Vendor: 70-640(true) Exam Code: TS: Windows Server 2008 Active Directory, Configuring Exam Name: Microsoft Version:

3.00

: A
1: Your company has an Active Directory domain. The company has two domain controllers named DC1 and DC2. DC1 holds the schema master role. DC1 fails. You log on to Active Directory by using the administrator account. You are not able to transfer the schema master role. You need to ensure that DC2 holds the schema master role. What should you do? A.Register the Schmmgmt.dll. Start the Active Directory Schema snap-in. B.Configure DC2 as a bridgehead server. C.On DC2, seize the schema master role. D.Log off and log on again to Active Directory by using an account that is a member of the Schema Admins group. Start the Active Directory Schema snap-in. Correct Answers: C Explanation: 2: Your company has a single Active Directory domain. All domain controllers run Windows Server 2003. You install Windows Server 2008 on a server. You need to add the new server as a domain controller in your domain. What should you do first? A.On the new server, run dcpromo /adv. B.On the new server, run dcpromo /createdcaccount. C.On a domain controller run adprep /rodcprep. D.On a domain controller, run adprep /forestprep. Correct Answers: D Explanation: 3: Your company has an Active Directory forest that contains only Windows Server 2003 domain controllers. You need to prepare the Active Directory domain to install Windows Server 2008 domain controllers. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

 A.Run the adprep /forestprep command. B.Run the adprep /domainprep command. C.Raise the forest functional level to Windows Server 2008. D.Raise the domain functional level to Windows Server 2008. Correct Answers: A B 4: You have an existing Active Directory site named Site1. You create a new Active Directory site and name it Site2. You need to configure Active Directory replication between Site1 and Site2. You install a new domain controller. You create the site link between Site1 and Site2. What should you do next? A.Use the Active Directory Sites and Services console to configure a new site link bridge object. B.Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2. C.Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new domain controller object to Site2. D.Use the Active Directory Sites and Services console to configure the new domain controller as a preferred bridgehead server for Site1. Correct Answers: C Explanation: 5: You are decommissioning domain controllers that hold all forest-wide operations master roles. You need to transfer all forest-wide operations master roles to another domain controller. Which two roles should you transfer? (Each correct answer presents part of the solution. Choose two.) A.RID master B.PDC emulator C.Schema master D.Infrastructure master E.Domain naming master

Correct Answers: C E 6: Your company, Contoso, Ltd., has offices in North America and Europe. Contoso has an Active Directory forest that has three domains. You need to reduce the time required to authenticate users from the labs.eu.contoso.com domain when they access resources in the eng.na.contoso.com domain. What should you do? A.Decrease the replication interval for all Connection objects. B.Decrease the replication interval for the DEFAULTIPSITELINK site link. C.Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com. D.Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com. Correct Answers: C Explanation: 7: Your company has an Active Directory forest. Not all domain controllers in the forest are configured as Global Catalog Servers. Your domain structure contains one root domain and one child domain. You modify the folder permissions on a file server that is in the child domain. You discover that some Access Control entries start with S-1-5-21 and that no account name is listed. You need to list the account names. What should you do? A.Move the RID master role in the child domain to a domain controller that holds the Global Catalog. B.Modify the schema to enable replication of the friendlynames attribute to the Global Catalog. C.Move the RID master role in the child domain to a domain controller that does not hold the Global Catalog. D.Move the infrastructure master role in the child domain to a domain controller that does not hold the Global Catalog. Correct Answers: D Explanation: 8: Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directory domain named intranet.fabrikam.com. Fabrikams security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network. You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain. What should you do?

A.Create a new stub zone for the intranet.fabrikam.com domain. B.Configure conditional forwarding for the intranet.fabrikam.com domain. C.Create a standard secondary zone for the intranet.fabrikam.com domain. D.Create an Active Directoryintegrated zone for the intranet.fabrikam.com domain. Correct Answers: B Explanation: 9: Your company has a branch office that is configured as a separate Active Directory site and has an Active Directory domain controller. The Active Directory site requires a local Global Catalog server to support a new application. You need to configure the domain controller as a Global Catalog server. Which tool should you use? A.The Dcpromo.exe utility B.The Server Manager console C.The Computer Management console D.The Active Directory Sites and Services console E.The Active Directory Domains and Trusts console Correct Answers: D Explanation: 10: Your company has an Active Directory domain named contoso.com. The company network has two DNS servers named DNS1 and DNS2. The DNS servers are configured as shown in the following table.

Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to Internet Web sites. You need to enable Internet name resolution for all client computers.

What should you do? A.Create a copy of the .(root) zone on DNS1. B.Update the list of root hints servers on DNS2. C.Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1. D.Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2. Correct Answers: D Explanation: 11: Your company has an organizational unit named Production. The Production organizational unit has a child organizational unit named R&D. You create a GPO named Software Deployment and link it to the Production organizational unit. You create a shadow group for the R&D organizational unit. You need to deploy an application to users in the Production organizational unit. You also need to ensure that the application is not deployed to users in the R&D organizational unit. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) A.Configure the Enforce setting on the software deployment GPO. B.Configure the Block Inheritance setting on the R&D organizational unit. C.Configure the Block Inheritance setting on the Production organizational unit. D.Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group. Correct Answers: B D 12: Your companys security policy requires complex passwords. You have a comma delimited file named import.csv that contains user account information. You need to create user accounts in the domain by using the import.csv file. You also need to ensure that the new user accounts are set to use default passwords and are disabled. What should you do? A.Modify the userAccountControl attribute to disabled. Run the csvde i k f import.csv command. Run the DSMOD utility to set default passwords for the user accounts. B.Modify the userAccountControl attribute to accounts disabled. Run the csvde f import.csv command. Run the DSMOD utility to set default passwords for the user accounts.

C.Modify the userAccountControl attribute to disabled. Run the wscript import.csv command. Run the DSADD utility to set default passwords for the imported user accounts. D.Modify the userAccountControl attribute to disabled. Run the ldifde i f import.csv command. Run the DSADD utility to set passwords for the imported user accounts. Correct Answers: A Explanation: 13: Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008. The Audit account management policy setting and Audit directory services access setting are enabled for the entire domain. You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes. What should you do? A.Enable the Audit account management policy in the Default Domain Controller Policy. B.Run auditpol.exe and then configure the Security settings of the Domain Controllers OU. C.Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy. D.From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes. Correct Answers: B Explanation: 14: Your company has an Active Directory domain. A user attempts to log on to the domain from a client computer and receives the following message: "This user account has expired. Ask your administrator to reactivate the account." You need to ensure that the user is able to log on to the domain. What should you do? A.Modify the properties of the user account to set the account to never expire. B.Modify the properties of the user account to extend the Logon Hours setting. C.Modify the properties of the user account to set the password to never expire. D.Modify the default domain policy to decrease the account lockout duration. Correct Answers: A Explanation:

