Windows Server 2008 Active Directory, Configuring
Question No: 171 – (Topic 2)
Your network contains a server named Server1 that runs Windows Server 2008 R2.
You create an Active Directory Lightweight Directory Services (AD LDS) instance on Server1.
You need to create an additional AD LDS application directory partition in the existing instance.
Which tool should you use?
Answer: D Explanation:
http://technet.microsoft.com/en-us/library/cc755251.aspx Create an Application Directory Partition
You use Ldp.exe to add a new application directory partition to an existing instance of Active Directory
Lightweight Directory Services (AD LDS).
Question No: 172 – (Topic 2)
Company has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers. Client computers running Windows XP and Windows Vista. All domain controllers are running Windows server 2008.
You need to deploy Active Directory Rights Management System (AD RMS) to secure all documents, spreadsheets and to provide user authentication.
What do you need to configure, in order to complete the deployment of AD RMS?
Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company _DC1
Ensure that all Windows XP computers have the latest service pack and install the RMS
client on all systems. Install AD RMS on domain controller Company _DC1
Upgrade all client computers to Windows Vista. Install AD RMS on Company _SRV5
Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company _SRV5
None of the above
Answer: D Explanation:
http://technet.microsoft.com/en-us/library/dd772753(v=ws.10).aspx AD RMS Client Requirements
Windows AD RMS Client Windows 7, all editions
Windows Server 2008 R2, all editions except Core Editions Windows Vista, all editions
Windows Server 2008, all editions except Core Editions Windows XP SP3 32-bit Edition
Windows XP SP3 64-bit Edition
Windows Server 2003 with SP1 32-bit Edition Windows Server 2003 with SP1 64-bit Edition
Windows Server 2003 for Itanium-based systems with SP1 Windows Server 2003 R2 32-bit Edition
Windows Server 2003 R2 64-bit Edition
Windows Server 2003 R2 for Itanium-based systems Windows Small Business Server 2003 32-bit Edition Windows Server 2000 SP4 32-bit Edition
http://technet.microsoft.com/en-us/library/dd772659(v=ws.10).aspx AD RMS Prerequisites
Before you install AD RMS
Before you install Active Directory Rights Management Services (AD RMS) on Windows Server庐 2008 R2 for the first time, there are several requirements that must be met.
Install the AD RMS server as a member server in the same Active Directory Domain Services (AD DS) forest as the user accounts that will be using rights-protected content.
Question No: 173 – (Topic 2)
Your company has an Active Directory domain. You install an Enterprise Root certification authority (CA) on a member server named Server1.
You need to ensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1.
What should you do?
Remove the Request Certificates permission from the Domain Users group.
Remove the Request Certificated permission from the Authenticated Users group.
Assign the Allow – Manage CA permission to only the Security Manager user Account.
Assign the Allow – Issue and Manage Certificates permission to only the Security Manger user account
http://technet.microsoft.com/en-us/library/cc732590.aspx Implement Role-Based Administration
You can use role-based administration to organize certification authority (CA) administrators into separate, predefined CA roles, each with its own set of tasks. Roles are assigned by using each user#39;s security settings.
You assign a role to a user by assigning that user the specific security settings that are associated with the role. A user that has one type of permission, such as Manage CA permission, can perform specific CA tasks that a user with another type of permission, such as Issue and Manage Certificates permission, cannot perform.
The following table describes the roles, users, and groups that can be used to implement role-based administration.
Roles and groups Certificate manager Security permission
Issue and Manage Certificates Description
Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA officer. These permissions are assigned by using the Certification Authority snap-in.
Question No: 174 – (Topic 2)
Your network contains an Active Directory forest. The forest contains a single domain. You want to access resources in a domain that is located in another forest.
You need to configure a trust between the domain in your forest and the domain in the other forest.
What should you create?
an incoming external trust
an incoming realm trust
an outgoing external trust
an outgoing realm trust
A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest).
Question No: 175 – (Topic 2)
Your network contains two Active Directory forests. One forest contains two domains named contoso.com and na.contoso.com. The other forest contains a domain named nwtraders.com. A forest trust is configured between the two forests.
