Trans

TAFE NSW Western Sydney Institute
Created: 18/04/2013
Version: 1.0
Document1
Modified: 00/00/0000
Page 1 of 133
You are the administrator of your company's Windows Server 2008 single Active Directory forest. The forest consists of one
domain,
named verigon.com. All servers on the domain run Windows Server 2008, and all client computers run Windows Vista. The
functional
level of the network is Windows Server 2008.
Verigon has decided to purchase a company called DreamSuites. The DreamSuites company network consists of a single
Windows
Server 2003 domain, named dreamsuites.com.
The users in the sales department of Verigon need to access files from the sales department on several servers of
DreamSuites. The
server at DreamSuites is named Server1.
You must configure access for Verigon's users, but DreamSuites users must not be allowed access to Verigon. What should
you do?
Explanation:
You should configure a one-way external trust where dreamsuites.com trusts verigon.com. A one-way external trust will allow
an
explicit trust to be created between a Windows Server 2008 forest and a Windows Server 2003 domain. The domain providing
access
to the resource is configured as the trusting domain, and the domain supporting the users who will gain access to the resources
is
configured as the trusted domain. To allow users to access resources on Server1 in the dreamsuites.com domain, the
dreamsuites.com domain must trust verigon.com domain.
With outgoing forest and external trusts, you can specify either selective or domain-wide authentication. Domain-wide
authentication
provides users from a trusted domain the same level of access to local resources as users from the local forest. Selective
authentication allows users from a trusted domain to authenticate only to those resources to which they are explicitly all owed to
authenticate. In this scenario, the sales department at Verigon needs to access sales department files on several DreamSuites
servers.
You can configure domain-wide authentication since the Verigon users need access to several resources. If the Verigon users
needed
access to a single server, you could use Selective authentication to ensure that Verigon users only have access to the single
server.
You should not configure a one-way external trust where verigon.com trusts dreamsuites.com. This action will allow the users
at
dreamsuites.com to access resources in the verigon.com domain. This is opposite of the objectives stated in the scenario.
You cannot configure a one-way shortcut trust between the dreamsuites.com domain and the verigon.com domain. A shortcut
trust is
configured to allow access to resources between two domains that are logically distant from each other in the Active Directory
tree.
These domains must reside in the same Active Directory forest, which verigon.com and dreamsuites.com do not.
You are the network administrator for your company. The company network consists of Windows Server 2003 domain
controllers. You
plan to install a new Windows Server 2008 domain controller in the existing domain. This domain controller will be t he first
Windows
Server 2008 writable domain controller in the Window Sever 2003 domain and you would like it to be a global catalog server as
well.
What should you do before installing the new Windows Server 2008 domain controller?
Item: 1 (Ref:Cert-70-640.2.2.2)
*'Configure a one-way external trust where dreamsuites.com trusts
verigon.com.
*'Configure a one-way external trust where verigon.com trusts
dreamsuites.com.
*'Configure a one-way shortcut trust between the dreamsuites.com domain and the verigon.com
domain.
*'Configure a one-way shortcut trust between the verigon.com domain and the dreamsuites.com
domain.
Answer:
Configure a one-way external trust where dreamsuites.com trusts
verigon.com.
Item: 2 (Ref:Cert-70-640.3.3.10)
*'Run the adprep /rodcprep command on any computer in the forest to prepare the
forest.
Page 1 of 173
Copyright 2009 Transcender LLC, a Kaplan Professional Company. All Rights Reserved.
Explanation:
You should run the adprep /forestprep command on the schema operations master for extending the schema before installing
the new
Windows Server 2008 domain controller. This command is used to prepare the forest by extending the schema. You must run
this
command on the schema operations master. After running adprep/forestprep on the schema master, you must run the
adprep /domainprep command on the infrastructure master in each domain in the forest.

Created: 18/04/2013
Version: 1.0
Document1
Page 2 of 133
You should not run the adprep /domainprep command on the infrastructure master to prepare the domain before installing the
new
Windows Server 2008 domain controller. This command prepares the existing Windows Server 2003 domains installing a new
Windows
Server 2008 domain controller. However, it must be preceded by preparing the forest with the adprep /forestprep command on
the
schema operations master. After preparing the forest and the domain, you must then install Active Directory Domain Services
(AD DS)
to create a new Windows Server 2008 domain controller. If you also want it to be a global catalog server as well, this can be
accomplished after the installation by using Active Directory Users and Computers tool or the Active Directory Domains
and
Trusts tool.
You should not run the adprep /rodcprep command on any computer in the forest to prepare the forest before installing the
new
Windows Server 2008 domain controller. This command is used to prepare the forest to install a Read Only Domain Controller
(RODC).
This command can be used on any computer in the forest.
You should not run the adprep /domainprep /gpprep command on the infrastructure master to prepare the domain before
installing
the new Windows Server 2008 domain controller. This command is used to prepare a Windows 2000 Server domain, and not a
Windows Server 2003 domain, to install a new Windows Server 2008 domain controller.
*'Run the adprep /domainprep command on the infrastructure master to prepare the
domain.
*'Run the adprep /domainprep /gpprep command on the infrastructure master to prepare the
domain.
*'Run the adprep /forestprep command on the schema operations master for extending the
schema.
Answer:
Run the adprep /forestprep command on the schema operations master for extending the
schema.
Item: 3 (Ref:Cert-70-640.6.2.4)
You are the network administrator for your company. Your company's network has a single domain. All servers and domain
controllers
run Windows Server 2008, and all client computers run Windows Vista. You have a public key infrastructure that maintains a
subordinate enterprise Certification Authority (CA), which issues certificates on behalf of the root CA. All CAs use Windows
Server
2008.
Your company uses a proprietary application that tracks customer shipments and orders. You want to ensure that the code in
the
application has not been tampered with. The AppUsers group monitors the application for flaws. You want to achieve the
following:
Have a code-signing certificate automatically issued to the AppUsers group.
Ensure that the certificate utilizes Suite B cryptography settings.
What should you do to achieve the objective? (Drag the steps from the Choices area and place them sequentially in the
Correct
Order area. It may not be necessary to use all the steps provided.)
Page 2 of 173
Explanation:
You should do the following:
To create a new certificate template, you can use the Certificate Template snap-in. You can highlight the appropriate certificate
template and duplicate the existing template. You should create the duplicate based on an existing template that is closest i n
function to
the target template. Although most settings in the certificate template can be edited after the template is duplicated, you cannot
change
the subject type, such as Code Signing, Web, or Exchange User. If you use an existing certificate template, such as Code
Signing, you
will not be able to edit most of the settings.
Page 3 of 173
You should create the template using Windows Longhorn Enterprise edition as the minimum CA level. Version 3 certificates are
issued
by Windows Server 2008 servers that are Certification Authorities. Version 3 certificates include the Suite B cryptographic
settings in
their certificates, which include advanced options for encryption, digital signatures, key exchange, and hashing. These types of
certificates can only used by Windows Server 2008 and Vista clients. In this scenario, all computers are either Windows Server
2008 or
Windows Vista, and you want to ensure that the certificate utilizes Suite B cryptography settings.
You should not create the template based using Windows Server 2003 Enterprise edition as the minimum CA level. Windows
Server

Created: 18/04/2013
Version: 1.0
Document1
Page 3 of 133
2003 servers that are Certification Authorities issue Version 2 certificates. You are able to edit most settings with Version 2
certificates,
but they do not utilize Suite B cryptography settings. A Windows Server 2008 CA server can issue Version 1, Version 2 and
Version 3
certificates. A Windows Server 2003 CA can only issue Version 1 and Version 2 certificates.
You should assign the AppUsers group the Read, Enroll, and Autoenroll permissions on the template. The Autoenroll
permission is
needed in addition to the Enroll permission for a user to enroll for a given certificate template.
Page 4 of 173
You are a network administrator for your company. The corporate network consists of a single Active Directory domain where all
servers run Windows Server 2008 and all client computers run Windows Vista. All client computer accounts reside in the
Computers
container, and all user accounts reside in the Users container. The company's written security policy dictates that certain
restrictions be
applied to all client computers and to all users who work on those computers. These restrictions should not apply to any other
computers.
You create a Group Policy object (GPO) and configure the appropriate user and computer policies in it. Which of the following
should
you do next?
Explanation:
There are two subsets of policies in a GPO: Computer Configuration and User Configuration. The policies in the Computer
Configuration folder are computer-specific, and the policies in the User Configuration folder are user specific. Computer-
specific
Item: 4 (Ref:Cert-70-640.4.3.5)
*'Link the GPO to the Computers
container.
*'Link the GPO to the Users
container.
*'Link the GPO to the Computers container and to the Users
container.
*'Move all user accounts to an OU, link the GPO to the OU, and enable the loopback processing mode in the
GPO.
*'Move the computer objects for all of the client computers to an OU, link the GPO to the OU, and enable the
loopback processing
mode in the GPO.
*'Link the GPO to the domain and enable Block Policy inheritance for the Domain Controllers
OU.
Answer:
Move the computer objects for all of the client computers to an OU, link the GPO to the OU, and enable the loopback
processing mode in the GPO.
Page 5 of 173
policies apply only to the computer objects that are targeted by the GPO, and user-specific policies apply only to the user
objects that
are targeted by the GPO. To meet the requirements of this scenario, you must enforce both computer-specific and user-specific
policies. The computer-specific policies should apply to all client computers, and the user-specific policies should apply to all
users who
log on at any of the client computers. You can accomplish this task by enabling the User Group Policy loopback processing
mode
policy, which is located in the Computer Configuration\Administrative Templates\System\Group Policy folder in the GPO
namespace. When this policy is enabled in a GPO that targets computers, the user-specific policies in all GPOs that target
those
computers are applied to any user who logs on at any of those computers. If you set this policy to Replace, then the GPOs that
target
the user are not applied to the user. If you set this policy to Merge, then user-specific policies from both those GPOs that target
the
computer and the GPOs that target the user are applied. If there are any conflicting settings, then the user-specific policy
settings from
the GPOs that target the computer take precedence.
In this scenario, you should create an organizational unit (OU), move all client computer accounts into that OU, link the GPO to
that OU
and enable the loopback processing mode in the GPO. GPOs can be linked only to sites, domains, and OUs; they cannot be
linked to
generic Active Directory folders, such as the Computers or Users folders. If you linked the GPO to an OU where only user
objects
reside, then only the user-specific policies in the GPO would be enforced. If you linked the GPO to the domain and blocked
policy
inheritance on the Domain Controllers OU, then, in addition to all client computers, the GPO would also apply to member
servers.

Created: 18/04/2013
Version: 1.0
Document1
Page 4 of 133
You are the network administrator for a company that makes golf balls and automotive tires. Your network has a single domain
with
several locations configured as Active Directory sites. All domain controllers run Windows Server 2008 and the functional level
of the
domain is Windows Server 2008.
You want to install a public key infrastructure (PKI) so that users in the domain are automatically issued certificates. What must
you
configure? (Choose all that apply.)
Explanation:
You should install a root CA and an enterprise subordinate CA, create an autoenrollment user template and add the template to
the
Certificate server, and create a group policy to distribute certificates to users. You must have an enterprise subordinate CA to
automatically issue certificates to users and computers in Active Directory. You should keep the root CA offline and have the
enterprise
subordinate CA issue certificates.
You must create an autoenrollment user template and add the template to the Certificate server. Your computer must be a
member of
the domain to use certificate autoenrollment. The autoenrollment process is normally triggered by the Winlogon process. The
autoenrollment process is activated and managed by a domain-based Group Policy. Both machine-based and user-based
Group Policy
can activate autoenrollment for machines and users.
Certificate autoenrollment is based on the combination of Group Policy settings and version 2 certificate templates. Certificates
are
issued or automatically renewed on behalf of the specifications in the certificate template. To create a certificate template,
perform the
following steps:
Item: 5 (Ref:Cert-70-640.6.1.1)
M|.A root CA and an enterprise subordinate
CA.
M|.A root CA and a standalone subordinate
CA.
M|.A standalone
CA.
M|.Create an autoenrollment user template and add the template to the Certificate
server.
M|.Create a group policy that can distribute certificates to
users.
M|.Install a certification authority Web enrollment
agent.
Answer:
A root CA and an enterprise subordinate CA.
Create an autoenrollment user template and add the template to the Certificate
server.
Create a group policy that can distribute certificates to users.
Page 6 of 173
Launch the Certification Authority Microsoft Management Console (MMC).
Expand the Certification Authority folder.
Expand the folder for your Certificate Server.
Right-click on the Certificate Templates folder and select New Certificate Template to Issue.
Once you add the Certificate Template to be issued, you need to create a group policy that can then distribute user certificates
to the
users' laptops and desktops automatically. A group policy can distribute the certificates to the users. You can use the Group
Policy
Mangement Console (GPMC) to edit a group policy. If you want the autoenrollment to apply to the entire domain, perform the
following
steps:
Edit the Default Domain Policy and click Edit.
Under the User Configuration container, expand the Windows Settings folder.
Expand the Security Settings folder and then click to select the Public Key Policies folder.
Right-click the Autoenrollment Settings object and select Properties.
Check the Renew Expired Certificates, Update Pending Certificates, and Remove Revoked Certificates options as well
as
the Update Certificates That Use Certificate Templates option. Click OK.
Page 7 of 173
You cannot have a standalone CA or a subordinate standalone CA issuing certificates. A certificate template must check Active
Directory for the user or computer account, and neither standalone CA nor a subordinate standalone CA can query Active
Directory. If a
certificate template has to check for an existing certificate before issuing another certificate, Active Directory will be queried for
an

Created: 18/04/2013
Version: 1.0
Document1
Page 5 of 133
existing duplicate certificate.
You do not have to install a certification authority Web enrollment agent. Web enrollment allows users to request certificates via
the
HTTP protocol or a by using a browser. This agent is helpful when you have computers that are not members of the domain,
such as
Unix computers, that need to request certificates.
You are the systems administrator for your company. The company's network consists of a single Active Directory domain. The
network
contains an Active Directory Lightweight Directory Services (AD LDS) server to provide Active Directory data to an application
named
App1, which is accessed by all users on the network.
You want to ensure that only managers have rights to modify the App1 database. To achieve this, you want to create a new
group in
the AD LDS directory and add managers to that group.
Which tool should you use to create a new group in the AD LDS application directory partition?
Item: 6 (Ref:Cert-70-640.3.1.2)
*'Dsmod.exe
*'Dsadd.exe
Page 8 of 173
Explanation:
You should use the Dsadd.exe tool to create a new group in the AD LDS application directory partition. Dsadd.exe is a
command-line
tool that is built into Windows Server 2008. Dsadd.exe is available if you have the AD DS server role installed. To use
Dsadd.exe, you
must run the Dsadd command from an elevated command prompt. The Dsadd group command allows you to add a single
group to
the directory. To add a group to the directory by using Dsadd group command, you should you use the Dsadd group
<GroupDN>
syntax. <GroupDN> is a required parameter and it is used to specify the distinguished name of the group that you want to add.
Lightweight Directory Access Protocol (LDAP)-based directories, such as Active Directory Domain Services (AD DS) and AD
LDS, most
commonly use OUs to keep users and groups organized. To add an OU to the directory by using Dsadd ou command, you
should you
use the Dsadd ou <OrganizationalUnitDN> syntax. <OrganizationalUnitDN> is a required parameter and it is used to specify
the
distinguished name of the OU that you want to add.
You cannot use the Dsmod.exe tool to create a new group in the AD LDS application directory partition. Dsmod.exe is a
command-line
tool built into Windows Server 2008, which can be used to modify an existing object of a specific type in the directory.
You cannot use the Dsa.msc tool, known as Active Directory Users and Computers, or Domain.msctool, known as Active
Directory
Domains and Trusts, to create a new group in the AD LDS application directory partition, because AD LDS is not supported by
these
domain-oriented tools.
Your company, Verigon Incorporated, has a main office and five branch offices. The company has a single domain, and each
office is
configured as its own site.
You have several temporary workers who work on a seasonal basis. You need to create a batch file that will disable the
temporary
workers' accounts and force replication of the disabled accounts to the domain controllers in the domain.
Which commands will the batch file contain? (Choose two.)
Explanation:
The batch file will contain the Dsmod user and Repadmin commands. You should use Dsmod user to disable the temporary
workers'
accounts. The Dsmod.exe command will modify the properties of a user account, such as the password, account expiration
date, or
any property. The following example uses the Dsmod user command to force the expiration of the accounts for Michelle Smith
and
Dave Jones in the Verigon corporate network:
*'Dsa.msc
*'Domain.msc
Answer:
Dsadd.exe
Item: 7 (Ref:Cert-70-640.2.4.4)
M|.Reset
user
M|.Dsmod
user
M|.Dsadd
user

Created: 18/04/2013
Version: 1.0
Document1
Page 6 of 133
M|.Repadmin
M|.Rsnotify
Answer:
Dsmod
user
Repadmin
Page 9 of 173
dsmod user "CN=Michelle Smith,CN=Users,DC=Verigon,DC=Com" "CN=Dave Jones,CN=Users,DC=Verigon,DC=Com" -
acctexpires 0
A value of 0 for the -acctexpires parameter sets expiration of the accounts for the end of today.
You should also use the Repadmin tool in the batch file to force replication. This tool allows you to force replication with
replication
partners. The following example uses the replicate operation of the Repadmin tool to make DC5 initiate replication of the
domain
directory partition for a domain named kaplanit.com from DC1. In this example, DC1 is the source server and DC5 is the
destination
server.
repadmin /replicate dc5.kaplanit.com dc1.kaplanit.com dc=kaplanit,dc=com
You should not use the Dsadd user command to disable the temporary workers account. The Dsadd user command is used to
add
new users in Active Directory. You cannot use this command to modify the properties of existing users.
You should not use Reset user. The Reset.exe tool is the Terminal Services reset utility on a Windows Server computer. This
utility will
not disable an account, nor will it force replication.
You should not use Rsnotify.exe. This command is a remote storage recall notification program on a Windows operating
system. This
command will not disable an account, nor will it force replication.
You are the systems administrator for several Windows Server 2008 computers on your company's network. The network
contains an
Active Directory Federation Services (AD FS) server. The AD FS server is configured to provide Web-based Single Sign-On
(SSO)
capabilities to users in a partner organization.
You want to test which claims the Federation Service sends in AD FS security tokens. What should you do?
Explanation:
You should create a claims-aware application. AD FS is an identity access solution that allows browser-based clients to access
one or
more protected Internet-facing applications without being prompted for secondary credentials, even if the user accounts and
applications are located in completely different networks or organizations. In any given federation relationship, the business
partners
can either be identified as a resource organization or an account organization. The account organization is the one that owns
and
manages user accounts. The resource organization is the one that owns and manages resources that are accessible from the
Internet.
Users from the account organization access AD FS-enabled applications in the resource organization. AD FS provides a Web-
based
SSO solution that authenticates users to multiple Web applications during a single browser session. When you install AD FS,
you
configure its trust policy by using the AD FS snap-in to specify the list of partners with which you want to federate.
AD FS supports three types of claims: organization or identity claims, group claims, and custom claims. Claims are statements
about
users that are carried within security tokens and are used by Web applications to make authorization decisions. Claims originate
from
either an account store or an account partner. To verify which claims are sent in AD FS security tokens by the Federation
Service, you
should create a claims-aware application. A claims-aware application is a Microsoft ASP.NET application that uses claims in an
AD FS
security token to make authorization decisions and provide additional application personalization. The claims-aware application
is made
up of the following three files:
default.aspx
web.config
default.aspx.cs
Item: 8 (Ref:Cert-70-640.3.4.5)
*'Create a claims-aware
application.
*'Configure a resource
partner.
*'Configure an account
partner.
*'Configure a Windows NT token-based Web Agent.
Answer:

Created: 18/04/2013
Version: 1.0
Document1
Page 7 of 133
Create a claims-aware
application.
Page 10 of 173
You should not configure a resource partner or an account partner. The resource partner is the one that owns and manages
resources
that are accessible from the Internet. The account organization is the one that owns and manages user accounts. Configuring a
resource partner or an account partner will not allow you to test which claims the Federation Service sends in AD FS security
tokens.
You should not configure a Windows NT token-based Web Agent. The Windows NT tokenbased Web Agent is used on a Web
server
that hosts a Windows NT tokenbased application to support conversion of AD FS security tokens to impersonation-level,
Windows NT
access tokens. A Windows NT tokenbased application is an application that uses Windows-based authorization mechanisms.
Configuring a Windows NT token-based Web Agent will not allow you to test which claims the Federation Service sends in AD
FS
security tokens.
You are the network administrator for your company. In the company's main office, the domain functional level is set to Windows
Server
2008. All client computers run Windows Vista.
Your company purchases a rival company that has its own Active Directory domain with the domain functional level set to
Windows
Server 2003 in a separate forest. The newly acquired company is configured as a branch office, and you create an external trust
between both the forests.
You want to enable the use of Advanced Encryption Standard (AES) encryption with Kerberos. You want to achieve this
objective by
involving minimum administrative effort.
What should you do? (Choose two. Each correct answer represents part of the solution.)
Explanation:
You should upgrade all domain controllers in the branch office to Windows Server 2008 and raise the domain functional level to
Windows Server 2008. AES is a National Institute of Standards and Technology specification for the encryption of electronic
data. AES
provides more secure encryption than its predecessor, Data Encryption Standard (DES). The security enhancements in
Windows
Server 2008 and Windows Vista enable the use of AES encryption with Kerberos. This means the base Kerberos protocol in
Windows
Server 2008 and Windows Vista supports AES for encryption of Ticket Granting Tickets (TGTs), service tickets, and session
keys. To
be able to configure AES encryption with Kerberos, the domain functional level must be at Windows Server 2008. To raise the
domain
functional level of a domain to Windows Server 2008, all domain controllers in the domain must be running Windows Server
2008.
You should not upgrade all servers in the branch office to Windows Server 2008 because this will require additional
administrative
effort. To raise the domain functional level to Windows Server 2008, it is only necessary for domain controllers to be running
Windows
Server 2008.
You should not recreate a two-way shortcut trust between the main office domain and the branch office domain. A shortcut trust
is
configured to allow access to resources between two domains that are logically distant from each other in the Active Directory
tree.
These domains must reside in the same Active Directory forest. In this scenario, the main office domain and the branch office
domain
are located in separate forests.
Item: 9 (Ref:Cert-70-640.2.2.1)
M|.Upgrade all domain controllers in the branch office to Windows Server
2008.
M|.Upgrade all servers in the branch office to Windows Server
2008.
M|.Raise the domain functional level to Windows Server
2008.
M|.Recreate a two-way shortcut trust between the main office domain and the branch office
domain.
Answer:
Upgrade all domain controllers in the branch office to Windows Server 2008.
Raise the domain functional level to Windows Server 2008.
Item: 10 (Ref:Cert-70-640.2.6.8)
Page 11 of 173
You are implementing an Active Directory forest for your company. You install Windows Server 2008 on a computer, name it
DC1, and

Created: 18/04/2013
Version: 1.0
Document1
Page 8 of 133
promote it to the first domain controller in a new domain in a new forest. Then, you install Windows Server 2008 on another
computer,
name it DC2, and promote it to an additional domain controller in the existing domain. Now, you want to create a new domain.
You
install Windows Server 2008 on a new computer, name it DC3, and start the Active Directory Installation wizard. You specify
that DC3
will be a domain controller in a new domain in a new domain tree in the existing forest.
You receive an error message that indicates that DC3 cannot be promoted to a domain controller. Your investigation reveals
that DC1
has failed due to a hardware problem. The replacement part necessary to bring DC1 back online will be delivered within the
next few
days. However, you must continue the deployment of Active Directory immediately, and you must promote DC3 to a domain
controller
in a new domain.
Which of the following should you do?
Explanation:
In an Active Directory forest, certain types of operations can be performed only on the domain controllers that are designated as
operations masters for those types of operations. There are five operations master roles. The schema master and domain
naming
master are forest-wide roles; the PDC emulator, RID master, and infrastructure master are domain-wide roles. There can be
only one
schema master and one domain naming master in each forest. Each domain-wide role is unique only in each domain. By
default, the
first domain controller in a new forest hosts all five operations master roles. The first domain controller in any new domain in a
forest, by
default, holds the three domain-wide roles for that domain. Subsequently, a forest-wide role can be transferred to another
domain
controller in the forest, and a domain-wide role can be transferred to another domain controller in the domain.
In order for a new domain to be created in a forest, the domain naming master must be available in that forest. It appears that
you
cannot create a new domain in this scenario because DC1, by default, was configured to hold all five operations master roles. In
this
scenario DC3 cannot be promoted to a domain controller for the new doman because the domain naming master role is not
available. To proceed with the creation of a new tree-root domain, as you originally intended, you should force the transfer of at
least
the domain naming master role to DC2, which currently is the only remaining domain controller in the existing forest. Once you
have
forced the transfer of, or seized, the domain naming master role to DC2, the original domain naming master, DC1, should never
be
brought back online. Instead, when it is repaired, you should perform a fresh installation of Windows Server 2008 on that
computer and
configure it as a different domain controller or as a member server. Therefore, in this scenario, you should seize all of the
operations
master roles that were held by DC1.
In the absence of the domain naming master, you cannot create a new domain, regardless of whether it is a tree-root or a child
domain.
Any computer that runs the appropriate edition of Windows Server 2008 can be promoted to become a domain controller in an
existing
forest, regardless of whether it is a stand-alone server or a member server in a domain in that forest. A domain controller in one
domain
cannot be directly reconfigured as a domain controller in another domain. First, it must be demoted to a member server or a
standalone
server. Only then can it be promoted to a domain controller in a different domain.
You are the network administrator for the Verigon corporation. The Verigon corporation has a single domain named
verigon.com with
all domain controllers running the Windows Server 2008 operating system. Your company recently acquired a rival group, Nutex
Corporation. Nutex Corporation has a single forest with three domains: nutex.com, east.nutex.com, and west.nutex.com.
Each
domain in Nutex and Verigon has a Windows Server 2008 DNS server that contains the zone for its respective domain.
Nutex and Verigon will continue to act as separate companies from a network standpoint. Nutex users will not need to access
any
resources in Verigon. However, users in the verigon.com domain will need to access a Web-based application on
server5.west.nutex.com. Since Nutex and Verigon are connected by a heavily used WAN link, you want to limit the amount of
traffic
sent over the WAN link.
*'Promote DC3 to a domain controller in a new child
domain.
*'Join DC3 to the existing domain and then promote it to a domain controller in a new tree-root
domain.
*'Promote DC3 to an additional domain controller in the existing domain and then join it to a new tree-root
domain.
*'Configure DC2 to hold all operations master roles and then promote DC3 to a new domain controller in a new tree-
root

Created: 18/04/2013
Version: 1.0
Document1
Page 9 of 133
domain.
Answer:
Configure DC2 to hold all operations master roles and then promote DC3 to a new domain controller in a new treeroot
domain.
Item: 11 (Ref:Cert-70-640.1.2.1)
Page 12 of 173
Users in verigon.com complain that they cannot access the Web-based application. What should you do?
Explanation:
You should configure conditional forwarding on the DNS server in the verigon.com domain to forward queries for
west.nutex.com to
the DNS server in west.nutex.com. In Windows Server 2003 and Window Server 2008, a DNS server can be configured to
conditionally forward queries. A conditional forwarder is different from a regular forwarder. A regular forwarder forwards any
queries that
cannot be resolved by any zones that are contained on the DNS server. A conditional forwarder forwards only queries that meet
a
certain criteria. For example, if you wanted only to forward queries for computers in the west.nutex.com domain, you could
specify a
conditional forwarder to the west.nutex.com domain.
In Windows Server 2008, you can configure a conditional forwarder by adding the DNS domain of the query that you want to
forward in
the conditional forwarder settings box. You must also add the IP address or the DNS name of the DNS server to receive the
forwarded
queries. In this scenario, you should configure the DNS server in the verigon.com domain to forward queries to the IP address
or DNS
*'Create a secondary zone of nutex.com on the DNS server in the verigon.com
domain.
*'Create a secondary zone of west.nutex.com on the DNS server in the verigon.com
domain.
*'Configure conditional forwarding on the DNS server in the verigon.com domain to forward queries for
west.nutex.com to the
DNS server in the west.nutex.com domain.
*'Configure conditional forwarding on the DNS server in the west.nutex.com domain to forward queries for
verigon.com to the
DNS server in the verigon.com domain.
Answer:
Configure conditional forwarding on the DNS server in the verigon.com domain to forward queries for
west.nutex.com to the DNS server in the west.nutex.com domain.
Page 13 of 173
name of the DNS server in the west.nutex.com domain.
You should not create a secondary zone of nutex.com or a secondary zone of west.nutex.com on the DNS server in the
verigon.com
domain. A secondary zone is a read-only copy of a zone that is pulled from a master DNS server. A secondary zone needs to
be
periodically updated from the master DNS. Zone transfers from the master DNS to the DNS server that hosts the secondary
zone will
occur. Although placing a secondary zone of the west.nutex.com on the DNS server in verigon.com will resolve names in the
west.nutex.com domain, such as server5.west.nutex.com, it will produce additional traffic across the WAN link.
You should not configure conditional forwarding on the DNS server in the west.nutex.com domain to forward queries for
verigon.com
to the DNS server in the verigon.com domain. In this scenario, you want to resolve queries for west.nutex.com from the
verigon.com
domain, not to resolve queries for verigon.com from the west.nutex.com domain.
You are a network administrator for your company. The corporate network consists of a single Active Directory domain and two
sites.
Click the Exhibit(s) button to view the Active Directory domain structure.
All servers on the network run Windows Server 2008. In Site1, there are three domain controllers, which also provide additional
services: DC1 is configured as a DHCP server and a DNS server, DC2 is an application server, and DC3 is a Routing and
Remote
Access server that provides connectivity with the network in Site2. In Site2, there are two domain controllers, DC4 and DC5.
DC4 is
a Routing and Remote Access server that provides connectivity with the network in Site1.
Users complain that at certain times DC2 becomes very slow or even unresponsive. You determine that DC2's poor
performance as an
application server coincides with the scheduled inter-site Active Directory replication times. You must improve the performance
of DC2
during the times when inter-site replication occurs.
Explanation:

Created: 18/04/2013
Version: 1.0
Document1
Page 10 of 133
Active Directory is a distributed database and is hosted on domain controllers. Administrators can make changes to Active
Directory on
different domain controllers, which will communicate the changes to each other. Replication is the process of synchronizing the
Item: 12 (Ref:Cert-70-640.2.4.15)
*'Designate DC3 as a preferred bridgehead
server.
*'Designate DC2 as a preferred bridgehead
server.
*'Increase the site link
cost.
*'Decrease the site link
cost.
Answer:
Designate DC3 as a preferred bridgehead
server.
Page 14 of 173
contents of the Active Directory database among domain controllers. The component named Knowledge Consistency Checker
(KCC)
automatically builds a replication topology. Within the same site, it is assumed that all computers are well connected to each
other;
therefore, intra-site replication is optimized for speed rather than for bandwidth. Each change to Active Directory is replicated to
other
domain controllers in the same site within seconds after it occurs. Replication between sites occurs differently. KCC
automatically
designates a bridgehead server in each site. Changes made in other sites are first replicated between bridgehead servers,
which then
replicate the changes to other domain controllers in their respective sites during the course of intra-site replication. An
administrator can
manually designate one or more preferred bridgehead servers for a site, thereby forcing KCC to designate specific bridgehead
servers
for the site.
It appears in this scenario that the deterioration of performance of DC2 during inter-site replication times occurs because DC2 is
the
bridgehead server in Site1. Currently, inter-site replication traffic is handled inefficiently. DC3 is the RRAS server that provides
connectivity with Site2; therefore, all replication traffic from Site2 is directed to DC3. DC3 forwards the replication traffic to DC2,
which
records the changes in its copy of Active Directory, and then replicates those changes back to DC3 either directly or indirectly
through
DC1. To offload DC2, you should designate DC3 as the preferred bridgehead server instead of DC2. The changes to Active
Directory
received from Site2 will then be recorded on DC3 first and propagated to DC1 and DC2 during the course of intra-site
replication, which
occurs substantially faster than inter-site replication. Thus, DC2 will spend less time processing replication. Site link costs are
numeric
values that indicate relative preference among multiple alternative replication paths between the same pair of sites. Changing
the site
link cost would have no effect on replication in this scenario because there are only two sites and, therefore, no alternative
replication
paths between them.
You are the administrator of the Verigon corporation. You have a main office in Birmingham and branch offices in Atlanta and
Chicago.
The Birmingham office has a DNS server, server1, which has the IP address of 10.10.10.101 and hosts a primary zone. The
Atlanta
office in has a DNS server, server2, which has the IP address of 10.10.15.112 and hosts a secondary zone. The Chicago office
has a
DNS server, server3, which has the IP address of 10.10.20.78 and hosts a secondary zone. The DNS configuration of server1
is
displayed in the exhibit. (Click on the Exhibit(s) button.)
The WAN link to Atlanta is prone to failure over the weekends. You want to ensure that zone information would still be valid on
server2
if the WAN link fails on Friday evening and is not restored until Monday morning.
What should you configure?
Item: 13 (Ref:Cert-70-640.1.3.2)
*'On server1, change the Minimum (default) TTL to 72
hours.
*'On server2, change the Minimum (default) TTL to 72
hours.
*'On server1, change the Expires After: setting to 72
hours.
*'On server2, change the Expires After: setting to 72
hours.

Created: 18/04/2013
Version: 1.0
Document1
Page 11 of 133
Answer:
On server1, change the Expires After: setting to 72
hours.
Page 15 of 173
Explanation:
You should change the Expires After: setting to 72 hours on the SOA record of server1. The Expires After: setting specifies
when
zone file information should expire if the secondary server fails to refresh the information. In this scenario, a failure of the WAN
link may
prevent server2 from pulling a zone transfer from server1. If server2's zone expires, zone data is considered potentially
outdated and
is discarded. Secondary master servers do not use zone data from an expired zone. Currently the SOA record from the primary
zone
has the Expires After: setting configured to one day. You can change this setting to a value in minutes, hours, or days.
You should ensure that the Expires After: setting is longer than the Refresh Interval and the Retry Interval. The Refresh
Interval
determines how often the secondary server polls the primary server for updates. The Retry Interval specifies how often the
secondary
server attempts to contact the primary server if the server does not respond. Consider increasing the value of the Expires After:
setting
to compensate for slow network connections. In this scenario, you should change this setting to at least three days to cover a
WAN
outage from Friday to Monday.
You should not change the Expires After: setting to 72 hours on the SOA record of server2. This DNS server hosts a
secondary zone.
A secondary zone is a read-only copy of the primary zone hosted on server1. You will not be able to change the SOA record on
server2, only on server1.
You should not change the Minimum (default) TTL to 72 hours on server1 or server2. The Minimum (Default) TTL setting
specifies
how long records from this zone should be cached on other servers. This setting will not determine how quickly records in zone
will
expire.
You are the systems administrator for Verigon Corporation. The company has a single domain with a main office and five
branch
offices. Each office has its own Active Directory site in a single forest. Each site has a domain controller running Windows
Server 2008,
and each domain controller has a DNS server with an Active Directory-integrated zone for both the forward lookup and reverse
lookup
zones for the domain.
You add several new file servers at the main office. Later that morning, users in the different branch offices report that they
cannot
connect to the file servers. You notice that the A records and PTR records for the file servers are in the DNS server at the main
office.
You want to synchronize replication with all replication partners to ensure that the A records and PTR records are replicated to
all DNS
Item: 14 (Ref:Cert-70-640.1.3.4)
Page 16 of 173
servers in the forest.
Which command should you run?
Explanation:
You should run the Repadmin /syncall command with /e parameter. In this scenario, you need to ensure that the Active
Directory
zones on the DNS server at the main office replicate to the other domain controllers that have DNS installed. You can force
replication
with the Repadmin /syncall command. The /e parameter ensures that replication partners in all sites are included in the
replication
synchronization.
You should not have the DNS server at the main office forward to each DNS server in the branch office. This will not replicat e
the A
records and PTR records for the new file servers to the branch office DNS servers. You should configure a forwarder to resolve
queries
that you cannot resolve from your own zone.
You should not add the DNS servers in the branch offices to the Automatically Notify list for zone updates. You can specify
secondary
servers to be notified of an update at the master DNS. You can add the IP address of the secondary servers to the
Automatically Notify
list. This setting does not affect Active Directory-integrated zones. Zone transfers between Active Directory-integrated zones use
Active
Directory replication.

Created: 18/04/2013
Version: 1.0
Document1
Page 12 of 133
You should not change the expiration time of the zone on the SOA record. The Expires After: setting on a zone specifies when
the
zone file information should expire if the secondary server fails to refresh the information. This setting will not force Active
Directory
replication.
You are the network administrator for a county government. The county has two offices in a single domain. The servers at the
main
office run Windows Server 2003 and the servers at the other office run Windows 2000 Server and Windows Server 2003. All
domain
controllers are Windows Server 2003 and the functional level of the domain is Windows Server 2003. The client computers in
both
offices have different operating systems, including Windows 2000 Professional, Windows XP Professional , and Windows Vista.
You plan to upgrade all Windows Server 2003 domain controllers to Windows Server 2008. Once the domain controllers have
been
upgraded, you want to deploy Active Directory Rights Management Services (AD RMS) in the main office.
You want to ensure that AD RMS is deployed in both offices. You have a limited budget. What should you do to ensure that
client
computers in both offices can support AD RMS?
*'Have the DNS server at the main office forward to each DNS server in the branch
office.
*'Add the DNS servers in the branch offices to the Automatically Notify list for zone
updates.
*'Run the Repadmin /syncall command with /e
parameter.
*'Change the expiration time of the zone on the SOA
record.
Answer:
Run the Repadmin /syncall command with /e
parameter.
Item: 15 (Ref:Cert-70-640.3.2.2)
*'Upgrade all computers to Windows Vista.
*'Ensure that all Windows 2000 Professional computers have Service Pack 4 and that all Windows XP computers
have Service
Pack 2. Download and install the AD RMS client on all Windows XP and Windows 2000 Professional client computers.
*'Upgrade all Windows 2000 Professional computers to Windows XP with Service Pack 2 (SP2). Download and install
the RMS
client on all Windows XP computers.
*'Ensure that each client computer has the Client IPSec policy and RMS client installed. Ensure that the AD RMS
server has the
Secure Server IPSec Policy.
Answer:
Page 17 of 173
Explanation:
You should download and install the RMS client on all Windows 2000 Professional and XP client computers to achieve the
objective in
this scenario. The Windows Professional computers must have Service Pack 4 or later, and the Windows XP computers must
have
Service Pack 2 to support the RMS client. Windows Vista includes the AD RMS client by default. However, operating systems
released
before Windows Vista and Windows Server 2008 do not have the RMS client installed. To use the AD RMS service on a
Windows XP
or Windows 2000 Professional computer, you can download and install the RMS client from the Microsoft Download Center
(Microsoft
Windows Rights Management Services (RMS) with Service Pack 2). By using AD RMS, you can protect the documents for AD
RMSenabled
applications by providing appropriate user rights and permissions to the documents, such as copy, edit, view, and print
permissions.
To install AD RMS in Windows Server 2008, perform the following steps:
1. Click Start, click Administrative Tools, and click Server Manager.
2. In the Server Manager window, click Add Roles.
3. Highlight AD RMS and click Next to complete the installation.
You should not upgrade all computers to Windows Vista to achieve the objective in this scenario. Upgrading all client computers
to
Windows Vista will make the AD RMS services available, as Windows Vista includes default RMS client. However, it cannot be
done
with minimum administrative efforts, and it would strain the limited budget referenced in the scenario.
You do not have to upgrade the Windows 2000 Professional computers to Windows XP. The RMS client supports Windows
2000
Professional computers if the computers have Service Pack 4 or later installed.
You do not have to ensure that each client computer has the Client IPSec policy and that the AD RMS server has the Secure
Server

Created: 18/04/2013
Version: 1.0
Document1
Page 13 of 133
IPSec Policy. Although deploying IPSec on both the client and the server will ensure that the data is secure in transit, it i s not a
requirement to deploy AD RMS.
You are the network administrator for your company. The company has a head office in Atlanta and a branch office in Boston.
The head
office's network consists of Windows Server 2008 domain controllers, and the branch office network consists of Windows Server
2003
domain controllers. The branch office has 45 users who are members of a single organizational unit (OU).
The branch office is connected to the head office by a low bandwidth connection. To ensure efficient user logons to the domai n,
you
plan to enable universal group membership caching.
On which Active Directory object should you enable the universal group membership caching?
Explanation:
You should enable universal group membership caching in the branch office site. Universal group membership caching should
be
enabled in a site that is connected by a low bandwidth connection or that has hardware limitations on the domain controller,
such as low
hard disk space, that prohibits installing the global catalog. Enabling universal membership caching provides efficient user
logons in
Ensure that all Windows 2000 Professional computers have Service Pack 4 and that all Windows XP computers have
Service Pack 2. Download and install the AD RMS client on all Windows XP and Windows 2000 Professional client
computers.
Item: 16 (Ref:Cert-70-640.4.3.3)
*'OU
*'domain
*'hub
site
*'branch office
site
Answer:
branch office
site
Page 18 of 173
situations with low or no network bandwidth.
Another solution would be to install a Windows Server 2008 read-only domain controller (RODC) in the branch office, because
universal
group membership caching would be enabled by default for that site.
You should not enable universal group membership caching in the OU, the domain, or the hub site. Universal group
membership
caching should only be enabled on a site that is connected to a hub site via a low network bandwidth connection, or in sites that
have
fewer than 100 users. This ensures efficient user logons to the domain.
You are the network administrator of your company. The company has a main office and one branch office. Each office has its
own
Active Directory domain in a single forest. All servers on the network run Windows Server 2008. Each office contains a domain
controller. The domain controller in the main office is named MainDC and the domain controller in the branch office is named
BranchDC.
The BranchDC contains an Organizational Unit (OU) named SalesOU, which contains some Active Directory groups that have
backlinks
of Universal and global groups of the main office domain as members of the groups. The branch office administrator reports that
the SalesOU has been accidentally deleted. You perform an authoritative restore of the SalesOU. You now want to create an
LDAP
Data Interchange Format (LDIF) file for recovering the back-links of groups from the main office domain as members in groups
of the
branch domain for the authoritatively restored objects in the SalesOU. Which utility should you use?
Explanation:
You should use the Ntdsutil.exe command. An authoritative restore process returns a designated object or container of objects
to its
state at the time of the backup. An authoritative restore marks the OU as authoritative and causes the replication process to
restore it to
all the domain controllers in the domain. To perform an authoritative restore of Active Directory Domain Services (AD DS), you
must
first complete a nonauthoritative restore, and ensure that replication does not occur after the nonauthoritative restore. Next,
perform the
authoritative restore. After performing the authoritative restore of AD DS, you should start the domain controller normally and
synchronize replication with all replication partners. If you have authoritatively restored objects that have back-links in another
domain,
you should create and run an LDIF file against a domain controller in that domain to restore the back-links. To create the LDIF
file, you
should run the Ntdsutil.exe command. Before creating the LDIF file, you must copy the .txt file that Ntdsutil created on the first
domain controller during the authoritative restore to a location on the domain controller where you want to create the LDIF f ile.
You should not use the Dsamain.exe utility. Dsamain.exe, or the data mining tool, can be used to expose snapshot data of a

Created: 18/04/2013
Version: 1.0
Document1
Page 14 of 133
Lightweight Directory Access Protocol (LDAP) server. The Dsamain.exe tool provides a means to compare data as it exists in
snapshots that are taken at different times to improve the recovery process. The Dsamain.exe utility cannot be used to create
an LDIF
file for recovering the back-links for authoritatively restored objects.
You should not use the Wbadmin.exe utility. Wbadmin.exe is a command-line tool that allows you to back up and restore your
computer, volume, and files from a command prompt. The Wbadmin.exe tool cannot be used to create an LDIF file for
recovering
back-links for authoritatively restored objects.
You should not use the Wecutil.exe utility because this utility cannot be used to create an LDIF file for recovering back-links for
authoritatively restored objects. Wecutil.exe or the Windows Event Collector Utility is a command-line tool that is used to
subscribe and
unsubscribe to hardware events.
You are a network administrator for a company named Verigon. The network consists of a single Active Directory domain. All
servers
Item: 17 (Ref:Cert-70-640.5.1.4)
*'Dsamain.exe
*'Wbadmin.exe
*'Wecutil.exe
*'Ntdsutil.exe
Answer:
Ntdsutil.exe
Item: 18 (Ref:Cert-70-640.6.4.1)
Page 19 of 173
run Windows Server 2008, and all client computers run Windows Vista. The network contains an enterprise issuing certification
authority (CA) and an offline root CA.
Verigon acquires a new company named TelStar that has its own Active Directory domain in a different forest. You want to
establish an
L2TP/IPSec VPN connection between both company networks. You install a VPN server on your network, install a certificate
from your
issuing CA, and configure the server for a router-to-router VPN connection. A network administrator at TelStar performs similar
actions
on the TelStar network. When you test the connection, you receive an error message that indicates that the TelStar certificate is
not
trusted. You must ensure that a VPN connection between the two companies can be successfully established without producing
the
error message.
What should you do?
Explanation:
You should place a copy of the TelStar root CA's certificate in the Trusted Root Certification Authorities store on your VPN
server. To
make your VPN server trust the TelStar VPN server's certificate, that certificate must be verified to a trusted CA. All certificates
on
TelStar's network can ultimately be verified to TelStar's root CA. Thus, if your VPN server trusts TelStar's root CA, then it will
trust any
certificate that is issued by any CAs on TelStar's network. To enable your VPN server to trust TelStar's root CA, you should
import
TelStar root CA's certificate in the Trusted Root Certification Authorities store on your VPN server. It is a common practice to
implement
a stand-alone root CA and enterprise subordinate CAs. To provide maximum security for root CAs, they are often kept offline.
Standalone
CAs are better suited for being kept offline because they are less prone to the various synchronization problems that occur as a
result of being disconnected from the network for prolonged periods of time. When you want to allow clients to get certificates
from an
intermediate CA even when the Trusted CA is offline, you should store the Trusted CA's certificate in the Trusted Root
Certification
Authorities store on your VPN server store on client computers.
You can also make computers trust certificates from external CAs by using a Group Policy object (GPO) that applies to those
computers. The GPO should list the appropriate certificates in the Trusted Root Certification Authorities policy. Alternatively, you
can
add the trusted root CA's certificates to a Certificate Trust List (CTL) and specify that CTL in the GPO. Another possible solution
is
cross-certification; for example, your root CA could issue a certificate for your partner's root CA and vice versa.
If you installed the TelStar root CA's certificate on your root or issuing CA, then only your root or issuing CA, respectivel y, would
trust
TelStar's certificates; the scenario requires that your VPN server trust TelStar's certificates.
You should not include the TelStar root CA's certificate in the Verigon root CA's certificate revocation list. A certificate revocation
list
(CRL) contains revoked certificates from a specific CA. When a certificate is revoked, it is included in the CRL on the CA that
issued
that certificate. You cannot include the TelStar root CA's certificate in your root CA's CRL because that certificate is self-signed;
it has

Created: 18/04/2013
Version: 1.0
Document1
Page 15 of 133
been issued by TelStar's root CA, not your root CA.
You are the network administrator of your company. All servers on the network run Windows Server 2008. The company's
network
consists of a single Active Directory domain, and the client computers all run Windows Vista.
You create some custom ADMX language-specific files on your Windows Vista administrative workstation. You want to copy all
language-specific ADML files to the central store on the domain controller to ensure that the ADML files are automatically
available to
all Group Policy administrators in the domain.
Which tool can you use to perform this task?
*'Place a copy of the TelStar root CA's certificate in the Trusted Root Certification Authorities store on your VPN
server.
*'Install the TelStar root CA's certificate on the root CA in
Verigon.
*'Include the TelStar root CA's certificate in Verigon root CA's certificate revocation
list.
*'Install the TelStar root CA's certificate on the issuing CA in
Verigon.
Answer:
Place a copy of the TelStar root CA's certificate in the Trusted Root Certification Authorities store on your VPN
server.
Item: 19 (Ref:Cert-70-640.4.4.3)
Page 20 of 173
Explanation:
You can use the Xcopy.exe tool to copy ADML files from your Windows Vista administrative workstation to the central store on
the
domain controller. The ADMX files are language-neutral resource files. The other type of registry-based policy settings are
known as
ADML files, which are language-specific resource files. ADMX and ADML files replace the ADM files that were used in earlier
versions
of Windows. To ensure that ADMX files are recognized by Group Policy tools, such as GPMC and Group Policy Object Editor,
you must
be running a Windows Vista-based or Windows Server 2008-based computer. ADMX files are not stored in individual Group
Policy
Objects (GPOs).
If you have a domain environment, you can create a central store location of ADMX files that can be accessed by anyone with
permission to create or edit GPOs. The central store is a folder created in the SYSVOL folder of an Active Directory domain
controller
and is used to provide a centralized storage location for ADMX and ADML files for the domain. In addition to storing the ADMX
files
shipped in the operating system in the central store, you can also share a custom ADMX file by copying the file to the central
store,
which makes it available automatically to all Group Policy administrators in a domain. The default location for .ADML files on a
domain
controller is the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture] folder. For example, the United States
English ADMX language-specific file will be stored in the %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-us
folder.
Windows Vista does not contain any user interface for populating the central store in Windows Vista. You can use the
Xcopy.exe
command-line tool to copy all ADMX language resource files from your Windows Vista administrative workstation to the central
store on
your domain controller. You should use the following syntax:
xcopy %systemroot%\PolicyDefinitions\EN-US\*
%logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions\EN-US\
The options stating Ntdsutil.exe, Group Policy Object Editor, and Group Policy Management Console are incorrect because
these
tools cannot be used to copy all ADMX language resource files from your Windows Vista administrative workstation to the
central store
on your domain controller.
Your company's corporate network consists of two Active Directory domains that span three sites as shown in the following
image:
The network is fully routed. Users from Site2 often have to travel to the office in Site3 with their portable computers. These
users report
that when they connect to the network in Site3, it takes 5 to 10 minutes to log on to their domain. You want to minimize the time
it takes
*'Ntdsutil.exe
*'Group Policy Object
Editor
*'Xcopy.exe
*'Group Policy Management
Console
Answer:

Created: 18/04/2013
Version: 1.0
Document1
Page 16 of 133
Xcopy.exe
Item: 20 (Ref:Cert-70-640.2.3.5)
Page 21 of 173
for users to log on to their domain. Your solution should not involve additional expense and should not reduce the availabili ty
and
reliability of the existing network services.
Explanation:
Users in Site2 belong to the domain2.com domain. There are no domain controllers for this domain in Site3. Therefore, logon
requests
to the domain2.com domain are routed from Site3 to Site2. When site links form multiple paths between two sites, logon
requests are
sent over the path with the lowest total site link cost. In this scenario, the cost of the direct site link between Site2 and Site3 is
200,
whereas the combined cost of the alternative route through Site1 is 250. Therefore, the logon requests from Site3 to domain
controllers
in Site2 are sent over the slow direct communications link. To minimize the logon time for domain2.com users who log on from
Site3,
their logon requests should be sent over the faster communications links through Site1. To accomplish this task, you should
increase
the cost of the site link between Site2 and Site3 to a value greater than 250.
If you merged Site2 and Site3 into a single site, then logon requests to the domain2.com domain would be routed within that
site over
the 56-Kbps WAN link. If you moved a domain2.com domain controller from Site2 to Site3, then the domain2.com domain
controllers
would have to replicate over the slow link between Site2 and Site3. Additionally, if the remaining domain controller in Site2
failed or
had to be shut down for maintenance, then users in Site2 would have to log on over the slow link to the domain controller that
you
moved to Site3. If you reconfigured a domain controller in Site3 to belong to the domain2.com domain, then the reliability and
availability of network services for domain1.com users in Site3 might be adversely affected because only one domain1.com
domain
controller would be left in Site3. If that domain controller failed, then domain1.com users in Site3 would have to connect to a
domain
controller in Site1 in order to log on. The increased volume of network traffic between Site1 and Site3 might result in increased
expenses for the use of the WAN link between these sites.
You are the network administrator for the Verigon corporation. Your company consists of a central office in Atlanta and branch
offices in
Birmingham and Charlotte connected through a private WAN link. Each office has a domain controller that is configured as a
global
catalog server. Each office has a file server called SRV1 that contains sales records for each office.
There are approximately 1,200 users in each office. The network consists of a single Active Directory forest. Each office is its
own
*'Merge Site2 and Site3 into a single
site.
*'Change the cost of the link between Site2 and Site3 to
300.
*'Move a domain controller from Site2 to Site3.
*'Reconfigure a domain controller in Site3 to belong to the domain2.com
domain.
Answer:
Change the cost of the link between Site2 and Site3 to
300.
Item: 21 (Ref:Cert-70-640.2.4.7)
Page 22 of 173
separate domain and a separate site is configured for each office. All servers run Windows Server 2008.
Users in Charlotte report that access to spreadsheets on srv1.verigon.com in Atlanta is slow. You monitor the WAN link
between
Atlanta and Charlotte and discover that the slow network performance occurs during Active Directory replication between the
sites. You
must minimize the WAN bandwidth use without affecting the ability of branch office users to log on even if the WAN link is
temporarily
unavailable.
What should you do?
Explanation:
You should increase the replication interval on the site link. An Active Directory site is a logical object that represents a group of
relatively well-connected computers. A site link is a logical object that represents a physical connection between the sites that
are listed

Created: 18/04/2013
Version: 1.0
Document1
Page 17 of 133
in that link. Within a site, replication occurs almost immediately after a change to Active Directory is made. Replication between
sites
occurs on schedule, which indicates when the site link is available. The replication interval on a site link indicates how of ten
inter-site
Active Directory replication will occur during the times that the site link is available. By default, a site link is always available, and
the
replication interval is set to three hours. To minimize the WAN bandwidth that is used for replication, you should increase the
replication
interval on the site link so that inter-site replication occurs less frequently. For example, if the replication interval between SiteA
and
SiteB is 180 minutes, increasing the replication interval to 360 minutes will generate less communication and use less
bandwidth. The
total amount of Active Directory data that must be replicated between two sites does not depend on replication frequency.
However,
each replication session involves communication overheads, or additional traffic that is caused by establishing the session.
You should not reduce the replication interval on the site link. Reducing the replication interval will cause the replication between
both
the sites to occur more frequently, which will consume more WAN bandwidth. For example, if the replication interval between
SiteA and
SiteB is 180 minutes, decreasing the replication interval to 90 minutes will generate more communication and use less
bandwidth.
When you have multiple sites, reducing the replication interval between a pair of sites will ensure that the data between sites is
more up
to date as compared to other sites.
You should not increase the number of Global Catalog servers in the branch office. For each Active Directory partition, only one
domain
controller in each of the two sites is designated as a bridgehead, and replication occurs only between those bridgeheads.
Therefore,
changing the number of Global Catalog servers in any of the sites would not have any effect on the volume of inter-site
replication, as
long as there was at least one Global Catalog server in each site. Because the domain controllers in different sites belong t o
different
domains in this scenario, the domain partition for the central office domain is replicated between the sites only t o Global Catalog
servers. Therefore, you could reduce the amount of inter-site replication traffic by removing all Global Catalog servers from the
branch
office site. To enable users in the branch office to log on in the absence of WAN connectivity, you could configure universal
group
membership caching for the branch office site. However, it is recommended that at least one Global Catalog server be deployed
to
each site that has 100 or more users.
You should not create an additional site link between the two sites. A site link is a logical object that is intended to represent a
physical
connection. Creating an additional site link between two sites that are connected through a single WAN link would not reduce
the
amount of replication traffic that passes through that link.
You are the administrator for your company. The company has a single forest with multiple domains and sites, as shown in the
exhibit.
(Click the Exhibit(s) button.)
You create a user account on dc1.domain1.com that will be granted login as a service permission on an application server.
You want
to immediately force replication to other domain controllers in Site1.
*'Reduce the replication interval on the Atlanta to Charlotte site
link.
*'Make srv1.chl.verigon.com an additional Global Catalog server in the Charlotte
office
*'Increase the replication interval on the Atlanta to Charlotte site
link.
*'Enable universal group caching in the Charlotte office.
Answer:
Increase the replication interval on the Atlanta to Charlotte site
link.
Item: 22 (Ref:Cert-70-640.2.4.11)
Page 23 of 173
What tool should you use to force replication?
Explanation:
You should use Replmon to force replication. You can use Repadmin, Replmon, or Active Directory Sites and Services to
force intrasite
replication.
You should not use Rsnotify. This command is a remote storage recall notification program on a Windows operating system.
This
command will not force replication.

