70-640 Exam Questions - Online Test


Free demo questions for Microsoft exam 70-640, TS: Windows Server 2008 Active Directory, Configuring:

NEW QUESTION 1
A corporate network includes a single Active Directory Domain Services (AD DS) domain. The domain contains 10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You plan to create an Active Directory-integrated zone.
You need to ensure that the new zone is replicated to only four of the domain controllers.
What should you do first?

  • A. Use the dnscmd tool with the /enlistdirectorypartition parameter.
  • B. Create a new delegation in the ForestDnsZones application directory partition.
  • C. Use the dnscmd tool with the /createdirectorypartition parameter.
  • D. Use the dnscmd tool with the /createbuiltindirectorypartitions parameter.

Answer: D

NEW QUESTION 2
Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
You discover the following event in the Event log of domain controllers: "The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is " %1 ""
You need to ensure that the domain controllers can acquire new account-identifier pools successfully.
What should you do?

  • A. Move the PDC emulator role.
  • B. Move the schema master role.
  • C. Move the global catalog server.
  • D. Move the domain naming master role.
  • E. Move the infrastructure master role.
  • F. Move the RID master role.
  • G. Restart the Active Directory Domain Services (AD DS) service.
  • H. Deploy an additional global catalog server.
  • I. Move the bridgehead server.
  • J. Install a read-only domain controller (RODC).

Answer: F

Explanation:
http://technet.microsoft.com/en-us/library/cc756699.aspx
Event ID 16651 — RID Pool Request
Users, computers, and groups stored in Active Directory are collectively known as security principals. Each security principal is assigned a unique alphanumeric string called a SID. The SID includes a domain prefix identifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the security principal within the domain. The RID is a monotonically increasing number at the end of the SID. Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master role (also known as flexible single master operations or FSMO) in each Active Directory domain. The RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each domain controller in its domain. By default, RID pools are obtained in increments of 500. (...) Newly promoted domain controllers must acquire a RID pool before they can advertise their availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID allocations in order to continue creating security principals when their current RID pool becomes depleted.
Event Details
Message: The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is " %1 "
Resolve
Check connectivity to the RID master, and check its replication status.
A relative ID (RID) pool was not allocated to the local domain controller. Ensure that the local domain controller can communicate with the domain controller that is identified as the RID operations master.
Ensure that the RID master is online and replicating to other domain controllers.

NEW QUESTION 3
Your network contains an Active Directory domain named adatum.com. The functional level of the domain is Windows Server 2008. All domain controllers run Windows Server 2008 R2. All client computers run Windows 7 Enterprise.
You need to create a snapshot of Active Directory.
What should you do?

  • A. Run the Get-ADDomain cmdlet.
  • B. Run the dsget.exe command.
  • C. Run the ntdsutil.exe command.
  • D. Run the ocsetup.exe command.
  • E. Run the dsamain.exe command.
  • F. Run the eventcreate.exe command.
  • G. Create a Data Collector Set (DCS).
  • H. Create custom views from Event Viewer.
  • I. Configure subscriptions from Event Viewer.
  • J. Import the Active Directory module for Windows PowerShell.

Answer: C

NEW QUESTION 4
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering.
You need to ensure that when users log on to client computers, they are added automatically to the local Administrators group. The users must be removed from the group when they log off of the client computers.
What should you do?

  • A. Modify the Group Policy permissions.
  • B. Enable block inheritance.
  • C. Configure the link order.
  • D. Enable loopback processing in merge mode.
  • E. Enable loopback processing in replace mode.
  • F. Configure WMI filtering.
  • G. Configure Restricted Groups.
  • H. Configure Group Policy Preferences.
  • I. Link the Group Policy object (GPO) to the Sales OU.
  • J. Link the Group Policy object (GPO) to the Engineering OU.

Answer: H

Explanation:
http://daniel.streefkerkonline.com/managing-local-admins-using-gpp/
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

NEW QUESTION 5
Your network contains an Active Directory domain. The domain is configured as shown in the exhibit.
[Exhibit]
You have a Group Policy Object (GPO) linked to the domain.
You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts in the Finance organizational unit (OU). You must achieve this goal by using the minimum amount of administrative effort.
What should you do?

  • A. Modify the Group Policy permissions.
  • B. Configure WMI filtering.
  • C. Enable block inheritance.
  • D. Enable loopback processing in replace mode.
  • E. Configure the link order.
  • F. Configure Group Policy Preferences.
  • G. Link the GPO to the Human Resources OU.
  • H. Configure Restricted Groups.
  • I. Enable loopback processing in merge mode.
  • J. Link the GPO to the Finance OU.

Answer: C

Explanation:
http://technet.microsoft.com/en-us/library/cc731076.aspx
Block Inheritance
You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level.

NEW QUESTION 6
Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2. The DNS zone for contoso.com is Active Directory-integrated.
You deploy a read-only domain controller (RODC) named RODC1.
You install the DNS Server server role on RODC1.
You discover that RODC1 does not have any application directory partitions.
You need to ensure that RODC1 has a directory partition of contoso.com.
What should you do?

  • A. From DNS Manager, create secondary zones.
  • B. Run Dnscmd.exe, and specify the /enlistdirectorypartition parameter.
  • C. From DNS Manager, right-click RODC1 and click Update Server Data Files.
  • D. Run Dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.

Answer: B

Explanation:
http://technet.microsoft.com/en-us/library/cc742490.aspx
RODC Post-Installation Configuration
If you install DNS server after the AD DS installation, you must also enlist the RODC in the DNS application directory partitions. The RODC is not enlisted automatically in the DNS application directory partitions by design because it is a privileged operation. If the RODC were allowed to enlist itself, it would have permissions to add or remove other DNS servers that are enlisted in the application directory partitions.
To enlist a DNS server in a DNS application directory partition:
1. Open an elevated command prompt.
2. At the command prompt, type the following command, and then press ENTER:
dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>
For example, to enlist RODC01 in the domain-wide DNS application directory partition in a domain named child.contoso.com, type the following command:
dnscmd RODC01 /EnlistDirectoryPartition DomainDNSZones.child.contoso.com

NEW QUESTION 7
You have a Windows Server 2008 R2 server that has the Active Directory Certificate Services server role installed.
You need to minimize the amount of time it takes for client computers to download a certificate revocation list (CRL).
What should you do?

  • A. Install and configure an Online Responder.
  • B. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client workstations.
  • C. Install and configure an additional domain controller.
  • D. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations.

Answer: A

Explanation:
http://technet.microsoft.com/en-us/library/cc725958.aspx
What Is an Online Responder?
An Online Responder is a trusted server that receives and responds to individual client requests for information about the status of a certificate. The use of Online Responders is one of two common methods for conveying information about the validity of certificates. Unlike certificate revocation lists (CRLs), which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to individual requests from clients for information about the status of a certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs.

NEW QUESTION 8
HOTSPOT
Your network contains an Active Directory domain named contoso.com.
You need to view which password setting object is applied to a user.
Which filter option in Attribute Editor should you enable? To answer, select the appropriate filter option in the answer area.
[Exhibit]

    Answer:

    Explanation: [Exhibit]

    NEW QUESTION 9
    You remotely monitor several domain controllers.
    You run winrm.exe quickconfig on each domain controller.
    You need to create a WMI script query to retrieve information from the BIOS of each domain controller.
    Which format should you use to write the query?

    • A. XrML
    • B. XML
    • C. WQL
    • D. HTML

    Answer: C

    Explanation:
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa394606%28v=vs.85%29.aspx
    WQL (SQL for WMI)
    The WMI Query Language (WQL) is a subset of the American National Standards Institute
    Structured Query Language (ANSI SQL)—with minor semantic changes.

    NEW QUESTION 10
    Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
    You need to compact the Active Directory database.
    What should you do?

    • A. Run the Get-ADForest cmdlet.
    • B. Configure subscriptions from Event Viewer.
    • C. Run the eventcreate.exe command.
    • D. Configure the Active Directory Diagnostics Data Collector Set (DCS).
    • E. Create a Data Collector Set (DCS).
    • F. Run the repadmin.exe command.
    • G. Run the ntdsutil.exe command.
    • H. Run the dsquery.exe command.
    • I. Run the dsamain.exe command.
    • J. Create custom views from Event Viewer.

    Answer: G

    Explanation:
    Explanation 1:
    http://technet.microsoft.com/en-us/library/cc794920.aspx
    Compact the Directory Database File (Offline Defragmentation)
    You can use this procedure to compact the Active Directory database offline. Offline
    defragmentation returns free disk space in the Active Directory database to the file system.
    As part of the offline defragmentation procedure, check directory database integrity.
    Performing offline defragmentation creates a new, compacted version of the database file
    in a different location.
    Explanation 2:
    Mastering Windows Server 2008 R2 (Sybex, 2010) page 805
    Performing Offline Defragmentation of Ntds.dit
    These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder, map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate.
    1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator.
    2. Type ntdsutil, and then press Enter.
    3. Type Activate instance NTDS, and press Enter.
    4. At the resulting ntdsutil prompt, type Files (case sensitive), and then press Enter.
    5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the defragmentation, and then press Enter.

    NEW QUESTION 11
    Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click the Exhibit button.)
    [Exhibit]
    You need to ensure that when users log on to client computers, they are added automatically to the local Administrators group.
    The users must be removed from the group when they log off of the client computers.
    What should you do?

    • A. Modify the Group Policy permissions.
    • B. Enable block inheritance.
    • C. Configure the link order.
    • D. Enable loopback processing in merge mode.
    • E. Enable loopback processing in replace mode.
    • F. Configure WMI filtering.
    • G. Configure Restricted Groups.
    • H. Configure Group Policy Preferences.
    • I. Link the Group Policy object (GPO) to the Finance organizational unit (OU).
    • J. Link the Group Policy object (GPO) to the Human Resources organizational unit (OU).

    Answer: H

    Explanation:
    http://daniel.streefkerkonline.com/managing-local-admins-using-gpp/
    http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

    NEW QUESTION 12
    Your network contains an Active Directory domain. All domain controllers run Windows Server 2008. The functional level of the domain is Windows Server 2003. All client computers run Windows 7.
    You install Windows Server 2008 R2 on a server named Server1.
    You need to perform an offline domain join of Server1.
    Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

    • A. From Server1, run djoin.exe.
    • B. From Server1, run netdom.exe.
    • C. From a Windows 7 computer, run djoin.exe.
    • D. Upgrade one domain controller to Windows Server 2008 R2.
    • E. Raise the functional level of the domain to Windows Server 2008.

    Answer: AC

    Explanation:
    MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218
    Offline Domain Join
    Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment.
    When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup.
    Four major steps are required to join a computer to the domain by using offline domain join:
    1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain.
    2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information, called a blob, to a text file.
    3. At the offline computer that you want to join to the domain, use DJoin to import the blob into the Windows directory.
    4. When you start or restart the computer, it will be a member of the domain.

    NEW QUESTION 13
    You create 200 new user accounts. The users are located in six different sites. New users report that they receive the following error message when they try to log on: "The username or password is incorrect." You confirm that the user accounts exist and are enabled. You also confirm that the user name and password information supplied are correct.
    You need to identify the cause of the failure. You also need to ensure that the new users are able to log on.
    Which utility should you run?

    • A. Active Directory Domains and Trusts
    • B. Repadmin
    • C. Rstools
    • D. Rsdiag

    Answer: B

    Explanation:
    http://technet.microsoft.com/en-us/library/cc770963.aspx
    Repadmin /replsummary
    Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.
    Repadmin /showrepl
    Displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions.
    Repadmin /syncall
    Synchronizes a specified domain controller with all replication partners.

    NEW QUESTION 14
    Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
    You attempt to run adprep /forestprep and the operation fails.
    You discover that the first domain controller deployed to the forest failed.
    You need to run adprep /forestprep successfully.
    What should you do?

    • A. Move the PDC emulator role.
    • B. Move the RID master role.
    • C. Move the infrastructure master role.
    • D. Move the schema master role.
    • E. Move the global catalog server.
    • F. Move the bridgehead server.
    • G. Install a read-only domain controller (RODC).
    • H. Deploy an additional global catalog server.
    • I. Restart the Active Directory Domain Services (AD DS) service.

    Answer: D

    NEW QUESTION 15
    You are an administrator at ABC.com. The company has a network of 5 member servers acting as file servers. It has an Active Directory domain.
    You have installed a software application on the servers. As soon as the application is installed, one of the member servers shuts itself down. To trace and rectify the problem, you create a Group Policy Object (GPO).
    You need to change the domain security settings to trace the shutdowns and identify their cause.
    What should you do to perform this task?

    • A. Link the GPO to the domain and enable System Events option
    • B. Link the GPO to the domain and enable Audit Object Access option
    • C. Link the GPO to the Domain Controllers and enable Audit Object Access option
    • D. Link the GPO to the Domain Controllers and enable Audit Process tracking option
    • E. Perform all of the above actions

    Answer: A

    Explanation:
    http://msdn.microsoft.com/en-us/library/ms813610.aspx
    Audit system events
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
    Description
    Determines whether to audit when a user restarts or shuts down the computer; or an event has occurred that affects either the system security or the security log.
    By default, this value is set to No auditing in the Default Domain Controller Group Policy object (GPO) and in the local policies of workstations and servers.
    If you define this policy setting, you can specify whether to audit successes, audit failures, or not to audit the event type at all. Success audits generate an audit entry when a system event is successfully executed. Failure audits generate an audit entry when a system event is unsuccessfully attempted. You can select No auditing by defining the policy setting and unchecking Success and Failure.

    NEW QUESTION 16
    Your network contains two forests named adatum.com and litwareinc.com. The functional level of all the domains is Windows Server 2003. The functional level of both forests is Windows 2000.
    You need to create a forest trust between adatum.com and litwareinc.com.
    What should you do first?

    • A. Create an external trust.
    • B. Raise the functional level of both forests.
    • C. Configure SID filtering.
    • D. Raise the functional level of all the domains.

    Answer: B

    Explanation:
    http://technet.microsoft.com/en-us/library/cc771397.aspx
    When to create a forest trust
    You can create a forest trust between forest root domains if the forest functional level is Windows Server 2003 or higher.

    NEW QUESTION 17
    Your network contains an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers.
    You add multiple DNS records to the zone.
    You need to ensure that the records are replicated to all DNS servers.
    Which tool should you use?

    • A. Dnslint
    • B. Ldp
    • C. Nslookup
    • D. Repadmin

    Answer: D

    Explanation:
    http://technet.microsoft.com/en-us/library/cc811569.aspx
    Forcing Replication
    Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements.
    Force a replication event with all partners
    The repadmin /syncall command synchronizes a specified domain controller with all replication partners.
    Syntax
    repadmin /syncall <DC> [<NamingContext>] [<Flags>]
    Parameters
    <DC> Specifies the host name of the domain controller to synchronize with all replication partners.
    <NamingContext> Specifies the distinguished name of the directory partition.
    <Flags> Performs specific actions during the replication.

    NEW QUESTION 18
    Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.
    You need to modify the custom attribute value of 500 user accounts.
    Which tool should you use?

    • A. Csvde
    • B. Dsmod
    • C. Dsrm
    • D. Ldifde

    Answer: D

    Explanation:
    http://technet.microsoft.com/en-us/library/cc731033.aspx
    Ldifde
    Creates, modifies, and deletes directory objects.

    NEW QUESTION 19
    Your network contains a single Active Directory domain. The domain contains five read-only domain controllers (RODCs) and five writable domain controllers. All servers run Windows Server 2008.
    You plan to install a new RODC that runs Windows Server 2008 R2.
    You need to ensure that you can add the new RODC to the domain. You want to achieve this goal by using the minimum amount of administrative effort.
    Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

    • A. From Active Directory Domains and Trusts, raise the functional level of the domain.
    • B. At the command prompt, run adprep.exe /forestprep.
    • C. From Active Directory Users and Computers, pre-stage the RODC computer account.
    • D. At the command prompt, run adprep.exe /domainprep.
    • E. At the command prompt, run adprep.exe /rodcprep.

    Answer: CD

    Explanation: C:
    * During the first stage of the installation, the wizard records all the data about the RODC that will be stored in the distributed Active Directory database, including the read-only domain controller account name and the site in which it will be placed. This stage must be performed by a member of the Domain Admins group.
    * To create an RODC account by using the Windows interface: Click Start, click Administrative Tools, and then click Active Directory Users and Computers. Double-click the domain container, then you can either right-click the Domain Controllers container or click the Domain Controllers container, and then click Action. Click Pre-create Read-only Domain Controller account.