You have a user named User1 in the na.contoso.com domain. User1 reports that he fails to log on to a computer in the nwtraders.com domain by using the user name NA\User1.
Other users from na.contoso.com report that they can log on to the computers in the nwtraders.com domain.
You need to ensure that User1 can log on to the computer in the nwtraders.com domain.
What should you do?
Enable selective authentication over the forest trust.
Create an external one-way trust from na.contoso.com to nwtraders.com.
Instruct User1 to log on to the computer by using his user principal name (UPN).
Instruct User1 to log on to the computer by using the user name nwtraders\User1.
Answer: C Explanation:
http://apttech.wordpress.com/2012/02/29/what-is-upn-and-why-to-use-it/ What is UPN and why to use it?
UPN or User Principal Name is a logon method of authentication when you enter the credentials as email@example.com instead of Windows authentication method: domainname\username to be used as login.
So UPN is BASICALLY a suffix that is added after a username which can be used in place of “Samaccount” name to authenticate a user. So lets say your company is called ABC, then instead of ABC\Username you can use username@ABC.com at the authentication popup.
The additional UPN suffix can help users to simplify the logon information in long domain names with an easier name. Example: instead of firstname.lastname@example.org”, change it to “username@atlanta”, if you create an UPN suffix called Atlanta. http://blogs.technet.com/b/mir/archive/2011/06/12/accessing-resources-across-forest-and- achieve-single-signon-part1.aspx
Accessing Resources across forest and achieve Single Sign ON (Part1) http://technet.microsoft.com/en-us/library/cc772808(v=ws.10).aspx Accessing resources across forests
When a forest trust is first established, each forest collects all of the trusted namespaces in its partner forest and stores the information in a TDO. Trusted namespaces include domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces used in the other forest. TDO objects are replicated to the global catalog.
Question No: 176 – (Topic 2)
Your company has two Active Directory forests as shown in the following table.
The forests are connected by using a two-way forest trust. Each trust direction is configured with forest-wide authentication. The new security policy of the company prohibits users from the eng.fabrikam.com domain to access resources in the contoso.com domain.
You need to configure the forest trust to meet the new security policy requirement. What should you do?
Delete the outgoing forest trust in the contoso.com domain.
Delete the incoming forest trust in the contoso.com domain.
Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wide authentication to Selective authentication.
Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude *.eng. fabrikam.com from the Name Suffix Routing trust properties.
Answer: D Explanation:
http://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx How Domain and Forest Trusts Work
Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must first determine whether the domain being requested by a user, computer or service has a trust relationship with the logon domain of the requesting account. To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account.
The flow of secured communications over trusts determines the elasticity of a trust: how you create or configure a trust determines how far the communication extends within a forest or across forests. The flow of communication over trusts is determined by the direction of the trust (one-way or two-way) and the transitivity of the trust (transitive or nontransitive).
One-Way and Two-Way Trusts
Trust relationships that are established to enable access to resources can be either one-
way or two-way. A one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be either nontransitive or transitive depending on the type of trust being created.
All domain trusts in an Active Directory forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be nontransitive or transitive depending on the type of trust being created. An Active Directory domain can establish a one-way or two-way trust with:
Windows Server 2003 domains in the same forest. Windows Server 2003 domains in a different forest. Windows NT 4.0 domains.
Kerberos V5 realms.
Transitive and Nontransitive Trusts
Transitivity determines whether a trust can be extended outside of the two domains with which it was formed. A transitive trust can be used to extend trust relationships with other domains; a nontransitive trust can be used to deny trust relationships with other domains. Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. If child domains are added to the new domain, the trust path flows upward through the domain hierarchy extending the initial trust path created between the new domain and its parent domain.
Transitive trust relationships flow upward through a domain tree as it is formed, creating transitive trusts between all domains in the domain tree.
Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated by any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest.
The following figure shows that all domains in Tree 1 and Tree 2 have transitive trust relationships by default. As a result, users in Tree 1 can access resources in domains in Tree 2 and users in Tree 1 can access resources in Tree 2, when the proper permissions are assigned at the resource.
Default Transitive Trust Relationships
C:\Documents and Settings\usernwz1\Desktop\1.PNG
In addition to the default transitive trusts established in a Windows Server 2003 forest, by using the New Trust Wizard you can manually create the following transitive trusts.