15: You are installing an application on a computer that runs Windows Server 2008. During installation, the application will need to install new attributes and classes to the Active Directory database. You need to ensure that you can install the application. What should you do? A.Change the functional level of the forest to Windows Server 2008. B.Log on by using an account that has Server Operator rights. C.Log on by using an account that has Schema Administrator rights and the appropriate rights to install the application. D.Log on by using an account that has the Enterprise Administrator rights and the appropriate rights to install the application. Correct Answers: C Explanation: 16: Your company has an Active Directory forest. The company has servers that run Windows Server 2008 and client computers that run Windows Vista. The domain uses a set of GPO administrative templates that have been approved to support regulatory compliance requirements. Your partner company has an Active Directory forest that contains a single domain. The company has servers that run Windows Server 2008 and client computers that run Windows Vista. You need to configure your partner companys domain to use the approved set of administrative templates. What should you do? A.Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In each site, import the GPO to the default domain policy. B.Copy the ADMX files from your companys PDC emulator to the PolicyDefinitions folder on the partner companys PDC emulator. C.Copy the ADML files from your companys PDC emulator to the PolicyDefinitions folder on the partner companys PDC emulator. D.Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Web site. Copy the ADM files to the PolicyDefinitions folder on the partner companys PDC emulator. Correct Answers: B Explanation: 17: You need to ensure that users who enter three successive invalid passwords within 5 minutes are locked out for 5 minutes. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

 A.Set the Minimum password age setting to one day. B.Set the Maximum password age setting to one day. C.Set the Account lockout duration setting to 5 minutes. D.Set the Reset account lockout counter after setting to 5 minutes. E.Set the Account lockout threshold setting to 3 invalid logon attempts. F.Set the Enforce password history setting to 3 passwords remembered. Correct Answers: C D E 18: Your company has an Active Directory forest. The forest includes organizational units corresponding to the following four locations: London Chicago New York Madrid Each location has a child organizational unit named Sales. The Sales organizational unit contains all the users and computers from the sales department. The offices in London, Chicago, and New York are connected by T1 connections. The office in Madrid is connected by a 256-Kbps ISDN connection. You need to install an application on all the computers in the sales department. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A.Disable the slow link detection setting in the Group Policy Object (GPO). B.Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy Object (GPO). C.Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users. Link the GPO to each Sales organizational unit.

D.Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the computers. Link the GPO to each Sales organizational unit. Correct Answers: A D 19: Your company has an Active Directory domain and an organizational unit. The organizational unit is named Web. You configure and test new security settings for Internet Information Service (IIS) servers on a server named IISServerA. You need to deploy the new security settings only on the IIS servers that are members of the Web organizational unit. What should you do? A.Run secedit /configure /db iis.inf from the command prompt on IISServerA, and then run secedit /configure /db webou.inf from the command prompt. B.Export the settings on IISServerA to create a security template. Import the security template into a GPO and link the GPO to the Web organizational unit. C.Export the settings on IISServerA to create a security template. Run secedit /configure /db webou.inf from the command prompt. D.Import the hisecws.inf file template into a GPO and link the GPO to the Web organizational unit. Correct Answers: B Explanation: 20: Your company has a server that runs Windows Server 2008. The server runs an instance of Active Directory Lightweight Directory Services (AD LDS). You need to replicate the AD LDS instance on a test computer that is located on the network. What should you do? A.Run the repadmin /kcc <servername> command on the test computer. B.Create a naming context by running the Dsmgmt command on the test computer. C.Create a new directory partition by running the Dsmgmt command on the test computer. D.Create and install a replica by running the AD LDS Setup wizard on the test computer. Correct Answers: D Explanation: 21: Your company has a main office and 40 branch offices. Each branch office is configured as a separate Active Directory site that has a dedicated read-only domain controller (RODC). An RODC server is stolen from one of the branch offices. You need to identify the user accounts that were cached on the stolen RODC server. Which utility should you use?

A.Dsmod.exe B.Ntdsutil.exe C.Active Directory Sites and Services D.Active Directory Users and Computers Correct Answers: D Explanation: 22: Your company has an Active Directory forest that contains a single domain. The domain member server has an Active Directory Federation Services (AD FS) server role installed. You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain. What should you do? A.Add and configure a new account store. B.Add and configure a new account partner. C.Add and configure a new resource partner. D.Add and configure a Claims-aware application. Correct Answers: A Explanation: 23: Your company has an Active Directory forest that runs at the functional level of Windows Server 2008. You implement Active Directory Rights Management Services (AD RMS). You install Microsoft SQL Server 2005. When you attempt to open the AD RMS administration Web site, you receive the following error message: "SQL Server does not exist or access denied." You need to open the AD RMS administration Web site. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A.Restart IIS. B.Install Message Queuing. C.Start the MSSQLSVC service. D.Manually delete the Service Connection Point in Active Directory Domain Services (AD DS) and restart AD RMS.

Correct Answers: A C 24: Your network consists of an Active Directory forest that contains two domains. All servers run Windows Server 2008. All domain controllers are configured as DNS servers. You have a standard primary zone for dev.contoso.com that is stored on a member server. You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone. What should you do? A.On the member server, create a stub zone. B.On the member server, create a NS record for each domain controller. C.On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the forest. D.On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the domain. Correct Answers: C Explanation: 25: Your company has an Active Directory domain. You install a new domain controller in the domain. Twenty users report that they are unable to log on to the domain. You need to reregister the SRV records. Which command should you run on the new domain controller? A.Run the netsh interface reset command. B.Run the ipconfig /flushdns command. C.Run the dnscmd /EnlistDirectoryPartition command. D.Run the sc stop netlogon command followed by the sc start netlogon command. Correct Answers: D Explanation: 26: Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 and are configured as DNS servers. You have an Active Directory-integrated zone for contoso.com. You have a UNIX-based DNS server. You need to configure your Windows Server 2008 environment to allow zone transfers of the contoso.com zone to the UNIX-based DNS server. What should you do in the DNS Manager console? A.Disable recursion.

B.Create a stub zone. C.Create a secondary zone. D.Enable BIND secondaries. Correct Answers: D Explanation: 27: Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 and are configured as DNS servers. A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller named DC2 has a standard secondary zone for contoso.com. You need to ensure that the replication of the contoso.com zone is encrypted. You must not lose any zone data. What should you do? A.On both servers, modify the interface that the DNS server listens on. B.Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone. C.Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone. D.Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the secondary zone. Correct Answers: B Explanation: 28: Your network consists of a single Active Directory domain. The domain contains 10 domain controllers. The domain controllers run Windows Server 2008 and are configured as DNS servers. You plan to create a new Active Directory-integrated zone. You need to ensure that the new zone is only replicated to four of your domain controllers. What should you do first? A.Create a new delegation in the ForestDnsZones application directory partition. B.Create a new delegation in the DomainDnsZones application directory partition. C.From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter. D.From the command prompt, run dnscmd and specify the /createdirectorypartition parameter. Correct Answers: D Explanation:

29: Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com. The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone. You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails. What should you do? A.Create a new stub zone named ad.contoso.com on DC2. B.Configure the DNS server on DC2 to forward requests to DC1. C.Create a new standard secondary zone named ad.contoso.com on DC2. D.Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone. Correct Answers: D Explanation: 30: You have a domain controller named DC1 that runs Windows Server 2008. DC1 is configured as a DNS server for contoso.com. You install the DNS Server server role on a member server named Server1 and then you create a standard secondary zone for contoso.com. You configure DC1 as the master server for the zone. You need to ensure that Server1 receives zone updates from DC1. What should you do? A.On Server1, add a conditional forwarder. B.On DC1, modify the permissions of contoso.com zone. C.On DC1, modify the zone transfer settings for the contoso.com zone. D.Add the Server1 computer account to the DNSUpdateProxy group. Correct Answers: C Explanation: 31: You have a domain controller that runs Windows Server 2008. The Windows Server Backup feature is installed on the domain controller. You need to perform a non-authoritative restore of the domain controller by using an existing backup file. What should you do? A.Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN command to perform a critical volume restore. B.Restart the domain controller in Directory Services Restore Mode. Use the Windows Server

Backup snap-in to perform a critical volume restore. C.Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to perform a critical volume restore. D.Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical volume restore. Correct Answers: A Explanation: 32: You have a domain controller that runs the DHCP service. You need to perform an offline defragmentation of the Active Directory database on the domain controller. You must achieve this goal without affecting the availability of the DHCP service. What should you do? A.Restart the domain controller in Directory Services Restore Mode. Run the Disk Defragmenter utility. B.Restart the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility. C.Stop the Active Directory Domain Services service. Run the Ntdsutil utility. D.Stop the Active Directory Domain Services service. Run the Disk Defragmenter utility. Correct Answers: C Explanation: 33: You create 200 new user accounts. The users are located in six different sites. New users report that they receive the following error message when they try to log on: "The username or password is incorrect." You confirm that the user accounts exist and are enabled. You also confirm that the user name and password information supplied are correct. You need to identify the cause of the failure. You also need to ensure that the new users are able to log on. Which utility should you run? A.Rsdiag B.Rstools C.Repadmin D.Active Directory Domains and Trusts Correct Answers: C Explanation:

34: You network consists of a single Active Directory domain. All domain controllers run Windows Server 2008. You need to reset the Directory Services Recovery Mode (DSRM) password on a domain controller. What tool should you use? A.dsmod B.ntdsutil C.Local Users and Groups snap-in D.Active Directory Users and Computers snap-in Correct Answers: B Explanation: 35: Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008. You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amount of available CPU resources on a domain controller. What should you do? A.Review performance data in Resource Monitor. B.Review the Hardware Events log in the Event Viewer. C.Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report. D.Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report. Correct Answers: D Explanation: 36: Your company has an Active Directory domain. All servers run Windows Server 2008. Your company uses an Enterprise Root certificate authority (CA). You need to ensure that revoked certificate information is highly available. What should you do? A.Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing. B.Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and Acceleration Server array. C.Publish the trusted certificate authorities list to the domain by using a Group Policy Object

(GPO). D.Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the domain. Correct Answers: A Explanation: 37: You have two servers named Server1 and Server2. Both servers run Windows Server 2008. Server1 is configured as an enterprise root certification authority (CA). You install the Online Responder role service on Server2. You need to configure Server1 to support the Online Responder. What should you do? A.Import the enterprise root CA certificate. B.Configure the Certificate Revocation List Distribution Point extension. C.Configure the Authority Information Access (AIA) extension. D.Add the Server2 computer account to the CertPublishers group. Correct Answers: C Explanation: 38: Your company has an Active Directory domain. All servers run Windows Server 2008. Your company runs an Enterprise Root certification authority (CA). You need to ensure that only administrators can sign code. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.) A.Publish the code signing template. B.Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only administrators to apply the policy. C.Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted Publishers. D.Modify the security settings on the template to allow only administrators to request code signing certificates. Correct Answers: A D 39: Your company has an Active Directory domain. All servers run Windows Server 2008. Your

company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA. The Enterprise Intermediate CA certificate expires. You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain. What should you do? A.Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server. B.Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server. C.Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group policy object. D.Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object. Correct Answers: D Explanation: 40: You have a Windows Server 2008 that has the Active Directory Certificate Services server role installed. You need to minimize the amount of time it takes for client computers to download a certificate revocation list (CRL). What should you do? A.Install and configure an Online Responder. B.Install and configure an additional domain controller. C.Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations. D.Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client workstations. Correct Answers: A Explanation:

: B
1: Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server 2008. You need to create multiple password policies for users in your domain. What should you do? A.From the Schema snap-in, create multiple class schema objects.

B.From the ADSI Edit snap-in, create multiple Password Setting objects. C.From the Security Configuration Wizard, create multiple security policies. D.From the Group Policy Management snap-in, create multiple Group Policy objects. Correct Answers: B Explanation: 2: You want users to log on to Active Directory by using a new User Principal Name (UPN). You need to modify the UPN suffix for all user accounts. Which tool should you use? A.Dsmod B.Netdom C.Redirusr D.Active Directory Domains and Trusts Correct Answers: A Explanation: 3: Your company has an Active Directory domain. All consultants belong to a global group named TempWorkers. The TempWorkers group is not nested in any other groups. You move the computer objects of three file servers to a new organizational unit named SecureServers. These file servers contain only confidential data in shared folders. You need to prevent members of the TempWorkers group from accessing the confidential data on the file servers. You must achieve this goal without affecting access to other domain resources. What should you do? A.Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to this computer from the network user right to the TempWorkers global group. B.Create a new GPO and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers global group. C.Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group. D.Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on

locally user right to the TempWorkers global group. Correct Answers: A Explanation: 4: Your network consists of a single Active Directory domain. User accounts for engineering department are located in an OU named Engineering. You need to create a password policy for the engineering department that is different from your domain password policy. What should you do? A.Create a new GPO. Link the GPO to the Engineering OU. B.Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the Engineering OU. C.Create a global security group and add all the user accounts for the engineering department to the group. Create a new Password Policy Object (PSO) and apply it to the group. D.Create a domain local security group and add all the user accounts for the engineering department to the group. From the Active Directory Users and Computer console, select the group and run the Delegation of Control Wizard. Correct Answers: C Explanation: 5: Your company has an Active Directory forest that contains client computers that run Windows Vista and Windows XP. You need to ensure that users are able to install approved application updates on their computers. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A.Set up Automatic Updates through Control Panel on the client computers. B.Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically search for updates on the Microsoft Update site. C.Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Microsoft WSUS server for approved updates. D.Install the Microsoft WSUS application on a server in the environment. Configure the server to search for new updates on the Internet. Approve all required updates. Correct Answers: C D

6: Your company has an Active Directory domain that has an organizational unit named Sales. The Sales organizational unit contains two global security groups named sales managers and sales executives. You need to apply desktop restrictions to the sales executives group. You must not apply these desktop restrictions to the sales managers group. You create a GPO named DesktopLockdown and link it to the Sales organizational unit. What should you do next? A.Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO. B.Configure the Deny Apply Group Policy permission for the sales executives on the DesktopLockdown GPO. C.Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO. D.Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO. Correct Answers: A Explanation: 7: Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008. Auditing is configured to log changes made to the Managed By attribute on group objects in an organizational unit named OU1. You need to log changes made to the Description attribute on all group objects in OU1 only. What should you do? A.Run auditpol.exe. B.Modify the auditing entry for OU1. C.Modify the auditing entry for the domain. D.Create a new Group Policy object (GPO). Enable the Audit account management policy setting. Link the GPO to OU1. Correct Answers: B Explanation: 8: Your company has a single-domain Active Directory forest. The functional level of the domain is Windows Server 2008. You perform the following activities: Create a global distribution group.

