dsdbutil.exe and use the snapshot option.
D. Run imagex.exe and specify the /mount parameter.
Answer: C

Reference: http://technet.microsoft.com/en-us/library/cc753151%28v=ws.10%29.aspx
Dsdbutil
Performs database maintenance of the Active Directory Domain Services (AD DS) store, facilitates configuration of Active Directory Lightweight Directory Services (AD LDS) communication ports, and views AD LDS instances that are installed on a computer.
Commands
snapshot: Manages snapshots.

Reference: http://technet.microsoft.com/enus/library/cc731620%28v=ws.10%29.aspx
snapshot
Manages snapshots of the volumes that contain the Active Directory database and log files, which you can view on a domain controller without starting in Directory Services Restore Mode (DSRM). You can also run the snapshot subcommand on an Active Directory Lightweight Directory Services (AD LDS) server. This is a subcommand of Ntdsutil and Dsdbutil. Ntdsutil and Dsdbutil are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2.
Syntax
activate instance %s [create] [delete %s] [unmount %s] [list all] [list mounted] [mount %s] [quit]
Parameters
mount %s: Mounts a snapshot with GUID %s. You can refer to an index number of any mounted snapshot instead of its GUID.

13. Your network contains an Active Directory domain. The domain is configured as shown in the following table. Users in Branch2 sometimes authenticate to a domain controller in Branch1. You need to ensure that users in Branch2 only authenticate to the domain controllers in Main.
A. On DC3, set the AutoSiteCoverage value to 0.
B. On DC3, set the AutoSiteCoverage value to 1.
C. On DC1 and DC2, set the AutoSiteCoverage value to 0.
D. On DC1 and DC2, set the AutoSiteCoverage value to 1.

Answer: A
AutoSiteCoverage (a DWORD under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) controls whether a domain controller registers site-specific SRV records on behalf of nearby sites that have no domain controller of their own. Setting it to 0 on DC3, the domain controller that has been covering Branch2, stops that registration, so Branch2 clients locate the domain controllers in Main instead.

14. You want users to log on to Active Directory by using a new user principal name (UPN). You need to modify the UPN suffix for all user accounts. Which tool should you use?
A. Dsmod
B. Netdom
C. Redirusr
D. Active Directory Domains and Trusts
Answer: A
The suffix itself is registered for the forest in Active Directory Domains and Trusts (D); assigning the new UPN to each account is done with dsmod user -upn.
http://technet.microsoft.com/en-us/library/cc732954%28v=ws.10%29.aspx
Dsmod user
dsmod user -upn <UPN>
Specifies the user principal names (UPNs) of the users that you want to modify, for example, Linda@widgets.contoso.com.

15. Your company asks you to implement Windows CardSpace in the domain. You want to use Windows CardSpace at home. Your home and office computers run Windows Vista Ultimate. What should you do to create a backup copy of your Windows CardSpace cards for use at home?
A. Log on with your administrator account and copy the \Windows\ServiceProfiles folder to your USB drive
B. Back up the \Windows\Globalization folder by using the Backup Status and Configuration tool and save the folder on your USB drive
C. Back up the system state data by using the Backup Status and Configuration tool to your USB drive
D. Use the Windows CardSpace application to back up the cards to your USB drive
E. Reformat the C: drive
F. None of the above
Answer: D

http://windows.microsoft.com/en-us/windows7/windows-cardspace-for-itpros#BKMK_HowdoIbackupmycardsortransferthemtoanothercomputer
Windows CardSpace for IT pros
Microsoft Windows CardSpace is a system for creating relationships with websites and online services. Windows CardSpace provides a consistent way for:
Sites to request information from you.
You to review the identity of a site.
You to manage your information by using Information Cards.
You to review card information before you send it.
Windows CardSpace can replace the user names and passwords that you use to register with and log on to websites and online services.
How do I back up my cards or transfer them to another computer?
Cards are stored on your computer in an encrypted format. To save a backup file containing some or all of your cards, or to use a card on a different computer, you can save cards to a backup card file.
To back up your cards:
1. Start Windows CardSpace.
2. View all your cards.
3. In the pane on the right of your screen, click Back up cards.
4. Select the cards that you want to back up.
5. Browse to the folder where you want to save the backup card file, and then give it a name.
When you complete these steps, you save a file containing some or all of your cards. You can copy the backup card file to media such as a Universal Serial Bus (USB) storage device, CD, or other digital media. You can restore the backup card file on this computer or on another computer.
To restore your cards:
1. Save the backup card file to the computer.
2. Browse to the location of the file on the computer.
3. Double-click the file, and then follow the instructions to restore the cards.
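For question 12 above, the following is an added worked example, not code from the exam dump or from Microsoft: it drives the dsdbutil snapshot subcommand non-interactively to create and mount an AD LDS snapshot, serves the mounted copy with dsamain on a separate LDAP port, and then tears it down. The instance name "instance1", its data folder, the LDAP port 51389 and the exact wording of the dsdbutil output lines that are parsed are assumptions.

```powershell
# Added example, not part of the exam dump: create, mount and browse an AD LDS
# snapshot with dsdbutil and dsamain on Windows Server 2008 R2, then clean up.
# Run in an elevated PowerShell on the AD LDS server. Assumed (hypothetical)
# names: instance "instance1" with its data folder under
# C:\Program Files\Microsoft ADAM\instance1\data; LDAP port 51389 is free.
$instance = 'instance1'
$dataPath = 'C:\Program Files\Microsoft ADAM\instance1\data'
$ldapPort = 51389

# 1. Create a snapshot. dsdbutil takes its subcommands as arguments, so this is
#    the non-interactive form of: activate instance instance1 / snapshot / create / quit / quit.
#    The GUID is parsed from the "Snapshot set {GUID} generated successfully." line
#    (output wording as seen on 2008 R2; treat it as an assumption elsewhere).
$createOutput = dsdbutil "activate instance $instance" snapshot create quit quit
$guid = ($createOutput | Select-String -Pattern 'Snapshot set \{([0-9A-Fa-f-]{36})\}' |
         ForEach-Object { $_.Matches[0].Groups[1].Value }) | Select-Object -First 1
if (-not $guid) { throw "Snapshot creation failed:`n$($createOutput -join "`n")" }

# 2. Mount it. The mount point is reported as
#    "Snapshot {GUID} mounted as C:\$SNAP_<timestamp>_VOLUMEC$\".
$mountOutput = dsdbutil snapshot "mount {$guid}" quit quit
$mountPoint = ($mountOutput | Select-String -Pattern 'mounted as (.+)$' |
               ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }) | Select-Object -First 1
if (-not $mountPoint) { throw "Mount failed:`n$($mountOutput -join "`n")" }

# 3. Expose the snapshot copy as a read-only LDAP server on its own port.
#    Inside the mounted snapshot the database sits at the same relative path as live.
$relativeDb = ($dataPath -replace '^[A-Za-z]:\\', '') + '\adamntds.dit'
$snapDb  = Join-Path $mountPoint $relativeDb
$dsamain = Start-Process dsamain -ArgumentList "-dbpath `"$snapDb`" -ldapport $ldapPort" -PassThru
"Snapshot {$guid} mounted at $mountPoint; browse it with ldp.exe or ldifde -s localhost:$ldapPort"

# 4. When finished: stop dsamain, unmount and delete the snapshot. A mounted
#    snapshot is a complete copy of the directory readable by anyone who can
#    reach the path, so do not leave it mounted. Uncomment to run:
# Stop-Process -Id $dsamain.Id
# dsdbutil snapshot "unmount {$guid}" "delete {$guid}" quit quit
```

The same sequence works against AD DS with ntdsutil (activate instance ntds, and ntds.dit under \Windows\NTDS), which is why the exam reference describes snapshot as a subcommand of both tools.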
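For question 14 above, the following is an added example, not code from the exam dump: it registers a new UPN suffix on the forest and then rewrites the UPN of every user in an OU, refusing to create duplicates, using the Active Directory module that ships with Windows Server 2008 R2. The suffix corp.example and the OU distinguished name are hypothetical.

```powershell
# Added example, not part of the exam dump: register a new UPN suffix for the
# forest and rewrite the UPN of every user in an OU to use it, with the Active
# Directory module on Windows Server 2008 R2. Assumed (hypothetical) names:
# suffix corp.example and OU "OU=Staff,DC=contoso,DC=com".
Import-Module ActiveDirectory

$newSuffix  = 'corp.example'
$searchBase = 'OU=Staff,DC=contoso,DC=com'

# 1. Register the suffix on the forest (what Active Directory Domains and Trusts
#    does in the GUI). dsmod and Set-ADUser will write any UPN you give them, but
#    an unregistered suffix is not offered in ADUC and, for a forest trust created
#    earlier, is not routed to the other forest until the trust's name suffixes
#    are refreshed.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $newSuffix }
}

# 2. Rewrite each account's UPN as <sAMAccountName>@<suffix>. UPNs must be
#    unique across the forest, so refuse to create a duplicate.
$changed = @()
foreach ($u in Get-ADUser -Filter * -SearchBase $searchBase) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $newSuffix
    if ($u.UserPrincipalName -eq $newUpn) { continue }
    $clash = Get-ADUser -Filter "userPrincipalName -eq '$newUpn'" |
             Where-Object { $_.DistinguishedName -ne $u.DistinguishedName }
    if ($clash) {
        Write-Warning "Skipping $($u.SamAccountName): $newUpn already belongs to $($clash.DistinguishedName)"
        continue
    }
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf   # remove -WhatIf to apply
    $changed += $newUpn
}
"{0} account(s) would be updated" -f $changed.Count

# Per-account equivalent with the tool named in the answer:
#   dsmod user "CN=Linda,OU=Staff,DC=contoso,DC=com" -upn linda@corp.example
```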

16. Your network contains an Active Directory Rights Management Services (AD RMS) cluster. You have several custom policy templates. The custom policy templates are updated frequently. Some users report that it takes as many as 30 days to receive the updated policy templates. You need to ensure that users receive the updated custom policy templates within seven days.
A. Modify the registry on the AD RMS servers.
B. Modify the registry on the users' computers.
C. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task.
D. Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task.
Answer: B
http://technet.microsoft.com/en-us/library/cc771971.aspx
Configuring the AD RMS client
The automated scheduled task does not query the AD RMS template distribution pipeline each time it runs. Instead, it checks the updatefrequency DWORD registry entry. This registry entry specifies the interval (in days) after which the client should update its rights policy templates. By default the registry entry is not present on the client computer; in that case the client checks for new, deleted, or modified rights policy templates every 30 days. To configure an interval other than 30 days, create a registry entry at the following location:
HKEY_CURRENT_USER\Software\Policies\Microsoft\MSDRM\TemplateManagement
In this registry key you can also configure updateiflastupdatedbeforetime, which forces the client computer to update its rights policy templates.

17. You have a DNS zone that is stored in a custom application directory partition. You install a new domain controller. You need to ensure that the custom application directory partition replicates to the new domain controller. What should you use?
A. the Active Directory Administrative Center console
B. the Active Directory Sites and Services console
C. the DNS Manager console
D. the Dnscmd tool

Answer: D
http://technet.microsoft.com/en-us/library/cc772069.aspx
dnscmd /enlistdirectorypartition
Adds the DNS server to the specified directory partition's replica set.

18. You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates. Users are required to log on to the domain by using a smart card. Your company's corporate security policy states that when an employee resigns, his ability to log on to the network must be immediately revoked. An employee resigns. You need to immediately prevent the employee from logging on to the domain.
A. Revoke the employee's smart card certificate.
B. Disable the employee's Active Directory account.
C. Publish a new delta certificate revocation list (CRL).
D. Reset the password for the employee's Active Directory account.
Answer: B
A disabled account is refused by the domain controller at the next authentication attempt. Revoking the certificate (A) or publishing a delta CRL (C) takes effect only after clients and domain controllers refresh their cached CRLs, and resetting the password (D) does nothing against smart card logon, which does not use the password.
http://blog.imanami.com/blog/bid/68864/delete-or-disable-an-active-directory-account-one-best-practice
Delete or disable an Active Directory account? One best practice.
I was recently talking to a customer about the best practice for deprovisioning a terminated employee in Active Directory. Delete or disable? Microsoft doesn't give the clearest direction on this, but common sense does. The case for deleting an account is that, BOOM, no more access. No ifs, ands, or buts: if there is no account it cannot do anything. The case for disabling an account is that all of the SIDs are still attached to the account and you can bring it back and get the same access right away. And then the reason for MSFT's lack of direction came into play: individual needs of the customer. This particular customer is a public school system and they often lay off an employee and have to re-hire them the next month or semester. They need that account back.

19. Your network contains an Active Directory domain named contoso.com. The contoso.com DNS zone is stored in Active Directory. All domain controllers run Windows Server 2008 R2. You need to identify whether all of the DNS records used for Active Directory replication are correctly registered.

A. From the command prompt, use netsh.exe.
B. From the command prompt, use dnslint.exe.
C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.
D. From the Active Directory Module for Windows PowerShell, run the Get-ADDomainController cmdlet.
Answer: B
http://technet.microsoft.com/en-us/library/dd197560.aspx
Dnslint.exe
DNSLint is a Microsoft Windows tool that can be used to help diagnose common DNS name resolution issues. It can be targeted to look for specific DNS record sets and ensure that they are consistent across multiple DNS servers. It can also be used to verify that DNS records used specifically for Active Directory replication are correct.

20. Your network contains two Active Directory forests. One forest contains two domains named contoso.com and na.contoso.com. The other forest contains a domain named nwtraders.com. A forest trust is configured between the two forests. You have a user named User1 in the na.contoso.com domain. User1 reports that he fails to log on to a computer in the nwtraders.com domain by using the user name NA\User1. Other users from na.contoso.com report that they can log on to the computers in the nwtraders.com domain. You need to ensure that User1 can log on to the computer in the nwtraders.com domain.
A. Enable selective authentication over the forest trust.
B. Create an external one-way trust from na.contoso.com to nwtraders.com.
C. Instruct User1 to log on to the computer by using his user principal name (UPN).
D. Instruct User1 to log on to the computer by using the user name nwtraders\user1.
Answer: C
http://apttech.wordpress.com/2012/02/29/what-is-upn-and-why-to-use-it/
What is UPN and why to use it?
UPN or User Principal Name is a logon method of authentication when you enter the credentials as username@domainname.com instead of the Windows authentication method domainname\username. So UPN is basically a suffix that is added after a username, which can be used in place of the sAMAccountName to authenticate a user. So let's say your company is called ABC; then instead of ABC\Username you can use username@abc.com at the authentication popup. An additional UPN suffix can help users simplify the logon information in long domain names with an easier name. Example: instead of "username@this.is.my.long.domain.name.in.atlanta.com", change it to "username@atlanta" if you create a UPN suffix called Atlanta.
http://blogs.technet.com/b/mir/archive/2011/06/12/accessing-resources-acrossforest-and-achieve-single-signon-part1.aspx
Accessing Resources across forest and achieve Single Sign ON (Part1)
http://technet.microsoft.com/en-us/library/cc772808%28v=ws.10%29.aspx
Accessing resources across forests
When a forest trust is first established, each forest collects all of the trusted namespaces in its partner forest and stores the information in a TDO. Trusted namespaces include domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces used in the other forest. TDO objects are replicated to the global catalog.
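For question 16 above, the following is an added example, not code from the exam dump or from Microsoft: it creates the per-user updatefrequency value the AD RMS client reads and then checks that the Automated scheduled task that consumes it is enabled. The scheduled-task path is the one used on Windows 7 and is an assumption for other client versions; for a fleet, the same value would be delivered through a Group Policy Preferences Registry item rather than run by hand.

```powershell
# Added example, not part of the exam dump: make the AD RMS client on a user's
# computer refresh rights policy templates every 7 days instead of 30. The key
# is per-user (HKCU), so run this as that user or deliver the same value with a
# Group Policy Preferences Registry item. The scheduled-task path below is the
# Windows 7 one and is an assumption for other client versions.
$key  = 'HKCU:\Software\Policies\Microsoft\MSDRM\TemplateManagement'
$task = '\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)'
$days = 7

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name updatefrequency -Value $days -Type DWord

# Verify: the value the Automated task will read, and whether that task is
# enabled at all (the interval is meaningless if the task never runs).
$cfg = Get-ItemProperty -Path $key -Name updatefrequency
"updatefrequency = {0} day(s)" -f $cfg.updatefrequency
schtasks /Query /TN $task /FO LIST | Select-String -Pattern '^(TaskName|Status|Next Run Time)'
```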
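For questions 17 and 19 above, the following is an added example, not code from the exam dump or from Microsoft: it enlists a newly promoted domain controller's DNS server in a custom application directory partition with dnscmd, confirms the replica set, and then runs DNSLint against every domain controller to check the records Active Directory replication depends on. The names DC4.contoso.com and DnsCustomPartition.contoso.com are hypothetical; DNSLint is a separate Microsoft download and is assumed to be on the PATH.

```powershell
# Added example, not part of the exam dump, covering questions 17 and 19: enlist
# a newly promoted domain controller's DNS server in a custom application
# directory partition with dnscmd, then check the Active Directory DNS records
# of every DC with DNSLint. Assumed (hypothetical) names: new DC DC4.contoso.com
# and partition DnsCustomPartition.contoso.com. DNSLint is a separate Microsoft
# download and must be on the PATH.
Import-Module ActiveDirectory

$newDc     = 'DC4.contoso.com'
$partition = 'DnsCustomPartition.contoso.com'

# 1. Partitions the new DNS server already knows about; partitions it is not yet
#    a member of are flagged as such in the listing.
dnscmd $newDc /EnumDirectoryPartitions

# 2. Add the server to the partition's replica set; the zone then replicates to it.
dnscmd $newDc /EnlistDirectoryPartition $partition

# 3. Confirm the replica set now includes the new DC.
dnscmd $newDc /DirectoryPartitionInfo $partition

# 4. Check the _msdcs SRV and CNAME records replication relies on. /ad points
#    DNSLint at a DC to read the replication partners over LDAP, /s at a DNS
#    server authoritative for _msdcs.contoso.com; /v is verbose, /r names the
#    HTML report, /y overwrites it and /no_open keeps it from opening a browser.
$dnsServer = (Get-ADDomainController -Discover -Service PrimaryDC).IPv4Address
foreach ($dc in Get-ADDomainController -Filter *) {
    dnslint /ad $dc.IPv4Address /s $dnsServer /v /y /no_open /r "dnslint-$($dc.Name)"
}
```

Each report lists, per domain controller, the GUID-based CNAME under _msdcs and the SRV records it expects, so a DC whose records never registered (or registered on a stale DNS server) stands out as a missing or inconsistent entry.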
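For question 18 above, the following is an added example, not code from the exam dump or from Microsoft: it performs the immediate step (disabling the account) first and then the follow-up that closes the certificate path (revoking the smart card logon certificate on the issuing CA and publishing a fresh CRL). The user name jdoe, the CA configuration string CA1\contoso-SubCA and the assumption that the smart card template publishes issued certificates to the account's userCertificate attribute are all hypothetical.

```powershell
# Added example, not part of the exam dump: deprovision an employee who logs on
# with a smart card. Disabling the account is the step that is immediate; the
# certificate is then revoked and a fresh CRL published so the credential is
# also dead once cached CRLs expire. Assumed (hypothetical) names: user jdoe,
# issuing CA "CA1\contoso-SubCA".
Import-Module ActiveDirectory

$caConfig = 'CA1\contoso-SubCA'
$user = Get-ADUser -Identity 'jdoe' -Properties userCertificate

# 1. Immediate: the next logon, by password or smart card, is refused by the DC.
Disable-ADAccount -Identity $user
Set-ADUser -Identity $user -Description ('Disabled {0:yyyy-MM-dd}: employee resigned' -f (Get-Date))

# 2. Find the smart card logon certificates published on the account
#    (EKU 1.3.6.1.4.1.311.20.2.2). If the template does not publish to AD,
#    look them up in the CA database instead, e.g.
#    certutil -config CA1\contoso-SubCA -view -restrict "RequesterName=CONTOSO\jdoe"
$smartCardOid = '1.3.6.1.4.1.311.20.2.2'
$serials = foreach ($raw in $user.userCertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    $eku  = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $smartCardOid })) {
        $cert.SerialNumber
    }
}

# 3. Revoke them (reason 5 = CessationOfOperation) and publish a new CRL.
foreach ($serial in $serials) {
    certutil -config $caConfig -revoke $serial 5
}
certutil -config $caConfig -CRL
```

Keeping the account disabled rather than deleted preserves its SID and group memberships, which is the trade-off the blog post quoted in the answer describes.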

70-640 Exam Questions Demo