Shortcut trust. A transitive trust between domains in the same domain tree or forest that is used to shorten the trust path in a large and complex domain tree or forest.
Forest trust. A transitive trust between one forest root domain and another forest root domain.
Realm trust. A transitive trust between an Active Directory domain and a Kerberos V5 realm.
A nontransitive trust is restricted to the two domains in the trust relationship and does not flow to any other domains in the forest. A nontransitive trust can be a two-way trust or a one-way trust.
Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts. Nontransitive domain trusts are the only form of trust relationship possible between:
A Windows Server 2003 domain and a Windows NT domain
A Windows Server 2003 domain in one forest and a domain in another forest (when not joined by a forest trust)
By using the New Trust Wizard, you can manually create the following nontransitive trusts: External trust. A nontransitive trust created between a Windows Server 2003 domain and a Windows
NT, Windows 2000, or Windows Server 2003 domain in another forest. When you upgrade
a Windows NT domain to a Windows Server 2003 domain, all existing Windows NT trusts are preserved intact. All trust relationships between Windows Server 2003 domains and Windows NT domains are nontransitive.
A nontransitive trust between an Active Directory domain and a Kerberos V5 realm
Question No: 177 – (Topic 2)
Your network contains an Active Directory domain named contoso.com. You plan to deploy a child domain named sales.contoso.com.
The domain controllers in sales.contoso.com will be DNS servers for sales.contoso.com.
You need to ensure that users in contoso.com can connect to servers in sales.contoso.com by using fully qualified domain names (FQDNs).
What should you do?
Create a DNS forwarder.
Create a DNS delegation.
Configure root hint servers.
Configure an alternate DNS server on all client computers.
Answer: B Explanation:
http://technet.microsoft.com/en-us/library/cc784494(v=ws.10).aspx Delegating zones
DNS provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. When deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:
A need to delegate management of part of your DNS namespace to another location or department within your organization.
A need to divide one large zone into smaller zones for distributing traffic loads among multiple servers, improve DNS name resolution performance, or create a more fault- tolerant DNS environment.
A need to extend the namespace by adding numerous subdomains at once, such as to
accommodate the opening of a new branch or site.
If, for any of these reasons, you could benefit from delegating zones, it might make sense to restructure your namespace by adding additional zones. When choosing how to structure zones, you should use a plan that reflects the structure of your organization.
When delegating zones within your namespace, be aware that for each new zone you create, you will need delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers being made authoritative for the new zone.
When a standard primary zone is first created, it is stored as a text file containing all resource record information on a single DNS server. This server acts as the primary master for the zone. Zone information can be replicated to other DNS servers to improve fault tolerance and server performance.
When structuring your zones, there are several good reasons to use additional DNS servers for zone replication:
Added DNS servers provide zone redundancy, enabling DNS names in the zone to be resolved for clients
if a primary server for the zone stops responding.
Added DNS servers can be placed so as to reduce DNS network traffic. For example, adding a DNS server to the opposing side of a low-speed WAN link can be useful in managing and reducing network traffic.
Additional secondary servers can be used to reduce loads on a primary server for a zone.
Example: Delegating a subdomain to a new zone
As shown in the following figure, when a new zone for a subdomain (example.microsoft.com) is created, delegation from the parent zone (microsoft.com) is needed.
In this example, an authoritative DNS server computer for the newly delegated example.microsoft.com subdomain is named based on a derivative subdomain included in the new zone
(ns1.us.example.microsoft.com). To make this server known to others outside of the new delegated zone, two
RRs are needed in the microsoft.com zone to complete delegation to the new zone. These RRs include:
An NS RR to effect the delegation. This RR is used to advertise that the server named ns1.us.example.microsoft.com is an authoritative server for the delegated subdomain.
An A RR (also known as a glue record) is needed to resolve the name of the server specified in the NS RR to its IP address. The process of resolving the host name in this RR
to the delegated DNS server in the NS RR is sometimes referred to as glue chasing. Note When zone delegations are correctly configured, normal zone referral behavior can sometimes be circumvented if you are using forwarders in your DNS server configuration.