Add users to the global distribution group. Create a shared folder on a Windows Server 2008 member server. Place the global distribution group in a domain local group that has access to the shared folder. You need to ensure that the users have access to the shared folder. What should you do? A.Raise the forest functional level to Windows Server 2008. B.Add the global distribution group to the Domain Administrators group. C.Change the group type of the global distribution group to a security group. D.Change the scope of the global distribution group to a Universal distribution group. Correct Answers: C Explanation: 9: Your company uses shared folders. Users are granted access to the shared folders by using domain local groups. One of the shared folders contains confidential data. You need to ensure that unauthorized users are not able to access the shared folder that contains confidential data. What should you do? A.Enable the Do not trust this computer for delegation property on all the computers of unauthorized users by using the Dsmod utility. B.Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full control permission on the shared folders that hold the confidential data for the Guest account. C.Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users into the Deny DLG group. Configure the Allow Full control permission on the shared folder that holds the confidential data for the Deny DLG group. D.Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorized users into the Deny DLG group. Configure the Deny Full control permission on the shared folder that holds the confidential data for the Deny DLG group. Correct Answers: D Explanation: 10: Your network consists of an Active Directory forest named contoso.com. All servers run Windows Server 2008. All domain controllers are configured as DNS servers. The contoso.com DNS zone is stored in the ForestDnsZones Active Directory application partition. You have a

member server that contains a standard primary DNS zone for dev.contoso.com. You need to ensure that all domain controllers can resolve names for dev.contoso.com. What should you do? A.Create a NS record in the contoso.com zone. B.Create a delegation in the contoso.com zone. C.Create a standard secondary zone on a Global Catalog server. D.Modify the properties of the SOA record in the contoso.com zone. Correct Answers: B Explanation: 11: Your network consists of an Active Directory forest that contains one domain. All domain controllers run Windows Server 2008 and are configured as DNS servers. You have an Active Directory-integrated zone. You have two Active Directory sites. Each site contains five domain controllers. You add a new NS record to the zone. You need to ensure that all domain controllers immediately receive the new NS record. What should you do? A.From the DNS Manager console, reload the zone. B.From the Services snap-in, restart the DNS Server service. C.From the command prompt, run repadmin /syncall. D.From the DNS Manager console, increase the version number of the SOA record. Correct Answers: C Explanation: 12: Your company has a main office and five branch offices that are connected by WAN links. The company has an Active Directory domain named contoso.com. Each branch office has a member server configured as a DNS server. All branch office DNS servers host a secondary zone for contoso.com. You need to configure the contoso.com zone to resolve client queries for at least four days in the event that a WAN link fails. What should you do? A.Configure the Expire after option for the contoso.com zone to 4 days. B.Configure the Retry interval option for the contoso.com zone to 4 days. C.Configure the Refresh interval option for the contoso.com zone to 4 days. D.Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.

Correct Answers: A Explanation: 13: Your company has an Active Directory domain. You install a new domain controller in the domain. Twenty users report that they are unable to log on to the domain. You need to reregister the SRV records. Which command should you run on the new domain controller? A.Run the netsh interface reset command. B.Run the ipconfig /flushdns command. C.Run the dnscmd /EnlistDirectoryPartition command. D.Run the sc stop netlogon command followed by the sc start netlogon command. Correct Answers: D Explanation: 14: Your network consists of an Active Directory forest that contains one domain named contoso.com. All domain controllers run Windows Server 2008 and are configured as DNS servers. You have two Active Directory-integrated zones: contoso.com and nwtraders.com. You need to ensure a user is able to modify records in the contoso.com zone. You must prevent the user from modifying the SOA record in the nwtraders.com zone. What should you do? A.From the DNS Manager console, modify the permissions of the contoso.com zone. B.From the DNS Manager console, modify the permissions of the nwtraders.com zone. C.From the Active Directory Users and Computers console, run the Delegation of Control Wizard. D.From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers organizational unit (OU). Correct Answers: A Explanation: 15: Your network consists of a single Active Directory domain. You have a domain controller and a member server that run Windows Server 2008. Both servers are configured as DNS servers. Client computers run either Windows XP Service Pack 2 or Windows Vista. You have a standard primary zone on the domain controller. The member server hosts a secondary copy of the zone. You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone. What should you do first?

A.On the member server, add a conditional forwarder. B.On the member server, install Active Directory Domain Services. C.Add all computer accounts to the DNSUpdateProxy group. D.Convert the standard primary zone to an Active Directory-integrated zone. Correct Answers: D Explanation: 16: Your network consists of a single Active Directory domain. The domain contains 10 domain controllers. The domain controllers run Windows Server 2008 and are configured as DNS servers. You plan to create a new Active Directory-integrated zone. You need to ensure that the new zone is only replicated to four of your domain controllers. What should you do first? A.Create a new delegation in the ForestDnsZones application directory partition. B.Create a new delegation in the DomainDnsZones application directory partition. C.From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter. D.From the command prompt, run dnscmd and specify the /createdirectorypartition parameter. Correct Answers: D Explanation: 17: Your company has an Active Directory forest. The company has three locations. Each location has an organizational unit and a child organizational unit named Sales. The Sales organizational unit contains all users and computers of the sales department. The company plans to deploy a Microsoft Office 2007 application on all computers within the three Sales organizational units. You need to ensure that the Office 2007 application is installed only on the computers in the Sales organizational units. What should you do? A.Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the domain. B.Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location. C.Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.

