83-640 - TS: Windows Server 2008 Active Directory, Configuring
Example Questions
Your company has an Active Directory domain. All servers run Windows Server 2008. Your company uses an Enterprise Root certificate authority (CA). You need to ensure that revoked certificate information is highly available. What should you do?
Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.
You are decommissioning domain controllers that hold all forest-wide operations master roles. You need to transfer all forest-wide operations master roles to another domain controller. Which two roles should you transfer? (Each correct answer presents part of the solution. Choose two.)
Schema master
Domain naming master
Your company has an Active Directory forest. Each branch office has an organizational unit and a child organizational unit named Sales. The Sales organizational unit contains all users and computers of the sales department. You need to install an Office 2007 application only on the computers in the Sales organizational unit. You create a GPO named SalesApp GPO. What should you do next?
Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location.
You installed Windows Server 2008 on a computer and configured it as a file server named FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks. For fault tolerance and performance, you want to configure Redundant Array of Independent Disks (RAID) 0+1 on FileSrv1. Which utility will you use to convert basic disks to dynamic disks on FileSrv1?
Diskpart.exe
Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com. The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone. You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails. What should you do?
Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.
Your company has a single Active Directory domain. All domain controllers run Windows Server 2003. You install Windows Server 2008 on a server. You need to add the new server as a domain controller in your domain. What should you do first?
On a domain controller, run adprep /forestprep.
Your company has an Active Directory domain. All servers run Windows Server 2008. Your company runs an Enterprise Root certification authority (CA). You need to ensure that only administrators can sign code. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
Publish the code signing template.
Modify the security settings on the template to allow only administrators to request code signing certificates.
You are an administrator at . has an RODC (read-only domain controller) server at a remote location. The remote location doesn't have proper physical security. You need to activate non-administrative accounts passwords on that RODC server. Which of the following actions should be considered to populate the RODC server with non-administrative accounts passwords?
Configure the administrative accounts to be added in the Domain RODC Password Replication Denied group
Your company has a main office and three branch offices. The company has an Active Directory forest that has a single domain. Each office has one domain controller. Each office is configured as an Active Directory site. All sites are connected with the DEFAULTIPSITELINK object. You need to decrease the replication latency between the domain controllers. What should you do?
Decrease the replication interval for the DEFAULTIPSITELINK object.
Your company has a single Active Directory domain named intranet.contoso.com. All domain controllers run Windows Server 2008. The domain functional level and the forest functional level are set to Windows 2000 native mode. You need to ensure the UPN suffix for contoso.com is available for user accounts. What should you do first?
Add the new UPN suffix to the forest.
You need to identify all failed logon attempts on the domain controllers. What should you do?
Run Event Viewer.
has a domain controller that runs Windows Server 2008. The network boasts 40 Windows Vista client machines. As an administrator at , you want to deploy Active Directory Certificate Services (AD CS) to authorize the network users by issuing digital certificates. What should you do to manage certificate settings on all machines in a domain from one main location?
Configure Group Policy certificate settings
Your company has two Active Directory forests named contoso.com and fabrikam.com. Both forests run only domain controllers that run Windows Server 2008. The domain functional level of contoso.com is Windows Server 2008. The domain functional level of fabrikam.com is Windows Server 2003 Native mode. You configure an external trust between contoso.com and fabrikam.com. You need to enable the Kerberos AES encryption option. What should you do?
Raise the domain functional level of fabrikam.com to Windows Server 2008.
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008. You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amount of available CPU resources on a domain controller. What should you do?
Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report.
com has a server with Active Directory Rights Management Services (AD RMS) server installed. Users have computers with Windows Vista installed on them with an Active Directory domain installed at Windows Server 2003 functional level. As an administrator at .com, you discover that the users are unable to benefit from AD RMS to protect their documents. You need to configure AD RMS to enable users to use it and protect their documents. What should you do to achieve this functionality?
Configure an email account in Active Directory Domain Services (AD DS) for each user.
boosts a two-node Network Load Balancing cluster which is called web. CK1 .com. The purpose of this cluster is to provide load balancing and high availability of the intranet website only. With monitoring the cluster, you discover that the users can view the Network Load Balancing cluster in their Network Neighborhood and they can use it to connect to various services by using the name web. CK1 .com. You also discover that there is only one port rule configured for Network Load Balancing cluster. You have to configure web. CK1 .com NLB cluster to accept HTTP traffic only. Which two actions should you perform to achieve this objective? (Choose two answers. Each answer is part of the complete solution)
Create a new rule for TCP port 80 by using the Network Load Balancing Cluster console
Delete the default port rules through Network Load Balancing Cluster console
Your company purchases a new application to deploy on 200 computers. The application requires that you modify the registry on each target computer before you install the application. The registry modifications are in a file that has an .adm extension. You need to prepare the target computers for the application. What should you do?
Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an organizational unit that contains the target computers.
You need to relocate the existing user and computer objects in your company to different organizational units. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
Run the Dsmod utility.
Run the Active Directory Users and Computers utility.
You have a domain controller named DC1 that runs Windows Server 2008. DC1 is configured as a DNS Server for contoso.com. You install the DNS Server role on a member server named Server1 and then you create a standard secondary zone for contoso.com. You configure DC1 as the master server for the zone. You need to ensure that Server1 receives zone updates from DC1. What should you do?
On DC1, modify the zone transfer settings for the contoso.com zone.
Your network consists of an Active Directory forest that contains one domain named contoso.com. All domain controllers run Windows Server 2008 and are configured as DNS servers. You have two Active Directory-integrated zones: contoso.com and nwtraders.com. You need to ensure a user is able to modify records in the contoso.com zone. You must prevent the user from modifying the SOA record in the nwtraders.com zone. What should you do?
From the DNS Manager console, modify the permissions of the contoso.com zone.
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008. The Audit account management policy setting and Audit directory services access setting are enabled for the entire domain. You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes. What should you do?
Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.
Your company has an Active Directory domain. You log on to the domain controller. The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC). You need to access the Active Directory Schema snap-in. What should you do?
Register Schmmgmt.dll.
Your company has an Active Directory forest. The forest includes organizational units corresponding to the following four locations: London, Chicago, New York, and Madrid. Each location has a child organizational unit named Sales. The Sales organizational unit contains all the users and computers from the sales department. The offices in London, Chicago, and New York are connected by T1 connections. The office in Madrid is connected by a 256-Kbps ISDN connection. You need to install an application on all the computers in the sales department. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
Disable the slow link detection setting in the Group Policy Object (GPO).
Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the computers. Link the GPO to each Sales organizational unit.
Your company has a domain controller that runs Windows Server 2008. The server is a backup server. The server has a single 500-GB hard disk that has three partitions for the operating system, applications, and data. You perform daily backups of the server. The hard disk fails. You replace the hard disk with a new hard disk of the same capacity. You restart the computer on the installation media. You select the Repair your computer option. You need to restore the operating system and all files. What should you do?
Run the Wbadmin utility at the command prompt.
Your company has an Active Directory forest. The company has branch offices in three locations. Each location has an organizational unit. You need to ensure that the branch office administrators are able to create and apply GPOs only to their respective organizational units. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.
Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators.
com has servers on the main network that run Windows Server 2008. It also has two domain controllers. Active Directory services are running on a domain controller named CKDC1. You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server. What should you do to perform offline critical updates on CKDC1 without rebooting the server?
Stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates.
has a main office and a branch office. 's network consists of a single Active Directory forest. Some of the servers in the network run Windows Server 2008 and the rest run Windows Server 2003. You are the administrator at . You have installed Active Directory Domain Services (AD DS) on a computer that runs Windows Server 2008. The branch office is located in a physically insecure place. It has no IT personnel onsite and there are no administrators there. You need to set up a Read-Only Domain Controller (RODC) on the Server Core installation computer in the branch office. What should you do to set up the RODC on the computer in the branch office?
Execute an unattended installation of AD DS
Your company has an Active Directory forest that contains only Windows Server 2003 domain controllers. You need to prepare the Active Directory domain to install Windows Server 2008 domain controllers. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
Run the adprep /forestprep command.
Run the adprep /domainprep command.
is having an Active Directory Rights Management Services (AD RMS) server. Users' machines are running Windows Vista and an Active Directory domain is configured at Microsoft Windows Server 2003 functional level. Users are complaining that they cannot protect their documents. You need to configure AD RMS so that users are able to protect their documents. What should you do?
Establish an e-mail account in Active Directory Domain Services (AD DS) for each user
Critical services are running on CKD20, a domain controller. You have completed restructuring the organizational unit hierarchy for the domain and deleted the needless objects. What would you do to perform an offline defragmentation of the Active Directory database on CKD20 while ensuring that the critical services remain online?
Open the MMC and stop the Domain Controller service. After that, run the Ntdsutil tool.
You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensure that data and log files are backed up regularly. This will also ensure the continued availability of data to applications and users in the event of a system failure. Because you have limited media resources, you decide to back up only a specific AD LDS instance instead of backing up the entire volume. What should you do to accomplish this task?
Use Dsdbutil.exe tool to create installation media that corresponds only to the ADLDS instance
has a network that consists of a single Active Directory domain. Windows Server 2008 is installed on all domain controllers in the network. You are instructed to capture all replication errors from all domain controllers to a central location. What should you do to achieve this task?
Set event log subscriptions and configure it
Your company has a main office and three branch offices. Each office is configured as a separate Active Directory site that has its own domain controller. You disable an account that has administrative rights. You need to immediately replicate the disabled account information to all sites. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
Use Repadmin.exe to force replication between the site connection objects
From the Active Directory Sites and Services console, select the existing connection objects and force replication.
