72-640 - TS: Windows Server 2008 Active Directory Configuring
Go back to
Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterprise root certification authority (CA). You have a Web site that uses x.509 certificates for authentication. The Web site is configured to use a many-to-one mapping. You revoke a certificate issued to an external partner. You need to prevent the external partner from accessing the Web site. What should you do?
Run certutil.exe -crl.
Your network contains an Active Directory domain. The relevant servers in the domain are configured as shown in the following table: You need to ensure that all device certificate requests use the MD5 hash algorithm. What should you do?
On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\ HashAlgorithm\HashAlgorithm registry key.
You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) role services installed: -Enterprise root certification authority (CA) -Certificate Enrollment Web Service -Certificate Enrollment Policy Web Service You create a new certificate template. External users report that the new template is unavailable when they request a new certificate. You verify that all other templates are available to the external users. You need to ensure that the external users can request certificates by using the new template. What should you do on Server1?
Run iisreset.exe /restart.
Your company has a main office and a branch office. The company has a single-domain Active Directory forest. The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3. All domain controllers hold the DNS Server server role and are configured as Active Directory- integrated zones. The DNS zones only allow secure updates. You need to enable dynamic DNS updates on DC3. What should you do?
Reinstall Active Directory Domain Services on DC3 as a writable domain controller.
You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates. Users are required to log on to the domain by using a smart card. Your company's corporate security policy states that when an employee resigns, his ability to log on to the network must be immediately revoked. An employee resigns. You need to immediately prevent the employee from logging on to the domain. What should you do?
Disable the employee's Active Directory account.
Your network contains an Active Directory domain. You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA). You have a client computer named Computer1 that runs Windows 7. You enable automatic certificate enrollment for all client computers that run Windows 7. You need to verify that the Windows 7 client computers can automatically enroll for certificates. Which command should you run on Computer1?
Your company has two domain controllers that are configured as internal DNS servers. All zones on the DNS servers are Active Directory-integrated zones. The zones allow all dynamic updates. You discover that the contoso.com zone has multiple entries for the host names of computers that do not exist. You need to configure the contoso.com zone to automatically remove expired records. What should you do?
Enable scavenging and configure the refresh interval on the contoso.com zone.
Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com. The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone. You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails. What should you do?
Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.
You add an Online Responder to an Online Responder Array. You need to ensure that the new Online Responder resolves synchronization conflicts for all members of the Array. What should you do?
From the Online Responder Management Console, select the new Online Responder, and then select Set as Array Controller.
Your network contains an enterprise root certification authority (CA). You need to ensure that a certificate issued by the CA is valid. What should you do?
Run certutil.exe and specify the -verify parameter.
Your network contains two Active Directory forests named contoso.com and adatum.com. The functional level of both forests is Windows Server 2008 R2. Each forest contains one domain. Active Directory Certificate Services (AD CS) is configured in the contoso.com forest to allow users from both forests to automatically enroll user certificates. You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.com certification authority (CA). What should you configure in the adatum.com domain?
From the Default Domain Policy, modify the Certificate Enrollment policy.