D.Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location. Correct Answers: D Explanation: 18: Your company has a server that runs an instance of Active Directory Lightweight Directory Services (AD LDS). You need to create new organizational units in the AD LDS application directory partition. What should you do? A.Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDS application directory partition. B.Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition. C.Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units. D.Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units. Correct Answers: B Explanation: 19: Your company has an Active Directory forest that contains a single domain. The domain member server has an Active Directory Federation Services (AD FS) server role installed. You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain. What should you do? A.Add and configure a new account store. B.Add and configure a new account partner. C.Add and configure a new resource partner. D.Add and configure a Claims-aware application. Correct Answers: A Explanation: 20: Your company has an Active Directory Rights Management Services (AD RMS) server. Users have Windows Vista computers. An Active Directory domain is configured at the Windows Server 2003 functional level. You need to configure AD RMS so that users are able to protect their

documents. What should you do? A.Install the AD RMS client 2.0 on each client computer. B.Add the RMS service account to the local administrators group on the AD RMS server. C.Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user. D.Upgrade the Active Directory domain to the functional level of Windows Server 2008. Correct Answers: C Explanation: 21: You have two servers named Server1 and Server2. Both servers run Windows Server 2008. Server1 is configured as an Enterprise Root certification authority (CA). You install the Online Responder role service on Server2. You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root CA. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.) A.Import the enterprise root CA certificate. B.Import the OCSP Response Signing certificate. C.Add the Server1 computer account to the CertPublishers group. D.Set the Startup Type of the Certificate Propagation service to Automatic. Correct Answers: A B 22: Your company has an Active Directory domain. You install an Enterprise Root certification authority (CA) on a member server named Server1. You need to ensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1. What should you do? A.Remove the Request Certificates permission from the Domain Users group. B.Remove the Request Certificates permission from the Authenticated Users group. C.Assign the Allow - Manage CA permission to only the Security Manager user account. D.Assign the Allow - Issue and Manage Certificates permission to only the Security Manager user account. Correct Answers: D

Explanation: 23: You have a Windows Server 2008 Enterprise Root CA. Security policy prevents port 443 and port 80 from being opened on domain controllers and on the issuing CA. You need to allow users to request certificates from a Web interface. You install the Active Directory Certificate Services (AD CS) server role. What should you do next? A.Configure the Online Responder Role Service on a member server. B.Configure the Online Responder Role Service on a domain controller. C.Configure the Certification Authority Web Enrollment Role Service on a member server. D.Configure the Certification Authority Web Enrollment Role Service on a domain controller. Correct Answers: C Explanation: 24: Your company has an Active Directory domain. You plan to install the Active Directory Certificate Service (AD CS) server role on a member server that runs Windows Server 2008. You need to ensure that members of the Account Operators group are able to issue smartcard credentials. They should not be able to revoke certificates. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.) A.Install the AD CS server role and configure it as an Enterprise Root CA. B.Install the AD CS server role and configure it as a Standalone CA. C.Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group. D.Restrict certificate managers for the Smartcard logon certificate to the Account Operator group. E.Create a Smartcard logon certificate. F.Create an Enrollment Agent certificate. Correct Answers: A C E 25: Your company has an Active Directory forest. You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server. When you attempt to add the Active Directory Certificate Services (AD CS) server role, you find that the Enterprise CA option is not available. You need to install the AD CS server role as an Enterprise CA. What should you do first?

A.Add the DNS Server server role. B.Join the server to the domain. C.Add the Web Server server role and the AD CS server role. D.Add the Active Directory Lightweight Directory Services (AD LDS) server role. Correct Answers: B Explanation: 26: Your company has an Active Directory domain. You log on to the domain controller. The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC). You need to access the Active Directory Schema snap-in. What should you do? A.Register Schmmgmt.dll. B.Log off and log on again by using an account that is a member of the Schema Admins group. C.Use the Ntdsutil.exe command to connect to the schema master operations master and open the schema for writing. D.Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by using Server Manager. Correct Answers: A Explanation: 27: You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008. What is the minimal forest functional level that you should use? A.Windows Server 2008 B.Windows Server 2003 Interim mode C.Windows 2000 Native mode D.Windows Server 2003 Native mode Correct Answers: D Explanation: 28: Your company has three Active Directory domains in a single forest. You install a new Active Directoryenabled application. The application adds new user attributes to the Active Directory

schema. You discover that the Active Directory replication traffic to the Global Catalogs has increased. You need to prevent the new attributes from being replicated to the Global Catalog. You must achieve this goal without affecting application functionality. What should you do? A.Change the replication interval for the DEFAULTIPSITELINK object to 9990. B.Change the cost for the DEFAULTIPSITELINK object to 9990. C.Mark the new attributes in the Active Directory schema as defunct. D.Modify the properties in the Active Directory schema for the new attributes. Correct Answers: D Explanation: 29: Your company has a single Active Directory domain. All domain controllers run Windows Server 2003. You install Windows Server 2008 on a server. You need to add the new server as a domain controller in your domain. What should you do first? A.On the new server, run dcpromo /adv. B.On the new server, run dcpromo /createdcaccount. C.On a domain controller run adprep /rodcprep. D.On a domain controller, run adprep /forestprep. Correct Answers: D Explanation: 30: Your company has an Active Directory domain named contoso.com. The company network has two DNS servers named DNS1 and DNS2. The DNS servers are configured as shown in the following table.

Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to Internet Web sites. You need to enable Internet name resolution for all client computers.

What should you do? A.Create a copy of the .(root) zone on DNS1. B.Update the list of root hints servers on DNS2. C.Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1. D.Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2. Correct Answers: D Explanation: 31: You have an existing Active Directory site named Site1. You create a new Active Directory site and name it Site2. You need to configure Active Directory replication between Site1 and Site2. You install a new domain controller. You create the site link between Site1 and Site2. What should you do next? A.Use the Active Directory Sites and Services console to configure a new site link bridge object. B.Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2. C.Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new domain controller object to Site2. D.Use the Active Directory Sites and Services console to configure the new domain controller as a preferred bridgehead server for Site1. Correct Answers: C Explanation: 32: Your company has two Active Directory forests named contoso.com and fabrikam.com. Both forests run only domain controllers that run Windows Server 2008. The domain functional level of contoso.com is Windows Server 2008. The domain functional level of fabrikam.com is Windows Server 2003 Native mode. You configure an external trust between contoso.com and fabrikam.com. You need to enable the Kerberos AES encryption option. What should you do? A.Create a new forest trust and enable forest-wide authentication. B.Raise the forest functional level of contoso.com to Windows Server 2008. C.Raise the forest functional level of fabrikam.com to Windows Server 2008.

D.Raise the domain functional level of fabrikam.com to Windows Server 2008. Correct Answers: D Explanation: 33: Your company has a main office and three branch offices. Each office is configured as a separate Active Directory site that has its own domain controller. You disable an account that has administrative rights. You need to immediately replicate the disabled account information to all sites. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) A.Use Dsmod.exe to configure all domain controllers as global catalog servers. B.Use Repadmin.exe to force replication between the site connection objects. C.From the Active Directory Sites and Services console, select the existing connection objects and force replication. D.From the Active Directory Sites and Services console, configure all domain controllers as global catalog servers. Correct Answers: B C 34: Your company has an Active Directory domain named ad.contoso.com. The domain has two domain controllers named DC1 and DC2. Both domain controllers have the DNS Server server role installed. You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure DC1 to forward all unresolved name requests to DNS1.contoso.com. You discover that the DNS forwarding option is unavailable on DC2. You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com server. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A.Clear the DNS cache on DC2. B.Delete the Root zone on DC2. C.Configure conditional forwarding on DC2. D.Configure the Listen On address on DC2. Correct Answers: B C 35: Your company has two domain controllers named DC1 and DC2. DC1 hosts all domain and

forest operations master roles. DC1 fails. You need to rebuild DC1 by reinstalling the operating system. You also need to rollback all operations master roles to their original state. You perform a metadate cleanup and remove all references of DC1. Which three actions should you perfrom next? (To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.)