Created: 18/04/2013
Version: 1.0
Document1
Page 18 of 133
You should not use Active Directory Domains and Trusts to force replication of Active Directory. Active Directory Domains and
Trusts
can be used to raise the functional level of the forest or domain. You can use this tool to create trusts between domains, but you
cannot
use this tool to force replication.
You cannot use the gpupdate /force command to force replication. You can use the gpupdate /force command to force a
change
from a group policy object or local security on a computer or user.
You are the systems administrator for your company, a plastic container manufacturer and distributor. The company's network
consists
of a single Active Directory forest. The network contains an Internet Information Services (IIS) server that hosts a Web
application that
allows users to purchase your company's products online.
Your company has a partner organization, a graphic design firm that designs your company's products. The partner company
has its
own Active Directory forest. You are required to enable users in the partner organization to access your Web application without
being
prompted for secondary credentials.
Which Windows Server 2008 server role should you install in your network to provide Web-based Single-Sign-On (SSO)
capabilities to
users in the partner organization?
*'Rsnotify
*'Replmon
*'Active Directory Domains and
Trusts
*'gpupdate /force
Answer:
Replmon
Item: 23 (Ref:Cert-70-640.3.4.7)
*'Active Directory Rights Management Services (AD
RMS)
*'Active Directory Federation Services (AD
FS)
Page 24 of 173
Explanation:
You should install the Active Directory Federation Services (AD FS) role service in your network to provide Web-based Single-
Sign-On
(SSO) capabilities to users in the partner organization. AD FS is an identity access solution that allows browser-based clients to
access
one or more protected Internet-facing applications without being prompted for secondary credentials, even if the user accounts
and
applications are located in completely different networks or organizations. In any given federation relationship, the business
partners
can be identified as either a resource organization or an account organization. The account organization is the one that owns
and
manages user accounts. The resource organization is the one that owns and manages resources that are accessible from the
Internet.
Users from the account organization can access AD FS-enabled applications in the resource organization. AD FS provides a
Webbased
SSO solution that authenticates users to multiple Web applications during a single browser session. When you install AD FS,
you can configure its trust policy by using the AD FS snap-in to specify the list of partners with whom you want to federate. AD
FS
supports three types of claims: organization or identity claims, group claims, and custom claims. Claims are statements about
users
that are carried within security tokens and are used by Web applications to make authorization decisions. Claims originate from
either
an account store or an account partner.
You should not install the Active Directory Rights Management Services (AD RMS) role service. AD RMS is used to protect
information
from unauthorized use. AD RMS does not provide Web-based SSO capabilities to enable browser-based clients to access one
or more
protected Internet-facing applications without being prompted for secondary credentials, if the user accounts and applications
are
located in different networks or organizations.
You should not install the Active Directory Lightweight Directory Services (AD LDS) role service. AD LDS provides a store for
application-specific data for directory-enabled applications that do not require the infrastructure of Active Directory Domain
Services
(AD DS). AD LDS does not provide Web-based SSO capabilities to enable browser-based clients to access one or more
protected
Internet-facing applications without being prompted for secondary credentials.

Created: 18/04/2013
Version: 1.0
Document1
Page 19 of 133
You should not install the AD DS role service. AD DS stores information about objects on the network and makes this
information
available to users and network administrators. AD DS uses domain controllers to provide network users with access to permitted
resources anywhere on the network through a single logon process. AD DS does not provide Web-based SSO capabilities to
enable
browser-based clients to access one or more protected Internet-facing applications without being prompted for secondary
credentials, if
the user accounts and applications are located in different networks or organizations.
You are the network administrator for your company. Your company's network has a single Active Directory domain with over
700 user
accounts and 800 computer accounts. You have one main office and four branch offices. Each office is configured as its own
Active
Directory site. One of the branch offices has a read-only domain controller (RODC).
A technician named Mike who usually works in the main office, travels to the branch office which has the RODC. Mike is
investigating
why the WAN link that connects the branch office to the main office is offline. When Mike attempts to log on to the domain wi th
his
portable computer, the logon attempt fails. Mike's user account is configured in the Password Replication Policy. After fixing the
WAN
link, Mike is able to log on to the domain.
If the WAN link goes down again and you have to dispatch another technician, you want the technician to be able to log on to
the
domain even if the WAN link is down. Your solution must be inexpensive and use little bandwidth. What must you do?
*'Active Directory Lightweight Directory Services (AD
LDS)
*'Active Directory Directory Services (AD
DS)
Answer:
Active Directory Federation Services (AD
FS)
Item: 24 (Ref:Cert-70-640.3.3.4)
*'Install a global catalog server on the
RODC.
*'Have the technician use Repadmin to force
replication.
*'Have the technician restart the workstation service on his portable compuer and log in
again.
*'Prepopulate the password cache of the RODC in the branch office with the password of the technician and the
technician's
portable computer.
Page 25 of 173
Explanation:
You should prepopulate the password cache of the RODC in the branch office with the password of the technician and the
technician's
portable computer. The Password Replication Policy lists the accounts that are permitted to be cached, and the accounts that
are
explicitly denied from being cached. The Password Replication Policy is configured and enforced on a writable domain
controller. When
the technician logs in at the branch office, the RODC contacts the writable domain controller at the main office. If the Password
Replication Policy allows it, the RODC caches the technician's password. However, if the WAN link is offline when the
technician
attempts to log on, then the technician's logon attempt will fail because the RODC has not yet replicated the password for the
account.
You can avoid this problem by prepopulating the password cache of the RODC in the branch office with the password of the
technician
and the technician's computer. Prepopulating the password cache eliminates the need for the RODC to replicate the password
from a
Windows Server 2008 domain controller over the WAN link. Prepopulating the password cache requires no extra bandwidth.
You should not install a global catalog server on the RODC. A global catalog server is a domain controller that provides the
ability to
locate objects from any domain without having to know the domain name. The global catalog server contains a writable domain
directory partition replica of its host domain and also stores a partial, read-only replica of all other domain directory partitions in
the
forest. Adding a global catalog server to the RODC will not eliminate the problem of the technician's password not being cached
if the
user has not logged in at the branch office before the WAN link has gone down. Adding a global catalog server will also
increase the
bandwidth requirements of the WAN link because the global catalog server must replicate with other global catalog servers.
You should not have the technician use Repadmin to force replication. You will not be able to force replication if the WAN link is
down.

Created: 18/04/2013
Version: 1.0
Document1
Page 20 of 133
You should not have the technician restart the workstation service on his computer and log on again. The workstation service
creates
and maintains client network connections to remote servers. The error is not occurring because the technician cannot contact
the
RODC, but because the RODC cannot authenticate the technician.
You are the network administrator for your company. The company's network consists of a single Active Directory domain. The
servers
on the network run Windows Server 2008 and Windows Server 2003. The company's network contains a domain controller,
named
DC1, which runs Windows Server 2008.
The company opens a new branch office that will be used by employees in the Marketing department. The branch office is
located in a
physically insecure location. You are in the process of installing a server in the branch office. You want to meet the following
requirements:
Users' logon requests are serviced locally.
Users' credentials are not misused if the server is compromised.
Network traffic between the main office and the branch office is reduced.
What should you do to achieve the desired goals?
Answer:
Prepopulate the password cache of the RODC in the branch office with the password of the technician and the
technician's portable computer.
Item: 25 (Ref:Cert-70-640.3.3.9)
*'Install Active Directory Domain Services (AD DS) in the branch
office.
*'Install a read-only domain controller (RODC) in the branch
office.
*'Install Active Directory Federation Services (AD FS) in the branch
office.
*'Install Active Directory Lightweight Directory Services (AD LDS) in the branch
office.
Answer:
Install a read-only domain controller (RODC) in the branch
office.
Page 26 of 173
Explanation:
You should install a read-only domain controller (RODC) in the branch office. An RODC is a new type of domain controller in
Windows
Server 2008 that hosts a read-only replica of the Active Directory database. An RODC allows you to easily deploy a domain
controller
at locations where physical security cannot be guaranteed, such as branch office locations or an extranet. The RODC provides
various
new functionalities, such as credential caching, unidirectional replication, and the Read-Only Partial Attribute Set, which can be
used to
mitigate problems related to physical security, network bandwidth, and so on. The Read-Only Partial Attribute Set is also
referred to as
the Filtered Partial Attribute Set. Credential caching is the storage of user or computer credentials. You can configure the
Password
Replication Policy on a writable domain controller to specify whether an RODC should be allowed to cache a password. The
Read-Only
Partial Attribute Set can be used to prevent replication of sensitive information. Active Directory Domain Services (AD DS)
maintains a
list of all credentials that are stored on RODCs, which allows an administrator to force a password reset for all user credentials
stored
on an RODC if the RODC is ever compromised.
By allowing caching of credentials, requirement 1 would be met since authentication could then be performed locally on the
RODC. By
forcing a password reset from the AD DS in the main office, the credentials could be protected to meet requirement 2. By
performing
logins locally, traffic between the main office and the branch office could be reduced, which would meet requirement 3.
You should not install AD DS in the branch office. AD DS hosts a writable Active Directory database. AD DS stores information
about
objects on the network and makes this information available to users and network administrators. AD DS also replicates this
information
to other domain controllers, which takes a considerable amount of network bandwidth. In addition, AD DS is not recommended
for
installation at physically insecure locations.
You should not install Active Directory Federation Services (AD FS) in the branch office. AD FS provides simplified, secure
identity
federation and Web Single-sign-on (SSO) capabilities. AD FS cannot be used to meet the requirements specified in this
scenario.

Created: 18/04/2013
Version: 1.0
Document1
Page 21 of 133
You should not install Active Directory Lightweight Directory Services (AD LDS) in the branch office. AD LDS provides a store
for
application-specific data for directory-enabled applications that do not require the infrastructure of AD DS. AD LDS cannot be
used to
meet the requirements specified in this scenario.
You are the network administrator for a city government. The city government's network has a single domain with Windows
2000
servers, Windows 2003 servers, and Windows 2008 servers. (Click on the Exhibit(s) button.)
Client computers are running Windows XP and Windows Vista. All domain controllers run Windows Server 2003 or Windows
Server
2008.
You want to deploy Active Directory Rights Management System (AD RMS) to secure all documents, spreadsheets and to
provide user
authentication. You have a limited budget. What must you configure to complete the deployment of AD RMS?
Item: 26 (Ref:Cert-70-640.3.2.5)
*'Upgrade all client computers to Windows Vista. Install AD RMS on
DC1.
*'Ensure that all Windows XP computers have the latest service pack and install the RMS client on all Windows XP
computers.
Install AD RMS on DC1.
*'Upgrade all client computers to Windows Vista. Install AD RMS on
SRV5.
*'Ensure that all Windows XP computers have the latest service pack and install the RMS client on all Windows XP
computers.
Install AD RMS on SRV5.
Answer:
Ensure that all Windows XP computers have the latest service pack and install the RMS client on all Windows XP
computers. Install AD RMS on SRV5.
Page 27 of 173
Explanation:
You should ensure that all Windows XP computers have the latest service pack, install the RMS client on all Windows XP
computers,
and install AD RMS on SRV5 to achieve the objective in this scenario. You can only deploy the AD RMS on a member server in
the
domain. You cannot deploy AD RMS on a server that does not run the Windows Server 2008 operating system. You can deploy
AD
RMS on a domain controller, but not on one that is running Windows Server 2003. Windows Vista includes the RMS client by
default.
However, operating systems released before Windows Vista and Windows Server 2008 do not have the RMS client installed. To
use
AD RMS service on a Windows XP operating system, you can download and install the RMS client from the Microsoft Download
Center
(Microsoft Windows RMS with Service Pack 2 (SP2)). By using AD RMS, you can protect the documents for AD RMS-enabled
applications by providing appropriate user rights and permissions to the documents, such as copy, edit, view, and print.
To install AD RMS in Windows Server 2008, perform the following steps:
1. Click Start, click Administrative Tools, and click Server Manager.
2. In the Server Manager window, click Add Roles.
3. Highlight AD RMS and click Next to complete the installation.
to
Windows Vista will make the AD RMS services available, as Windows Vista has the default RMS client installed on it. However,
it
cannot be done with minimum administrative effort, and it would add additional cost.
Your corporate network consists of a single Active Directory domain. All client computers run either Windows 2000 Professional
or
Windows XP Professional. All servers run Windows Server 2008. An organizational unit (OU) exists for each department. In
each of the
departmental OUs, there are two child OUs; one OU contains the user objects for that department's employees, and the other
OU
contains the computer objects for the client computers that are assigned to that department. Each user can log on to the domain
from
different client computers in different departments.
To meet the requirements that are stipulated in a written security policy, a logon script must be run whenever a user logs on to
the
domain. One logon script must be run on all Windows XP computers, and another logon script must be run on all Windows 2000
computers. You have created one Group Policy object (GPO) for each of the two operating systems, and you have named the
GPOs
XP and W2K. Now you must apply the GPOs to the appropriate computers. You must also minimize the number of links for
each GPO.
Item: 27 (Ref:Cert-70-640.4.3.4)

Created: 18/04/2013
Version: 1.0
Document1
Page 22 of 133
*'Create two groups named XP and W2K, add the computer accounts of all Windows XP Professional computers to
the XP group,
and add the computer accounts of all Windows 2000 Professional computers to the W2K group. Assign the Allow - Apply
Group
Policy permission to each group for the appropriate GPO. Link both GPOs to the domain.
*'In each of the GPOs, specify the appropriate WMI filter, link both GPOs to the domain, and do nothing
else.
*'In each of the GPOs, specify the appropriate WMI filter and enable the loopback processing mode. Link both GPOs
to the
domain.
*'In each OU that contains departmental client computers, create two child OUs. Move all computer objects for that
department's
Windows 2000 Professional computers into one child OU, and move all computer objects for that department's Windows XP
Professional computers into the other child OU. Link the XP GPO to each child OU that contains Windows XP Professional
computers; link the W2K GPO to each child OU that contains Windows 2000 Professional computers.
Answer:
Page 28 of 173
Explanation:
There are two types of GPO policies: computer-specific and user-specific. By default, computer-specific policies apply to
computer
objects, and user-specific policies apply to user objects. To apply a GPO, it must be linked to a site, domain, or OU that contains
the
targeted user or computer objects. The default scope of a GPO can be filtered by assigning the Deny - Apply Group Policy
permission
for the GPO to the users or computers to which the GPO should not apply. Another means of filtering the default scope of a
GPO is
Windows Management Instrumentation (WMI) filters. By using WMI Query Language, you can define a filter that will cause a
GPO to
apply only to specific computers, such as those that run a specific operating system, have specific names, and so on.
In this scenario, you are required to target specific computers with a logon script, which is a user-specific policy. This task can
be
accomplished by using the loopback processing mode, which is an advanced feature that enables you to apply user-specific
policies
that are configured in GPOs that target computer objects to all users of those computers. You should link both GPOs to the
domain so
that they apply to all computers in the domain. In the XP GPO, you should specify the WMI filter that targets computers that run
Windows XP Professional. Windows 2000 Professional computers cannot read a WMI filter. In the W2K GPO, you should
specify the
WMI filter that targets computers that do not run Windows XP Professional. The W2K GPO will not apply to the Windows XP
Professional computers. In both GPOs, you should enable the User Group Policy loopback processing mode policy. Doing
so will
apply the logon script policies in the GPOs to all users who log on to the domain from the computers that are targeted by these
GPOs.
You can set the loopback policy to Replace if you do not want any GPOs that target a current user to be applied. If you want a
current
user to be subject to user-specific policies in the GPOs that target both the user and the computer, then you should set the
loopback
policy to Merge.
None of the other options in this scenario involves using the loopback processing mode, which is necessary in order to apply a
userspecific
policy that is configured in a GPO that targets computers.
You are the network administrator for a company that manufactures auto parts. Your company has a single forest with multiple
domains. All domain controllers run either Windows Server 2003 or Windows 2000 Server. You want to install a Windows
Server 2008
domain controller in a child domain.
What three actions will you need to perform? (Choose three.)
Explanation:
To add a Windows Server 2008 domain controller to a forest that has domain controllers running Windows 2000 Server or
Windows
Server 2003, you must update the Active Directory schema from the domain controller that hosts the schema master role. You
should
run adprep /forestprep on the schema master. You must be a member of the Enterprise Administrators group and Schema
Administrators group to perform this task.
You must also prepare the domain that will have the Windows Server 2008 domain controller installed by running
adprep /domainprep /gpprep from the domain controller that hosts the infrastructure master in that domain. You will get an
error when
In each of the GPOs, specify the appropriate WMI filter and enable the loopback processing mode. Link both GPOs
to the domain.
Item: 28 (Ref:Cert-70-640.2.1.2)
M|.Ensure that you are a member of the Enterprise Admins, Schema Admins, and Domain Admins
groups.

Created: 18/04/2013
Version: 1.0
Document1
Page 23 of 133
M|.Log on to the schema master and run
adprep /forestprep.
M|.Log on to the domain naming master and run
adprep /forestprep.
M|.Log on to the PDC emulator in the domain and run
adprep /domainprep /gpprep.
M|.Log on to the infrastructure master in the domain and run
adprep /domainprep /gpprep.
Answer:
Ensure that you are a member of the Enterprise Admins, Schema Admins, and Domain Admins
groups.
Log on to the schema master and run adprep /forestprep.
Log on to the infrastructure master in the domain and run adprep /domainprep /gpprep.
Page 29 of 173
you run adprep /domainprep /gpprep on Windows 2003 domains, but you can ignore this error. The error occurs because you
do not
need to use the /gpprep parameter when upgrading a Windows Server 2003 domain, but only when upgrading a Windows 2000
Server
domain. You must be a member of the Domain Admins group to perform this task.
When you run either the adprep /forestprep or adprep /domainprep command, you should not use the command version
included in
either the Windows 2000 Server or Windows Server 2003 media. You must use the version of adprep included in the Windows
Server
2008 media in the \sources\adprep folder. You should copy the folder from this folder to the an existing Windows Server 2003
or
Windows Server 2000 domain controller.
You should not run adprep /forestprep from the domain naming master. This command must be run from the domain controller
that is
the schema master in the forest.
You should not run adprep /domainprep /gpprep from the PDC emulator. This command must be run from the infrastructure
master of
that domain.
You are the network administrator for your company. The company has a main office and one branch office. The company's
network
consists of a single Active Directory domain. The domain controller in the main office is named Server1 and the domain
controller in the
branch office is named Server2.
You install Windows Server 2008 on all servers on the network. You want to configure Distributed File System (DFS) Replication
between Server1 and Server2. You install the File Services role with the DFS Replication role service on Server1 and Server2.
You
want to configure Server1 and Server2 as members of a replication group.
Which tool can you use to create a replication group?
Explanation:
You can use the Dfsradmin.exe tool to create a replication group. DFS Replication is a new, state-based, multimaster
replication
engine that supports replication scheduling and bandwidth throttling. DFS Replication is the successor of the File Replication
service
(FRS) that was introduced in the Windows 2000 Server operating system. DFS Replication uses several processes to keep data
synchronized on multiple servers. Before you can deploy DFS Replication, you must configure your server as follows:
Extend the Active Directory Domain Services (AD DS) schema to include Windows Server 2003 R2 or Windows Server 2008
schema additions.
Ensure that all members of the replication group are running Windows Server 2008 or Windows Server 2003 R2.
Install the File Services role with the DFS Replication role service on all servers that will act as members of a replication group.
Install the DFS Management snap-in on a server to manage replication. The server on which you install the DFS Management
snap-in cannot run a Server Core installation of Windows Server 2008.
Ensure that your antivirus software is compatible with DFS Replication.
Ensure that all servers in a replication group are located in the same forest. You cannot enable replication across servers in
different forests.
Store replicated folders on NTFS volumes.
Replication groups and replicated folders are two important components of DFS Replication. The replication group defines
which
servers participate in replication. A replicated folder is a folder that is kept synchronized on each member. You can use the
Dfsradmin.exe tool to deploy replication folders. The Dfsradmin.exe is a command-line tool for the DFS that can be used to
administer DFS replication from the command line.
The Dfsutil.exe tool is incorrect because this tool cannot be used to create a replication group. The Dfsutil.exe tool allows
Item: 29 (Ref:Cert-70-640.2.4.6)
*'Dfsutil.exe
*'Dfscmd.exe
*'Dfsradmin.exe
*'Dfsrdiag.exe
Answer:

Created: 18/04/2013
Version: 1.0
Document1
Page 24 of 133
Dfsradmin.exe
Page 30 of 173
administrators to perform advanced DFS tasks, such as enabling root scalability mode, least expensive target selection, and
same-site
target selection. The Dfsutil.exe tool is also useful for determining the size of a namespace, exporting or importing
namespaces,
checking the site name of a computer or IP address, adding and removing root targets, and updating site information for root
servers.
When you install Dfsutil.exe on DFS clients, Dfsutil.exe can be used to view and clear the referral cache (PKT cache), domain
cache
(SPC cache), and MUP cache.
The Dfscmd.exe tool is incorrect because this tool cannot be used to create a replication group. The Dfscmd.exe tool allows
administrators to perform and script basic DFS tasks, such as configuring DFS roots, links, and targets.
The Dfsrdiag.exe tool is incorrect because this tool cannot be used to create a replication group. Dfsrdiag.exe is a command-
line tool
that can generate a backlog count or trigger a propagation test, both of which show the state of replication.
Explanation:
Item: 30 (Ref:Cert-70-640.4.6.8)
You are the network administrator for a company that makes cookies and baked goods. Your company has a single domain.
The
domain controllers are a mixture of Windows 2003 Server and Windows Server 2008 computers. Each department has its own
Organizational Unit (OU) in the domain.
The users in the Accounting OU need to have different password settings than other departments. What should you configure?
(Click
and drag the steps on the left to the Correct Order area on the right. It may not be necessary to use all the steps provided.)
Page 31 of 173
In a domain that has the domain functional level set to Windows Server 2008, you can configure fine-grained passwords. With
previous
domain functional levels, such as Windows 2000 Server and Windows Server 2003, you could only have a single password
policy or
account lockout policy for all users in the domain. In this scenario, you must first upgrade all domain controllers to Windows
Server
2008. Once this task has been completed, you can raise the functional level of the domain to Windows Server 2008. Once the
domain
functional level has been configured at Windows Server 2008, then you can create a Password Settings Object (PSO). This
PSO will
contain attributes for Password Policy Settings or Account Lockout Settings. You can configure the appropriate values for the
attributes.
You can then link the PSO to a user object or a group object. A user or group object can have multiple linked PSOs, either
because the
object is a member of multiple groups with different PSOs applied to them, or because multiple PSOs are applied directly to the
object.
However, only one PSO can be applied as the effective password policy, and only the settings from that PSO can affect the
user or
group. The settings from other PSOs that are linked to the user or group cannot be merged in any way.
To ensure that the PSO that you configured is applied as intended, you can set the rank of the PSOs. The PSO with the highest
rank
applies to the group or user object. The rank is configured by the msDS-PasswordSettingsPrecedence attribute, which has a
value of
1 or greater. The lower the value, the higher the rank. For example, if a PSO that is linked to a user has a value of 1, and a PSO
that is
linked to a group that a user belongs to has a value of 2, then the password settings in the PSO that has the value of 1 apply to
the
user.
You do not have to create a child domain for the accounting users. You can create a PSO and link it to a group or user to
configure
fine-grained passwords if the functional level of your domain is configured at Windows Server 2008. With previous domain
functional
levels such as Windows 2000 Server and Windows Server 2003, you would have to create another domain if you had a
department or
group that required different password policies or account lockout policies than other departments or groups.
You administer your company's network. The network consists of a single Active Directory domain. All servers run Windows
Server
2008, and all client computers run Windows Vista. The network contains an enterprise issuing certification authority (CA). The
company's written security policy stipulates that certificates for administrators, key recovery agents and EFS recovery agents
are
restricted; they can be issued only after approval by one of the specially designated administrators. Other types of certificates
do not

Created: 18/04/2013
Version: 1.0
Document1
Page 25 of 133
have to be approved.
You create a security group named SpecialAdmins and add the accounts of the users who will approve the certificates to the
group.
You must enforce the company policy.
Item: 31 (Ref:Cert-70-640.6.1.4)
*'Assign the Allow - Full Control permission for the restricted certificate templates to the SpecialAdmins
group.
*'Enable role separation for the CA, and assign the SpecialAdmins group to the CAAdministrator role.
*'Assign the Allow - Issue and Manage Certificates permission for the CA to the SpecialAdmins
group.
*'Enable the Number of authorized signatures option, and specify 1 on the Issuance Requirements tab of the
restricted
templates' Properties sheets.
Answer:
Assign the Allow - Issue and Manage Certificates permission for the CA to the SpecialAdmins
group.
Page 32 of 173
Explanation:
By default, the Enterprise Admins group in the forest root domain, the Domain Admins group in the domain to which an
enterprise
CA belongs, and the local Administrators group on the CA are assigned the Allow - Issue and Manage Certificates and
Allow -
Manage CA permissions for the CA. The latter permission provides the ability to assign permissions for the CA. To enable
members of
the SpecialAdmins group to approve certificates, you should assign the group the Allow - Issue and Manage Certificates
permission
for the CA. This permission allows a user to approve certificate enrollment and revocation requests. You should also duplicat e
the
Administrator and EFS Recovery Agent certificate templates because they are version 1 templates, which are read-only and
therefore
cannot be configured. The duplicates, as well as the Key Recovery Agent template, are version 2 templates, which support the
requisite
functionality.
On the Issuance Requirements tab of the Properties sheets for those templates, you should select CA certificate manager
approval. When users submit requests for the certificates that are based on any of those templates, their requests will be
considered
as pending and will be approved or denied manually by members of the SpecialAdmins group. Members of the
SpecialAdmins group
do not require any permissions for the restricted certificate templates in order to be able to approve requests for certificates
based on
those templates.
By default, the Manage CA permission allows an administrator to perform any activity on the CA, including assigning
permissions for
the CA. To maintain proper security, you might want to remove the Issue and Manage Certificates permissions from the
groups that
are assigned it by default. However, any member of those groups has the authority to assign it to himself or herself again. To
prevent
this from happening, you might want to enable role separation on the CA. If role separation were enabled, then no more than
one role
would be permitted for each user. For example, if you assigned the Allow - Manage CA permission to the SpecialAdmins
group, then
its members would become CA Managers; they would be able to assign permissions for the CA to other users, but they would
not be
able to approve certificate requests. If they assigned the Allow - Issue and Manage Certificates to themselves, then they
would be
locked out of the CA and would not be able to perform any activity on the CA.
If the Number of authorized signatures option is enabled for a certificate template, then all requests for certificates based on
that
template must be digitally signed by the users who have the appropriate authority, which is defined by application or issuance
policies.
The requests without the specified number of authorized signatures are not processed by the CA. The scenario does not require
that
requests for restricted certificates be signed; it requires that those requests be processed manually by members of the
SpecialAdmins
group.
You are the administrator for Verigon Corporation, which imports antique swords and antique military uniforms for resale. Your
company's network has a single domain. All domain controllers run Windows Server 2008, and all client computers run
Windows Vista.
You have a public key infrastructure with a subordinate enterprise Certification Authority (CA) that issues certi ficates on behalf
of the

Created: 18/04/2013
Version: 1.0
Document1
Page 26 of 133
root CA.
Your company uses a proprietary application that tracks the inventory that has been imported. All company employees use the
application to view inventory levels and run reports. You want to ensure that only users in the AntiqueAdmins global group can
perform maintenance on the application. Since the application requires a user certificate to perform maintenance, you want to
ensure
that the AntiqueAdmins global group are automatically issued a certificate. You configure the certificate template for
autoenrollment in
the Certification Authority, then you link the group policy object to distribute the certificates to domain.
What else should you do to ensure that only the AntiqueAdmins global group can perform maintenance on the application?
Item: 32 (Ref:Cert-70-640.6.2.1)
*'Configure the AntiqueAdmins global group to have Read and Enroll permissions on the certificate template.
Remove permissions
from other groups.
*'Configure the AntiqueAdmins global group to have Read permissions on the group
policy.
*'Configure the AntiqueAdmins global group to have Full Control NTFS permissions for the application directory.
Remove
permissions from other groups.
*'Change the request handling of the default policy module of the
CA.
Answer:
Configure the AntiqueAdmins global group to have Read and Enroll permissions on the certificate template. Remove
Page 33 of 173
Explanation:
You should configure the AntiqueAdmins global group to have Read and Enroll permissions on the certificate template and
remove
permissions from other groups. You can limit who is given permissions for autoenrollment to a particular certificate by limit ing
the
permissions on the certificate template. This can be done by performing the following steps:
1. Open the Certificate Templates snap-in.
2. Right-click the appropriate certificate template that you want to change, and then click Properties.
3. On the Security tab, add the users or groups that you want and, under Allow, select the Read, Enroll, and Autoenroll
check boxes. Remove the users or groups that will not have these permissions.
On the Request Handling tab of the certificate, you should also click Enroll subject without requiring any user input. This
action
will ensure that the AntiqueAdmins global group will be able to autoenroll without administrator intervention.
You do not have to configure the AntiqueAdmins global group to have Read permissions on the group policy. The
authenticated users
group is already given Read permissions on a GPO. The GPO will apply to all users because the authenticated users group has
permissions. You can limit the GPO by removing the authenticated users group's Read permission and adding the Read
permission to
the AntiqueAdmins global group.
You should not change the request handling of the default policy module of the CA. The policy module on the CA has its request
handling configured to automatically issue a certificate based on the rules of the certificate template. If you change the request
handling
of the CA, then the certificate status of all requests is set to pending. This means that the administrator must approve each
certificate.
In the scenario, you want to have certificates automatically issued to the AntiqueAdmins global group. If the administrator has
to
approve each request, then the certificates will not be issued automatically. You can change the request handling behavior of
the CA by
performing the following steps:
1. In the Certificate Server Snap-in, highlight the Certificate Server.
2. Right-click the server and click Properties.
3. Click the Policy Module tab and click Properties.
4. Change the option to Set request status of certificate to pending.
You should not configure the AntiqueAdmins global group to have Full Control NTFS permissions for the application directory
and
remove permissions from other groups. This action will prevent other users from using the application. The other users must
have at
least the NTFS Read permission to be able to see the files in the application directory. In the scenario, it states that all users
need to
use the application. You want to ensure that only the AntiqueAdmins global group can perform maintenance, not block other
users'
access to the application.
The following image shows the permissions available for configuration on the certificate template:
permissions from other groups.
Page 34 of 173

Created: 18/04/2013
Version: 1.0
Document1
Page 27 of 133
You are the network administrator for a company that tracks and distributes royalties to recording artists. Your network has a
single
domain. The functional level of the domain and the forest domain is Window Server 2003. Your domain controllers run either
Windows
Server 2003 or Windows Server 2008.
You create a GPO to assign applications to users in the Accounting OU. You want this GPO to assign the same applications to
users
in the Sales OU and Finance OU with the least administrative effort.
What should you do?
Explanation:
You should simply link the GPO in the Accounting OU to the Sales OU and Finance OU. The GPO will apply to users in the
container
to which it is linked. This GPO will also apply to users in sub-containers if sub-container inheritance is not blocked. By default,
the
authenticated users group has permissions to the GPO. You could change this permission to limit the GPO to apply to only
certain
users within a container.
You do not have to use the Group Policy Management Console (GPMC) to back up the GPO from the Accounting OU. and
import the
Item: 33 (Ref:Cert-70-640.4.4.1)
*'Use the Group Policy Management Console (GPMC) to back up the GPO from the Accounting OU. Import the
GPO into a GPO
at the Sales OU and Finance OU.
*'Use the GPO in the Accounting OU as a Starter GPO, and create GPOs in the Sales OU and Finance OU based
on the GPO in
the Accounting OU.
*'Link the GPO in the Accounting OU to the Sales OU and Finance
OU.
*'Create a global group for the users in the Sales OU and create a global group for the users in the Finance OU.
Assign
permissions for the global groups to the GPO in the Accounting OU.
Answer:
Link the GPO in the Accounting OU to the Sales OU and Finance
OU.
Page 35 of 173
GPO into a GPO at the Sales OU and Finance OU. You can use backup function to create a copy of a GPO. You can also use
the
GPMC to import the settings from the backed up GPO into a new GPO. Typically you would use this functionality to copy a GPO
to
another forest. In this scenario, however, you can simply link the Accounting GPO to the appropriate OUs.
You cannot use the GPO in the Accounting OU as a Starter GPO. A Starter GPO cannot be linked to an OU. A Starter GPO
can be
used as a template to create new GPOs. In this scenario, the GPO has already been linked to the Accounting OU. This GPO
will not
appear in the Starter GPO folder.
You should not create a global group for the users in the Sales OU and the Finance OU and assign permissions for the global
groups
to the GPO in the Accounting OU. This solution will not work because the GPO is only linked to the Accounting OU. You need
to
have the GPO linked at the Sales OU and the Finance OU. By default, the authenticated users group has permissions to the
GPO.
You can change this permission to limit the GPO to apply to only certain users within a container.
You are the network administrator for the Metroil corporation. The company's network contains servers that run Windows Server
2008.
A server named SRV1 is configured as a Domain Name System (DNS) server on the network to handle name resolution from
users.
SRV1 contains an Active Directory-integrated zone that holds DNS data for network users.
You discover that the primary zone on SRV1 contains entries for computers that are unknown to you and not part of your
domain. What
should you do to prevent this from happening in the future?
Explanation:
You should select the Secure Only option in the properties of the primary zone. When the Secure Only option is not selected,
computers that are not members of the domain will be allowed to register with DNS. This can result in unknown computer
records.
Therefore, selecting this option would stop unknown computers from registering in DNS.
You should not right-click the DNS server node in the DNS Manager snap-in and click the Scavenge Stale Resource Records
option.
Aging and scavenging is a feature of DNS that provides a mechanism for performing cleanup and removal of stale records,
which can
accumulate in zone data over time. Aging and scavenging of stale records are features of DNS that are available when you
deploy a

Created: 18/04/2013
Version: 1.0
Document1
Page 28 of 133
Item: 34 (Ref:Cert-70-640.1.1.7)
*'Right-click the DNS server node in the DNS Manager snap-in and click the Set Aging/Scavenging for All Zones
option.
*'Select the Enable automatic scavenging of stale records option on the Advanced tab in the Properties dialog
box of the DNS
server.
*'Select the Secure Only option in the properties of the primary
zone.
*'Right-click the DNS server node in the DNS Manager snap-in and click the Scavenge Stale Resource Records
option.
Answer:
Select the Secure Only option in the properties of the primary zone.
Page 36 of 173
DNS server with primary zones. Records are automatically added to zones when computers start on the network if you have
configured
dynamic updates. However, in some cases, they are not automatically removed when computers leave the network. When you
configure aging and scavenging, DNS servers can determine that records have aged to the point of becoming stale and remove
them
from zone data. You can start scavenging of stale resource records immediately even if you have not configured the aging and
scavenging feature. To do this, you should right-click the DNS server node in the DNS Manager snap-in and click the Scavenge
Stale
Resource Records option. However, this will not prevent unknown computers from registering in DNS.
You should not right-click the DNS server node in the DNS Manager snap-in and click the Set Aging/Scavenging for All
Zones option
because this option is used to configure aging and scavenging for all DNS zones on a DNS server. Clicking the Set
Aging/Scavenging
for All Zones option does not prevent unknown computers from registering in DNS.
You should not select the Enable automatic scavenging of stale records option on the Advanced tab in the Properties
dialog box of
the DNS server. This option allows you to enable automatic scavenging of stale records on a DNS server. Selecting the Enable
automatic scavenging of stale records option does not prevent unknown computers from registering in DNS.
You are the network administrator for a company that manufactures automobiles. You have a showroom in your lobby where
guests
and employees can access the Internet from their portable computers. The DHCP server grants the user an IP address, a
gateway, and
a DNS server.
Your DNS server is a Windows Server 2008 with an Active Directory-integrated zone named company.com. After investigating
your
DNS server, you notice that only employees are able to generate A records, but both guest computers and employees are
creating PTR
records.
How can you prevent PTR records from guests from being created without affecting the employees' access to resources?
Item: 35 (Ref:Cert-70-640.1.1.2)
*'Disable the reverse lookup
zone.
*'Convert the reverse lookup zone to a secondary
zone.
*'Ensure that the reverse lookup zone is an Active Directory-integrated zone and set dynamic updates to Secure
Only.
Page 37 of 173
Explanation:
You should ensure that the reverse lookup zone is an Active Directory-integrated zone and set dynamic updates to Secure
Only. In this
scenario, both employees of the company and guests are able to create PTR records in the reverse lookup zone. Since only A
records
of employees are added to the forward lookup zone, then we can conclude that dynamic updates are set to Secure Only. The
reverse
lookup zone in this case does not support secure dynamic updates. The reverse lookup zone may not be an Active Directory-
integrated
zone, or it might be an Active Directory-integrated zone with dynamic updates set to Secure and Nonsecure. Secure dynamic
updates
only allow computers that are members of the domain to add A records in a forward lookup zone or PTR records in a reverse
lookup
zone. By configuring the dynamic updates setting to Secure Only, you can configure secure dynamic updates. This will prevent
nondomain
users, such as guests, from adding PTR records to the reverse lookup zone.
You should not disable the reverse lookup zone. Although this would prevent guests from creating PTR records, it would
prevent

Created: 18/04/2013
Version: 1.0
Document1
Page 29 of 133
employees from creating PTR records as well. PTR records are reverse lookup records that assist in name resolution. Disabling
the
reverse lookup zone would disable the name resolution capabilities of the employees.
You should not convert the reverse lookup zone to a secondary zone. A secondary zone holds a read-only copy of the zone and
pulls
an updated copy of the zone from a master server. A secondary zone would prevent the guests from creating PTR records, but
would
also prevent employees from adding PTR records to this zone. The employee's computers would have to register with the
master DNS
to add records to this zone. Since employees and guests are given the same IP address of the DNS server through DHCP, they
will
register with the same DNS. You would have to configure the DHCP server to give different IP addresses for the DNS server to
employees and to guests.
You should not ensure that the reverse lookup zone is an Active Directory-integrated zone and set dynamic updates to None.
Although
this would prevent guests from creating PTR records, it will prevent employees from creating PTR records as well. PTR records
are
reverse lookup records that assist in name resolution. Setting dynamic updates to None would prevent the name resolution
capabilities
of the employees.
You are a network administrator for your company. Your corporate network consists of a single Active Directory domain. All
servers run
Windows Server 2008. Several application operators belong to a group named AppOperators, and their user objects are
located in an
organizational unit (OU) named AppOperators. Several application servers belong to the AppServers group, and their
computer
objects are located in the AppServers OU. You must configure a Group Policy object (GPO) in order to allow the application
operators
to log on interactively at the application servers.
*'Ensure that the reverse lookup zone is an Active Directory-integrated zone and set dynamic updates to
None.
Answer:
Ensure that the reverse lookup zone is an Active Directory-integrated zone and set dynamic updates to Secure
Only.
Item: 36 (Ref:Cert-70-640.4.3.2)
*'Configure a GPO that assigns the Allow log on locally user right to the AppOperators OU, and link the GPO to
the AppServers
OU.
*'Configure a GPO that assigns the Allow log on locally user right to the AppServers OU, and link the GPO to the
AppOperators
OU.
*'Configure a GPO that assigns the Allow log on locally user right to the AppOperators group, and link the GPO to
the
AppServers OU.
*'Configure a GPO that assigns the Allow log on locally user right to the AppServers group, and link the GPO to the
AppOperators OU.
Answer:
Configure a GPO that assigns the Allow log on locally user right to the AppOperators group, and link the GPO to the
AppServers OU.
Page 38 of 173
Explanation:
The ability to log on interactively is controlled by the Allow log on locally user right. All user rights are computer-specific
policies.
Policies can be configured in GPOs. GPOs are applied to user objects and computer objects. Computer-specific policies in a
GPO
apply to computers, and user-specific policies in a GPO apply to users. To apply a GPO, an administrator should link it to an
OU,
domain, or site where the target user or computer objects reside.
In this scenario, you should create a GPO and, in that GPO, assign the Allow log on locally user right to the AppOperators
user
group. To apply the GPO to the appropriate computers, you should link the GPO to the AppServers OU.
The Allow log on locally user right can be assigned only to security principals, such as users and user groups; it cannot be
assigned
to OUs.
You should not link the GPO to the AppOperators OU because user rights are computer-specific policies, which are not applied
to user
objects.
You are the network administrator for your company. The company has a main office and five branch offices. Each office has its
own
Active Directory site, and Active Directory replication is configured between each office.

Created: 18/04/2013
Version: 1.0
Document1
Page 30 of 133
Your company opens a new branch office that has its own Active Directory site. You are required to configure Active Directory
replication for the new office. Before configuring Active Directory replication for the new office, you want to view the current
replication
topology between the main office and all the branch offices in a graphical format. Which tool should you use?
Explanation:
You should use the Replmon.exe tool. Replmon.exe is a tool that enables administrators to view the low-level status of Active
Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the
status
and performance of domain controller replication. The Replmon.exe tool must be installed on a computer running Windows
Server
2003 or Windows Server 2008. The computer can be a domain controller, member server, member workstation, or stand-alone
computer.
You should not use the Repadmin.exe tool. Repadmin.exe is a command-line tool that can be used to view the replication
information
on domain controllers. By using the Repadmin.exe tool, you can determine the last successful replication of all directory
partitions,
identify inbound and outbound replication partners, identify the current bridgehead servers, view object metadata, and generally
manage the Active Directory replication topology for both AD DS and AD LDS replication. You can also use the Repadmin.exe
tool to
force replication of an entire directory partition or a single object, and list domain controllers in a si te. The Repadmin.exe tool
cannot be
used to view replication topology in a graphical format.
You should not use the Ntdsutil.exe tool. Ntdsutil.exe is also a command-line tool that provides management capabilities for
Active
Directory. You can use Ntdsutil.exe to perform Active Directory database maintenance, manage and control single-master
operations,
and remove replication metadata left behind by domain controllers that are removed from the network without uninstalling Acti ve
Directory. The Ntdsutil.exe tool cannot be used to view replication topology in a graphical format.
You should not use the Wbadmin.exe tool. Wbadmin.exe is a command-line tool that allows you to back up and restore your
computer, volume, and files from a command prompt. The Wbadmin.exe tool cannot be used to view replication topology in a
graphical
format.
You are the network administrator for your company's network. You install a Certificate Authority (CA) to distribute certificates to
users
Item: 37 (Ref:Cert-70-640.2.4.17)
*'Repadmin.exe
*'Replmon.exe
*'Ntdsutil.exe
*'Wbadmin.exe
Answer:
Replmon.exe
Item: 38 (Ref:Cert-70-640.4.7.1)
Page 39 of 173
and computers in your domain. You decide that you want to audit the following events on your CA:
Backing up and restoring the CA database
Changing the CA configuration
Changing the CA security settings
Issuing and managing certificate requests
After seven days, you review the security log, but you cannot find any events related to the CA.
What could you do to solve the problem?
Explanation:
You should enable Audit object access in the local security policy on the computer or via a group policy object that is applied
to the
computer. Enabling object access auditing in a policy allows you to specify whether to audit successes, audit failures, or not
audit the
event type at all. Success audits generate an audit entry in the security log when a user successfully accesses an object that
has an
appropriate SACL specified. Failure audits generate an audit entry in the security log when a user unsuccessfully attempts to
access an
object that has a SACL specified. You can use the event viewer tool to view the security log. Only administrators and users that
have
been delegated the right to view the security log may view the security log on a computer.
You should not enable Audit policy change in a group policy object. This policy setting determines whether to audit every
incidence of
a change to user rights assignment policies, Windows Firewall policies, audit policies, or trust policies. This policy will not affect
the
auditing of a CA.
You should not enable Audit system events in a group policy object. This policy setting audits when a user restarts or shuts
down their

Created: 18/04/2013
Version: 1.0
Document1
Page 31 of 133
computer, or when an event occurs that affects either computer security or the Security log. This policy will not affect the
auditing of a
CA.
You should not check the application log for auditing events related to the CA. Audited events will display in the security log, not
in the
application log. Auditing of the CA will not be successful until you enable object access auditing in a local security policy or
group policy
object.
*'Check the application log for auditing events related to the
CA.
*'Enable Audit object access in the local security policy on the
computer.
*'Enable Audit policy change in a group policy
object.
*'Enable Audit system events in a group policy
object.
Answer:
Enable Audit object access in the local security policy on the
computer.
Page 40 of 173
You are a network administrator for a company named Verigon. The network consists of a single Active Directory domain. All
servers
run Windows Server 2008, and all client computers run Windows Vista. The network contains an enterprise issuing certification
authority (CA) and an offline root CA.
Verigon acquires a new company named TelStar that has its own Active Directory domain in a different forest. You want to
establish an
L2TP/IPSec VPN connection between both company networks. You install a VPN server on your network, install a certificate
from your
issuing CA, and configure the server for a router-to-router VPN connection. A network administrator at TelStar performs similar
actions
on the TelStar network. When you test the connection, you receive an error message that indicates that the TelStar certificat e is
not
trusted. You must ensure that a VPN connection between the two companies can be successfully established without producing
the
error message.
What should you do?
Explanation:
Item: 39 (Ref:Cert-70-640.5.2.1)
*'Place a copy of the TelStar root CA's certificate in the Trusted Root Certification Authorities store on your VPN
server.
*'Install the TelStar root CA's certificate on the root CA in
Verigon.
*'Install the TelStar root CA's certificate on the issuing CA in
Verigon.
*'Include the TelStar root CA's certificate in Verigon root CA's certificate revocation
list.
Answer:
Place a copy of the TelStar root CA's certificate in the Trusted Root Certification Authorities store on your VPN
server.
Page 41 of 173
You should place a copy of the TelStar root CA's certificate in the Trusted Root Certification Authorities store on your VPN
server. To
make your VPN server trust the TelStar VPN server's certificate, that certificate must be verified to a trusted CA. All certificates
on
TelStar's network can ultimately be verified to TelStar's root CA. Thus, if your VPN server trusts TelStar's root CA, then it will
trust any
certificate that is issued by any CAs on TelStar's network. To enable your VPN server to trust TelStar's root CA, you should
import
TelStar root CA's certificate in the Trusted Root Certification Authorities store on your VPN server. It is a common practice to
implement
a stand-alone root CA and enterprise subordinate CAs. To provide maximum security for root CAs, they are often kept offline.
Standalone
CAs are better suited for being kept offline because they are less prone to the various synchronization problems that occur as a
result of being disconnected from the network for prolonged periods of time. When you want to allow clients to get certificates
from an
intermediate CA even when the Trusted CA is offline, you should store the Trusted CA's certificate in the Trusted Root
Certification
Authorities store on your VPN server store on client computers.
You can also make computers trust certificates from external CAs by using a Group Policy object (GPO) that applies to those

Created: 18/04/2013
Version: 1.0
Document1
Page 32 of 133
computers. The GPO should list the appropriate certificates in the Trusted Root Certification Authorities policy. Alternatively, you
can
add the trusted root CA's certificates to a Certificate Trust List (CTL) and specify that CTL in the GPO. Another possible solution
is
cross-certification; for example, your root CA could issue a certificate for your partner's root CA and vice versa.
If you installed the TelStar root CA's certificate on your root or issuing CA, then only your root or issuing CA, respectivel y, would
trust
TelStar's certificates; the scenario requires that your VPN server trust TelStar's certificates.
You should not include the TelStar root CA's certificate in the Verigon root CA's certificate revocation list. A certificate revocation
list
(CRL) contains revoked certificates from a specific CA. When a certificate is revoked, it is included in the CRL on the CA that
issued
that certificate. You cannot include the TelStar root CA's certificate in your root CA's CRL because that certificate is self-signed;
it has
been issued by TelStar's root CA, not your root CA.
You administer your company's Windows 2008 network. The network consists of 25 Windows Server 2008 computers. The
network
contains an offline root Certification Authority (CA) located in the main office and five subordinate issuing CAs, located in the
main office
and each of the remaining four retail locations.
One of the four retail locations has been purchased and will operate as a franchise. You must ensure that resources on the
company
network will not accept certificates from the associated subordinate CA in this retail location after the sale is completed. Your
solution
must use a minimum amount of administrative effort.
What should you do? (Choose three. Each correct answer presents part of the solution.)
Item: 40 (Ref:Cert-70-640.6.4.2)
M|.On the company's root CA, revoke the certificate of the subordinate
CA.
M|.Disconnect the subordinate CA from the
network.
M|.On the subordinate CA, remove the CA software and remove the CA
files.
M|.On the subordinate CA, revoke the certificates that it has
issued.
M|.Publish a new Certificate Revocation
List.
M|.Copy the Edb.log file from the root CA to its Certification Distribution Point on your
network.
M|.Copy the Edb.log file from the subordinate CA to its Certification Distribution Point on your
network.
M|.Copy the Certificate Revocation List file to the Certificate Distribution Point on your
network.
Answer:
On the company's root CA, revoke the certificate of the subordinate CA.
Publish a new Certificate Revocation List.
Copy the Certificate Revocation List file to the Certificate Distribution Point on your
network.
Page 42 of 173
Explanation:
On the company's root CA, revoke the certificate of the subordinate CA.
Publish a new Certificate Revocation List.
Copy the Certificate Revocation List file to the Certificate Distribution Point on your network.
Digital certificates are used to establish trust between network objects. The ability to trust is determined by the status of the
certificate:
whether the chain of trust to the certificate's certifying authority can be verified, and whether the certificate remains in good
standing
with the certifying authority. When an issuing CA is deployed, it is issued a certificate that ultimately links to the root CA. It is a
common
practice to implement a stand-alone root CA and enterprise subordinate CAs. To provide maximum security for root CAs, they
are often
kept offline. Stand-alone CAs are better suited for being kept offline because they are less prone to various synchronization
problems
that occur as a result of being disconnected from the network for prolonged periods of time.
When you want to allow clients to get certificates from an intermediate CA even when the Trusted CA is offline, you should store
the
Trusted CA's certificate in the Trusted Root Certification Authorities store on your VPN server store on client computers. When
you
need to ensure that certificates from this issuing CA are no longer valid, you need to perform three primary tasks. First, the
issuing CA

Created: 18/04/2013
Version: 1.0
Document1
Page 33 of 133
certificate must be revoked on the on the root CA. This will break the chain of trust for any new certificates issued. To notify
objects that
currently trust certificates from the issuing CA that these certificates are no longer valid, you should then publish the Certificate
Revocation List (CRL). Finally, you should copy the CRL file to the Certificate Distribution Point on your network so that it is
distributed
to network objects that rely on certificates for authentication. This action will communicate the change in the public key
infrastructure
(PKI) across the network and will prevent you from having to revoke individual certificates that were issued by the CA.
Ultimately, the subordinate CA will be removed from the network when the retail location is sold. You do not have to manually
remove
the CA or uninstall Certificate Services from the computer. These acts, in and of themselves, will have no effect beyond
preventing new
certificates from being issued to your users or computers. Steps must be taken to break the chain of trust for the issuing CA,
and this
change must be communicated throughout the network.
Certificate Services uses a database format to store certification transactions. The < CA name > .edb file is the database file,
and the
Edb.log file is the transaction log file for the CA store. This file is not used as notification to CA clients for PKI changes. This
type of
information is distributed throughout the enterprise by using the CRL.
You are the administrator of a company that manufactures novelty items. Your company has a single domain. All domain
controllers are
a mixture of Windows Server 2003 and Windows Server 2008. The functional level of the domain and forest are both set to
Windows
Server 2003.
You have entered into a partnership with a company from China to import different novelty items. Your partners will need access
to a
Web-based inventory control application that is run on one of your servers. The partner's company also has a single domain.
The
functional level of the partner's domain and forest are both set to Windows Server 2003.
You want to give the partner's company access to your Web-based inventory control application, but you do not want to create
users or
manage users from the partner company because there is lot of personnel turnover in the partner company.
What should you configure? (Choose three.)
Item: 41 (Ref:Cert-70-640.3.4.4)
M|.Use Active Directory Federation Services (AD FS) and create a federated
trust.
M|.Install a Federation Service Proxy on a separate server in the perimeter
network.
M|.Install an Edge Transport Server on a separate server in the perimeter
network.
M|.Install an AD FS Web
agent.
M|.Install an Edge Transport Server on the same server as the AD FS
server.
M|.Install a SMTP server to handle outgoing and incoming authentication
requests.
Answer:
Page 43 of 173
Explanation:
You should use Active Directory Federation Services (AD FS) and create a federated trust. AD FS allows users from outside
your
organization, such as the partners from China, to have access to a Web application that your company hosts. You could have
the
partners in China create a security group in their own Active Directory of users that need access to the application, and use AD
FS to
grant access to the application to the security group. When users from the partner's domain attempt to access the Web
application, the
application uses AD FS to authenticate the users based on their group membership.
You will also need to install a Federation Service Proxy on a separate server in the perimeter network. The Federation Service
Proxy
allows users outside your organization to access your application without exposing your Active Directory forest to the outside
world. In
this scenario, users from the partners company in China will need to use the Internet to access the Web-based application on
your
server. This Federation Service Proxy in the perimeter network would relay federation requests from users outside your
organization,
such as the partners in China, to your federation server. Placing the Federation Service Proxy server in the perimeter network
ensures
that your federation server is not exposed directly to the outside world.