You are an administrator at . has a network of 5 member servers acting as file servers. It has an Active Directory domain. You have installed a software application on the servers. As soon as the application is installed, one of the member servers shuts down itself. To trace and rectify the problem, you create a Group Policy Object (GPO). You need to change the domain security settings to trace the shutdowns and identify the cause of it. What should you do to perform this task?
Link the GPO to the domain and enable System Events option
has organizational units in the Active Directory domain. There are 10 servers in the organizational unit called Security. As an administrator at , you generate a Group Policy Object (GPO) and link it to the Security organizational unit. What should you do to monitor the network connections to the servers in Security organizational unit?
Start the Audit Logon Events option
You need to remove the Active Directory Domain Services role from a domain controller named DC1. What should you do?
Run the Dcpromo utility. Remove the Active Directory Domain Services role.
Your company has an Active Directory forest that runs at the functional level of Windows Server 2008. You implement Active Directory Rights Management Services (AD RMS). You install Microsoft SQL Server 2005. When you attempt to open the AD RMS administration Web site, you receive the following error message: "SQL Server does not exist or access denied". You need to open the AD RMS administration Web site. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
Restart IIS
Start the MSSQLSVC service
One of the remote branch offices of branch is running a Windows Server 2008 having read-only domain controller (RODC) installed. For security reasons you don't want some critical credentials (such as passwords and encryption keys) to be stored on the RODC. What should you do so that these credentials are not replicated to any RODCs in the forest? (Select 2)
Configure RODC filtered set on the server that holds Schema Operations Master role.
Configure forest functional level server for Windows server 2008 to configure filtered attribute set.
You installed an Active Directory Federation Services (AD FS) role on a Windows Server 2008 server in your organization. Now you need to test the connectivity of clients in the network to ensure that they can successfully reach the new Federation server and that the Federation server is operational. What should you do? (Select all that apply)
In the event viewer, Applications, Event ID column look for event ID 674.
Open a browser window, and then type the Federation Service URL for the new federation server.
You have two servers named Server1 and Server2. Both servers run Windows Server 2008. Server1 is configured as an enterprise root certification authority (CA). You install the Online Responder role service on Server2. You need to configure Server1 to support the Online Responder. What should you do?
Configure the Authority Information Access (AIA) extension.
You create 200 new user accounts. The users are located in six different sites. New users report that they receive the following error message when they try to log on: "The username or password is incorrect." You confirm that the user accounts exist and are enabled. You also confirm that the user name and password information supplied are correct. You need to identify the cause of the failure. You also need to ensure that the new users are able to log on. Which utility should you run?
Repadmin
You have a domain controller that runs Windows Server 2008 and is configured as a DNS server. You need to record all inbound DNS queries to the server. What should you configure in the DNS Manager console?
Enable debug logging.
has a main office and 30 branch offices. To manage the network, each branch office has a separate Active Directory site that has a dedicated read-only domain controller (RODC). A branch office in a remote location reports a robbery. The robbers have stolen the RODC server. Which utility should you use to recover the user accounts that were cached on the stolen RODC server?
Use Active Directory Users and Computers
Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server 2008. You need to create multiple password policies for users in your domain. What should you do?
From the ADSI Edit snap-in, create multiple Password Setting objects.
Your company has an Active Directory domain that has an organizational unit named Sales. The Sales organizational unit contains two global security groups named sales managers and sales executives. You need to apply desktop restrictions to the sales executives group. You must not apply these desktop restrictions to the sales managers group. You create a GPO named DesktopLockdown and link it to the Sales organizational unit. What should you do next?
Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO.
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008. You need to capture all replication errors from all domain controllers to a central location. What should you do?
Configure event log subscriptions.
Your company has a branch office that is configured as a separate Active Directory site and has an Active Directory domain controller. The Active Directory site requires a local Global Catalog server to support a new application. You need to configure the domain controller as a Global Catalog server. Which tool should you use?
The Active Directory Sites and Services console
Your company has file servers located in an organizational unit named Payroll. The file servers contain payroll files located in a folder named Payroll. You create a GPO. You need to track which employees access the Payroll files on the file servers. What should you do?
Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.
All consultants belong to a global group named TempWorkers. You place three file servers in a new organizational unit named SecureServers. The three file servers contain confidential data located in shared folders. You need to record any failed attempts made by the consultants to access the confidential data. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object access Failure audit policy setting.
On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog box.
Your company hires 10 new employees. You want the new employees to connect to the main office through a VPN connection. You create new user accounts and grant the new employees the Allow Read and Allow Execute permissions to shared resources in the main office. The new employees are unable to access shared resources in the main office. You need to ensure that users are able to establish a VPN connection to the main office. What should you do?
Grant the new employees the Allow Access Dial-in permission.