Correct Answers:

36: You need to identify all failed logon attempts on the domain controllers. What should you do? A.Run Event Viewer. B.View the Netlogon.log file. C.Run the Security Configuration Wizard. D.View the Security tab on the domain controller computer object. Correct Answers: A Explanation: 37: You have a domain controller that runs the DHCP service. You need to perform an offline defragmentation of the Active Directory database on the domain controller. You must achieve this goal without affecting the availability of the DHCP service. What should you do?

A.Restart the domain controller in Directory Services Restore Mode. Run the Disk Defragmenter utility. B.Restart the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility. C.Stop the Active Directory Domain Services service. Run the Ntdsutil utility. D.Stop the Active Directory Domain Services service. Run the Disk Defragmenter utility. Correct Answers: C Explanation: 38: Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008. You need to capture all replication errors from all domain controllers to a central location. What should you do? A.Configure event log subscriptions. B.Start the System Performance data collector set. C.Start the Active Directory Diagnostics data collector set. D.Install Network Monitor and create a new a new capture. Correct Answers: A Explanation: 39: You need to perform an offline defragmentation of an Active Directory database. Which four actions should you perform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer area and arrange them in the correct order.)

Correct Answers:

40: Your company has an Active Directory domain that runs Windows Server 2008. The Sales OU contains an OU for Computers, an OU for Groups, and an OU for Users. You perform nightly backups. An administrator deletes the Groups OU. You need to restore the Groups OU without affecting users and computers in the Sales OU. What should you do? A.Perform an authoritative restore of the Sales OU. B.Perform an authoritative restore of the Groups OU. C.Perform a non-authoritative restore of the Groups OU. D.Perform a non-authoritative restore of the Sales OU. Correct Answers: B Explanation:

: C
1: All consultants belong to a global group named TempWorkers. You place three file servers in a new organizational unit named SecureServers. The three file servers contain confidential data located in shared folders. You need to record any failed attempts made by the consultants to access the confidential data. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A.Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege use Failure audit policy setting. B.Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object access Failure audit policy setting. C.Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to this computer from the network user rights setting for the TempWorkers global group. D.On each shared folder on the three file servers, add the three servers to the Auditing tab.

Configure the Failed Full control setting in the Auditing Entry dialog box. E.On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog box. Correct Answers: B E 2: Your company has an Active Directory forest. Each branch office has an organizational unit and a child organizational unit named Sales. The Sales organizational unit contains all users and computers of the sales department. You need to install a Microsoft Office 2007 application only on the computers in the Sales organizational unit. You create a GPO named SalesApp GPO. What should you do next? A.Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the domain. B.Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location. C.Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location. D.Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location. Correct Answers: D Explanation: 3: Your company has recently acquired a new subsidiary company in Quebec. The Active Directory administrators of the subsidiary company must use the French-language version of the administrative templates. You create a folder on the PDC emulator for the subsidiary domain in the path %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\FR. You need to ensure that the French-language version of the templates is available. What should you do? A.Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm files from the Microsoft Web site. Copy the ADM files to the FR folder. B.Copy the ADML files from the French local installation media for Windows Server 2008 to the FR folder on the subsidiary PDC emulator. C.Copy the Install.WIM file from the French local installation media for Windows Server 2008 to the FR folder on the subsidiary PDC emulator. D.Copy the ADMX files from the French local installation media for Windows Server 2008 to the

FR folder on the subsidiary PDC emulator. Correct Answers: B Explanation: 4: A user in a branch office of your company attempts to join a computer to the domain, but the attempt fails. You need to enable the user to join a single computer to the domain. You must ensure that the user is denied any additional rights beyond those required to complete the task. What should you do? A.Prestage the computer account in the Active Directory domain. B.Add the user to the Domain Administrators group for one day. C.Add the user to the Server Operators group in the Active Directory domain. D.Grant the user the right to log on locally by using a Group Policy Object (GPO). Correct Answers: A Explanation: 5: The default domain GPO in your company is configured by using the following account policy settings: Minimum password length: 8 characters Maximum password age: 30 days Enforce password history: 12 passwords remembered Account lockout threshold: 3 invalid logon attempts Account lockout duration: 30 minutes You install Microsoft SQL Server on a computer named Server1 that runs Windows Server 2008. The SQL Server application uses a service account named SQLSrv. The SQLSrv account has domain user rights. The SQL Server computer fails after running successfully for several weeks. The SQLSrv user account is not locked out. You need to resolve the server failure and prevent recurrence of the failure. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A.Reset the password of the SQLSrv user account.

B.Configure the local security policy on Server1 to grant the Logon as a service right on the SQLSrv user account. C.Configure the properties of the SQLSrv account to Password never expires. D.Configure the properties of the SQLSrv account to User cannot change password. E.Configure the local security policy on Server1 to explicitly grant the SQLSrv user account the Allow logon locally user right. Correct Answers: A C 6: Your company has an Active Directory forest. The company has branch offices in three locations. Each location has an organizational unit. You need to ensure that the branch office administrators are able to create and apply GPOs only to their respective organizational units. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A.Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group. B.Modify the Managed By tab in each organizational unit to add the branch office administrators to their respective organizational units. C.Run the Delegation of Control Wizard and delegate the right to link GPOs for the domain to the branch office administrators. D.Run the Delegation of Control Wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators. Correct Answers: A D 7: Your company has file servers located in an organizational unit named Payroll. The file servers contain payroll files located in a folder named Payroll. You create a GPO. You need to track which employees access the Payroll files on the file servers. What should you do? A.Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder. B.Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configure Auditing for the Authenticated Users group in the Payroll folder. C.Enable the Audit process tracking option. Link the GPO to the Domain Controllers

organizational unit. On the file servers, configure Auditing for the Authenticated Users group in the Payroll folder. D.Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder. Correct Answers: A Explanation: 8: Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server 2008. You need to create multiple password policies for users in your domain. What should you do? A.From the Schema snap-in, create multiple class schema objects. B.From the ADSI Edit snap-in, create multiple Password Setting objects. C.From the Security Configuration Wizard, create multiple security policies. D.From the Group Policy Management snap-in, create multiple Group Policy objects. Correct Answers: B Explanation: 9: Your company hires 10 new employees. You want the new employees to connect to the main office through a VPN connection. You create new user accounts and grant the new employees the Allow Read and Allow Execute permissions to shared resources in the main office. The new employees are unable to access shared resources in the main office. You need to ensure that users are able to establish a VPN connection to the main office. What should you do? A.Grant the new employees the Allow Full control permission. B.Grant the new employees the Allow Access Dial-in permission. C.Add the new employees to the Remote Desktop Users security group. D.Add the new employees to the Windows Authorization Access security group. Correct Answers: B Explanation: 10: You have a domain controller that runs Windows Server 2008. The Windows Server Backup feature is installed on the domain controller. You need to perform a non-authoritative restore of the domain controller by using an existing backup file. What should you do?