Created: 18/04/2013
Version: 1.0
Document1
Page 34 of 133
You should install an AD FS Web agent. The Web agent is the mechanism that the Web application users for authenticating
external
users. The AD FS Web agent manages the security tokens and authentication cookies that are sent to the Web server. There
are two
different agents:
Claims-aware agent: Used for claims-aware application, such as Microsoft ASP .NET.
Windows token-based agent: Performs the AD FS security token conversion to Windows NT access token for applications that
support Windows NT access tokens.
You cannot install the Federation Service Proxy and Active Directory Federation Service on the same server. They must be
installed on
separate computers.
You should not install an Edge Transport Server or an SMTP Server. An Edge Transport server is used to route incoming email
messages to a Hub Transport server and handle outgoing email messages from a Hub Transport server. You can place virus
and email
filtering agents on an Edge Transport server. An Edge Transport server and an SMTP server are not required to configure AD
FS.
You are the network administrator for Nutex Corporation. Nutex has a single Active Directory domain. Several portable
computers,
desktop computers, and application servers have been added to the domain.
You want a list of all your records in the DNS zone. You want to compare the A records from the DNS server with the IP
addresses
assigned from the DHCP server to see if any of the IP addresses of the portable computers, desktop computers, or application
servers
are static addresses.
How would you get a list of all the DNS records in the DNS zone?
Use Active Directory Federation Services (AD FS) and create a federated trust.
Install a Federation Service Proxy on a separate server in the perimeter
network.
Install an AD FS Web agent.
Item: 42 (Ref:Cert-70-640.1.1.6)
*'Run the Dnscmd /info
command.
*'Run the Dnscmd /config
command.
*'Use the DNS Manager snap-in to rightclick on the DNS server and choose Configure DNS Server. Choose to
export a list of
records to a file.
*'Use the DNS Manager snap-in to right-click on the zone and choose Export
List.
Answer:
Use the DNS Manager snap-in to right-click on the zone and choose Export
List.
Page 44 of 173
Explanation:
You should use the DNS Manager snap-in to right-click on the zone and choose Export List to get a list of all DNS records in
the DNS
zone. This action will export all the DNS records to a text file. You can use the text file to compare the IP addresses of the A
records in
the zone with the IP addresses assigned by the DHCP server. You can also use the Dnscmd /ZoneExport command to export
the
zone records to a file. Alternatively, you can use the Dnscmd /ZonePrint command to display all records in the zone to the
screen.
You cannot use the Dnscmd /config command to get a list of the DNS records in the DNS zone. You can use the Dnscmd
/config
command to change the values in the registry for the DNS server and for individual zones.
You cannot use the Dnscmd /info command to get a list of the DNS records in the DNS zone. The Dnscmd /info command
displays
DNS server level configuration and not zone-level information. To display the configuration for each zone, you must use
Dnscmd /zoneinfo command.
You cannot use the Configure DNS Server option of the DNS Manager snap-in to get a list of the DNS records in the DNS
zone. You
can use the Configure DNS Server option to configure forward and reverse lookup zones, configure forwarders, and configure
root
hints.
You are a network administrator for a multinational bank. You administer a contact center for the company in Alaska. The
company's
network consists of a single Active Directory domain that runs Windows Server 2008. The company's network also consists of
100
Windows Vista client computers.
One of the users, named Fred, reported that his computer keeps restarting. You fixed the problem by reinstalling a device
driver. You

Created: 18/04/2013
Version: 1.0
Document1
Page 35 of 133
now want to enable an audit policy using the Auditpol.exe command-line tool to track all system restart events on Fred's
computer.
However, before you run Auditpol.exe to enable a new audit policy, you want to verify all the audit policies currently enabled on
Fred's
computer.
What should you do?
Item: 43 (Ref:Cert-70-640.4.7.3)
*'Run the Auditpol /list /r
command.
*'Run the Auditpol /get
Page 45 of 173
Explanation:
You should run the Auditpol /get command to verify all audit policies that are currently enabled on Fred's computer.
Auditpol.exe is a
command-line tool used to set audit policy subcategories and per-user audit policy in Windows Server 2008. In Windows 2000
Server
and Windows Server 2003, there is only one audit policy for Active Directory, named Audit Directory Service Access, which
controls
whether auditing for directory service events are enabled or disabled. In Windows Server 2008, the audit policy is divided into
four
subcategories:
Directory Service Access: Enables users to audit the event of a user accessing an Active Directory objects.
Directory Service Changes: Enables users to audit the event of changes that are made to an Active Directory objects, for
example, create, modify, or move.
Directory Service Replication: Enables users to audit Active Directory replication problems.
Detailed Directory Service Replication: Enables detailed tracking of Active Directory replication.
Each subcategory is independent for its own usage. To be precise, if you disable one of the subcategories such as Directory
Service
Access, the event changes generated can still be seen if you have enabled the Directory Service Changes subcategory.
Similarly, if
you disable the Directory Service Changes subcategory and enable the Directory Service Access subcategory, the Security
log
events will still be reflected. Since there is no Windows interface tool available for these in Windows Server 2008, you can use
the
Auditpol.exe command-line tool to view or set audit policy subcategories.
You should not run the auditpol / list /r command to verify all audit policies currently enabled on Fred's computer. The auditpol
/ list /r
command is a subcommand to the Auditpol /list command, which is used to display the output in report format as comma-
separated
values.
You should not run the auditpol /list command to verify all audit policies currently enabled on Fred's computer. The /list
command
parameter in Auditpol.exe is used to display selectable policy elements to create an audit policy.
You should not run the auditpol /get /sd command to verify all audit policies currently enabled on Fred's computer. The
auditpol /get /sd command in Auditpol.exe is a subcommand to the Auditpol /get command, which is used to retrieve the
security
descriptor used to delegate access to the audit policy. To verify only the current audit polices enabled, you can use the
Auditpol /get
command separately.
You are the systems administrator of your company. The company's network consists of a single Active Directory domain. The
company's network contains servers that run Windows Server 2003 and Windows Server 2008. The client computers on the
network
run Windows XP Professional and Windows Vista.
You create .ADMX and .ADML files to define registry-based policy settings on all client computers in the domain. You want to
manage
the .ADMX files.
What should you do? (Choose two. Each answer is a complete solution.)
command.
*'Run the Auditpol /list
command.
*'Run the Auditpol /get /sd
command.
Answer:
Run the Auditpol /get
command.
Item: 44 (Ref:Cert-70-640.4.4.5)
M|.Use Group Policy Object Editor on a Windows XP Professional
computer.
M|.Use Group Policy Object Editor on a Windows Server 2003
computer.
M|.Use Group Policy Object Editor or Group Policy Management Console on a Windows Vista

Created: 18/04/2013
Version: 1.0
Document1
Page 36 of 133
computer.
M|.Use Group Policy Object Editor or Group Policy Management Console on a Windows Server 2008
computer.
Page 46 of 173
Explanation:
You can use Group Policy Object Editor or Group Policy Management Console on either a Windows Vista computer or a
Windows
Server 2008 computer. Group Policy is used to apply one or more desired configurations or policy settings to a set of targeted
users
and computers within an Active Directory environment. Over 700 new policy settings are included in Group Policy in Windows
Vista,
which provides greater coverage of policy settings for easier administration by including Group Policy Management console
(GPMC),
support for multilingual environments by using ADMX files, and multiple components of Windows Vista. The registry-based
policy
settings in Windows Vista are defined by using a standards-based XML file format known as ADMX files. The ADMX files are
languageneutral
resource files. The other type of registry-based policy settings are known as ADML files, which are language-specific resource
files. ADMX and ADML files replace the ADM files that were used in earlier versions of Windows. To ensure that ADMX files are
recognized by Group Policy tools, such as GPMC and Group Policy Object Editor, you must be running a Windows Vista-based
or
Windows Server 2008-based computer. ADMX files are not stored in individual Group Policy Objects (GPOs).
If you have a domain environment, you can create a central store location of ADMX files that can be accessed by anyone with
controller
and is used to provide a centralized storage location for ADMX and ADML files for the domain. A central store can be created
on a
domain controller running Windows Server 2003 R2, Windows Server 2003 Service Pack 1 (SP1), or Windows 2000 Server.
The ADMX
files supersede the default ADM files that were included in the operating system, such as System.adm and Inetres.adm.
Therefore,
Group Policy tools exclude the default ADM files. If you have any custom ADM files in your existing environment, Group Policy
tools will
continue to recognize those ADM files.
You can use the Add/Remove Template menu option to add or remove custom ADM files to a GPO. New Windows Vista-
based policy
settings can only be managed from Windows Vista and Windows Server 2008 based machines by using Group Policy Object
Editor or
GPMC. Group Policy Object Editor on Windows Server 2003, Windows XP, or Windows 2000 machines will not display new
Windows
Vista Administrative Template policy settings that may be enabled or disabled within a GPO. You can use the Group Policy
Object
Editor or GPMC in Windows Vista and Windows Server 2008 to manage all operating systems that support Group Policy, such
as
Windows Vista, Windows Server 2003, Windows XP, and Windows 2000.
The options stating that you should use Group Policy Object Editor on a Windows XP Professional computer or a Windows
Server 2003
computer are incorrect. New Windows Vista-based policy settings can only be managed from Windows Vista-based machines
by using
Group Policy Object Editor or GPMC. Group Policy Object Editor on Windows Server 2003, Windows XP, or Windows 2000
machines
will not display new Windows Vista Administrative Template policy settings that may be enabled or disabled within a GPO.
You are the network administrator for your company. The company has a main office and a branch office. You install Windows
Server
2008 on all servers on the network. You install a domain controller named DC1 in the main office and a read-only domain
controller
(RODC) named RODC1 in the branch office. The offices are connected by a 128-Kbps link.
A user named John travels frequently to the branch office and requires access to the branch office network. You want to ensure
that
John is able to log on to the network in the branch office even if the Wide Area Network (WAN) link to the domain controller is
unavailable.
To achieve this, you need to prepopulate the password cache of RODC1 with the password of John's user account.
What should you do?
Answer:
Use Group Policy Object Editor or Group Policy Management Console on a Windows Vista computer.
Use Group Policy Object Editor or Group Policy Management Console on a Windows Server 2008
computer.
Item: 45 (Ref:Cert-70-640.3.3.3)
*'Add John's user account to the Denied List on the Password Replication Policy tab in the Properties dialog box
for
RODC1.

Created: 18/04/2013
Version: 1.0
Document1
Page 37 of 133
*'Add John's user account to the Accounts that have been authenticated to this Read-only Domain Controller list
in the
Advanced Password Replication Policy dialog box for RODC1.
*'Add John's user account to the Accounts whose passwords are stored on this Read-only Domain Controller
list in the
Advanced Password Replication Policy dialog box for RODC1.
*'Add John's user account to the Allowed List on the Password Replication Policy tab in the Properties dialog box
for
RODC1.
Page 47 of 173
Explanation:
You should add John's user account to the Allowed List on the Password Replication Policy tab in the Properties dialog box
for
RODC1. You can prepopulate the cache of an RODC with the passwords of user and computer accounts that will authenticate
to that
RODC. Prepopulating the RODC password cache triggers the RODC to replicate and cache the passwords for users and
computers
before the accounts try to log on in the branch office. Prepopulating the password cache is helpful when you want to ensure that
a user
is able to log on to the network in a branch office even if the WAN link to the writable domain controller is unavailable. You can
prepopulate the cache only for accounts that the Password Replication Policy allows to be cached. If you try to prepopulate a
password
of an account that the Password Replication Policy does not allow to be cached, the operation will fail.
You should not add John's user account to the Denied List on the Password Replication Policy tab in the Properties dialog
box for
RODC1. You can prepopulate the cache only for accounts that the Password Replication Policy allows to be cached. Therefore,
you
should add John's user account to the Allowed List on the Password Replication Policy tab in the Properties dialog box for
RODC1.
You should not add John's user account to the Accounts that have been authenticated to this Read-only Domain
Controller list in
the Advanced Password Replication Policy dialog box for RODC1. The Accounts that have been authenticated to this
Read-only
Domain Controller list displays all user and computer accounts that are authenticated to an RODC. You cannot manually add a
user
or a computer account to the Accounts that have been authenticated to this Read-only Domain Controller list.
You should not add John's user account to the Accounts whose passwords are stored on this Read-only Domain
Controller list in
the Advanced Password Replication Policy dialog box for RODC1. The Accounts whose passwords are stored on this
Readonly
Domain Controller list displays all user or computer accounts whose passwords are stored on that RODC. To view credentials
that are cached on an RODC, you should use the Active Directory Users and Computers snap-in. To do so, open the Password
Replication Policy tab in the properties sheet for the RODC, and select the Accounts whose passwords are stored on this
Readonly
Domain Controller option in the Advanced Password Replication Policy dialog box. You cannot manually add a user or a
computer account to the Accounts whose passwords are stored on this Read-only Domain Controller list.
You are the network administrator for your company. All servers on the network run Windows Server 2008. The company's
network
consists of a single Active Directory domain. The client computers run Windows Vista.
You create .ADMX files to define registry-based policy settings on all client computers in the domain. You want to create a
custom
domain-based ADMX file that supports the Japanese language in your domain. You want to ensure that the custom ADMX file
for the
Japanese language is automatically available to all Group Policy administrators in the domain.
What should you do?
Explanation:
You should create an .ADML file and copy it to the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture]
folder on
the domain controller. The ADMX files are language-neutral resource files. The other type of registry-based policy settings are
known
as ADML files, which are language-specific resource files. ADMX and ADML files replace the ADM files that were used in earlier
versions of Windows. To ensure that ADMX files are recognized by Group Policy tools, such as GPMC and Group Policy Object
Editor,
Answer:
Add John's user account to the Allowed List on the Password Replication Policy tab in the Properties dialog box for
RODC1.
Item: 46 (Ref:Cert-70-640.4.4.4)
*'Create an .ADML file and copy it to the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture]
folder on the
domain controller.

Created: 18/04/2013
Version: 1.0
Document1
Page 38 of 133
*'Create an .ADMX file and copy it to the %systemroot%\sysvol\domain\policies\PolicyDefinitions folder on the
domain
controller.
*'Create an .ADM file and copy it to the %systemroot%\inf folder on all client
computers.
*'Create an .ADML file and copy it to the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture]
folder on all
client computers.
Answer:
Create an .ADML file and copy it to the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture] folder
on the domain controller.
Page 48 of 173
you must be running a Windows Vista-based or Windows Server 2008-based computer. ADMX files are not stored in individual
Group
Policy Objects (GPOs). If you have a domain environment, you can create a central store location of ADMX files that can be
accessed
by anyone with permission to create or edit GPOs. The central store is a folder created in the SYSVOL folder of an Active
Directory
domain controller and is used to provide a centralized storage location for ADMX and ADML files for the domain.
In addition to storing the ADMX files shipped in the operating system in the central store, you can also share a custom ADMX
file by
copying the file to the central store, which makes it available automatically to all Group Policy administrators in a domain. The
default
location for .ADML files on a domain controller is the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture]
folder.
For example, the United States English ADMX language-specific file will be stored in the %systemroot%
\sysvol\domain\policies\PolicyDefinitions\en-us folder.
You should not create an .ADMX file and copy it to the %systemroot%\sysvol\domain\policies\PolicyDefinitions folder on
the
domain controller. The ADMX files are language-neutral resource files and cannot be used as a resource for a specific
language.
You should not create an .ADM file and copy it to the %systemroot%\inf folder on all client computers. The .ADM files were
used in
earlier versions of Windows that were released prior to Windows Vista. The .ADM files cannot be used as a resource for a
specific
language. Also, copying the .ADM file to the %systemroot%\inf folder on all client computers will make the file available locally,
but it
will not ensure that the .ADM is automatically available to all Group Policy administrators in the domain.
You should not create an .ADML file and copy it to the
%systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture] folder
on all client computers. Copying the .ADML file to the %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture]
folder
on all client computers will make the file available locally on client computers, but it will not ensure that the .ADML file is
automatically
available to all Group Policy administrators in the domain.
You administer a domain that includes an enterprise root Certification Authority (CA) and an issuing enterprise subordinate CA.
You
want each computer in the domain to have a Computer certificate that can be used for IPSec communications. In order to limit
the
administrative effort required on behalf of the computers' users, you want to enable automatic enrollment for computer
certificates in the
domain.
Which two of the following actions should you take in order to enable all computers in the domain to automatically enroll for
computer
certificates? (Choose two.)
Explanation:
Automatic enrollment eliminates the need for a user to log on to each computer as the administrator, install Certificate Services,
and
request a computer certificate on behalf of the computer. Public Key Group Policy must also be configured in order to enable
the
creation of CTLs for users and computers, the addition of CA certificates for trusted third-party and stand-alone root CAs, and
the
allocation of Encrypting File System (EFS) Recovery Agent accounts. A Public Key Group Policy can be created for a domain, a
site or
an organizational unit (OU).
You must configure a Public Key Group Policy for the domain and assign the Enroll and Autoenroll permissions to all domain
computers for the Computer certificate template. Doing so will enable all domain computers to enable automatic enrollment for
certificates that are issued to computers. The configuration of a Public Key Group Policy is not necessary for most uses of
certificate
Item: 47 (Ref:Cert-70-640.6.3.1)
M|.Create a Certificate Trust List (CTL) that allows the use of computer certificates in the

Created: 18/04/2013
Version: 1.0
Document1
Page 39 of 133
domain.
M|.Configure a Public Key Group Policy for the
domain.
M|.Assign the Enroll and Autoenroll permissions to all domain computers for the Computer certificate template.
M|.Issue Enrollment Agent certificates to all users in the
domain.
M|.Issue Recovery Agent certificates to all users in the
domain.
Answer:
Configure a Public Key Group Policy for the domain.
Assign the Enroll and Autoenroll permissions to all domain computers for the Computer certificate
template.
Page 49 of 173
services and the public-key infrastructure. However, you must configure a Public Key Group Policy in order to enable automatic
enrollment for certificates that are issued to computers, including Computer, Domain Controller, IPSec and Enrollment Agent
(computer) certificates.
In order to receive a particular certificate, the Enroll permission for that certificate template must be granted to the requesting
party,
which can be a computer or a person depending on the type of certificate being requested. Computer certificates can be issued
only to
computers; thus, in this scenario, each domain computer must be granted the Enroll permission for the Computer certificate
template.
CTLs are used to designate trusted CAs and the purposes for which the CAs' certificates can be used. Supported CTL purposes
can
include client authentication, server authentication, code signing, secure e-mail and time-stamping. You cannot create a CTL
that
explicitly allows the use of Computer certificates in the domain.
An EFS Recovery Agent certificate should be issued to the user of a computer on which EFS-encrypted data will be recovered.
An
Enrollment Agent certificate should be issued to any administrators who obtain certificates for smart card users. The domain
computer
users do not require either Enrollment Agent certificates or EFS Recovery Agent certificates in order for their computers to
obtain
Computer certificates.
You are a network administrator for a large software company. The company's network consists of three Windows Server 2008
servers
and 200 Windows Vista client computers installed in various departments.
You are responsible for issuing certificates to all client computers and network devices using Active Directory Certificate Service
(AD
CS). Several departments have several network switches and routers that need certificates issued to them.
What should you do to issue certificates to the network switches and routers?
Explanation:
You should use the Network Device Enrollment Service (NDES) to issue a certificate to the network switches and routers. NDES
is the
Microsoft implementation of a communications protocol named Simple Certificate Enrollment Protocol (SCEP). SCEP helps to
provide
X.509 certificates for software running on network devices such as routers and switches.
You should not use a restricted enrollment agent to issue a certificate to network devices such as routers and switches.
Enrollment
agents are generally one or more persons authorized to perform enrollment within an organization. The enrollment agent needs
to be
issued an enrollment agent certificate that enables the agent to enroll for smart card certificates on behalf of other users for a
particular
department or section of an organization. Using a restricted enrollment agent in AD CS allows you to set permission limits on
users
designated as enrollment agents who receive certificates on behalf of other users.
You should not use Enterprise Public Key Infrastructure (PKI)-View to issue a certificate to network devices such as switches
and
routers. Enterprise PKI-View is used to provide the status view of your network's PKI environment, which enables administrators
to
troubleshoot possible errors by the CA. You should use NDES to issue a certificate to network devices.
You cannot use the Web enrollment service to issue a certificate to a network device, such as a router or switch. The Web
enrollment
service can be used to issue certificates to non-Microsoft client computers that are not a part of the domain. The Web
enrollment
service can assign certificates to these clients or users who cannot rely on auto-enrollment mechanisms of a certification
authority (CA)
or the Certificate Request Wizard. The Web enrollment service is a Windows-based CA that allows users to obtain new or
renewed
certificates over the Internet.
Item: 48 (Ref:Cert-70-640.6.2.2)

Created: 18/04/2013
Version: 1.0
Document1
Page 40 of 133
*'Issue a certificate using Enterprise Public Key Infrastructure (PKI)-
View.
*'Issue a certificate using a restricted enrollment
agent.
*'Issue a certificate using the Network Device Enrollment Service
(NDES).
*'Issue a certificate using the Web enrollment
service.
Answer:
Issue a certificate using the Network Device Enrollment Service
(NDES).
Page 50 of 173
You are a network administrator for your company. Your corporate network consists of a single Active Directory domain. The
organizational unit (OU) structure is shown in the exhibit. (Click the Exhibit(s) button.)
The user accounts of all network administrators belong to the NetAdmins OU, the user accounts of all managers belong to the
Managers OU, and the user accounts of all other employees in the company belong to the Employees OU. All Help Desk users
are
members of a security group named Help Desk. The Help Desk personnel should be allowed to reset the passwords of all
users,
except network administrators and managers, but they should not be assigned any additional privileges in the domain. You must
delegate the required level of authority to the Help Desk group.
Explanation:
OUs are used to delegate administration of specific subsets of domain resources, such as users, computers, and groups. In this
scenario, you should assign the Help Desk group the permission to reset user passwords for the Employees OU. To
accomplish this
task, you can run the Delegation of Control wizard on the Employees OU, add the Help Desk group to the list of the users to
whom
you want to delegate control of the OU, and select the Reset user passwords and force password change at next logon
task.
Alternatively, you can assign the Help Desk group the Allow - Reset Password permission for the Employees OU and
specify that
the permission apply to user objects. If you delegated the Create, delete and manage user accounts task for the Personnel
OU, then
members of the Help Desk group would be able to fully manage the user accounts of all employees in the company, including
network
administrators and managers.
The Block Policy inheritance option is irrelevant to delegation of administration; this option is used to prevent Group Policy
objects
that are linked to higher-level OUs or to the domain from applying to objects in the current OU. Delegating the Read all
InetOrgPerson
information task would allow the Help Desk personnel to read all information for the InetOrgPerson objects; it would not allow
them to
reset the passwords for user objects. InetOrgPerson objects are similar to user objects and are used for compatibility with t hird-
party
directory services. Delegating the Read all user information task would not allow the Help Desk personnel to reset user
passwords.
Item: 49 (Ref:Cert-70-640.4.3.7)
*'Delegate the Create, delete and manage user accounts task for the Personnel OU and enable the Block Policy
inheritance
option for the NetAdmins and Managers OUs.
*'Delegate the Reset user passwords and force password change at next logon task for the Employees
OU.
*'Delegate the Read all InetOrgPerson information task for the Personnel OU and disable the propagation of
inheritable
permissions for the NetAdmins and Managers OUs.
*'Delegate the Read all user information task for the Employees
OU.
Answer:
Delegate the Reset user passwords and force password change at next logon task for the Employees
OU.
Page 51 of 173
You are the network administrator at your company. You have set password policies and account lockout policies on the
domain, as
seen in the exhibit. (Click the Exhibit(s) button.)
You have an application that runs on a server. The application uses a domain account named AppLogin to log in to a server on
the
domain called FS1. AppLogin is granted the log on as a service right on FS1.

Created: 18/04/2013
Version: 1.0
Document1
Page 41 of 133
After working with the application for a few weeks, users complain that they suddenly cannot access the application. How
should you fix
the problem?
70-640.4.2b
70-640.4.2c
Item: 50 (Ref:Cert-70-640.4.2.2)
*'Increase the number of attempts for the Account lockout
threshold.
*'Configure the password on AppLogin to never
expire.
*'Decrease the number of minutes for the Reset account lockout counter after
policy.
*'Change the Maximum password age setting in the default domain policy to
999.
Answer:
Configure the password on AppLogin to never
expire.
Page 52 of 173
Explanation:
You should change the properties of the AppLogin account and set the password for the account to never expire. If the account
is a
domain member, the account is governed by the password policies on the domain. In this scenario, the default setting for the
maximum
password age in a group policy object is 42 days. Since the AppLogin account will password expires in 42 days, the account
will not be
able to log in to the domain server, FS1. The AppLogin account logs on as a service. As long as the password is correct
initially, the
password should work until it expires.
You should not change the Maximum password age setting in the default domain policy to 999. This setting determines how
long a
password is valid. Increasing this number will only delay the problem of the AppLogin account's password expiring. Also,
changing any
setting in the default domain policy will affect other accounts on the domain. In this scenario, you only want to fix the problem
with the
AppLogin account.
You should not decrease the number of minutes for the Reset account lockout counter after setting. This setting resets the
number
of invalid login attempts permitted. For example, if the Account lockout threshold was set to 5, and the Reset account
lockout
counter after was set to 30 minutes, then a user would get 5 attempts to enter the correct password in 30 minutes. If the user
did not
exceed 5 attempts in 30 minutes, the user's invalid attempt counter would reset to 0. For the next 30 minutes, the user would
have
another 5 attempts to guess the password.
Increasing the number of allowed attempts for the Account lockout threshold will not fix the problem. This setting will affect
users who
type in their passwords on a daily basis. The AppLogin account has the password configured as a service. As long as the
password is
correct initially, the password should work until it expires. Changing the Reset account lockout counter after setting will not fix
the
problem.
Page 53 of 173
You are the systems administrator of the Nutex corporation's Active Directory domain. All of the domain controllers use
Windows
Server 2008. You have a Windows 2008 Server Core editon server name NutexSCore1. NutexSCore1 has a volume named
FinancialRecords. Because of a computer operator error, several directories were deleted and old data was copied over new
data.
You must restore the data for the FinancialRecords volume.
Which of the following should you run to restore the volume as quickly as possible?
Explanation:
You should run the Wbadmin start recovery command. Wbadmin.exe is a command-line tool that allows you to back up and
restore
your computer, volume, and files from a command prompt. The Wbadmin start recovery command is used to perform a
recovery of
the specified volumes, applications, or files and folders. The -itemtype parameter in the Wbadmin start recovery command
can be
used to specify the type of items to recover. The value for this parameter must be one of the following: Volume, App, or File.
The -

Created: 18/04/2013
Version: 1.0
Document1
Page 42 of 133
backupTarget parameter is used to specify the storage location that contains the backup that you want to recover.
You should not boot from the DVD media, choose Repair your computer, choose System Recovery options and click
Windows
Complete PC Restore. These steps will ensure a complete restore of your computer, but in this scenario you only needed to
restore
the FinancialRecords volume on NutexSCore1, not all of the operating systems and other volumes. However, if it was
required, you
could recover the operating system of a failed computer by doing the following:
Item: 51 (Ref:Cert-70-640.5.1.3)
*'Boot from the DVD media, choose Repair your computer, choose System Recovery options, and click Windows
Complete PC
Restore.
*'From a command-line prompt, run the Wbadmin start sysrecovery
command.
*'From a command-line prompt, run the Wbadmin start sysstaterecovery
command.
*'From a command-line prompt, run the Wbadmin start recovery
command.
Answer:
From a command-line prompt, run the Wbadmin start recovery
command.
Page 54 of 173
Insert the Setup media DVD into drive and turn on the computer.
From the Setup Wizard, click Repair your computer.
The Setup process will search the hard disk drives for an existing Windows installation and then display the results in the
System Recovery Options dialog box. Choose the Windows Installation to recover. Click Next.
On the System Recovery Options page, click Windows Complete PC Restore.
Choose one of the following options, and then click Next:
Restore the following backup (recommended)
Restore a different backup
Depending on the option you choose, you may be asked to provide more details about the backup you want to restore. Click
Next.
On the Choose how to restore the backup page, install any drivers that you need. Then choose one of the following options,
and click Next:
Format and repartition disks (to delete existing partitions and reformat the destination disks to be the same as the
backup)
Restore only system volumes
Click Exclude disks, and then check boxes for any disks that are needed for a system restore. Click Next.
Confirm the details for the restoration, and then click Finish.
Before you can recover your server operating system, you must have Backup installed on the Window Server 2008 server.
Your
account must be a member of the local administrators group or the backup operators group. You must have a backup available
that
contains the critical volumes of the server.
You should not run the Wbadmin start sysrecovery command. This command is used to perform a full system recovery. In this
scenario, you want to restore only a volume. Therefore, the Wbadmin start sysrecovery command need not be used.
You should not run the Wbadmin start sysstaterecovery command. The Wbadmin start sysstaterecovery command is used
to
perform a system state recovery of a Windows Server 2008 computer. In this scenario, you want to restore only a volume.
Therefore,
the Wbadmin start sysrecovery command need not be used.
You are the systems administrator of your company. You install Windows Server 2008 on all servers on your network. A server
named
DC1 is configured as a domain controller. You want to install a new custom application on DC1 that will be used by all users on
the
network. This application will store data in Active Directory.
The application installation requires modification to some attributes and classes in the Active Directory database. Which tool can
you
use to modify attributes and classes in the Active Directory database?
Explanation:
You can use the Schmmgmt.msc tool or the Active Directory Schema snap-in to achieve the desired goal. The Active Directory
Schema snap-in is an Active Directory administrative tool for managing the schema. It is not available by default on the
Administrative
Tools menu and must be added manually. To install the Active Directory Schema snap-in, you should register the
Schmmgmt.dll
dynamic link library (DLL) that is required for the Active Directory Schema snap-in. To register the required DLL file, open a
command
prompt, type the following command, and press Enter:
regsvr32 schmmgmt.dll
After registering the Schmmgmt.dll file, you can add the Active Directory Schema snap-in to Microsoft Management Console
(MMC).

Created: 18/04/2013
Version: 1.0
Document1
Page 43 of 133
To modify the schema, a user must be member of the Schema Admins group, and the Active Directory Schema snap-in must
be
installed on the domain controller that is assigned the schema operations master role. Membership of the Schema Admins
group is
also required to perform tasks such as transferring the schema master role to another computer in the forest, or installing an
application
Item: 52 (Ref:Cert-70-640.2.6.4)
*'Dsa.msc
*'Schmmgmt.msc
*'Domain.msc
*'Adsiedit.msc
Answer:
Schmmgmt.msc
Page 55 of 173
that will install new attributes and classes in the Active Directory database. To just install the Active Directory Schema snap-in,
you
need to be a member of the Domain Admins group, or equivalent.
You cannot use the Dsa.msc tool or the Active Directory Users and Computers snap-in to modify attributes and classes in the
Active
Directory database. Active Directory Users and Computers is a graphical user interface (GUI) tool that you can use to manage
users
and computers in Active Directory domains.
You cannot use the Domain.msc tool or the Active Directory Domain and Trusts snap-in to modify attributes and classes in the
Active
Directory database. Active Directory Domains and Trusts provides a graphical interface in which you can view and manage all
domains
in the forest. This tool can be used to perform tasks such as transferring the domain naming master role to another computer in
the
forest.
You cannot use the Adsiedit.msc tool to modify attributes and classes in the Active Directory database. ADSI Edit or Active
Directory
Services Interfaces Editor is a Microsoft Management Console (MMC) snap-in that uses ADSI, which uses the Lightweight
Directory
Access Protocol (LDAP). You can use ADSI Edit to view and modify directory objects in the Active Directory database. You can
also
use it to view schema directory partition objects and properties.
servers run Windows Server 2008 and all client computers run Windows XP Professional. All users and computers in the
Human
Resources department belong to the organizational unit (OU) named HR. The Human Resources personnel work only on their
assigned
client computers. Those users must be subject to certain desktop restrictions.
You configure the appropriate user policies in a Group Policy object (GPO) and link the GPO to the HR OU. The technical
support
personnel from the IT department report that, when they are asked to resolve different technical problems on the client
computers in the
Human Resources department, they sometimes cannot do so because some desktop features are disabled on those
computers, even
though the IT personnel use their own user account credentials to log on to the domain. You must ensure that only the Human
Resources personnel receive restricted desktops; the IT personnel should not be subject to those restrictions.
Explanation:
There are two groups of policies in a GPO: Computer Configuration and User Configuration. By default, computer-specific
policies
apply to computers, and user-specific policies apply to users. However, if the User Group Policy loopback processing mode
policy is
enabled in a GPO that targets computers, then the user-specific policies in the GPOs that target those computers apply to all
users on
those computers. In this scenario, you have configured user-specific policies that restrict desktop features, and you have linked
that
GPO to the HR OU, which contains both user and computer objects. If you configured only user-specific policies in the GPO,
then it
would apply to all users in the HR OU and it would not affect any other users. In this scenario, it appears that you have also
enabled the
loopback processing mode in that GPO. Therefore, the GPO affects all users, including the IT personnel, when they log on to
the
domain from the computers in the Human Resources department. The desktop restrictions in this scenario should be imposed
on the
Human Resources users, regardless of the computers that they use. Therefore, there is no need to enable the loopback
processing
mode, which is typically used when it is necessary to apply user-specific restrictions to all users on specific computers.

Created: 18/04/2013
Version: 1.0
Document1
Page 44 of 133
The GPO in this scenario targets only users and computers in the HR OU; it does not target the user accounts of IT personnel.
Therefore, assigning permissions for that GPO to the IT personnel would have no effect.
If you enabled the Block Policy inheritance option for the HR OU, then the GPOs that are linked to the site or domain would
not apply
to the HR OU. However, this option has no effect on the GPOs that are linked to the HR OU.
Item: 53 (Ref:Cert-70-640.4.3.6)
*'Assign the Deny - Apply Group Policy permission for the GPO to the IT
personnel.
*'Enable the Block Policy inheritance option for the HR
OU.
*'Disable the loopback processing mode in the
GPO.
*'Enable the No Override option for the GPO
link.
Answer:
Disable the loopback processing mode in the GPO.
Page 56 of 173
If you enabled the No Override option for the GPO link, then, in addition to the HR OU, that GPO would be enforced on any
child OUs.
However, it would not change the way that the GPO affects the IT personnel when they log on at the computers in the Human
Resources department.
You are a network administrator for your company. Your corporate network consists of several Active Directory domains in a
single
forest. All domain controllers in the forest run Windows Server 2008. The domain controller that holds the schema master role
must be
shut down in order to upgrade its hardware. However, a schema master must always be available because your company uses
a lineof-
business Active Directory-aware application that routinely makes changes to the Active Directory schema. You must upgrade
the
hardware as planned while maintaining the continuity of business operations.
Explanation:
Changes to the Active Directory schema can be made only on the domain controller that holds the schema master role. There
can be
only one schema master in a forest. Initially, the first domain controller in the forest becomes the schema master. When more
domain
controllers are installed in the forest, the schema master role can be transferred to any domain controller in any domain in the
forest. To
be able to reassign the schema master role, you must be a member of the Schema Admins universal security group or you
must be
assigned the Allow - Change Schema Master permission for the schema. You can transfer the schema master role by using
Active
Directory Schema or the Ntdsutil command-line utility. You must connect to the domain controller to which you want to
transfer the
schema master role. Seizing is another method that can be used to reassign an operations master role; seizing differs from
transferring
a role in that seizing is possible only when the original operations master is unavailable on the network. Seizing is an extreme
measure
and should be used only when transferring is no longer possible. You should seize the schema master, domain naming master
or the
RID master role only if the original operations master will never be brought back online.
To seize the schema master role do the following:
1. Open Command Prompt and type ntdsutil and hit Enter.
2. At the ntdsutil command prompt, type roles and hit Enter.
3. At the fsmo maintenance command prompt, type connections and hit Enter.
4. At the server connections command prompt, type connect to serverDomainController and hit Enter where
serverDomainController is the domain controller to which you want to assign the new operations master role.
5. At the server connections prompt, type quit and hit Enter.
6. At the fsmo maintenance command prompt, type seize schema master and hit Enter.
You want to configure Online Responders to ensure that when a client requests information about the status of a certificate, only
information about the status of the requested certificate is sent to the client. Which edition or editions of Windows Server 2008
can you
use to ensure that you correctly configure Online Responders? (Choose all that apply.)
Item: 54 (Ref:Cert-70-640.2.6.6)
*'Connect to another domain controller in the forest root domain and seize the schema master
role.
*'Connect to another domain controller in any domain in the forest and seize the schema master
role.
*'Connect to another domain controller in any domain in the forest and transfer the schema master role to that domain
controller.

Created: 18/04/2013
Version: 1.0
Document1
Page 45 of 133
*'Connect to the schema master and transfer the schema master role to another domain controller in the forest root
domain.
*'Connect to the schema master and transfer the schema master role to another domain controller in any domain in
the
forest.
Answer:
Connect to another domain controller in any domain in the forest and transfer the schema master role to that domain
controller.
Item: 55 (Ref:Cert-70-640.6.5.6)
Page 57 of 173
Explanation:
Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008
Datacenter
editions. Online responders can be used as an alternative to or an extension of certificate revocation lists (CRLs) to provide
certification
revocation data to clients. In Windows Server 2008, you can use an Online Responder based on the Online Certificate Status
Protocol
(OSCP) to manage and distribute revocation status information in cases where the use of conventional CRLs is not an optimal
solution.
OCSP is a Hypertext Transfer Protocol (HTTP) that allows a relying party to submit a certificate status request to an OCSP
responder.
When the OSCP responder receives the request, a definitive, digitally signed response indicating the certificate status is
returned to the
client.
The options stating Windows Server 2008 Standard edition and Windows Server 2008 Web edition are incorrect because
Online
Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter
editions.
You are the network administrator of your company. The company has a main office and a branch office. Each office has its
own Active
Directory domain in a single forest. The main office network contains two domain controllers, named DC1 and DC2. The branch
office
network also contains two domain controllers, named DC3 and DC4. All servers on the network run Windows Server 2008.
You are decommissioning DC3 to a member server. You want to transfer all of the domain-wide roles from DC3 to DC4 in the
branch
office. Which two utilities can you to use achieve the objective? (Choose two. Each correct answer represents a complete
solution.)
Explanation:
You can use Ntdsutil.exe or the Active Directory Users and Computers snap-in to transfer all domain-wide operations master
role to
another domain controller. In an Active Directory forest, certain types of operations can be performed only on the domain
controllers
that are designated as operations masters for those types of operations. There are five operations master roles. The schema
master
and domain naming master are forest-wide roles; the PDC emulator, RID master and infrastructure master are domain-wide
roles.
There can be only one schema master and one domain naming master in each forest.
M|.Windows Server 2008 Datacenter
edition
M|.Windows Server 2008 Enterprise
edition
M|.Windows Server 2008 Standard
edition
M|.Windows Server 2008 Web
edition
Answer:
Windows Server 2008 Datacenter
edition
Windows Server 2008 Enterprise edition
Item: 56 (Ref:Cert-70-640.2.6.1)
M|.Ntdsutil.exe
M|.Active Directory Schema snapin
M|.Active Directory Domains and Trusts snapin
M|.Active Directory Users and Computers snapin
Answer:
Ntdsutil.exe
Active Directory Users and Computers snapin
Page 58 of 173

Created: 18/04/2013
Version: 1.0
Document1
Page 46 of 133
Each domain-wide role is unique only in each domain. By default, the first domain controller in a new forest hosts all five
operations
master roles. The first domain controller in any new domain in a forest, by default, holds the three domain-wide roles for that
domain.
Subsequently, a forest-wide role can be transferred to another domain controller in the forest, and a domain-wide role can be
transferred to another domain controller in the domain. In order for a new domain to be created in a forest, the domain naming
master
must be available in that forest. In the absence of the domain naming master, you cannot create a new domain, regardless of
whether it
is a tree-root or a child domain.
To transfer the domain-wide operations master roles by using Active Directory Users and Computers, you should perform the
following
steps:
1. Open Active Directory Users and Computers.
2. In the console tree, right-click Active Directory Users and Computers, and then click the Connect to Domain Controller
option.
In the Enter the name of another domain controller field, type the name of the domain controller that will hold the
infrastructure
master role. Or, click the domain controller in the list of available domain controllers.
1. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click the Operations
Masters
option.
2. Click Change on the Infrastructure tab, the PDC tab, or the RID tab.
To transfer the domain-wide operations master roles by using Ntdsutil.exe, you should perform the following steps:
1. Type Ntdsutil on a command prompt
2. At the ntdsutil command prompt, type: roles
3. At the FSMO maintenance command prompt, type: connection
4. At the server connections command prompt, type: connect to serverDomainController
5. At the server connections command prompt, type: quit
6. At the FSMO maintenance command prompt, type: transfer RoleName master
The Active Directory Schema snap-in and the Active Directory Domains and Trusts snap-in are incorrect because these snap-
ins
cannot be used to transfer the domain-wide roles. The Active Directory Schema snap-in is used to manage or transfer the
schema
master role, which is a forest-wide role. The Active Directory Domains and Trusts snap-in is used to manage or transfer the
domain
naming master role, which is also a forest-wide role.
You are the network administrator for Verigon Entertainment Ltd., a company that buys and sells event tickets on the secondary
market. Your company has three domains: verigon.com, sportstickets.verigon.com and concerttickets.verigon.com. All of
the
domain controllers in the sportstickets.verigon.com domain are running either Windows 2000 Server, Windows Server 2003,
or
Window Server 2008.
You want to install a read-only domain controller (RODC) in the sportstickets.verigon.com domain. What must you do to meet
the
minimum required configuration? (Choose three. Each answer is part of a single solution.)
Item: 57 (Ref:Cert-70-640.3.3.1)
M|.Upgrade all domain controllers in the sportstickets.verigon.com domain to Windows Server
2008.
M|.Replace at least one domain controller in the sportstickets.verigon.com domain with Windows Server 2008
domain
controllers.
M|.Run adprep /rodcprep before you install the
RODC.
M|.Raise the domain level of the sportstickets.verigon.com domain to Windows Server
2008.
M|.Raise the domain level of the sportstickets.verigon.com domain to Windows Server
2003.
Answer:
Replace at least one domain controller in the sportstickets.verigon.com domain with Windows Server 2008 domain
controllers.
Run adprep /rodcprep before you install the RODC.
Raise the domain level of the sportstickets.verigon.com domain to Windows Server 2003.
Page 59 of 173
Explanation:
To configure the sportstickets.verigon.com domain, you should raise the domain level to Windows Server 2003, ensure that
at least
one domain controller is upgraded to Windows Server 2008, and run adprep /rodcprep before you install the first RODC.
An RODC must be installed on a Windows Server 2008 server computer. The server can run the Enterprise version, Standard
version,

Created: 18/04/2013
Version: 1.0
Document1
Page 47 of 133
or even the Server Core edition, but you need at least one writable Windows Server 2008 domain controller to which the RODC
can
send authentication requests. The functional level of the domain and the forest must be at least Windows Server 2003. To raise
the
domain's functional level, you will have to ensure that all Windows 2000 Server domain controllers are upgraded to Windows
Server
2003 or Windows Server 2008. You cannot have a Windows 2000 Server domain controller running in a domain with the
domain level
set to Windows Server 2003. Finally, you must run adprep /rodcprep before you install the first RODC.
You do not have to upgrade all domain controllers in the sportstickets.verigon.com domain to Windows Server 2008, nor do
you have
to raise the domain level of the sportstickets.verigon.com domain to Windows Server 2008. You require a minimum domain
level of
Windows Server 2003 and at least one domain controller running Windows Server 2008.
You are the network administrator for Verigon Corporation.Your network has a single domain, and all of the domain controllers
run
Windows Server 2008.
A domain controller in the branch office failed this morning. This domain controller does not hold any other roles. You bring the
domain
controller back on line, but you need to perform a nonauthoritative restore of the domain controller. You do not have a criti cal
volume
backup of the domain controller on hand, but you do have a recent full backup.
What should be your first action to perform a nonauthoritative restore of the domain controller?
Explanation:
You should enter the command bcdedit /set safeboot dsrepair and hit Enter, then type shutdown -t 0 -r and hit Enter at the
next
command prompt. The command bcdedit /set safeboot dsrepair will boot the domain controller into Directory Services
Restore Mode
(DSRM). You can shut down or restart the computer to complete the nonauthoritative restore process. You can type shutdown
-t 0 -r
and hit Enter at the command prompt to force a restart. Another option would be to manually shut down the computer, manually
restart
the computer, and hit the F8 key to force the domain controller into DSRM.
You should have a critical-volume backup to perform a nonauthoritative restore of Active Directory Directory Services (AD DS).
However, you can perform a nonauthoritative restore of AD DS with a full backup. A critical-volume backup includes all volumes
that
are reported by System Writers. You can use a full server backup for a nonauthoritative restore if you do not have a critical-
volume
backup because a full server backup is generally larger and will contain all of the critical volumes. Restoring a full server backup
will
take longer than restoring a critical backup. The restore of a full server backup rolls back data in AD DS to the time of backup.
Unfortunately, it will roll back all data in other volumes. In this scenario, however, restoring the other volumes is not a problem
because
the domain controller does not hold any other roles, such as a file server or application server. Restoring the other volumes is
not
necessary to achieve nonauthoritative restore of AD DS in this situation.
You can perform a nonauthoritative restore of AD DS by doing the following:
Item: 58 (Ref:Cert-70-640.5.1.1)
*'Perform a critical backup of another domain controller. Reboot the failed domain controller into Directory Services
Restore Mode
(DSRM).
*'Perform a full backup of another domain controller. Reboot the failed domain controller into Directory Services
Restore Mode
(DSRM).
*'At the command prompt, type bcdedit/set safeboot dsrepair and hit Enter. At the next command prompt, type
shutdown -t 0 -r
and hit Enter.
*'At the command prompt, type bcdedit /set safeboot and hit Enter. At the next command prompt, type shutdown -t
0 -r and hit
Enter.
Answer:
At the command prompt, type bcdedit/set safeboot dsrepair and hit Enter. At the next command
prompt, type shutdown -t 0 -r and hit Enter.
Page 60 of 173
1. At the Windows logon screen, type .\administrator as the user name, type the DSRM password for the server, and then
press
Enter.
2. Click Start, right-click Command Prompt, and then click Run as Administrator.
3. If you have multiple versions of the backup, you need to find the correct version of the backup. At the command prompt, type
the

Created: 18/04/2013
Version: 1.0
Document1
Page 48 of 133
following command, and then press Enter:
wbadmin get versions -backuptarget:<targetDrive>: -machine:<BackupComputerName>
<targetDrive>: The destination drive where you want to restore your backup to.
<BackupComputerName>: If you have multiple computers backed up to the same location, you need to identify which
computer's backup you want to restore.
4. Find the version that you want to restore. At the prompt, type the following command, and then press ENTER:
wbadmin start systemstaterecovery -version:<MM/DD/YYYY-HH:MM>
-backuptarget:<targetDrive>: -machine:<BackupComputerName>
-quiet
You do not have to have a full backup or a critical backup of another domain controller to perform a nonauthoritative restore of
the failed
domain controller. You can use the existing full backup of the failed domain controller. The full backup will contain the critical
volumes
and other volumes. Although restoring the other volumes may take longer, a full backup can be used.
You should not type bcdedit /set safeboot and hit Enter at the command prompt. The command bcdedit /set safeboot will
boot the
domain controller into Safe mode, but it will not boot the computer into DSRM. You should type type bcdedit /set safeboot
dsrepair
and hit Enter at the command prompt, or restart the computer and hit F8, to boot the computer into DSRM.
You are the network administrator for a company that manufactures coffee and tea. Your company's network has a single
domain. The
main office is located in Atlanta, and the company has several branch locations in Tuscaloosa, Gainesville, Tallahassee, and
Knoxville.
All domain controllers run Windows Server 2008 and the functional level of the domain is Windows Server 2008. Each location
is a
separate Active Directory site.
The Windows Remote Management (WinRM) service is running on all servers running Windows Server 2008. You would like to
collect
all replication errors from all the domain controllers and view them on a file server in Atlanta.
What should you do?
Explanation:
You should start the Windows Event Collector service on the file server in Atlanta and configure its start mode to Automatic. The
Windows Event Collector service manages persistent subscriptions to events from remote sources that support WS-
Management
protocol, such as the domain controllers in the main and branch offices. These events include Windows Vista event logs,
hardware
events, and IPMI-enabled event sources. The service stores forwarded events in a local Event Log. The Windows Event
Collector
service start mode should be set to Automatic because if this service is stopped or disabled, then event subscriptions cannot be
created
and forwarded events cannot be accepted. To collect events from remote computers, such as the domain controllers in the
domain,
these domain controllers must be running the Windows Remote Management (WinRM) service.
Item: 59 (Ref:Cert-70-640.5.3.2)
*'On the file server in Atlanta, start the Windows Event Collector service and configure its start mode to
Automatic.
*'On the file server in Atlanta, start the Windows Error Reporting service and configure its start mode to
Automatic.
*'On the file server in Atlanta, start the Windows System Resource Manager service and configure its start mode to
Automatic.
*'On the domain controllers in the domain, start the Windows System Resource Manager service and configure its
start mode to
Automatic.
Answer:
On the file server in Atlanta, start the Windows Event Collector service and configure its start mode to
Automatic.
Page 61 of 173
You do not have to start the Windows Error Reporting service and configure its start mode to Automatic. This service is start ed
automatically. The Error Reporting service allows errors to be reported to Microsoft when programs stop working or responding,
and
allows existing solutions to be delivered. It also allows logs to be generated for diagnostic and repair services. Although t his
service is
important, it is not required to forward events.
You do not have to start the Windows System Resource Manager (WSRM) service on the file server in Atlanta or the domain
controllers
in the domain. The WSRM is started by default. This service assigns computer resources to multiple applications running on
Windows
Vista or Windows Server 2008.
You can also configure an event subscription in the Event Viewer. Right click on Subscriptions and choose Create
subscription. On

Created: 18/04/2013
Version: 1.0
Document1
Page 49 of 133
the subscription properties you can specify the computers from which logs should be collected and specify what events to
collect.
You are the network administrator for a company that makes consumer electronics. Your network has a single domain. All file
servers,
print servers, and application servers run Windows Server 2008. Each department has its own Organizational Unit within the
domain.
You want to configure users in the Sales OU to have different account lockout settings than the rest of the organization's users.
What
should you do?
Item: 60 (Ref:Cert-70-640.4.6.3)
*'Raise the functional level of the domain to Windows Server 2008 and specify fine-grained password policies for the
users in the
Sales OU.
*'Create a sub-domain for the users in the Sales OU. Configure the default domain policy in the new
domain.
*'Create a Group Policy Object (GPO) that has the appropriate account lockout settings and link the GPO to the
Sales
OU.
*'Create a Group Policy Object (GPO) that has the appropriate account lockout settings and link the GPO to the
Sales OU. Enable
the Block Inheritance setting at the Sales OU.
Page 62 of 173
Explanation:
You should raise the functional level of the domain to Windows Server 2008 and specify fine-grained passwords for the users in
the
Sales OU. A domain functional level set to Windows Server 2008 is required to configure fine-grained passwords. With pervious
domain functional levels, including Windows 2000 Server and Windows Server 2003, you could only have a single password
policy or
account lockout policy for all users in the domain. In this scenario, you must first upgrade all domain controllers to Windows
Server
2008. Once this task has been completed, you can raise the functional level of the domain to Windows Server 2008. Once the
domain
functional level has been configured to Windows Server 2008, then you can create a Password Settings Object (PSO). A PSO
allows
you to specify fine-grained passwords for an Active Directory domain. This PSO will contain attributes for Password Policy
Settings or
Account Lockout Settings. You can configure the appropriate values for the attributes, then link the PSO to a user object or a
group
object. A user or group object can have multiple linked PSOs, either because the object is a member of multiple groups with
different
PSOs applied to them, or because multiple PSOs are applied directly to the object. However, only one PSO can be applied as
the
effective password policy, and only the settings from that PSO can affect the user or group. The settings from other PSOs that
are
linked to the user or group cannot be merged in any way.
To ensure that the PSO that you configured is applied, you can set the rank of the PSOs. The PSO with the highest rank
applies. The
rank is configured by the msDS-PasswordSettingsPrecedence attribute. This attribute has a value of 1 or greater. The lower
the
value, the higher the rank. For example, if a PSO that is linked to a user has a value of 1, and the user belongs to a group with a
linked
PSO that has a value of 2, then the password settings in the PSO with the value of 1 apply to the user.
You should not create a sub-domain for the users in the Sales OU and configure the default domain policy in the new domain.
Unlike in
previous versions of Windows Server, you can create different password and account lockout settings for users in the same
Active
Directory domain if the functional level of the domain is set to Windows Server 2008.
You should not create a Group Policy Object (GPO) that has the appropriate account lockout settings and link the GPO to the
Sales
OU. Linking another GPO will not necessarily change the password or account lockout settings for domain accounts. The
account
lockout settings, password settings, and Kerberos ticket settings in a GPO can only be applied at the domain level to domain
accounts.
However, account lockout settings and password settings in a GPO applied at the OU level can affect local accounts on a
computer in
that OU, but not the domain account. For example, let us say a GPO linked at the domain level sets the maximum password
length to
9, and a GPO linked at the Accounting OU sets the maximum password length to 7. Joe's account is in the Accounting OU,
and the
computer Server1 is in the Accounting OU. The maximum length of Joe's password is 9, but any local user account that is
created on

Created: 18/04/2013
Version: 1.0
Document1
Page 50 of 133
Server1 will have a password length of 7. The GPO at the Accounting OU would take precedence over the domain GPO, but
password policies, account lockout policies and Kerberos ticket lifetime policies for domain accounts are governed by a GPO at
the
domain. A GPO with password or account lockout settings applied to computers in an OU will only affect local accounts on
those
computers, not domain accounts. The higher-ranked PSO that is linked to a user group determines the account lockout or
password
policy. If no PSO is obtained from a user or from a group that the user belongs to, then a GPO at the domain level is applied.
You should not block inheritance at the Sales OU. The block inheritance setting will not block a GPO linked at the domain level
from
applying a password policy. If no PSO is obtained from a user or from a group that the user belongs to, then a GPO at the
domain level
is applied.
You are a network administrator for your company. The network consists of a server running Windows Server 2008 and 50
client
computers running Windows Vista. Users on the network are experiencing problems in the network, such as loss of connection
to the
network printer and random computer restarts or shutdowns.
You want to enable audit policies for the following:
Track events of printer usage
Track events of registry edits
Track events of network connection
Track events on restart and shutdown
What should you do?
Answer:
Raise the functional level of the domain to Windows Server 2008 and specify fine-grained password policies for the
users in the Sales OU.
Item: 61 (Ref:Cert-70-640.4.7.6)
*'Enable Audit system events, Audit policy change, and Audit privilege use
policies.
Page 63 of 173
Explanation:
You should enable Audit system events, Audit object access, and Audit logon events policies to achieve the objectives in
this
scenario. Following are the objectives of these three audit policies:
The Audit system events policy will audit events related to a computer restart or shutdown.
The Audit object access policy will audit events when a user accesses an object. Objects include files, folders, printers,
registry
keys, and Active Directory objects.
The Audit logon events policy will audit events related to a user logging on to, logging off from, or making a network
connection
to the computer configured to audit logon events.
Since Audit system events tracks events on restart and shutdown, Audit object access tracks events of printer usage and
registry,
and Audit logon events tracks events of network connections, enabling these audit policies will fulfill all the stated objectives.
You can
configure these audit policies in Group Policy Object (GPO) settings either in the Graphical User Interface (GUI) mode or by
using the
Auditpol.exe command line utility. Once you configure Audit policy and enable the appropriate user permissions, you can link
the GPO
to the appropriate organizational unit (OU).
You should not enable Audit system events, Audit policy change, and Audit privilege use policies to achieve the objectives
in this
scenario because enabling these three audit policies will not fulfill the objectives stated in this scenario.
You should not enable Audit logon events, Audit system events, and Audit privilege use policies to achieve the objectives
in this
You should not enable Audit object access, Audit policy change, and Audit privilege use policies to achieve the objectives
in this
Your corporate network consists of a single Active Directory domain and three sites, as shown in the following image:
Active Directory replication between the sites is scheduled as shown in the following image:
*'Enable Audit logon events, Audit system events, and Audit privilege use
policies.
*'Enable Audit system events, Audit object access, and Audit logon events
policies.
*'Enable Audit object access, Audit policy change, and Audit privilege use
policies.
Answer:
Enable Audit system events, Audit object access, and Audit logon events
policies.

Created: 18/04/2013
Version: 1.0
Document1
Page 51 of 133
Item: 62 (Ref:Cert-70-640.2.3.3)
Page 64 of 173
Users report that the changes to Active Directory that are made in Site1 during normal business hours reach Site3 two days
later. You
must ensure that all the changes that are made during normal business hours in one site become available in the other sites by
the next
business day.
Explanation:
Active Directory replication between sites can be scheduled to occur at specified intervals during specified site link availability
windows.
In this scenario, changes that are made in Site1 during business hours are replicated to Site2 on the following night, every hour,
between 2 A.M. and 6 A.M. Those changes start being replicated to Site3 only after the end of the next business day, from 7
P.M. to 1
A.M. Thus, the changes that are made in Site1 become available in Site3 two business days later. To ensure that changes that
are
made in any site reach all the other sites by the next day, you can change the replication schedule between Site1 and Site2 to 8
P.M. -
2 A.M. Then, between 8 P.M. and 1 A.M., both site links will be available simultaneously. Therefore, changes that are made at
any site
during normal business hours will be replicated to all other sites during this time period on the same night.
Changing site link costs would not affect the propagation of Active Directory changes among the sites in this scenario because
the
replication topology does not include alternative paths between the same sites. Replication frequency defines the duration of the
interval between consecutive replication sessions. However, replication over a site link occurs only when that site link is
available.
Changing the replication interval would not accomplish the task in this scenario. If you changed site link availability schedules so
that
the site link between Site1 and Site2 is available from to 7 P.M. - 1 A.M., and change the site link between Site2 and Site3 is
available
from 2 A.M. - 6 A.M, then changes that are made in Site1 would reach Site2 the same night and then reach Site3 by the next
morning.
However, changes that are made in Site3 would reach Site1 two days later.
You are the network administrator for your company's domain. The company has two branch offices with two different Active
Directory
sites. The default domain policy for the domain is displayed in the exhibit. (Click the Exhibit(s) button.)
You want to secure the accounts in your domain. You specifically want to ensure that an account cannot be compromised by a
hacker,
and that the account would be disabled before the hacker has an opportunity to guess the password.
*'Change the cost of the site link between Site1 and Site2 to
50.
*'Change the replication frequency for the site link between Site1 and Site2 to 30
minutes.
*'Change the availability of the site link between Site1 and Site2 to 7 P.M. - 1 A.M., and change the availability of the
site link
between Site2 and Site3 to 2 A.M. - 6 A.M.
*'Change the availability of the site link between Site1 and Site2 to 8 P.M. - 2
A.M.
Answer:
Change the availability of the site link between Site1 and Site2 to 8 P.M. - 2
A.M.
Item: 63 (Ref:Cert-70-640.4.6.2)
*'Change the minimum password age to 7
days.
*'Enable store passwords using reverse
encryption.
*'Change the account lockout duration to
0.
*'Change the account lockout threshold to
Page 65 of 173
70-640.4.2b
70-640.4.6a
Explanation:
You should change the account lockout duration to 0. This setting will lock out an account until the administrator unlocks it.
Configuring
the account lockout duration setting, along with the account lockout threshold setting and the reset lockout counter sett ing, can
help

Created: 18/04/2013
Version: 1.0
Document1
Page 52 of 133
prevent hackers from guessing the passwords of accounts on the domain. The account lockout threshold setting limits the user' s
number of attempts to type a correct password. The reset lockout counter sets the length of time that the system remembers the
failed
attempts. In this scenario, the account lockout threshold setting is set to 4 and the reset lockout counter setting is set to 30
minutes,
which means that the user has 4 attempts within 30 minutes to guess the password for the account. If the user has 3 attempts at
the
password, but comes back more than 30 minutes later, then the user would have another 4 attempts at the password before the
7.
Answer:
Change the account lockout duration to
0.
Page 66 of 173
password is locked.
You should not increase the account lockout duration to 7. This action will lessen security and will only lock the account for 7
minutes if
the number of failed password attempts reaches the threshold.
You should not change the minimum password age to 7 days. The minimum password age is the time a password must remain
valid
before a user can change it. If set the minimum password age to 7 days, then the user must wait a week before changing
his/her
password. This setting will not stop a hacker from guessing a password, or disable the account if the hacker incorrectly types a
password.
You should not store passwords using reversible encryption. This policy provides support for legacy applications that use
protocols that
require knowledge of the user's password for authentication purposes. These types of applications can compromise security.
You
should never store passwords using reversible encryption setting because storing passwords using reversible encryption is
essentially
the same as storing plaintext versions of the passwords. The default setting for this policy is disabled.
You are the network administrator for your company. The company has three domains in a single forest, named nutex.com,
east.nutex.com and west.nutex.com. The west.nutex.com domain consists of three Active Directory sites. All domain
controllers in
your company are Windows 2003 servers.
You want to install a read-only domain controller (RODC) in the west.nutex.com domain. You need to control costs and
minimize
hardware expansion. What must you do before you install the RODC in the west.nutex.com domain? (Choose two.)
Explanation:
You should ensure that the domain level the west.nutex.com domain is set at Windows Server 2003, and you should upgrade
at least
one domain controller in the west.nutex.com domain to Windows Server 2008. An RODC must be installed on a Windows
Server 2008
computer. The server can run any version of Windows Server 2008, such as Enterprise version, Standard version, or the Server
Core
edition. You need at least one writable Windows Server 2008 domain controller to which the RODC can send authentication
requests.
The functional level of the domain and the forest must be Windows Server 2003 or above. You will also have to run the
adprep /rodcprep command before you install the first RODC.
You should not raise the domain level of the west.nutex.com domain to Windows Server 2008. Although this will support an
RODC, it
will mandate that all domain controllers in the domain must run Window Server 2008.
You should not raise all domain controllers in the nutex.com forest to Windows Server 2008. Only one domain controller in the
west.nutex.com domain needs to be running Windows Server 2008.
You should not upgrade at least one domain controller in the each of the west.nutex.com, east.nutex.com, and nutex.com
domains
to Windows Server 2008. Only one domain controller in the west.nutex.com domain needs to be running Windows Server
2008.
Item: 64 (Ref:Cert-70-640.3.3.2)
M|.Upgrade all domain controllers in the west.nutex.com domain to Windows Server
2008.
M|.Upgrade at least one domain controller in the west.nutex.com domain to Windows Server
2008.
M|.Upgrade all domain controllers in the nutex.com forest to Windows Server
2008.
M|.Upgrade at least one domain controller in the west.nutex.com domain, the east.nutex.com domain, and the
nutex.com domain
to Windows Server 2008.
M|.Raise the domain level in the west.nutex.com domain to Windows Server
2008.
M|.Raise the forest level in the nutex.com forest to Windows Server
2008.

Created: 18/04/2013
Version: 1.0
Document1
Page 53 of 133
M|.Ensure that the domain level in the west.nutex.com domain is set at Windows Server
2003.
Answer:
Upgrade at least one domain controller in the west.nutex.com domain to Windows Server
2008.
Ensure that the domain level in the west.nutex.com domain is set at Windows Server 2003.
Page 67 of 173
You should not raise the forest level in the nutex.com forest to Windows Server 2008. This action would mean that all domain
controllers in each domain must run Windows Server 2008 and the domain level in all domains in the forest must be set to
Windows
Server 2008. Only the domain level of the west.nutex.com domain needs to set at Window Server 2003 or higher.
To install an RODC, run dcpromo. The Active Directory Domain Services Installation Wizard lets you choose to install the
domain
controller as an RODC.
You are the network administrator for a company that owns several professional sports franchises. Your company has a single
domain
with several organizational units (OUs). All marketing personnel are in the Marketing OU. Some of the marketing personnel in
the
company market tickets and merchandise for a professional basketball team. Other marketing personnel in the company market
tickets
and merchandise for a professional football team.
There are separate ticket application programs that are used by marketing personnel. The BasketballTicketApp is used by
marketing
personnel that market tickets and merchandise for the professional basketball team. The FootballTicketApp is used by
marketing
personnel that market tickets and merchandise for the professional football team. A Group Policy Object (GPO) is created, as
shown in
the exhibit, to install the each of the appropriate applications for the appropriate personnel. (Click the Exhibit(s) button.)
You want to ensure that the marketing personnel dedicated to the professional basketball team only receive the
BasketballTicketApp
and not the FootballTicketApp. You want to ensure that the marketing personnel dedicated to the professional football team
only
receive the FootballTicketApp and not the BasketballTicketApp.
Item: 65 (Ref:Cert-70-640.4.3.12)
*'Create two Organizational Units (OUs) under the Marketing OU, named Basketball and Football. Move the
appropriate
personnel into the appropriate OU.
*'Create two global groups named BasketballGlobalGroup and FootballGlobalGroup. Place the appropriate
personnel into the
appropriate group. One each GPO, under Security Filtering, remove the Authentiated Users group and add the appropriate
global group.
*'Create two subdomains, named Basketball and Football. Move the appropriate personnel into the appropriate
domains.
*'At the Marketing OU, block inheritance to the BasketballTicketApp GPO for the FootballGlobalGroup and block
inheritance to
the FootballTicketApp GPO for the BasketballGlobalGroup.
Page 68 of 173
Explanation:
You should create two global groups named BasketballGlobalGroup and FootballGlobalGroup. Place the appropriate
personnel into
the appropriate group. On each GPO, under Security Filtering, remove the Authentiated Users group and add the appropriate
global
group. You can use Security Filtering on a GPO to apply the GPO only to certain users within an OU if you remove the
Authentiated
Users group. In this scenario, you can limit access to the BasketballTicketApp GPO to only the BasketballGlobalGroup by
adding
the BasketballGlobalGroup into the Security Filtering window and removing the Authentiated Users group. You can limit
access to
the FootballTicketApp GPO to only the FootballGlobalGroup by adding the FootballGlobalGroup into the Security Filtering
window
and removing the Authentiated Users group.
You should not create two Organizational Units (OUs) under the Marketing OU, named Basketball and Football, and move the
appropriate personnel into the appropriate OU. This will not solve the problem because the GPOs are still applied to the
Marketing OU
and will still apply to both the Basketball and Football sub-OUs. If you were to create two sub-OUs, you should remove the link
from
the Marketing OU and link the appropriate GPO to the appropriate sub-OU. For example, you could link the
BasketballTicketApp

Created: 18/04/2013
Version: 1.0
Document1
Page 54 of 133
GPO to the Basketball OU and link the FootballTicketApp GPO to the Football OU.
You should not create two subdomains named Basketball and Football and move the appropriate personnel into the appropriate
domains. This will not solve the problem because the GPOs are still applied to the Marketing OU. The GPOs will not apply to
the new
domains.
You should not block inheritance to the BasketballTicketApp GPO for the FootballGlobalGroup and block inheritance to the
FootballTicketApp GPO for the BasketballGlobalGroup. You cannot block inheritance for a particular group or user. You can
only
block inheritance at a container level, such as an OU. Block inheritance stops GPOs that are applied above from flowing down.
The following graphic displays the correctly configured filtering for the BasketballTicketApp GPO:
Answer:
Create two global groups named BasketballGlobalGroup and FootballGlobalGroup. Place the appropriate personnel
into the appropriate group. One each GPO, under Security Filtering, remove the Authentiated Users group and add
the appropriate global group.
Page 69 of 173
You are a network administrator for your company. The corporate network consists of a single Active Directory domain where al l
servers run Windows Server 2003 and all client computers run Windows XP Professional. You use a Group Policy object (GPO)
to
deploy an application on the network. Later, you receive a different application to work with the files that have the same fi le
name
extensions instead of the previously deployed application. You must deploy the new application, but users should not have to
install it if
they choose to use the original application instead of the new one. However, only one of these applications should be install ed
on the
same computer.
Explanation:
To deploy software by using a GPO, you have three main options: you can assign an application to users, assign it to
computers, or
publish it to users. An application that is assigned to computers is installed automatically on a target computer when the
computer is
started. An application that is assigned to users is advertised in the Start menu when a target user logs on, and it is installed
automatically when the user activates the shortcut on the Start menu or attempts to open a file whose file name extension is
associated
with the application. An application that is published to users is advertised in Add or Remove Programs in Control Panel when
a target
user logs on; the user can install the application from Control Panel; or, optionally, the GPO can be configured to install the
application
automatically when the user attempts to open a file whose file name extension is associated with the application.
Item: 66 (Ref:Cert-70-640.4.5.1)
*'Assign the new application to computers; specify in the GPO that the original application be removed before the new
one is
installed.
*'Publish the new application to computers and remove the GPO that deploys the original
application.
*'Assign the new application to users and remove the GPO that deploys the original
application.
*'Publish the new application to users; specify in the GPO that the original application be removed before the new one
is
installed.
Answer:
Publish the new application to users; specify in the GPO that the original application be removed before the new one
is installed.
Page 70 of 173
In this scenario, you should publish the new application to users. On the Upgrades tab of the Properties sheet for the package
in the
GPO, you should indicate that this package is intended to upgrade the original application. You should click Add, specify the
GPO
where the package for the original application is defined, and select the Uninstall the existing package, then install the
upgrade
package option. On the Upgrades tab, you should leave the Required upgrade for existing packages option disabled
because the
scenario stipulates that the upgrade should not be mandatory. Users will be able to continue using the original application or
install the
new application from Control Panel. If a user chooses to install the new application on a computer where the original application
is
installed, the original application will be removed before the installation of the new one starts.
If you assigned the new application to computers, then the application would be installed automatically at computer startup. If
you

Created: 18/04/2013
Version: 1.0
Document1
Page 55 of 133
assigned the new application to users, then the Auto-install this application by the extension activation option on the
Deployment
tab would become unavailable and the application would install automatically when a user attempted to open a file whose file
name
extension is associated with the application.
Applications cannot be published to computers.
You are the network administrator for the Metroil corporation. The company's network contains servers that run Windows Server
2008.
A server named SRV1 is configured as a Domain Name System (DNS) server on the network to handle name resolution from
users.
SRV1 contains a primary zone that holds DNS data for network users.
You notice that the zone has records for computers that were decommissioned weeks ago. You want to immediately remove
any stale
records from metroil.com. What should you do to start scavenging stale resource records immediately?
Explanation:
You can start scavenging stale resource records immediately, even if you have not configured the aging and scavenging
feature. To do
this, you can type dnscmd srv1.metroil.com /StartScavenging . You can also do this from the DNS Manager snap-in by right-
clicking
the DNS server node in the DNS Manager snap-in and clicking the Scavenge Stale Resource Records option. Aging and
scavenging
is a feature of DNS that provides a mechanism for performing cleanup and removal of stale records, which can accumulate in
zone data
Item: 67 (Ref:Cert-70-640.1.1.5)
*'Right-click the DNS server node in the DNS Manager snap-in and click the Set Aging/Scavenging for All Zones
option.
*'From the command prompt type dnscmd
srv1.metroil.com /AgeAllRecords
*'Select the Scavenge stale resource records option in the Zone Aging/Scavenging Properties dialog
box.
*'From the command prompt type dnscmd
srv1.metroil.com /StartScavenging
Answer:
From the command prompt type dnscmd srv1.metroil.com /StartScavenging
Page 71 of 173
over time.
Aging and scavenging of stale records are DNS features that are available when you deploy a DNS server with primary zones.
Stale
records are automatically added to zones when computers start on the network if you have configured dynamic updates.
However, in
some cases, they are not automatically removed when computers leave the network. When you configure aging and
scavenging, DNS
servers can determine that records have aged to the point of becoming stale and remove them from the zone data.
You should not right-click the DNS server node in the DNS Manager snap-in and click the Set Aging/Scavenging for All
Zones option
because this option is used to configure aging and scavenging for all DNS zones on a DNS server. Clicking the Set
Aging/Scavenging
for All Zones option does not immediately start the scavenging of stale resource records.
You should not type dnscmd srv1.metroil.com /AgeAllRecords from the command prompt. This command is used for
backward
compatibility with previous releases of DNS in which aging and scavenging are not supported. The /AgeAllRecords switch
adds a time
stamp with the current time to records that do not have a time stamp. This switch will not force the scavenging of records on a
zone.
You should not select the Scavenge stale resource records option in the Zone Aging/Scavenging Properties dialog box.
This
option is used to configure scavenging settings for a specific DNS zone. Selecting the Scavenge stale resource records
option does
not immediately start the scavenging of stale resource records.
This graphic is not available in print format.
Explanation:
If a user attempts to log on with the correct user name but an incorrect password, then the logon fails. After each unsuccessful
logon
attempt, the lockout counter on the user's account is increased by one. When the user logs on successfully or if within the t ime
period
that is specified in the Reset account lockout counter after policy no unsuccessful logon attempts occur on the user's
account, the
lockout counter is reset to zero. When the lockout counter value becomes equal to the value that is specified in the Account
lockout

Created: 18/04/2013
Version: 1.0
Document1
Page 56 of 133
threshold policy, the user's account is locked out for the time period that is specified in the Account lockout duration policy. If
the
account lockout duration is set to zero, then the account is locked out permanently, and only an administrator can unlock it.
In this scenario, you should set the account lockout threshold to three unsuccessful logon attempts that can occur within a 60-
minute
period. Once this threshold has been reached, the account must be locked out for 120 minutes.
You are the network administrator of your company. Your company has a main office and a branch office. The main office
network
consists of a single Active Directory domain.
You want to create a new domain for the branch office in the same forest as the main office domain. Which operations master
role must
be available in the forest for you to create a new domain for the branch office successfully?
Item: 68 (Ref:Cert-70-640.4.6.1)
You are your company's network administrator. Your company's network consists of a single Active Directory domain. All
servers run
Windows Server 2008, and all client computers run Windows XP Professional and Windows Vista. The company's written
security
policy stipulates that after three unsuccessful logon attempts that have occurred within one hour, the user's account must be
locked
out for two hours. You must configure a Group Policy to enforce this requirement.
To perform this task, select the appropriate settings in the left pane and place them to the correct locations in the right pane.
Item: 69 (Ref:Cert-70-640.2.6.3)
Page 72 of 173
Explanation:
The domain naming master role must be available in the forest for you to create a new domain. In an Active Directory forest,
certain
types of operations can be performed only on the domain controllers that are designated as operations masters for those types
of
operations. There are five operations master roles. The schema master and domain naming master are forest-wide roles; the
PDC
emulator, RID master, and infrastructure master are domain-wide roles. There can be only one schema master and one domain
naming
master in each forest. The schema master domain controller controls all updates and modifications to the schema. To update
the
schema of a forest, you must have access to the schema master. The domain controller holding the domain naming master role
controls the addition or removal of domains in the forest. The infrastructure master is responsible for updating references f rom
local
objects to objects in other domains. The PDC emulator appears as a Windows NT primary domain controller to legacy client
operating
systems, such as Windows NT and Windows 9x/ME. The RID master assigns batches of relative IDs to other domain
controllers, which
in turn assign those IDs to new security principal objects that are being created in the domain.
Each domain-wide role is unique only in each domain. By default, the first domain controller in a new forest hosts all five
operations
master roles. The first domain controller in any new domain in a forest, by default, holds the three domain-wide roles for that
domain.
Subsequently, a forest-wide role can be transferred to another domain controller in the forest, and a domain-wide role can be
transferred to another domain controller in the domain. In order for a new domain to be created in a forest, the domain naming
master
must be available in that forest. In the absence of the domain naming master, you cannot create a new domain, regardless of
whether it
is a tree-root or a child domain.
The options stating schema master, RID master, PDC emulator master, and infrastructure master are incorrect because the
domain
controller holding the domain naming master role controls the addition or removal of domains in the forest. Therefore, you
cannot create
a new domain unless the domain naming master role is available in the forest in which you want to create the new domain.
You are a network administrator for your company. The functional level of your corporate Active Directory forest is Windows
Server
2003. You have created a shared folder on a file server named Server1 in one of the child domains in your forest. You must
give a
group of employees in a partner company access to this shared folder. Those users belong to an Active Directory child domain
in
another forest. You do not want users from the partner company to be able to access any other resources in your forest.
*'Schema
master
*'Domain naming
master
*'Relative ID (RID)
master

Created: 18/04/2013
Version: 1.0
Document1
Page 57 of 133
*'Primary domain controller (PDC) emulator
master
*'Infrastructure
master
Answer:
Domain naming master
Item: 70 (Ref:Cert-70-640.2.2.4)
*'Create an external trust with domain-wide
authentication.
*'Create an external trust with selective
authentication.
*'Create a forest trust with domain-wide
authentication.
*'Create a forest trust with selective
authentication.
Answer:
Create an external trust with selective authentication.
Page 73 of 173
Explanation:
An external trust is a one-way or two-way non-transitive trust between a local domain and a domain in another forest or between
a local
domain and a Windows NT domain. A forest trust is a one-way or two-way transitive trust between two forests whose functional
level is
Windows Server 2003. In this scenario, you must enable users from a single domain in another forest to access a resource in
one
domain in your forest. Therefore, you should create an outgoing external trust from the domain where the file server is located to
the
partner's domain where users require access to a resource in your forest. With the external trust, users from the partner's
domain will
authenticate directly to your resource domain. If you created a forest trust, then the authentication path would involve all parent
domains of your resource domain and all parent domains of the partner's user account domain, which would cause the
authentication
process to take more time. A forest trust would be appropriate if users from multiple domains in one forest required access to
resources
in multiple domains in another forest. Additionally, the scenario does not stipulate that the functional level of the partner's forest
is
With outgoing forest and external trusts, you can specify either selective or domain-wide authentication. Domain-wide
authentication
provides users from a trusted domain the same level of access to local resources being provided to users from the local forest.
Selective authentication allows users from a trusted domain to authenticate only to those resources to which they are explicitly
allowed
to authenticate. For example, in this scenario, you should configure selective authentication on the trust and assign the Domain
Users
group from the trusted domain the Allow - Allowed to Authenticate permission for the Server1 computer object in Active
Directory in
your trusting domain. You should also configure the appropriate share and NTFS permissions for the shared folder on Server1
that
those users need to access. Users from the partner's domain will then be able to access shared resources only on Server1.
They will
not be able to access resources on any other computers in the trusting domain, even if share and NTFS permissions for those
resources allow access to everyone. If you configured domain-wide authentication on the trust, then users from the trusted
domain
would be able to access any resources on any computers in the trusting domain for which the Authenticated Users or
Everyone
group is assigned sufficient permissions.
Your corporate network consists of a single Active Directory domain. Your company has recently acquired another company.
You have
created several hundred user accounts for the new employees in the Users container in Active Directory. Now, you must move
each
user account to the organizational unit (OU) that corresponds to the user's department. You request that the Human Resources
department provide you with information about the department affiliations of the new employees. The Human Resources
department
maintains employee data in a custom application. A Human Resources employee exports the requested information from that
application to a text file in a comma-separated values (CSV) format. The file contains each employee's first and last names,
department
affiliation, and phone number. Every month, the Human Resources department will provide you with a CSV file in the same
format that
includes updates to employee department affiliations.
You must update the users' Department attribute in Active Directory, and you must move the appropriate users to the
appropriate OUs.

Created: 18/04/2013
Version: 1.0
Document1
Page 58 of 133
You must accomplish these tasks by using the least administrative effort.
Explanation:
Active Directory Service Interfaces (ADSI) is a set of programming interfaces that can be used to manipulate data
programmatically in
Active Directory. To accomplish the tasks in this scenario, you can create a VBScript or Jscript script that will parse the data
from the
CSV files provided by the Human Resources department, identify the user objects in Active Directory that correspond to the
employees
referenced in those files, update the appropriate attributes of those user objects in Active Directory, and move those user
objects to the
Item: 71 (Ref:Cert-70-640.4.2.1)
*'In Active Directory Users and Computers, create a custom filter that returns the user accounts of employees from
a specified
department, select those user objects, and drag them and drop them into the appropriate OU.
*'Create a script that will read the CSV files and use ADSI to update Active
Directory.
*'Create LDAP queries that will return the user accounts of employees from each department and save those queries.
In Active
Directory Users and Computers, select the user accounts that are returned by each saved query, and drag them and drop
them
into the appropriate OUs.
*'Create a Group Policy that will automatically move users to the appropriate OUs based on the contents of a
specified CSV
file.
Answer:
Create a script that will read the CSV files and use ADSI to update Active
Directory.
Page 74 of 173
appropriate OUs. Please note that the location of a user object in a specific OU is defined by the user object's distinguished
name, not
by the value of the user object's Department attribute.
Alternatively, you can use Active Directory Users and Computers to perform the required tasks manually, which would
require
substantially more effort than creating a script once and running it every month. You should not create a custom filter that
returns the
user accounts of employees from a specified department, select those user objects, and drag them and drop them into the
appropriate
because an LDAP filter or a saved query would return the user objects of employees from a specific department based on their
currently registered department affiliations. Similarly, you should not create LDAP queries that will return the user accounts of
employees from each department and save those queries, select the user accounts that are returned by each saved query, and
drag
them and drop them into the appropriate OUs because an LDAP filter or a saved query would return the user objects of
employees from
a specific department based on their currently registered department affiliations. In this scenario, you are required to move user
objects
to the appropriate OUs based on their new department affiliations, which are specified in the CSV files provided by the Human
Resources department.
Group Policies cannot be used to automatically update user objects based on the information in a CSV file. Therefore, you
should not
create a Group Policy that will automatically move users to the appropriate OUs based on the contents of a specified CSV file.
You are the systems administrator of Verigon Corporation. The company has a main office and ten branch offices. Each office
has its
own Active Directory site in a single forest. A domain controller running Windows Server 2008 in each site contains user
accounts in an
Organizational Unit (OU) for that site.
An administrator from one of the branch offices reports that the OU containing the branch office user accounts has been
accidentally
deleted. You perform an authoritative restore of the OU. Next, you want to synchronize replication with all replication partners to
ensure
that the restored OU is replicated to all domain controllers in the forest.
Explanation:
You should run the Repadmin /syncall command with /e parameter. An authoritative restore process returns a designated
object, or
container of objects, to its state at the time of the backup. When you restore a domain controller from backup, the normal or
nonauthoritative restore process will not restore the deleted OU, because after the restore process, the restored domain
controller is
updated to the current status of its replication partners, which deleted the OU. Therefore, recovering the deleted OU requires an
authoritative restore. An authoritative restore marks the OU as authoritative and causes the replication process to restore i t to all

Created: 18/04/2013
Version: 1.0
Document1
Page 59 of 133
domain controllers in the domain. To perform an authoritative restore of AD DS, you must complete a nonauthoritati ve restore
and
ensure that replication does not occur after the nonauthoritative restore. To prevent the replication from occurring after the
nonauthoritative restore, and to perform the authoritative restore portion of the operation, you must restart the domain controller
in
Directory Services Restore Mode or disconnect the network cable, and perform the authoritative restore at the domain controll er
that
you are restoring. After performing the authoritative restore of AD DS, you should start the domain controller normally and
synchronize
replication with all replication partners. To synchronize replication, run the Repadmin /syncall DCName command, where
DCName is
the Domain Name System (DNS) name of the domain controller on which you want synchronize replication with all partners.
The /e
parameter ensures that replication partners in all sites are included in the replication synchronization.
You should not run the Repadmin /syncall command with /d parameter. The /d parameter is used to identify servers by
distinguished
name in messages. Using the /d parameter in the Repadmin /syncall command will not ensure that the restored OU is
replicated to all
domain controllers in the forest.
You should not run the Repadmin /syncall command with /A parameter. The /A parameter specifies that all directory partitions
that are
held on the home server should be synchronized. Using the /A parameter in the Repadmin /syncall command will not ensure
that the
Item: 72 (Ref:Cert-70-640.2.4.16)
*'Run the Repadmin /syncall command with the /e
parameter.
*'Run the Repadmin /syncall command with the/d
parameter.
*'Run the Repadmin /syncall command with the/A
parameter.
*'Run the Repadmin /syncall command with the/P
parameter.
Answer:
Run the Repadmin /syncall command with the /e
parameter.
Page 75 of 173
restored OU is replicated to all domain controllers in the forest.
You should not run the Repadmin /syncall command with /P parameter. The /P parameter is used to push changes outward
from the
home server. Using the /P parameter in the Repadmin /syncall command will not ensure that the restored OU is replicated to
all
domain controllers in the forest.
Your corporate network currently consists of a single Active Directory domain and a single site. Your company opens a new
branch
office to expand its business operations. In the central office, you install a domain controller named DC1 in a new domain and
deploy
Windows XP Professional on new client computers that will be used in the branch office. The central office and the branch office
are
connected by a dedicated WAN link. You create a new Active Directory site named Site2. When DC1 and the new client
computers are
delivered to the branch office, you want to configure them to belong to Site2.
Which of the following should you do? (Choose two. Each correct answer is part of the complete solution.)
Explanation:
To assign a domain controller to a specific Active Directory site, the server object that represents that domain controller must be
moved
to the Servers container in the appropriate site. To move DC1 to Site2 in this scenario, you should use Active Directory Sites
and
Services to move the DC1 server object to the Servers container that is a child of the Site2 container. Client computers and
member
servers are not assigned to sites explicitly. Their site affiliations are determined automatically from the IP addresses assi gned to
those
computers. In this scenario, you should use Active Directory Sites and Services to create a new subnet object in Site2 and
specify an
IP address for that subnet. When the new client computers are physically connected to the network in the branch office, you
should
assign them IP addresses that belong to the new subnet. Site affiliations cannot be configured in Group Policy objects (GPOs).
You are network administrator for a pharmaceutical company. The network is configured with one Windows Server 2008 server.
The
network also contains 200 Windows Vista client computers installed in various departments. The client computers in each
department
are located in a separate organizational unit (OU).

Created: 18/04/2013
Version: 1.0
Document1
Page 60 of 133
You install new software on all computers in the sales department in an OU named Sales. Three users from the same
department now
report that their computers restart every five minutes.
You want to enable a Group Policy Object (GPO) policy to identify the cause of the problem.
What should you do?
Item: 73 (Ref:Cert-70-640.2.3.2)
M|.Move the DC1 server object to
Site2.
M|.Move the computer objects for the new client computers to
Site2.
M|.Create a subnet object in Site2 and assign DC1 an IP address from the range of that
subnet.
M|.Create a subnet object in Site2 and assign the new client computers IP addresses from the range of that
subnet.
M|.In a GPO linked to the new domain, configure a policy that assigns the new client computers to
Site2.
M|.In a GPO linked to the Domain Controllers organizational unit, configure a policy that assigns DC1 to
Site2.
Answer:
Move the DC1 server object to Site2.
Create a subnet object in Site2 and assign the new client computers IP addresses from the range
of that subnet.
Item: 74 (Ref:Cert-70-640.4.7.8)
Page 76 of 173
Explanation:
You should implement the Audit system events policy and link the GPO to the Sales OU to identify the cause of the problem in
this
scenario. By enabling the Audit system events policy, you can audit events related to a computer restart or shutdown. This
setting is
not enabled for any operating system except for Windows Server 2003 or Windows Server 2008 domain controllers, which are
configured to audit successes of these events. It is considered a best practice to configure this level of auditing for all computers
on the
network.
You can configure the Audit system events policy in GPO settings. To access group policy and configure Audit system
events
policy, perform the following steps:
1. Click Start, type gpedit.msc in the Run dialog box, and press the Enter key. This will open the Group Policy window.
2. Under the group policy menu, scroll down to the following node: Computer Configuration\Security Settings\Local
Policies\Audit Policy.
3. In the right pane, right-click Audit system events and click Properties.
4. Under the Properties Window, you can configure Success or Failure audit events.
5. Once you configure the Audit policy, you can link the GPO to the appropriate OU.
You should not implement the Audit logon events policy and link the GPO to the Sales OU to identify the cause of the problem
in this
scenario. An Audit logon events policy will audit events related to a user logging on to, logging off from, or making a network
connection to the computer configured to audit logon events. This audit policy will not audit a computer that keeps restarting or
shutting
down.
You should not implement the Audit account logon events policy and link the GPO to the Sales OU to identify the cause of
the
problem in this scenario. By enabling the Audit account logon events policy, you can audit each time a user is logging on or
off from
another computer in which the computer performing the auditing is used to validate the account. This audit policy will not audit a
computer that keeps restarting or shutting down.
You should not implement the Audit process tracking policy and link the GPO to the Sales OU to identify the cause of the
problem in
this scenario. An Audit process tracking policy will audit events related to processes on the computer, such as program
activation,
process exit, handle duplication, and indirect object access. This audit policy will not audit a computer that keeps restart ing or
shutting
down.
You are the administrator of your company. Your company's network has a single forest with one Active Directory domain. All
the
domain controllers run Windows Server 2008. Your account is a member of the Domain Admins group.
You attempt to install Active Directory Rights Management Services (AD RMS) for the first time. You receive the following error:
"Event ID 190 AD RMS Service Connection Point Registration"
What could have caused the error?
*'Implement the Audit logon events policy and link GPO to the Sales
OU.
*'Implement the Audit system events policy and link GPO to the Sales

Created: 18/04/2013
Version: 1.0
Document1
Page 61 of 133
OU.
*'Implement the Audit account logon events policy and link GPO to the Sales
OU.
*'Implement the Audit process tracking policy and link GPO to the Sales
OU.
Answer:
Implement the Audit system events policy and link GPO to the Sales
OU.
Item: 75 (Ref:Cert-70-640.3.2.4)
*'You are not a member of the Schema Admins group, or have not been delegated the appropriate permissions to the
schema.
*'You are not a member of the local AD RMS Enterprise Administrators group, or have not been delegated the
appropriate
permissions.
Page 77 of 173
Explanation:
You need to be a member of the local AD RMS Enterprise Administrators group and a member of the Enterprise Admins group
to install
AD RMS. AD RMS clients use a service connection point (SCP) to automatically discover the AD RMS cluster. The error
message
means that the AD RMS installation failed to register the AD RMS SCP in Active Directory Domain Services (AD DS). After the
installation, you can register the SCP by using the AD RMS console if your user account is a member of the member of the local
AD
RMS Enterprise Administrators group and the AD DS Enterprise Admins group. In this scenario, the user installing AD RMS
does not
have the appropriate permissions.
You do not have to be a member of the Schema Admins group or have been delegated the appropriate permissions to the
schema, nor
do you have to be a member of the Windows Authorization Access group. Members of the Schema Admins group have the
ability to
edit the Active Directory schema. Members of the Windows Authorization Access group have access to the computed
tokenGroupsGlobalAndUniversal attribute on User objects. Neither group will allow you register a SCP. To register a SCP by
using
the AD RMS console, the user account must be a member of the local AD RMS Enterprise Administrators group and the AD DS
Enterprise Admins group.
The error was not caused by a pre-existing AD RMS SCP in the forest. This is the first time that you have installed AD RMS.
There
should not be a SCP already in existence, since AD RMS has not been installed.
You are the network administrator for the Nutex Company, a woman's shoe manufacturer. Your company's network has a single
domain. All domain controllers use Windows Server 2008. The functional level and domain level are set at Window Server 2003.
You
have Group Policy Objects (GPOs) deployed in your domains that set the login and desktop environment for users in that
domain.
Your company purchases a company that makes shoes for men. The new company's network also has a single domain. All
domain
controllers are a mixture of Windows Server 2008 and Window Server 2003. There are no plans to integrate both companies'
Active
Directory domain structures. However, you want to use the deployed GPOs in your network in the new company's network.
How should you do this?
Explanation:
You should use the Group Policy Management Console (GPMC) to back up the appropriate GPO in the Nutex domain. You
should use
the GPMC to import the GPO to the appropriate container on a domain controller in the new forest. You can export the settings
of a
GPO by using the backup function of the GPMC. You can import the settings into a new domain by using the import function.
The
*'You are not a member of the Windows Authorization Access
group.
*'An AD RMS SCP already exists in the forest.
Answer:
You are not a member of the local AD RMS Enterprise Administrators group, or have not been delegated the
appropriate permissions.
Item: 76 (Ref:Cert-70-640.4.4.8)
*'At a domain controller for Nutex, use gpresult to export the appropriate GPOs to a file. At the domain controller at
the new
company, use gpresult to import the GPO to the appropriate container.
*'At a domain controller for Nutex, use gpupdate to export the appropriate GPOs to a file. At the domain controller at
the new
company, use gpupdate to import the GPO to the appropriate container.

Created: 18/04/2013
Version: 1.0
Document1
Page 62 of 133
*'At a domain controller for Nutex, use the Group Policy Management Console (GPMC) to back up the appropriate
GPO. At a
domain controller at the new company, use the GPMC to import the GPO to the appropriate container.
*'Create a two-way forest trust between the root domains. At a domain controller for Nutex, use gpupdate to export
the appropriate
GPOs to a file. At the domain controller at the new company, use gpupdate to import the GPO to the appropriate container.
Answer:
At a domain controller for Nutex, use the Group Policy Management Console (GPMC) to back up the appropriate
GPO. At a domain controller at the new company, use the GPMC to import the GPO to the appropriate container.
Page 78 of 173
import operations transfer settings from the backup GPO into a new GPO in the new domain. You do not need a cross-domain
or crossforest
trust relationship. You do need access to the file system where the backup of the GPO resides. The backup and import
operations are ideally suited for copying GPOs that you created on a test environment into a production environment.
You cannot use gpresult or gpupdate to import or export GPOs from one domain to another. The gpresult utility is used to
display
what GPOs have been applied to a user or computer. The gpupdate utility is used to force the application of a GPO on a user
or
computer.
You can back up a GPO using the GPMC by following these steps:
Highlight the GPO that you want to backup.
Right click the GPO and choose Back up.
Specify the location to back up and choose Back Up.
You can import a GPO using the GPMC by following these steps:
Highlight the GPO where you want to import the settings from the backup of the original GPO.
Right-click and choose Import Settings.
The Import Wizard will prompt you for the location of the backup copy.
Choose the GPO that you want to import.
You are the network administrator for your company. The company has a main office and a branch office. All servers on the
network
run Windows Server 2008. You install a domain controller named DCMain in the main office and a domain controller named
DCBranch
in the branch office. You configure each office to have its own Active Directory site.
You want to configure Active Directory replication between both the offices. Which tool or tools can you use to configure Act ive
Directory replication between DCMain and DCBranch? (Choose all that apply. Each correct answer is a complete solution.)
Item: 77 (Ref:Cert-70-640.2.4.18)
Page 79 of 173
Explanation:
You can use the Active Directory Sites and Services snap-in or the Repadmin.exe tool to configure Active Directory replication.
The
Active Directory Sites and Services snap-in runs on domain controllers and it is installed automatically when you install Active
Directory.
The Active Directory Sites and Services snap-in provides a view into the Sites container of the configuration directory partition
and can
be used to manage Active Directory replication topology. Repadmin.exe is a command-line tool that can be used to view the
replication
information on domain controllers. By using the Repadmin.exe tool, you can determine the last successful replication of all
directory
partitions, identify inbound and outbound replication partners, identify the current bridgehead servers, view object metadata, and
generally manage Active Directory replication topology for both AD DS and AD LDS replication. You can also use the
Repadmin.exe
tool to force replication of an entire directory partition or a single object, and list domain controllers in a site.
You cannot use Ntdsutil.exe to configure Active Directory replication. Ntdsutil.exe can be used to perform Active Directory
database
maintenance, manage and control single-master operations, and remove replication metadata left behind by domain controllers
that are
removed from the network without uninstalling Active Directory
You cannot use Active Directory Domains and Trusts, Ldp.exe, or Wbadmin.exe to configure Active Directory replication.
Active
Directory Domains and Trusts is a Microsoft Management Console (MMC) snap-in that can be used to create and manage
trusts
between domains and sites. Wbadmin.exe is a command-line tool that allows you to back up and restore your computer,
volume, and
files from a command prompt. The Ldp.exe tool is a Lightweight Directory Access Protocol (LDAP) tool that can be used to view
and
modify Active Directory Lightweight Directory Services (AD LDS) data.
You are the network administrator for a company that makes golf trophies and awards. Your network has a single domain with
several

Created: 18/04/2013
Version: 1.0
Document1
Page 63 of 133
locations configured as Active Directory sites. All domain controllers run Windows Server 2008 and the functional level of the
domain is
Windows Server 2008. User accounts are distributed to different Organizational Units that are based on departments. All
domain
controllers are placed in the Domain Controllers OU. All servers are placed in the Servers OU.
You create a public key infrastructure by installing a root Certification Authority (CA). You create a subordi nate enterprise CA to
issue
certificates to users and computers. You take the root CA offline. You create a certificate template on the CA to issue user
certificates.
(Click the Exhibit(s) button to view the configuration of the CA.)
What must you do to ensure user certificates are automatically issued to domain users when they log in?
M|.Active Directory Sites and
Services
M|.Active Directory Domains and
Trusts
M|.Repadmin.exe
M|.Ldp.exe
M|.Wbadmin.exe
M|.Ntdsutil.exe
Answer:
Active Directory Sites and
Services
Repadmin.exe
Item: 78 (Ref:Cert-70-640.6.1.2)
*'Install a certification authority Web enrollment
agent.
*'Create a group policy that can distribute certificates to users and link the GPO to the
domain.
*'Create a group policy that can then distribute certificates to users and link the GPO to the Servers
OU.
*'Change the settings on the Request Handling tab of the
CA.
Page 80 of 173
70-640.6.1c
70-640.6.1b
Answer:
Create a group policy that can distribute certificates to users and link the GPO to the
domain.
Page 81 of 173
Explanation:
You should create a group policy that can distribute certificates to users and link the GPO at the domain. You can configure
autoenrollment of certificates for domain users or computers through group policy. You must have an subordinate enterprise CA
to
issue the certificates to the users or computers, and the CA must be able to check Active Directory to validate the user or
computer.
You cannot use a standalone CA to issue certificates for autoenrollment.
In this scenario you have added the certificate template to the Certification Authority server and the user's computer is a
member of the
domain. The autoenrollment process is normally triggered by the Winlogon process. The autoenrollment process is activated
and
managed by a domain-based Group Policy. Both machine-based and user-based Group Policy can activate autoenrollment for
machines and users. To automatically issue user certificates, you must edit the group policy object (GPO).
Go to User Configuration Security Settings Public Key Policies.
Highlight and edit the Certificate Services Client - auto enrollment option.
To automatically issue computer certificates, you must edit the group policy object (GPO).
Go to Computer Configuration Security Settings Public Key Policies.
Highlight and edit the Certificate Services Client - auto enrollment option.
You should not link the GPO that distribute certificates to users to the Servers OU. In this scenario, you want the users in the
domain to
automatically receive certificates. If you link the GPO to the Servers OU, only user accounts in and beneath the Servers OU
will
receive certificates. You should link the GPO to the domain to ensure that all users in the domain receive certificates.
You do not have to install a certification authority Web enrollment agent. This service allows users to request certificates via the
HTTP
protocol or a by using a browser. This agent is helpful when you have computers that are not members of the domain, such as
Unix
Page 82 of 173

Created: 18/04/2013
Version: 1.0
Document1
Page 64 of 133
computers, that need to request certificates.
You should not change the settings on the Request Handling tab of the CA. The current settings are configured to follow the
settings
in the certificate template. The template will determine if the user or computer should receive a certificate. If you change the
settings to
Set the certificate status to pending, then the administrator will have to determine if the user and computer receive a
certificate. The
scenario required that the user certificates be distributed automatically.
You can use the Group Policy Mangement Console (GPMC) to edit a group policy. If you want the autoenrollment to apply to
the entire
domain, do the following:
Edit the Default Domain Policy and click Edit.
Under the User Configuration container, expand the Windows Settings folder.
Expand the Security Settings folder and then click to select the Public Key Policies folder.
Right-click the Autoenrollment Settings object and select Properties.
Check the Renew Expired Certificates, Update Pending Certificates, and Remove Revoked Certificates options as well
as
the Update Certificates That Use Certificate Templates option. Click OK.
You are a network administrator for your company. The company has one main office and two branch offices. The servers at the
main
office run Windows Server 2008 at the Windows Server 2003 functional level and all servers at the branch office network are
running
Windows Server 2003. The client computers in the main office run Windows XP Professional, and client computers in branch
offices run
Windows Vista.
You deploy Active Directory Rights Management Services (AD RMS) in the main office. However, you notice that the client
computers
in the main office are unable to protect their documents using the AD RMS service.
What should you do to fix the problem with minimal administrative efforts?
Explanation:
You should download and install RMS client on all client computers running Windows XP to achieve the objective in this
scenario.
Windows Vista includes the RMS client by default. Operating systems released before Windows Vista and Windows Server
2008 do not
have the RMS client installed. To use AD RMS service in Windows XP computer, you must download and install the RMS client
from
the Microsoft Download Center (Microsoft Windows RMS with Service Pack 2 (SP2)). With AD RMS, you can protect the
documents for
AD RMS enabled applications by providing appropriate user rights and permissions to the documents such as copy, edit, view,
and
print. To install AD RMS in Windows Server 2008, follow these steps:
1. Click Start, click Administrative Tools and click Server Manager
2. Under Server Manager window, click Add Roles
3. Highlight AD RMS and click Next
to
Windows Vista will make the AD RMS services available, however, it will be entail more administrative effort than install ing the
RMS
client and will cost additional money. Hence, upgrading all computers to Windows Vista will not be the right choice in this
scenario.
You should not raise the functional level to Windows Server 2008 to achieve the objective in this scenario. Al l servers in this
scenario
are using Windows Server 2003 as the functional level, which is enough to deploy AD RMS in your company's network.
Item: 79 (Ref:Cert-70-640.3.2.6)
*'Upgrade all computers to Windows Vista.
*'Raise the functional level to Windows Server
2008.
*'Download and install the RMS client on all XP client
computers.
*'Flush the RMS Message Queuing
queue.
Answer:
Download and install the RMS client on all XP client
computers.
Page 83 of 173
You should not flush the RMS Message Queuing queue to achieve the objective in this scenario. You should flush the RMS
Message
Queuing queue when you want to ensure that all messages are written to the RMS logging database when you are upgrading
from
RMS to AD RMS.

Created: 18/04/2013
Version: 1.0
Document1
Page 65 of 133
You are a network administrator for your company. Your corporate network consists of a single Active Directory domain. Click
the
Exhibit(s) button to view the organizational unit (OU) structure of the domain.
The user accounts of all network administrators belong to the NetAdmins OU. The user accounts of all Help Desk personnel
belong to
a security group named Help Desk. The Help Desk personnel should be allowed to reset the passwords of all users, except
network
administrators. You must delegate only the appropriate level of authority to the Help Desk group; you should not assign them
excessive
privileges. Your actions should not affect any existing permissions and privileges for any users.
Explanation:
By default, permissions are propagated from parent OUs to all of their child OUs. To prevent the Help Desk personnel from
being able
to reset passwords on network administrators' accounts, you should first disable permission inheritance for the NetAdmins OU.
On the
Security tab of the Properties sheet for the NetAdmins OU, you should click Advanced. On the Permissions tab of the
Advanced
Security Settings for NetAdmins sheet, disable Allow inheritable permissions from the parent to propagate to this object
and all
child objects. Include these with entries explicitly defined here. You will then be prompted to copy or remove the permissions
that the
NetAdmins OU inherited from its parent. You should click Copy to preserve all of the permissions for the NetAdmins OU that
are
currently in effect. Next, you should assign the Help Desk group the permission to reset user passwords for the Personnel OU.
To
accomplish this task, you can run the Delegation of Control wizard on the Personnel OU, add the Help Desk group to the list of
the
users to whom you want to delegate control of the OU and select the Reset user passwords and force password change at
next
logon task. Alternatively, you can assign the Help Desk group the Allow - Reset Password permission for the Personnel OU
and
specify that the permission apply to user objects. The permission will apply to all user objects in the Managers and Employees
OUs
and will not apply to the user objects in the NetAdmins OU.
If you assigned the Help Desk group the permission to reset the users' passwords for the Personnel OU, then the Help Desk
personnel would be able to reset the passwords of all users, including network administrators. Additionally, by removing
inherited
Item: 80 (Ref:Cert-70-640.4.3.8)
*'Disable permission inheritance and remove the existing permissions for the Personnel OU; then assign the Help
Desk group the
permission to reset the users' passwords for the Personnel OU.
*'Assign the Help Desk group the permissions to manage user accounts for the Managers and Employees OUs.
*'Disable permission inheritance and copy the existing permissions for the NetAdmins OU; then assign the Help
Desk group the
permission to reset the users' passwords for the Personnel OU.
*'Create a GPO that assigns the Generate security audits user right to the Help Desk group and link the GPO to the
Personnel
OU. Place the Help Desk group into the NetAdmins OU, and enable Block Policy inheritance for the NetAdmins OU.
Answer:
Disable permission inheritance and copy the existing permissions for the NetAdmins OU; then assign the Help Desk
group the permission to reset the users' passwords for the Personnel OU.
Page 84 of 173
permissions for the Personnel OU, you would change some of the existing permissions and privileges of some of the network
administrators.
If you assigned the Help Desk group the permission to manage user accounts for the Managers and Employees OUs, then the
Help
Desk personnel would have excessive privileges; particularly, they would be able to create, delete, and fully manage user
accounts in
these OUs.
You should not create a GPO that assigns the Generate security audits user right to the Help Desk group and link the GPO to
the
Personnel OU, place the Help Desk group into the NetAdmins OU, and enable Block Policy inheritance for the NetAdmins
OU.
These actions are not feasible and irrelevant to this scenario.
You are the systems administrator for your company. The company's network consists of a single Active Directory forest. The
company
has a main office and two branch offices, named Branch1 and Branch2. Each office has its own Active Directory domain. Both
branch
offices contain a read-only domain controller (RODC). You configure the RODCs to cache user passwords.

Created: 18/04/2013
Version: 1.0
Document1
Page 66 of 133
You suspect that the security of the RODC in Branch1 has been compromised. To prevent misuse of domain users' credentials,
you
want to reset the current credentials that are cached on the RODC in Branch1. Which is the minimum group membership that
you will
require to be able to reset the current cached credentials on the RODC?
Explanation:
You will require membership in the Domain Admins group to reset the current cached credentials on the RODC in Branch1.
Credential caching is the storage of user or computer credentials. You can configure the Password Replication Policy on a
writable
domain controller to specify if an RODC should be allowed to cache a password. Password caching enables an RODC to
directly
service a user's request to log on if the user's credentials are cached on the RODC. When you suspect that the security of an
RODC
has been compromised or if the RODC has been stolen, you can reset the password for all user accounts that are cached on
that
RODC. Resetting the password for a given user is the mechanism to securely clear the cached password for that user. You
must be a
member of the Domain Admins group to reset the current credentials that are cached on an RODC.
The options stating Enterprise Admins and Schema Admins, are incorrect because granting membership in those groups
would
grant more permissions than necessary to reset the current cached credentials on the RODC.
The local Administrators group on the RODC is incorrect because that does not grant sufficient permissions to reset the
current
cached credentials on the RODC. A user must be a member of the Domain Admins group to reset the current credentials that
are
cached on an RODC.
You are the systems administrator for your company. The company has a main office and a branch office; all administrators are
located
at the main office. The network consists of a single Active Directory domain. The main office contains a domain controller
named DC1.
You install a read-only domain controller (RODC) named RODC1 in the branch office due to its reduced management
requirements.
You want to prevent the replication of sensitive information between DC1 and RODC1. What should you do?
Item: 81 (Ref:Cert-70-640.3.3.8)
*'Enterprise
Admins
*'Schema
Admins
*'Domain
Admins
*'Local Administrators group on
RODC
Answer:
Domain
Admins
Item: 82 (Ref:Cert-70-640.2.5.2)
Page 85 of 173
Explanation:
You should configure a Filtered Partial Attribute Set. An RODC is a new type of domain controller in Windows Server 2008 that
hosts
read-only partitions of the Active Directory database. An RODC holds all the Active Directory Domain Services (AD DS) objects
and
attributes that a writable domain controller holds, except for account passwords. Each RODC has a unique account, named
Krbtgt,
which is used for Kerberos authentication. By default, an RODC does not store any user or computer credentials except its own
computer account and the Krbtgt account. When you want to prevent the replication of sensitive information, you should
configure a
Filtered Partial Attribute Set. A Filtered Partial Attribute Set is a set of attributes that you can configure in the schema to ensure
that
these attributes are not replicated to an RODC.
You should not disable the Krbtgt account on RODC1. The Krbtgt account is used by an RODC for Kerberos authentication.
Disabling
the Krbtgt account will not prevent sensitive information from being replicated between a writable domain controller and an
RODC.
You should not configure the Password Replication Policy on RODC1. The Password Replication Policy determines if an RODC
should
be allowed to cache a password. The Password Replication Policy lists the accounts that are permitted to be cached, and the
accounts
that are explicitly denied from being cached. The Password Replication Policy is configured and enforced on a writable domain

Created: 18/04/2013
Version: 1.0
Document1
Page 67 of 133
controller. For example, to prevent the Administrator password from replicating from the Main office to the Branch office RODC,
a
Password Replication Policy would need to be implemented on the DC in the Main office. This would prevent the password from
replicating to the RODC in the Branch office.
You should not disable the Replicator user group on RODC1. The Replicator user group supports file replication in a domain.
Disabling the Replicator user group will not ensure that sensitive information is not replicated between a writable domain
controller and
an RODC.
You are the network administrator of your company. You create an account for a user named Michelle Smith. Click the
Exhibit(s)
button to see the properties of the account.
Michelle is able to successfully store and retrieve files from the file server. A few days later, however, Michelle is not able to log
in with
her password.
What should you do to correct the problem with Michelle's account?
*'Configure a Filtered Partial Attribute
Set.
*'Disable the Krbtgt account on
RODC1.
*'Configure the Password Replication Policy on
RODC1.
*'Disable the Replicator user group on
RODC1.
Answer:
Configure a Filtered Partial Attribute
Set.
Item: 83 (Ref:Cert-70-640.4.2.5)
*'Select Unlock the account and change the expiration
date.
*'Select Unlock the account and clear User must change password at next
logon.
*'Select Unlock the account and reset Michelle's
password.
*'Select Unlock the account and select Password never
expires.
Answer:
Select Unlock the account and change the expiration
date.
Page 86 of 173
Explanation:
You should select Unlock the account and change the expiration date. In this scenario, Michelle was able to log in with her
account.
After a few days, the account stopped working. Her account has an expiration date set. When an account expires, the account
is not
deleted from Active Directory. You can unlock the account and configure another expiration date, or set the account to never
expire.
You should not clear User must change password at next logon. This setting is used after resetting a password or setting a
user's
password for the first time. This setting forces the user to change the password when he/she logs in. This setting is not the
reason
Michelle is locked out.
You should not reset Michelle's password. Michelle's password is not the problem. Michelle was not able to log on with her
password
after a week. The problem is that the account has expired.
You should not select Password never expires. This setting will lessen security. You should have users change their
passwords
periodically to enforce security. Michelle's password is not the problem; the problem is that the account has expired.
You are the security administrator of VisionWorx Corporation. The network of the company consists of a single Active Directory
domain,
named visionworx.com. The servers on the network run Windows Server 2008. The client computers run Windows Vista. The
organizational unit (OU) structure of the company is shown in the exhibit. (Click the Exhibit(s) button.)
You employ an assistant administrator named Adam. You want to enable Adam to only apply Group Policy Objects (GPOs) to
desktop
client computers. What should you do?
Item: 84 (Ref:Cert-70-640.4.3.11)
*'Add Adam's user account to the Group Policy Creator Owners
group.
*'Add Adam's user account to the Managed By tab in the properties sheet for the Desktop Clients
Page 87 of 173

Created: 18/04/2013
Version: 1.0
Document1
Page 68 of 133
Explanation:
You should run the Delegation of Control Wizard and delegate Adam the right to manage Group Policy links for the Desktop
Clients
OU. Windows Server 2008 allows you to delegate the following three Group Policy tasks independently:
Creating Group Policy objects.
Managing Group Policy links for a site, domain, or organizational unit.
Editing Group Policy objects.
To delegate a user with the rights to manage Group Policy links for a site, domain, or OU, you should use the Delegation of
Control
Wizard. To run the Delegation of Control Wizard, you should right-click the appropriate container and select the Delegate
Control
option.
The Group Policy tab in the site, domain, or organizational unit's Properties page allows you to specify which Group Policy
objects
are linked to this site, domain, or organizational unit. This property page stores the user's choices in two Active Directory
properties
called gPLink and gPOptions. The gPLink property contains the prioritized list of Group Policy object links and the gPOptions
property contains the Block Policy Inheritance policy setting for domains or organizational units. The Block Policy
Inheritance policy
setting is not available for sites. If non-administrators have Read and Write access to the gPLink and gPOptions properties,
they can
manage the list of Group Policy objects linked to that site, domain, or organizational unit. To give a user Read and Write access
to
these properties, you should use the Delegation of Control Wizard and select the Manage Group Policy links predefined
task.
You should not add Adam's user account to the Group Policy Creator Owners group. By default, only Domain Administrators,
Enterprise Administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects.
Adding a nonadministrator
user to the Group Policy Creator Owners group allows the user to create Group Policy objects. Being a member of the
Group Policy Creator Owners group gives the non-administrator full control of only those Group Policy objects that the user
creates or
those explicitly delegated to that user. It does not give the user full control of any other Group Policy objects, and does not allow
the
user to link Group Policy objects to sites, domains, or organizational units. In this scenario, you only want to enable Adam to
apply
Group Policy Objects (GPOs) to desktop client computers only. Therefore, adding Adam's user account to the Group Policy
Creator
Owners group will not allow Adam to link a GPO at the Desktop Clients OU only.
You should not add Adam's user account to the Managed By tab in the properties sheet for the Desktop Clients OU. When
you add a
user as a manager in the Managed By tab in the properties sheet of an OU, the user does not get any permissions for the OU.
This
setting is only informational. The other fields on the tab display the manager's properties and not the OU's properties.
You should not run the Delegation of Control Wizard and delegate Adam the right to manage Group Policy links for the Client
Computers OU. This will allow Adam to apply Group Policy Objects (GPOs) only to all computers whose computer accounts
are
located in the Client Computers OU, Desktop Clients OU, and the Portable Clients OU.
OU.
*'Run the Delegation of Control Wizard and delegate Adam the right to manage Group Policy links for the Desktop
Clients
OU.
*'Run the Delegation of Control Wizard and delegate Adam the right to manage Group Policy links for the Client
Computers
OU.
Answer:
Run the Delegation of Control Wizard and delegate Adam the right to manage Group Policy links for the Desktop
Clients OU.
Page 88 of 173
You are the network administrator for your company. A user reports that their password has expired. You investigate and
determine
that the user account has been locked out. The user needs to log on immediately, and you need to replicate the change in
account
status to all domain controllers.
What are three ways that you can force replication of the account status? (Choose three. Each answer is a complete solution.)
Explanation:
You can use the Repadmin tool or the Replmon tool to force replication in Active Directory. You can also use Active Directory
Sites
and Services and click NTDS Settings for the server that you want to force replication. In this scenario, you need to force the
replication
of the change in account status of an unlocked account to all domain controllers. Eventually this change will replicate to all
domain

Created: 18/04/2013
Version: 1.0
Document1
Page 69 of 133
controllers based on the replication schedule. You can use the the Repadmin tool , the Replmon tool, or Active Directory Users
and
Computers to force replication.
You should not use Rsnotify.exe. This command is a remote storage recall notification program on a Windows operating
system. This
command will not force replication.
Trusts
cannot
You cannot use Active Directory Users and Computers to force replication by selecting the domain controllers OU and forci ng
replication. You cannot force replication at the OU level with Active Directory Users and Computers. You can use the the
Repadmin
tool, the Replmon tool, or Active Directory Sites and Services to force replication.
You are the systems administrator for your company. The company's network consists of a single Active Directory domain. A
computer
running Windows Server 2008 has both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory
Services
(AD LDS) roles installed. The AD LDS server contains an instance with the default name that is used by several applications
that
access data from and write data to the AD LDS database.
Over time, users report to you that the AD LDS applications have become slow. To resolve this problem, you want to
defragment the
AD LDS database.
What should you do to perform an offline defragmentation of AD LDS database? (Choose all that apply. Each correct answer is
part of
a single solution.)
Item: 85 (Ref:Cert-70-640.2.4.5)
M|.Use
Repadmin.
M|.Use
Replmon.
M|.Use Rsnotify.
M|.Use Active Directory Domains and Trusts. Click NTDS Settings for the server where you want to force
replication.
M|.Use Active Directory Sites and Services. Click NTDS Settings for the server that you want to force
replication.
M|.Use Active Directory Users and Computers. Choose the Domain Controllers OU and force
replication.
Answer:
Use Repadmin.
Use Replmon.
Use Active Directory Sites and Services. Click NTDS Settings for the server that you want to force
replication.
Item: 86 (Ref:Cert-70-640.3.1.3)
Page 89 of 173
Explanation:
You should run the Net stop Adam_instance1 command, use the Ntdsutil command with the appropriate parameters to defrag
the
database, and run the Net start Adam_instance1 command. When you perform offline defragmentation of the directory
database file,
a new, compacted version of the database file is created in a different location. In Windows Server 2008, you can use the
Net.exe
command-line tool to perform tasks such as offline defragmentation of the AD DS database without restarting the domain
controller.
Restartable AD DS is a new feature in Windows Server 2008 that allows you to perform offline operations quickly because it
does not
require you to restart the domain controller in Directory Services Restore Mode. In Windows Server 2008, you can perform
offline
defragmentation of the AD LDS directory database by stopping the AD LDS service, performing the defragmentation, and
restarting the
AD LDS service. The scenario states that the AD LDS instance is installed with the default name, which would be Instance1.
Therefore, to stop the AD LDS service, you should run the Net stop Adam_instance1 command. You should then run the
Defrag
command with the appropriate parameters. Finally, you should start the AD LDS service with the Net start Adam_instance1
command.
You should not restart the domain controller in Directory Services Restore Mode. Restarting the domain controller in Directory
Services
Restore Mode is required for Windows 2000 Server Active Directory and Windows Server 2003 Active Directory. In Windows
Server

Created: 18/04/2013
Version: 1.0
Document1
Page 70 of 133
2008, however, you can perform offline defragmentation by stopping AD LDS instead of restarting the domain controller in
Directory
Services Restore Mode.
You should not run the Net stop Ntds command or the Net start Ntds command because these commands will stop and start
the AD
DS service. In this scenario, you want to perform offline defragmentation of the AD LDS database. Therefore, you should stop
the AD
LDS service instead of AD DS service.
You are the systems administrator of the Nutex corporation. The company's network consists of a single Active Directory
domain. The
network contains a Server Core installation of Windows Server 2008 on a computer named NutexCoreSrv1.
You want to create a daily backup schedule for NutexCoreSrv1. You want to ensure that only volumes that contain system
state data
are included in the backup. The backups should be able to viewed by all adminstrators in the network infrastructure.
Which three commands can you run? (Choose three. Each correct answer presents a complete solution.)
M|.Restart the domain controller in Directory Services Restore
Mode.
M|.Run the Net stop Adam_instance1
command.
M|.Run the Net stop Ntds
command.
M|.Use the Ntdsutil command with the appropriate parameters to defrag the
database.
M|.Run the Net start Adam_instance1
command.
M|.Run the Net start Ntds
command.
Answer:
Run the Net stop Adam_instance1 command.
Use the Ntdsutil command with the appropriate parameters to defrag the
database.
Run the Net start Adam_instance1 command.
Item: 87 (Ref:Cert-70-640.5.1.2)
M|.Wbadmin enable backup -
allCritical
include
addtarget
M|.Wbadmin start backup -
Page 90 of 173
Explanation:
Windows Server Backup is not installed by default on the Windows Server 2008 Core Edition or any other version of Windows
Server
2008. You must install type start /w ocsetup WindowsServerBackup to install the Windows Backup Utility. You must have the
Windows
Backup utility to use the Wbadmin command. You can either run the Wbadmin enable backup -allCritical command or the
Wbadmin
start backup -allCritical command. Wbadmin.exe is a command-line tool that allows you to back up and restore your
computer,
volume, and files from a command prompt. The Wbadmin enable backup command can be used to create a daily backup
schedule or
to modify an existing backup schedule. When this command is run without any parameters, it displays the currently scheduled
backup
settings. The -allCritical parameter ensures that all critical volumes that contain system state data are automatically included in
the
backup.
The Wbadmin start backup command is used to run a backup by using specified parameters. The -allCritical parameter
ensures that
all critical volumes that contain system state data are automatically included in the backup. You should use the -allCritical
parameter
with the Wbadmin start backup command only when the -backupTarget parameter is also specified. The -backupTarget
parameter
is used to specify the storage location for a backup.
You must have a backup available that contains the critical volumes of the server to recover to recovery the operating system of
your
server. You can recover the operating system of a failed computer by doing the following:
Insert the Setup media DVD into drive and turn on the computer.
From the Setup Wizard, click Repair your computer.
The Setup process will search the hard disk drives for an existing Windows installation and then display the results in the
System Recovery Options dialog box. Choose the Windows Installation to recover. Click Next.

Created: 18/04/2013
Version: 1.0
Document1
Page 71 of 133
On the System Recovery Options page, click Windows Complete PC Restore.
Choose one of the following options, and then click Next:
Restore the following backup (recommended)
Restore a different backup
Depending on the option you choose, you may be asked to provide more details about the backup you want to restore. Click
Next.
On the Choose how to restore the backup page, install any drivers that you need. Then choose one of the following options,
and click Next:
Format and repartition disks (to delete existing partitions and reformat the destination disks to be the same as the
backup)
Restore only system volumes
Click Exclude disks, and then check boxes for any disks that are needed for a system restore. Click Next.
Confirm the details for the restoration, and then click Finish.
You should not run the Wbadmin enable backup -include command or the Wbadmin start backup -include command
because the -
include parameter specifies a comma-delimited list of volume drive letters, volume mount points, or GUID-based volume names
to
include in the backup. To ensure that the system state data is backed up, you should use the -allCritical parameter.
You should not run the Wbadmin enable backup -addtarget command because the -addTarget parameter is used to specify
the
storage location for backups, and cannot be used to include the system state data in backups.
You should not run start /w ocsetup DFSR-Inrastructure-ServerEdition. This will install the Distributed File System
Replication
service. This service will not allow you to use the Wbadmin command to backup volumes.
include
M|.Wbadmin start backup -
allCritical
M|.start /w ocsetup
WindowsServerBackup
M|.start /w ocsetup DFSR-Inrastructure-
ServerEdition
Answer:
Wbadmin enable backup -allCritical
Wbadmin start backup -allCritical
start /w ocsetup
WindowsServerBackup
Page 91 of 173
You are the network administrator for Northern Corporation. The company's network contains servers that run Windows Server
2008.
The company's network consists of a single Active Directory domain.
You are creating audit policies using the Auditpol.exe command-line tool. You set up a per user audit policy. You now want to
set Full
Privilege Auditing.
Explanation:
You should run the auditpol /set /option:fullprivilegeauditing command to create a per user audit policy with Full Privilege
Auditing.
Auditpol.exe is a command-line tool used to set subcategories audit policy and per-user audit policy in Windows Server 2008.
In
Windows 2000 Server and Windows Server 2003, there is only one audit policy, called the Audit directory service access,
which
controls whether auditing for directory service events are enabled or disabled. However, in Windows Server 2008, the audit
policy is
divided into four subcategories:
Directory Service Access: Enables users to audit the event of a user accessing an Active Directory objects.
Directory Service Changes: Enables users to audit the event of changes that are made to an Active Directory objects, for
example, create, modify, and move.
Directory Service Replication: Enables users to audit Active Directory replication problems.
Detailed Directory Service Replication: Enables detailed tracking of Active Directory replication.
Each subcategory is independent for its own use. Since there is no Windows interface tool available in Windows Server 2008,
you can
use the Auditpol.exe command-line tool to view or set audit policy subcategories. For example, type the following command to
set the
per-user audit policy for all subcategories under the Detailed Tracking category to audit the user's successful attempts (the
name of
the user in this command is Amy):
Auditpol /set /user:amy /category:"Detailed Tracking" /include /success:enable
In the given command, the /user field indicates the name of the user, the /category field implies the audit category, the /include
field
states that the user's per-user policy will generate an audit even if the audit policy is not specified by a system audit policy, and
the /success field specifies success audit events to be audited.

Created: 18/04/2013
Version: 1.0
Document1
Page 72 of 133
You should not run the auditpol /set /category:fullprivilegeauditing command to create a per user audit policy with Full
Privilege
Auditing. The auditpol /set /category command is used to specify only the audit categories.
You should not run the auditpol /set /include:fullprivilegeauditing command to create a per user audit policy with Full
Privilege
Auditing. When you use the /include field with the /set command, it states that the user's per-user policy will generate an audit
log even
if the audit policy is not specified by a system audit policy.
You should not run auditpol /set /subcategory:fullprivilegeauditing command to create a per user audit policy with Full
Privilege
Auditing. The auditpol /set /subcategory command is used to specify only the audit subcategories.
You are an administrator of an Active Directory domain. All servers in the domain run Windows Server 2008, and all client
computers in
the domain run Windows XP Professional. All domain operations master roles are currently assigned to DC1, which is the first
domain
controller in the domain. DC1 is due for routine maintenance, and network users will not be able to access it for several hours.
There is
Item: 88 (Ref:Cert-70-640.4.7.4)
*'auditpol /set /category:fullprivilegeauditing
*'auditpol /set /option:fullprivilegeauditing
*'auditpol /set /include:fullprivilegeauditing
*'auditpol /set /subcategory:fullprivilegeauditing
Answer:
auditpol /set /option:fullprivilegeauditing
Item: 89 (Ref:Cert-70-640.2.6.7)
Page 92 of 173
another domain controller named DC2 in the domain.
Recently, your company has acquired another company. As a result, several thousand new user accounts must be created in
the
domain as soon as possible. You must comply with the server maintenance schedule and also ensure that another
administrator can
create the new user accounts at the same time that you will be performing maintenance on DC1. You want to take only the
minimum
steps that are necessary to attain these two goals.
Which of the following should you do? (Choose two. Each correct answer is part of the complete solution.)
Explanation:
All domain controllers in an Active Directory domain host the same domain directory partition. All instances of the domain
directory
partition are writeable; most types of changes to the domain directory partition can be made on any domain controller in the
domain.
However, certain types of changes are allowed only on one domain controller in the domain. In each domain, the infrastructure
master,
PDC emulator and RID master operations master roles can be assigned to the same domain controller or to different domain
controllers. Each operations master controls certain types of operations. The infrastructure master is responsible for updating
references from local objects to objects in other domains. The PDC emulator appears as a Windows NT primary domain
controller to
legacy client operating systems, such as Windows NT and Windows 9x/ME. The RID master assigns batches of relative IDs to
other
domain controllers, which in turn assign those IDs to new security principal objects that are being created in the domain.
The RID master does not have to be online when new user accounts are being created as long as the domain controller where
the user
accounts are being created has not exhausted its pool of available RIDs. In this scenario, a large number of RIDs will be
required in
order to create several thousand new user accounts. Therefore, you should transfer the RID master role to another domain
controller in
the domain in order to ensure that domain controllers do not run out of RIDs during the creation of new user accounts. To
transfer the
RID master role to DC2, you should connect to DC2 by using either Active Directory Users and Computers or the Ntdsutil
command-line tool and then initiate the transfer. Seizing is also referred to as forcing the transfer of an operations master role.
Seizing
an operations master role is an extreme measure that is possible only if the original operations master is unavailable. You
should not
seize the RID master role unless you are absolutely sure that the original RID master will never be brought back online. The
temporary
absence of a PDC emulator can be tolerated in this scenario because no computers in the domain run legacy operating
systems. The
temporary absence of the infrastructure master can also be tolerated because the scenario does not indicate that any relevant
activity,
such as renaming or moving user accounts or modifying group memberships, is expected to be performed during the next few
hours.
You are the network administrator of your company. You install Windows Server 2008 on all servers on the network. All client

Created: 18/04/2013
Version: 1.0
Document1
Page 73 of 133
computers are configured to run Windows Vista. You want to be able to use Advanced Encryption Standard (AES) with
Kerberos for
encryption of Ticket Granting Tickets (TGTs), service tickets, and session keys.
What is the minimum domain functional level that is required to support AES encryption with Kerberos?
M|.Connect to
DC1.
M|.Connect to
DC2.
M|.Transfer the infrastructure master role to
DC2.
M|.Seize the infrastructure master role and assign it to
DC2.
M|.Transfer the PDC emulator role to
DC2.
M|.Seize the PDC emulator role and assign it to
DC2.
M|.Transfer the RID master role to
DC2.
M|.Seize the RID master role and assign it to
DC2.
Answer:
Connect to DC2.
Transfer the RID master role to DC2.
Item: 90 (Ref:Cert-70-640.2.2.3)
*'Windows 2000 Server
Page 93 of 173
Explanation:
The option stating Windows Server 2008 is correct. AES is a National Institute of Standards and Technology specification for
the
encryption of electronic data. AES provides more secure encryption than its predecessor, Data Encryption Standard (DES). The
security enhancements in Windows Server 2008 and Windows Vista enable the use of AES encryption with Kerberos. This
means the
base Kerberos protocol in Windows Server 2008 and Windows Vista supports AES for encryption of Ticket Granting Tickets
(TGTs),
service tickets, and session keys. To be able to configure AES encryption with Kerberos, the domain functional level must be at
Windows Server 2008. To raise the domain functional level of a domain to Windows Server 2008, all domain controllers in the
domain
must be running Windows Server 2008.
The option stating Windows Server 2003, Windows 2000 Server mixed, and Windows 2000 Server native are incorrect because
to be
able to configure AES encryption with Kerberos, the domain functional level must be at Windows Server 2008.
You are responsible for administering your company's DNS servers. The corporate network consists of a single Active Directory
forest.
All DNS servers run Windows Server 2008. Lately, users have started to complain that they receive an unusually large number
of error
messages that indicate name resolution problems. You want to monitor DNS traffic, and you want to record and analyze
individual
queries.
Explanation:
On the Debug Logging tab of a DNS server's Properties sheet, you should select Log packets for debugging in order to
configure
the DNS server to begin capturing debug packet information. This information is stored in the DNS debug log, which is named
Dns.log.
The Dns.log file can be opened only when the DNS Server service is stopped. You can use debug logging to record queries,
transfers,
updates, and notifications. You can specify whether to record the information about incoming or outgoing DNS packets, DNS
requests
or responses, or DNS packets sent by using TCP or UDP. You can specify whether detailed information about each packet
must be
recorded, and you can specify whether packets must be filtered according to IP addresses.
On the Monitoring tab, you can configure a DNS server to perform two types of functionality testing. A simple query test verifies
whether individual records can be read from zone data on the server. A recursive test verifies whether the server can
communicate with
mixed
native
*'Windows Server
2003
*'Windows Server
2008

Created: 18/04/2013
Version: 1.0
Document1
Page 74 of 133
Answer:
Windows Server
2008
Item: 91 (Ref:Cert-70-640.1.2.3)
*'On the Monitoring tab of a DNS server's Properties sheet, specify the types of tests to run and an interval between
the
tests.
*'Enable logging on the Debug Logging tab of a DNS server's Properties
sheet.
*'Select the appropriate level of logging on the Event Logging tab of a DNS server's Properties
sheet.
*'In Performance Logs and Alerts, run a counter log to capture DNS-related
counters.
Answer:
Enable logging on the Debug Logging tab of a DNS server's Properties
sheet.
Page 94 of 173
Internet root DNS servers. Performing these tests, however, would not allow you to record and analyze individual queries and
meet the
requirements of the scenario.
On the Event Logging tab of a DNS server's Properties sheet, you can specify the types of events, such as errors and
warnings, to be
recorded in the DNS event log. Although event logging can provide useful information about possi ble problems, the DNS event
log
does not record individual queries.
A counter log in Performance Logs and Alerts can be used to gather quantitative, or performance, data; it cannot be used to
record and
analyze individual queries.
You are the systems administrator for your company. The company's network consists of a single Active Directory domain and
several
branch locations. All domain controllers run Windows Server 2008, and all client computers run Windows Vista. You have a
public key
infrastructure which contains a Windows Server 2008 computer, which is a subordinate enterprise Certification Authority (CA)
that
issues certificates on behalf of the root CA.
You want another Windows Server 2008 computer to manage and distribute the revocation status of certificates to clients
spread out in
different locations that connect via the Internet. What must you configure or install? (Choose three.)
Item: 92 (Ref:Cert-70-640.6.5.2)
M|.Install the Online Certificate Status protocol
(OCSP).
M|.Install the certification authority Web enrollment
service.
M|.Install the Microsoft Simple Certificate Enrollment Protocol
(MSCEP).
M|.Install
IIS.
M|.Install Sharepoint 3.0.
M|.Check the Include in the AIA extension of issued certificates and Include in the online certificate status
protocol (OCSP)
extension boxes on the Extensions tab of the subordinate enterprise CA.
Page 95 of 173
Explanation:
You should choose the following answers:
Install the Online Certificate Status protocol (OCSP).
Install IIS.
Check the Include in the AIA extension of issued certificates and Include in the online certificate status protocol
(OCSP)
extension boxes on the Extensions tab on the subordinate enterprise CA.
Online Responders can be used as an alternative to or an extension of certificate revocation lists (CRLs) to provide certification
revocation data to clients. In Windows Server 2008, you can use an Online Responder based on the Online Certificate Status
Protocol
(OSCP) to manage and distribute revocation status information in cases where the use of conventional CRLs is not an optimal
solution.
OCSP is a Hypertext Transfer Protocol (HTTP) that allows a relying party to submit a certificate status request to an OCSP
responder.
When the OSCP responder receives the request, a definitive, digitally signed response indicating the certificate status is
returned to the
client.

Created: 18/04/2013
Version: 1.0
Document1
Page 75 of 133
You should install the Online Certificate Status protocol on a Windows Server 2008 computer by using Server Manager.
Open Server Manager and choose Manage Roles.
Select Select Server Roles, check Active Directory Certificate Services, and click Next.
Check Online Certificate Status Protocol and click Next.
You will also be prompted to install the IIS role services. Click Add Required Role Services to install the required IIS
services,
and click Next.
On the Confirm Installation Options page, click Install.
Before configuring a CA to support the Online Responder service, you must ensure that the following conditions are met:
IIS must be installed on the computer before the Online Responder can be installed.
An OCSP Response Signing certificate template must be configured on the CA, and autoenrollment must be used to issue an
OCSP Response Signing certificate to the computer on which the Online Responder will be installed.
The URL for the Online Responder must be included in the AIA extension of certificates issued by the CA. This URL is used
by
the Online Responder client to validate certificate status.
You should not install Sharepoint 3.0. Sharepoint 3.0 is not a prerequisite for installing an Online Responder. You must have IIS
installed.
You should not install the Microsoft Simple Certificate Enrollment Protocol (MSCEP). MSCEP, referred to in some documents as
Network Device Enrollment Service (NDES), is the Microsoft implementation of SCEP, which was developed by Cisco Systems
Inc. to
support the secure, scalable issuance of certificates to network devices by using existing CAs. MSCEP is a communication
protocol
that allows software running on network devices, such as routers and switches, to enroll for X.509 certificates from a CA.
MSCEP is not
required to install an Online Responder.
You should not install the certification authority Web enrollment service on the Windows Server 2008 computer. The certificat ion
authority Web enrollment service allows users to enroll and receive certificates via HTTP or a browser. This service will not
allow you to
manage and distribute revocation status of certificates.
On the CA, you must have enabled both the Include in the AIA extension of issued certificates and the Include in the
online
certificate status protocol (OCSP) extension boxes on the Extensions tab of the subordinate enterprise CA.
To configure the CA Authority Information Access extension, perform the following actions:
Open the Certification Authority snap-in, right-click the name of the issuing CA, and then click Properties.
Click the Extensions tab.
In the Select extension list, click Authority Information Access (AIA) and then click Add.
In the dialog box, type the full URL of the Online Responder, which should be in the following form:
http : //<DNSServerName>/<vDir>. When installing the Online Responder, the default virtual directory used in IIS is
OCSP.
M|.Check the Include in the AIA extension of issued certificates box on the Extensions tab of the subordinate
enterprise
CA.
Answer:
Install the Online Certificate Status protocol (OCSP).
Install IIS.
Check the Include in the AIA extension of issued certificates and Include in the online certificate
status protocol (OCSP) extension boxes on the Extensions tab of the subordinate enterprise CA.
Page 96 of 173
Select the location from the Locations list.
Select the Include in the AIA extension of issued certificates and Include in the online certificate status protocol
(OCSP)
extension check boxes, and then click OK.
Page 97 of 173
You are the systems administrator for your company. The company's network consists of a single Active Directory domain. All
domain
controllers run Windows Server 2008, and all client computers run Windows Vista. You have a public key infrastructure that has
a
subordinate enterprise Certification Authority (CA), which issues certificates on behalf of the root CA.
You have a certificate template that allows users to autoenroll, and a group policy object that distributes the certificates to users.
All
users are able to automatically obtain certificates. You now want routers and other network devices are able to obtain
certificates from
the CA.
What should you do?
Explanation:
You should install the Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service. MSCEP, also referred to in some
documents as Network Device Enrollment Service (NDES), is the Microsoft implementation of SCEP, which was developed by
Cisco
Item: 93 (Ref:Cert-70-640.6.5.4)

Created: 18/04/2013
Version: 1.0
Document1
Page 76 of 133
*'Assign the routers and network devices the Autoenroll permission in a certificate
template.
*'Change the Publish Delta CRL to 1 hour so expired certificates for routers and network devices are published in
Active
Directory.
*'Install the Online Certificate Status Protocol (OCSP) role service for AD
CS.
*'Install the Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service for AD
CS.
Answer:
Install the Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service for AD
CS.
Page 98 of 173
Systems Inc. to support the secure, scalable issuance of certificates to network devices by using existing CAs. MSCEP is a
communication protocol that allows software running on network devices, such as routers and switches, to enroll for X.509
certificates
from a CA.
You should not install the Online Certificate Status Protocol (OSCP). OSCP is used by an online responder. Online Responders
can be
used as an alternative to or an extension of certificate revocation lists (CRLs) to provide certification revocation data to clients.
In
Windows Server 2008, you can use an Online Responder based on the Online Certificate Status Protocol (OSCP) to manage
and
distribute revocation status information in cases where the use of conventional CRLs is not an optimal solution. OCSP is a
Hypertext
Transfer Protocol (HTTP) that allows a relying party to submit a certificate status request to an OCSP responder. When the
OSCP
responder receives the request, a definitive, digitally signed response indicating the certificate status is returned to the client.
by
The OSCP will not help a network device such as a router receive a certificate.
You do not have to change the Publish Delta CRL setting. This setting, along with the Publish CRL Interval setting,
determines how
often a Certificate Revocation List (CRL) is published. The Publish Delta CRL setting determines how often changes to the
CRL are
published. CAs can have large numbers of certificate revocations that need to be downloaded by clients frequently. Clients can
instead
download the most current delta CRL, which has all the changes since the last base CRL was published via the Publish CRL
Interval
setting. The base CRL can become very large. To minimize frequent downloads of large CRLs, delta CRLs can be published.
Clients
can combine the downloaded delta CRL with the most current base CRL to have a complete list of revoked certificates. In this
scenario,
you should have the MSCEP role service installed to issue certificates to network devices.
You should not assign the routers and network devices the Autoenroll permission in a certificate template. You can only assign
Active
Directory objects permissions in a certificate template. A router or network device would not be an Active Directory object.
You are the network administrator of your company. The company's network consists of a single Active Directory domain. You
install
Windows Server 2008 on all servers on the network. You want to configure multiple password policies in the domain. To
achieve this,
you want to configure fine-grained password policies.
What is the minimum domain functional level that is required for configuring fine-grained policies?
Explanation:
The option stating Windows Server 2008 is correct. Windows Server 2008 allows you to define different password and account
lockout
policies for different sets of users in a domain. You can use fine-grained password policies to specify multiple password policies
within a
single domain. Fine-grained password policies apply only to user objects and global security groups. To configure fine-grained
password policies, the domain functional level must be Windows Server 2008. If you do not create fine-grained password
policies for
different sets of users, the Default Domain Policy settings apply to all users in the domain.
Item: 94 (Ref:Cert-70-640.4.6.5)
native
*'Windows Server 2003

Created: 18/04/2013
Version: 1.0
Document1
Page 77 of 133
mixed
*'Windows Server 2003
native
*'Windows Server
2008
Answer:
Windows Server
2008
Page 99 of 173
Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to
users
of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce
a finegrained
password policy. You can add users of the OU as members of the newly created shadow group, and then apply the finegrained
password policy to this shadow group.
The options stating Windows 2000 Server native, Windows Server 2003 mixed, and Windows Server 2003 native are incorrect.
To
configure fine-grained password policies, the domain functional level must be Windows Server 2008.
You are the network administrator for your company. The company's logical network design consists of a single Active Directory
domain. All servers run Windows Server 2008, and all client computers run Windows XP Professional with Service Pack 2. The
company has Active Directory sites configured as shown in the exhibit. (Click the Exhibit(s) button.)
On dc3, you create a new Group Policy object (GPO) named ExcelInstall. You configure the ExcelInstall GPO to assign
Microsoft
Excel to users who receive the policy settings. The GPO is then linked to the domain.
Users in Site2 report that the assigned software is not advertised on the Start menu. You verify that all users in Site2 are
receiving the
same result. However, users in Site1 report that Microsoft Excel is advertised from the Start menu.
You must ensure that all users in the domain have the ability to access the assigned software. Your solution should provide t he
least
amount of disruption to network users.
What should you do?
Explanation:
You should manually force replication between Site1 and Site2. The software is successfully distributed in the site where the
Group
Policy object (GPO) is assigned, but the settings are not being received by users in the remote site. This indicates that the
settings,
which for Software Installation policies are stored in both Active Directory and the SYSVOL folder, are not being replicated to
domain
controllers in the site.
Item: 95 (Ref:Cert-70-640.2.4.9)
*'Instruct all users in Site2 to restart their
computers.
*'From dc3, link the ExcelInstall GPO to the Site2
container.
*'From Site1, manually force replication between Site1 and
Site2.
*'Instruct all users in Site2 to run gpupdate from the command line on their
computers.
*'Modify the ExcelInstall GPO to publish the application to all computers in the
domain.
Answer:
From Site1, manually force replication between Site1 and
Site2.
Page 100 of 173
The Group Policy container is located in Active Directory, while Group Policy templates and scripts are stored in the SYSVOL
folder. If
changes are being made to GPOs and the new settings are not being applied to users or computers in remote sites, replication
could
be the problem. You can use Active Directory Sites and Services or Repadmin with the appropriate switches to force
replication. It is
important to remember that you cannot force replication of the SYSVOL folder. If the Group Policy Container in Acti ve Directory
and the
SYSVOL folder become unsynchronized, the Software Installation policy will be available to site clients, but the installation of
the
specified software will fail until the SYSVOL folder is replicated.
You can use the Repadmin tool in a batch file to force replication. This tool allows you to force replication with replication
partners. The
following example uses the replicate operation of the Repadmin tool to make a server named DC4 initiate replication of the
domain

Created: 18/04/2013
Version: 1.0
Document1
Page 78 of 133
directory partition for kaplanit.com from a server named DC2. In this example, DC2 is the source server and DC4 is the
destination
server:
repadmin /replicate dc4.kaplanit.com dc2.kaplanit.com dc=kaplanit,dc=com
You should not instruct all users in Site2 to restart their computers. Because the Software Installation policy settings are not
being
applied to all users in the site, a replication problem is indicated. Restarting all computers will be disruptive to network users and
is
unlikely to resolve the problem.
You should not link the ExcelInstall GPO to the Site2 container from dc3. This option will produce duplicate settings from the
domain
and site linkages and will still rely on replication for the software to be properly distributed.
You should not instruct all users in Site2 to run gpupdate from the command line on their computers. If the Software Installation
policy
settings are not being replicated, using gpupdate to reapply group policy settings will not provide the desired outcome.
You cannot modify the ExcelInstall GPO to publish the application to all computers in the domain. Using group policy, software
can be
published to users, assigned to users, or assigned to computers. You cannot publish software to computers.
You are the senior network administrator for your company, which has a main office in Portland and a branch office in Seattle.
The
company's network consists of a single Active Directory domain. You install Domain Name System (DNS) on a Windows Server
2008
computer in the main office, named DNS1, which contains the primary zone.
You install a new UNIX DNS server in the Seattle branch office. You are in the process of configuring DNS1 for interoperability
with the
UNIX DNS server. You are required to ensure that DNS1 is able to replicate DNS zones with the UNIX server in the branch
office.
To achieve this, you want to disable the fast zone transfer method on DNS1 so that DNS1 transfers only one record per packet
during
zone transfer.
What should you do?
Explanation:
You should enable Berkeley Internet Name Domain (BIND) secondaries on DNS1. Enabling the BIND secondaries option
disables the
fast zone transfer method on Windows Server 2008, which enables the server to make successful zone transfers to DNS
servers that
support BIND versions earlier than version 4.9.4.
Windows Server 2008 supports two types of zone file replication, namely full zone transfer (AXFR) and incremental zone
transfer
(IXFR). In AXFR, the entire zone file is replicated. In IXFR, only records that have been modified are replicated. Berkeley
Internet Name
Domain (BIND) version 4.9.3 and earlier DNS server software, such as UNIX DNS and Windows NT 4.0 DNS, only support full
zone
Item: 96 (Ref:Cert-70-640.1.3.6)
*'Configure DNS1 to use Windows Internet Name Service (WINS)
resolution.
*'Disable netmask ordering on
DNS1.
*'Configure the refresh interval on the Start of Authority (SOA) tab on the DNS1 properties sheet to one
hour.
*'Enable Berkeley Internet Name Domain (BIND) secondaries on
DNS1.
Answer:
Enable Berkeley Internet Name Domain (BIND) secondaries on
DNS1.
Page 101 of 173
transfers. There are two types of AXFR: one requires a single record per packet, and the other allows multiple records per
packet.
Windows Server 2008 DNS service supports both types of zone transfer and uses multiple records per packet by default.
Therefore, to
configure your Windows Server 2008 DNS server to successfully work and replicate with a UNIX DNS server, you should
disable the
fast zone transfer method by selecting the BIND secondaries option in the Server options list on the Advanced tab in the
properties
sheet for DNS1.
You should not configure DNS1 to use Windows Internet Name Service (WINS) resolution. Configuring a DNS server to use
WINS
resolution enables the DNS service to look up names that are not found in the DNS domain namespace by checking the
NetBIOS
namespace managed by WINS. Configuring DNS1 to use WINS resolution will not disable the fast zone transfer method on
DNS1.

Created: 18/04/2013
Version: 1.0
Document1
Page 79 of 133
You should not disable netmask ordering on DNS1. Netmask ordering allows you to use one host name for multiple IP
addresses.
Disabling netmask ordering will not disable the fast zone transfer method on DNS1.
You should not configure the refresh interval on the Start of Authority (SOA) tab on the Properties sheet of DNS1 to one hour.
The
refresh interval on the Start of Authority (SOA) tab determines how often the secondary server polls the primary server for
updates.
Configuring the refresh interval will not disable the fast zone transfer method on DNS1.
servers run Windows Server 2008 and all client computers run Windows XP Professional.
Users in the Sales department must use restricted desktops where certain features are disabled. You place all Sales users into
an
organizational unit (OU) named Sales, configure a Group Policy object (GPO) with the appropriate user policies that restrict
user
desktops, and link that GPO to the Sales OU. Later, several supervisors in the Sales department complain that they cannot
perform
some of their job-related tasks because the desktops on their computers are restricted. You must ensure that all Sales users,
except
supervisors, receive restricted desktops. The Sales supervisors should receive normal, unrestricted desktops.
Explanation:
For the policies that are configured in a GPO to take effect, the GPO must be linked to an Active Directory container, such as a
site,
domain, or OU. User-specific policies in a GPO apply to user objects, and computer-specific policies apply to computer objects
in those
Active Directory containers. By default, a GPO that is linked to a parent container also applies to all child containers of t hat
parent
container. If multiple GPOs apply to the same user or computer, then the GPOs that are linked to a higher-level container are
applied
before the GPOs that are linked to lower-level containers. If configured policy settings in multiple GPOs are in conflict, then the
settings
in the GPOs that are applied later will overwrite the settings that were applied earlier. Policies that are not configured in a GPO
are
ignored; they do not conflict with configured policies in other GPOs. The Block Policy inheritance option for a domain or OU
and the
Enforced option for a GPO link can be used to change the default order of GPO precedence. If Block Policy inheritance is
enabled
for a child container, then the GPOs that are linked to parent containers do not apply to that child container. If Enforced is
enabled for a
GPO link, then that GPO applies all the way down the hierarchy, even if Block Policy inheritance is enabled for any child
containers.
In this scenario, to prevent the GPO with desktop restriction policies from applying to the supervisors' user accounts, you can
create a
child OU in the Sales OU, place the supervisors' user accounts into the child OU, and enable Block Policy inheritance for the
child
OU. Another possible solution is to filter the scope of the GPO so that it would not apply to the supervisors' user accounts. To
filter the
scope of the GPO, you can create a group named Supervisors, add the supervisors' user accounts to that group, and assign
the Deny
- Apply Group Policy permission for the GPO to the Supervisors group. You should not assign the Allow - Apply Group
Policy
permission for the GPO to the Supervisors group. The Allow - Apply Group Policy permission for the GPO to the
Supervisors group
Item: 97 (Ref:Cert-70-640.4.3.9)
*'In the Sales OU, create a child OU and move the supervisors' user accounts into the child OU. Enable the Block
Policy
inheritance option for the child OU.
*'In the Sales OU, create a child OU and move the supervisors' user accounts into the child OU. Create a new GPO
where all
desktop restriction policies are set to Not configured and link that GPO to the child OU.
*'Filter the scope of the GPO, create a group named Supervisors, add the supervisors' user accounts to that group,
and assign the
Allow - Apply Group Policy permission for the GPO to the Supervisors group.
*'In the Sales OU, create a child OU and move the supervisors' user accounts into the child OU. Link the original
GPO where the
desktop restriction policies are configured to the child OU and enable the Enforced option for this link.
Answer:
In the Sales OU, create a child OU and move the supervisors' user accounts into the child OU. Enable the Block
Policy inheritance option for the child OU.
Page 102 of 173
would apply the restrictive desktop policy of the GPO.

Created: 18/04/2013
Version: 1.0
Document1
Page 80 of 133
If, in an attempt to override the original GPO that contains the configured desktop restriction policies, you created a GPO with
no
configured policies in it, then that new GPO would have no effect, regardless of the container to which it was linked and
regardless of
the Enforced option. Policies that are not configured do not conflict with configured policies in other GPOs. Linking the original
GPO
both to the Sales OU and to a child OU and enabling Enforced for the link to the child OU would not be feasible in this scenario
because all users in the Sales and child OUs would still be subject to the same desktop restrictions.
You are the network administrator for your company. The company has a main office and a branch office. All servers on the
network
run Windows Server 2008. Each office has its own Active Directory domain. The domain controller in the main office is named
DC1 and
the domain controller in the branch office is named DC2. Each office is configured as a separate Active Directory site.
You want to configure Active Directory replication between both the sites. Which tool or tools can you use to configure Active
Directory
replication between DC1 and DC2? (Choose all that apply. Each correct answer represents a complete solution.)
Explanation:
You can use the Active Directory Sites and Services snap-in or Repadmin.exe to configure Active Directory replication. The
Active
Directory Sites and Services snap-in runs on domain controllers and is installed automatically when you install Active Directory.
The
Active Directory Sites and Services snap-in provides a view into the Sites container of the configuration directory partition, and
can be
used to manage Active Directory replication topology.
Repadmin.exe is a command-line tool that can be used to view the replication information on domain controllers. By using the
Repadmin.exe tool, you can determine the last successful replication of all directory partitions, identify inbound and outbound
replication partners, view object metadata, manage Active Directory replication topology both for AD DS and AD LDS
replication, and
identify the current bridgehead servers. A bridgehead server is a domain controller in a site that has been either assigned or
automatically chosen, if not assigned, to replicate changes collected from other domain controllers in the site to bridgehead
servers in
other sites. You can also use the Repadmin.exe tool to force replication of an entire directory partition or a single object, and to
list
domain controllers in a site.
Ntdsutil.exe is also a command-line tool that provides management capabilities for Active Directory. You can use Ntdsutil.exe
to
remove replication metadata left behind by domain controllers that are removed from the network without uninstalling Active
Directory.
This ensures a smaller amount of data to replicate. You can also use Ntdsutil.exe to perform Active Directory database
maintenance
and to manage and control single-master operations. You cannot use Ntdsutil.exe to force a replication of Active Directory
data,
The options stating Active Directory Domains and Trusts, Ldp.exe, and Wbadmin.exe are incorrect because these tools cannot
be
used to configure Active Directory replication. Active Directory Domains and Trusts is a Microsoft Management Console (MMC)
snap-in
that can be used to create and manage trusts between domains and sites. Wbadmin.exe is a command-line tool that allows
you to
back up and restore your computer, volume, and files from a command prompt. The Ldp.exe tool is a Lightweight Directory
Access
Protocol (LDAP) tool that can be used to view and modify Active Directory Lightweight Directory Services (AD LDS) data.
Item: 98 (Ref:Cert-70-640.2.4.3)
M|.Active Directory Sites and
Services
M|.Active Directory Domains and
Trusts
M|.Repadmin.exe
M|.Ldp.exe
M|.Wbadmin.exe
M|.Ntdsutil.exe
Answer:
Active Directory Sites and
Services
Repadmin.exe
Page 103 of 173
You are the systems administrator of Verigon Corporation. The company has a single domain with a main office and five branch
offices.
Each office has its own Active Directory site in a single forest. Each site has a domain controller running Windows Server 2008,
and
each domain controller has DNS server with an Active Directory-integrated zone for the domain.

Created: 18/04/2013
Version: 1.0
Document1
Page 81 of 133
Several users from a branch office reported that they were unable to log on to several intranet Web servers. You investigated,
and
discovered that an A record had been created for the Web servers in the DNS server at the main office.
You now want to synchronize replication with all replication partners, while ensuring that all directory partitions that are held on
the DNS
server at the main office are synchronized with other domain controllers in the forest.
Explanation:
You should run the Repadmin /syncall command with /A parameter. You need to replicate the Active Directory zone from the
main
office to the other branch offices. The /A parameter ensures that all directory partitions that are held on the home server are
synchronized.
You should not run the Repadmin /syncall command with /P parameter. The /P parameter is used to push changes outward
from the
home server. Using the /P parameter in the Repadmin /syncall command will not ensure that all directory partitions that are
held on
the home server are synchronized.
You should not run the Repadmin /syncall command with /d parameter. The /d parameter is used to identify servers by
distinguished
name in messages. Using the /d parameter in the Repadmin /syncall command will not ensure that all directory partitions that
are held
on the affected domain controller are synchronized with other domain controllers in the forest.
You should not run the Repadmin /syncall command with /e parameter. The /e parameter ensures that replication partners in
all sites
are included in the replication synchronization. Using the /e parameter will not ensure that all directory partitions held on the
affected
domain controller are synchronized with other domain controllers in the forest.
Your corporate network consists of a single Active Directory domain that spans three sites, as shown in the following image:
Item: 99 (Ref:Cert-70-640.1.3.3)
*'Run the Repadmin /syncall command with /P
parameter.
*'Run the Repadmin /syncall command with /d parameter.
*'Run the Repadmin /syncall command with /e
parameter.
*'Run the Repadmin /syncall command with /A
parameter.
Answer:
Run the Repadmin /syncall command with /A
parameter.
Item: 100 (Ref:Cert-70-640.2.3.4)
Page 104 of 173
There are no domain controllers in Site1, and you want users in Site1 to log on by using domain controllers only from Site2.
Explanation:
If there are no domain controllers in a site, then the client computers in that site will send user logon requests to the sit e or sites
with the
lowest site link cost where domain controllers are available. To ensure that users in Site1 authenticate to domain controllers
only from
Site2 in this scenario, you can either reduce the cost of the site link between Site1 and Site2 or configure the client computers
in Site1
to belong to Site2. You should use Active Directory Sites and Services to reconfigure the subnet object that corresponds to
the IP
address range of the client computers in Site1 to belong to Site2. You can then delete Site1 altogether because, once you have
configured all its computers to belong to Site2, Site1 will be left empty. Only server objects for domain controllers can be
explicitly
moved between sites; computer objects for member servers and client computers cannot be moved between sites because their
site
affiliations are determined automatically based on their IP addresses. Computer objects for member servers and client
computers do
not appear in Active Directory Sites and Services.
You are the network administrator for your company. Your company's network has a single forest with three domains. All
domain
controllers in your forest run Windows Server 2008.
You will be expanding the personnel in one of your domains by an additional 200 users. You have created a spreadsheet with
the
properties of the new user accounts. You want to import the spreadsheet into Active Directory.
What should you do?
50.

Created: 18/04/2013
Version: 1.0
Document1
Page 82 of 133
150.
*'Configure the subnet object that corresponds to the IP address range of the client computers in Site1 to belong to
Site2.
*'Move the computer objects for the client computers from Site1 to
Site2.
Answer:
Configure the subnet object that corresponds to the IP address range of the client computers in
Site1 to belong to Site2.
Item: 101 (Ref:Cert-70-640.4.1.1)
*'Run CSVDE to import the accounts and REPADMIN to replicate the accounts to the other domain
controllers.
*'Export the spreadsheet to a comma delimited text file. Use Active Directory Users and Computers to import the file
into the
appropriate domain. Use REPADMIN to replicate the accounts to the other domain controllers.
Page 105 of 173
Explanation:
You should use CSVDE to import the accounts. The CSVDE utility can be used to import a comma-delimited file in Active
Directory.
However, this utility can be used to import only new objects; it cannot be used to modify existing objects. The LDIFDE utility can
be
used to import new or modified objects in Active Directory. However, LDIFDE does not use comma-delimited or tab-delimited
files; it
uses a special file format named the LDAP directory interchange file (LDIF).
You cannot use Active Directory Users and Computers to import accounts from a file.
You should use REPADMIN to force replication of the newly imported accounts to other domain controllers. You can use either
the
Repadmin or Replmon command-line tools to manually force the replication of a specific directory partition to other domain
controllers.
You cannot use RSDIAG to force replication of the newly imported accounts to other domain controllers. This tool is a
command-line
tool that examines Remote Storage (HSM) databases and displays diagnostic information in text format about migration jobs,
managed
volumes of the version of the NTFS file system used in Windows Server 2003, and physical media, as well as other Remote
Storage
information used for system analysis. RSDIAG does not replicate Active Directory information.
You are a network administrator for your company. The network consists of a single Active Directory domai n that contains five
Windows
Server 2008 computers, 500 Windows Vista computers, and 250 Windows XP Professional computers. The network includes an
internal DNS server named DNS1INT and an external DNS server named DNS1Ext. DNS1Ext hosts only the records for your
company's Web, FTP, and mail servers. These servers handle a high volume of connections from both intranet and Internet
sources
and are configured with static IP addresses.
Multiple secondary DNS servers are being deployed on the external segment of the network to improve name resolution
performance
for Internet-based users. You monitor the newly deployed servers by using System Monitor and notice that the Transfer SOA
Requests Sent value is high. You want to minimize the bandwidth required for the zone transfer SOA requests sent by all
secondary
DNS servers. You also want to ensure that only authorized servers can receive copies of this zone file.
What modifications should you perform on DNSExt1? (Choose two. Each correct answer presents part of the solution.)
*'Export the spreadsheet to a comma delimited text file. Use Active Directory Users and Computers to import the file
into the
appropriate domain. Use RSDIAG to replicate the accounts to the other domain controllers.
*'Run CSVDE to import the accounts and RSDIAG to replicate the accounts to the other domain
controllers.
Answer:
Run CSVDE to import the accounts and REPADMIN to replicate the accounts to the other domain
controllers.
Item: 102 (Ref:Cert-70-640.1.3.1)
M|.Disable dynamic
updates.
M|.Increase the time to live for the SOA
record.
M|.Decrease the time to live for the SOA
record.
M|.Increase the value of the Refresh interval in the SOA
record.
M|.Decrease the value of the Refresh interval in the SOA
record.
M|.Configure the notify list to include the secondary DNS
servers.

Created: 18/04/2013
Version: 1.0
Document1
Page 83 of 133
Answer:
Increase the value of the Refresh interval in the SOA record.
Configure the notify list to include the secondary DNS
servers.
Page 106 of 173
Explanation:
Zone transfers are always initiated by requests sent by secondary DNS servers. These requests typically occur when the DNS
Service
on the secondary server is started, when the refresh interval expires, and when new changes are made and saved in the
primary zone
file. To ensure that the primary DNS server, which hosts the primary zone file, will only respond to zone file transfer requests
from
authorized DNS servers, you should configure the notify list on DNS1Ext to include all authorized secondary DNS servers. You
can
also reduce the number of requests sent by increasing the value of the Refresh interval in the start of authority (SOA) record.
Increasing the value of the Refresh interval in the SOA record will cause the secondary DNS servers to request updates less
frequently, resulting in a decrease in network traffic. However, decreasing this value ensures that the DNS data is updated more
frequently, and could possibly result in an increase in network traffic for the transfer of SOA records.
You should not disable dynamic updates on DNSExt1. Dynamic DNS (DDNS) updates allow DNS clients to automatically
register their
host (A) and PTR records in the master zone file. This feature should not be enabled on an externally placed DNS server. The
status of
this service will have no effect on zone file transfer behavior.
You should not increase or decrease the TTL for the SOA record on DNSExt1. A DNS server caches a query result for a
specified
amount of time, called the time to live (TTL). A longer TTL will increase the time that records, such as the SOA record, are
allowed to
be cached by servers and applications. Increasing the TTL will decrease network traffic associated with DNS queries. However,
this
setting will have no effect on zone file transfer behavior.
You should not decrease the value of the Refresh interval in the SOA record on DNSExt1. Decreasing this value ensures that
the DNS
data is updated more frequently, and could result in an increase in network traffic for the transfer of SOA records.
You are the network administrator for you company. The company has a head office in Atlanta and a branch office in Boston.
The head
office network consists of Windows Server 2008 domain controllers and the branch office network consists of Windows Server
2003
domain controllers. The branch office has 45 users that are member of a single organizational unit (OU).
The branch office is connected to the head office by using a low bandwidth connection. To ensure efficient user log on to the
domain,
you plan to enable universal group membership caching.
On which Active Directory object should you enable the universal group membership caching?
Explanation:
You should enable the universal group membership caching in the branch office site. Universal group membership caching
should be
enabled in a site that is connected by a low bandwidth connection or that has hardware limitations on the DC such as low hard
disk
space that prohibits installing the global catalog. Enabling universal membership caching provides efficient user log on in
situations of
low or no network bandwidth. If you install a Windows Server 2008 read-only domain controller (RODC) in a branch office,
universal
group membership caching is enabled by default for that site.
You should not enable universal group membership caching in the OU, the domain or the hub site. Universal group membership
caching should only be enabled on a site that is connected to a hub site via low network bandwidth or i n sites that have less
than 100
users. This ensures efficient user log on to the domain.
Item: 103 (Ref:Cert-70-640.2.5.1)
*'OU
*'domain
*'hub
site
*'branch office
site
Answer:
branch office
site
Page 107 of 173

Created: 18/04/2013
Version: 1.0
Document1
Page 84 of 133
You are the network administrator for a company that manufactures cricket equipment and sports apparel. Your company's
network has
a single domain with several different locations. All domain controllers run Windows Server 2008 and the functional level of the
domain
is Windows Server 2008.
You want a file server in main office, called FS1, to collect all replication errors and warnings from all domain controllers at the
main
office and other locations. What should you do? (Choose two.)
Explanation:
You should start the Windows Event Collector Service on FS1 and configure its start mode to Automatic, and start the Windows
Remote Management (WinRM) service on all domain controllers and configure its start mode to Automatic. The Windows Event
Collector service manages persistent subscriptions to events from remote sources, such as the domain controllers in the main
offices
and other locations, that support WS-Management protocol. These events include Windows Vista event logs, hardware events,
and
IPMI-enabled event sources. The service stores forwarded events in a local Event Log. The Window Event Collector service's
start
mode should be set to Automatic because if this service is stopped or disabled, event subscriptions cannot be created and
forwarded
events cannot be accepted.
You should start the Windows Remote Management (WinRM) service on FS1 and configure its start mode to Automatic. The
Windows
Remote Management (WinRM) service implements a standard Web services protocol called WS-Management that is used for
software
and hardware management. The WinRM service provides access to WMI data and enables event collection. For event
collection and
subscription to events to function, the service must be running. The WinRM service needs to be configured with a listener using
either
the winrm.cmd command-line tool or Group Policy in order for it to listen over the network.
You do not have to start the Windows Error Reporting service and configure its start mode to Automatic. This service is started
automatically. The Error Reporting service allows errors to be reported to Microsoft when programs stop working or responding,
and
allows existing solutions to be delivered. It also allows logs to be generated for diagnostic and repair services. Although this
service is
important for general functioning, it is not required to forward events.
You should not install the Network Monitor service on FS1 or install the Network Monitor Agent service on the domain
controllers. The
Network Monitor service and Network Monitor Agent service allow you to capture packets and analyze traffic. You cannot use
Network
Monitor to collect replication errors.
You can configure an event subscription in the Event Viewer. Right click on Subscriptions and choose Create subscription. In
the
subscription Properties dialog box, you can specify the computers from which logs should be collected, and define what events
to
collect.
Item: 104 (Ref:Cert-70-640.5.3.1)
M|.On all domain controllers, start the Windows Error Reporting service and configure its start mode to
Automatic.
M|.On FS1, start the Windows Event Collector service and configure its start mode to
Automatic.
M|.On all domain controllers, start the Windows Remote Management (WinRM) service and configure its start mode to
Automatic.
M|.On FS1, install and start the Network Monitor
service.
M|.On all domain controllers, install and start the Network Monitor Agent
service.
Answer:
On FS1, start the Windows Event Collector service and configure its start mode to Automatic.
On all domain controllers, start the Windows Remote Management (WinRM) service and configure its start mode to
Automatic.
Page 108 of 173
You are the systems administrator of your company. The company's network consists of a single Active Directory domain. There
are
1,000 client computers on the network that run Windows Vista. Each department has its own Organizational Unit (OU) in the
domain
that contains users and computers for the department.
You want to change the computer names for 150 client computers in the Sales department without altering the computers'
location in
the directory tree.
Which command-line tool can you use?
Explanation:

Created: 18/04/2013
Version: 1.0
Document1
Page 85 of 133
You should use the Dsmove command-line tool to rename an object without altering its location in the directory tree. Dsmove is
a
command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD
DS) or
Active Directory Lightweight Directory Services (AD LDS) server roles installed. Dsmove can be used to move a single object,
within a
domain, from its current location in the directory to a new location, or to rename a single object without moving it in the directory
tree.
The option stating Dsmod is incorrect. The Dsmod command-line utility can be used to modify attributes of Active Directory
objects.
However, Dsmod cannot be used to rename an object without altering its location in the directory tree.
Item: 105 (Ref:Cert-70-640.4.2.9)
*'Dsmod
*'Dsmove
*'Dsadd
*'Dsrm
Answer:
Dsmove
Page 109 of 173
The option stating Dsadd is incorrect. The Dsadd command-line utility can be used to add objects to Active Directory. You
cannot use
Dsadd to rename an object without altering its location in the directory tree.
The option stating Dsrm is incorrect. The Dsrm utility is used to delete objects from the directory. You cannot use Dsrm to
rename an
object without altering its location in the directory tree.
You are the network administrator for Verigon Corporation. The company has a single domain. You have a main office in
Houston and
branch offices in Atlanta and Chicago. The main office has a DNS server named DNS1 with the IP address 10.10.10.101. The
Atlanta
office has a DNS server named DNS2 with the IP address 10.10.15.112. The Chicago office has a DNS server named DNS3
with the
IP address 10.10.20.78. The DNS configuration of the Atlanta office server, DNS2, is displayed in the exhibit. (Click on the
Exhibit(s)
button.)
You employ several contractors in the Atlanta office who use portable computers. The contractors need access to shares on
different
servers and to several intranet resources. The portable computers are generating host records in the zone, and these records
are now
showing up on the DNS servers in other offices in the company. You want to ensure that only computers from the Verigon
domain
create records in the zone.
What should you configure on DNS2?
70-640.1.1a
Item: 106 (Ref:Cert-70-640.1.1.1)
*'Allow zone transfers to only the servers listed on the Name Servers
tab.
*'Allow zone transfers to only the IP address of
10.10.10.101.
*'Change dynamic updates to Secure
Only.
*'Change the replication scope to All DNS servers in the
forest.
Answer:
Change dynamic updates to Secure
Only.
Page 110 of 173
70-640.1.1b
Explanation:
You should configure the zone to allow only dynamic updates that are Secure Only. In this scenario, contractors in the branch
office
are able to add records to the zone because the Dynamic Updates setting is set to Nonsecure and Secure. This configuration
allows
non-domain computers to add records to the zone. An Active Directory zone allows you to have secure dynamic updates and
non-
Page 111 of 173
secure dynamic updates. Secure dynamic updates only allow computers that are members of the domain to add host (A)
records in a

Created: 18/04/2013
Version: 1.0
Document1
Page 86 of 133
forward lookup zone or PTR records in a reverse lookup zone. By selecting Secure Only in the Dynamic Updates field of the
verigon.com Properties dialog box, you can configure secure dynamic updates.
You do not have to configure the Allow zone transfers setting to prevent the contractors from adding records into the zone.
The Allow
zone transfers setting can be used to restrict zone transfers to secondary servers and prevent people outside your company
from
viewing zone information with commands such as NSLOOKUP. You can restrict zone transfers to specific DNS servers by
enabling the
Allow zone transfers check box on the Zone Transfers tab, choosing Only to the following servers, and adding the specific
IP
addresses of those DNS servers. You can also restrict zone transfers to DNS servers listed on the Name Servers tab.
Restricting zone
transfers will not prevent computers that are not members of the domain, such as the contractors' computers, from adding
records to
the zone.
You should not change the replication scope to All DNS servers in the forest. This setting will replicate zone data to all DNS
servers
running on domain controllers in the Active Directory forest. If you want DNS servers running on domain controllers with the
Windows
2000 Server operating system to load an Active Directory zone, you must set the Replication scope type on the General tab to
All
domain controllers in the Active Directory domain. None of the replication scope settings will prevent computers that are not
part of
the domain from adding records to the zone.
You are a network administrator for TXGlobal Corporation. There are three file servers in the network, named File-1, File-2, and
File-3,
that run Windows Server 2003. All file servers are connected to the domain, named txglobal.com. The domain controller is
running
You install a new application on all three file servers. After the installation, the File-1 server restarts at random. You fix the
problem by
uninstalling and reinstalling the new application. However, you want to track all restart events on the client computers and all the
files
that users are accessing on the three file servers.
What should you do?
Explanation:
You should activate Audit system events and Audit object access policies to track restart events and file access on the three
file
servers in this scenario. These two audit policies perform the following roles:
Audit system events policy: Audits events related to a computer restart or shutdown.
Audit object access policy: Audits when a user accesses an object. The objects include files, folders, printers, registry keys,
and Active Directory objects.
You can configure these audit policies in Group Policy Object (GPO) settings either in the Graphical User Interface (GUI) mode
or by
using the Auditpol.exe command-line utility. The GPO must be linked to the appropriate organizational unit (OU) after you
create the
audit policy.
You should not activate Audit logon events and Audit privilege use policies to achieve the objectives in this scenario. These
two
policies perform the following roles:
Audit logon events policy: Audits each event related to a user logging on to, logging off from, or making a network
connection
to the computer configured to audit logon events.
Audit privilege use policy: Audits each event related to a user performing a task that is controlled by a User Rights
Assignment
Item: 107 (Ref:Cert-70-640.4.7.7)
*'Activate Audit system events and Audit object access
policies.
*'Activate Audit logon events and Audit privilege use policies.
*'Activate Audit policy change and Audit account management
policies.
*'Activate Audit process tracking and Audit account logon events
policies.
Answer:
Activate Audit system events and Audit object access
policies.
Page 112 of 173
in group policy.
You should not activate Audit policy change and Audit account management policies to achieve the objectives in this
scenario.
These two policies perform the following roles:

Created: 18/04/2013
Version: 1.0
Document1
Page 87 of 133
An Audit policy change policy: Audits events related to a change to one of the three policy areas on a computer. These
policy
areas include:
User Rights Assignment
Audit Policies
Trust relationships
An Audit account management policy: Audits events related to a user managing an account, such as user, group, or
computer.
You should not activate Audit process tracking and Audit account logon events policies to achieve the objectives in this
scenario.
These two policies perform the following roles:
Audit process tracking policy: Audits the events that are related to processes on the computer, such as program activation,
process exit, handle duplication, and indirect object access.
Audit logon events policy: Audits the events that are related to a user logging on to, logging off from, or making a network
connection to the computer configured to audit logon events.
You are the systems administrator for the Windows Server 2008 computers on your company's network. The network contains
an
Active Directory Federation Services (AD FS) server. The AD FS server is configured to provide Web-based Single Sign-On
(SSO)
capabilities to users in a partner organization.
You want to create a claims-aware application to verify which claims are sent in AD FS security tokens by the Federation
Service.
Which three files should you create for the claims-aware application? (Choose three. Each correct answer represents part of the
solution.)
Explanation:
You should create the Default.aspx, Web.config, and Default.aspx.cs files. AD FS is an identity access solution that allows
browserbased
clients to access one or more protected Internet-facing applications without being prompted for secondary credentials, even if
the
user accounts and applications are located in completely different networks or organizations. In any given federation
relationship, the
business partners can either be identified as a resource organization or an account organization. The account organization is
the one
that owns and manages the user accounts. The resource organization is the one that owns and manages resources that are
accessible
from the Internet. Users from the account organization access AD FS-enabled applications in the resource organization. AD FS
provides a Web-based SSO solution that authenticates users to multiple Web applications during a single browser session.
When you
install AD FS, you configure its trust policy by using the AD FS snap-in to specify the list of partners with which you want to
federate.
AD FS supports three types of claims: organization or identity claims, group claims, and custom claims. Claims are statements
about
users that are carried within security tokens and are used by Web applications to make authorization decisions. Claims originate
from
either an account store or an account partner. To verify which claims are sent in AD FS security tokens by the Federation
Service, you
should create a claims-aware application. A claims-aware application is a Microsoft ASP.NET application that uses claims in an
AD FS
security token to make authorization decisions and provide additional application personalization. The claims-aware application
is made
up of the following three files:
Item: 108 (Ref:Cert-70-640.3.4.3)
M|.Default.aspx
M|.ApplicationHost.config
M|.Web.config
M|.Metabase.xml
M|.Default.aspx.cs
Answer:
Default.aspx
Web.config
Default.aspx.cs
Page 113 of 173
default.aspx
web.config
default.aspx.cs
The options stating ApplicationHost.config and Metabase.xml are incorrect because these files are not required to create a
claimsaware
application.
You are the network administrator for a new company. You deploy Windows Server 2008 and Windows Vista computers on the
company network. You configure Active Directory Domain Services (AD DS) to manage users and other network resources.

Created: 18/04/2013
Version: 1.0
Document1
Page 88 of 133
You want to set an audit policy to audit any user who accesses an Active Directory object. Which audit policy should you
enable?
Explanation:
You should enable the Directory Service Access policy to ensure that a user accessing an Active Directory object is audited.
Windows
Server 2008 retains the global Audit directory service access policy from Windows Server 2003, but also adds the following four
subcategories
of AD DS auditing:
Directory Service Access: Audits the event of a user accessing an Active Directory object.
Directory Service Changes: Provides the ability to audit changes to Active Directory objects, such as create, modify, move,
and
undelete operations that are performed on an Active Directory object.
Directory Service Replication: Audits the replication of computer and user accounts and other Active Directory objects from
one
domain controller to other domain controllers of the same domain, providing enterprise-wide authentication.
Detailed Directory Service Replication: Audits the replication of specified computer and user accounts and other Active
Directory
objects from one domain controller to other domain controllers of the same domain.
To view or set these audit policy sub-categories, you should use the AUDITPOL.EXE command-line tool. This tool allows you to
modify, enable, or disable the audit policies.
You should not enable the Audit object access policy to ensure that the event of a user accessing an Active Directory object is
audited. Enabling the Audit object access policy will audit the event of a user accessing an object such as a file, folder, registry
key, or
printer. This policy does not audit the event of a user accessing an Active Directory object.
You should not enable the Audit system events policy to ensure that the event of a user accessing an Active Directory object
is
audited. Enabling the Audit system events policy will ensure that auditing is enabled for system events such as a computer
restart or
shutdown, or events that affect either the system security or the security log. You cannot enable this policy to audit the event of
a user
accessing an Active Directory object.
You should not enable the Directory Service Changes policy to ensure that the event of a user accessing an Active Directory
object is
audited. The Directory Service Changes policy audits change operations to Active Directory objects, such as file modifications
or
undeletions.
Item: 109 (Ref:Cert-70-640.4.7.5)
*'Enable the Audit object access
policy
*'Enable the Audit system events
policy
*'Enable the Directory Service Access
policy
*'Enable the Directory Service Changes
policy
Answer:
Enable the Directory Service Access
policy
Page 114 of 173
You are the network administrator of the Nutex corporation. You install Windows Server 2008 on all servers in the network. You
are in
the process of configuring a Domain Name System (DNS) server on a server named DNS1 to provide name resolution services
to
users. You are required to ensure that the following:
The DNS zone contains only entries for computers that are members of the domain.
The DNS zone should not contain any stale records
What should you configure on the zone to achieve these objectives? (Choose two. Each correct answer represents a complete
solution.)
Explanation:
You should create a Primary Zone and Store the zone in Active Directory. You should also configure the aging/scavenging
properties
on the zone. You can create either a primary zone or an Active Directory-integrated zone to configure aging and scavenging.
You must
have the zone be stored in Active Directory to force secure dynamic updates. When secure dynamic updates is configured on a
zone
only computers that are members of the domain can create a host (A) record in the zone.
Aging and scavenging is a DNS mechanism for performing cleanup and removal of stale records, which can accumulate in zone
data
over time. Aging and scavenging of stale records are available when you deploy a DNS server with primary zones. Records are
automatically added to zones when computers start up on the network if you have configured dynamic updates. However, in
some

Created: 18/04/2013
Version: 1.0
Document1
Page 89 of 133
cases, they are not automatically removed when computers leave the network. When you configure aging and scavenging, DNS
servers can determine that records have aged to the point of becoming stale and remove them from the zone data.
You can begin scavenging stale resource records immediately even if you have not configured the aging and scavenging
feature. To do
this, right-click the DNS server node in the DNS Manager snap-in and click the Scavenge Stale Resource Records option. To
configure aging and scavenging settings for all DNS zones on a DNS server, right-click the DNS server node in the DNS
Manager
snap-in and click the Set Aging/Scavenging for All Zones option. To enable automatic scavenging of stale records on a DNS
server,
select the Enable automatic scavenging of stale records option on the Advanced tab in the Properties dialog box of the DNS
server.
You should not create a Stub Zone and store the zone in Active Directory. A stub zone is used to store the name server (NS)
records
and host (A) records of DNS servers that host a zone. The records are used to identify which DNS server is authoritative for that
zone.
A stub zone only creates (A) records for the DNS servers that are authoritative for that zone and does not create (A) records for
any
other computers.
You should not create a Secondary Zone and store the zone in Active Directory. A secondary zone is a read only copy of
another zone.
You cannot store a Secondary Zone in Active Directory.
You should not create a secondary zone or stub zone because the aging and scavenging features are available when you
deploy your
server with primary zones. You can configure aging and scavenging for Active Directory-integrated zones because only primary
zones
can be directory-integrated zones.
You should not ensure that all domain computers are members of DnsUpdate Proxy group. This group allows DNS clients to
perform a
Item: 110 (Ref:Cert-70-640.1.1.3)
M|.Create a Primary Zone and store the zone in Active
Directory
M|.Create a Stub Zone and store the zone in Active
Directory
M|.Create a Secondary Zone and store the zone in Active
Directory
M|.Set aging/scavenging properties on the
zone
M|.Ensure that all domain computers are members of DnsUpdate Proxy
group
Answer:
Create a Primary Zone and store the zone in Active
Directory
Set aging/scavenging properties on the zone
Page 115 of 173
dynamic update for a computer that is not a member of the domain such as a DHCP server or a Web server. This group will not
scavenge state records either.
Your company consists of a central office and five branch offices. All servers on the network run Windows Server 2008. The
corporate
network consists of a single Active Directory forest with a functional level of Windows Server 2008. A separate domain and a
separate
site exist for each office. Each office has a department named Marketing.
All employees in the Marketing departments should be allowed access to a shared folder named Products, which is located on
a file
server in the forest root domain. You must provide employees in the Marketing departments in each office with access to the
Products
shared folder.
What should you do?
Item: 111 (Ref:Cert-70-640.4.2.7)
*'In each domain, create a global security group named Marketing and add the user accounts of employees in the
Marketing
department to this group. Create a domain local distribution group named MktgPermissions in the forest root domain, assign
the
appropriate permissions for the Products folder to the MktgPermissions group, and add all of the Marketing global groups to
the
MktgPermissions group.
*'In each domain, create a global security group named Marketing and add the user accounts of employees in the
Marketing
department to this group. Create a domain local security group named MktgPermissions in the forest root domain, assign the
the

Created: 18/04/2013
Version: 1.0
Document1
Page 90 of 133
*'In each domain, create a global distribution group named Marketing and add the user accounts of employees in the
Marketing
department to this group. Create a domain local security group named MktgPermissions in the forest root domain, assign the
the
*'In each domain, create a global distribution group named Marketing and add the user accounts of employees in the
Marketing
department to this group. Create a domain local distribution group named MktgPermissions in the forest root domain, assign
the
the
Page 116 of 173
Explanation:
To streamline the administration of user access rights, you should add users to security groups and assign permissions to the
security
groups rather than to individual user accounts. One possible strategy is to use global security groups for organizing user
accounts that
reside in the same domain and must be assigned the same permissions. You can put those global security groups into
appropriate
domain local security groups and assign permissions to the domain local security groups. In this scenario, you should do the
following:
1. In each domain, create a global security group named Marketing.
2. Add the user accounts of employees in the Marketing department of the domain to Marketing.
3. Create a domain local security group named MktgPermissions in the forest root domain.
4. Assign the appropriate permissions for the Products folder to the MktgPermissions group.
5. Add all the Marketing global groups to the MktgPermissions group.
Distribution groups can be used by Active Directory-aware messaging applications, such as Exchange Server 2007, to send e-
mail
messages to multiple users simultaneously. Unlike security groups, distribution groups are not security principals and, therefore,
cannot
be assigned permissions explicitly or implicitly through membership in other groups. Therefore, you cannot use distribution
groups to
provide users with access to resources.
You are a network administrator for your company. Your corporate network consists of a single Active Directory forest. (Click on
the
Exhibit(s) button.)
The network is fully routed; all computers in the forest can communicate with each other. However, you notice that certain
changes to
Active Directory do not replicate between Site1 and Site3. You must correct the problem.
Answer:
In each domain, create a global security group named Marketing and add the user accounts of employees in the
Marketing department to this group. Create a domain local security group named MktgPermissions in the forest root
domain, assign the appropriate permissions for the Products folder to the MktgPermissions group, and add all of the
Marketing global groups to the MktgPermissions group.
Item: 112 (Ref:Cert-70-640.2.4.13)
*'Enable bridging of the site
links.
*'Reduce the costs of the site
links.
*'Designate dc2.domain2.com as a preferred bridgehead
server.
*'Reconfigure the IP addressing scheme so that computers in Site1 and Site3 will belong to the same IP
subnet.
Answer:
Enable bridging of the site
links.
Page 117 of 173
Explanation:
The domain controllers in Site1 and Site3 belong to a different domain from the domain controllers in Site2. Therefore, changes
to the
domain1.com domain directory partition are not replicated between Site1 and Site2 and between Site2 and Site3. To enable
replication of the domain1.com partition between Site1 and Site3, you should enable bridging of the existing site links. You can
either
enable bridging of all site links or create the necessary bridges manually. By default, all site links are bridged, but it appears that
in this

Created: 18/04/2013
Version: 1.0
Document1
Page 91 of 133
scenario bridging has been disabled. A bridge between two site links that have at least one site in common enables transitive
connectivity through the common site or sites. Bridging will work only if physical connectivity exists between the sites that are
included
in the bridged site links. In this scenario, bridging will work because the network is fully routed; that is, computers in each site
can
communicate with computers in any other site.
Site link costs are values that represent the relative preference of the site links that form a topology with alternative paths
between the
same destinations. The site links in this scenario do not provide alternative replication paths. Therefore, reducing the cost s of
the
existing site links would not result in any changes in the functionality of Active Directory replication. The dc2.domain2.com
domain
controller does not host the domain1.com domain directory partition; therefore, it cannot participate in replication of that
partition with
domain controllers in Site1 and Site3, even if you designate it as a preferred bridgehead server. Networks in Site1 and Site3
probably
cannot belong to the same IP subnet because Site1 and Site3 are connected through routers that are located in Site2.
Furthermore,
the scenario does not indicate that the existing IP addressing scheme is invalid or that there are any network connectivity
problems.
You are a network administrator for your company. The corporate network consists of a single Active Directory domain where al l
servers run Windows Server 2008 and all client computers run Windows XP Professional. Five member servers run Terminal
Server.
All terminal servers are located in an organizational unit (OU) named TS.
Sales users require a custom database application to maintain sales information. The application includes a native Windows
Installer
package. User accounts of all Sales personnel are located in the OU named Sales. You are planning to use a Group Policy
object
(GPO) to deploy the database application to Sales users on the terminal servers.
Item: 113 (Ref:Cert-70-640.4.5.2)
*'In the User Configuration folder in the GPO, define a software installation policy that assigns the application; link
the GPO to the
TS OU.
*'In the User Configuration folder in the GPO, define a software installation policy that publishes the application; link
the GPO to
the Sales OU.
*'In the Computer Configuration folder in the GPO, define a software installation policy that assigns the application;
link the GPO
to the Sales OU.
*'In the Computer Configuration folder in the GPO, define a software installation policy that assigns the application;
link the GPO
to the TS OU.
Answer:
In the Computer Configuration folder in the GPO, define a software installation policy that assigns the application;
link the GPO to the TS OU.
Page 118 of 173
Explanation:
To deploy software by using GPOs, you can define a software installation policy in the User Configuration folder in order to
assign or
publish the software to users, and you can define a software installation policy in the Computer Configuration folder in order to
assign
the software to computers. There are special considerations for deploying programs to Terminal Server users because each
application
that is installed on a terminal server becomes available to all Terminal Server users. To function correctly in a multi -session
environment, applications must be installed and configured in a specific manner. The preferred method to correctly install an
application
on a terminal server is to install it locally by using Add or Remove Programs in Control Panel. If you want to use a GPO to
deploy an
application to multiple terminal servers, then you should assign the application to computers, rather than users.
If you assigned the application to users and linked the GPO to the TS OU, which contains only computers, or if you assigned the
application to computers and linked the GPO to the Sales OU, which contains only users, then the GPO would have no effect
because
user-specific policies apply only to users, and computer-specific policies apply only to computers. Additionally, it is not
recommended
that applications that are to be used on terminal servers be assigned to users. The applications that are assigned to users might
not be
correctly configured to function properly in a multi-session environment.
You cannot deploy an application to terminal servers by publishing the applications in GPOs; Terminal Server does not support
published applications.

Created: 18/04/2013
Version: 1.0
Document1
Page 92 of 133
You administer your company's network. The network consists of a single Active Directory domain. All servers run Windows
Server
2008, and all client computers run Windows Vista. The company's written security policy stipulates that employees must use
certificates
for remote access and secure e-mail. Only designated administrators are authorized to approve users' requests for certificates,
issue
certificates, and revoke certificates.
You install Certificate Services on several servers and configure them as enterprise certification authorities (CAs). You must
assign the
appropriate privileges to the designated administrators in accordance with the company policy.
Explanation:
Windows Server 2008 Certificate Services supports role-based administration. Each role is associated with specific permissions
or user
rights. Members of the Certificate Manager role can issue, approve, deny, renew and revoke certificates. They can also
retrieve
archived private keys to binary files for subsequent key recovery. To assign the designated administrators to the Certificate
Manager
role, you should assign them the Allow - Issue and Manager Certificates for each CA. This permission allows a user to
approve
certificate enrollment and revocation requests. By default, the Enterprise Admins, Domain Admins and local Administrators
groups
are assigned the Allow - Manage CA permission for CAs. This permission provides membership in the CA Administrator role,
which
enables its members to control other users' permissions for the CAs. To fully comply with company policy, you should enable
role
separation for each CA in order to ensure that CA Administrators cannot assign themselves to the Certificate Manager role. If
role
separation is enabled for a CA, then a user can perform the tasks that are associated with only one role on that CA. If a user is
accidentally or intentionally assigned to more than one role on a CA, then that user cannot perform any tasks on that CA.
A certificate that is based on the Enrollment Agent certificate template enables a user to request certificates on behalf of other
users.
Generally, enrollment agents are not authorized to approve certificate requests, to revoke certificates or perform other tasks that
are
associated with the Certificate Manager role. The Allow - Enroll permission for a certificate template enables a user to request
a
certificate that is based on that template. By default, the Domain Users group is assigned this permission for most templates on
all
Item: 114 (Ref:Cert-70-640.6.1.3)
*'Issue an Enrollment Agent certificate to each designated
administrator.
*'Assign the designated administrators to the Certificate Manager role on each
CA.
*'Assign the Allow - Enroll permission for each certificate template to the designated
administrators.
*'Assign the Allow - Write permission for each CA to the designated
administrators.
Answer:
Assign the designated administrators to the Certificate Manager role on each
CA.
Page 119 of 173
enterprise CAs in their domain.
The available permissions for a CA are Read, Issue and Manage Certificates, Manage CA and Request Certificates. There
is no
Write permission for a CA. The Allow - Manage CA permission provides limited write access to a CA database.
You are the systems administrator for your company. The company's network consists of a single Active Directory domain. You
install
Active Directory Certificate Services (AD CS) on a computer running Windows Server 2008. The AD CS server is configured as
an
enterprise certification authority (CA).
You want another computer to be an Online Responder to provide certification revocation data to clients. You install the IIS and
the
Online Responder service on a Windows Server 2008 server. You test the Online Responder, but the Online Responder fails.
What must do to ensure the Online Responder works correctly? (Choose two.)
Explanation:
Configure an Online Certificate Status Protocol (OCSP) Response Signing certificate template on the CA.
Include the Uniform Resource Locator (URL) for the Online Responder in the Authority Information Access (AIA) extension of
certificates issued by the CA.
The error is occurring because the CA has not been fully configured to support an Online Responder. Before configuring a CA
to

Created: 18/04/2013
Version: 1.0
Document1
Page 93 of 133
support the Online Responder service, you must ensure that the following conditions are met:
by
You should not install the Microsoft Simple Certificate Enrollment Protocol (MSCEP). MSCEP, referred to in some documents as
Network Device Enrollment Service (NDES), is the Microsoft implementation of SCEP, which was developed by Cisco Systems
Inc. to
support the secure, scalable issuance of certificates to network devices by using existing CAs. MSCEP is a communication
protocol
that allows software running on network devices, such as routers and switches, to enroll for X.509 certificates from a CA.
Installing
MSCEP is not a requirement for configuring an Online Responder.
You should not add the Windows Server 2008 server to the Certificate Publishers group. Certificate Publishers is a global
group that
includes all computers that are running an enterprise certificate authority. Certificate publishers are authorized to publish
certificates for
user objects in Active Directory. Adding the Online Responder to the Certificate Publishers group will not allow the Online
Responder
to publish a CRL.
Item: 115 (Ref:Cert-70-640.6.5.3)
M|.Add the Windows Server 2008 server to the Certificate Publishers
group.
M|.Install Microsoft Simple Certificate Enrollment Protocol (MSCEP) on the
server.
M|.Configure an Online Certificate Status Protocol (OCSP) Response Signing certificate template on the
CA.
M|.Include the Uniform Resource Locator (URL) for the Online Responder in the Authority Information Access (AIA)
extension of
M|.Lower the Publish Delta CRL and the Publish CRL Interval settings on the CA so that expired certificates are
published in Active
Directory.
Answer:
Include the Uniform Resource Locator (URL) for the Online Responder in the Authority Information Access (AIA)
extension of certificates issued by the CA.
Page 120 of 173
You do not have to change the Publish Delta CRL setting or the Publish CRL Interval setting on the CA. The Publish Delta
CRL
setting determines how often changes to the Certificate Revocation List (CRL) are published. CAs can have lots of certificate
revocations and will need to be downloaded by clients frequently. Clients can download the most current delta CRL, which
contains all
the changes from the last base CRL that was published via the Publish CRL Interval setting. The base CRL can become very
large.
To minimize the frequent downloads of large CRLs, delta CRLs can be published and clients can combine the downloaded delta
CRL
with the most current base CRL to create a complete list of revoked certificates. In this scenario, the error is occurring because
the CA
has not been fully configured to support an Online Responder.
You are the network administrator for your company. Your company has a single Active Directory domain with over 700 user
accounts
and 800 computer accounts. You have a main office and three branch offices. Each office is configured as its own Active
Directory site.
You will be opening another branch office in a new city. The new branch office will only have a dozen people. You want to add a
readonly
domain controller (RODC) in the new branch. You only want the accounts used by the people in the new branch office to be
cached on the RODC.
What must you do?
Explanation:
You should add the dozen accounts in the branch office to a Password Replication Policy in the allowed list and add all other
accounts
in the company to the denied list. The Password Replication Policy determines if an RODC should be allowed to cache a
password.
The Password Replication Policy lists the accounts that are permitted to be cached, and the accounts that are explicitly deni ed
from
being cached. The Password Replication Policy is configured and enforced on a writable domain controller. For example, to
prevent the

Created: 18/04/2013
Version: 1.0
Document1
Page 94 of 133
Administrator password from replicating from the main office to the branch office RODC, a Password Replication Policy would
need to
be implemented on the DC in the main office. This would prevent the password from replicating to the RODC in the branch
office.
You should not add the dozen accounts to a Global group and change permissions on the Global group to not replicate
passwords.
There is no property on a Global group or an account to allow the user to cache his/her password on an RODC.
You should not configure the Account is sensitive and cannot be delegated setting on each of the accounts in the branch
office. This
setting allows control over a user account that is designed to be a guest or temporary account. This option can be used if this
account
cannot be assigned for delegation by another account. This setting will not allow the user to cache his/her password on an
RODC.
You should not create a GPO that allows the accounts to be cached and apply it to the site that has the new branch office.
Although
you can link a GPO at the site level in Active Directory, you cannot configure a user account to cache his/her password on an
RODC.
You can only do this via a Password Replication Policy configured on a writable domain controller.
You are a network administrator for your company. The company's network consists of a single Active Directory domain that
contains
servers running Windows Server 2008.
A server named File1 is configured as a file server. Users who access File1 server report that some important files are missing
and
Item: 116 (Ref:Cert-70-640.3.3.5)
*'Add the dozen accounts to a Global group and change permissions on the Global group to not replicate
passwords.
*'On each of the accounts in the branch office, set Account is sensitive and cannot be
delegated.
*'Add the dozen accounts in the branch office to a Password Replication Policy in the allowed list, and add all other
accounts in the
company to the denied list.
*'Create a GPO that allows the accounts to be cached and apply it to the site that has the new branch
office.
Answer:
Add the dozen accounts in the branch office to a Password Replication Policy in the allowed list, and add all other
accounts in the company to the denied list.
Item: 117 (Ref:Cert-70-640.5.3.3)
Page 121 of 173
some files have been misused. You want to track all logon attempts made to the File1 server.
What should you do?
Explanation:
You should implement an Audit logon events policy to achieve the objective in this scenario. An Audit logon events policy will
audit
each event related to a user logging on to, logging off from, or making a network connection. You can configure the Audit logon
events policy in Group Policy Object (GPO) settings either in Graphical User Interface (GUI) mode or by using the Auditpol.exe
command-line utility.
To access group policy and configure an Audit logon events policy on a domain controller, perform the following steps:
1. Click the Start button, type gpedit.msc in the Run dialog box, and press the Enter key. This will open the group policy
window.
2. Under Group Policy menu, scroll down to the following node: Computer Configuration\Security Settings\Local
3. In the right pane, right-click Audit logon events and click Properties.
5. After configuring an Audit policy, link the GPO to the appropriate organizational unit (OU) and enable the appropriate user
permissions.
You should not implement an Audit system events policy to achieve the objective in this scenario. Enabling an Audit system
events
policy will only audit those events which are related to a computer restart or shutdown.
You should not implement an Audit privilege use policy to achieve the objective in this scenario. Enabling an Audit privilege
use
policy will only audit events related to a user performing a task that is controlled by a User Rights Assignment in group pol icy.
You should not implement an Audit account logon events policy to achieve the objective in this scenario. Enabling an Audit
account
logon events policy will only audit the events when a user is logging on or off the domain.
You are the network administrator of your company. The company has a main office and a branch office. You want to configure
Distributed File System (DFS) Replication on the network.
Which requirements should you follow to be able to deploy DFS Replication? (Choose two. Each correct answer represents part
of the
solution.)
*'Implement an Audit system events
policy.

Created: 18/04/2013
Version: 1.0
Document1
Page 95 of 133
*'Implement an Audit privilege use
policy.
*'Implement an Audit account logon events
policy.
*'Implement an Audit logon events
policy.
Answer:
Implement an Audit logon events
policy.
Item: 118 (Ref:Cert-70-640.2.4.2)
M|.Ensure that members of the replication group are running operating system version Windows Server 2003 or
higher.
M|.Install the File Services role with the DFS Replication role service on all servers that will act as members of a
replication
group.
M|.Install the DFS Management snap-in to manage replication on a server running Windows Server 2008 or a Server
Core installation
of Windows Server 2008.
M|.Ensure that all servers in a replication group are located in the same
forest.
Page 122 of 173
Explanation:
You should install the File Services role with the DFS Replication role service on all servers that will act as members of a
replication
group, and ensure that all servers in a replication group are located in the same forest. DFS Replication is a new, state-based,
multimaster replication engine that supports replication scheduling and bandwidth throttling. DFS Replication is the successor of
the
File Replication service (FRS) that was introduced in the Windows 2000 Server operating system. DFS Replication uses several
processes to keep data synchronized on multiple servers. Before you can deploy DFS Replication, you must configure your
server as
follows:
Extend the Active Directory Domain Services (AD DS) schema to include Windows Server 2003 R2 or Windows Server 2008
schema additions.
Ensure that all members of the replication group are running Windows Server 2008 or Windows Server 2003 R2.
Install the File Services role with the DFS Replication role service on all servers that will act as members of a replication group.
Install the DFS Management snap-in on a server to manage replication. The server on which you install the DFS Management
snap-in cannot run a Server Core installation of Windows Server 2008.
Ensure that your antivirus software is compatible with DFS Replication.
Ensure that all servers in a replication group are located in the same forest. You cannot enable replication across servers i n
different forests.
Store replicated folders on NTFS volumes.
The options stating ensure that members of the replication group are running Windows Server 2003 or higher operating system
version
incorrect because members of the replication group must be running Windows Server 2003 R2 or Windows Server 2008.
The options stating install the DFS Management snap-in to manage replication on a server running Windows Server 2008 or a
Server
Core installation of Windows Server 2008 is incorrect. The server on which you install the DFS Management snap-in cannot run
a
Server Core installation of Windows Server 2008.
You are the network administrator for your company. Your company's network has a single forest with three domains. All
domain
controllers in your forest are Windows Server 2008. Each domain is configured to be a separate site.
Recently the telephone company has changed the telephone number of a department in the location of one of your company's
domains. There are 55 accounts that are affected by the telephone number change. You need to change the telephone number
property in the 55 different accounts.
You want to perform the update as quickly as possible. What should you do?
Answer:
Install the File Services role with the DFS Replication role service on all servers that will act as members of a
replication group.
Ensure that all servers in a replication group are located in the same forest.
Item: 119 (Ref:Cert-70-640.4.1.2)
*'Use CSVDE to export the 55 accounts to a CSV file. Change the telephone number and use CSVDE to import the
accounts.
*'In Active Directory Users and Computers, select Find from the Action menu and create a LDAP query that will
return the 55 user
accounts. Select all of the user accounts returned by the query and simultaneously modify the telephone number in their
accounts'
properties.
*'Create a saved LDAP query that will return user accounts of the 55 user accounts. Export the results to a tab-
delimited file, modify
the expiration date in the file and use the LDIFDE utility to import the file into Active Directory.

Created: 18/04/2013
Version: 1.0
Document1
Page 96 of 133
*'In Active Directory Users and Computers, select Find from the Action menu and create a LDAP query that will
return the 55 user
accounts. Export the results to a comma-delimited file, modify the expiration date in the file and use the CSVDE utility to import
the
file into Active Directory.
Answer:
In Active Directory Users and Computers, select Find from the Action menu and create a LDAP query that will return
the 55 user accounts. Select all of the user accounts returned by the query and simultaneously modify the telephone
number in their accounts' properties.
Page 123 of 173
Explanation:
You should create a LDAP query in Active Directory Users and Computers by selecting Find from the Action menu and
creating a
LDAP query that will return the 55 user accounts. You can then select the user accounts returned by the query and
simultaneously
modify the telephone number in their accounts' properties. This method will allow you to easily update the telephone number
property
on the 55 user accounts.
In Active Directory Users and Computers, you can select the domain node, select Find from the Action menu, and specify the
same
LDAP query that will return the 55 user accounts. However, you can only modify properties of the returned accounts individually;
the
Properties command is unavailable for a selection if multiple accounts are selected. Also, you cannot export the results of that
query.
You can only export the results of a saved query to a comma-delimited or tab-delimited text file. That file can be edited in any
text
editor. The CSVDE utility can be used to import a comma-delimited file in Active Directory. However, this utility can only be used
to
import new objects; it cannot be used to modify existing objects.
The LDIFDE utility can be used to import new or modified objects in Active Directory. However, LDIFDE does not use comma-
delimited
or tab-delimited files; it uses a special file format named the LDAP directory interchange file (LDIF).
You are the systems administrator for your company, which has a main office and one additional branch office. The company's
network
consists of a single Active Directory forest. The network contains servers running Windows Server 2008 and Windows Server
2003.
You install a domain controller running Windows Server 2008 in the main office. You are required to install a read-only domain
controller (RODC) in the branch office. You want to enable the RODC to replicate the Domain Name system (DNS) partition.
Which two steps should you perform? (Choose all that apply. Each answer is part of a single solution.)
Explanation:
You should copy the contents of the \source\adprep folder on the Windows Server 2008 installation DVD to the schema master
and
run the Adprep /rodcprep command before installing the RODC. Before deploying an RODC, you must ensure that the forest
functional level is Windows Server 2003 so that linked-value replication is available. You must copy the contents of the
\source\adprep
folder on the Windows Server 2008 installation DVD to the schema master and then run the Adprep /rodcprep command
before
installing the first RODC. This step is required to enable RODC to replicate DNS partitions. If you are creating a new forest that
has only
Windows Server 2008 domain controllers, then this step is not required.
An RODC is a new type of domain controller in Windows Server 2008 that hosts read-only partitions of the Active Directory
database.
An RODC holds all the Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds,
except
for account passwords. RODCs provide various new functionalities, such as credential caching, unidirectional replication, and
the
Filtered Partial Attribute Set, which can be used to mitigate problems related to physical security, network bandwidth, and so on.
The
Filtered Partial Attribute Set is also referred to as the Read-Only Partial Attribute Set. Credential caching is the storage of user
or
computer credentials. You can configure the Password Replication Policy on a writable domain controller to specify if an RODC
should
be allowed to cache a password. A Filtered Partial Attribute Set is a set of attributes that you can configure in the schema to
ensure that
these attributes are not replicated to an RODC. Configuring the Filtered Partial Attribute Set is useful when you want to prevent
Item: 120 (Ref:Cert-70-640.3.3.7)
M|.Run the Adprep /domainprep command in the
domain.
M|.Copy the contents of the \source\adprep folder on the Windows Server 2008 installation DVD to the schema
master.
M|.Run the Adprep /rodcprep command before installing the

Created: 18/04/2013
Version: 1.0
Document1
Page 97 of 133
RODC.
M|.Run the Adprep /rodcprep command after installing the
RODC.
Answer:
Copy the contents of the \source\adprep folder on the Windows Server 2008 installation DVD to the schema
master.
Run the Adprep /rodcprep command before installing the RODC.
Page 124 of 173
replication of sensitive information.
You should not run the Adprep /domainprep command in the domain. This command is required when the RODC will also be a
global
catalog server. When you run the adprep /domainprep command in all domains, the RODC can replicate global catalog data
from all
domains in the forest and then advertise as a global catalog server. Running the Adprep /domainprep command is not
required to
enable RODC to replicate Domain Name system (DNS) partition.
You should not run the Adprep /rodcprep command after installing the RODC. The Adprep /rodcprep command must be run
before
installing the first RODC.
You are the network administrator for your company. The company has a main office and a branch office. The servers on the
company's network run Windows Server 2008. The main office has its own Active Directory domain.
You upgrade a member server in the branch office to a domain controller. Users report that their client computers take a long
time to
log on to the domain. You investigate and discover that the Service (SRV) Records for the domain controller are not registered
in the
DNS zone of the branch office domain. Which service should you restart on the domain controller to re-register the SRV records
of the
domain controller in the DNS zone?
Explanation:
You should restart the Netlogon service. The SRV records of a domain controller in the domain play an important role in Active
Directory. Active Directory cannot work without a DNS server. The DNS server in Active Directory is used to locate domain
controllers
in the forest or domain with the help of SRV records. When you promote a member server to a domain controller, the SRV
records are
registered specifically for domain controllers. The Netlogon service on domain controller is responsible for registering SRV
records. If
the SRV records for a domain controller are not registered in the DNS server, you can re-register them by restarting the
Netlogon
service on the domain controller.
You should not restart the DNS Client service, DNS Server service, or the Server service because these services are not
responsible
for registering SRV records on the domain controller.
You are the systems administrator for your company. All servers on the network run Windows Server 2008. You install Active
Directory
Domain Services (AD DS) on a server named DC1. The AD DS database contains information about all the resources in the
domain.
Over time, you discover that Active Directory searches have become slow. You investigate and discover that DC1 is running low
on
disk space. You decide to perform an offline defragmentation of the Active Directory database. You are concerned about the
amount of
free disk space that is required to perform the offline defragmentation. You decide to free some disk space on DC1 to ensure
that offline
defragmentation is completed successfully.
What is the minimum amount of disk space that you should free up on DC1 to successfully perform the offline defragmentation
locally
on DC1?
Item: 121 (Ref:Cert-70-640.1.2.7)
*'the DNS Client
service
*'the DNS Server service
*'the Netlogon
service
*'the Server
service
Answer:
the Netlogon
service
Item: 122 (Ref:Cert-70-640.5.2.4)
*'Five percent (5%) of the current size of the AD DS
database

Created: 18/04/2013
Version: 1.0
Document1
Page 98 of 133
Page 125 of 173
Explanation:
You should free up at least 15 percent (15%) of the current size of the AD DS database to perform a local offline
defragmentation. In
Windows Server 2008, you can perform offline defragmentation of an AD DS database by stopping the AD DS service,
performing the
offline defragmentation with the Ntdsutil.exe utility, and restarting the AD DS service. Ntdsutil.exe is a command-line tool that
provides management facilities for Active Directory directory services. The Ntdsutil.exe tool can be used to perform AD DS
database
maintenance, to manage and control single master operations, and to remove metadata left behind by domain controllers that
were
remove from the network without being properly uninstalled. Follow these steps to perform offline defragmentation of AD DS
database:
1. Run the Compact to command at the Ntdsutil file maintenance prompt. This command creates a compacted copy of the
Ntds.dit file at the location specified in the Compact to command.
2. Delete all of the log files in the log directory by typing the Del drive:\pathToLogFiles\*.log command.
3. Manually copy the compacted database file to its original location.
4. Perform the integrity check on the database.
5. Restart the AD DS service.
To perform offline defragmentation of AD DS database by compacting the database file locally on the domain controller, you
should
have free disk space equal to at least 15 percent of the current size of the AD DS database. Therefore the options stating that
you
require 5% or 10% of the current database size are both incorrect because they are insufficient.
The option stating that you require an amount of free disk space equivalent to the current size of the AD DS database is
incorrect,
because this amount of free disk space is required when you compact the AD DS database on a remote computer. In this
scenario, you
want to perform the offline defragmentation locally on DC1. Therefore, you should free up 15 percent of the current size of the
AD DS
database.
You are the network administrator of your company. You install Windows Server 2008 on all servers on the network. The
company's
network consists of a single Active Directory domain with the Windows Server 2008 domain functional level. You want to
configure
multiple password policies in the domain. To achieve this, you want to configure fine-grained password policies.
Which group membership will you require for configuring fine-grained policies?
Explanation:
*'10 percent (10%) of the current size of the AD DS
database
*'15 percent (15%) of the current size of the AD DS
database
*'Equivalent to the current size of the AD DS database
(100%)
Answer:
15 percent (15%) of the current size of the AD DS
database
Item: 123 (Ref:Cert-70-640.4.6.4)
*'Enterprise Admins
group
*'Domain Admins
group
*'Schema Admins
group
*'Local Administrators group on the domain
controller
Answer:
Domain Admins
group
Page 126 of 173
By default, only members of the Domain Admins group can set fine-grained password policies. Windows Server 2008 allows
you to
define different password and account lockout policies for different sets of users in a domain. You can use fine-grained
password
policies to specify multiple password policies within a single domain. Fine-grained password policies apply only to user objects
and
global security groups. To configure fine-grained password policies, the domain functional level must be Windows Server 2008.
If you

Created: 18/04/2013
Version: 1.0
Document1
Page 99 of 133
do not create fine-grained password policies for different sets of users, the Default Domain Policy settings apply to all users in
the
domain.
users
a finegrained
password policy. You can add users of the OU as members of the newly created shadow group, and then apply the finegrained
The options stating Enterprise Admins group, Schema Admins group, and local Administrators group on the domain
controller are
incorrect because only members of the Domain Admins group can set fine-grained password policies by default.
Explanation:
When you perform offline defragmentation of the directory database file, a new compacted version of the database file is
created in a
different location. In Windows Server 2008, you can perform offline defragmentation of the AD DS directory database by
stopping the
AD DS service, performing the offline defragmentation, and starting the AD DS service. To perform an offline defragmentation of
the AD
DS database, you should first stop the AD DS service. The Restartable AD DS feature in Windows Server 2008 allows you to
perform
tasks, such as offline defragmentation of the AD DS database, without restarting the domain controller in Directory Services
Restore
Mode. You should run the Compact to command at the Ntdsutil file maintenance prompt. This command creates a
compacted copy
of the Ntds.ditfile at the location specified in the Compact to command. You can specify a folder on the local computer or a
shared
folder on a remote computer in the Compact to command. If defragmentation completes successfully, you should delete all of
the log
files in the log directory by typing the Del drive:\pathToLogFiles\*.log command. You should then manually copy the
compacted
database file to its original location. After copying the compacted Ntds.dit file to its original location, you should perform the
integrity
check on the database. If the integrity check succeeds, you can restart the AD DS service.
Item: 124 (Ref:Cert-70-640.5.1.7)
You are the network administrator for your company. All servers on the network run Windows Server 2008. A server named
DC1 is
configured as a domain controller. You have configured a scheduled backup to be performed every day on DC1.
Some users report that searching resources in Active Directory takes a considerable amount of time. To resolve this problem,
you
plan to perform an offline defragmentation of the Active Directory database. What are the steps you should take? (To answer,
choose
the appropriate steps on the left and arrange them in correct order on the right. It may not be necessary to use all the steps
provided.)
Page 127 of 173
You should not restart the server in Directory Services Restore Mode because it is not required in Windows Server 2008. The
Restartable AD DS feature in Windows Server 2008 allows you to perform an offline defragmentation of the AD DS database
without
restarting the domain controller in Directory Services Restore Mode.
You should perform the following steps in this order to perform an offline defragmentation of AD DS in Windows Server 2008:
You are the administrator of your company. Your company's network has a single forest with one Active Directory domain. All of
the
domain controllers run Windows Server 2008. You have two SQL 2005 Server instances running on a server that is installed
with
You attempt to install Active Directory Rights Management Services (AD RMS) for the first time on a server that runs Windows
Server
2008. Your account is has permissions to install AD RMS.
You receive the following error:
" AD RMS is unable to validate the database name during installation."
What could have caused the error?
Item: 125 (Ref:Cert-70-640.3.2.3)
*'The AD RMS is already installed on a domain
controller.
*'The SQL 2005 Server and the AD RMS server are installed on the same
server.
*'The SQL Browser Service for the SQL 2005 Server that contains the database failed to
start.
*'The SQL Agent Service for the SQL 2005 Server that contains the database failed to
start.
Answer:

Created: 18/04/2013
Version: 1.0
Document1
Page 100 of 133
Page 128 of 173
Explanation:
The error was caused because the SQL Browser Service for the SQL Server that contains the database failed to start. During
AD RMS
installation, you recieved the error message " AD RMS is unable to validate the database name during installation."
because you
cannot validate the AD RMS database. First you should check if the SQL Server service for the SQL instance is started. If the
SQL
Server service is not started, you will not be able to connect to the database. You can type one of the following commands to
start the
SQL Server service:
net start "SQL Server ( instancename )"
-ornet
start MSSQL$ instancename
Once you have verified that the SQL Server service is started, you should ensure that the SQL Browser service is running on
the
database server. If the SQL Browser service is not running, other services, such as AD RMS, may not see the SQL Server
instance.
The error was not caused because the AD RMS was installed on a domain controller. AD RMS should be installed on a member
server.
The error was caused because the AD RMS cannot recognize the SQL Server.
The error was not caused because the SQL Server and the AD RMS server are installed on the same server. Although you
should
separate the SQL Server and the AD RMS server for performance reasons, this will not cause the error you received. The error
was
caused because the AD RMS cannot recognize the SQL Server.
The error was not caused because the SQL Agent Service for the SQL Server that contains the database failed to start. The
SQL Agent
service is important to the SQL Server. The Agent service controls jobs and alerts for the SQL Server and it should be started.
However, the failure of the SQL Agent service to start will not cause the database from being accessed. In this scenario, it could
have
been caused by the SQL Server service for the instance failing to start, or it could have been caused by the SQL Browser
service for
the instance failing to start.
The SQL Browser Service for the SQL 2005 Server that contains the database failed to
start.
Item: 126 (Ref:Cert-70-640.5.1.6)
You are the systems administrator for your company. The company's network consists of a single Active Directory domain. All
servers
on the network run Windows Server 2003, and a server named DC1 is configured as a domain controller.
A help desk technician in the branch office accidentally deletes an Organizational Unit (OU) that contains several user accounts.
You
want to perform an authoritative restore of AD DS on DC1.
What should you do? (To answer, choose the appropriate steps on the left and arrange them in correct order in the answer area
on
the right.)
Page 129 of 173
Explanation:
You should perform the following actions to accomplish an authoritative restore on a Windows Server 2008 domain controller:
An authoritative restore process returns a designated object or container of objects to its state at the time of the backup. When
you
restore a domain controller from backup, the normal or nonauthoritative restore process does not restore the inadvertently
deleted OU.
This is because after the restore process, the restored domain controller is updated to the current status of its replication
partners,
which deleted the OU. Therefore, recovering the deleted OU requires an authoritative restore. An authoritative restore marks the
OU as
authoritative and causes the replication process to restore it to all the domain controllers in the domain. To perform an
authoritative
restore of AD DS, you must first boot your domain controller in Directory Services Restore Mode (DSRM). You must type in the
DSRM
password to log in. Then, you must complete a nonauthoritative restore. Replication will not occur after the nonauthoritative
restore
because the AD DS is stopped After the nonauthoritative restore is finished, do not restart the domain controller because you do
not
want to replicate the information yet. You should perform the authoritative restore at the domain controller that you are restoring
by
using the ntdsutil authoritative restore command to mark an object or objects as authoritative. After performing the
authoritative

Created: 18/04/2013
Version: 1.0
Document1
Page 101 of 133
restore of AD DS, you should start the domain controller normally and synchronize replication with all replication partners.
You should not stop the AD DS service because this will not allow you to perform an authoritative restore of AD DS. To perform
an
authoritative restore of AD DS, you must complete a nonauthoritative restore, which requires restarting the domain controller in
Directory Services Restore Mode. If the server were Windows Server 2008, this would be a possible solution since the ability to
restart
the Active Directory DS service without restarting the server is one of the new features of Server 2008.
Page 130 of 173
You are the systems administrator for your company. The company's network consists of a single Active Directory forest.
Your company has a partner organization that designs your company's products. The partner company has its own Active
Directory
forest. You are required to enable users in the partner organization to access resources in your network without being prompt ed
for
secondary credentials. To achieve this, you want to install the Active Directory Federation Services (AD FS) in your network to
provide
Web-based Single-Sign-On (SSO) capabilities to users in the partner organization.
Which two roles should you install that will be required by AD FS? (Choose two. Each correct answer represents part of the
solution.)
Explanation:
You should install the Web Server (IIS) role and Windows Process Activation Service role service. AD FS is an identity access
solution
that allows browser-based clients to access one or more protected Internet-facing applications without being prompted for
secondary
credentials, even if the user accounts and applications are located in completely different networks or organizations. In any
given
federation relationship, the business partners can either be identified as a resource organization or an account organization.
The
account organization is the one that owns and manages user accounts. The resource organization is the one that owns and
manages
resources that are accessible from the Internet. Users from the account organization access AD FS-enabled applications in the
resource organization. AD FS provides a Web-based SSO solution that authenticates users to multiple Web applications during
a single
browser session. While installing the Active Directory Federation Services role, you should select the Federation Service role
service
on the Select Role Services page. If the Web Server (IIS) role or Windows Process Activation Service role services are not
installed,
you will be prompted to install them. You should select the Add Required Role Services button to install these additional role
services.
The options stating NPAS, AD CS, and Windows SharePoint Services role are incorrect because these roles are not required by
AD FS
to be installed. Network Policy and Access Services allows you to provide local and remote network access and to define and
enforce
policies for network access authentication, authorization, and client health using a Network Policy Server (NPS). The Windows
SharePoint Services role allows teams to create Web sites for information sharing and document collaboration. Active Directory
Certificate Services is an Identity and Access Control security technology that creates and manages public key certi ficates.
You are the network administrator for your company's network. You install a Certificate Authority (CA) to distribute certificates to
users
and computers in your domain. All servers are stored in the Servers OU in your domain.
You link the GPO1 group policy object at the Servers OU as seen in the exhibit. (Click the Exhibit(s) button.)
You want to audit the following on your CA:
Certificate requests from your CA
Revoked certificates
Published Certificate Revocation Lists (CRL)
Item: 127 (Ref:Cert-70-640.3.4.2)
M|.Web Server (IIS)
role
M|.Network Policy and Access Services (NPAS)
role
M|.Active Directory Certificate Services (AD CS)
role
M|.Windows Process Activation Service role
service
M|.Windows SharePoint Services
role
Answer:
Web Server (IIS) role
Windows Process Activation Service role
service
Item: 128 (Ref:Cert-70-640.4.7.2)
Page 131 of 173

Created: 18/04/2013
Version: 1.0
Document1
Page 102 of 133
What should you configure to have these items appear in the security log on the CA?
Explanation:
You should enable auditing on the CA. To enable auditing, open the Certificate Server snap-in and highlight the Certificate
server, rightclick
on the Certificate server, and choose the Auditing tab. You can configure the following items to audit:
A back up or a restore of the CA database
A change in the CA configuration
A change in the security settings of the CA
Certificate requests that are issued or managed from the CA
Certificates that have been revoked from the CA
Certificate Revocation Lists (CRL) that have been published
Archive Keys that have been retrieved or stored
If Active Directory Certificate Servers has been stopped or started
These events cannot be logged into the security log until Audit object access is enabled in a group policy. In this scenario,
GPO1 has
Audit object access enabled.
You do not have to enable Audit process tracking or Audit policy change in GPO1 to enable auditing on the CA. The Audit
process
tracking setting determines whether to audit detailed tracking information for events such as program activation, process exit,
and
handle duplication. The Audit policy change setting determines whether to audit every incidence of a change to user rights
assignment policies, Windows Firewall policies, or audit policies. You do not need these settings enabled to configure auditing
on a CA.
You need to have the Audit object access setting enabled and the appropriate settings enabled under the Auditing tab on the
CA
enabled.
You cannot enable auditing on the CA from the Policy Module tab. You should choose the Auditing tab to configure the
settings that
you want to audit.
*'In Group Policy Management Editor, enable audit policy change in
GPO1.
*'In Group Policy Management Editor, enable audit process tracking in
GPO1.
*'On the CA, enable auditing and choose the appropriate settings to
audit.
*'On the CA, choose the Policy Module tab, and choose the appropriate settings to
audit.
Answer:
On the CA, enable auditing and choose the appropriate settings to
audit.
Page 132 of 173
You are the systems administrator of your company. The company's network consists of a single Active Directory forest. You
install
Windows Server 2008 on all servers on the network.
Your company has a partner organization that has its own Active Directory forest. The users in the partner organization need to
access
resources in your network. To achieve this, you want to install the Active Directory Federation Services (AD FS) on a server
named
Server1 in your network.
Which software must be installed on Server1 to ensure that you are able to install the Federation Service on it? (Choose three.
Each
correct answer represents part of the solution.)
Item: 129 (Ref:Cert-70-640.3.4.1)
M|.Internet Information Services
(IIS)
M|.MSXML 6.0
M|.Microsoft ASP.NET
2.0
M|.Windows Installer
3.1
M|.Microsoft .NET Framework
2.0
M|.Microsoft Management Console
3.0
Answer:
Internet Information Services
(IIS)
Microsoft ASP.NET 2.0
Microsoft .NET Framework 2.0

Created: 18/04/2013
Version: 1.0
Document1
Page 103 of 133
Page 133 of 173
Explanation:
You should ensure that Internet Information Services (IIS), Microsoft ASP.NET 2.0, and Microsoft .NET Framework 2.0 are
installed.
AD FS is an identity access solution that allows browser-based clients to access one or more protected Internet-facing
applications
without being prompted for secondary credentials, even if the user accounts and applications are located in completely different
networks or organizations. The AD FS role requires the Web Server (IIS) role and Windows Process Activation Service role
service for
successful installation. The following software must be installed on computers running the Federation Service:
Windows Server 2003 R2, Enterprise Edition; Windows Server 2003 R2, Datacenter Edition; Windows Server 2008 Enterprise;
or Windows Server 2008 Datacenter
IIS
Microsoft ASP.NET 2.0
Microsoft .NET Framework 2.0
The options stating MSXML 6.0, Windows Installer 3.1, and Microsoft Management Console 3.0 are incorrect because these
software
are not required by AD FS to be installed. MSXML 6.0 is a set of services that allow applications written in JScript, VBScript, and
Microsoft development tools to build Windows-native XML-based applications. Windows Installer 3.1 is an application
installation and
configuration service. Microsoft Management Console 3.0 is a framework that unifies system management tasks on Windows by
providing common navigation, menus, toolbars, and workflow across diverse tools.
You are the systems administrator for your company. The company's network consists of a single Active Directory domain. A
server
named DC1 has Active Directory Domain Services (AD DS) installed. The AD DS database contains information about all the
resources
in the domain.
Over time, you discover that Active Directory searches have become slow. You decide to perform an offline defragmentation of
the AD
DS database. You begin by stopping the AD DS service. Next, you want to compact the AD DS database. Which utility should
you use
to compact the AD DS database?
Explanation:
You should use the Ntdsutil.exe utility to compact the AD DS database. When you perform offline defragmentation of the
directory
database file, a new compacted version of the database file is created in a different location. In Windows Server 2008, you can
perform
offline defragmentation of AD DS database by stopping the AD DS service, performing the offline defragmentation, and then
starting the
AD DS service. In Windows Server 2008, the Restartable AD DS feature allows you to perform an offline defragmentation of AD
DS
database without restarting the domain controller in Directory Services Restore Mode. To perform the offline defragmentation of
the AD
DS database, you should use the Ntdsutil.exe utility. Ntdsutil.exe is a command-line tool that provides management facilities
for
Active Directory directory services. The Ntdsutil.exe tool can be used to perform AD DS database maintenance, to manage and
control
single master operations, and to remove metadata left behind by domain controllers that were removed from the network
without being
properly uninstalled.
Follow these steps to perform offline defragmentation of AD DS database:
1. You should stop the AD DS service by stopping the AD DS service.
2. Run the Compact to command at the Ntdsutil file maintenance prompt. This command creates a compacted copy of the
Ntds.dit file at the location specified in the Compact to command.
3. Delete all of the log files in the log directory by typing the Del drive:\pathToLogFiles\*.log command.
4. Manually copy the compacted database file to its original location.
5. Perform the integrity check on the database.
Item: 130 (Ref:Cert-70-640.5.2.5)
*'Fsutil.exe
*'Ntdsutil.exe
*'Dsamain.exe
*'Wbadmin.exe
Answer:
Ntdsutil.exe
Page 134 of 173
6. Restart the AD DS service.
You should not use the Fsutil.exe utility. Fsutil.exe is a command-line utility that can be used to perform many FAT and NTFS
file

Created: 18/04/2013
Version: 1.0
Document1
Page 104 of 133
system related tasks, such as managing reparse points, managing sparse files, dismounting a volume, or extending a volume.
The
Fsutil utility cannot be used to perform an offline defragmentation of AD DS database.
You should not use the Dsamain.exe utility. Dsamain.exe or the data mining tool can be used to expose snapshot data of a
Lightweight Directory Access Protocol (LDAP) server. The Dsamain.exe tool provides a means to compare data as it exists in
snapshots that are taken at different times to improve the recovery process. Dsamain.exe tool helps administrators decide
which data
to restore after data loss. The Dsamain.exe utility cannot be used to perform an offline defragmentation of AD DS database.
You should not use the Wbadmin.exe utility because this utility cannot be used to perform an offline defragmentation of AD DS
database. Wbadmin.exe is a command-line tool that allows you to back up and restore your computer, volume, and files from a
command prompt.
You are the network administrator for the Nutex corporation. The company has recently reorganized. You are now required to
add three
new members to the Accounting group. You do so with the following command:
dsadd group "CN=Accounting,OU=Distribution Lists,DC=nutex,DC=com" -addmbr
"CN=John Smith,CN=Users,DC=nutex,DC=com"
"CN=Jane Jones,CN=Users,DC=nutex,DC=com"
"CN=Jim Hernandez,CN=Users,DC=nutex,DC=com"
You want the new membership list of this group to be quickly recognized throughout domain. What should you do?
Explanation:
You should use Active Directory Sites and Services to replicate Active Directory information. From Active Directory Sites and
Services,
expand the site and highlight a domain controller in the site. Expand the NTDS settings. You will see all the connection objects
for the
domain controller. If you right-click the connect object, you can force replication on the connection object between the domain
controllers that are being connected.
You should not add universal group membership caching. This allows members of universal groups to log on at a site and have
their
credentials validated locally, saving bandwidth and ensuring functionality in the case of a loss of connection with other sit es.
Universal
group membership caching will not force replication.
You should not add a global catalog server. A global catalog is a domain controller that stores a copy of all Active Directory
objects in a
forest. The global catalog stores a full copy of all objects in the directory for its own domain, and a partial copy of all objects for
all other
domains in the forest. Global catalog servers replicate with other global catalog servers in the forest based on the replication
schedule.
Adding a global catalog server will not force replication.
Trusts
cannot
Item: 131 (Ref:Cert-70-640.2.4.10)
*'From Active Directory Sites and Services, highlight the site and add universal group membership
caching.
*'From Active Directory Sites and Services, highlight the site and add a global catalog
server.
*'From Active Directory Domains and Trusts, expand the domain, right-click the NTDS connections, and force
replication.
*'From Active Directory Sites and Services, expand the site, highlight the domain controller, right-click the NTDS
connections, and
force replication.
Answer:
From Active Directory Sites and Services, expand the site, highlight the domain controller, right-click the NTDS
connections, and force replication.
Page 135 of 173
You are the network administrator of your company. You need to add 100 user accounts to the Sales OU in your domain. You
also
need to modify the account properties of 20 user accounts in the Accounting OU. You have a single Active Directory domain.
What tools will you use?
Explanation:
You should create a script that uses the DSADD command to import the 100 new user accounts for the Sales OU, and create a
script
that uses the DSMOD command to change the 20 user accounts in the Accounting OU. You can use the DSADD command to
import
computers, users, groups, OUs, or quotas. You can use the DSMOD command to change the properties of users, groups,
computers,
OUs, or quotas. You cannot use the DSMOD command to add objects into Active Directory.
The following example uses the Dsmod user command to force the expiration of the accounts of Michelle Smith and Dave
Jones.

Created: 18/04/2013
Version: 1.0
Document1
Page 105 of 133
dsmod user "CN=Michelle Smith,CN=Users,DC=Verigon,DC=Com" "CN=Dave Jones,CN=Users,DC=Verigon,DC=Com" -
acctexpires 0
A value of 0 for -acctexpires sets expiration of the accounts at the end of today.
You cannot use the CSVDE utility to modify the 20 user accounts in the Accounting OU. The CSVDE utility can be used to
import a
comma-delimited file in Active Directory. However, this utility can be used to import only new objects; it cannot be used to
modify
existing objects.
You are the systems administrator for your company. The company's network contains servers that run Windows Server 2008.
One of
the servers is configured as a domain controller. During a routine investigation of the servers, you discover that the domain
controller is
running low on disk space. To ensure that domain services are not affected by low disk space, you decide to move the Active
Directory
database to another server.
You attempt to move the database to a new location by using the Ntdsutil.exe utility, but the database becomes corrupt during
the
move. You attempt to recover the Active Directory Domain Services (AD DS) database by using the Ntdsutil.exe utility, but the
recovery procedure fails due to inconsistency in the database.
Which other utility can you use to recover the AD DS database?
Item: 132 (Ref:Cert-70-640.4.2.6)
*'Create a CSV file for the 100 new user accounts for the Sales OU. Create a CSV file containing the changes for the
20 user
accounts in the Accounting OU. Use CSVDE to import the two files.
*'Create a script that uses the DSADD command to import the 100 new user accounts for the Sales OU. Create a
CSV file
containing the changes for the 20 user accounts in the Accounting OU. Use CSVDE to import the two files.
*'Create a script that uses the DSMOD command to import the 100 new user accounts for the Sales OU. Create a
CSV file
containing the changes for the 20 user accounts in the Accounting OU. Use CSVDE to import the two files.
*'Create a script that uses the DSADD command to import the 100 new user accounts for the Sales OU. Create a
script that uses
the DSMOD command to change the 20 user accounts in the Accounting OU.
Answer:
Create a script that uses the DSADD command to import the 100 new user accounts for the Sales OU. Create a script
that uses the DSMOD command to change the 20 user accounts in the Accounting OU.
Item: 133 (Ref:Cert-70-640.5.2.2)
*'Wbadmin.exe
*'Esentutl.exe
*'Fsutil.exe
*'Dsamain.exe
Page 136 of 173
Explanation:
You can use the Esentutl.exe utility to recover the AD DS database. Active Directory database files are usually relocated for
reasons of
hardware maintenance or low disk space. If the growth of the Active Directory database or log files are causing low disk space,
you
should either expand the partition on the disk that currently stores the database file or move the database file to a bigger
partition by
using the Ntdsutil.exe utility. To relocate the Active Directory database, you should restart the server in Directory Services
Restore
Mode. If the path to the database file or log files will change as a result of moving the files, using the Ntdsutil.exe utility is
recommended because Ntdsutil updates the registry with the new path. The Ntdsutil.exe utility can also be used to recover
Active
Directory database. However, if the procedure for recovering the Active Directory database by using the Ntdsutil.exe utility fails,
you
can use the Esentutl.exe utility to perform database recovery. Esentutl.exe is a command-line utility that provides database
utilities for
the Extensible Storage Engine for Microsoft Windows. To perform database recover by using the Esentutl.exe utility, run the
Esentutl /r PathTo\ntds.dit command.
The Wbadmin.exe utility cannot be used to recover the AD DS database. Wbadmin.exe is a command-line tool that allows you
to back
up and restore your computer, volume, and files from a command prompt.
You cannot use the Fsutil.exe utility. Fsutil.exe is a command-line utility that can be used to perform many FAT and NTFS file
system
related tasks, such as managing reparse points, managing sparse files, dismounting a volume, or extending a volume. The
Fsutil utility
cannot be used to recover the AD DS database.
The Dsamain.exe utility cannot be used to recover the AD DS database. Dsamain.exe or the data mining tool can be used to
expose

Created: 18/04/2013
Version: 1.0
Document1
Page 106 of 133
snapshot data of a Lightweight Directory Access Protocol (LDAP) server. The Dsamain.exe tool provides a means to compare
data as
it exists in snapshots that are taken at different times to improve the recovery process.
You are the network administrator for your company, which has a single domain. The domain controllers are a mixture of
Windows
2000 Server and Windows Server 2003 computers. You will be adding a Windows 2008 Server computer to the domain, and will
install
Active Directory Rights Management Server on the Windows Server 2008 machine.
What must you do to ensure that you can install Active Directory Rights Management (AD RMS) in your domain with minimum
administrative effort? (Choose two. Each answer is part of a single solution.)
Explanation:
You should ensure that the domain functional level is set to Windows Server 2003, and you should upgrade all Windows 2000
Server
domain controllers to Windows Server 2003. You must have a minimum domain functional level and a minimum forest functional
level
of Windows Server 2003. Only domain controllers that use Windows Server 2003 or Windows Server 2008 can support a
domain
functional level of Windows Server 2003 or a forest functional level of Windows Server 2003. Because of this fact, you cannot
have any
Windows 2000 Server domain controllers. These domain controllers must be upgraded to Windows Server 2003, or later.
You should not ensure that Service Pack 4 is installed on all Windows 2000 Server domain controllers. A Windows 2000 Server
domain
Answer:
Esentutl.exe
Item: 134 (Ref:Cert-70-640.3.2.1)
M|.Ensure that Service Pack 4 is installed on all Windows 2000 Server domain
controllers.
M|.Upgrade all Windows 2000 Server domain controllers to Windows Server
2003.
M|.Ensure all domain controllers are running Windows Server 2008 by upgrading or replacing older
ones.
M|.Ensure that the domain functional level of the domain is set to Windows Server 2003.
M|.Ensure that the domain functional level of the domain is set to Windows Server 2008.
Answer:
Upgrade all Windows 2000 Server domain controllers to Windows Server 2003.
Ensure that the domain functional level of the domain is set to Windows Server
2003.
Page 137 of 173
controller cannot exist in a domain where the functional level has been configured to Windows Server 2003.
You do not have to ensure all domain controllers are running Windows Server 2008. You can install AD RMS with Windows
Server
2003 domain controllers. However, you must ensure that the minimum domain functional level is Windows Server 2003 and the
minimum forest functional level is Windows Server 2003.
You do not have to ensure the functional level of the domain is Windows Server 2008. You can install AD RMS with Windows
Server
2003 domain controllers. However, you must ensure that the minimum domain functional level is Windows Server 2003 and the
minimum forest functional level is Windows Server 2003.
You are the network administrator for a company that handles ticket transactions for several theatres and concert halls. Your
company
has a single forest with three domains as shown in the exhibit. All domain controllers in the forest run Windows Server 2003.
(Click the
Exhibit(s) button.)
You want to upgrade some of the domain controllers in each domain to Windows Server 2008. You also want to install a
Windows
Server 2008 Read Only Domain Controller (RODC) in the child2.company.com domain.
What minimal configurations must you perform to prepare for upgrading the domain controllers and installing the RODC?
(Choose five.
Each correct answer is part of the complete solution.)
Item: 135 (Ref:Cert-70-640.2.1.1)
M|.Ensure that each domain is at the Windows Server 2003 functional
level.
M|.Ensure that each domain is at the Windows Server 2008 functional
level.
M|.Ensure that the forest is at the Windows Server 2003 functional
level.
M|.Ensure that the forest is at the Windows Server 2008 functional
level.
M|.Log on to the domain naming master and run
adprep /forestprep.
M|.Log on to the schema master and run
adprep /forestprep.

Created: 18/04/2013
Version: 1.0
Document1
Page 107 of 133
M|.Log on to the PDC emulator in the child2.company.com domain and run
adprep /rodcprep.
M|.Log on to the infrastructure master in the child2.company.com domain and run
adprep /domainprep.
M|.Log on to the domain naming master in the child2.company.com domain and run
adprep /domainprep.
Answer:
Ensure that each domain is at the Windows Server 2003 functional level.
Ensure that the forest is at the Windows Server 2003 functional level.
Log on to the schema master and run adprep /forestprep.
Log on to the PDC emulator in the child2.company.com domain and run adprep /rodcprep.
Log on to the infrastructure master in the child2.company.com domain and run
adprep /domainprep.
Page 138 of 173
Explanation:
You should log on to the schema master and run adprep /forestprep. To add a Windows Server 2008 domain controller to a
forest that
has domain controllers running Windows 2000 Server or Windows Server 2003, you must update the Active Directory schema
from the
domain controller that hosts the schema master role. You must be a member of the Enterprise Administrators group and
Schema
Administrators group to perform this task.
You should log on to the infrastructure master in the child2.company.com domain and run adprep /domainprep. After running
adprep/forestprep on the schema master, you must run the adprep /domainprep command on the infrastructure master in
each
domain in the forest.
You must run adprep /rodcprep. It is not necessary to be logged on to the PDC emulator in the child2.company.com domain
to run
adprep /rodcprep; you can run adprep /rodcprep on any computer in the forest. Typically, this command is run on the schema
master
after the adprep /forestprep command is run. However, you must run this command before installing the first RODC. This step
is
required to enable RODC to replicate DNS partitions, unless you are creating a new forest that has only Windows Server 2008
domain
controllers, then this step is not required. You can copy the contents of the \source\adprep folder on the Windows Server 2008
installation DVD to the schema master and run the Adprep /rodcprep command before installing the RODC.
You should ensure the forest is at the Windows Server 2003 functional level before deploying an RODC. The forest functional
level of
Windows Server 2003 allows linked-value replication. The function level of the forest does not need to be set at Windows Server
2008
to deploy a RODC.
You should ensure the domain is at the Windows Server 2003 functional level before deploying an RODC. The domain
functional level
must be at least Windows Server 2003 so that Kerberos constrained delegation is available. The functional level of the domain
does not
need to be set at Windows Server 2008 to deploy a RODC.
You should not run adprep /forestprep from the domain naming master. This command must be run from the domain controller
that is
the schema master in the forest.
You should not log on to the domain naming master in the child2.company.com domain and run adprep /domainprep. The
Domain
Naming Master role processes all changes to the namespace. There is only one Domain Naming Master role in the entire forest,
typically in the forest root domain along with the Schema Master role. You must have a domain master available before adding
a child
domain to the forest. Therefore, you should log on to the infrastructure master in the child2.company.com domain and run
adprep /domainprep.
You are designing a site link topology for your company. Your corporate network consists of four sites, which are connected
through
WAN links. (Click the Exhibit(s) button.)
The network is fully routed, but the WAN links between Site1 and Site2 and between Site3 and Site4 are slow; therefore, you
do not
want Site2 to replicate directly with Site4. All the other sites should be able to replicate directly with each other.
Which of the following steps should you take? (Select all that apply.)
Item: 136 (Ref:Cert-70-640.2.4.14)
M|.Create three site links: one link that includes Site1 and Site2, another link that includes Site1 and Site3 and a third
link that
includes Site3 and Site4.
Page 139 of 173
Explanation:

Created: 18/04/2013
Version: 1.0
Document1
Page 108 of 133
Site links are logical objects that usually represent physical connectivity among sites. The component named Knowledge
Consistency
Checker (KCC) uses site links to create a replication topology automatically. Initially, a single default site link is automatically
created
that includes all of the existing sites. KCC assumes that all domain controllers in the sites that belong to the same site li nk can
directly
communicate with each other. If the actual WAN topology does not support direct connectivity among all domain controllers on
the
network or if you want to control the replication topology and sequence, then you can delete the default site link and create the
site links
that are appropriate for your network. You can bridge those site links that include at least one common site. Bridging makes site
links
transitive. For example, if sites A and B belong to the site link named AB, sites B and C belong to the site link named BC and
you
create a bridge that includes site links AB and BC, then sites A and C can replicate with each other, provided that the schedules
for
those site links overlap. By default, all site links are bridged.
To meet the requirements of this scenario, you should delete the default site link and disable the Bridge all site links option,
which is
enabled by default. Additionally, you should create two site links: one site link should include Site1, Site2, and Site3 and the
other site
link should include Site1, Site3, and Site4. The sites that belong to the same site link will be able to replicate with each other
directly;
that is, domain controllers in Site1, Site2, and Site3 will be able to replicate with each other directly, and domain controllers in
Site1,
Site3, and Site4 will be able to replicate with each other directly. The sites that do not belong to the same site link will not be
able to
replicate directly; that is, domain controllers in Site2 will not be able to directly replicate with domain controllers in Site4. Another
possible solution is to create three site links: one link between Site1 and Site2, one link between Site1 and Site3 and one link
between
Site3 and Site4. Then, you should create two bridges: one that includes the site link between Site1 and Site2 and the site link
between
Site1 and Site3 and another that includes the site link between Site1 and Site3 and the site link between Site3 and Site4.
If you did not delete the default site link, then all four sites would be able to replicate with each other directly. If you created site
links
and did not disable the default bridging of all site links, then all four sites would be able to replicate with each other directly.
Bridges can include only site links; they cannot include sites. Therefore, all choices that involve the creation of site link bridges
that
include sites are incorrect.
M|.Disable the default bridging of all site
links.
M|.Create a site link that includes Site1, Site2, and Site3, and create another site link that includes Site1, Site3, and
Site4.
M|.Delete the default site
link.
M|.Create a single site link bridge that includes all four
sites.
M|.Create a site link bridge that includes Site1, Site2, and Site3, and create another site link bridge that includes Site1,
Site3, and
Site4.
M|.Create three site link bridges: one bridge that includes Site1 and Site2, another bridge that includes Site1 and Site3
and a third
bridge that includes Site3 and Site4.
Answer:
Disable the default bridging of all site links.
Create a site link that includes Site1, Site2, and Site3, and create another site link that includes Site1, Site3, and
Site4.
Delete the default site link.
Page 140 of 173
You are the administrator of a company that manufactures high-performance engines for race cars. Your company's network
has a
single domain. All domain controllers are a mixture of Windows Server 2003 and Windows Server 2008 server computers. The
functional level of the domain and forest are set to Windows Server 2003.
You have entered into a partnership with another company that makes chassis for race cars. Your partners will need access to
a Webbased
application that is run on one of your servers. The partners company has a single domain. The functional level of the partner's
domain and forest are set to Windows Server 2003.
You plan to create a federated trust between your company and the partner company. You install an Active Directory Federation
server
on your internal network. You install an Active Directory Federation Proxy server in the perimeter network.

Created: 18/04/2013
Version: 1.0
Document1
Page 109 of 133
There is lot of personnel turnover in the partner company. You want to give the partner company access to the Web-based
inventory
control application, but you do not want to create user accounts or manage the users from the partner company. You decide to
install
an Active Directory Federation Service (AD FS) Web agent, as the Web agent is a claims-aware agent that is used for the
claims-aware
inventory control application.
When configuring the AD FS Web agent, you receive an error. You notice in the application log that the error is listed as Event
ID 613.
The Web Agent fails to start.
What should you do to fix the problem?
Explanation:
You should add the Federation Service Uniform Resource Locator (URL) to the web.config file. The error is due to the fact that
the AD
FS Web Agent for claims-aware applications cannot find the Federation Service URL that is configured in web.config. A claims-
aware
application must have the return URL typed correctly in the application's web.config file and it must match the application URL
that is
specified in the trust policy of the Federation Service.
You do not add the Federation Service URL in the registry. This must be specified in the web.config file.
You should not add the Federation Service URL in the ADFSSetup.log file. This log file is created after the setup of AD FS. It
will not
affect the Federation Service URL.
You do not have to upgrade all domain controllers in your domain to Windows Server 2008 and raised the functional level of the
domain
to Windows Server 2008. AD FS can operate properly if the functional level of the domain is set at Windows Server 2003. The
error is
occurring because the AD FS Web Agent for claims-aware applications cannot find the Federation Service URL in the
web.config file.
install
Active Directory Certificate Services (AD CS) on a computer running Windows Server 2008. The AD CS server is configured as
an
enterprise certification authority (CA).
You want to configure the CA to support the Online Responder service so that clients are not required to download complete
Certification Revocation Lists (CRLs). What should you do before you configure the CA to support the Online Responder
service?
Item: 137 (Ref:Cert-70-640.3.4.6)
*'Add the Federation Service URL in the registry at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\WebSso\Parameters.
*'Add the Federation Service URL to the web.config
file.
*'Add the Federation Service URL in the
ADFSSetup.log.
*'Upgrade all of the domain controllers in your domain to Windows Server 2008 and raised the functional level of the
domain to
Answer:
Add the Federation Service URL to the web.config
file.
Item: 138 (Ref:Cert-70-640.6.5.5)
Page 141 of 173
(Choose three. Each correct answer presents a part of the solution.)
Explanation:
You should install Internet Information Services (IIS), configure an Online Certificate Status Protocol (OCSP) Response Signing
certificate template on the CA, and include the URL for the Online Responder in the Authority Information Access (AIA)
extension of
certificates issued by the CA. Online responders can be used in place of or as extensions of CRLs to provide certification
revocation
data to clients. In Windows Server 2008, you can use an Online Responder based on the OSCP to manage and distribute
revocation
status information where the user of conventional CRLs is not an optimal solution. OCSP is a Hypertext Transfer Protocol
(HTTP) that
allows a relying party to submit a certificate status request to an OCSP responder. After the OSCP responder receives the
request, it
returns a definitive, digitally signed response to the client indicating the certificate status.

Created: 18/04/2013
Version: 1.0
Document1
Page 110 of 133
by
You should not install .NET Framework 2.0 on the computer because this is not required for the Online Responder service to be
installed.
You should not create a CRL on the CA because a CRL is not a prerequisite for installing the Online Responder service.
M|.Install Internet Information Services (IIS) on the
computer.
M|.Install .NET Framework 2.0 on the computer.
M|.Configure an Online Certificate Status Protocol (OCSP) Response Signing certificate template on the
CA.
M|.Create a certificate revocation list (CRL) on the
CA.
M|.Include the Uniform Resource Locator (URL) for the Online Responder in the Authority Information Access (AIA)
extension of
Answer:
Install Internet Information Services (IIS) on the computer.
Include the Uniform Resource Locator (URL) for the Online Responder in the Authority Information Access (AIA)
extension of certificates issued by the CA.
Item: 139 (Ref:Cert-70-640.2.3.1)
You are the network administrator of Verigon Corporation. Your company has a main office and a branch office. The company's
network consists of a single Active Directory domain named verigon.com. Each office has its own Active Directory site. You
install a
read-only domain controller (RODC), named RODC1, in the branch office.
A user named Adam in the branch office reports that he is facing difficulty logging on to the network. You want to verify whether
Adam's credentials are cached on RODC1.
What should you do? (Select the appropriate steps on the left and place them in the correct order on the right. It may not be
necessary
to use all the steps provided.)
Page 142 of 173
Explanation:
You should perform the following steps to verify whether Adam's credentials are cached on RODC1 :
An RODC is a new type of domain controller supported by Windows Server 2008, which stores a read-only copy of the Active
Directory
database. After deploying the RODC, you must configure the Password Replication Policy on its respective writable domain
controller.
The Password Replication Policy acts as an access control list (ACL), determining whether the RODC should be permitted to
cache a
password or not. When the RODC receives a logon request, it refers to the Password Replication Policy. If the policy specifies
that the
user account password must be cached, the RODC caches the password, allowing the same account to perform subsequent
logons
more efficiently. To view credentials that are cached on an RODC, you should use the Active Directory Users and Computers
snap-in.
You should open the Password Replication Policy tab in the properties sheet for the RODC, and select the Accounts whose
passwords
are stored on this Read-Only Domain Controller option in the Advanced Password Replication Policy dialog box. Selecting this
option
displays the user and computer accounts whose credentials are cached on the RODC.
You should not open the Active Directory Sites and Services snap-in because this snap-in cannot be used to view credentials
that are
cached on an RODC.
Page 143 of 173
You should not click the Computers OU under the verigon.com node because RODC1 is a domain controller, and the computer
accounts for domain controllers are located in the Domain Controllers OU by default.
You should not select the Accounts that have been authenticated to this Read-Only Domain Controller option in the drop-down
list
because selecting this option displays a list of user and computer accounts that have been authenticated to an RODC.
You are the network administrator for your company. The company's network consists of a single Active Directory domain. All
servers
on the network run Windows Server 2008. A server named Server1 is configured as a domain controller.
Users report that Active Directory searches have become slow. You discover that Server1 is running low on disk space due to
the
gradual growth of the Active Directory database file. You decide to move the Active Directory database and log files to a single
partition
on another server, named Server2.

Created: 18/04/2013
Version: 1.0
Document1
Page 111 of 133
What is the minimum free disk space that will be required to permanently move Active Directory database and log files to
Server2?
Explanation:
You will require at least 20 percent (20%) of the size of the combined Ntds.dit and log files, or 1 GB, whichever is greater.
Relocating
the Active Directory database file is usually done due to hardware maintenance or low disk space. If the growth of the Active
Directory
database or log files are causing low disk space, you should either expand the partition on the disk that currently stores the
database
file, or move the database file to a bigger partition with the Ntdsutil.exe utility. To relocate the Active Directory database, you
should
restart the server in Directory Services Restore Mode. If the path to the database file or log files will change as a result of
moving the
files, it is recommended that you use the Ntdsutil.exe utility because Ntdsutil updates the registry with the new path. You
should also
perform a system state backup as soon as the move is complete so that the restore procedure uses the correct path. When you
are
permanently relocating only the Active Directory database file to a new location, the minimum free disk space required is the
size of the
database file plus 20 percent of the Ntds.dit file, or 500 MB, whichever is greater. When you are permanently relocating only
the log
files to a new location, the minimum free disk space required is the size of the combined log files plus 20 percent of the
combined logs,
or 500 MB, whichever is greater. When you want to relocate both database and logs permanently to a new location, the
minimum free
disk space required is at least 20 percent of the combined Ntds.dit and log files, or 1 GB, whichever is greater.
The other three options are incorrect. When you want to relocate both database and logs permanently to a new location, the
minimum
free disk space required is the greater of 1 GB or a volume equivalent to at least 20 percent of the combined Ntds.dit and log
files.
You are the systems administrator for QualityTech Corporation. All servers on the network run Windows Server 2003. The
network
includes two Domain Name System (DNS) servers, named DNS1 and DNS2. DNS1 is located in the perimeter network, and
DNS2 is
located in the internal network. DNS1 handles name resolution between the perimeter network and the Internet.
Your company is planning to upgrade the server from Windows Server 2003 to Windows Server 2008. However, before you
perform the
upgrade, you want to gather information about the current configuration of each zone in the DNS1 server.
What command should you run?
Item: 140 (Ref:Cert-70-640.5.2.3)
*'At least 15 percent (15%) of the size of the combined Ntds.dit and log files or 500 MB, whichever is
greater
*'At least 15 percent (15%) of the size of the combined Ntds.dit and log files or 1 GB, whichever is
greater
*'At least 20 percent (20%) of the size of the combined Ntds.dit and log files or 500 MB, whichever is
greater
*'At least 20 percent (20%) of the size of the combined Ntds.dit and log files or 1 GB, whichever is
greater
Answer:
At least 20 percent (20%) of the size of the combined Ntds.dit and log files or 1 GB, whichever is
greater
Item: 141 (Ref:Cert-70-640.1.1.4)
Page 144 of 173
Explanation:
You should run the Dnscmd /zoneinfo command to gather current configuration of each zone in DNS1. The Dnscmd
/zoneinfo
command displays the zone-level configuration for a particular zone. Follow the syntax given below to run the Dnscmd
/zoneinfo
command:
dnscmd [ServerName] /zoneinfo ZoneName
In the above syntax, the [ServerName] is the DNS server name that you specified and ZoneName is the name of the zone for
which
you want the configuration to be displayed. You can also run the Dnscmd /zoneexport command if you want to store all of the
resource records in a DNS zone to a text file. Use the following syntax to run the Dnscmd /zoneexport command:
dnscmd [ServerName] /zoneexport ZoneName ZoneExportFile
In the above syntax, the [ServerName] is the DNS server name that you specified, ZoneName is the name of the zone for which
you
want the configuration to be copied to the text file, and ZoneExportFile specifies the name of the file to create.
You should not run the Dnscmd /info command to gather the current configuration of each zone in DNS1. The Dnscmd /info

Created: 18/04/2013
Version: 1.0
Document1
Page 112 of 133
command displays DNS server level configuration information, and not zone-level information. To display the configuration for
each
zone, you must use the Dnscmd /zoneinfo command.
You should not run the Dnscmd /config command to gather the current configuration of each zone in DNS1. You can use the
Dnscmd /config command to change the values in the registry for the DNS server or for individual zones.
You should not run the Dnscmd /statistics command to gather the current configuration of each zone in DNS1. You can use
the
Dnscmd /statistics command to display or clear the data for a specified DNS server.
are in
the process of restoring a deleted Organizational Unit (OU) on a domain controller. You are required to perform a
nonauthoritative
restore before performing the authoritative restore of the OU.
Which type of backup is required before you perform a nonauthoritative restore of AD DS without affecting other data stored on
the
domain controller?
*'Dnscmd /info
*'Dnscmd /config
*'Dnscmd /zoneinfo
*'Dnscmd /statistics
Answer:
Dnscmd /zoneinfo
Item: 142 (Ref:Cert-70-640.5.1.5)
*'A full server
backup
*'A critical-volume
backup
*'Backup of the volume that contains the operating
system
*'Backup of the %SystemRoot%\Windows\NTDS
folder
Answer:
A critical-volume
backup
Page 145 of 173
Explanation:
You should perform a critical-volume backup before performing a nonauthoritative restore of the Active Directory Domain
Services (AD
DS) database. An authoritative restore process returns a designated object, or container of objects, to its state at the time of the
backup. An authoritative restore marks the OU as authoritative and causes the replication process to restore it to all domain
controllers
in the domain. To perform an authoritative restore of AD DS, you must first complete a nonauthoritative restore and ensure that
replication does not occur after the nonauthoritative restore. To perform a nonauthoritative restore of AD DS, you will requi re at
least a
critical-volume backup. A critical-volume backup includes all volumes that are reported by System Writers. To prevent the
replication
from occurring after the nonauthoritative restore, and to perform the authoritative restore portion of the operation, you must
restart the
domain controller in Directory Services Restore Mode and perform the authoritative restore at the domain controller that you are
restoring. After performing the authoritative restore of AD DS, you should start the domain controller normally and synchroni ze
replication with all replication partners.
You should not perform a full server backup because restoring a full server backup not only rolls back data in AD DS to the t ime
of
backup, it also rolls back all data in other volumes. Using a full server backup for nonauthoritative restore is an option when you
do not
have a critical-volume backup due to either human error or hardware failure
You should not perform backup of the volume that contains the operating system because this will also affect other data stored
on the
domain controller.
You should not perform a backup of the %SystemRoot%\Windows\NTDS folder because this will also affect other data stored
on the
domain controller. Also, Windows Server 2008 does not allow you to back up only a particular folder.
You administer a domain controller running Windows Server 2008. The domain controller contains 1,000 user accounts. A user
named
Paul has left your company. You want to delete Paul's user account from Active Directory.
Which tool can you use to achieve the objective?
Explanation:
The Dsrm tool is correct. The Directory Service command-line utilities include Dsadd, Dsget, Dsmod, Dsmove, Dsquery, and
Dsrm.
The Dsrm utility is used to delete objects from the directory.

Created: 18/04/2013
Version: 1.0
Document1
Page 113 of 133
The option stating Dsmod is incorrect. The Dsmod command-line utility can be used to modify attributes of Active Directory
objects,
but it cannot be used to delete objects from the directory.
The option stating Dsmove is incorrect. The Dsmove command-line utility can be used to move a single object, within a
domain, from
its current location in the directory to a new location, or to rename a single object without moving it in the directory tree. The
Dsmove
command-line utility cannot be used to delete objects from the directory.
The option stating Dsadd is incorrect. The Dsadd command-line utility can be used to add objects to Active Directory, but it
cannot be
used to delete objects from the directory.
You are the administrator for your company's Active Directory domain. You install a SQL 2005 Server as a back-end database
server
for an application. You create a domain account called SQL_Agent to be used with the SQL Agent Service to handle backup
and
maintenance issues with the SQL Server.
Item: 143 (Ref:Cert-70-640.4.2.8)
*'Dsmod
*'Dsmove
*'Dsadd
*'Dsrm
Answer:
Dsrm
Item: 144 (Ref:Cert-70-640.4.2.3)
Page 146 of 173
After 42 days, the backup jobs and maintenance jobs on the SQL 2005 server begin to fail. What should you do to fix the
problem?
Explanation:
You should unlock the account and set the password to never expire. The SQL Agent service in SQL 2005 Server manages
backup
jobs and maintenance jobs. Typically this account is a member of the local administrators group on the server. The SQL Agent
service
can have an account that is a domain member. If the account is a domain member, the account is governed by the password
policies
on the domain. In this scenario, the default setting for the maximum password age in a group policy object is 42 days. Since the
SQL_Agent account will be used for SQL Agent service on the SQL 2005 Server and not as a regular account to log in from
client
workstations, you should set the password to never expire.
You should not reset the password. Resetting the password will not prevent the problem from occurring again in the next 42
days. The
problem is that the account is governed by a password policy on the domain. You should set the password to never expire on
the
account.
You should not change the Maximum password age or Minimum password age in the default domain policy. Increasing the
maximum password age will delay the problem of the SQL_Agent's password from expiring. The minimum password age sets
the
number of days a password has to remain active before changing it. This setting will not help the problem of the password
expiring.
Also, changing any setting in the default domain policy will affect other accounts on the domain. In this scenario, you only want
to fix the
problem with the SQL_Agent account.
*'Unlock the account and reset the
password.
*'Unlock the account and set the password to never
expire.
*'Unlock the account and change the Maximum password age setting in the default domain policy to
999.
*'Unlock the account and change the Minimum password age setting in the default domain policy to
999.
Answer:
Unlock the account and set the password to never
expire.
Page 147 of 173
You are the network administrator of a US-based company that has several branch offices across the US. All branch offices in
the US
are connected to the company's head office by high-speed WAN links. The company ventures into the European region and
opens two
new branch offices there. These branch offices are connected to the company's US-based head office by a 56 kbps network
connection. You plan to enable universal group membership caching for the two branch office sites.

Created: 18/04/2013
Version: 1.0
Document1
Page 114 of 133
Which statement is NOT true for enabling the universal group membership caching in both the branch offices?
Explanation:
The option stating that enabling universal group membership caching will require a considerable amount of hardware change is
not
true. Enabling universal group membership caching gathers the user information from the remote catalog server and stores it
locally on
the branch office domain controller. This user information that is stored locally does not require a lot of storage space.
Therefore, to
enable universal group membership caching, you do not need to upgrade the existing hardware of domain controllers, which
would
probably be required when hosting a global catalog.
The option stating that enabling universal group membership caching will provide faster logon times for branch office users is
true.
Enabling universal group membership caching ensures efficient and faster user logon. Once the user information is stored
locally on the
branch office domain controllers, the authentication request is no longer sent to the remote global catalog located at the head
office to
obtain universal group membership information, ensuring faster logon time.
The option stating that enabling universal group membership caching will require minimum network bandwidth usage is true.
Since user
information is stored locally at the branch office after enabling universal group membership caching, the branch office domai n
controllers will not require high network usage to log on branch offices users to the domain. Moreover, when universal group
membership caching is enabled and the WAN link between the branch office and head office sites is offline, then the branch
office
domain controller will be able to successfully log users on to the domain.
The option stating that enabling universal group membership caching will not cause global catalog queries to port 3268 to be
intercepted is true. If an application in the branch office site is sending global catalog queries to port 3268, then enabling
universal
group membership caching will not reduce the usage of the WAN link to resolve these queries. The only way to reduce
bandwidth
usage for applications sending queries to port 3268 is to host the global catalog in those sites.
You are the network administrator for Verigon Corporation, which manufactures shoes and equipment for joggers and runners.
The
company's network has a single domain. All domain controllers run Windows Server 2008, and all client computers run
Windows Vista.
You have a public key infrastructure with a subordinate enterprise Certification Authority (CA) that issues certificates on behalf
of the
root CA, as shown in the exhibit. (Click on the Exhibit(s) button.)
You have an business application that must authenticate users via a certificate. Only the users in the global group AppUsers
can
access the application. You create a new certificate template for a user certificate. You grant the AppUsers group the Read,
Enroll, and
AutoEnroll permissions. You create and link a group policy object to automatically distribute the certificates to users in the
AppUsers
group.
Users in the AppUsers group receive an "Access Denied" error when they attempt to receive a certificate from the CA.
Item: 145 (Ref:Cert-70-640.4.3.1)
*'Enabling universal group membership caching will provide faster logon times for branch office
users.
*'Enabling universal group membership caching will require a considerable amount of hardware
change.
*'Enabling universal group membership caching will reduce network bandwidth
usage.
*'Enabling universal group membership caching will not cause global catalog queries to port 3268 to be
intercepted.
Answer:
Enabling universal group membership caching will require a considerable amount of hardware
change.
Item: 146 (Ref:Cert-70-640.6.5.1)
Page 148 of 173
What should you do to correct the problem?
Explanation:
You should assign the Authenticated Users group the Request Certificates permission, or add an entry for the AppUsers
group and
assign them the Request Certificates permission. A user must have the appropriate permissions to request a certificate from a
CA. To
verify the client has permission to request from the CA, open CertSrv.msc on the CA, right-click the name of the CA, and open
the
Security tab. By default, Authenticated Users should have the Request Certificates permission. If the Authenticated Users
group

Created: 18/04/2013
Version: 1.0
Document1
Page 115 of 133
does not have this permission, you must make sure that the client requesting the certificate is a member of some group that
does have
this permission. You can give this permission to the AppUsers group. In addition to having the Request Certificates permission
on the
CA, the user requesting the certificate must have the permissions of Read, Enroll, and Automatically Enroll on the certificat e
template,
and also have permissions to the group policy object that is linked at the domain or other container that is used to distribute the
certificates.
You do not need to assign the AppUsers group the Read Permission on the subordinate enterprise CA. You can delegate the
permissions of Read, Issue and Manage Certificates, Manage CA, and Request Certificates on a CA.
Read - Allows users to read records from the CA database.
*'Assign the AppUsers group the Read Permission on the subordinate enterprise
CA.
*'Assign the Authenticated Users group the Request Certificates permission on the subordinate enterprise
CA.
*'Change the Publish Delta CRL value to 1 hour so expired certificates for AppUsers are published in Active
Directory.
*'Change the Publish CRL Interval value to 1 hour so expired certificates for AppUsers are published in Active
Directory.
Answer:
Assign the Authenticated Users group the Request Certificates permission on the subordinate enterprise
CA.
Page 149 of 173
Issue and Manage Certificates - Allows users to approve certificate enrollment and revocation requests. Assigning this
permission to a user makes the user a Certificate Manager.
Manage CA - Allows users to configure and maintain the CA. Assigning this permission to a user makes the user a CA
administrator. This is a separate role from the local administrator. The CA administrator has the ability to assign all other
roles and renew the CA certificate.
Request Certificate - Allows users to request certificates from the CA.
The error is occurring because the AppUsers group does not have the Request Certificates permission on the CA, or users in
that
group do not have those permissions through some other group that they belong to, such as Authenticated Users.
You do not have to change the Publish Delta CRL setting or the Publish CRL Interval setting. The Publish Delta CRL setting
determines how often changes to the Certificate Revocation List (CRL) are published. CAs can have lots of certificate
revocations and
will need to be downloaded frequently by clients. Clients can download the most current delta CRL, which contains all the
changes
since the last base CRL was published via the Publish CRL Interval setting. The base CRL can become very large. To
minimize the
frequent downloads of large CRLs, delta CRLs can be published instead. Clients combine the downloaded delta CRL with the
most
current base CRL to generate a complete list of revoked certificates. In this scenario, the "Access Denied" error is not occurring
because of a revoked certificate that appears on the CRL list. The error is occurring because the AppUsers group does not
have the
request certificates permission on the CA or users in that group do not have those permissions through some other group
membership,
such as Authenticated Users.
The following image shows that the Authenticated Users group has the Request Certificates permission:
You are a network administrator for a company named Northern Travel. The company's network consists of a single Active
Directory
forest that contains five domains. The root domain is named northerntravel.com. All domains operate at the Windows 2003
domain
functional level.
You must assign access to a shared folder named Customers. The Customers folder is located on a file server named FS1 in
the root
Item: 147 (Ref:Cert-70-640.4.2.10)
Page 150 of 173
domain. You create a domain local group named Confidential_Access in northerntravel.com and assign the appropriate
permissions
for Customers to this group. Users in each domain who require access to the Customers folder have been placed in global
groups.
You must define an access strategy that provides all forest users with the required access. Your solution must minimize
administrative
effort and network traffic.
What should you do? (Choose three. Each correct answer represents a part of the solution.)
Explanation:
You should create a new security group in the root domain, and configure the scope of this group as universal. Each global
group that

Created: 18/04/2013
Version: 1.0
Document1
Page 116 of 133
contains users who require access to Customers should be added to this universal group. The new universal group should then
be
added to the Confidential_Access domain local group. In order to create universal groups, a domain must operate at either the
Windows 2000 Server native domain functional level or the Windows Server 2003 domain functional level. Universal groups are
stored
in the global catalog and require that all changes to their membership be replicated. If the domain is operating at the Windows
Server
2003 functional level, only the changed attributes of the group will be replicated. To reduce the amount of network traffic, you
can add
users to global groups and then add the global groups to a universal group to gain the benefits of universal group membership.
By
using this method, universal group replication will occur only if global groups are added to or removed from the universal group.
You
can add or remove users from global groups that are nested in universal groups without initiating replication.
You should not create a distribution group in this scenario. Distribution groups are used to organize users into groups for
messaging
purposes. A distribution group can be used for sending e-mail messages, but it cannot be used for assigning access for
resources.
You should not configure the new group as the global group. Global groups can contain members only from within the local
domain.
Membership in global groups cannot span domains. You should create global groups when you need to combine users from a
domain
who share the same job profile or the same set of properties.
You should not configure the new group as a local group on FS1, and add each global group to this group. Although a local
group on a
file server can have global groups from other domains as members, you cannot add the local group as a member of a domain
local
group. A domain local group can include users, global groups or universal groups from any trusted domain. A domain local
group can
contain other domain local groups from the same domain as a member, but a domain local group cannot contain a local group
from
Windows NT, Windows 2000 Professional, Windows 2000/2003 Server, Windows XP or Windows Vista computers.
Your company's corporate network consists of a single Active Directory domain in which all domain controllers run Windows
Server
2008. You are the network administrator. The company's written security policy dictates that all user passwords be changed
every 45
days. All users, including administrators, must comply with this requirement. You configure the appropriate password policy i n a
new
Group Policy object (GPO) that is linked to the domain. All users are now periodically prompted to change their passwords.
Three months later, you perform maintenance on a domain controller; you restart it in Directory Services Restore Mode (DSRM)
and
notice that the administrative password is still valid. You must change the DSRM password on that domain controller.
M|.Create a new security group in the root
domain.
M|.Create a new distribution group in the root
domain.
M|.Configure the new group as a universal group, and add each global group to this
group.
M|.Configure the new group as a global group, and add each global group to this
group.
M|.Configure the new group as a local group on FS1, and add each global group to this
group.
M|.Add the new group to the Confidential_Access domain local
group.
Answer:
Create a new security group in the root domain.
Configure the new group as a universal group, and add each global group to this
group.
Add the new group to the Confidential_Access domain local group.
Item: 148 (Ref:Cert-70-640.4.6.7)
Page 151 of 173
What should you do?
Explanation:
DSRM is a special mode in which a domain controller is started as a stand-alone computer and the Active Directory directory
service is
not activated. DSRM is used to troubleshoot or to perform maintenance on the Active Directory database. During Active
Directory
installation, an administrator can set a password that a user must provide in order to log on to the computer in DSRM. To reset
this
password, you can use the Ntdsutil command-line utility when the domain controller is operating in normal mode. The DSRM
password

Created: 18/04/2013
Version: 1.0
Document1
Page 117 of 133
cannot be reset when a computer is started in DSRM.
You cannot use the password policy in the Default Domain Policy GPO or the Default Domain Controllers Policy GPO to
change
the DSRM password on the domain controller. Password policies that are configured in GPOs cannot be used to specify
passwords
and do not affect DSRM passwords on domain controllers. In Windows Server 2008, you can define different password and
account
lockout policies for different sets of users in a domain. You can use fine-grained password policies to specify multiple password
policies
within a single domain. Fine-grained password policies apply only to user objects and global security groups. To configure fine-
grained
password policies, the domain functional level must be Windows Server 2008.
You should not use Computer Management to reset the password for the local Administrator account. No local user accounts
exist on
domain controllers. Therefore, the Local Users and Groups node does not appear in Computer Management when this
console is
connected to a domain controller.
You administer a server named Server1 that runs Windows Server 2008. Server1 has the Active Directory Lightweight
Directory
Services (AD LDS) role installed. You install an instance of AD LDS named HRApp1 on Server1 to provide Active Directory
data to an
application used by the human resource department.
To organize AD LDS users, you want to create a new Organizational Unit (OU) in the AD LDS application directory partition.
Which two tools can you use to perform the required task? (Choose two. Each correct answer represents a complete solution.)
Explanation:
You can use both the Dsadd.exe and Adsiedit.msc tools to create a new OU in the AD LDS application directory partition. AD
LDS is
usually used to store information about users, organizations, and the groups that they belong to. Lightweight Directory Access
Protocol
*'Use Computer Management to reset the password for the local Administrator
account.
*'Use the Ntdsutil utility to reset the DSRM
password.
*'Configure the password policy in the Default Domain Policy
GPO.
*'Configure the password policy in the Default Domain Controllers Policy
GPO.
Answer:
Use the Ntdsutil utility to reset the DSRM
password.
Item: 149 (Ref:Cert-70-640.3.1.1)
M|.Dsadd.exe
M|.Dsmod.exe
M|.Adsiedit.msc
M|.Ntdsutil.exe
Answer:
Dsadd.exe
Adsiedit.msc
Page 152 of 173
(LDAP)-based directories, such as Active Directory Domain Services (AD DS) and AD LDS, most commonly use OUs to keep
users
and groups organized. To create a new OU in AD LDS, you can use either the Adsiedit.msc or Dsadd.exe tools. Active
Directory
Services Interfaces Editor (ADSI Edit) is a low-level editor for AD DS and AD LDS. ADSI Edit can be used to view, modify,
create, and
delete any object in AD DS and AD LDS. Dsadd.exe is a command-line tool that is built into Windows Server 2008. Dsadd.exe
is
available if you have the AD DS server role installed. To use Dsadd.exe, you must run the Dsadd command from an elevated
command prompt. The Dsadd ou command allows you to add a single OU to the directory. To add an OU to the directory with
the
Dsadd ou command, you should follow this syntax:
Dsadd ou <OrganizationalUnitDN>
<OrganizationalUnitDN> is a required parameter which specifies the distinguished name of the OU that you want to add.
You cannot use the Dsmod.exe tool to create a new OU in the AD LDS application directory partition. Dsmod.exe is a
command-line
tool built into Windows Server 2008, which can be used to modify an existing object of a specific type in the directory.
You cannot use the Ntdsutil.exe tool to create a new OU in the AD LDS application directory partition. Ntdsutil.exe is a
command-line
tool that provides management facilities for Active Directory directory services. Ntdsutil.exe tool can be used to perform AD DS
database maintenance, to manage and control single master operations, and to remove metadata left behind by domain
controllers that

Created: 18/04/2013
Version: 1.0
Document1
Page 118 of 133
were removed from the network without being properly uninstalled.
You are the network administrator for your company. All servers on the network run Windows Server 2008. A server named
Srv1 is
configured as a domain controller. You have configured a scheduled backup to be performed every day on Srv1.
Over a period of time, users report that searching resources in the Active Directory takes longer and longer. What should you do
to
resolve this problem?
Explanation:
You should perform an offline defragmentation of the AD DS database. Offline defragmentation of the AD DS database is used
to
defragment the fragmented database. When you perform offline defragmentation of the directory database file, a new
compacted
version of the database file is created in a different location. In Windows Server 2008, you can perform offline defragmentat ion
of AD
DS database by stopping the AD DS service, performing the offline defragmentation, and restarting the AD DS service. In
Windows
Server 2008, the Restartable AD DS feature allows you to perform tasks, such as offline defragmentation of AD DS database,
without
restarting the domain controller in Directory Services Restore Mode.
To perform offline defragmentation, you should stop the AD DS server by stopping the AD DS service. Once the AD DS is
stopped
should run the Compact to command at the Ntdsutil file maintenance prompt. This command creates a compacted copy of
the
Ntds.dit file at the location specified in the Compact to command. You can specify a folder on the local computer, or a shared
folder
on a remote computer, in the Compact to command. If defragmentation completes successfully, you should delete all of the log
files in
the log directory by typing the Del drive:\pathToLogFiles\*.log command. You should then manually copy the compacted
database file
to its original location. After copying the compacted Ntds.dit file to its original location, you should perform the integrity check on
the
database. If integrity check succeeds, you should restart the AD DS service.
You should not perform an online defragmentation of the AD DS database. When a server or database is used for a long time, it
becomes fragmented. This fragmentation causes the server or database to respond slowly to user queries. To resolve this
problem, you
should regularly defragment the server or the database. Active Directory automatically performs online defragmentation of the
database
at certain intervals, which is every 12 hours by default, as part of the Garbage Collection process. Online defragmentation does
not
reduce the size of the database file, but instead optimizes data storage in the database and reclaims space in the directory for
new
Item: 150 (Ref:Cert-70-640.5.2.6)
*'Perform an online defragmentation of the AD DS
database.
*'Perform an offline defragmentation of the AD DS
database.
*'Stop and then restart the AD DS
service.
*'Restart the domain
controller.
Answer:
Perform an offline defragmentation of the AD DS
database.
Page 153 of 173
objects.
You should not stop and then restart the AD DS service or restart the domain controller. In this scenario, the problem is the
fragmented
AD DS database. Restarting the AD DS service or the domain controller will not defragment the AD DS database.
You are the network administrator for the Nutex corporation. The Nutex corporation has its main office in Atlanta, where you
work, and
has branch offices in New Orleans, Birmingham, Knoxville, and Charlotte. Nutex has a single Active Directory domain and each
office is
configured as a separate Active Directory site. All DNS servers are located on domain controllers in each office and contain an
Active
Directory-integrated zone named nutex.com. The domain controllers in the company are a mixture of Windows Server 2008,
Windows
Server 2003, and Windows 2000 Server operating systems.
Nutex has enrolled employees at each branch office in online training classes provided by Kaplan IT. However, they are having
problems downloading the materials from the Kaplan IT Web site. In an effort to resolve queries to kaplanit.com, you create a
conditional forwarder on the DNS server in the Atlanta office, as shown in the exhibit. (Click on the Exhibit(s) button.)

Created: 18/04/2013
Version: 1.0
Document1
Page 119 of 133
DNS administrators in the other offices complain that the conditional forwarder setting is not configured on the DNS servers of
their
respective offices.
Item: 151 (Ref:Cert-70-640.1.2.2)
*'Increase the Number of seconds before forward queries time out to
15.
*'Use Repadmin to force replication between each
site.
*'Configure the conditional forwarder setting to replicate to All DNS servers in the
domain.
*'Configure the conditional forwarder setting to replicate to All domain controllers in this
domain.
Answer:
Configure the conditional forwarder setting to replicate to All domain controllers in this
domain.
Page 154 of 173
Explanation:
You should configure the conditional forwarder setting to replicate to All domain controllers in this domain. A conditional
forwarder
can be used to forward specific queries to a specific DNS server. In this scenario, you want to forward all requests to
kaplanit.com to
the IP address 206.17.132.250. For other branch office DNS servers to contain this setting, you should select the Store this
conditional forwarder in Active Directory, and replicate it as follows: setting. This setting can be configured as follows:
All DNS servers in the forest: Replicates the setting to all DNS servers in the forest that are domain controllers running
Windows Server 2008 or Windows Server 2003. This setting will not replicate to DNS servers that are pre-Windows 2003
domain
controllers.
All DNS servers in the domain: Replicates the setting to all DNS servers in the domain that are domain controllers running
Windows Server 2008 or Windows Server 2003. This setting will not replicate to DNS servers that are pre-Windows 2003
domain
controllers.
All domain controllers in this domain: Replicates to all domain controllers in the domain. This setting should be used if you
have DNS servers that are pre-Windows 2003 domain controllers.
Since the domain controllers in your company are a mixture of Windows Server 2008, Windows Server 2003, and Windows
2000
Server, and some DNS servers may be using Windows 2000 Server, you should select All domain controllers in this domain.
You should not configure the conditional forwarder setting to replicate to All DNS servers in the domain. This setting will
replicate the
conditional forwarder setting only to DNS servers that are domain controllers running Windows Server 2008 and Windows
Server 2003.
In this scenario, the domain controllers are a mixture of Windows Server 2008, Windows Server 2003, and Windows 2000
Server, and
some DNS servers may be using Windows 2000 Server.
You should not increase the Number of seconds before forward queries time out value to 15. This setting will only change
timeout
value of the query. This setting will not allow replication throughout Active Directory.
You should not use Repadmin to force replication between each site. Repadmin.exe is a command-line tool that assists
administrators
in diagnosing replication problems between Windows domain controllers. Replication is not the problem in the scenario. The
conditional
forwarder setting is not being replicated because you have not selected the Store this conditional forwarder in Active
Directory,
and replicate it as follows: setting. You should configure All domain controllers in this domain.
You are the administrator for a company that makes golf equipment. Your company hires seasonal workers who work on site
twice a
Item: 152 (Ref:Cert-70-640.4.2.4)
Page 155 of 173
year, during the spring and fall seasons. You create user accounts for 12 seasonal employees. You want to ensure that the
employees
are not able to access resources in the domain during the periods when they are not actively employed by the company.
What should you do?
Explanation:
You should create a Lighweight Directory Access Protocol (LDAP) query in Active Directory Users and Computers by selecting
Find
from the Action menu and creating an LDAP query that will return the seasonal user accounts. You then select the user
accounts
returned by the query and simultaneously modify the expiration dates in their accounts' properties. This method will allow you to
easily

Created: 18/04/2013
Version: 1.0
Document1
Page 120 of 133
update the expiration date on the user accounts, which will disable their access to the domain when they are no longer
employed.
You cannot use an LDAP query return the seasonal user accounts and lock the accounts. There is no setting to lock an
account. You
can only set an expiration date on the account. An account can be locked if a user fails to type the correct password a specific
number
of times. This setting is configured in the account lockout policy. Depending on what is configured in the account lockout policy,
the
lockout can be for a certain period of time, such as 30 minutes or until the account is unlocked by an administrator.
You should not use the CSVDE utility to change the settings of an existing account. The CSVDE utility can be used to import a
commadelimited
file in Active Directory. However, this utility can be used to import only new objects; it cannot be used to modify existing
objects.
You are the network administrator of a company that manufactures golf equipment. Your company's network has a single
domain. All
domain controllers use Windows Server 2008. The functional level and domain level are set at Window Server 2003. You have
Group
Policy Objects (GPOs) deployed in your domains that set folder redirection all for users in the domain.
Your company purchases a company that manufactures bowling equipment. This company's network also has a single domain.
All
domain controllers use Windows Server 2008. The functional level and domain level are set at Window Server 2003.
You export the settings of a Group Policy Object (GPO) from the golf company's domain. You want to import the settings of this
GPO
into a GPO in the bowling company's domain.
How could you retain the settings from the golf company's GPO with the least amount of administrative effort?
*'In Active Directory Users and Computers, select Find from the Action menu and create an LDAP query that will
return the
seasonal user accounts. Select all of the user accounts returned by the query and simultaneously set an expiration date.
*'At the end of the spring or fall season, use Active Directory Users and Computers, select Find from the Action
menu, and create
an LDAP query that will return the seasonal user accounts. Select all of the user accounts returned by the query and lock their
accounts.
*'Create a comma-delimited file for the seasonal accounts. Configure an expiration date for the accounts in the file.
Use the CSVDE
utility to import the file.
*'At the end of the spring or fall season, create a comma-delimited file for the seasonal accounts. Configure the
accounts to be
locked. Use the CSVDE utility to import the file.
Answer:
In Active Directory Users and Computers, select Find from the Action menu and create an LDAP query that will
return the seasonal user accounts. Select all of the user accounts returned by the query and simultaneously set an
expiration date.
Item: 153 (Ref:Cert-70-640.4.4.7)
*'Use the CreateGPOs.wsf script to import the
settings.
*'Use the ImportGPOs.wsf script to import the
settings.
*'Create a two-way trust between the domains. Use the CreateGPOs.wsf script to import the
settings.
*'Create a two-way trust between the domains. Use the ImportGPOs.wsf script to import the
settings.
Answer:
Use the ImportGPOs.wsf script to import the
Page 156 of 173
Explanation:
You should use the ImportGPOs.wsf script to import the settings from one GPO into a GPO into the bowling company's
domain. You
can use the ImportGPOs.wsf script to use a backup of a GPO and import the settings from the backup GPO into a new
specified GPO.
You do not need to establish a trust relationship between the domains if the domains are in different forests. You need requi re
read
access to the location that contains the source file.
The syntax for the ImportGPOs.wsf script is as follows:
ImportGPO.wsf <BackupLocation> <BackupID> [TargetGPO] [/MigrationTable:<FilePath>]
[/CreateIfNeeded]
[/Domain:<DNSDomainName>]
You can use the GPO name or GPO ID for the BackupID parameter. Doing this will only import the most recent backup of the
GPO if
multiple backups exist. To import an earlier version of a GPO's backup, you must specify the unique backup ID for the specifi c
backup.

Created: 18/04/2013
Version: 1.0
Document1
Page 121 of 133
This is the string that uniquely identifies the backup within its backup directory. You would have to run the
QueryBackupLocation.wsf
script to retrieve the unique backup IDs for all GPOs in a specific backup location.
You can use the TargetGPO parameter to specify the target GPO where the settings should be imported. The
MigrationTable
switch is optional and is used to map security principals and paths across domains when importing a GPO. The
CreateIfNeeded
switch is used to create a new GPO if the specified target GPO does not exist.
ImportGPO.wsf f:\backup BowlingGPO GolfGPO /CreateIfNeeded
You should not use the CreateGPOs.wsf script. This script will only create new GPOs, and will not import settings from an
existing
GPO.
You do not need to create a two-way trust between the forests. As long as you have read access to the source location of the
GPO and
have permissions in the destination domain, you can use the ImportGPO.wsf script to import it.
You are the network administrator for your company, which has a main office and a branch office. The company's network
consists of a
single Active Directory domain. You install Domain Name System (DNS) on a Windows Server 2008 computer in the main
office,
named DNS1, which contains the primary zone. You also install a UNIX DNS server in the branch office.
You want to prevent interoberability-related problems between the DNS servers in each office. What should you do?
Explanation:
You should select the BIND secondaries option in the Server options list on the Advanced tab in the properties sheet for
DNS1.
Windows Server 2008 support two types of zone file replication: full zone transfer (AXFR) and incremental zone transfer (IXFR).
In
AXFR, the entire zone file is replicated. In IXFR, only records that have been modified are replicated. Berkeley Internet Name
Domain
(BIND) version 4.9.3 and earlier DNS server software, such as UNIX DNS and Windows NT 4.0 DNS, only support full zone
transfers.
There are two types of the AXFR: one requires a single record per packet, and the other allows multiple records per packet. The
Windows Server 2008 DNS service supports both types of zone transfer and uses multiple records per packet by default.
Therefore, to
configure your Windows Server 2008 DNS server to successfully work and replicate with a UNIX DNS server, you should enable
BIND
secondaries. Enabling the BIND secondaries option disables the fast zone transfer method on Windows Server 2008, which
enables
settings.
Item: 154 (Ref:Cert-70-640.1.3.5)
*'Select the BIND secondaries option in the Server options list on the Advanced tab in the properties sheet for
DNS1.
*'Clear the BIND secondaries option in the Server options list on the Advanced tab in the properties sheet for
DNS1.
*'Clear the Enable round robin option in the Server options list on the Advanced tab in the properties sheet for
DNS1.
*'Clear the Enable netmask ordering option in the Server options list on the Advanced tab in the properties sheet
for
DNS1.
Answer:
Select the BIND secondaries option in the Server options list on the Advanced tab in the properties sheet for
DNS1.
Page 157 of 173
the server to make successful zone transfers to DNS servers that support BIND versions prior to version 4.9.4.
You should not clear the BIND secondaries option in the Server options list on the Advanced tab in the properties sheet for
DNS1.
Clearing the BIND secondaries option enables the fast zone transfer method, which is not supported by DNS servers that have
BIND
version 4.9.4 or earlier, such as UNIX DNS servers.
You should not clear the Enable round robin option in the Server options list on the Advanced tab in the properties sheet for
DNS1.
Round robin is a local load balancing mechanism used by DNS servers to share and distribute network resource loads.
Disabling round
robin will not ensure that Windows Server 2008 DNS server and UNIX DNS server do not have interoperability-related
problems.
You should not clear the Enable netmask ordering option in the Server options list on the Advanced tab in the properties
sheet for
DNS1. Netmask ordering allows you to use one host name for multiple IP addresses. Disabling netmask ordering will not ensure
that
Windows Server 2008 DNS server and UNIX DNS server do not have interoperability-related problems.
You are the network administrator for your company. Your account is a member of the Enterprise Admins, Domain Admins, and
Schema Admins groups. You have three sites in three different cities as shown in the exhibit. (Click the Exhibit(s) button.)

Created: 18/04/2013
Version: 1.0
Document1
Page 122 of 133
You have moved some user accounts from the Lost and Found Organizational Unit (OU) to the Accounting OU on DC3. You
have an
assistant, a user named Jeff, who had been delegated permissions in Site2 to use Active Directory Sites and Services to force
replication to other directory partitions.
Jeff receives the following error:
"Access Denied"
The replication fails. The Active Directory information must be replicated. What can you do to force replication to other directory
partitions?
Explanation:
Since your account is a member of the Enterprise Admins group, you should use Repadmin to force replication, not Jeff. In this
scenario, Jeff used Active Directory Sites and Services on DC3 to force replication. Active Directory Sites and Services initiates
Item: 155 (Ref:Cert-70-640.2.4.12)
*'Have Jeff use
Rsnotify.
*'Use Rsnotify yourself to force
replication.
*'Have Jeff use Repadmin to force
replication.
*'Use Repadmin yourself to force replication.
Answer:
Use Repadmin yourself to force
replication.
Page 158 of 173
replication on all common directory partitions between the replication partners of DC3. Jeff can only force manual replication for
containers on which he has been assigned the Replication Synchronization permission. The replication of other directory
partitions for
which Jeff does not have the Replication Synchronization permission will fail, causing the "Access Denied" error. An Enterpri se
Administrator has the Replication Synchronization permission throughout the forest. You can use either the Repadmin or
Replmon
command-line tools to manually force the replication of a specific directory partition.
Neither you nor Jeff should use Rsnotify to force replication. This command is a remote storage recall notification program on a
Windows operating system. This command will not force replication.
You are the systems administrator for your company. The company has a main office and a branch office, and each office has
its own
Active Directory domain in a single forest. The branch office network contains a read-only domain controller (RODC) that is
configured
to cache passwords for all domain users.
A user named Adam is moving to the main office from the branch office. You want to clear Adam's user account password that
is
cached on the RODC. What should you do?
Explanation:
You should reset the password for Adam's user account. Credential caching is the storage of user or computer credentials. You
can
configure the Password Replication Policy on a writable domain controller to specify if an RODC should be allowed to cache a
password. Password caching enables an RODC to directly service a user's request to log on if the user's credentials are cached
on the
RODC. A list of all credentials stored on RODCs is also maintained by Active Directory Domain Services (AD DS), which allows
an
administrator to force a password reset for all user credentials stored on an RODC if the RODC is ever compromised. Resetting
the
password for a given user is the mechanism to securely clear the cached password for that user.
You should not delete Adam's user account from the Password Replication Policy tab in the properties dialog box for the
RODC, or
add Adam's user account to the Denied List in the Password Replication Policy. The Password Replication Policy tab
contains a list
of groups that are allowed or denied for replication to an RODC. Only passwords for accounts that are in the Allow groups can
be
replicated to the RODC, not passwords for accounts in the Deny groups. In this scenario, the password for Adam's user account
is
already cached on the RODC in the branch office. Therefore, to clear the cached password for Adam's user account, you shoul d
reset
the password for Adam's user account.
You should not select the User must change password at next logon option in the properties dialog box for Adam's user
account.
This option forces a user to change his or her password the next time he or she attempts to log on to the domain. The
mechanism to
securely clear the cached password for a given user on an RODC is to reset the password.
You are the systems administrator of your company. The network of the company consists of a single Active Directory domain.
The
client computers on the network run Windows XP, Windows 2000, and Windows Vista. Two Windows Server 2003 computers
named

Created: 18/04/2013
Version: 1.0
Document1
Page 123 of 133
WinDC1 and WinFile1 are configured as a domain controller and a file server, respectively.
You create .ADMX and .ADML files to define registry-based policy settings on all client computers in the domain. You want to
create a
central store to provide a centralized storage location for all .ADMX and .ADML files for the domain. First, you must ensure that
you
have met the minimum requirements to create a central store.
Item: 156 (Ref:Cert-70-640.3.3.6)
*'Delete Adam's user account from the Password Replication Policy tab in the properties dialog box for the
RODC.
*'Add Adam's user account to the Denied List in the Password Replication
Policy.
*'Select the User must change password at next logon option in the properties dialog box for Adam's user
account.
*'Reset the password for Adam's user
account.
Answer:
Reset the password for Adam's user
account.
Item: 157 (Ref:Cert-70-640.4.4.6)
Page 159 of 173
Explanation:
You should upgrade WinDC1 from Windows Server 2003 to Windows Server 2003 R2 and create a folder in the SYSVOL folder
on
WinDC1. Group Policy is used to apply one or more desired configurations or policy settings to a set of targeted users and
computers
within an Active Directory environment. Over 700 new policy settings are included in Group Policy in Windows Vista, which
provides
greater coverage of policy settings for easier administration by including Group Policy Management console (GPMC), support
for
multilingual environments by using ADMX files, and providing support for multiple components of Windows Vista. The registry-
based
policy settings in Windows Vista are defined by using a standards-based XML file format known as ADMX files. The ADMX files
are
language-neutral resource files. The other type of registry-based policy settings are known as ADML files, which are language-
specific
resource files. ADMX and ADML files replace the ADM files that were used in earlier versions of Windows.
To ensure that ADMX files are recognized by Group Policy tools, such as GPMC and Group Policy Object Editor, you must be
running
a Windows Vista-based or Windows Server 2008-based computer. ADMX files are not stored in individual Group Policy Objects
(GPOs). If you have a domain environment, you can create a central store location of ADMX files that can be accessed by
anyone with
controller,
and provides a centralized storage location for ADMX and ADML files for the domain. A central store can be created on a
domain
controller running Windows Server 2003 R2, Windows Server 2003 Service Pack 1 (SP1), or Windows 2000 Server. The ADMX
files
supersede the default ADM files that were included in the operating system, such as System.adm and Inetres.adm. Therefore,
Group
Policy tools exclude the default ADM files. If you have any custom ADM files in your existing environment, Group Policy tools
will
continue to recognize those ADM files. You can use the Add/Remove Template menu option to add or remove custom ADM
files to a
GPO. New Windows Vista-based policy settings can only be managed from Windows Vista-based machines by using the Group
Policy
Object Editor or GPMC. The Group Policy Object Editor on Windows Server 2003, Windows XP, or Windows 2000 machines
will not
display new Windows Vista Administrative Template policy settings that may be enabled or disabled within a GPO. You can use
the
Group Policy Object Editor or GPMC in Windows Vista to manage all operating systems that support Group Policy, such as
Windows
Vista, Windows Server 2003, Windows XP, and Windows 2000.
You should not upgrade WinDC1 from Windows Server 2003 to Windows Server 2008 or create a shared folder on WinFile1.
The
central store is a folder created in the SYSVOL folder of an Active Directory domain controller, not a file server. The creation of
the
central store does not require Windows Server 2008.
You should not create a folder on the NETLOGON folder on WinDC1. The central store must be created in the SYSVOL folder
of an
Active Directory domain controller.

Created: 18/04/2013
Version: 1.0
Document1
Page 124 of 133
You do not need to manually create a shared folder on WinDC1. The central store must be created in folder called SYSVOL
that is
already shared on an Active Directory domain controller.
You install Windows Server 2008 on a server on your network. The server is configured as a domain controller. You want to
install a
new custom application that will be used by all users on the network. This application will store data in Active Directory.
You are required to install some new attributes and classes in the schema to successfully install the application. To achieve this,
you
want to install the Active Directory Schema snap-in on the domain controller.
What is the minimum group membership that you will require for installing the Active Directory Schema snap-in?
M|.Upgrade WinDC1 from Windows Server 2003 to Windows Server 2003
R2.
M|.Upgrade WinDC1 from Windows Server 2003 to Windows Server
2008.
M|.Create a folder in the SYSVOL folder on
WinDC1.
M|.Create a folder on the NETLOGON folder on
WinDC1.
M|.Create a shared folder on WinFile1.
Answer:
Upgrade WinDC1 from Windows Server 2003 to Windows Server 2003
R2.
Create a folder in the SYSVOL folder on WinDC1.
Item: 158 (Ref:Cert-70-640.2.6.5)
Page 160 of 173
Explanation:
You will require membership of the Domain Admins group. The Active Directory Schema snap-in is an Active Directory
administrative
tool for managing the schema. It is not available by default on the Administrative Tools menu and must be added manually. To
install
the Active Directory Schema snap-in, you should register the Schmmgmt.dll dynamic link library (DLL) that is required for the
Active
Directory Schema snap-in. You should open a command prompt and enter the following command to register the required DLL
file:
regsvr32 schmmgmt.dll
After registering the Schmmgmt.dll file, you can add the Active Directory Schema snap-in to Microsoft Management Console
(MMC).
To install the Active Directory Schema snap-in, membership in the Domain Admins group, or equivalent, is the minimum
requirement.
The options stating membership of the Schema Admins group, membership of the Enterprise Admins group, and
membership of the
Administrators group on the domain controller are all incorrect. Membership of the Schema Admins group is required when
you want
to perform a task that requires modification in the schema, such as transferring the schema master role to another computer in
the
forest, or installing an application that will install new attributes and classes in the Active Directory database. To instal l the
Active
Directory Schema snap-in, the membership of the Domain Admins group, or equivalent, is the minimum requirement.
You are a network administrator for one of the branch offices of your company. All client computers are connected to the
Windows
Server 2008 domain.
You are issuing certificates to all client computers by using Active Directory Certificate Service (AD CS) on your server. One of
the
clients in another branch uses the Linux operating system, and you want to choose the best method to issue a certificate to t his
client.
What should you do?
Explanation:
You should use the Web enrollment service to issue certificates to non-Microsoft client computers that are not part of the
domain. It can
be used to assign certificates to these clients which cannot rely on the auto-enrollment mechanisms of a certification authority
(CA) or
the Certificate Request Wizard. The Web enrollment service is a Windows based CA, which allows users to obtain new or
renewed
certificates over the Internet.
*'Membership of the Domain Admins
group.
*'Membership of the Schema Admins
group.
*'Membership of the Enterprise Admins
group.
*'Membership of the Administrators group on the domain

Created: 18/04/2013
Version: 1.0
Document1
Page 125 of 133
controller.
Answer:
Membership of the Domain Admins group.
Item: 159 (Ref:Cert-70-640.6.2.3)
*'Issue a certificate using the Network Device Enrollment Service
(NDES).
*'Issue a certificate using Enterprise Public Key Infrastructure (PKI)-
View.
*'Issue a certificate using the Web enrollment
service.
*'Issue a certificate using a restricted enrollment
agent.
Answer:
Issue a certificate using the Web enrollment
service.
Page 161 of 173
In Windows Server 2008, using AD CS certificate revocation is a necessary part of the process of managing certificates issued
by CAs.
The most common method of communicating certificate status in Windows Server 2008 is distributing certificate revocation list s
(CRLs).
In Windows Server 2008, where the use of conventional CRLs is not the most optimal solution, an Online Responder based on
the
Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status information or make the
revoked
certificates highly available. The CRLs used to provide validity checking for certificates include the serial numbers of all
certificates that
are still within their validity period but should no longer be trusted. For example, if an employee has a certificate with an
expiration date
of December 1, 2008, but the employee leaves the organization on October 1, 2007, the serial numbers of the employee's
certificates
would be placed on the CRL. The CRL would be made highly available at multiple CRL Distribution Points (CDPs) as described,
in
either HTTP or Lightweight Directory Access Protocol (LDAP) paths.
You cannot use the Network Device Enrollment Service (NDES) to provide certificates to non-Microsoft client computers. NDES
is
Microsoft implementation of a communications protocol named Simple Certificate Enrollment Protocol (SCEP). SCEP helps
provide
X.509 certificates for software running on network devices such as routers and switches.
You cannot use Enterprise PKI-View to provide certificates to non-Microsoft client computers. Enterprise PKI-View provides a
status
view of your network's PKI environment, which enables administrators to troubleshoot possible errors by the CA and easily fix
the
errors.
You cannot use a restricted enrollment agent to provide certificates to non-Microsoft client computers. Using restricted
enrollment
agents in AD CS allows you to limit permissions to users who are designated as enrollment agents and receive certificates on
behalf of
other users in the network.
You are network administrator for United Sales Corporation. The organization's network contains five servers running Windows
Server
2008 in an Organizational Unit (OU) named US-security. All five servers are part of the domain, which is named usales.com.
You notice that some unauthorized network connection attempts have been made by users to connect to all five servers. You
want to
track all network connection events across the five servers in the US-security OU.
What should you do?
Explanation:
You should activate the Audit logon events policy to achieve the objective in this scenario. An Audit logon events policy will
audit
each event related to a user logging on, logging off, or making a network connection. The events in this level of audit are l ogged
when a
user logs on interactively to a workstation with a domain user account. You can configure the Audit logon events policy in
Group
Policy Object (GPO) settings either in Graphical User Interface (GUI) mode or by using the Auditpol.exe command line utility.
To access group policy and configure Audit logon events policy on a domain controller, perform the following steps:
1. Click the Start button, type gpedit.msc in the Run dialog box, and press the Enter key. This will open the group policy
window.
2. Under Group Policy menu, scroll down to the following node: Computer Configuration\Security Settings\Local
3. In the right pane, right-click Audit logon events and click Properties.
5. Once you configure the Audit policy, you can link the GPO to the appropriate OU.

Created: 18/04/2013
Version: 1.0
Document1
Page 126 of 133
You should not activate the Audit process tracking policy to achieve the objective in this scenario. An Audit process tracking
policy
will audit events related to processes on the computer, such as program activation, process exit, handle duplication, and indirect
object
access.
Item: 160 (Ref:Cert-70-640.5.3.4)
*'Activate the Audit logon events
policy.
*'Activate the Audit process tracking
policy.
*'Activate the Audit object access
policy.
*'Activate the Audit account logon events policy.
Answer:
Activate the Audit logon events
policy.
Page 162 of 173
You should not activate the Audit object access policy to achieve the objective in this scenario. An Audit object access policy
will
audit events when a user attempts to access an object. Objects include files, folders, printers, registry keys, and Active Directory
objects.
You should not activate Audit account logon events policy to achieve the objective in this scenario. An Audit account logon
events
policy audits each time a user is logging on or off the domain.
You are a network administrator for your company. Your corporate network consists of a single Active Directory domain. The
company's written security policy dictates that all Human Resources personnel must use strong passwords because they handle
confidential data. No other users are required to have strong passwords.
What should you do to configure a separate password policy for Human Resource personnel with minimal administrative effort?
Explanation:
You should create a global security group for the Human Resource employees and apply a fine-grained password policy. In a
Windows
Server 2008 environment you can define different password and account lockout policies for different sets of users in a domai n.
You
can use fine-grained password policies to specify multiple password policies within a single domain. Fine-grained password
policies
apply only to user objects and global security groups. To configure fine-grained password policies, the domain functional level
must be
Windows Server 2008. If you do not create fine-grained password policies for different sets of users, the Default Domain Policy
settings
apply to all users in the domain.
users
a finegrained
password policy. You would add users of the OU as members of the newly created shadow group, and then apply the
finegrained
You should not move the user accounts of the Human Resources employees to an OU, and create and link a GPO to that OU.
Performing these steps would require more administrative effort than creating a global security group and applying a fine-
grained
password policy.
You should not move the computer objects for the client computers of the Human Resources employees to a new domain, and
create
and link a GPO to that domain. Performing these steps would require more administrative effort than necessary.
You should not move the computer objects for the client computers of the Human Resources employees to an OU, and create
and link
a GPO to that OU because performing these steps would require more administrative effort than necessary.
You are the network administrator for your company. The network contains three Windows Server 2008 computers configured
as
domain controllers, named DC1, DC2, and DC3. Another Windows Server 2008 computer, named DNS1, is configured as the
DNS
server for the network.
Users complain that they are unable to access some resources on DC3. When you troubleshoot the problem, you discover that
the
appropriate service (SRV) records for DC3 have not been registered on DNS1. You need to ensure that the appropriate SRV
records
Item: 161 (Ref:Cert-70-640.4.6.6)
*'Move the user accounts of the Human Resources employees to an OU. Create and link a GPO to that
OU.
*'Move the computer objects for the client computers of the Human Resources employees to a new domain. Create
and link a GPO

Created: 18/04/2013
Version: 1.0
Document1
Page 127 of 133
to that domain.
*'Move the computer objects for the client computers of the Human Resources employees to an OU. Create and link
a GPO to that
OU.
*'Create a global security group for the Human Resource employees and apply a fine-grained password
policy.
Answer:
Create a global security group for the Human Resource employees and apply a fine-grained password
policy.
Item: 162 (Ref:Cert-70-640.1.2.5)
Page 163 of 173
for DC3 are registered.
What should you do? (Choose two. Each correct answer presents a unique solution.)
Explanation:
You should either restart the NetLogon service on DC3 or restart DC3. Either of these choices will cause the domain controller
to
register its SRV records with the DNS server. When the NetLogon service starts, the service attempts to register some or all
SRV
resource records.
You should not restart the NetLogon service on DNS1 or restart DNS1. The problem in this scenario is not caused by the DNS
server. If
the DNS server were the problem, you would have experienced trouble with the records for other computers, not only DC3.
You should not restart the DNS client service on DC3. The DNS client service is not responsible for registering the SRV records
for a
domain controller.
You should not restart the DNS server service on DNS1. The DNS server service is not responsible for registering the SRV
records for
a domain controller.
You are the network administrator of the Nutex corporation. Nutex has a single forest with three domains: nutex.com,
west.nutex.com, and east.nutex.com.
A domain controller in east.nutex.com is taken offline. You run a script to create several accounts in all three domains.
Accounts in
nutex.com and west.nutex.com are created without error. Accounts in east.nutex.com are not created and generate errors.
You
suspect that a Flexible Single Master Operation (FSMO) role is not available.
Which FSMO role is NOT available?
M|.Restart the NetLogon service on
DC3.
M|.Restart the NetLogon service on
DNS1.
M|.Restart
DC3.
M|.Restart
DNS1.
M|.Restart the DNS client service on
DC3.
M|.Restart the DNS server service on
DNS1.
Answer:
Restart the NetLogon service on
DC3.
Restart DC3.
Item: 163 (Ref:Cert-70-640.2.6.2)
*'Schema
Master
*'Domain Naming
Master
*'RID
Master
*'Global Catalog
server
Answer:
RID Master
Page 164 of 173
Explanation:
The RID master role is not available. The RID master, infrastructure master, and PDC emulator are FSMO roles for a domain.
The RID
master role is the single domain controller within a domain that is responsible for processing RID Pool requests from all domain

Created: 18/04/2013
Version: 1.0
Document1
Page 128 of 133
controllers within a given domain. The RID master is responsible for assigning Security Identifiers (SIDs) to objects such as
users and
groups. In this scenario, the domain controller in the east.nutex.com that was taken offline was the RID master. Since the RID
master
is offline, the user account creation in the east.nutex.com domain failed. You can transfer the RID master functionality to
another
domain controller in the east.nutex.com domain with Active Directory Users and Computers if the RID master is offline, or by
using the
ntdsutil utility if the RID master is online. To transfer the RID Master role to another domain controller in the east.nutex.com
domain,
you should connect to other domain controller in the east.nutex.com domain using either Active Directory Users and
Computers or the
ntdsutil command-line tool, and then initiate the transfer.
If the RID master has failed and cannot be brought back online, you can use the ntdsutil utility to seize the role. Seizing a
FSMO role
allows another domain controller to assume the FSMO role of a failed domain controller. Seizing an operations master role is an
extreme measure that is possible only if the original operations master is unavailable. You should not seize the RID master role
unless
you are absolutely sure that the original RID master will never be brought back online.
To transfer the RID master role to DC2, you should connect to DC2 by using either Active Directory Users and Computers or the
Ntdsutil command-line tool, and then initiate the transfer. Seizing is also referred to as forcing the transfer of an operations
master role.
The temporary absence of a PDC emulator can be tolerated in this scenario because no computers in the domain run legacy
operating
systems. The temporary absence of the infrastructure master can also be tolerated because the scenario does not indicate that
any
relevant activity, such as renaming or moving user accounts or modifying group memberships, is expected to be performed
during the
next few hours.
The schema master and domain naming master are forest FSMO roles and not domain FSMO roles. A schema master is the
single
domain controller in the forest that is responsible for updates to the schema. A domain naming master is the single domain
controller in
the forest that is responsible for making changes to the forest-wide domain name space of the directory. You cannot add or
remove a
domain without contacting the domain naming master.
A global catalog server is not a FSMO role. A global catalog is a domain controller that stores a copy of all Active Directory
objects in a
forest. The global catalog stores a full copy of all objects in the directory for its own domain, and a partial copy of all objects for
all other
domains in the forest. Global catalog servers replicate with other global catalog servers in the forest based on the replication
schedule.
You are the network administrator of your company. The servers on the company's network run Windows Server 2008. The
company's
network consists of a single Active Directory domain. A server named DNS1 is configured as a Domain Name System (DNS)
server
and stores the directory-integrated DNS zone for your company.
You promote a member server to a domain controller, but you discover that the Service Record (SRV) for the new domain
controller is
not created in the Active Directory-integrated DNS zone. What should you do to create an SRV record for the new domain
controller,
involving the least administrative effort?
Explanation:
You should restart the Netlogon service. The SRV records of a domain controller in the domain play an important role in Active
Directory. Active Directory cannot work without a DNS server. The DNS server in Active Directory is used to locate domain
controllers
in the forest or domain with the help of SRV records. When you promote a member server to a domain controller, the SRV
records are
registered specifically for domain controllers. The Netlogon service on domain controllers is responsible for registering SRV
records. If
Item: 164 (Ref:Cert-70-640.1.2.6)
*'Restart the DHCP Client
service.
*'Restart the Netlogon
service.
*'Configure the properties for forward lookup zone to allow only secure
updates.
*'Manually add an SRV record for the new domain
controller.
Answer:
Restart the Netlogon service.
Page 165 of 173

Created: 18/04/2013
Version: 1.0
Document1
Page 129 of 133
the SRV records for a domain controller are not registered in the DNS server, you can re-register them by restarting the
Netlogon
service on the domain controller.
You should not restart the Dynamic Host Configuration Protocol (DHCP) Client service because the Netlogon service on domain
controller is responsible for registering SRV records. The DHCP Client service is responsibl e for registering and updating IP
addresses
and DNS records for the computer on which it is running.
You should not configure the properties for forward lookup zone to allow only secure updates. When the Allow dynamic
updates
setting on the parent Active Directory-integrated DNS server is set to Only Secure Updates, registration of SRV records may
not work.
You should not manually add an SRV record for the new domain controller because this will involve more administrative effort
than
restarting the Netlogon service on the domain controller.
You are the network administrator for a large distribution company. You want to determine who is accessing the DNS server in
the
domain. You want to log packets sent from a specific IP address to the DNS server, and from the DNS server to the specific IP
address.
What should you configure on your DNS server's Properties sheet?
Explanation:
You should enable Log Packets for Debugging on the Debug Logging tab, and configure a filter for the Filter packets by IP
address setting. Once you enable the Log packets for debugging setting, you can configure the DNS server to begin
capturing
debug packet information. You can use the Filter packets by IP address setting to log packets sent from specific IP addresses
to a
DNS server, or from a DNS server to specific IP addresses. In this scenario, you want to log packets sent from a specific IP
address to
the DNS server and from the DNS server to that IP address. You can use the Filter button to specify the IP addresses that you
want to
log packets to or from. This information is stored in the DNS debug log, named Dns.log. The Dns.log file can be opened only
when the
DNS Server service is stopped.
You can use debug logging to record queries, transfers, updates, and notifications. You can specify whether to record the
information
about incoming or outgoing DNS packets, DNS requests or responses, or DNS packets sent by using TCP or UDP. You can
specify
whether detailed information about each packet must be recorded, and you can specify whether packets must be filtered
according to
IP addresses.
You should not just enable Log Packets for Debugging on the Debug Logging tab and configure both the Outgoing and
Incoming
setting for Packet Direction. The Outgoing setting logs all packets that are sent by the DNS server. The Incoming setting logs
all
packets that received by the DNS server. To log packets sent from a specific IP address to the DNS server and from the DNS
server to
that IP address, you will also have enable the Filter packets by IP address setting and configure the IP addresses that you
want to
filter.
On the Monitoring tab, you can configure a DNS server to perform two types of functionality testing. A simple query test verifies
whether individual records can be read from zone data on the server. A recursive test verifies whether the server can
communicate with
Internet root DNS servers. Performing these tests, however, would not log packets sent from a specific IP address to the DNS
server
and from the DNS server to the specific IP address.
On the Event Logging tab of a DNS server's Properties sheet, you can specify the types of events, such as errors and
warnings, to be
recorded in the DNS event log. Although event logging can provide useful information about possible problems, the DNS event
log
does not record individual queries, and so would not solve the problem in this scenario.
Item: 165 (Ref:Cert-70-640.1.2.4)
*'On the Debug Logging tab, enable Log Packets for Debugging and configure a filter for the Filter packets by IP
address
setting.
*'On the Debug Logging tab, enable Log Packets for Debugging and configure both the Outgoing and Incoming
setting for
Packet Direction.
*'On the Event Logging tab, set the Log the following events: option to All
Events.
*'On the Monitoring tab, enable both simple queries and recursive
queries.
Answer:

Created: 18/04/2013
Version: 1.0
Document1
Page 130 of 133
On the Debug Logging tab, enable Log Packets for Debugging and configure a filter for the Filter packets by IP
address setting.
Page 166 of 173
You are a network administrator for your company. The corporate network consists of a single Active Directory domain and
three sites
that are presented in the following exhibit.
There are two domain controllers in each of the sites, and one domain controller in each site is designated as a preferred
bridgehead
server. The network is not fully routed, and the default bridging of all site links is disabled. You want changes made to Act ive
Directory
in any of the sites to be propagated to the other sites even if any one domain controller in each site fails.
Item: 166 (Ref:Cert-70-640.2.4.1)
*'Bridge the two site links.
*'Create a site link between Site1 and
Site3.
*'Designate both domain controllers in Site2 as preferred bridgehead
servers.
*'Reconfigure each site so that there are no preferred bridgehead
Page 167 of 173
Explanation:
One domain controller in each site is automatically designated as a bridgehead server for that site. Changes to Active Direct ory
that are
made on a particular domain controller in a particular site are first replicated to other domain controllers within that site. When
the
bridgehead server for that site receives those changes, it then replicates them to bridgehead servers in other sites, and each of
those
bridgehead servers replicates the changes to other domain controllers in its respective site. If the bridgehead server in a site
fails, then
another domain controller in that site is automatically designated as the bridgehead server for that site. An administrator can
control
which domain controllers are designated as bridgehead servers. If an administrator designates one or more domain controllers
in a site
as preferred bridgehead servers for that site, then only one of those domain controllers can become the bridgehead server for
that site.
If that domain controller fails, then another preferred bridgehead server in that site is automatically designated as the
bridgehead server
for that site. If there are no more preferred bridgehead servers in the site, then replication between that site and other si tes will
not
occur.
To provide the required replication fault tolerance in this scenario, you should reconfigure the domain controllers so that there
are no
preferred bridgehead servers in any of the sites. Alternatively, you can configure all domain controllers as preferred bridgehead
servers
in their respective sites. Bridging the existing two site links would have no effect in this scenario because the network is not fully
routed.
Thus, domain controllers in Site1 cannot directly communicate with domain controllers in Site3. Therefore, creating a site link
between
Site1 and Site3 would also have no effect in this scenario. If you designated both domain controllers in Site2 as preferred
bridgehead
servers, then Site2 would be able to replicate with other sites should any one of the domain controllers in Site2 fail. However,
Site1 and
Site3 would be able to replicate with Site2 if the bridgehead servers in Site1 and Site3 failed.
You are the head network administrator of your company. The company has a main office and one branch office. The main
office
contains 1500 users and the branch office contains 15 users. All servers on the network run Windows Server 2008. The network
consists of a single Active Directory domain. You have configured a separate Active Directory site for each office.
The branch office network contains one domain controller and 15 client computers. The two offices are connected through a 56-
Kbps
dial-up link. The Active Directory replication between the sites consumes a substantial portion of the available bandwidth of the
dial-up
link, and users in the branch office report that access to resources in the central office is slow. You must utilize the bandwidth on
the
dial-up link more efficiently for uninterrupted resource access.
What should you do?
Explanation:
You should increase the replication interval on the site link. There are several ways to provide more bandwidth on the slow i nter-
site

Created: 18/04/2013
Version: 1.0
Document1
Page 131 of 133
connection in this scenario. Among the presented choices, the best is to increase the replication interval on the site l ink. The
replication
frequency of a site link determines how often replication occurs over that site link. The default replication frequency for a site link
is 180
minutes. You can set the replication frequency for a site link from 15 minutes to 10,080 minutes by using the Active Directory
Sites and
Services snap-in. The total amount of data associated with the Active Directory changes that must be replicated between sites
does not
depend on replication frequency. Less frequent replication sessions will generate less communication overhead, such as the
traffic that
servers.
Answer:
Reconfigure each site so that there are no preferred bridgehead
servers.
Item: 167 (Ref:Cert-70-640.2.4.8)
*'Replace the IP site link with an SMTP site
link.
*'Increase the replication interval on the site
link.
*'Reduce the cost of the site
link.
*'Move the branch office resources to the main office site, and remove the branch office
site.
Answer:
Increase the replication interval on the site link.
Page 168 of 173
is necessary to establish each session.
When you have multiple sites, decreasing the replication interval between a pair of sites will ensure that the data between sites
is more
up to date. For example, if the replication interval between SiteA and SiteB is 180 minutes, decreasing the replication interval to
90
minutes will ensure that both sites are more up to date. Increasing the replication interval to 360 minutes will generate less
communication and use less bandwidth. Another possible solution is to configure the inter-site replication to occur after business
hours.
Because there are fewer than 100 users in the branch office, you should consider removing the domain controller from that site.
The
logon traffic across the dial-up link might require less bandwidth than replication.
If you demoted the domain controller to a member server, and if that server hosted some network resources, then branch office
users
might be unable to access those resources by using their domain user accounts if the dial-up link to the central office became
unavailable. In the single-domain environment in this scenario, you could conserve some WAN bandwidth by configuring
Universal
group membership caching in a remote site instead of having a domain controller in the branch office as a Global Catalog
server.
Universal group membership caching should be enabled in a site that is connected by a low bandwidth connection or that has
hardware
limitations on the domain controller, such as limited hard disk space, that would prohibit installing the global catalog. Enabli ng
universal
membership caching provides efficient user logon in situations of low or no network bandwidth.
You should not replace the IP site link with an SMTP site link in this scenario. An SMTP site link does not support the replication
of
domain directory partitions; therefore, it cannot be used for replication between domain controllers that belong to the same
domain.
You should not reduce the cost of the site link. Site link costs are numerical values that indicate relative preference among
alternative
site link paths between the same pair of sites. Changing the cost of the only site link in this scenario would not have any effect
on
replication.
You should not move the branch office resources to the main office site, and remove the branch office site. If you merged the
two sites
into a single site, then replication between the domain controllers in the main office and the domain controller in the branch
office would
occur continuously and the replicated data would not be compressed. Additionally, branch office logon requests would be
processed by
any domain controller, not only by the one in the branch office. Therefore, the WAN bandwidth usage would increase.
You are the network administrator for a company that manufactures golf equipment. Your company has a single domain. Every
department has their own Organizational Unit (OU). The functional level of the domain and forest is Windows Server 2008.
Your company purchases another company that makes cricket equipment. This company has a single domain. All domain
controllers in
this domain are Windows Server 2003. The domain functional level and forest functional level of the acquired company are set
to

Created: 18/04/2013
Version: 1.0
Document1
Page 132 of 133
Windows 2003.
The cricket equipment company will remain a separate forest. You want to accomplish the following:
Create several similar GPOs in the golf equipment domain and link them to different OUs.
Take the settings from the GPO linked to the Accounting OU in the golf domain and copy it to the Tax OU in the cricket
equipment company's domain.
Item: 168 (Ref:Cert-70-640.4.4.2)
M|.In the golf equipment company's domain, create a Starter GPO. Create GPOs based on the Starter GPO and link
them to the
appropriate OUs.
M|.In the golf equipment company's domain, create a Starter GPO. Link the GPO to the appropriate
OUs.
M|.In the golf equipment company's domain, use the Group Policy Management Console (GPMC) to back up the
appropriate GPO
from the Accounting OU. At a domain controller at the cricket equipment company's domain, use the GPMC to import the GPO
to
the appropriate container.
M|.Create a two-way trust between the two forests. In the golf equipment company's domain, use the Group Policy
Management
Console (GPMC) to back up the appropriate GPO from the Accounting OU. At a domain controller at the cricket equipment
company's domain, use the GPMC to import the GPO to the appropriate container in the Tax OU.
Answer:
In the golf equipment company's domain, create a Starter GPO. Create GPOs based on the Starter GPO and link
them to the appropriate OUs.
In the golf equipment company's domain, use the Group Policy Management Console (GPMC) to back up the
appropriate GPO from the Accounting OU. At a domain controller at the cricket equipment company's domain, use
the GPMC to import the GPO to the appropriate container.
Page 169 of 173
Explanation:
You should create a Starter GPO in the golf equipment company's domain. You should then create GPOs based on the Starter
GPO
and link GPOs to the appropriate OUs. A Starter GPO allows you to create a baseline from which you can build GPOs. You can
configure settings in the Administrative Template for the Computer Configuration and User Configuration of a GPO. When you
create a
new GPO, you can use the previously created Starter GPO to prepopulate settings for the new GPO. In this scenario, you can
create a
Starter GPO to ensure all GPOs have similar settings. You can differentiate each GPO according to the requirements of each
department.
You should use the Group Policy Management Console (GPMC) to back up the appropriate GPO from the Accounting OU in
the golf
equipment company's domain. Once the GPO is backed up, you should go to a domain controller at the cricket equipment
company's
domain and use the GPMC to import the GPO to the appropriate container. You can export the settings of a GPO by using the
backup
function of the GPMC. You can import the settings into a new domain by using the import function. The import operations
transfer
settings from the backup GPO into a new GPO in the new domain. You do not need to have a cross-domain or cross-forest trust
relationship. You do need to have access to the file system where the backup of the GPO resides. The backup and import
operations
are ideally suited for copy GPOs that you created on a test environment into a production environment.
To back up a GPO by using the GPMC, follow these steps:
Highlight the GPO that you want to back up.
Right-click and choose Back up from the menu.
Specify the location for to back up and click the Back Up button.
To import a GPO by using the GPMC, follow these steps:
Highlight the GPO to receive the imported settings from the backup of the GPO.
Right click the GPO and choose Import Settings.
The Import Wizard will prompt you for the location of the backup from which settings should be imported.
Choose the GPO that holds the settings that you want to import.
You should not attempt to link a GPO from the Starters GPO. You cannot link GPOs from the Starters GPO. You can only use
GPOs in
the Starters GPO as baselines for new GPOs.
You do not require a trust relationship between domains to import GPO settings from a backup. You only need to have read
permissions to the location where the backup resides.
The following graphic shows how to create new GPOs from a Starter GPO:
Page 170 of 173
You are the security administrator of Verigon Corporation. The network of the company consists of a single Active Directory
domain
named verigon.com. The servers on the network run Windows Server 2008. The client computers run Windows Vista. The

Created: 18/04/2013
Version: 1.0
Document1
Page 133 of 133
organizational unit (OU) structure of the company is shown in the exhibit. (Click the Exhibit(s) button.)
You create a Group Policy Object (GPO) named GPO1 to apply standard desktop settings to all desktop and portable client
computers
that are joined to the network. GPO1 is linked to the Client Computers OU. You have an assistant administrator named Paul.
You
want to enable Paul to edit only GPO1 , and not any other group policy object?
What should you do?
Item: 169 (Ref:Cert-70-640.4.3.10)
*'Add Paul's user account to the Delegation tab in the properties sheet for GPO1 and assign him the permission to
Edit
settings.
*'Add Paul's user account to the Managed By tab in the properties sheet for Client Computers
OU.
*'Run the Delegation of Control Wizard and delegate Paul the right to manage Group Policy links for the Client
Computers
OU.
*'Run the Delegation of Control Wizard and delegate Paul the right to manage Group Policy links for the
domain.
Answer:
Add Paul's user account to the Delegation tab in the properties sheet for GPO1 and assign him the permission to
Edit settings.
Page 171 of 173
Explanation:
You should add Paul's user account to the Delegation tab in the properties sheet for GPO1 and assign him the permission to
Edit
settings. Windows Server 2008 allows you to delegate the following three Group Policy tasks independently:
Managing Group Policy links for a site, domain, or organizational unit.
Creating Group Policy objects.
Editing Group Policy objects.
To edit a Group Policy object, the user must be one of the following:
An administrator.
A Creator Owner.
A user with delegated access to the Group Policy object. That is, an administrator or the Creator Owner must have delegated
access to this user by opening the Security tab in the Group Policy object Properties page, adding them to the Delegation tab
in the properties sheet for GPO1, and assigning them permission to Edit settings or Edit settings, delete, modify security.
By default, only Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and the operating system can
create
new Group Policy objects. If the domain administrator wants a non-administrator or non-administrative group to be able to
create
GPOs, that user or group can be added to the Group Policy Creator Owners security group. Being a member of the Group
Policy
Creator Owners group gives the non-administrator full control of only those Group Policy objects that the user creates or those
explicitly delegated to that user. It does not give the user full control of any other Group Policy objects, and does not all ow the
user to
link Group Policy objects to sites, domains, or organizational units.
You should not add Paul's user account to the Managed By tab in the properties sheet for the Client Computers OU. When
you add a
user in the Managed By tab in the properties sheet of an OU as a manager, the user does not get any permissions for the OU.
This
setting is only informational. The other fields on the tab display the manager's properties and not the OU's properties.
You should not run the Delegation of Control Wizard and delegate Paul the right to manage Group Policy links for the Client
Computers OU or for the domain. The Delegation of Control Wizard can used to delegate a user with the rights to manage
Group
Policy links for a site, domain, or OU. Delegating Paul the right to manage Group Policy links for the Client Computers OU will
only
enable Paul to manage links for Group Policies that are applied to the Client Computers OU or the domain. This will not enable
Paul to
edit GPO1.
Page 172 of 173
Page 173 of 173

Trans

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Trans

Uploaded by

Copyright:

Available Formats

TAFE NSW Western Sydney Institute

You might also like