Question No: 178 – (Topic 2)
Your network contains a single Active Directory domain named contoso.com. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 hosts a primary zone for Contoso.
com. DC2 hosts a secondary zone for contosto.com.
On DC1, you change the zone to an Active Directory-integrated zone and configure the zone to accept secure dynamic updates only.
You need to ensure that DC2 can accept secure dynamic updates to the contoso.com zone.
Which command should you run?
dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.com
dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimary
repadmin.exe /syncall /force
Answer: B Explanation:
http://technet.microsoft.com/en-us/library/cc772069(v=ws.10).aspx#BKMK_29 Dnscmd A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network.
dnscmd /zoneresettype Changes the zone type.
dnscmd [lt;ServerNamegt;] /zoneresettype lt;ZoneNamegt; lt;ZoneTypegt; [/overwrite_mem |
Specifies the DNS server to manage, represented by local computer syntax, IP address, FQDN, or host name. If this parameter is omitted, the local server is used.
Identifies the zone on which the type will be changed.
lt;ZoneTypegt; Specifies the type of zone to create. Each type has different required parameters:
/dsprimary Creates an Active Directory-integrated zone.
/primary /file lt;FileNamegt; Creates a standard primary zone.
/secondary lt;MasterIPAddressgt; [,lt;MasterIPAddressgt;…] Creates a standard secondary zone.
/stub lt;MasterIPAddressgt;[,lt;MasterIPAddressgt;…] /file lt;FileNamegt; Creates a file-backed stub zone.
/dsstub lt;MasterIPAddressgt;[,lt;MasterIPAddressgt;…] Creates an Active Directory-integrated stub zone.
/forwarder lt;MasterIPAddress[,lt;MasterIPAddressgt;]… /filelt;FileNamegt;
Specifies that the created zone forwards unresolved queries to another DNS server.
/dsforwarder Specifies that the created Active Directory-integrated zone forwards unresolved queries to another DNS server.
/overwrite_mem | /overwrite_ds Specifies how to overwrite existing data:
/overwrite_mem Overwrites DNS data from data in AD DS.
/overwrite_ds Overwrites existing data in AD DS. Remarks
Setting the zone type as /dsforwarder creates a zone that performs conditional forwarding.
Question No: 179 – (Topic 2)
Your network contains an Active Directory domain named contoso.com.
The contoso.com DNS zone is stored in Active Directory. All domain controllers run Windows Server 2008 R2.
You need to identify if all of the DNS records used for Active Directory replication are correctly registered.
What should you do?
From the command prompt, use netsh.exe.
From the command prompt, use dnslint.exe.
From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.
From the Active Directory Module for Windows PowerShell, run the Get- ADDomainController cmdlet.
Answer: B Explanation:
DNSLint is a Microsoft Windows tool that can be used to help diagnose common DNS name resolution issues.
It can be targeted to look for specific DNS record sets and ensure that they are consistent across multiple DNS servers. It can also be used to verify that DNS records used specifically for Active Directory replication are correct.
Question No: 180 – (Topic 2)
ABC.com has a network that consists of a single Active Directory domain.Windows Server 2008 is installed on all domain controllers in the network.
You are instructed to capture all replication errors from all domain controllers to a central location.
What should you do to achieve this task?
Initiate the Active Directory Diagnostics data collector set
Set event log subscriptions and configure it
Initiate the System Performance data collector set
Create a new capture in the Network Monitor
Answer: B Explanation:
http://technet.microsoft.com/en-us/library/cc748890.aspx Configure Computers to Forward and Collect Events
Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be
http://technet.microsoft.com/en-us/library/cc749183.aspx Event Subscriptions
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers.
Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.
Using the event collecting feature requires that you configure both the forwarding and the collecting computers.
The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process. http://technet.microsoft.com/en-us/library/cc961808.aspx
100% Ensurepass Free Download!
–Download Free Demo:70-640 Demo PDF
100% Ensurepass Free Guaranteed!
–Download 2018 EnsurePass 70-640 Full Exam PDF and VCE
|Lowest Price Guarantee||Yes||No||No|
|Free VCE Simulator||Yes||No||No|