A.Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN command to perform a critical volume restore. B.Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-in to perform a critical volume restore. C.Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to perform a critical volume restore. D.Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical volume restore. Correct Answers: A Explanation: 11: You company has an Active Directory forest that contains multiple domain controllers. The domain controllers run Windows Server 2008. You need to perform an authoritative restore of a deleted organizational unit and its child objects. Which four actions should you perform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer area, and arrange them in the correct order.)

Correct Answers:

12: Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008. You need to capture all replication errors from all domain controllers to a

central location. What should you do? A.Configure event log subscriptions. B.Start the System Performance data collector set. C.Start the Active Directory Diagnostics data collector set. D.Install Network Monitor and create a new a new capture. Correct Answers: A Explanation: 13: You network consists of a single Active Directory domain. All domain controllers run Windows Server 2008. You need to reset the Directory Services Recovery Mode (DSRM) password on a domain controller. What tool should you use? A.dsmod B.ntdsutil C.Local Users and Groups snap-in D.Active Directory Users and Computers snap-in Correct Answers: B Explanation: 14: You need to validate whether Active Directory successfully replicated between two domain controllers. What should you do? A.Run the DSget command. B.Run the Dsquery command. C.Run the RepAdmin command. D.Run the Windows System Resource Manager. Correct Answers: C Explanation: 15: Your company has an Active Directory forest that contains two domains. The forest has universal groups that contain members from each domain. A branch office has a domain controller

named DC1. Users at the branch office report that the logon process takes too long. You need to decrease the amount of time it takes for the branch office users to logon. What should you do? A.Configure DC1 as a Global Catalog server. B.Configure DC1 as a bridgehead server for the branch office site. C.Decrease the replication interval on the site link that connects the branch office to the corporate network. D.Increase the replication interval on the site link that connects the branch office to the corporate network. Correct Answers: A Explanation: 16: Your company has a main office and 10 branch offices. Each branch office has an Active Directory site that contains one domain controller. Only domain controllers in the main office are configured as Global Catalog servers. You need to deactivate the Universal Group Membership Caching option on the domain controllers in the branch offices. At which level should you deactivate the Universal Group Membership Caching option? A.Site B.Server C.Domain D.Connection object Correct Answers: A Explanation: 17: Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003. You upgrade all domain controllers to Windows Server 2008. You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R). What should you do? A.From the command prompt, run netdom /reset. B.From the command prompt, run dfsutil /addroot:sysvol. C.Raise the functional level of the domain to Windows Server 2008. D.From the command prompt, run dcpromo /unattend:unattendfile.xml.

Correct Answers: C Explanation: 18: Your company has an Active Directory domain. The main office has a DNS server named DNS1 that is configured with Active Directory-integrated DNS. The branch office has a DNS server named DNS2 that contains a secondary copy of the zone file from DNS1. The two offices are connected with an unreliable WAN link. You add a new server to the main office. Five minutes after adding the server, a user from the branch office reports they are unable to connect to the new server. You need to ensure that the user is able to connect to the new server. What should you do? A.Clear the cache on DNS2. B.Reload the zone on DNS1. C.Refresh the zone on DNS2. D.Export the zone from DNS1 and import the zone to DNS2. Correct Answers: C Explanation: 19: Your company has an Active Directory forest that contains only Windows Server 2003 domain controllers. You need to prepare the Active Directory domain to install Windows Server 2008 domain controllers. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.) A.Run the adprep /forestprep command. B.Run the adprep /domainprep command. C.Raise the forest functional level to Windows Server 2008. D.Raise the domain functional level to Windows Server 2008. Correct Answers: A B 20: Your company has an Active Directory domain named ad.contoso.com. The domain has two domain controllers named DC1 and DC2. Both domain controllers have the DNS Server server role installed. You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure DC1 to forward all unresolved name requests to DNS1.contoso.com. You discover that the DNS forwarding option is unavailable on DC2. You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com server. Which two actions should you perform?

(Each correct answer presents part of the solution. Choose two.) A.Clear the DNS cache on DC2. B.Delete the Root zone on DC2. C.Configure conditional forwarding on DC2. D.Configure the Listen On address on DC2. Correct Answers: B C 21: You have an existing Active Directory site named Site1. You create a new Active Directory site and name it Site2. You need to configure Active Directory replication between Site1 and Site2. You install a new domain controller. You create the site link between Site1 and Site2. What should you do next? A.Use the Active Directory Sites and Services console to configure a new site link bridge object. B.Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2. C.Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new domain controller object to Site2. D.Use the Active Directory Sites and Services console to configure the new domain controller as a preferred bridgehead server for Site1. Correct Answers: C Explanation: 22: You are decommissioning one of the domain controllers in a child domain. You need to transfer all domain operations master roles within the child domain to a newly installed domain controller in the same child domain. Which three domain operations master roles should you transfer? (Each correct answer presents part of the solution. Choose three.) A.RID master B.PDC emulator C.Schema master

D.Infrastructure master E.Domain naming master Correct Answers: A B D 23: Your company has a single Active Directory domain named intranet.contoso.com. All domain controllers run Windows Server 2008. The domain functional level and the forest functional level are set to Windows 2000 native mode. You need to ensure the UPN suffix for contoso.com is available for user accounts. What should you do first? A.Raise the contoso.com forest functional level to Windows Server 2003 or Windows Server 2008. B.Raise the contoso.com domain functional level to Windows Server 2003 or Windows Server 2008. C.Add the new UPN suffix to the forest. D.Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to contoso.com. Correct Answers: C Explanation: 24: Your company has two Active Directory forests named Forest1 and Forest2. The forest functional level and the domain functional level of Forest1 are set to Windows Server 2008. The forest functional level of Forest2 is set to Windows 2000, and the domain functional levels in Forest2 are set to Windows Server 2003. You need to set up a transitive forest trust between Forest1 and Forest2. What should you do first? A.Raise the forest functional level of Forest2 to Windows Server 2003 Interim mode. B.Raise the forest functional level of Forest2 to Windows Server 2003. C.Upgrade the domain controllers in Forest2 to Windows Server 2008. D.Upgrade the domain controllers in Forest2 to Windows Server 2003. Correct Answers: B Explanation: 25: Your company has an Active Directory forest that contains a single domain. The domain member server has an Active Directory Federation Services (AD FS) server role installed. You

need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain. What should you do? A.Add and configure a new account store. B.Add and configure a new account partner. C.Add and configure a new resource partner. D.Add and configure a Claims-aware application. Correct Answers: A Explanation: 26: A server named DC1 has the Active Directory Domain Services (AD DS) role and the Active Directory Lightweight Directory Services (AD LDS) role installed. An AD LDS instsance named LDS1 stores its data on the C: drive. You need to relocate the LDS1 instance to the D: drive. Which three actions should you perform in sequence? (To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.)

Correct Answers:

27: Your company has a main office and a branch office that are configured as a single Active Directory forest. The functional level of the Active Directory forest is Windows Server 2003. There are four Windows Server 2003 domain controllers in the main office. You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch office. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A.Run the adprep/rodcprep command. B.Raise the functional level of the forest to Windows Server 2008. C.Raise the functional level of the domain to Windows Server 2008. D.Deploy a Windows Server 2008 domain controller at the main office. Correct Answers: A D 28: Your company has an Active Directory forest that runs at the functional level of Windows Server 2008. You implement Active Directory Rights Management Services (AD RMS). You install Microsoft SQL Server 2005. When you attempt to open the AD RMS administration Web site, you receive the following error message: "SQL Server does not exist or access denied." You need to open the AD RMS administration Web site. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A.Restart IIS. B.Install Message Queuing. C.Start the MSSQLSVC service. D.Manually delete the Service Connection Point in Active Directory Domain Services (AD DS) and restart AD RMS.

Correct Answers: A C 29: You have an Active Directory domain that runs Windows Server 2008. You need to implement a certification authority (CA) server that meets the following requirements: Allows the certification authority to automatically issue certificates Integrates with Active Directory Domain Services What should you do? A.Install and configure the Active Directory Certificate Services server role as a Standalone Root CA. B.Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA. C.Purchase a certificate from a third-party certification authority. Install and configure the Active Directory Certificate Services server role as a Standalone Subordinate CA. D.Purchase a certificate from a third-party certification authority. Import the certificate into the computer store of the schema master. Correct Answers: B Explanation: 30: Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offline root CA and an online issuing CA. The Enterprise certification authority is running Windows Server 2008. You need to ensure users are able to enroll new certificates. What should you do? A.Renew the Certificate Revocation List (CRL) on the root CA. Copy the CRL to theCertEnroll folder on the issuing CA. B.Renew the Certificate Revocation List (CRL) on the issuing CA. Copy the CRL to theSystemCertificates folder in the users profile. C.Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations. D.Import the issuing CA certificate into the Intermediate Certification Authorities store on all client workstations.

Correct Answers: A Explanation: 31: Your company has a server that runs Windows Server 2008. Active Directory Certificate Services (AD CS) is configured as a stand-alone Certification Authority (CA) on the server. You need to audit changes to the CA configuration settings and the CA security settings. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.) A.Configure auditing in the Certification Authority snap-in. B.Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%\CertSrv directory. C.Enable auditing of successful %SYSTEM32%\CertLog directory. and failed attempts to write to files in the

D.Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate Services (AD CS) server. Correct Answers: A D 32: You have a Windows Server 2008 Enterprise Root certification authority (CA). You need to grant members of the Account Operators group the ability to only manage Basic EFS certificates. You grant the Account Operators group the Issue and Manage Certificates permission on the CA. Which three tasks should you perform next? (Each correct answer presents part of the solution. Choose three.) A.Enable the Restrict Enrollment Agents option on the CA. B.Enable the Restrict Certificate Managers option on the CA. C.Add the Basic EFS certificate template for the Account Operators group. D.Grant the Account Operators group the Manage CA permission on the CA. E.Remove all unnecessary certificate templates that are assigned to the Account Operators group. Correct Answers: B C E 33: Your company has an Active Directory domain. All servers run Windows Server 2008. Your company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA.

The Enterprise Intermediate CA certificate expires. You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain. What should you do? A.Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server. B.Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server. C.Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group policy object. D.Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object. Correct Answers: D Explanation: 34: Your network consists of an Active Directory forest named contoso.com. All servers run Windows Server 2008. All domain controllers are configured as DNS servers. The contoso.com DNS zone is stored in the ForestDnsZones Active Directory application partition. You have a member server that contains a standard primary DNS zone for dev.contoso.com. You need to ensure that all domain controllers can resolve names for dev.contoso.com. What should you do? A.Create a NS record in the contoso.com zone. B.Create a delegation in the contoso.com zone. C.Create a standard secondary zone on a Global Catalog server. D.Modify the properties of the SOA record in the contoso.com zone. Correct Answers: B Explanation: 35: Your company has two domain controllers that are configured as internal DNS servers. All zones on the DNS servers are Active Directory-integrated zones. The zones allow all dynamic updates. You discover that the contoso.com zone has multiple entries for the host names of computers that do not exist. You need to configure the contoso.com zone to automatically remove expired records. What should you do? A.Enable only secure updates on the contoso.com zone. B.Enable scavenging and configure the refresh interval on the contoso.com zone.

C.From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone. D.From the Start of Authority tab, increase the default expiration interval on the contoso.com zone. Correct Answers: B Explanation: 36: Your network consists of an Active Directory forest that contains one domain. All domain controllers run Windows Server 2008 and are configured as DNS servers. You have an Active Directory-integrated zone. You have two Active Directory sites. Each site contains five domain controllers. You add a new NS record to the zone. You need to ensure that all domain controllers immediately receive the new NS record. What should you do? A.From the DNS Manager console, reload the zone. B.From the Services snap-in, restart the DNS Server service. C.From the command prompt, run repadmin /syncall. D.From the DNS Manager console, increase the version number of the SOA record. Correct Answers: C Explanation: 37: You have a domain controller named DC1 that runs Windows Server 2008. DC1 is configured as a DNS server for contoso.com. You install the DNS Server server role on a member server named Server1 and then you create a standard secondary zone for contoso.com. You configure DC1 as the master server for the zone. You need to ensure that Server1 receives zone updates from DC1. What should you do? A.On Server1, add a conditional forwarder. B.On DC1, modify the permissions of contoso.com zone. C.On DC1, modify the zone transfer settings for the contoso.com zone. D.Add the Server1 computer account to the DNSUpdateProxy group. Correct Answers: C Explanation: 38: Your company has a main office and a branch office. The company has a single-domain Active

Directory forest. The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008. The branch office has a Windows Server 2008 read-only domain controller (RODC) named DC3. All domain controllers hold the DNS Server server role and are configured as Active Directory-integrated zones. The DNS zones only allow secure updates. You need to enable dynamic DNS updates on DC3. What should you do? A.Run the Ntdsutil.exe /DS Behavior commands on DC3. B.Run the Dnscmd.exe /ZoneResetType command on DC3. C.Reinstall Active Directory Domain Services on DC3 as a writable domain controller. D.Create a custom application directory partition on DC1. Configure the partition to store Active Directory-integrated zones. Correct Answers: C Explanation: 39: Your network consists of a single Active Directory domain. You have a domain controller and a member server that run Windows Server 2008. Both servers are configured as DNS servers. Client computers run either Windows XP Service Pack 2 or Windows Vista. You have a standard primary zone on the domain controller. The member server hosts a secondary copy of the zone. You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone. What should you do first? A.On the member server, add a conditional forwarder. B.On the member server, install Active Directory Domain Services. C.Add all computer accounts to the DNSUpdateProxy group. D.Convert the standard primary zone to an Active Directory-integrated zone. Correct Answers: D Explanation: 40: You have a domain controller that runs Windows Server 2008 and is configured as a DNS server. You need to record all inbound DNS queries to the server. What should you configure in the DNS Manager console? A.Enable debug logging. B.Enable automatic testing for simple queries.

C.Enable automatic testing for recursive queries. D.Configure event logging to log errors and warnings. Correct Answers: A Explanation: