70-640V2 38

Testinside
Exam : Microsoft 70-640
Title : TS: Windows Server 2008

Active Directory,
Configuring
Version : V2.38
Testinside - help you pass any IT exam!

Testinside
Important Note, Please Read Carefully

Other TestInside products
All TestInside IT Exam Products
Our products of Offline Testing Engine

Use the offline Testing engine product to practice the questions in an exam environment.
Build a foundation of knowledge which will be useful also after passing the exam.
TestInside Testing Engine
Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free
updates are available for 90 days after the purchase. You should check your member zone at TestInside
and update 3-4 days before the scheduled exam date.
Here is the procedure to get the latest version:
1.Go to http://www.TestInside.com
2. Log in the User Center
3.The latest versions of all purchased products are downloadable from here. Just click the links.
Feedback
If you spot a possible improvement then please let us know. We always interested in improving product
quality.
Feedback should be send to sales(at)TestInside.com. You should include the following: Exam number,
version, page number, question number, and your login Account.
Our experts will answer your mail promptly.
Explanations
This product does not include explanations at the moment. If you are interested in providing explanations
for this exam, please contact sales(at)TestInside.com.
TestInside Help You Pass Any IT Exam http://www.TestInside.com

Testinside
1. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain
in the company network. Windows Server 2008 is run by all domain controllers that are configured as DNS
servers. A domain controller named DC01 has a standard primary zone for wiikigo.com. A domain controller
named DC02 has a standard secondary zone for wiikigo.com.
You have to make sure that the replication of the wiikigo.com zone is encrypted. You must not lose any
zone data. So what action should you perform?
A. The zone transfer settings of the standard primary zone should be configured. The Master Servers lists
on the secondary zone should be modified.
B. The interface that the DNS server listens on should be modified on both servers.
C. The primary zone should be converted into an Active Directory-integrated zone. The secondary zone
should be deleted.
D. The primary zone should be converted into an Active Directory-integrated stub zone. The secondary
zone should be deleted.
Answer: C
Directory infrastructure and maintaining Active Directory objects. There is an organizational unit named
Production in your company. The Production organizational unit has a child organizational unit named R D.
After a GPO named Software Deployment is created by you, you link it to the Production organizational unit.
You create a shadow group for the R D organizational unit. You have to deploy an application to users in the
Production organizational unit. You also need to make sure that the application is not deployed to users in
the R D organizational unit. What are two possible ways to achieve this goal?
A. In order to achieve this goal, security filtering on the Software Deployment GPO should be configured to
Deny Apply group policy for the R D security group.
B. In order to achieve this goal, the Enforce setting should be configured on the software deployment GPO.
C. In order to achieve this goal, the Block Inheritance setting should be configured on the R D
organizational unit.

Testinside
D. In order to achieve this goal, the Block Inheritance setting should be configured on the Production
Answer: AC
Directory infrastructure and maintaining Active Directory objects. You have a domain controller named
DC01. Windows Server 2008 is run by this domain controller. DC01 is configured as a DNS server for
wiikigo.com. You have the DNS Server server role installed on a member server which is named Server01
and then you create a standard secondary zone for wiikigo.com. DC01 is configured as the master server
for the zone. You have to make sure that Server01 receives zone updates from DC01. What action should
you perform?
A. The zone transfer settings for the wiikigo.com zone should be modified on DC01.
B. The Server01 computer account should be added to the DNSUpdateProxy group.
C. A conditional forwarder should be added on S01.
D. The permissions of wiikigo.com zone should be modified on DC01.
Answer: A
Directory infrastructure and maintaining Active Directory objects. There are two domain controllers named
DC01 and DC02 in your company. All domain and forest operations master roles are hosted by DC01.
A problem occurred that DC01 fails.
Since you are the technical support, you are required to reinstall the operating system to rebuild DC01. In
addition, you are required to have all operations master roles rollbacked to their original state. A metadate
cleanup is performed and all references of DC01 are removed.
Which action should be performed to achieve the goal? (Choose three from the options below, and then put
them in a correct order)
1 Operations master roles should be transferred from DC01 to DC02.
2 Operations master roles should be transferred from DC02 to DC01.

Testinside
3 Operations master roles should be seized from DC01 to DC02.
4 Operations master roles should be seized from DC02 to DC01
5 DC01 should be rebuilt as a replica domain controller.
6 DC02 should be rebuilt as a domain controller.
A. 3->5->2
B. 3->6->1
C. 4->5->2
D. 4->6->1
Answer: A
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in the
company. Not all domain controllers in the forest are configured as Global Catalog Servers. One root
domain and one child domain is contained in your domain structure. You modify the folder permissions on a
file server that is in the child domain. You find that some Access Control entries start with S-1-5-21 and that
no account name is listed. You have to list the account names. So what action should you perform?
A. The schema should be modified to enable replication of the friendlynames attribute to the Global
Catalog.
B. The RID master role in the child domain should be moved to a domain controller that holds the Global
Catalog.
C. The infrastructure master role in the child domain should be moved to a domain controller that does not
hold the Global Catalog.
D. The RID master role in the child domain should be moved to a domain controller that does not hold the
Global Catalog.
Answer: C

Testinside
company. The forest includes organizational units corresponding to the following four locations: Paris,
Huston, Denver, and Valencia.
Each location has a child organizational unit named Sales. All the users and computers from the sales
department are contained in the Sales organizational unit. The offices in Paris, Huston, and Denver are
connected by T1 connections. The office in Valencia is connected by a 256-Kbps ISDN connection.
According to the company requirement, you have to install an application on all the computers in the sales
department. So what should you do? (Choose more than one)
A. You should create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the
computers. The GPO should be linked to each Sales organizational unit.
B. The slow link detection setting should be disabled in the Group Policy Object (GPO).
C. The slow link detection threshold setting should be configured to 1,544 Kbps (T1) in the Group Policy
Object (GPO).
D. You should create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users.
The GPO should be linked to each Sales organizational unit.
Answer: AB
Directory infrastructure and maintaining Active Directory objects. The company has an Active Directory
domain which is named ad.wiikigo.com. Luxware, Inc. has an Active Directory domain which is named
intranet.luxware.com. The transfer of internal DNS zone data outside the Luxware network is prevented by
Luxware security policy. According to the company requirement, you have to make sure that the Wiikkigo
users can resolve names from the intranet.luxware.com domain. So what action should you perform?
A. In order to make sure of this, conditional forwarding for the intranet.luxware.com domain should be
configured.
B. In order to make sure of this, a new stub zone should be created for the intranet.luxware.com domain.
C. In order to make sure of this, an Active Directoryintegrated zone should be created for the
intranet.luxware.com domain.
D. In order to make sure of this, a standard secondary zone should be created for the intranet.luxware.com
domain.

Testinside
Answer: A
Directory infrastructure and maintaining Active Directory objects. In your company, there is an Active
Directory domain named wiikigo.com. And there are two DNS servers named DNS01 and DNS02 on the
company network.
You can see the configuration of the DNS servers from the table below.
It is reported by the Domain users who are configured to utilize DNS02 as the preferred DNS server that
they cannot get access to Internet Web sites.
Since you are the technical report, you are required to have Internet name resolution enabled for all client
computers.
Which action should be performed to achieve the goal?
A. To achieve the goal, the Cache.dns file should be updated on DNS02. And then, conditional forwarding
should be configured on DNS01.
B. To achieve the goal, the .(root) zone should be deleted from DNS02. And then, conditional forwarding
should be set on DNS02.
C. To achieve the goal, a copy of the .(root) zone should be created on DNS01.
D. To achieve the goal, the list of root hints servers should be updated on DNS02.
Answer: B
company. Only Windows Server 2003 domain controllers are contained in this forest. Now you receive an
order from the company, you have to prepare the Active Directory domain to install Windows Server 2008

Testinside
domain controllers. What action should you perform? (Choose more than one)
A. The domain functional level should be raised to Windows Server 2008.
B. The adprep /forestprep command should be run.
C. The adprep /domainprep command should be run.
D. The forest functional level should be raised to Windows Server 2008.
Answer: BC
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain
named ad.wiikigo.com in your company. Two domain controllers named DC01 and DC02 are contained by
the domain. The DNS Server server role is installed by the two domain controllers. A new DNS server
named DNS01.wiikigo.com is installed on the perimeter network. DC01 is configured to forward all
unresolved name requests to DNS01.wiikigo.com. A problem occurred that the DNS forwarding option
cannot be used on DC02. Since you are the technical support, you are required to configure DNS
forwarding on the DC02 server to point to the DNS01.wiikigo.com server. Which action should be
performed to achieve the goal? (Choose more than one.)
A. To achieve the goal, conditional forwarding on DC02 should be configured.
B. To achieve the goal, the Listen On address on DC02 should be configured.
C. To achieve the goal, the DNS cache on DC02 should be cleared.
D. To achieve the goal, the Root zone on DC02 should be deleted.
Answer: AD
Directory infrastructure and maintaining Active Directory objects. There is a domain controller in your
company. Windows Server 2008 is run by the domain controller. In addition, the domain controller is
configured as a DNS server. According to the company requirements, you are required to have all inbound
DNS queries to the server recorded. Which action should be performed in the DNS Manager console?
A. In the DNS Manager console, event logging should be configured to log errors and warnings.

Testinside
B. In the DNS Manager console, debug logging should be enabled.
C. In the DNS Manager console, automatic testing for simple queries should be enabled.
D. In the DNS Manager console, automatic testing for recursive queries should be enabled.
Answer: B
Directory infrastructure and maintaining Active Directory objects. There is a server that runs Windows
Server 2008 in your company. The company configures Active Directory Certificate Services (AD CS) as a
stand-alone Certification Authority (CA) on the server. According to the company requirements, you are
required to audit modifications to the CA configuration settings and the CA security settings. To achieve the
goal, which tasks should be performed to achieve the goal? (Choose more than one.)
A. To achieve the goal, auditing of successful and failed attempts should be enabled to write to files in the
%SYSTEM32%\CertLog directory.
B. To achieve the goal, the Audit object access setting should be enabled in the Local Security Policy for the
Active Directory Certificate Services (AD CS) server.
C. To achieve the goal, auditing in the Certification Authority snap-in should be configured.
D. To achieve the goal, auditing of successful and failed attempts should be enabled to modify permissions
on files in the %SYSTEM32%\CertSrv directory.
Answer: BC
Directory infrastructure and maintaining Active Directory objects. Your network consists of an Active
Directory forest named contoso.com. All servers run Windows Server 2008. All domain controllers are
configured as DNS servers. The wiikigo.com DNS zone is stored in the ForestDnsZones Active Directory
application partition. You have a member server that contains a standard primary DNS zone for
dev.wiikigo.com. You have to make sure that all domain controllers can resolve names for dev.wiikigo.com.
What action should you perform?
A. The properties of the SOA record in the wiikigo.com zone should be modified.

Testinside
B. A NS record in the wiikigo.com zone should be created.
C. A delegation in the wiikigo.com zone should be created.
D. A standard secondary zone on a Global Catalog server should be created.
Answer: C
Directory infrastructure and maintaining Active Directory objects. The Active Directory Domain Services (AD
DS) role and the Active Directory Lightweight Directory Services (AD LDS) role are installed on a server
named DC01.An AD LDS instsance named LDS01 has its data stored on the C: drive.Since you are the
technical support, you are required to have the LDS01 instance relocated to the D: drive.
To achieve the goal, which actions should be performed to achieve the goal? (choose three options and put
them in a correct order)
1 The net stop ???Active Directory Domain Services??? command should be run.
2 The net stop LSD01 command should be run.
3 The Ntdsutil tool should be utilized to migrate the database files.
4 The xcopy command should be run to migrate the database files.
5 The net start LDS01 command should be run.
6 The net start ???Active Directory Domain Services??? command should be run.
7 The Windows Backup tool should be utilized to back up and recover the LDS01 instance to the D: drive.
A. 2->3->6
B. 3->2->5
C. 7->3->4
D. 1->3->5
Answer: A
Directory infrastructure and maintaining Active Directory objects. There are two servers named S01 and
S02. Windows Server 2008 is run by the two servers. The company configures S01 as an Enterprise Root

Testinside
certification authority (CA). The Online Responder role service is installed on S02. Since you are the
technical support, you are required to configure S02 so as to have certificate revocation lists (CRLs) issued
for the enterprise root CA. to achieve the goal, which action should be performed? (Choose more than one.)
A. To achieve the goal, the Startup Type of the Certificate Propagation service should be set to Automatic.
B. To achieve the goal, the enterprise root CA certificate should be imported.
C. To achieve the goal, the OCSP Response Signing certificate should be imported.
D. To achieve the goal, the S01 computer account should be added to the CertPublishers group.
Answer: BC
Directory infrastructure and maintaining Active Directory objects. One of the domain controllers in a child
domain is being decommissioned. Since you are the technical support, you are required to move all domain
operations master roles within the child domain to a newly installed domain controller, and the newly
installed domain is in the same child domain. From the following five domain operations master roles, which
three should be moved to finish the task? (Choose more than one.)
A. To finish the task, Domain naming master should be moved to a newly installed domain controller.
B. To finish the task, RID master should be moved to a newly installed domain controller.
C. To finish the task, PDC emulator should be moved to a newly installed domain controller.
D. To finish the task, Schema master should be moved to a newly installed domain controller.
E. To finish the task, Infrastructure master should be moved to a newly installed domain controller.
Answer: BCE
Directory infrastructure and maintaining Active Directory objects. Now you receive an order from the
company management, you are asked to make sure that users who enter three successive invalid
passwords within 5 minutes are locked out for 5 minutes. So what should you do? (Choose more than one)
A. The Enforce password history setting should be set to 3 passwords remembered.
B. The Account lockout duration setting should be set to 5 minutes.

Testinside
C. The Minimum password age setting should be set to one day.
D. The Maximum password age setting should be set to one day.
E. The Reset account lockout counter after setting should be set to 5 minutes.
F. The Account lockout threshold setting should be set to 3 invalid logon attempts.
Answer: BEF
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
company. And only Windows Server 2003 domain controllers are contained by an Active Directory forest.
Since you are the technical support, you are required to prepare the Active Directory domain so as to have
Windows Server 2008 domain controllers installed. Which actions should be performed to achieve the goal?
(Choose more than one.)
A. To achieve the goal, the forest functional level should be raised to Windows Server 2008.
B. To achieve the goal, the domain functional level should be raised to Windows Server 2008.
C. To achieve the goal, the adprep /forestprep command should be run.
D. To achieve the goal, the adprep /domainprep command should be run.
Answer: CD
Directory infrastructure and maintaining Active Directory objects. There is a head office and a branch office
in your company. A single-domain Active Directory forest is contained by your company. Two domain
controllers named DC01 and DC02 that run Windows Server 2008 are contained by the head office. And a
Windows Server 2008 read-only domain controller (RODC) named DC03 is contained by the branch office.
The DNS Server server role is held by all domain controllers which are configured as Active
Directory-integrated zones. Only secure updates are permitted by the DNS zones. You should enable
dynamic DNS updates on DC03. Which action should be performed to achieve the goal?
A. To achieve the goal, a custom application directory partition should be created on DC01. and then, the
partition should be configured to store Active Directory-integrated zones.

Testinside
B. To achieve the goal, the Ntdsutil.exe /DS Behavior commands should be run on DC03.
C. To achieve the goal, the Dnscmd.exe /ZoneResetType command should be run on DC03.
D. To achieve the goal, Active Directory Domain Services on DC03 should be reinstalled as a writable
domain controller.
Answer: D
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in
your company. A new domain controller is installed in the domain. It is reported by a few users that the
domain cannot be logged on. According to the company requirements, the SRV records should be
reregistered. On the new domain controller, which command should be run?
A. On the new domain controller, the sc stop netlogon command should be run followed by the sc start
netlogon command.
B. On the new domain controller, the netsh interface reset command should be run.
C. On the new domain controller, the ipconfig /flushdns command should be run.
D. On the new domain controller, the dnscmd /EnlistDirectoryPartition command should be run.
Answer: A
Directory infrastructure and maintaining Active Directory objects. Now according to the company
requirement, you are decommissioning domain controllers that hold all forest-wide operations master roles.
According to the company requirement, all forest-wide operations master roles need to be transferred to
another domain controller. Which two roles should you transfer?
A. Infrastructure master should be transferred.
B. Domain naming master should be transferred.
C. RID master should be transferred.
D. PDC emulator should be transferred.
E. Schema master should be transferred.

Testinside
Answer: BE
Directory infrastructure and maintaining Active Directory objects. In the company, the default domain GPO
is configured according to following account policy settings listed in the form.
Microsoft SQL Server is installed on a computer named S01, and Windows Server 2008 is run by S01. A
service account named SQLSer is utilized by the SQL Server application.
Domain user rights are given to the SQLSer account. The SQL Server computer functions properly at the
beginning. However, it fails to run after several months. You find that the SQLSer user account is not locked
out.
Since you are the technical support, you are required to solve the problem of the server failure and stop the
reappearance of the failure.
What should be done to achieve the goal? (Choose more than one.)
A. To achieve the goal, the properties of the SQLSer account should be configured to User cannot change
password.
B. To achieve the goal, the local security policy on S01 should be configured to explicitly grant the SQLSer
user account the Allow logon locally user right.
C. To achieve the goal, the password of the SQLSer user account should be reset.
D. To achieve the goal, the local security policy on S01 should be configured to grant the Logon as a
service right on the SQLSeruser account.
E. To achieve the goal, the properties of the SQLSer account should be configured to Password never
expires.
Answer: CE

Testinside
Directory infrastructure and maintaining Active Directory objects. There is a domain controller named DC01
that runs Windows Server 2008 in your company. And the company configures DC01 as a DNS server for
wiikigo.com. The DNS Server server role is installed on a member server named S01 and then a standard
secondary zone is created for wiikigo.com. DC01 is configured as the master server for the zone. You
should make sure that zone updates can be received by S01 from DC01. Which action should be
performed to achieve the goal?
A. On DC01, the zone transfer settings for the wiikigo.com zone should be changed.
B. The S01 computer account should be added to the DNSUpdateProxy group.
C. On S01, a conditional forwarder should be added.
D. On DC01, the permissions of wiikigo.com zone should be changed.
Answer: A
Directory infrastructure and maintaining Active Directory objects. There is a server in your company. And an
instance of Active Directory Lightweight Directory Services (AD LDS) is run by the server. According to the
company requirements, you should have new organizational units created in the AD LDS application
directory partition. Which action should be performed to achieve the goal?
A. You should create the organizational units by utilizing the dsmod OU <OrganizationalUnitDN> command.
B. You should create the organizational units on the AD LDS application directory partition by utilizing the
Active Directory Users and Computers snap-in.
C. You should create the organizational units on the AD LDS application directory partition by utilizing the
ADSI Edit snap-in.
D. You should create the organizational units by utilizing the dsadd OU <OrganizationalUnitDN> command.
Answer: C
Directory infrastructure and maintaining Active Directory objects. A single Active Directory domain is

Testinside
contained by your network. There is a domain controller and a member server, and Windows Server 2008 is
run by the server. The company configures both servers as DNS servers. Either Windows XP Service Pack
2 or Windows Vista Client is run by computers. There is a standard primary zone on the domain controller. A
secondary copy of the zone is hosted by the member server. According to the company requirements, you
should make sure that host (A) records in the DNS zone can only be permitted only by authenticated users.
Which action should be performed first?
A. All computer accounts should be added to the DNSUpdateProxy group.
B. The standard primary zone should be converted to an Active Directory-integrated zone.
C. On the member server, a conditional forwarder should be added.
D. On the member server, Active Directory Domain Services should be installed.
Answer: B
26. Which of the following are required to create a domain controller successfully? (Choose all that apply.)
A. A valid DNS domain name
B. A valid NetBIOS name
C. A DHCP server to assign an IP address to the domain controller
D. A DNS server
Answer: AB
27. You are hired as the network administrator in your company. All the servers in your company run
windows 2008. The network of your company consists of a single Active Directory domain. There are two
Active Directory-integrated zones named CO1.com and CO2.com in the domain. All domain controllers are
configures as DNS servers. The company has instructed you to make sure that a user is able to modify
records in Hi-tech es.com while preventing the user to modify the SOA record in CO2.com zone. What
should you do to achieve this task?
A. Modify the permissions of CO1.com zone by accessing the DNS Manager Console
B. Configure the user permissions on CO1.com to include all the users and configure the user permissions
on CO2.com to allow only the administrators group to modify the records
C. Modify the permission of CO2.com zone by accessing the DNS Manager Console
D. Modify the Domain Controllers organizational unit by accessing the Active Directory Users and

Testinside
Computers console.
Answer: A
28. You are the administrator for a nationwide company with over 5,000 employees. Your main office has
approximately 4,500 employees, there are ten remote offices in the company. Each remote office has 50
users. Usually, you are not clear about the physical security at these offices. However, since there is a fairly
sizable amount of users at each office, you must provide them with directory services.
What is the BEST option to use for directory services when security is often an unknown?
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Director Rights Management Services
Answer: B
29. Trey Research has recently acquired Litware, Inc. Because of regulatory issues related to data
replication, it is decided to configure a child domain in the forest for Litware users and computers. The Trey
Research forest currently contains only Windows Server 2008 domain controllers. The new domain will be
created by promoting a Windows Server 2008 domain controller, but you might need to use existing
Windows Server 2003 systems as domain controllers in the Litware domain. Which functional levels will be
appropriate to configure?
A. Windows Server 2008 forest functional level and Windows Server 2008 domain functional level for the
Litware domain
B. Windows Server 2008 forest functional level and Windows Server 2003 domain functional level for the
Litware domain
C. Windows Server 2003 forest functional level and Windows Server 2008 domain functional level for the
Litware domain
D. Windows Server 2003 forest functional level and Windows Server 2003 domain functional level for the
Litware domain
Answer: D

Testinside
30. You are hired as the network administrator in your company. In your company there are two servers
named server01 and server02 that runs Windows Server 2008. servers named Hi-tech A and Hi-tech B.
DNS servers are configured as shown in the table: Domain users are unable to connect to the Internet
website using Hi-tech B because it is configured as a preferred DNS server. You have to enable Internet
name resolution for all client computers.
What should you do to achieve this task?
A. Delete the .(root) zone from Hi-tech B. Configure conditional forwarding on Hi-tech B.
B. Update the Cache.dns file on Hi-tech B. Configure conditional forwarding on Hi-tech A.
C. Create a copy of the .(root) zone on Hi-tech A.
D. Update the list of root hints servers on Hi-tech B.
Answer: A
31. You are logged on as Administrator to SERVER02, one of four domain controllers in the hi-tech.com
domain that run Server Core. You want to demote the domain controller. Which of the following is required?
A. The local Administrator password
B. The credentials for a user in the Domain Admins group
C. The credentials for a user in the Domain Controllers group
D. The address of a DNS server
Answer: A
32. Hi-tech .com has an Active Directory domain called es. Hi-tech .com. Hi-tech .com has a subsidiary
company named Woksworks Inc. Woksworks Inc. has an Active Directory domain called
intranet.woksworks.com. Since woksworks Inc. security policy doesn't allow the transfer of internal DNS
zone data outside the woksworks network, you have to make sure that Hi-tech .com users are able to
resolve names from intranet.woksworks.com domain. What should you do to achieve this task?
A. Set the conditional forwarding for the intranet.woksworks.com domain

Testinside
B. Put intranet.woksworks.com in the Active Directory of Hi-tech .com
C. Create a subzone for the intranet.woksworks.com domain
D. Reconfigure the intranet.woksworks.com domain as a standard secondary zone
Answer: A
33. You are the administrator for a nationwide company with over 5,000 employees. Your director tells you
your company has just signed into a partnership with another organization, and that you will be responsible
for ensuring that authentication can occur between both organizations without the need for additional
sign-on accounts. Your boss mentions that the partner has a variety of Directory Services installed
throughout their organizations.
Which of the following can Active Directory Federation Services NOT connect to?
B. Windows Server 2003 Directory Services
C. Windows Server 2003 R2 Directory Services
D. All of the above
Answer: B
34. SERVER02 is running Server Core. It is already configured with the AD DS role. You want to add Active
Directory Certificate Services (AD CS) to the server. What must you do?
A. Install the Active Directory Certificate Services role.
B. Install the Active Directory Federated Services role.
C. Install the AD RMS role.
D. Reinstall the server as Windows Server 2008 (Full Installation).
Answer: D
Directory infrastructure and maintaining Active Directory objects. There are two Active Directory forests in
your company, and they are respectively named wiikigo.com and cosoto.com. Only domain controllers are
run by both forests, and Windows Server 2008 is run by the domain controller. The domain functional level

Testinside
of wiikigo.com is Windows Server 2008. You can see that the domain functional level of cosoto.com is
Windows Server 2003 Native mode. An external trust is configured between wiikigo.com and cosoto.com.
Since you are the technical support, you are required to enable the Kerberos AES encryption option. To
achieve the goal, which action should be performed to achieve the goal?
A. To achieve the goal, the forest functional level of cosoto.com should be raised to Windows Server 2008.
B. To achieve the goal, the domain functional level of cosoto.com should be raised to Windows Server
2008.
C. To achieve the goal, a new forest trust should be created and forest-wide authentication should be
enabled.
D. To achieve the goal, the forest functional level of wiikigo.com should be raised to Windows Server 2008.
Answer: B
36. Hi-tech .com has two Active Directory forests named Hi-tech.com and vervoks.com. The company
network has three DNS servers named Hi-tech A, Hi-tech B, and Hi-tech C. The DNS servers are
configured as shown in the table: All computers that belong to the vervoks.com domain have Hi-tech C
configured as the preferred DNS server. All other computers use Hi-tech A as the preferred DNS server.
Users from the acme.com domain are unable to connect to the servers that belong to the Hi-tech .com
domain. You need to ensure users in the acme.com domain are able to resolve all Hi-tech .com queries.
A. Create a copy of the _msdcs.Hi-tech.com zone on the Hi-tech C server.
B. Configure conditional forwarding on Hi-tech A and Hi-tech B to forward vervoks.com queries to Hi-tech C.
C. Configure conditional forwarding on Hi-tech C to forward Hi-tech .com queries to Hi-tech A.
D. Create a copy of the vervoks.com zone on the Hi-tech A server and the Hi-tech B server.
Answer: C
37. You are a support professional for Hi-tech, Ltd. The domain's administrators have distributed a custom

Testinside
console with the Active Directory Users and Computers snap-in. When you open the console and attempt to
reset a user's password, you receive Access Denied errors. You are certain that you have been delegated
permission to reset passwords for users. What is the best solution?
A. Close the custom console and open Server Manager. Use the Active Directory Users and Computers
snap-in in Server Manager.
B. Close the custom console and open a command prompt. Type dsa.msc.
C. Close the custom console, and then right-click the console and choose Run As Administrator. Type the
credentials for your secondary administrative account.
D. Close the custom console, and then right-click the console and open a command prompt. Use the
DSMOD USER command with the -p switch to change the user's password.
Answer: C
38. You are hired as the network administrator in your company. In your company there's a server named
Server01 that runs Windows Server 2008. You company has an Active Directory forest with single domain.
Server01 works as the Domain Controller with Active Directory Federation Services (AD FS) role installed.
Server01 is configured as a DNS server. You have to record all inbound DNS queries to server01.
What should you do?
A. In the DNS Manager Console Enable automatic testing for simple queries.
B. In the DNS Manager Console Enable debug logging.
C. In the DNS Manager Console Configure event logging to log errors and warnings.
D. In the DNS Manager Console Enable automatic testing for recursive queries.
Answer: B
39. You are the administrator for a nationwide company with over 5,000 employees. Your main office has
approximately 4,500 employees, while your company's ten remote offices have 50 users each residing in
them. You are often unaware of the physical security in place at these offices. However, since there is a
fairly sizable amount of users at each office, you need to provide them with directory services. What is the
BEST option to use for directory services when security is often an unknown?
B. Read-only domain controllers

Testinside
C. Active Directory Federation Services
D. Active Director Rights Management Services
Answer: B
40. You have opened a command prompt, using Run As Administrator, with credentials in the Domain
Admins group. You use the Dsrm command to remove an OU that had been created accidentally by James,
a member of the Administrators group of the domain. You receive the response: Dsrm Failed: Access Is
Denied. What is the cause of the error?
A. You must launch the command prompt as a member of Administrators to perform Active Directory tasks.
B. Only Administrators can delete OUs.
C. Only the owner of the OU can delete an OU.
D. The OU is protected from deletion.
Answer: D
41. You are hired as the network administrator in your company. All servers in your company run Windows
Server 2008. The company has a single Active Directory domain. Server01 and Server02 work as the
domain controllers with DNS server role installed. You plan to install a new DNS server named Server03 on
the perimeter network. Server01 is configured to forward all unresolved name requests to Server03. You
discover that the DNS forwarding option is unavailable on Server02. You need to configure DNS forwarding
on the Server02 to point to the Server03.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Clear the DNS cache on Server02.
B. Delete the Root zone on Server02.
C. Configure the Listen On address on Server02.
D. Configure conditional forwarding on Server02.
Answer: BD
42. You want to enable your help desk to reset user passwords and unlock user accounts.
Which of the following tools can be used? (Choose all that apply.)
A. The Delegation of Control Wizard

Testinside
B. DSACLS
C. DSUTIL
D. The Advanced Security Settings dialog box
Answer: ABD
43. You are hired as the network administrator in your company. Your company has an Active Directory
forest. All domain controllers run Windows Server 2008 and are configured as DNS servers. You have an
Active Directory-integrated zone for Hi-tech .com. You have a Unix-based DNS server. You need to
configure your Windows Server 2008 environment to allow zone transfers of the Hi-tech .com zone to the
Unix-based DNS server. What should you do in the DNS Manager console?
A. Create a secondary zone.
B. Enable BIND secondaries.
C. Disable recursion.
D. Create a stub zone.
Answer: B
44. The Web development team has requested that you implement a new Web server in a DMZ that will be
used for presenting Web sites to customers. Which of the following is NOT a reason for using Windows
Server 2008 Core Server?
A. A Core installation does not require a Windows Server 2008 license.
B. A Core installation does not provide GUIs, which limits console access.
C. Core Server installs fewer services than a full installation of Windows Server 2008.
D. Core Server uses fewer resources than a full installation of Windows Server 2008.
Answer: A
45. You are an administrator at a large university, and you have just been sent an Excel file containing
information about 2,000 students who will enter the school in two weeks.
You want to create user accounts for the new students with as little effort as possible.
Which of the following tasks should you perform?
A. Create a user account template and copy it for each student.

Testinside
B. Run LDIFDE -i.
C. Use CSVDE -i.
D. Run the DSADD USER command.
Answer: C
your company. Windows Server 2008 is run by all servers. An Enterprise Root certification authority (CA)
and an Enterprise Intermediate CA is used by your company. The Enterprise Intermediate CA certificate
expires. According to the company requirement, a new Enterprise Intermediate CA certificate needs to be
deployed to all computers in the domain. So What action should you perform?
A. The new certificate should be imported into the Intermediate Certification Store in the Default Domain
group policy object.
B. The new certificate should be imported into the Intermediate Certification Store on the Enterprise Root
CA server.
C. The new certificate should be imported into the Intermediate Certification Store on the Enterprise
Intermediate CA server.
D. The new certificate should be imported into the Intermediate Certification Store in the Default Domain
Controllers group policy object.
Answer: A
47. You are hired as the network administrator in your company. Your company network consists of a single
Active Directory domain. Ten domain controllers are present in the domain. All domain controllers run
Windows Server 2008 and are configured as DNS servers. You are instructed to create a new Active
Directory-integrated zone. You have to make sure that the new zone is only replicated to four of your
domain controllers. What should you do first?
A. execute dnscmd/enlistdirectorypartition from the command prompt
B. Configure a delegation in the DomainDnsZones application directory partition
C. Configure a new delegation in the ForestDnsZones application directory partition

Testinside
D. Run dnscmd/createdirectorypartition from the command prompt
Answer: D
48. You are an administrator at a large university. Which command can be used to delete user accounts for
students who graduated?
A. LDIFDE
B. Dsmod
C. DEL
D. CSVDE
Answer: A
49. You have a Windows Server 2003 R2 domain currently running in your organization. You would like to
install a read-only domain controller into your Directory Services structure, but you do not want to
completely upgrade your domain to Windows Server 2008 Directory Services just yet. What do you need to
do in order to add an RODC?
A. Change the domain functional level to Windows Server 2008 mixed mode.
B. Change the forest functional level to Windows Server 2008 mixed mode.
C. Run adprep on a Windows Server 2003 R2 domain controller.
D. An RODC cannot be added until the entire domain is a Windows Server 2008 Directory Services
domain.
Answer: C
50. Hi-tech .com has a single Active Directory domain called int. Hi-tech .com. You have installed domain
controllers with a DNS server role. The domain controllers run Windows Server 2008. Every computer in
the domain and non-domain members, register their DNS records dynamically. You want only the domain
members to register their DNS records dynamically. What should you do to configure int. Hi-tech .com?
A. Configure zone transfers to Name Servers
B. Set the Primary DNS server to register authenticated members only
C. Disable Everyone group in the Dynamic Objects permission
D. Set the option Secure only for Dynamic updates

Testinside
Answer: D
51. You want to create a user object with Windows PowerShell. Which of the following must you do?
A. Use the Create-User cmdlet.
B. Use the NewUser method of ADSI.
C. Invoke the Create method of an OU.
D. Use the set objUser=CreateObject statement.
Answer: C
52. You are hired as the network administrator in your company. Your company has a network consisting of
an Active Directory forest named ebd.com. All servers have Windows Server 2008. All domain controllers
are configured as DNS servers. The ebd.com DNS zone is stored in ForestDnsZones Active directory
partition. A member server contains a standard primary DNS zone for eb.ebd.com. You need to make sure
that all domain controllers can resolve names for eb.ebd.com. What should you do to achieve this task?
A. Create a delegation in the ebd.com zone
B. Change the properties of SOA record in the eb.ebd.com zone
C. Add NS record in the ebd.com zone
D. Create a secondary zone on a Global catalog server
Answer: A
53. You want to create a user object with a single command. Which of the following should you do?
A. Use the Create-Item cmdlet.
B. Use the SetInfo method.
C. Use the Create method of an OU.
D. Use the Dsadd command.
Answer: D
Server01 that runs Windows Server 2008. Server01 works as a Domain Controller is configured as DNS
server in a single Active Directory domain. The domain contains one Active Directory-integrated DNS zone.

Testinside
You have to make sure that outdated DNS records are removed from the DNS zone automatically. What
A. Modify the TTL of the SOA record by accessing the zone properties
B. Disable updates from the zone properties
C. Execute netsh/Reset DNS command from the Command prompt
D. Enable Scavenging by accessing the zone properties
Answer: D
55. Which of the following Directory Services administration tools can be used in a Windows Server 2008
Lightweight Directory Services installation?
A. Active Directory Users and Computers
B. Active Directory Sites and Services
C. Active Directory Domains and Trusts
D. Active Directory Licensing Manager
Answer: B
56. Which of the following lines of Windows PowerShell code are necessary to create a user object in the
People OU? (Choose all that apply. Each correct answer is a part of the solution.)
A. $objUser=$objOU.Create("user","CN=Jeff Ford")
B. $objUser.SetInfo()
C. $objUser=CreateObject("LDAP://CN=Jeff Ford,OU=People,DC=hi-tech,DC=com")
D. $objOU=[ADSI]"LDAP://OU=People,DC=hi-tech,DC=com"
Answer: ABD
Directory infrastructure and maintaining Active Directory objects. Since you are the technical support, you
are required to have an offline defragmentation of an Active Directory database performed.
Which four actions should you perform in sequence? (To answer, move the appropriate four actions from
the list of actions to the answer area and arrange them in the correct order.)

Testinside
1 ntds.dit should be compacted.
2 The ntds.dit file should be moved to %WINDIR%\NTDS.
3 The domain controller should be restarted in Safe Mode.
4 The Active Directory Domain Services service should be started.
5 The ntds.dit file should be replicated to %WINDIR%\SYSVOL
6 The Active Directory Domain Services service should be stopped.
A. 6->1->2->4
B. 5->1->3->4
C. 6->4->3->1
D. 4->6->3->5
Answer: A
Server01 that runs Windows Server 2008. Server01 is configured as DNS server and has 4 ctive
DirectoryCintegrated zones. For auditing purposes, you have to provide copies of the zone files of the DNS
server to the security audit group. What should you do to achieve this task?
A. Execute ntdsutil > Partition Management > Display commands
B. execute ipconfig/registerdns command
C. execute the dnscmd/ZoneExport command
D. Execute dnscmd/Zoneoutput command
Answer: C
59. You want to set the Office property of ten users in two different OUs. The users currently have the Office
property configured as Miammi. You recently discovered the typographic error and want to change it to
Miami. What can you do to make the change? (Choose all that apply.)
A. Select all ten users by holding the Ctrl key and opening the Properties dialog box.
B. Use Dsget and Dsmod.
C. Use Dsquery and Dsmod.
D. Use Get-Item and Move-Item.
Answer: C

Testinside
60. You are hired as the network administrator in your company. In your company there are two servers
named Server01 and Server02 that run Windows Server 2008. Server01 works as a Domain Controller and
is configured as DNS server in a single Active Directory domain. Server02 is a member of the domain as
the standard secondary zone with DNS Server role installed.You configured Server01 as the master server
for the zone.
What should you do to make sure that Server02 receives zone updates from Server01?
A. On Server02, add a conditional forwarder.
B. On Server01, modify the zone transfer settings for the zone.
C. Add the Server02 computer account to the DNSUpdateProxy group.
D. On Server01, modify the permissions of the zone.
Answer: B
61. BitLocker is a new technology that is available in Windows Server 2008 as well as Windows Vista.
Which is NOT an advantage of using BitLocker?
A. BitLocker can be used to prevent a hacker from detecting my password.
B. BitLocker prevents someone from removing a hard drive from a system and reading it by installing it on
another system.
C. BitLocker prevents someone from loading another operating system onto the server and reading the
contents of the disk using this additional operating system.
D. All of the above selections are an advantage of using BitLocker.
Answer: A
62. You want to move a user from the Paris OU to the Moscow OU. Which tools can you use? (Choose all
that apply.)
A. Move-Item
B. The MoveHere method of the Moscow OU
C. Dsmove
D. Redirusr.exe
E. Active Directory Migration Tool

Testinside
Answer: BC
63. Hi-tech .com has a main office and a branch office. All servers in both offices run Windows Server 2008.
The offices are connected through a MAN link. Hi-tech .com has an Active Directory domain that hosts a
single domain called maks. Hi-tech .com. There is a domain controller in the maks. Hi-tech .com domain
called Server01 . It is located in the main office. You have configured Server01 as a DNS server for maks.
Hi-tech .com DNS zone. It is configured as a standard primary zone. You are instructed to install a new
domain controller called Server02 in the branch office. After installing the domain controller, you install DNS
on Server02 . You want to ensure that the DNS service on Server02 can update records and resolve DNS
queries in the event of a MAN link failure.
What should you do to achieve this objective?
A. Configure the DNS on Server01 to forward requests to Server02
B. Add a secondary zone named raks. Hi-tech .com on Server02
C. Convert maks. Hi-tech .com on Server01 to an Active Directory-integrated zone
D. Configure a new stub zone on Server01 and set the forwarding option to Server02
Answer: C
64. A user reports that she is receiving a logon message that states, "Your account is configured to prevent
you from using the computer. Please try another computer." What should you do to enable her to log on to
the computer?
A. Click the Log On To button on the Account tab of her user account.
B. Click the Allowed To Join Domain button in the New Computer dialog box.
C. Use the Dsmove command.
D. Give her the right to log on locally, using the local security policy of the computer
Answer: A
65. You are the administrator for a nationwide company that currently runs Windows Server 2008 DNS and
are reviewing the resource records in your Active Directory-integrated DNS zone. You notice there are
hostnames that do not meet your company's naming convention and verify that the computers are not
members of your Active Directory domain. What must you do to ensure these hosts cannot create records

Testinside
in your DNS zone?
A. Disable DNS and enable DHCP.
B. Configure your zone to enable secure dynamic updates.
C. Disable dynamic updates in your zone.
D. You cannot prevent this from occurring in DNS.
Answer: B
66. Hi-tech .com has a single Active Directory domain. You have configured all domain controllers in the
network as DNS servers and they run Windows Server 2008. A domain controller named Server01 has a
standard Primary zone for Hi-tech .com and a domain controller named Server02 has a standard secondary
zone for Hi-tech .com. You have to make sure that the replication of the Hi-tech .com zone is encrypted so
you might not loose any zone data. What should you do to achieve this task?
A. Create a stub zone and delete the secondary zone
B. Convert the primary zone into an active directory zone and delete the secondary zone
C. Change the interface where DNS server listens on both servers
D. On the standard primary zone, configure zone transfer settings. After that modify the master servers lists
on the secondary zone
Answer: B
67. You are hired as the network administrator in your company. Your company has a main office and a
branch office that are configured as a single Active Directory forest. The functional level of the Active
Directory forest is Windows Server 2003. There are four Windows Server 2003 domain controllers in the
main office. You need to ensure that you are able to deploy a read-only domain controller (RODC) at the
branch office. Which two actions should you perform?(Choose two answers. Each answer is a part of the
complete solution.)
A. Run the adprep/rodcprep command.
B. Deploy a Windows Server 2008 domain controller at the main office.
C. Raise the functional level of the domain to Windows Server 2008.
D. Raise the functional level of the forest to Windows Server 2008.
Answer: AB

Testinside
company. And two domains are included by the Active Directory forest. Universal groups are included by
the forest. And members from each domain are included by the universal groups. There is a domain
controller named DC01 in the branch office. It is reported by users at the branch office that it takes quite
long time to log on. Since you are the technical support, you are required to reduce the amount of logon
time for the branch office users. Which action should be performed to achieve the goal?
A. To achieve the goal, the replication interval on the site link that connects the branch office to the
corporate network should be reduced.
B. To achieve the goal, the replication interval on the site link that connects the branch office to the
corporate network should be improved.
C. To achieve the goal, DC01 should be configured as a Global Catalog server.
D. To achieve the goal, DC01 should be configured as a bridgehead server for the branch office site.
Answer: C
69. A new project requires that users in your domain and in the domain of a partner organization have
access to a shared folder on your file server. Which type of group should you create to manage the access
to the shared folder?
A. Universal security group
B. Domain local security group
C. Global security group
D. Domain local distribution group
Answer: B
70. Your domain includes a global distribution group named Company Update. It has been used to send
company news by e-mail to its members. You have decided to allow all members to contribute to the
newsletter by creating a shared folder on a file server. What must you do to allow group members access to
the shared folder?

Testinside
A. Change the group scope to domain local.
B. Change the group scope to universal.
C. Add the group to the Domain Users group.
D. Use Dsmod with the-secgrp yes switch.
Answer: D
71. You are hired as the network administrator in your company. Your company has servers that run
Windows Server 2008. There are 2 domain controllers installed on the network. An Active Directory
database is installed on the D volume of a domain controller. You want to move the Active Directory
database to a new volume. What should you do to achieve this task?
A. Open the Files option in the Ntdsutil utility and move the ntds.dit file to the new volume.
B. Move the ntds.dit file to the new volume using Copy Paste function in the Windows Power Shell.
C. Use XCOPY command on Windows Command prompt to move ntds.dit file to the new volume.
D. Use Windows Explorer to move ntds.dit file to the new volume.
Answer: A
72. You are creating a new standard primary zone for the company you work for, Name Resolution
University, using the domain nru.corp. You create the zone through the DNS management console,and now
you want to view the corresponding DNS zone file, nru.corp.dns. Where do you need to look in order to find
this file?
A. You cannot view the zone file because it is stored in Active Directory.
B. You can look in the %systemroot%\system32\dns folder.
C. You cannot view the DNS file except by using the DNS management console.
D. The DNS zone file is actually just a key in the Windows Registry. You need to use the Registry Editor if
you want to view the file.
Answer: B
73. Which of the following can be used to remove members from a group? (Choose all that apply.)
A. Remove-Item
B. Dsrm

Testinside
C. Dsmod
D. LDIFDE
E. CSVDE
Answer: BCD
74. Hi-tech .com has a single Active Directory domain named ad. Hi-tech .com. Windows Server 2008 is
installed on all domain controllers. The domain functional level and forest functional level are set to
Windows 2000 native mode. You have to ensure the UPN suffix for Hi-tech .com is available for user
accounts. What should you do first to achieve this task?
A. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to
Hi-tech .com.
B. Add the new UPN suffix to the forest.
C. Raise the Hi-tech .com domain functional level to Windows Server 2003 or Windows Server 2008.
D. Raise the Hi-tech .com forest functional level to Windows Server 2003 or Windows Server 2008.
Answer: B
75. You are using Dsmod to add a domain local group named GroupA to a global group named GroupB.
You are receiving errors. Which command will solve the problem so that you can then add GroupA to
GroupB? (Choose all that apply.)
A. Dsrm.exe
B. Dsmod.exe
C. Dsquery.exe
D. Dsget.exe
Answer: B
76. Hi-tech .com has a network consisting of a single Active Directory domain. All domain controllers run
Windows Server 2003. Hi-tech .com instructs you to upgrade all domain controllers to Windows Server
2008. After upgrading the domain controllers, you need to ensure that the ebsysvolume share replicates by
using DFS Replication (DFS-R). What should you do to achieve this task?
A. Run dfsutil/addrot:ebsysvolume on the command prompt

Testinside
B. Run netdom/dfs-r from the command prompt
C. Run dcpromo/attend:attendfile.xml
D. Raise the functional level of the domain to Windows Server 2008
Answer: D
77. You have removed WINS from your environment, but still have at least one legacy PC and application
that requires NetBIOS resolution. What solution can you use in place of WINS to address NetBIOS
resolution?
A. GlobalNames zones.
B. Reverse zones.
C. Dynamic updates.
D. None of the above. You need WINS for NetBIOS.
Answer: A
78. Your management has asked you to produce a list of all users who belong to the Special Project group,
including those users belonging to groups nested into Special Project. Which of the following can you use?
A. Get-Members
B. Dsquery.exe
C. LDIFDE
D. Dsget.exe
Answer: D
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in the
company. Two domain controllers are contained in the company. They are respectively named DC01 and
DC02. DC01 holds the schema master role, while DC02 fails. You use the administrator account to log on to
Active Directory. You cannot transfer the schema master role. You have to make sure that DC2 holds the
schema master role. So what action should you perform?
A. Seize the schema master role on DC02.

Testinside
B. DC02 should be configured as a bridgehead server.
C. You should register the Schmmgmt.dll and start the Active Directory Schema snap-in.
D. Utilize an account that is a member of the Schema Admins group to log off and log on again to Active
Directory. Start the Active Directory Schema snap-in.
Answer: A
80. Your company is conducting a meeting for a special project. The data is particularly confidential. The
team is meeting in a conference room, and you have configured a folder on the conference room computer
that grants permission to the team members. You want to ensure that team members access the data only
while logged on to the computer in the conference room, not from other computers in the enterprise. What
must you do?
A. Assign the Allow Read permission to the Interactive group.
B. Assign the Allow Read permission to the team group.
C. Assign the Deny Traverse Folders permission to the team group.
D. Assign the Deny Full Control permission to the Network group.
Answer: D
81. Hi-tech.com has an Active Directory forest which runs Windows Server 2008. It has branch offices all
around the world. The forest includes finance organizational units for an office in the following locations:
New York
London
Amsterdam
Rome
Each location has a child organizational unit named finance. The finance organizational unit hosts all the
users and computers in the finance department. The offices in London and, Amsterdam and New York are
connected by T1 connections. However, the office in Rome is connected by a 128-Kbps ISDN connection.
Hi-tech .com has instructed you to install an application on all computers in the finance department. Which
two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the
complete solution)
A. Create a Group Policy Object (GPO) named accountingtree Install that assigns the application to the

Testinside
computers. Link the GPO to each finance organizational unit
B. Create a GPO named accounting tree install that assigns the application to each user in the
organizational unit. Link the GPO to each finance organizational unit
C. Change the slow link detection setting to 2,544 Kbps (T1) in the GPO
D. Disable the slow link detection setting in the GPO
Answer: AC
82. You've just created a new zone in DNS on a Windows Server 2008-based computer. You check the
zone and notice that the only records in it are the SOA and NS RRs. Checking the configuration, you see
that the zone is configured to accept dynamic updates. What should you do next?
A. Manually add all RRs for the zone, including A, CNAME, PTR, and SRV records.
B. Manually add A records for all hosts that cannot use dynamic updating.
C. Manually add A RRs and PTR RRs for all hosts that will be using dynamic updating.
D. Manually initiate a zone transfer to replicate all the needed RR to the new zone.
Answer: B
83. You want to allow a user named Mike Danseglio to add and remove users from a group called Special
Project. Where can you configure this permission?
A. The Members tab of the group
B. The Security tab of Mike Danseglio's user object
C. The Member Of tab of Mike Danseglio's user object
D. The Managed By tab of the group
Answer: D
84. You are hired as the network administrator in your company. Your company has a single Active
Directory domain. The domain controllers run Windows Server 2003. You are instructed to upgrade all
domain controllers to Windows Server 2008. To accomplish this task, you have to configure the Active
Directory environment to support multiple password policies application.
A. Create four Active Directory sites

Testinside
B. Execute dcpromo/adv on all domain controllers
C. Execute dcpromo/adv on only 2 domain controllers
D. Set the functional level of the domain to Windows Server 2008
Answer: D
85. Which of the following groups can shut down a domain controller? (Choose all that apply.)
A. Account Operators
B. Print Operators
C. Backup Operators
D. Server Operators
E. Interactive
Answer: BCD
86. Your company has offices in North America and Europe. It has an Active Directory forest with two
domains. You are assigned the task to reduce the time required to authenticate users from
labs.eul.hi-tech.com domain when they access resources on eng.na.hi-tech.com domain. What should you
do to achieve this task?
A. Create a one-way shortcut trust from eng.na.hi-tech.com to labs.eul.hi-tech.com.
B. Increase the replication interval for the DEFAULTIPSITELINK site link
C. Create a one-way shortcut trust from labs.eul.hi-tech.com to eng.na.hi-tech.com
D. Increase the replication interval for all connections objects.
Answer: A
87. You want to require all new computer accounts created when computers join the domain to be placed in
the Clients OU. Which command should you use?
A. Dsmove
B. Move-Item
C. Netdom
D. Redircmp
Answer: D

Testinside
domain. Another administrator at the company attempts to log on to a computer that was offline for 12
weeks. While accessing the computer, administrator receives an error message that authentication has
failed. What should you do to ensure that the administrator can log on to the computer?
A. Disjoin the computer from the domain and rejoin it to the domain. Reset the computer account
B. Delete the computer account from the organizational unit and then add the account again
C. Execute the netsh command on the computer and set the machine options
D. Execute netsh trust/reset command and join the computer to the domain again.
Answer: A
89. A DNS server, Aspen, has been successfully resolving queries but with the wrong information. You use
the Monitoring function in the DNS Management Console for Aspen and test the simple and recursive
queries. Both work fine. What is the most likely cause of the problem?
A. Aspen is not authoritative for the zone in which the wrong information is being returned.
B. Aspen is not configured to perform iterative queries.
C. Some clients do not support dynamic updates, or manually entered RRs have errors.
D. The clients that received the wrong information do not support the OPT record type.
Answer: C
Directory infrastructure and maintaining Active Directory objects. You have a computer which runs Windows
Server 2008. At present you are installing an application on this computer. During installation, the
application will need to install new attributes and classes to the Active Directory database. You have to
make sure that you are able to install the application. So what action should you perform?
A. You should use an account that has Server Operator rights to log on.
B. The functional level of the forest should be changed to Windows Server 2008.
C. You should use an account that has the Enterprise Administrator rights and the appropriate rights to log
on to install the application.

Testinside
D. You should use an account that has Schema Administrator rights and the appropriate rights to log on to
install the application.
Answer: D
91. You want to prevent nonadministrative users from joining computers to the domain. What should you
do?
A. Set ms-DS-MachineAccountQuota to zero.
B. Set ms-DS-DefaultQuota to zero.
C. Remove the Add Workstations To Domain user right from Authenticated Users.
D. On the domain, deny the Authenticated Users group the Create Computer Objects permission.
Answer: A
92. You are hired as the network administrator in your company. Your company has a main office and ten
branch offices. It has an Active Directory forest that hosts a single domain. Each office has one domain
controller and they are configured as an Active Directory site. All sites are connected with the
DEFAULTIPSITELINK object. You have to decrease the replication latency between the domain controllers.
A. Decrease the cost between the connection objects
B. Decrease the connection replication interval for all connection objects
C. Decrease the replication interval for the DEFAULTIPSITELINK object
D. Increase the replication interval for the DEFAULTIPSITELINK object
Answer: C
93. You want to join a remote computer to the domain. Which command should you use?
A. Dsadd.exe
B. Netdom.exe
C. Dctest.exe
D. System.cpl
Answer: B

Testinside
94. You are hired as the network administrator in your company. Your company has purchased a new
application to deploy on 200 computers. You are instructed to deploy the application on all 200 computers.
To install the application, you have to modify the registry on each target computer before installing the
application. Registry modifications are in a file that has an .adm extension.
You have to prepare the target computers for the application. What should you do to achieve this task?
A. Create a new Group Policy Object (GPO) and import the .adm file into it. Edit the GPO and link it to an
organizational unit that contains the target computers
B. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each target
computer.
C. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the
REDIRCmp CONTAINER-DN command on each target computer.
D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the
REDIRUsr CONTAINER-DN command on each target computer.
Answer: A
95. You have been tasked with designing a new Windows Server 2008 Active Directory forest. The network
is currently a combination of Windows 2000 Professional, Windows XP, Windows Vista, and Macintosh
clients. You want to reduce the administration of IP addresses. Which of the following services would you
implement to accomplish this?
A. DHCP
B. DNS
C. WINS
D. DDNS
Answer: A
96. Your manager has just asked you to create an account for DESKTOP234. Which of the following
enables you to do that in one step?
A. CSVDE
B. LDIFDE
C. Dsadd

Testinside
D. Windows PowerShell
E. VBScript
Answer: C
97. You are hired as the network administrator in your company. The headquarters of your company is
located in New York. Now your company builds its branch in Washington. The branch office in Washington
is configured as a separate Active Directory site and has an Active Directory domain controller. You disable
an account that has administrative rights. You need to immediately replicate the disabled account
information to all sites.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two.)
A. From the Active Directory Sites and Services console, select the existing connection objects and force
replication.
B. From the Active Directory Sites and Services console, configure all domain controllers as global catalog
servers.
C. Use Repadmin.exe to force replication between the site connection objects.
D. Use Dsmod.exe to configure all domain controllers as global catalog servers.
Answer: AC
98. Your hardware vendor has just given you an Excel worksheet containing the asset tags of computers
that will be delivered next week. You want to create computer objects for the computers in advance. Your
naming convention specifies that computers' names are their asset tags. Which of the following tools can
you use to import the computers? (Choose all that apply.)
A. CSVDE
B. LDIFDE
C. Dsadd
D. Windows PowerShell
E. VBScript
Answer: ADE

Testinside
located in New York. The main office has an existing Active Directory site named Site1. Now your company
builds its branch in Washington. You are assigned to deploy and implement a new Active Directory site and
name Site2. To configure Active Directory replication between Site1 and Site2, you install a new domain
controller and create the site link between Site1 and Site2. What should you do next to achieve this task?
A. Use the Active Directory Sites and Services console to configure the new domain controller as a
preferred bridgehead server for Site1.
B. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and
Site2.
C. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new
domain controller object to Site2.
D. Use the Active Directory Sites and Services console to configure a new site link bridge object.
Answer: C
100. Your network contains a mix of Windows 2003 and Windows Server 2008. You have three domain
controllers running Windows Server 2003. Your file server, print server, and Exchange server are running
Windows 2000 Server. Your DNS, DHCP, and WINS servers are running Windows Server 2008. All of your
clients are running Windows XP Professional with Service Pack 2. All machines, other than the servers that
require a static IP address, are configured as DHCP clients with the default settings. Your DNS server has
been configured to allow dynamic updates. Which of the
following records will be registered in DNS automatically? (Choose all that apply.)
A. MX
B. Host (A)
C. SRV
D. PTR
Answer: BCD

Testinside
company. This forest contains client computers that run Windows Vista and Windows XP. You have to make
sure that users are able to install approved application updates on their computers. What should you do?
(Choose more than one)
A. A GPO should be created and it should be linked to the domain. The GPO should be configured to direct
the client computers to the Microsoft WSUS server for approved updates.
B. Automatic Updates through Control Panel should be set up on the client computers.
C. A GPO should be created and it should be linked to the Domain Controllers organizational unit. The GPO
should be configured to automatically search for updates on the Microsoft Update
site.
D. The Microsoft WSUS application should be installed on a server in the environment. The server should
be configured to search for new updates on the Internet. All required updates should
be approved.
Answer: AD
102. A server administrator reports Failed To Authenticate events in the event log of a file server. What
should you do?
A. Reset the server account.
B. Reset the password of the server administrator.
C. Disable and enable the server account.
D. Delete the account of the server administrator.
Answer: A
domain. All servers in the Active Directory run Windows Server 2008. The domain runs Enterprise Root
certification authority (CA). You have to make sure that only administrators can sign code.
Which two tasks should you perform to achieve this task?
A. Change the local computer policy of the Enterprise Root CA to allow only administrators to manage
Trusted Publishers.
B. Publish the code signing template
C. Change the security settings on the template to allow only the administrators to request code signing

Testinside
certificates
D. Distribute the code signing template among the administrators and ask them to add it to the trust peer
certificates.
Answer: BC
104. A computer has permissions assigned to its account to support a system service. It also belongs to 15
groups. The computer is being replaced with new hardware. The new hardware has a new asset tag, and
your naming convention uses the asset tag as the computer name. What should you do? (Choose all that
apply. Each correct answer is a part of the solution.)
A. Delete the computer account for the existing system.
B. Create a computer account for the new system.
C. Reset the computer account for the existing system.
D. Rename the computer account for the existing system.
E. Join the new system to the domain.
Answer: CDE
located in New York. Now your company builds its branch in Washington. The branch office in Washington
is configured as a separate Active Directory site and has an Active Directory domain controller. You are
assigned to deploy and implement a new application which requires a local global Catalog server to support
at the branch office. Which tool should you use to configure the domain controller as a Global Catalog
server? (Each correct answer presents part of the solution. Choose two.)
A. The Active Directory Sites
B. The Active Directory Domains
C. The Trusts console
D. The Services console
E. The Computer Management console
Answer: AD
106. You have just installed a Windows Server 2008 domain controller in your environment. Which of the

Testinside
following default containers holds the default groups?
A. Users
B. Computers
C. Built-in
D. Default Groups
Answer: C
107. Your enterprise recently created a child domain to support a research project in a remote location.
Computer accounts for researchers were moved to the new domain. When you open Active Directory Users
And Computers, the objects for those computers are displayed with a down-arrow icon. What is the most
appropriate course of action?
A. Reset the accounts.
B. Disable the accounts.
C. Enable the accounts.
D. Delete the accounts.
Answer: C
108. You are hired as the network administrator in your company. Your company has a domain controller
that runs Windows Server 2008. It is configured as a DNS server. You have to record all inbound DNS
queries to the server. What should you configure in the DNS Manager Console?
A. To log errors and warnings, configure event logging
B. Disable automatic logs for recursive queries
C. Enable automatic testing for recursive queries
D. Enable debug logging
Answer: D
109. Your organization has one Active Directory domain in the Active Directory forest. You are responsible
for creating accounts for all users in your domain. Your company just bought another company with 5000
user accounts, and you are required to create their new user accounts without using a third-party tool.
Which of the following commands should be used to achieve this?

Testinside
A. dsadd
B. dsuseradd
C. adduser
D. adduser.ps
Answer: A
110. Litware, Inc., has three business units, each represented by an OU in the litwareinc.com domain. The
business unit administrators want the ability to manage Group Policy for the users and computers in their
OUs. Which actions do you perform to give the administrators the ability to manage Group Policy fully for
their business units? (Choose all that apply. Each correct answer is a part of the solution.)
A. Copy administrative templates from the central store to the PolicyDefinitions folder on the administrators'
Windows Vista workstations.
B. Add business unit administrators to the Group Policy Creator Owners group.
C. Delegate Link GPOs permission to the administrators in the litwareinc.com
domain.
D. Delegate Link GPOs permission to the each business unit's administrators in the
business unit's OU.
Answer: BD
111. You are hired as the network administrator in your company. Your company has a main office and 15
branch offices. An Active Directory site with one domain controller is installed in each office. Only domain
controllers in the main office are configured as Global Catalog servers. On the domain controllers in the
branch offices, you need to deactivate the Universal Group Membership Caching (UGMC) option. However,
you need to deactivate UGMC on a certain level.
On which level should you deactivate UGMC?
A. Site
B. domain controllers
C. Forest
D. Connection object
Answer: A

Testinside
contained by your network. And there is a domain controller and a member server that run Windows Server
2008 in the company. The company configures the two servers as DNS servers. Either Windows XP
Service Pack 2 or Windows Vista is run by client computers. There is a standard primary zone on the
domain controller. A secondary copy of the zone is hosted by the member server. According to the company
requirements, you should make sure that host (A) records in the DNS zone can only be updated by
authenticated users.
A. The standard primary zone should be converted to an Active Directory-integrated zone.
B. On the member server, a conditional forwarder should be added.
C. On the member server, Active Directory Domain Services should be installed.
D. All computer accounts should be added to the DNSUpdateProxy group.
Answer: A
in your company. Windows Server 2003 is run by all domain controllers. You have Windows Server 2008
installed on a server. Since you are the technical support, you are required to have the new server added as
a domain controller in your domain. To achieve the goal, which action should be performed first?
A. On a domain controller, adprep /rodcprep should be run.
B. On a domain controller, adprep /forestprep should be run.
C. On the new server, dcpromo /adv should be run.
D. On the new server, dcpromo /createdcaccount should be run.
Answer: B
114. You are hired as the network administrator in your company. Your company has two active directory

Testinside
forests called Eb1.com and Eb2.com. Both forests have domain controllers that run Windows Server 2008.
Windows Server 2008 is running on the domain functional level on Eb1.com. The domain functional level of
Eb2.com is Windows Server 2003 Native mode. As per instructions, you configure an external trust
between Eb1.com and Eb2.com. To achieve this, you need to enable the Kerberos AES encryption option.
A. Raise the forest functional level of Eb2.com to Windows Server 2008
B. Configure a new forest trust and enable forest-wide authentication
C. Drop the forest functional level of Eb1.com to Windows Server 2003
D. Raise the domain functional level of Eb2.com to Windows Server 2008
Answer: D
115. You are an administrator at Hi-tech, Ltd. The hi-tech.com domain has a child domain, es.hi-tech.com,
for the branch in Spain. Administrators of that domain have asked you to provide a Spanish-language
interface for Group Policy Management Editor. How can you provide Spanish-language versions of
administrative templates?
A. Log on to a domain controller in the es.hi-tech.com domain, open %SystemRoot%
\SYSVOL\domain\Policies\PolicyDefinitions, and copy the ADM files to the ES folder.
B. Copy ADML files to the \\es.hi-tech.com\SYSVOL\es.hi-tech.com\policies\ PolicyDefinitions\es folder.
C. Log on to a domain controller in the es.hi-tech.com domain, open %System-
Root%\SYSVOL\domain\Policies\PolicyDefinitions, and copy the ADMX files to the ES folder.
D. Install the Boot.wim file from the Windows Server 2008 CD on a domain controller in the child domain.
Answer: BD
domain and two domain controllers named Server01 and Server02. The Server01 hosts the Schema
Master Role. Suddenly the Server01 fails. To rectify the problem, you log on to Active Directory using
administrator account. You are trying to transfer the Schema Master Operations role. But you fail. What
should you do to ensure that Server02 holds the Schema Master role?
A. Register Schemamt.dll on the Active Directory domain and start the Active Directory Schema snap-in
B. Configure Server02 as a Primary domain controller

Testinside
C. Join the Schema Administrators group and modify the Schema settings to save records on Server02
D. Seize the Schema Master role on Server02
Answer: D
117. You are at a branch office of your company assisting a user on his PC. While assisting the user, you
receive a phone call from your boss who wants to know why all the users are required to change their
passwords the first time they log on? What would be the best way to answer his question?
A. It's a default Active Directory group and domain policy to enforce user passwords set by the
administrator.
B. It's a default Active Directory group policy and cannot be modified.
C. This is a new feature in Active Directory 2008 to introduce extra security.
D. This is just a check box for user account properties to force users to change the default passwords set
by the administrator at the time of the creation of their account. This then forces users to pick their own
password.
Answer: D
118. You are an administrator at Hi-tech, Ltd. At a recent conference, you had a conversation with
administrators at Fabrikam, Inc. You discussed a particularly successful set of configurations you have
deployed using a GPO. The Fabrikam administrators have asked you to copy the GPO to their domain.
Which steps can you and the Fabrikam administrators perform?
A. Right-click the Hi-tech GPO and choose Save Report. Create a GPO in the Fabrikam domain, right-click
it, and choose Import.
B. Right-click the Hi-tech GPO and choose Back Up. Right-click the Group Policy Objects container in the
Fabrikam domain and choose Restore From Backup.
C. Right-click the Hi-tech GPO and choose Back Up. Create a GPO in the Fabrikam domain, right-click it,
and choose Paste.
D. Right-click the Hi-tech GPO and choose Back Up. Create a GPO in the Fabrikam domain, right-click it,
and choose Import Settings.
Answer: D

Testinside
domain and two domain controllers named Server01 and Server02. The Server01 hosts the Schema
Answer: D
120. You want to deploy a GPO named Northwind Lockdown that applies configuration to all users at
Northwind Traders. However, you want to ensure that the settings do not apply to members of the Domain
Admins group. How can you achieve this goal? (Choose all that apply.)
A. Link the Northwind Lockdown GPO to the domain, and then right-click the domain and choose Block
Inheritance.
B. Link the Northwind Lockdown GPO to the domain, right-click the OU that contains the user accounts of
all users in the Domain Admins group, and choose Block Inheritance.
C. Link the Northwind Lockdown GPO to the domain, and then assign the Domain Admins group the Deny
Apply Group Policy permission.
D. Link the Northwind Lockdown GPO to the domain, and then configure security filtering so that the GPO
applies to Domain Users.
Answer: BC
121. Lisa works as a branch office administrator for your organization. She receives a call from her
manager, Dina, asking which of the following characteristics make up a strong password. Which one is
correct?
A. Contains a username or pet's name.
B. Contains dictionary words.
C. Contains place names.

Testinside
D. Is a combination of letters and numbers.
Answer: D
122. You want to create a standard lockdown desktop experience for users when they log on to computers
in your company's conference and training rooms. You have created a GPO called Public Computers
Configuration with desktop restrictions defined in the User Configuration node. What additional steps must
you take? (Choose all that apply. Each correct answer is a part of the solution.)
A. Enable the User Group Policy Loopback Processing Mode policy setting.
B. Link the GPO to the OU containing user accounts.
C. Select the Block Inheritance option on the OU containing conference and training room computers.
D. Link the GPO to the OU containing conference and training room computers
Answer: AD
domain. For regular checkups, you log on to the domain controller and open Microsoft Management
Console (MMC). The Active Directory Schema snap-in is not available. What should you do to access the
Active Directory Schema snap-in?
A. Register Schmmgmt.dll
B. using a member account of the Schema Administrators group, log off and log on again
C. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller
D. Execute Ntdsutil.exe command to connect to the Schema Master operations master.
Answer: A
are required to confirm whether Active Directory successfully copied between two domain controllers.
A. To achieve the goal, the Dsquery command should be run.
B. To achieve the goal, the RepAdmin command should be run.

Testinside
C. To achieve the goal, the Windows System Resource Manager should be run.
D. To achieve the goal, the DSget command should be run.
Answer: B
125. A user calls the help desk at your organization and reports problems that you suspect might be related
to changes that were recently made to Group Policy. You want to examine information regarding Group
Policy processing on her system. Which tools can you use to gather this information remotely? (Choose all
that apply.)
A. Group Policy Modeling Wizard
B. Group Policy Results Wizard
C. Gpupdate.exe
D. Gpresult.exe
E. Msconfig.exe
Answer: BD
126. You are hired as the network administrator in your company. Your company has instructed you to
decommission domain controllers that host all forest-wide operations master roles. Before you start taking
down these domain controllers, you want to transfer all forest-wide operation master roles to another
domain. Which two roles should you transfer to achieve this objective? (Choose two answers. Each answer
is a part of the complete solution)
A. Domain naming master
B. Secondary domain master
C. Forest-wide server master roles
D. Schema master
E. PDC Master
Answer: AD
127. Which of the following options require administrative privileges to change the password?
A. User must change password at next logon.
B. User cannot change password.

Testinside
C. Password never expires.
D. Store password using reversible encryption.
Answer: B
128. You are the administrator at Hi-tech, Ltd. The hi-tech.com domain has five GPOs linked to the domain,
one of which configures the password-protected screen saver and screen saver timeout required by
corporate policy. Some users report that the screen saver is not launching after 10 minutes as expected.
How do you know when the GPO was applied?
A. Run Gpresult.exe for the users.
B. Run Gpresult.exe-computer.
C. Run Gpresult-scope computer.
D. Run Gpupdate.exe /Target:User.
Answer: A
domain and two domain controllers named Server01 and Server02 . The Server01 hosts the Schema
Answer: D
130. The hi-tech.com domain contains a GPO named Corporate Help Desk, linked to the Clients OU, and a
GPO named Sydney Support linked to the Sydney OU within the Clients OU. The Corporate Help Desk
GPO includes a restricted groups policy for the HI-TECH\ Help Desk group that specifies This Group Is A
Member Of Administrators. The Sydney Support GPO includes a restricted groups policy for the
HI-TECH\Sydney Support group that specifies This Group Is A Member Of Administrators. A computer

Testinside
named DESKTOP234 joins the domain in the Sydney OU. Which of the following accounts will be a
member of the Administrators group on DESKTOP234? (Choose all that apply.)
A. Administrator
B. Domain Admins
C. Sydney Support
D. Help Desk
E. Remote Desktop Users
Answer: ABCD
server01 that runs Windows Server 2008. An instance of Active Directory Lightweight Directory Service (AD
LDS) runs on Server01. You have to create new organizational units in the AD LDS application directory
partition.
A. Create the organizational units on the AD LDS application directory partition by accessing the ADSI Edit
snap-in.
B. Execute dsmod OU <OUDN> command to create Organizational units.
C. Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDS
application directory partition.
D. Execute dsadd OU command to create Organizational units.
Answer: A
132. You are attempting to describe the purpose of a template account to a co-worker. What should you tell
them?
A. A template account exists only for Novell users.
B. A template account exists only for Unix users.
C. A template account exists only for Windows NT 4.0 users.
D. A template account simplifies the creation of a large number of user accounts. In a template, you can
define all the account parameters you need to for your users. You can then use this template to create user
accounts by simply filling in the Name, Full Name and Description Password, and Confirm Password fields.

Testinside
Answer: D
GPO includes a restricted groups policy for the Administrators group that specifies the Members Of This
Group setting to be HI-TECH\Help Desk. The Sydney Support GPO includes a restricted groups policy for
the Administrators group that specifies the Members Of This Group setting to be HI-TECH\Sydney Support.
A computer named DESKTOP234 joins the domain in the Sydney OU. Which of the following accounts will
be a member of the Administrators group on DESKTOP234? (Choose all that apply.)
A. Administrator
B. Domain Admins
C. Sydney Support
D. Help Desk
Answer: AC
Directory domain. All the domain controllers run Windows Server 2003. You install Windows Server 2008
on a server. You need to ensure that the new server is added as a domain controller in the domain. What
A. Execute dcpromo/controllerprep on a new server
B. Run adprep/forestprep command on a domain controller
C. Run adprep/rodcprep on a new server
D. Run dcpromo/createaccount on a domain controller
Answer: B
in your network. Windows Server 2008 is run by all domain controllers. The Audit account management

Testinside
policy setting and Audit directory services access setting are enabled for the entire domain. You need to
ensure that changes made to Active Directory objects can be logged.
The logged changes must include the old and new values of any attributes. So what action should you
perform?
A. The Audit directory service access setting and directory service changes should be enabled from the
Default Domain Controllers policy.
B. The Audit account management policy should be enabled in the Default Domain Controller Policy.
C. The Security settings of the Domain Controllers OU should be configured after running auditpol.exe.
D. The Audit directory service access setting should be enabled in the Default Domain policy after running
auditpol.exe.
Answer: C
GPO includes a restricted groups policy for the Administrators group that specifies the Members Of This
Group setting to be HI-TECH\Help Desk. The Sydney Support GPO includes a restricted groups policy for
the HI-TECH \Sydney Support group that specifies This Group Is A Member Of Administrators. A computer
named DESKTOP234 joins the domain in the Sydney OU.
Which of the following accounts will be a member of the Administrators group on DESKTOP234? (Choose
all that apply.)
A. Administrator
B. Domain Admins
C. Sydney Support
D. Help Desk
Answer: ACD
137. You are hired as the network administrator in your company. Your company network consists of a
single Active Directory domain. All domain controllers run Windows Server 2008. Some of the Lightweight
Directory Access Protocol (LDAP) clients are using the largest amount of CPU resources on a domain

Testinside
controller. You need to identify those. What should you do to achieve this task?
A. Execute the Active Directory Diagnostics Data Collector Set a review the Active Directory report
B. Open Resource Monitor and review the performance data
C. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.
D. Review the Hardware Events log in the Event Viewer.
Answer: A
138. A large company has just merged with yours. This organization has recently converted its internal
network from IPv4 addressing to IPv6 to support a number of new network applications that required it. You
must now begin to plan for IPv6 support on your own internal network. You are creating training materials
for your junior networking staff. Which of the following features is built into IPv6 that was not required in
IPv4?
A. Classless Inter-Domain Routing (CIDR)
B. IP Security through the use of IPSec
C. Network address translator (NAT)
D. Loopback IP addressing
Answer: B
139. You want to deploy security settings to multiple servers by using Group Policy. The settings need to
apply the user rights that you have configured and validated on a server in your test environment. Which
tool should you use?
A. Local Security Policy
B. Security Configuration And Analysis
C. Security Configuration Wizard
D. Security Templates
Answer: B
forest. You want to install an Enterprise certification authority (CA) on a stand-alone server. When you try to
add Active Directory Certificate Services (AD CS) role, you find that the Enterprise CA option is not

Testinside
available. You have to install the AD CS role as an Enterprise CA.
What should you do first to achieve this task?
A. Add the Active Directory Certificate Services (AD CS) role.
B. Add the Web server (IIS) role and the AD LDS role.
C. Add the DNS Server role.
D. Join the server to the domain.
Answer: D
141. You want to deploy security settings to multiple servers by using Group Policy. The settings need to
configure services, firewall rules, and audit policies appropriate for servers in your enterprise that act as file
and print servers. Which tool would be the best choice for you to use?
A. Local Security Policy
B. Security Configuration And Analysis
C. Security Configuration Wizard
D. Security Templates
Answer: C
142. You are hired as the network administrator in your company. You company has a server that's runs
Windows Server 2008. Active directory forest is configured at the functional level. To enable users to have a
database services on the server, you install Microsoft SQL server 2005 and implement Active Directory
Rights Management Service (AD RMS). While testing the server, you attempt to open the AD RMS
administration website. You receive an error message saying:" SQL Server does not exist or access is
denied".
You want to rectify this problem and open AD RMS administration website. Which two actions should you
perform to achieve this objective? (Select two answers. Each answer is the part of complete solution)
A. Install and configure Message Queuing
B. Restart the Internet Information Server (IIS)
C. Delete the AD RMS instance and the SQL server and install it again.
D. Start the MSSQLSVC service
Answer: BD

Testinside
143. Your company, mycompany.com, is merging with the yourcompany.com company. The details of the
merger are not yet complete. You need to gain access to the resources in the yourcompany.com company
before the merger is completed. What type of trust relationship should you create?
A. Forest trust
B. Shortcut trust
C. External trust
D. Tree Root trust
Answer: C
144. You created a security policy by using the Security Configuration Wizard. Now you want to deploy the
settings in that security policy to the servers in your Servers OU. Which of the following steps are required?
(Choose two. Each correct answer is a part of the solution.)
A. Use Scwcmd.exe /transform.
B. Create a Group Policy Object in the Group Policy Objects container.
C. Right-click the Security Settings node of a GPO and choose Import.
D. Link the GPO to the Servers OU.
Answer: AD
located in New York. Now your company builds its branch in Washington. You are assigned to deploy and
implement a Read-only Domain Controller (RODC) at the branch office. You deploy a RODC that runs
Windows Server 2008.
You must make sure that the users at the branch office can log on to the domain using RODC, so what
should you do?
A. Use Password Replication Policy on the RODC
B. Add RODC to the main office
C. Deploy and configure a new bridgehead server in the branch office
D. Deploy and configure a Password Replication Policy on the RODC in the main office
Answer: A

Testinside
company. A single domain is contained in this forest. The domain member server has an Active Directory
Federation Services (AD FS) server role installed. You have to configure AD FS to make sure that AD FS
tokens contain information from the Active Directory domain. So what action should you perform?
A. A new resource partner should be added and configured.
B. A Claims-aware application should be added and configured.
C. A new account store should be added and configured.
D. A new account partner should be added and configured.
Answer: C
147. You want to deploy an application by using Group Policy to client computers in the headquarters and in
a branch office. The branch office is connected to the headquarters with a wide area network connection
that is 364 kbps. What steps must you take to deploy the software? (Choose two. Each correct answer is
part of the solution.)
A. Create a GPO that applies to all client computers in the headquarters and branch office. In the GPO,
create a software package in the User Configuration node that assigns the application.
B. Create a GPO that applies to all client computers in the headquarters and branch office. In the GPO,
create a software package in the Computer Configuration node that assigns the application.
C. In a GPO that applies to all computers, configure the slow link detection policy connection speed in the
User Configuration node to 256 kbps.
D. In a GPO that applies to computers in the branch office, configure the slow link detection policy
connection speed in the Computer Configuration node to 256 kbps.
E. In a GPO that applies to computers in the branch office, configure the slow link detection policy
connection speed in the Computer Configuration node to 1,000 kbps.
Answer: BD

Testinside
located in New York. Now your company builds its branch in Washington. There is a single-domain Active
Directory forest in your company. All servers run Windows Server2008. Server01 and Server02 work as the
Domain Controller in the main office while Server03 works as a Windows Server 2008 read-only domain
controller (RODC) in the branch office. All domain controllers hold the DNS Server role and are configured
as Active Directory-integrated zones. The DNS zones only allow secure updates.
You must make sure to enable dynamic DNS updates on Server03. What should you do?
A. Run the Ntdsutil.exe > DS Behavior commands on DC3.
B. Run the Dnscmd.exe /ZoneResetType command on DC3.
C. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.
D. Create a custom application directory partition on DC1. Configure the partition to store Active
Directory-integrated zones.
Answer: C
149. You are hired as the network administrator in your company. All the servers in your company run
windows 2008. The network of your company consists of an Active Directory forest that contains one
domain. There is an Active Directory-integrated zone with two Active Directory sites in the domain. Each
site contains two domain controllers. All domain controllers are configures as DNS servers.
You are assigned to deploy and implement a new NS record to the zone. You have to make sure that all
domain controllers immediately receive the new NS record. What should you do to achieve this task?
A. Execute repadmin/syncall from the command prompt
B. Reload the zone from the DNS Manager console
C. Create an SOA record from the DNS Manager console
D. Shutdown and then, restart the DNS server service from services snap-in
Answer: A
150. Your boss just informed you that your company will be participating in a joint venture with a partner
company. He is very concerned about the fact that a trust relationship needs to be established with the
partner company. He fears that an administrator in the other company might be able to masquerade as one
of your administrators and grant himself privileges to resources. You assure him that your network and its
resources can be protected from an elevated privilege attack. Along with the other security precautions that

Testinside
you will take, what will you tell your boss that will help him rest easy about the upcoming scenario?
A. The permissions set on the Security Account Manager (SAM) database will prevent the other
administrators from being able to make changes.
B. The SIDHistory attribute tracks all access from other domains. Their activities can be tracked in the
System Monitor.
C. The SIDHistory attribute from the partner's domain attaches the domain SID for identification. If an
account from the other domain tries to elevate its own or another user's privilege, the SID filtering removes
the SID in question.
D. SID filtering tracks the domain of every user who accesses resources. The SIDHistory records this
information and reports the attempts to the Security log in the Event Viewer.
Answer: C
151. In your domain, the Employees OU contains all user accounts. Each site has an OU within which a
Sales OU contains accounts for the computers in the Sales department at that site. You want to deploy an
application so that it is available to all users in the organization's Sales departments. Which methods can
you use? (Choose all that apply.)
A. Create a GPO linked to the domain. Create a group containing all Sales users. Filter the GPO so that it
applies only to the group. In the GPO's User Configuration policies, create a software package that assigns
the application.
B. Create a GPO linked to each site's Sales OU. In the GPO's User Configuration policies, create a
software package that assigns the application.
C. Create a GPO linked to the domain. Create a group containing all Sales users. Filter the GPO so that it
applies only to the group. In the GPO's Computer Configuration policies, create a software package that
assigns the application.
D. Create a GPO linked to each site?0100110010014301001100100154s Sales OU. In the GPO User
Configuration policies, create a software package that assigns the application. In the GPO's Computer
Configuration, enable loopback policy processing in merge mode
Answer: AD

Testinside
forest with six domains. The company has 5 sites. The company requires a new distributed application that
uses a custom application directory partition named ResData for data replication. The application is
installed on one member server in five sites. You need to configure the five member servers to receive the
ResData application directory partition for data replication. What should you do?
A. Run the Dcpromo utility on the five member servers
B. Run the Regsvr32 command on the five member servers
C. Run the Wbadmin command on the five member servers
D. Run the RacAgent utility on the five member servers
Answer: A
153. You are hired as the network administrator in your company. Your company network has an Active
Directory forest that contains one parent domain and one child domain. The child domain has two domain
controllers that run Windows Server 2008. All user accounts from the child domain are migrated to the
parent domain. The child domain is scheduled to be decommissioned. You need to remove the child
domain from the Active Directory forest. What are two possible ways to achieve this goal? (Choose two
answers. Each answer is part of the complete solution.)
A. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory
domain services role.
B. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain.
C. Delete the computer accounts for each domain controller in the child domain. Remove the trust
relationship between the parent domain and the child domain.
D. Run the Computer Management console to stop the Domain Controller service on both domain
controllers in the child domain.
Answer: AB
154. Your organization consists of ten branch offices. Within your Active Directory, an Employees OU is
divided into ten child OUs containing user accounts at each branch office. You want to deploy an application
to users at four branches. The application should be fully installed before the user opens the application for
the first time. Which steps should you take? (Choose four. Each correct answer is a part of the solution.)
A. Create a software deployment GPO linked to the Employees OU.

Testinside
B. Create a package in the User Configuration polices that publishes the application.
C. Select the Install This Application At Logon deployment option.
D. Create a shadow group that includes the users in the four branches. Filter the software deployment GPO
so that it applies only to the shadow group.
E. Create a package in the User Configuration policies that assigns the application.
F. Select the Required Upgrade For Existing Packages option
Answer: ACDE
155. Robin is managing an Active Directory environment of a medium-size company. He is troubleshooting
a problem with the Active Directory. One of the administrators made an update to a user object and another
reported that he had not seen the changes appear on another DC. It was more than a week since the
change was made Robin checks the problem by making a change to another Active Directory object. Within
a few hours, the change appears on a few DCs, but not on all of them. Which of the following is a possible
cause for this problem?
A. Connection objects are not properly configured.
B. Robin has configured one of the DCs for manual updates.
C. There might be different DCs for different domains.
D. Creation of multiple site links between the sites.
Answer: A
Server01 that runs Windows Server 2008. You company has an Active Directory forest with single domain.
Server01 works as the Domain Controller with Active Directory Federation Services (AD FS) role installed.
Some other applications are also hosted on its perimeter network. The organization wants single sign-on to
all applications hosted on perimeter network.
You are required to configure the AD FS trust policy to populate AD FS tokens with employee's information
from Active directory domain. What should you do?
A. Add and configure a new application
B. Add and configure a new account store
C. Add and configure a new account partner

Testinside
D. Add and configure a new organization claim
Answer: B
company. A Windows Server 2008 is run by all servers. An Enterprise Root certificate authority (CA) is used
by your company. You have to make sure that revoked certificate information is highly available. So what
action should you perform?
A. You should use a Group Policy Object (GPO) to publish the trusted certificate authorities list to the
domain.
B. You should use Network Load Balancing to implement an Online Certificate Status Protocol (OCSP)
responder.
C. You should create a new Group Policy Object (GPO) that allows users to trust peer certificates. The
GPO should be linked to the domain.
D. You should use an Internet Security and Acceleration Server array to implement an Online Certificate
Status Protocol (OCSP) responder.
Answer: B
158. You are concerned that an individual is trying to gain access to computers by logging on with valid
domain user names and a variety of attempted passwords. Which audit policy should you configure and
monitor for such activities?
A. Logon Event failures
B. Directory Service Access failures
C. Privilege Use successes
D. Account Logon Event failures
E. Account Management failures
Answer: D
159. You want to audit changes to attributes of user accounts used by administrators in your organization.

Testinside
When a change is made, you want to see both the previous and changed values of the attribute.
What must you do to achieve your goal?
A. Define Account Management audit policy.
B. Use the Auditpol.exe command.
C. Enable Privilege Use auditing.
D. Define Directory Service Access audit policy.
Answer: B
domain which runs Windows Server 2008. A user attempts to log on to the domain from the client computer
using his account. He receives the following message: "This account has expired. Contact your
administrator to reactivate the account" What should you do to ensure that the user is able to log on to the
domain using his account?
A. Open the properties of the user account and change the option to "Never Expire"
B. Open the properties of the user account and extend the Logon Hours setting
C. Open the properties of the user account and modify the default domain policy to decrease the duration of
account lockout.
D. Change the password option to never expire in the user account properties
Answer: A
161. Darien is a new member of the Web Services team at your company. He is going to be responsible for
running and testing scripts for an in-house homegrown application which requires a special application that
is deployed via Group Policy. The first time he logs on to the domain he does not receive the software
package. You verify that his user account is in the proper OU. What could be causing Darien not to receive
the GPO with the software policy?
A. Security filtering has been enabled on the GPO and Darien is not a member of the proper group
B. WMI Filtering has been enabled on the GPO and Darien is not a member of the proper group
C. Darien must be a local administrator on his machine to download a GPO with a software package in it
D. Darien's user account has Block Inheritance configured on it and therefore he cannot download the
policy

Testinside
Answer: A
162. Your organization includes 10 file servers, which have computer accounts in the Servers OU of your
domain. A GPO named Server Configuration is linked to the Servers OU. On five of the servers, a folder
called Confidential Data exists. You have hired a team of consultants to assist on a project, and you want to
ensure that those consultants cannot access the Confidential Data folder. You configure permissions on the
folder to prevent access by consultants, and you want to audit any attempt by consultants to open or
manipulate the folder. Which steps must you take? (Choose three.
Each correct answer is part of the solution.)
A. Add audit entries to the Confidential Data folder to audit successful Full Control access.
B. Evaluate entries in the Security logs on the domain controllers.
C. Define the Audit Directory Service Access policy in the Server Configuration GPO.
D. Define the Audit Object Access policy in the Default Domain Controllers GPO.
E. Define the Audit Object Access policy in the Server Configuration GPO.
F. Evaluate entries in the Security logs on each file server.
G. Add audit entries to the Confidential Data folder to audit failed Full Control access.
Answer: EFG
163. Hi-tech has an Active Directory forest with single domain. Some other applications are also hosted on
its perimeter network. The organization wants single sign-on to all applications hosted on perimeter network.
The company has a domain member server with Active Directory Federation Services (AD FS) role
installed.
You are required to configure the AD FS trust policy to populate AD FS tokens with employee's information
from Active directory domain. What should you do?
A. Add and configure a new account store
B. Add and configure a new organization claim
C. Add and configure a new account partner
D. Add and configure a new application
Answer: A

Testinside
164. You are an administrator at Tailspin Toys. Your Active Directory domain includes an OU called Service
Accounts that contains all user accounts. Because you have configured service accounts with passwords
that never expire, you want to apply a password policy that requires passwords of at least 40 characters.
Which of the following steps should you perform? (Choose all that apply. Each correct answer is part of the
solution.)
A. Set the Minimum Password Length policy in the Default Domain Policy GPO.
B. Link a PSO to the Service Accounts OU.
C. Create a group called Service Accounts.
D. Link a PSO to the Service Accounts group.
E. Add all service accounts as members of the Service Accounts group.
Answer: CDE
165. As an administrator at You are hired as the network administrator in your company. Your company, you
have installed an Active Directory forest that has a single domain. You have installed an Active Directory
Federation services (AD FS) on the domain member server. What should you do to configure AD FS to
make sure that AD FS token contains information from the active directory domain?
A. Add a new account store and configure it
B. Add a new resource partner and configure it
C. Add a new resource store and configure it
D. Add a new administrator account on AD FS and configure it
Answer: A
166. SueyDog Enterprises will soon be deploying Microsoft Office Communicator into its environment. All of
its DCs are running Windows Server 2008. Their administrator, Matthew, is attempting to prepare for the
new product by creating a GPO and exploring the available settings. He creates a new policy and proceeds
to expand each section of the policy, looking for the section containing the Microsoft Office Communicator
settings. He can't seem to locate the settings for Microsoft Office Communicator. What should Matthew do
to gain the settings he seeks?
A. Download the appropriate .adm file and import it into the new GPO
B. Install Microsoft Office Communicator on the DC to make the setting available

Testinside
C. Download the appropriate .admx file and import it into the new GPO
D. Download the appropriate .adm file and place it in the Central Store
Answer: A
167. You want to configure account lockout policy so that a locked account will not be unlocked
automatically. Rather, you want to require an administrator to unlock the account. Which configuration
change should you make?
A. Configure the Account Lockout Duration policy setting to 100.
B. Configure the Account Lockout Duration policy setting to 1.
C. Configure the Account Lockout Threshold to 0.
D. Configure the Account Lockout Duration policy setting to 0.
Answer: D
company. The company locates in three different places. An organizational unit and a child organizational
unit named Sales are included by each location. All users and computers of the sales department are
included by the Sales organizational unit. A Microsoft Office 2007 application should be deployed on all
computers within the three Sales organizational units. According to the company requirements, you should
make sure that the Office 2007 application can only be installed on the computers in the Sales
organizational units. Which action should be performed to achieve the goal?
A. A Group Policy Object (GPO) named SalesAPP GPO. And then, the GPO should be configured to
publish the application to the user account. At last, the SalesAPP GPO should be linked to to the Sales
organizational unit in each location.
B. A Group Policy Object (GPO) named SalesAPP GPO. And then, the GPO should be configured to assign
the application to the computer account. At last, the SalesAPP GPO should be linked to to the Sales
organizational unit in each location.
C. A Group Policy Object (GPO) named SalesAPP GPO should be created. And then, the GPO should be
configured to assign the application to the computer account. At last, the SalesAPP GPO should be linked

Testinside
to the domain.
D. A Group Policy Object (GPO) named SalesAPP GPO should be created. And then, the GPO should be
configured to assign the application to the user account. At last, the SalesAPP GPO should be linked to to
the Sales organizational unit in each location.
Answer: B
forest. There is one main office and branch office in two different locations. Both of the locations have an
organizational unit. Hi-tech has instructed you to ensure that the branch office administrators are able to
create and apply GPOs only to their respective organizational unit. Which two actions should you perform
to achieve this task?
A. Add branch administrators for each organizational unit in the Managed By Tab settings.
B. Add the branch office administrators user accounts in the Group Policy Creator Owners Group
C. Execute the Delegation of Control Wizard and delegate the right to link GPOs for their branch
organizational units to the branch administrators
D. Execute the Delegation of Control Wizard and delegate the right to links GPOs for the domain to the
branch office administrators
Answer: BC
170. As you evaluate the password settings objects in your domain, you discover a PSO named PSO1 with
a precedence value of 1 that is linked to a group named Help Desk. Another PSO, named PSO2,with a
precedence value of 99, is linked to a group named Support. Mike Danseglio is a member of both the Help
Desk and Support groups. You discover that two PSOs are linked directly to Mike.PSO3 has a precedence
value of 50, and PSO4 has a precedence value of 200. Which PSO is the resultant PSO for Mike?
A. PSO1
B. PSO2
C. PSO3
D. PSO4
Answer: C

Testinside
domain running Windows Server 2008. The Finance OU (organizational unit) contains an OU for computers,
an OU for groups and an OU for users. As per company policy, you perform daily backups. Another
administrator mistakenly deletes the groups OU. You have to restore the Groups OU without affecting users
and computers in the Finance OU. What should you do to achieve this task?
A. Perform an authoritative restore of the Groups OU
B. Perform a complete restore of the Finance OU
C. Perform a non-authoritative restore of the Finance OU
D. Perform a non-authoritative restore of the Groups OU
Answer: A
172. You work for a large hospital. The main users in the hospital are nurses and doctors. Because they are
always on the go, you set up kiosk stations throughout the hospital for them to log on to and check Web
mail or access applications. The kiosks share one user logon and the nurses and doctors use their personal
accounts to gain access to resources via a browser interface which prompts them for credentials. One
morning a nurse logs onto a kiosk machine and is greeted by extremely offensive wallpaper. How would
you utilize Group Policy to prevent this from happening in the future?
A. Create a Group Policy and apply it to the nurses' user accounts. Disable Display Settings.
B. Create a Group Policy and apply it to the nurses' user accounts. Configure Loopback Processing in
Replace mode.
C. Create a Group Policy and apply it to the kiosk machines. Configure the wallpaper to the company logo
and disable Display Settings.
D. Create a Group Policy and apply it to the kiosk machines. Configure Loopback Processing in Replace
mode.
Answer: D
173. You want to obtain a log that will help you isolate the times of day that failed logons are causing a
user's account to be locked out. Which policy should you configure?
A. Define the Audit Account Logon Events policy setting for Success events in the Default Domain Policy
GPO.

Testinside
B. Define the Audit Account Logon Events policy setting for Failure events in the Default Domain Policy
GPO.
C. Define the Audit Logon Events policy setting for Success events in the Default Domain Policy GPO.
D. Define the Audit Logon Events policy setting for Failure events in the Default Domain Policy GPO.
Answer: B
174. You are hired as the network administrator in your company. You are assigned to relocate the existing
user and computer objects in your company to different organizational units. What are two possible ways to
achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Run the Dsmod utility.
B. Run the Active Directory Migration Tool (ADMT).
C. Run the Active Directory Users and Computers utility.
D. Run the move-item command in the Microsoft Windows PowerShell utility.
Answer: AC
175. You want to keep track of when users log on to computers in the human resources department of
Adventure Works. Which of the following methods will enable you to obtain this information?
A. Configure the policy setting to audit successful account logon events in the Default Domain Controllers
GPO. Examine the event log of the first domain controller you installed in the domain.
B. Configure the policy setting to audit successful logon events in a GPO linked to the OU containing user
accounts for employees in the human resources department. Examine the event logs of each computer in
the human resources department.
C. Configure the policy setting to audit successful logon events in a GPO linked to the OU containing
computer accounts in the human resources department. Examine the event logs of each computer in the
human resources department.
D. Configure the policy setting to audit successful account logon events in a GPO linked to the OU
containing computer accounts in the human resources department. Examine the event logs of each domain
controller.
Answer: C

Testinside
domain which runs Windows Server 2008. A user attempts to log on to the domain from the client computer
using his account. He receives the following message: "This account has expired. Contact your
administrator to reactivate the account".
What should you do to ensure that the user is able to log on to the domain using his account?
A. Open the properties of the user account and change the option to "Never Expire"
B. Open the properties of the user account and extend the Logon Hours setting
C. Open the properties of the user account and modify the default domain policy to decrease the duration of
account lockout.
D. Change the password option to never expire in the user account properties
Answer: A
177. The CIO has asked you to configure a GPO that will ensure that antivirus software is installed on every
computer in the company. You are the most senior administrator in the company and have full access to
every computer, and to Active Directory. Your company has a single domain and site. Which one of the
following actions do you take?
A. You configure a GPO at the domain level, and publish the application to all computers
B. You configure a GPO at the site level, and assign the application to all computers
C. You create a GPO with the required settings and link it into all OUs that have computer accounts in it.
You set the options to assign the application to computers.
D. You tell him it cannot be done.
Answer: D
178. Your domain consists of five domain controllers, one of which is running Windows Server 2008. All
other DCs are running Windows Server 2003. What must you do before installing a read-only domain
controller?
A. Upgrade all domain controllers to Windows Server 2008.
B. Run Adprep /rodcprep.
C. Run Dsmgmt.
D. Run Dcpromo /unattend.

Testinside
Answer: B
Directory infrastructure and maintaining Active Directory objects. There is a head office and five branch
offices in the company. The offices are connected by WAN links. The company has an Active Directory
domain named wiikigo.com. Each branch office has a member server configured as a DNS server. All
branch office DNS servers host a secondary zone for wiikigo.com.
According to the company requirement, the wiikigo.com zone needs to be configured to resolve client
queries for at least four days in the event that a WAN link fails. So what action should you perform?
A. The Refresh interval option for the wiikigo.com zone should be configured to 4 days.
B. The Minimum (default) TTL option for the wiikigo.com zone should be configured to 4 days.
C. The Expire after option for the wiikigo.com zone should be configured to 4 days.
D. The Retry interval option for the wiikigo.com zone should be configured to 4 days.
Answer: C
forest. There is a main office and five branch offices. Each branch office has an organizational unit and a
child organizational unit called Accounts. The Accounts organizational unit contains all users and
computers of the accounts department. You are directed to install Peachtree application only on the
computers in the finance organizational unit. To install the application, you create a GPO named
FinanceApp. What should you do next to achieve this task?
A. Create a GPO to assign application to the user groups in the accounts organizational unit. Link the
FinanceApp GPO to the organizational unit.
B. Create a GPO and assign the application to each computer account. Link the FinanceApp GPO to the
Accounts organizational unit.
C. Configure the GPO to assign the application to the computer account. Link the FinanceApp GPO to the
organizational unit in each location
D. Configure the GPO to assign the application to the organizational unit. Link the FinanceApp GPO to the
Accounts organizational unit.

Testinside
Answer: C
181. During a recent burglary at a branch office of Tailspin Toys, the branch office RODC was stolen. Where
can you find out which users' credentials were stored on the RODC?
A. The Policy Usage tab
B. The membership of the Allowed RODC Password Replication Group
C. The membership of the Denied RODC Password Replication Group
D. The Resultant Policy tab
Answer: A
forest containing eight linked GPOs. One of the eight GPOs publishes applications to user objects. One of
the user reports that the application is not available for installation. You have to identity whether the GPO is
applied. What should you do to achieve this task?
A. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.
B. Run the GPRESULT /S <system name> /Z command at the command prompt.
C. Run the Group Policy Results utility for the computer.
D. Run the Group Policy Results utility for the user.
Answer: D
183. Your company decided not to renew the license agreement for its contact management software. The
software is deployed on systems across many client computers in the company. A single GPO was
configured to install the software, and was linked into multiple places in the Active Directory hierarchy to
accommodate the various user groups that needed the program. You've gone into the GPO and removed
the published object for the software. Now, the object is gone from the GPO but the application is still
installed on the client computers. Which one of the following most likely explains what happened?
A. You left the default option for removal enabled
B. You selected the option to make the removal optional
C. You selected the option to force removal
D. You deleted the software object from the GPO but forgot to select the uninstall options first

Testinside
Answer: B
184. Next week, five users are relocating to one of the ten overseas branch offices of Litware, Inc. Each
branch office contains an RODC. You want to ensure that when the users log on for the first time in the
branch office, they do not experience problems authenticating over the WAN link to the data center. Which
steps should you perform? (Choose all that apply.)
A. Add the five users to the Allowed RODC Password Replication Group.
B. Add the five users to the Password Replication Policy tab of the branch office RODC.
C. Add the five users to the Log On Locally security policy of the Default Domain Controllers Policy GPO.
D. Click Prepopulate Passwords.
Answer: BD
185. You are hired as the network administrator in your company. Your company has a group of consultants.
All consultants belong to a global group named TempWorkers. You were advised to place three file servers
in a new organizational unit named Secureserv. These file servers contain confidential data located in
shared folders. After placing the file servers, you need to record any failed attempts made by the
consultants to access confidential data. Which of the following two actions should you perform to achieve
this task?
A. On each shared folder on the three file servers, add the TempWorkers global groups to the Auditing tab.
configure the Failed Full control setting in the Auditing Entry dialog box.
B. Create and link a new GPO to the SecureServ organizational unit. Configure the Deny access to this
computer from the network user rights setting for the TempWorkers global group.
C. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure the
Failed Full control setting in the Auditing Entry dialog box.
D. Create and link a new GPO to the SecureServ organizational unit. Configure the Audit privilege use
Failure audit policy setting.
E. Create and link a new GPO to the SecureServ organizational unit. Configure the Audit object access
Failure audit policy setting.
Answer: AE

Testinside
186. You are hired as the network administrator in your company. Your company has an organizational unit
called subproduction. The organizational unit has a child organizational unit called Research.
You create a GPO named Software Deployment and link it to the Production organizational unit. You create
a shadow group for the Research organizational unit. You need to deploy an application to users in the
subproduction organizational unit. You also need to ensure that the application is not deployed to users in
the Research organizational unit. What are two possible ways to achieve this goal? (Choose two answers.
Each answer is part of the complete solution)
A. Configure the Enforce setting on the software deployment GPO.
B. Configure the Block Inheritance setting on the subproduction organizational unit.
C. Configure the Block Inheritance setting on the research organizational unit.
D. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the
research security group.
Answer: CD
187. You are an administrator for Hi-tech, Ltd. Your organization has decided to move to Windows Server
2008 and, because of your past experience, you have decided to create a new server implementation
instead of upgrading your existing infrastructure. After the new infrastructure has been created, you will
move all data-accounts, directory settings, and more-to the new forest you will implement with Windows
Server 2008. You have been asked to create the initial forest structure. This forest includes a root domain, a
global child production domain, and a domain tree. The forest is named with a .net extension, and the
domain tree uses a .ms extension to differentiate it from the production forest. You successfully create the
forest root domain and the child domain, but when you come to the domain tree, you find that you cannot
locate the domain tree option. What could be the problem?
A. You cannot create a domain tree with the Active Directory Domain Services Installation Wizard. You must
use the command-line Dcpromo.exe command to do so.
B. You are not logged on with the appropriate credentials.
C. You must return to the Welcome page of the wizard to select the Advanced mode of the wizard.
D. The server you are using is not a member of the forest root domain.
Answer: C

Testinside
188. This morning you deployed an application by assigning it to computers, and then many of the
applications failed. On some systems the application installed just fine, on others it only partially installed,
and on still others it failed very early in the process. You figured out what went wrong, and have modified
the MSI file. Which one of the following should you do to correct the problem?
A. You should do a forced removal of the software
B. You should delete and re-create the deployment object in group policy
C. You should redeploy the software
D. You should begin manually troubleshooting the workstations that had problems
Answer: C
189. You are an administrator for Hi-tech, Ltd. Your organization has decided to move to Windows Server
2008 and, because of your past experience, you have decided to create a new server implementation
instead of upgrading your existing infrastructure. After the new infrastructure has been created, you will
move all data-accounts, directory settings, and more-to the new forest you will implement with Windows
Server 2008. You have been asked to create the initial forest structure. This forest includes a root domain, a
global child production domain, and a domain tree. The forest is named with a .net extension, and the
domain tree uses a .ms extension to differentiate it from the production forest. You successfully create the
forest root domain and the child domain, but when you come to the domain tree, you find that you cannot
create the delegation, no matter which options you try or which credentials you provide. What could be the
problem? (Choose all that apply.)
A. You must select the advanced mode of the wizard to create the delegation.
B. You must create a manual delegation before creating the domain tree.
C. You must tell the wizard to create the delegation during the creation of the domain tree and provide
appropriate credentials.
D. You must tell the wizard to omit the creation of the delegation during the creation of the domain tree.
E. You must create the delegation manually after the domain tree has been created.
Answer: BD

Testinside
company network. Two domains are contained in this forest. All servers run Windows Server 2008. All
domain controllers are configured as DNS servers. You have a standard primary zone for dev.wiikigo.com
that is stored on a member server. You have to make sure that all domain controllers can resolve names
from the dev.wiikigo.com zone. What action should you perform?
A. A conditional forwarder should be created on one domain controller. The conditional forwarder should be
configured to replicate to all DNS servers in the domain.
B. A stub zone should be created on the member server.
C. A NS record for each domain controller should be created on the member server.
D. A conditional forwarder should be created on one domain controller. The conditional forwarder should be
configured to replicate to all DNS servers in the forest.
Answer: D
domain with an organizational unit called Sales. This organizational unit hosts two global security groups
named Sales directors and Sales executives. Hi-tech has instructed you to apply desktop restrictions to the
sales executives group. However, the desktop restrictions should not be applied to the Sales directors
group. You create a GPO named Desktop Lockdown and link it to the Sales organizational unit. What
should you do next?
A. Set the Deny Apply Group Policy permission for the Sales directors on the DesktopLockdown GPO
B. Set the Deny Apply Group Policy permission for the Sales Executives on the DesktopLockdown GPO
C. Set the Allow Apply Group Policy permission for the Local domain users on DesktopLockdown GPO
D. Set the Allow Apply Group Policy permission for the Authenticated Users on DesktopLockdown GPO
Answer: A
192. You are an administrator at Trey Research. The Trey Research forest consists of three domains, each
of which includes two domain controllers running Windows Server 2003. You want to upgrade one of the
domain controllers to Windows Server 2008. What must you do first?
A. Upgrade the domain controller's operating system to Windows Server 2008.
B. Run the Adprep.exe /domainprep /gpprep command.

Testinside
C. Run the Active Directory Domain Services Installation Wizard.
D. Run the Adprep.exe /forestprep command.
E. Run the Adprep.exe /rodcprep command.
Answer: D
193. You work for a small accounting firm. Recently your boss, the owner of the company, read an article
about weaknesses in password security. He's asked that you require everyone in the company to change
his or her password every 30 days, and to have to use at least 12 different passwords per year. Which of
the following settings do you configure in the Default Domain Policy? (Select all that apply.)
A. You set the Maximum password age option to 30
B. You set the Enforce password history option to 12
C. You set the Minimum password age option to 15
D. You disable the Passwords must meet complexity requirements option
Answer: AC
forest that contains Windows Server 2008 domain controllers and DNS servers. All client computers run
Windows XP. You need to use your client computers to edit domain-based GPOs by using the ADMX files
that are stored in the ADMX central store. What should you do?
A. Add your account to the Domain Admins group.
B. Create a folder on the Primary Domain Controller (PDC) emulator for the domain in the PolicyDefinitions
path. Copy the ADMX files to the PolicyDefinitions folder.
C. Upgrade your client computers to Windows Vista.
D. Install .NET Framework 3.0 on your client computer.
Answer: C
195. You are an administrator at Hi-tech, Ltd. The domain was built using Windows Server 2008 domain
controllers. You want to improve authentication at a remote site by promoting a member server at the site to
a read-only domain controller. There is no IT support at the site, so you want the site's manager to perform
the promotion. You do not want to give her administrative credentials in the domain. Which steps must you

Testinside
or the manager take? (Choose all that apply. Each correct answer is part of the solution.)
A. Run Adprep /rodcprep.
B. Create the RODC account in the Domain Controllers OU.
C. Run Dcpromo.exe with the UseExistingAccount option.
D. Remove the server from the domain.
Answer: BCD
196. You are working in a Windows Server 2008 PKI and going over various user profiles that are subject to
deletion due to company policy. The public keys for these users are stored under Documents and
Settings\Administrator\System Certificates\My\Certificates and the private keys would be under Documents
and Settings\Administrator\Crypto\RSA. You possess copies of the public keys in the registry, and in Active
Directory. What effect will the deletion of the user profile have on the private key?
A. It will have no effect.
B. It will be replaced by the public key that is stored.
C. The Private Key will be lost.
D. None of the above.
Answer: C
197. You are hired as the network administrator in your company. Your company has a network with a
single Active Directory domain. There are two domain controllers installed which run Windows Server 2008.
You have enabled the Audit account management policy and Audit directory services access settings for
the entire domain. You must ensure that the changes made to Active Directory objects are logged. The
changes logged must show the old and new values of any attribute. What should you do to achieve this
task?
A. Enable the Audit Directory services access setting and directory service changes by accessing Default
Domain Controllers policy
B. Disable Audit account management policy and enable it again
C. Execute auditpol.exe and configure the security settings of the domain controllers Organizational unit
D. Execute Audipol.exe and disable the default domain policy
Answer: C

Testinside
198. You want to promote a server to act as a domain controller, but you are concerned about the
replication traffic that will occur during the promotion and its impact on the slow link between the server's
site and the data center where all other domain controllers are located, so you choose to promote the
server, using a backup of the directory from another domain controller. What must you do to create the
installation media?
A. Run Ntbackup.exe and select System State.
B. Install the Windows Server Backup Features.
C. Run Ntdsutil.exe in the IFM mode and use the Create Sysvol Full command.
D. Copy ntds.dit and SYSVOL from a domain controller to a location in the remote site.
Answer: C
forest with a single domain. The domain has Windows Server 2008 at its functional level. You are instructed
to create a global distribution group and add users to it. After creating the group and adding users, you
create a shared folder on a Windows Server 2008 member server and place the global distribution group in
a domain local group that has access to the shared folder. What should you do to ensure that the users can
access the shared folder?
A. Rename the global distribution group to a universal distribution group
B. Change the forest functional level to Windows Server 2008
C. Add Domain Administrators to the global distribution group
D. Modify the group type of the global distribution group to a security group
Answer: D
200. You are an administrator at Hi-tech, Ltd. The hi-tech.com domain consists of two sites. At the
headquarters, one domain controller, named SERVER01, is a GC server and performs all five operations
master roles. The second domain controller at the headquarters is named SERVER02. SERVER02 is not a
GC and performs no operations master roles. At the branch office, the domain controller is named
SERVER03, and it is a GC server. Which change to the operations master role placement must you make?
A. Transfer the infrastructure master to SERVER03.

Testinside
B. Transfer the RID master to SERVER02.
C. Transfer the schema master to SERVER02.
D. Transfer the domain naming master to SERVER03.
E. Transfer the infrastructure master to SERVER02.
Answer: E
your company. All consultants belong to a global group named TempWorkers. The TempWorkers group is
not nested in any other groups. You have the computer objects of three file servers moved to a new
organizational unit named SecureServers. These file servers contain only confidential data in shared
folders.
According to the company requirement, you have to prevent members of the TempWorkers group from
accessing the confidential data on the file servers. When you try to achieve this, you must make sure that
you do not affect access to other domain resources.
So what action should you perform?
A. A new GPO should be created and it should be linked to the SecureServers organizational unit. The
Deny log on locally user right should be assigned to the TempWorkers global group.
B. A new GPO should be created and it should be linked to the domain. The Deny log on locally user right
should be assigned to the TempWorkers global group.
C. A new GPO should be created and it should be linked to the domain. The Deny access to this computer
should be assigned from the network user right to the TempWorkers global group.
D. A new GPO should be created and it should be linked to the SecureServers organizational unit. The
Deny access to this computer should be assigned from the network user right to the TempWorkers global
group.
Answer: D
202. You are hired as the network administrator in your company. Your company network consists of a

Testinside
single Active Directory domain. The functional level of the forest is Windows Server 2008. You need to
create multiple password policies for users in your domain. What should you do?
A. From the ADSI Edit snap-in, create multiple Password Setting objects.
B. From the Group Policy Management snap-in, create multiple Group Policy objects.
C. From the Schema snap-in, create multiple class schema objects.
D. From the Security Configuration Wizard, create multiple security policies.
Answer: A
203. You are an administrator at Hi-tech, Ltd. The forest consists of two domains, hi-tech.com and
windows.hi-tech.com. Currently, SERVER02.windows.hi-tech.com performs all five operations master roles.
You are going to decommission the windows.hi-tech.com domain and move all accounts into hi-tech.com.
You want to transfer all operations masters to SERVER01.hi-tech.com. Which operations masters do you
transfer? (Choose all that apply.)
A. Infrastructure master
B. PDC emulator
C. RID master
D. Schema master
E. Domain naming master
Answer: DE
204. You are browsing your company's e-commerce site using Internet Explorer 7 and have added a
number of products to the shopping cart. You notice that there is a padlock symbol in the browser. By right
clicking this symbol you will be able to view information concerning the site's:
A. Private Key.
B. Public Key.
C. Information Architecture.
D. Certificates.
Answer: D

Testinside
forest which runs Windows Server 2008. It has branch offices all around the world. The forest includes
finance organizational units for an office in the following locations:
New York
London
Amsterdam
Rome
Each location has a child organizational unit named finance. The finance organizational unit hosts all the
users and computers in the finance department. The offices in London and, Amsterdam and New York are
connected by T1 connections. However, the office in Rome is connected by a 128-Kbps ISDN connection.
The company has instructed you to install an application on all computers in the finance department. Which
two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the
complete solution)
A. Create a Group Policy Object (GPO) named accountingtree Install that assigns the application to the
computers. Link the GPO to each finance organizational unit
B. Create a GPO named accounting tree install that assigns the application to each user in the
organizational unit. Link the GPO to each finance organizational unit
C. Change the slow link detection setting to 2,544 Kbps (T1) in the GPO
D. Disable the slow link detection setting in the GPO
Answer: AC
206. You are an administrator at Hi-tech, Ltd. The hi-tech.com domain has five domain controllers. You
want to move all domain operations masters to SERVER02.hi-tech.com. Which masters do you move?
(Choose all that apply.)
A. Infrastructure master
B. PDC emulator
C. RID master
D. Schema master
E. Domain naming master
Answer: ABC

Testinside
207. Hi-tech.com has an Active Directory forest that hosts client computers running Windows Vista and
Windows XP. Hi-tech .com has directed you to ensure that users are able to install approved application
updates on their computers. Which of the following two actions should you perform to achieve this task?
(Choose two answers. Each answer is part of the complete solution)
A. Create a GPO and link it to the domain. Configure the GPO to direct client computers to the Microsoft
WSUS server for approved updates
B. In the environment, install the Microsoft WSUS application on a server and configure the server to
search for new updates on the internet. Configure it to approve all required updates.
C. Configure automatic updates in the control panel of client computers
D. Create a GPO and link it to the server. Configure the GPO to automatically search for updates on
Microsoft update site
Answer: AB
208. You are an administrator at Trey Research. Your domain consists of three domain controllers, two
running Windows Server 2008 and one running Windows Server 2003. The forest root domain has two
domain controllers, both running Windows Server 2003. You want to replicate SYSVOL in your domain,
using DFS-R. What steps must you take? (Choose all that apply. Each correct answer is part of the
solution.)
A. Upgrade the forest root domain controllers to Windows Server 2008.
B. Configure the forest functional level to Windows Server 2008.
C. Upgrade your Windows Server 2003 domain controller to Windows Server 2008.
D. Configure the domain functional level of your domain to Windows Server 2008.
E. Configure the domain functional level of the forest root domain to Windows Server 2008.
Answer: CD
209. You are hired as the network administrator in your company. Your company has a network that
consists of a single Active Directory domain. Windows Server 2008 is installed on all domain controllers in
the network. You are instructed to capture all replication errors from all domain controllers to a central
location. What should you do to achieve this task?
A. Initiate the Active Directory Diagnostics data collector set

Testinside
B. Set event log subscriptions and configure it
C. Initiate the System Performance data collector set
D. Create a new capture in the Network Monitor
Answer: B
210. You are the administrator of your company's Windows Server 2008-based network and are attempting
to enroll a smart card and configure it at an enrollment station. Which of the following certificates must be
requested in order to accomplish this action?
A. A machine certificate.
B. An application certificate.
C. A user certificate.
D. All of the above.
Answer: C
211. You are hired as the network administrator in your company. Your company has file server located in
an organizational unit named Salaries. The files servers have salaries files in a folder named salaries. You
create a GPO. You have to track which employees access the salaries files on the file servers. What should
you do you achieve this task?
A. Enable AUDIT object access option. Link the GPO to the Salaries organizational unit. On the file servers,
configure Auditing for the Everyone group in the Payroll folder.
B. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the file
servers, configure Auditing for the Everyone group in the Payroll folder.
C. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configure
Auditing for the Authenticated Users group in the Payroll folder.
D. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. On
the file servers, configure Auditing for the Authenticated Users group in the Payroll folder.
Answer: A

Testinside
company. And a single domain is included by the Active Directory forest. An Active Directory Federation
Services (AD FS) server role is installed on the domain member server. Since you are the technical support,
you are required to have AD FS configured so as to make sure that
information from the Active Directory domain is included by AD FS tokens. Which action should be
A. To achieve the goal, a new resource partner should be added and configured.
B. To achieve the goal, a Claims-aware application should be added and configured.
C. To achieve the goal, a new account store should be added and configured.
D. To achieve the goal, a new account partner should be added and configured.
Answer: C
213. You want to configure Active Directory so that replication of logon scripts is managed using DFS-R.
Which command do you use?
A. Dfsrmig.exe
B. Repadmin.exe
C. Dfsutil.exe
D. Dfscmd.exe
Answer: A
214. Two users, Dave and Dixine, wish to communicate privately. Dave and Dixine each own a key pair
consisting of a public key and a private key. A public key was used to encrypt a message and the
corresponding private key was used to decrypt. What is the major security issue with this scenario?
A. Private keys are revealed during the initial transaction.
B. Information encrypted with a public key can be decrypted too easily with out the private key.
C. An attacker can intercept the data mid-stream, and replace the original signature with his or her own,
using his private key.
D. None of the Above
Answer: C

Testinside
215. You are hired as the network administrator in your company. Your company has a domain controller
that runs Windows Server 2008. The server is a backup server with a single 500-GB hard disk and has
three partitions for the applications, operating system and data. As per company policy, you perform daily
backups of the server. The hard disk fails and you replace the hard disk with a new one of same capacity.
After restarting the computer on the installation media, you select repair your computer option. You want to
restore the operating system and all the other files. What should you do to achieve this task?
A. Do the startup repair
B. Perform the System Restore
C. At the command prompt, execute wbadmin utility
D. Perform the Disk defragment
Answer: C
216. Client computers in a branch office are performing poorly during logon. You notice that the computers
report that their logon server is a domain controller in a remote site rather than the domain controller in the
branch office itself. Which of the following could cause this problem?
A. The branch office domain controller is not assigned to a site.
B. The branch office site is not assigned to a site link.
C. The branch office IP address range is not associated with the site.
D. The branch office subnet is assigned to two sites.
Answer: C
Directory domain and two domain controllers which run Windows Server 2008. Due to a problem, you need
to reset the Directory Services Recovery Mode (DSRM) password on one domain controller. What tool
should you use to achieve this task?
A. Active Directory Security for Computers snap-in
B. Netsh
C. ntdsutil
D. Domain Controller security snap-in
E. All of the above

Testinside
Answer: C
218. You are responsible for performing backups on the DCs on your network. Your boss has requested
that you conduct system state backups to DVD. How do you accomplish this?
A. Run the Windows Server Backup Wizard, select System State Backup, and set your target to the DVD
drive
B. Run the Windows Server Backup Wizard, select a local drive as the target, and then copy the system
state backup to the DVD drive
C. Run the wbadmin.exe command with the start systemstatebackup command and target it to the DVD
drive
D. Run the wbadmin.exe command with the start systemstatebackup command, set the target to a local
fixed drive, and then copy the system state backup to a DVD
Answer: D
domain called ad. Hi-tech .com. There are two domain controllers on the network: Server01 and Server02.
Other administrators try to log on to the domain controllers but their logon attempts fail. You have to identify
the logon attempts on the domain controllers. What should you do to achieve this task?
A. Check the security tab on the domain controller computer object
B. Access the Event Viewer
C. Check the security data on domain controller event viewer
D. Execute netsh/events command on the command prompt
Answer: B
220. You are adding a read-only domain controller to a branch office location. You want to ensure that
clients in the branch office are likely to authenticate with the RODC. What is required? (Choose all that
apply.)
A. A subnet object with the network prefix of the branch office IP address range
B. An account for the domain controller in the organizational unit for the site
C. A site link transport for the site

Testinside
D. A site object for the branch office
E. A server object in the site object for the branch office
Answer: ADE
221. You are the network administrator at your company. The Active Directory database file on one of your
DCs is corrupt. You decide to perform a nonauthoritative restore on the DC. You reboot the server into
DSRM and try to log on as the domain administrator but you cannot. You need to get this DC back up and
functioning as soon as possible. What can you do to achieve this?
A. Log on to the server with another domain administrator's account
B. Log on to the server using the local administrator's account
C. Change the domain administrator's password from another DC and then log on using the account with
the new password
D. Log on using the DSRM administrator's account and password
Answer: D
222. As an administrator at You are hired as the network administrator in your company. Your company, you
create 200 new user accounts. The users are located in six different sites. The users report that when they
try to log on, they receive the following error message: "The username or password is incorrect" You
confirm that the user accounts exist and are enabled. You also confirm that the username and password
are correct too. You have to identity the cause of this failure. You also need to ensure that the new users are
able to log on using their accounts. What should you do to achieve this task?
A. Repadmin
B. Rsdiag
C. Active Directory Domains and Trusts
D. Rstools
Answer: A

Testinside
company. You have the domain controller logged on to. You find that you cannot access the Active Directory
Schema snap-in in the Microsoft Management Console (MMC). Since you are the technical support, you
are required to make sure that the Active Directory Schema snap-in is available.
Which action should you perform to achieve the goal?
A. To achieve the goal, you should connect to the schema master operations master and open the schema
for writing by utilizing the Ntdsutil.exe command.
B. To achieve the goal, you should have the Active Directory Lightweight Directory Services (AD LDS) role
added to the domain controller by utilizing Server Manager.
C. To achieve the goal, you should register Schmmgmt.dll.
D. To achieve the goal, you should utilize an account that is a member of the Schema Admins group to log
off and log on again.
Answer: C
Directory infrastructure and maintaining Active Directory objects. There is a current Active Directory site
named S01. You have a new Active Directory site created and name it S02. Since you are the technical
support, you are required to configure Active Directory replication between S01 and S02. A new domain
controller is installed. And the site link between S01 and S02 is created. To achieve the goal, which action
should be performed next?
A. To achieve the goal, the Active Directory Sites and Services console should be utilized to assign a new
IP subnet to S02. And then, the new domain controller object should be migrated to S02.
B. To achieve the goal, the Active Directory Sites and Services console should be utilized to configure the
new domain controller as a preferred bridgehead server for S01.
C. To achieve the goal, the Active Directory Sites and Services console should be utilized to configure a
new site link bridge object.
D. To achieve the goal, the Active Directory Sites and Services console should be utilized to decrease the
site link cost between S01 and S02.
Answer: A

Testinside
225. A branch office is connected to the data center with a slow link that is not reliable. You want to ensure
that the domain controller in the branch is able to authenticate users when it cannot contact a global catalog
server. Which of the following should you configure?
A. Read-only domain controller
B. Application directory partition
C. Intersite replication
D. Universal group membership caching
Answer: D
226. You are the domain administrator for your company. Your network consists of multiple DCs at multiple
sites. A DC at your local site is having problems with replicating. You need to know when this DC last
attempted to perform an inbound replication on the Active Directory partitions. How would you accomplish
this?
A. Open a command prompt on the DC and run ntdsutil
B. Open a command prompt on the DC and run repadmin /replicate
C. Open a command prompt on the DC and run repadmin /rodcpwdrepl
D. Open a command prompt on the DC and run repadmin /showrepl
Answer: D
227. You are hired as the network administrator in your company. Hi-tech .com runs Window Server 2008
on all of its servers. It has a single Active Directory domain and it uses Enterprise Certificate Authority. The
security policy at Hi-tech .com makes it necessary to examine revoked certificate information. You need to
make sure that the revoked certificate information is available at all times.
What should you do to achieve that?
A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer certificates and
link the GPO to the domain.
B. Configure and use a GPO to publish a list of trusted certificate authorities to the domain
C. Configure and publish an OCSP (Online certificate status protocol) responder through ISAS (Internet
Security and Acceleration Server) array.
D. Use network load balancing and publish an OCSP responder

Testinside
Answer: D
228. You are hired as the network administrator in your company. Your company has a server that runs
Windows Server 2008. The Enterprise Root CA is also installed on the server. The Security policy prevents
port 443 and port 80 from being opened on domain controllers and on the issuing CA. You have to allow
users to request certificates from a web interface. To do that, you install AD CS role. What should you do
next?
A. Configure the Certification Authority Web Enrollment Role Service on a member server.
B. Configure the Online Responder Role Service on a member server.
C. Configure the Certification Authority Web Enrollment Role Service on a domain controller.
D. Configure the Online Responder Role Service on a domain controller.
Answer: A
229. You are the administrator at Hi-tech, Ltd. The Hi-tech forest consists of three domains, each with four
domain controllers. You are preparing to demote a domain controller in the forest root domain.You want to
be sure that you do not permanently destroy any Active Directory partitions. Which of the following Active
Directory partitions might exist only on that domain controller? (Choose all that apply.)
A. Schema
B. Configuration
C. Domain
D. Partial attribute set
E. Application directory partition
Answer: DE
domain. As an administrator, you plan to install the Active Directory Certificate Service (AD CS) role on a
member server running Windows Server 2008. You have to make sure that the Account Operators group is
able to issue smartcard credentials without being able to revoke certificate.
Which of the following three actions should you perform to achieve this task?
A. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.

Testinside
B. Install the AD CS role and configure it as a Standalone CA.
C. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.
D. Install the AD CS role and configure it as an Enterprise Root CA.
E. Create an Enrollment Agent certificate.
F. Create a Smartcard logon certificate.
Answer: ADF
231. You are hired as the network administrator in your company. Your company employs Windows Server
2008 Enterprise certificate authority (CA) to issue certificates. You're instructed to implement key archival.
A. On the server, archive the private key
B. Configure Hisecdc security template
C. Revoke the Enterprise subordinate CA and issue a user certificate to users of the encrypted files
D. Configure the automatic enrollement for the computers that store encrypted files
Answer: A
232. You are the domain administrator for your company. At your site you have a single DC that also acts as
an application server. From 10:00 a.m. to 4:00 p.m., users complain about slow logons to the network and
that accessing resources from this DC is incredibly slow during most of the workday. You log on to the DC,
pull up the Task Manager, and notice that a process called CustApp.exe is using just more than 90% of the
CPU cycles. The application must remain running during the day, but you also need to resolve the slow
logon issues. There is no money in the budget for additional hardware. What is the best way to handle this
situation?
A. Go into the Windows System Resource Manager on the DC, and create a new recurring calendar event
to start at 8:00 a.m. and end at 5:00 p.m. daily. Associate the event with the Equal_Per_Process policy.
B. Go into the Task Manager and into the Processes tab. Find CustApp.exe and set the priority to Below
Normal.
C. Go into the Task Manager and into the Process tab. Find CustApp.exe and end the process.
D. Purchase a second server to run only the CustApp.exe application
Answer: A

Testinside
233. You are hired as the network administrator in your company. Your company has a server that runs
Windows Server 2008. Primarily this server has certification services configured as a stand-alone
Certification Authority (CA). As per company policy, you are required to audit changes to the CA
configuration setting and the CA security settings. Which two actions should you perform to achieve this
task? (Choose two answers. Each answer is part of the complete solution)
A. Open the Certification services snap-in and configure auditing
B. Enable and configure the Audit object Access setting in the local security policy for the certification
services server
C. Configure the certification services server to log successful and failed attempts to change permissions
on files in %SYSTEM32%\CertSrv directory
D. Open the Certification services snap-in and configure auditing for security settings
Answer: AB
234. You want to configure all the existing domain controllers in your forest as global catalog servers. Which
tools can you use to achieve this goal? (Choose all that apply.)
A. Dcpromo.exe
B. Active Directory Domain Services Installation Wizard
C. Active Directory Sites and Services snap-in
D. Active Directory Users and Computers snap-in
E. Active Directory Domains and Trusts snap-in
Answer: C
Directory infrastructure and maintaining Active Directory objects. Nine new employees are hired by your
company. The new employees should connect to the main office through a VPN connection. New user
accounts are created and the new employees are granted the Allow Read and Allow Execute permissions
to shared resources in the head office. Shared resources in the head office cannot be accessed by the new
employees. Since you are the technical support, you are required to make sure that users are enabled to

Testinside
create a VPN connection to the head office. Which action should be performed to achieve the goal?
A. To achieve the goal, the new employees should be added to the Windows Authorization Access security
group.
B. To achieve the goal, the new employees should be granted the Allow Full control permission.
C. To achieve the goal, the new employees should be granted the Allow Access Dial-in permission.
D. To achieve the goal, the new employees should be added to the Remote Desktop Users security group.
Answer: C
236. The network infrastructure at Trey Research prevents direct IP connectivity between the data center
and a research ship at sea. What must you do to support replication between the data center and the ship?
A. Configure a separate domain in the forest for the ship.
B. Increase the cost of the Active Directory site link containing the headquarters and the ship.
C. Configure the domain controller on the ship as a preferred bridgehead server.
D. Manually create a connection object between the domain controller on the ship and a domain controller
at the headquarters.
Answer: A
237. You are hired as the network administrator in your company. Your company has servers that run
Windows Server 2008. You administer 2 servers named SERVER01 and SERVER02. You have installed
the enterprise root certification authority (CA) on SERVER01 and Online Responder role service on
SERVER02. You want the SERVER01 to support the online responder. What should you do to configure
online responder on SERVER01?
A. On SERVER01, configure Authority Information Access (AIA) extension
B. Configure CertPublishers group on SERVER01 and SERVER02
C. Configure Dual Certificate List extension on SERVER01 and SERVER02
D. Create a conventional Group Policy Object (GPO) and import enterprise root CA certificate. Link the
GPO to SERVER01
Answer: A
238. You want to initiate replication manually between two domain controllers to verify that replication is

Testinside
functioning correctly. Which of the following tools can you use? (Choose all that apply.)
A. The Active Directory Sites And Services snap-in
B. Repadmin.exe
C. Dcdiag.exe
D. The Active Directory Domains And Trusts snap-in
Answer: AB
239. You are hired as the network administrator in your company. Your company runs Window Server 2008
on all of its servers. It has a single Active Directory domain and it uses Enterprise Certificate Authority. The
security policy at Hi-tech.com makes it necessary to examine revoked certificate information. You need to
make sure that the revoked certificate information is available at all times.
What should you do to achieve that?
A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer certificates and
link the GPO to the domain.
B. Configure and use a GPO to publish a list of trusted certificate authorities to the domain
C. Configure and publish an OCSP (Online certificate status protocol) responder through ISAS (Internet
Security and Acceleration Server) array.
D. Use network load balancing and publish an OCSP responder
Answer: D
240. You want to raise the domain functional level of a domain in the hi-tech.com forest. Which tool can you
use? (Choose all that apply.)
A. Active Directory Users And Computers
B. Active Directory Schema
C. Active Directory Sites And Services
D. Active Directory Domains And Trusts
Answer: AD
241. You are an administrator of the hi-tech.com domain. You want to add a read-only domain controller to
a domain with one Windows Server 2003 domain controller and one Windows 2008 domain controller.

Testinside
Which of the following must be done before adding a new server as an RODC? (Choose all that apply. Each
correct answer is part of the solution.)
A. Upgrade the Windows 2003 domain controller to Windows Server 2008.
B. Raise the domain functional level to Windows Server 2003.
C. Raise the domain functional level to Windows Server 2008.
D. Raise the forest functional level to Windows Server 2003.
E. Run Adprep /rodcprep.
F. Run Adprep /forestprep.
Answer: BDE
242. You have just finished upgrading all domain controllers in the hi-tech.com domain to Windows Server
2008. Domain controllers in the subsidiary.hi-tech.com domain will be upgraded in three months. You want
to configure fine-grained password policies for several groups of users in hi-tech.com. What must you do
first?
A. Install a read-only domain controller.
B. Run Dfsrmig.exe.
C. Raise the forest functional level.
D. Install the Group Policy Management Console (GPMC) feature
Answer: C
243. You are an administrator at Wingtip Toys, which has just acquired Tailspin Toys. You have created a
one-way outgoing trust to enable users in the tailspintoys.com domain to access resources that have been
moved into the wingtiptoys.com domain. Some users from tailspintoys.com are able to access the
resources successfully, but other users are reporting that they are unable to gain access to the resources.
You discover that the users having problems have worked for Tailspin Toys for eight or more years and that
their accounts were migrated from a Windows NT 4.0 domain. What must you do to enable them to gain
access to the resources? (Choose all that apply.)
A. Create accounts in the wingtiptoys.com domain with the same user names and passwords as their
accounts in the tailspintoys.com domain.
B. Rebuild the Windows NT 4.0 domain and upgrade a domain controller to Windows Server 2008.

Testinside
C. Run the Netdom trust command with the /verify parameter.
D. Run the Netdom trust command with the /quarantine:no parameter.
Answer: CD
244. You are a systems administrator for hi-tech.com. You have been requested to compact the database
on one of the two DCs for the forest root domain. However, when you try to stop the AD DS service, you find
that you cannot stop it on the server you are working on. What could be the problem?
A. You cannot stop the AD DS service on a Windows Server 2008 DC.
B. Someone else is working on another DC in this domain.
C. You must restart the server in Directory Services Restore Mode.
D. You must use the net stop command to stop the AD DS service.
Answer: B
245. You are a systems administrator at hi-tech.com. As you log on to a DC to perform maintenance, you
get the impression that server response is sluggish. You want to verify what is going on. Which tool should
you use? (Choose all that apply.)
A. Reliability Monitor
B. Event Viewer
C. Task Manager
D. Performance Monitor
Answer: ABCD
contained by your network. Windows Server 2003 is run by all domain controllers. All domain controllers are
upgraded to Windows Server 2008. Since you are the technical support, you are required to make sure that
the Sysvol share replicates by utilizing DFS Replication (DFS-R).
A. From the command prompt, dfsutil /addroot:sysvol should be run.

Testinside
B. The functional level of the domain should be raised to Windows Server 2008.
C. From the command prompt, dcpromo /unattend:unattendfile.xml should be run.
D. From the command prompt, netdom /reset should be run.
Answer: B
domain. As an administrator, you plan to install the Active Directory Certificate Service (AD CS) role on a
member server running Windows Server 2008. You have to make sure that the Account Operators group is
able to issue smartcard credentials without being able to revoke certificate.
Which of the following three actions should you perform to achieve this task?
A. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.
B. Install the AD CS role and configure it as a Standalone CA.
C. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.
D. Install the AD CS role and configure it as an Enterprise Root CA.
E. Create an Enrollment Agent certificate.
F. Create a Smartcard logon certificate.
Answer: ADF
Directory infrastructure and maintaining Active Directory objects. You have a domain controller that runs the
DHCP service. You need to perform an offline defragmentation of the Active Directory database on the
domain controller. You must achieve this goal without affecting the availability of the DHCP service. What
should you do?
A. The Active Directory Domain Services service should be stopped. The Ntdsutil utility should be run.
B. The domain controller should be restarted in Directory Services Restore Mode. The Ntdsutil utility should
be run.
C. The Active Directory Domain Services service should be stopped. The Disk Defragmenter utility should
be run.
D. The domain controller should be restarted in Directory Services Restore Mode. The Disk Defragmenter

Testinside
utility should be run.
Answer: A
company. Windows Server 2008 is run by all servers. An Enterprise Root certification authority (CA) is run
by your company. You have to make sure that only administrators can sign code. So what should you do?
(Choose more than one)
A. The security settings on the template should be modified to allow only administrators to request code
signing certificates.
B. The local computer policy of the Enterprise Root CA should be edited to allow only administrators to
manage Trusted Publishers.
C. The code signing template should be published.
D. The local computer policy of the Enterprise Root CA should be edited to allow users to trust peer
certificates and allow only administrators to apply the policy.
Answer: AC
your company. An Enterprise Root certification authority (CA) is installed on a member server named S01.
Since you are the technical support, you are required to make sure that only the Security Manager is
enabled to revoke certificates which are provided by S01. Which action should be performed to achieve the
goal?
A. To achieve the goal, the Allow - Manage CA permission should be assigned to only the Security Manager
user account.
B. To achieve the goal, the Allow - Issue and Manage Certificates permission should be assigned to only
the Security Manager user account.
C. To achieve the goal, the Request Certificates permission should be removed from the Domain Users

Testinside
group.
D. To achieve the goal, the Request Certificates permission should be removed from the Authenticated
Users group.
Answer: B
your company. And Windows Server 2008 is run by the Active Directory domain. An OU for Computers, an
OU for Groups, and an OU for Users are included by the Sales OU. Nightly backups are performed. The
Groups OU is deleted by an administrator. Since you are the technical support, you are required to restore
the Groups OU, and users and computers in the Sales OU should not be affected. Which action should be
A. To achieve the goal, a non-authoritative restore of the Groups OU should be performed.
B. To achieve the goal, a non-authoritative restore of the Sales OU should be performed.
C. To achieve the goal, an authoritative restore of the Sales OU should be performed.
D. To achieve the goal, an authoritative restore of the Groups OU should be performed.
Answer: D
company. An organizational unit and a child organizational unit named Sales are contained by each branch
office. All users and computers of the sales department are included by the Sales organizational unit. Since
you are the technical support, you are required to have a Microsoft Office 2007 application installed only on
the computers in the Sales organizational unit. A GPO named SApplication GPO should be created. Which
action should be performed next?
A. The GPO should be configured to assign the application to the computer account. And then, the
SApplication GPO should be linked to the domain.
B. The GPO should be configured to assign the application to the user account. And then, the SApplication

Testinside
GPO should be linked to the Sales organizational unit in each location.
C. The GPO should be configured to publish the application to the user account. And then, the SApplication
GPO should be linked to the Sales organizational unit in each location.
D. The GPO should be configured to assign the application to the computer account. And then, the
SApplication GPO should be linked to the Sales organizational unit in each location.
Answer: D
Directory infrastructure and maintaining Active Directory objects. It is reported by a user in a branch office of
your company that he fails to join a computer to the domain. Since you are the technical support, you are
required to enable the user to join a single computer to the domain. In addition, you should make sure that
only rights which are necessary to finish the task should be given to the user. Which action should be
A. To achieve the goal, the user to the Server Operators group should be added in the Active Directory
domain.
B. To achieve the goal, the user the right should be granted to log on locally by utilizing a Group Policy
Object (GPO).
C. To achieve the goal, the computer account should be prestaged in the Active Directory domain.
D. To achieve the goal, the user to the Domain Administrators group should be added for one day.
Answer: C
contained by your network. And nine domain controllers are included by the domain. Windows Server 2008
is run by the domain controllers. In addition, the domain controllers are configured as DNS servers. A new
Active Directory-integrated zone will be created. According to the company requirements, you should make
sure that the new zone is only copied to four of your domain controllers. Which actions should be performed
first?

Testinside
A. From the command prompt, dnscmd should be run and the /enlistdirectorypartition parameter should be
specified.
B. From the command prompt, dnscmd should be run and the /createdirectorypartition parameter should be
specified.
C. A new delegation should be created in the ForestDnsZones application directory partition.
D. A new delegation should be created in the DomainDnsZones application directory partition.
Answer: B
Directory infrastructure and maintaining Active Directory objects. There is a domain controller which runs
Windows Server 2008. The domain controller has the Windows Server Backup feature installed. You have
to use an existing backup file to perform a non-authoritative restore of the domain controller. So what action
should you perform?
A. The domain controller should be restarted in safe mode. Perform a critical volume restore by using the
WBADMIN command.
B. The domain controller should be restarted in safe mode. Perform a critical volume restore by using the
Windows Server Backup snap-in.
C. The domain controller should be restarted in Directory Services Restore Mode. Perform a critical volume
restore by using the WBADMIN command.
D. The domain controller should be restarted in Directory Services Restore Mode. Perform a critical volume
restore by using the Windows Server Backup snap-in.
Answer: C
Directory infrastructure and maintaining Active Directory objects. There is a domain controller in the
company, and the DHCP service is run by the controller. Since you are the technical support, you are
required to have an offline defragmentation of the Active Directory database performed on the domain
controller. In addition, the availability of the DHCP service should not be affected during the process. Which

Testinside
action should be performed to achieve the goal?
A. To achieve the goal, the Active Directory Domain Services service should be stopped. And then, the
Ntdsutil utility should be run.
B. To achieve the goal, the Active Directory Domain Services service should be stopped. And then, the Disk
Defragmenter utility should be run.
C. To achieve the goal, the domain controller should be restarted in Directory Services Restore Mode. And
then, the Disk Defragmenter utility should be run.
D. To achieve the goal, the domain controller should be restarted in Directory Services Restore Mode. And
then, the Ntdsutil utility should be run.
Answer: A
Directory infrastructure and maintaining Active Directory objects. You are in charge of two servers named
S01 and S02. Windows Server 2008 is run by both servers. S01 is configured as an enterprise root
certification authority (CA). You have the Online Responder role service installed on S02. You have to
configure S01 to support the Online Responder. So what action should you perform?
A. The Authority Information Access (AIA) extension should be configured.
B. S02 computer account should be added to the CertPublishers group.
C. The enterprise root CA certificate should be imported.
D. The Certificate Revocation List Distribution Point extension should be configured.
Answer: A
Directory infrastructure and maintaining Active Directory objects. An Active Directory forest is included by
your network. And one domain named wiikigo.com is contained by the Active Directory forest. Windows
Server 2008 is run by all domain controllers. In addition, all domain controllers are configured as DNS
servers. There are two Active Directory-integrated zones: wiikigo.com and cosoto.com. According to the
company requirements, you should make sure that a user can change records in the wiikigo.com zone. The

Testinside
user should be stopped from changing the SOA record in the cosoto.com zone. Which action should be
A. From the Active Directory Users and Computers console, the Delegation of Control Wizard should be
run.
B. From the Active Directory Users and Computers console, the permissions of the Domain Controllers
organizational unit (OU) should be changed.
C. From the DNS Manager console, the permissions of the wiikigo.com zone should be changed.
D. From the DNS Manager console, the permissions of the cosoto.com zone should be changed.
Answer: C
Directory infrastructure and maintaining Active Directory objects. There is a head office and three branch
offices in your company. The company configures each office as a separate Active Directory site, and the
Active Directory site has its own domain controller. An account that has administrative rights should be
disabled. Since you are the technical support, you are required to copy the disabled account information
instantly to all sites. To accomplish the task, which two of the following options should be performed?
A. To accomplish the task, the current connection objects and force replication should be chosen from the
Active Directory Sites and Services console.
B. To accomplish the task, all domain controllers should be configured as global catalog servers from the
C. To accomplish the task, Dsmod.exe should be utilized to configure all domain controllers as global
catalog servers.
D. To accomplish the task, Repadmin.exe should be utilized to force replication between the site connection
objects.
Answer: AD

Testinside
contained by your network. Windows Server 2008 is run by all domain controllers. Since you are the
technical support, you are required to have all replication errors captured from all domain controllers to a
central location. Which action should be performed to achieve the goal?
A. To achieve the goal, the Active Directory Diagnostics data collector set should be started.
B. To achieve the goal, Network Monitor should be installed and a new a new capture should be created.
C. To achieve the goal, event log subscriptions should be configured.
D. To achieve the goal, the System Performance data collector set should be started.
Answer: C
Directory infrastructure and maintaining Active Directory objects. There is a head office and 40 branch
office in your company. Each branch office is configured as a separate Active Directory site which has a
dedicated read-only domain controller (RODC). An RODC server is stolen from one of the branch offices.
According to the company requirement, you have to identify the user accounts that were cached on the
stolen RODC server. Which utility should be used?
A. Ntdsutil.exe should be used.
B. Dsmod.exe should be used.
C. Active Directory Users and Computers should be used.
D. Active Directory Sites and Services should be used.
Answer: C
in the company network. User accounts for engineering department reside in an OU named Engineering.
According to the company requirement, you have to create a password policy for the engineering
department that is different from your domain password policy. So what action should you perform?
A. A domain local security group should be created and all the user accounts for the engineering

Testinside
department should be added to the group. Choose the group and run the Delegation of Control Wizard from
the Active Directory Users and Computer console.
B. A new GPO should be created. The GPO should be linked to the Engineering OU.
C. A new GPO should be created. The GPO should be linked to the domain. Block policy inheritance on all
OUs except for the Engineering OU.
D. A global security group should be created and all the user accounts for the engineering department
should be added to the group. A new Password Policy Object (PSO) should be created and it should be
applied to the group.
Answer: D
Directory infrastructure and maintaining Active Directory objects. The company has offices that are located
in Asian and Europe. There is an Active Directory forest in this company. This forest contains three domains.
Now you receive an order from the company management. You are asked to cut down the time required to
authenticate users from the labs.eu.wiikigo.com domain when they access resources in the
eng.na.wiikigo.com domain. So what action should you perform?
A. The replication interval for the DEFAULTIPSITELINK site link should be decreased.
B. The replication interval for all Connection objects should be decreased.
C. A one-way shortcut trust from labs.eu.wiikigo.com to eng.na.wiikigo.com should be set up.
D. A one-way shortcut trust from eng.na.wiikigo.com to labs.eu.wiikigo.com should be set up.
Answer: D
named wiikigo.com in your company. There are two DNS servers named DNS01 and DNS02 in the
company network.
The table below shows the configuration of the DNS servers.Domain users, who are configured to use
DNS02 as the preferred DNS server, cannot connect to Internet Web sites. According to the company

Testinside
requirement, you have to enable Internet name resolution for all client computers. So what action should
you perform?
A. The list of root hints servers on DNS02 should be updated.
B. A copy of the .(root) zone on DNS01 should be created.
C. The .(root) zone should be deleted from DNS02. Conditional forwarding on DNS02 should be configured.
D. The Cache.dns file on DNS02 should be updated. Conditional forwarding on DNS01 should be
configured.
Answer: C
in the company network. Windows Server 2008 is run by all domain controllers.
Auditing is configured to log changes made to the Managed By attribute on group objects in an
organizational unit named OU1. You have to log changes made to the Description attribute on all group
objects in OU1 only. So what action should you perform?
A. A new Group Policy object (GPO) should be created. The Audit account management policy setting
should be enabled. The GPO should be linked to OU1.
B. auditpol.exe should be run.
C. The auditing entry for OU1 should be modified.
D. The auditing entry for the domain should be modified.
Answer: C
company network. One domain is contained in this forest. Windows Server 2008 is run by all domain
controllers that are configured as DNS servers. You have an Active Directory-integrated zone and two

Testinside
Active Directory sites. There are five domain controllers in each site. You have a new NS record added to
the zone. According to the company requirement, you have to make sure that all domain controllers
immediately receive the new NS record. So what action should you perform?
A. Run repadmin /syncall from the command prompt.
B. Increase the version number of the SOA record from the DNS Manager console.
C. Reload the zone from the DNS Manager console.
D. Restart the DNS Server service from the Services snap-in.
Answer: A
Directory infrastructure and maintaining Active Directory objects. There is a server named S01 in the
company. S01 runs Windows Server 2008. S01 runs an instance of Active Directory Lightweight Directory
Services (AD LDS). You need to replicate the AD LDS instance on a test computer that is located on the
network. So what action should you perform?
A. Run the Dsmgmt command on the test computer to create a naming context.
B. Run the Dsmgmt command on the test computer to create a new directory partition.
C. Run the AD LDS Setup wizard on the test computer to create and install a replica.
D. The repadmin /kcc <servername> command should be run on the test computer.
Answer: C
Directory infrastructure and maintaining Active Directory objects. The company wants users to use a new
User Principal Name (UPN) to log on to Active Directory. You are asked to modify the UPN suffix for all user
accounts. Which tool should be used?
A. Netdom should be used.
B. Redirusr should be used.
C. Dsmod should be used.
D. Active Directory Domains and Trusts should be used.

Testinside
Answer: C
are required to have all failed logon attempts on the domain controllers identified.
A. To achieve the goal, the Security tab should be viewed on the domain controller computer object.
B. To achieve the goal, Event Viewer should be run.
C. To achieve the goal, the Netlogon.log file should be viewed.
D. To achieve the goal, the Security Configuration Wizard should be run.
Answer: B
included by your network. Windows Server 2008 is run by all domain controllers. Since you are the
technical support, you are required to reset the Directory Services Recovery Mode (DSRM) password on a
domain controller. From the following four tools, which one should be utilized to achieve the goal?
A. To achieve the goal, local Users and Groups snap-in should be utilized.
B. To achieve the goal, active Directory Users and Computers snap-in should be utilized.
C. To achieve the goal, dsmod should be utilized.
D. To achieve the goal, ntdsutil should be utilized.
Answer: D
company. And a single domain is included by the Active Directory forest. An Active Directory Federation
Services (AD FS) server role is installed on the domain member server. Since you are the technical support,

Testinside
you are required to configure AD FS so as to make sure that information from the Active Directory domain is
included by AD FS tokens contain. Which action should be performed to achieve the goal?
A. To achieve the goal, a new resource partner should be added and configured.
B. To achieve the goal, a Claims-aware application should be added and configured.
C. To achieve the goal, a new account store should be added and configured.
D. To achieve the goal, a new account partner should be added and configured.
Answer: C
your company. The company intends to have the Active Directory Certificate Service (AD CS) server role
installed on a member server, and Windows Server 2008 is run by the server. Since you are the technical
support, you are required to make sure that members of the Account Operators group should be enabled to
have smartcard credentials issued. But they should not be enabled to have certificates revoked. To achieve
the goal, which action should be performed?
A. To achieve the goal, an Enrollment Agent certificate should be created.
B. To achieve the goal, the AD CS server role should be installed and it should be configured as an
Enterprise Root CA.
C. To achieve the goal, the AD CS server role should be installed and it should be configured as a
Standalone CA.
D. To achieve the goal, enrollment agents for the Smartcard logon certificate should be restricted to the
Account Operator group.
E. To achieve the goal, certificate managers for the Smartcard logon certificate should be restricted to the
Account Operator group.
F. To achieve the goal, a Smartcard logon certificate should be created.
Answer: BDF

Testinside
in the company. The offices are connected by a WAN link. There is an Active Directory forest in the
company. A single domain named ad.wiikigo.com is contained in the forest. The ad.wiikigo.com domain
contains one domain controller named DC01 that is located in the head office. DC01 is configured as a
DNS server for the ad.wiikigo.com DNS zone. This zone is configured as a standard primary zone. You
install a new domain controller named DC02 in the branch office. You install DNS on DC02. You have to
make sure that the DNS service can update records and resolve DNS queries in the event that a WAN link
fails. So what action should you perform?
A. The DNS server on DC02 should be configured to forward requests to DC01.
B. A new standard secondary zone named ad.wiikigo.com should be created on DC02.
C. The ad.wiikigo.com zone on DC01 should be converted to an Active Directory-integrated zone.
D. In order to make sure of this, a new stub zone named ad.wiikigo.com should be created on DC02.
Answer: C
Directory infrastructure and maintaining Active Directory objects. An Active Directory Rights Management
Services (AD RMS) server is contained by your company. Windows Vista is run by the users' computers.
And the company configures an Active Directory domain at the Windows Server 2003 functional level.
According to the company requirements, you should configure AD RMS so as to make sure that the users
are enabled to protect their documents. Which action should be performed to achieve the goal?
A. To achieve the goal, an e-mail account should be created in Active Directory Domain Services (AD DS)
for each RMS user.
B. To achieve the goal, Active Directory domain should be upgraded to the functional level of Windows
Server 2008.
C. To achieve the goal, the AD RMS client 2.0 should be installed on each client computer.
D. To achieve the goal, the RMS service account should be added to the local administrators group on the
AD RMS server.
Answer: A

Testinside
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain, and
Windows Server 2008 is run by the domain. You are required to implement a certification authority (CA)
server, and the following requirements should be met.
First, the certification authority should be permitted to automatically issue certificates
Second, a certification authority (CA) server should integrate with Active Directory Domain Services
A. To achieve the goal, a certificate should be purchased from a third-party certification authority. And then,
the certificate should be imported into the computer store of the schema master.
B. To achieve the goal, the Active Directory Certificate Services server role should be installed and
configured as a Standalone Root CA.
C. To achieve the goal, the Active Directory Certificate Services server role should be installed and
configured as an Enterprise Root CA.
D. To achieve the goal, a certificate should be purchased from a third-party certification authority. And then,
the Active Directory Certificate Services server role should be installed and configured as a Standalone
Subordinate CA.
Answer: C
are required to have a read-only domain controller (RODC) deployed, and Windows Server 2008 is run by
RODC. As you should choose a minimal forest functional level, which of the following should be utilized?
A. Windows 2000 Native mode should be utilized.
B. Windows Server 2003 Native mode should be utilized.
C. Windows Server 2008 should be utilized.
D. Windows Server 2003 Interim mode should be utilized.
Answer: B

Testinside
Directory infrastructure and maintaining Active Directory objects. There are file servers in your company,
and they are located in an organizational unit named PRoll. PRoll files are included by file servers which are
in a folder named PRoll. A GPO is created. Since you are the technical support, you are required to have
the employees who access the PRoll files on the file servers tracked.
Which action should be performed?
A. The Audit process tracking option should be enabled. And then, the GPO should be linked to the PRoll
organizational unit. At last, Auditing for the Everyone group in the PRoll folder should be configured on the
file servers.
B. The Audit object access option should be enabled. And then, the GPO should be linked to the PRoll
organizational unit. At last, Auditing for the Everyone group in the PRoll folder should be configured on the
file servers.
C. The Audit object access option should be enabled. And then, the GPO should be linked to the domain. At
last, Auditing for the Authenticated Users group in the PRoll folder should be configured on the domain
controllers.
D. The Audit process tracking option should be enabled. And then, the GPO should be linked to the Domain
Controllers organizational unit. At last, Auditing for the Authenticated Users group in the PRoll folder should
be configured on the file servers.
Answer: B
company. You have a new domain controller installed in the domain. You receive report from twenty users
saying that they cannot log on to the domain. You have to reregister the SRV records. Which command
should you run on the new domain controller?
A. The dnscmd /EnlistDirectoryPartition command should be run.
B. The sc stop netlogon command should be run followed by the sc start netlogon command.

Testinside
C. The netsh interface reset command should be run.
D. The ipconfig /flushdns command should be run.
Answer: B
Directory infrastructure and maintaining Active Directory objects. In your company, there are three Active
Directory domains in a single forest. A new Active Directoryenabled application is installed. New user
attributes are added to the Active Directory schema by the application. You find that the Active Directory
replication traffic to the Global Catalogs has raised. Since you are the technical support, you are required to
stop the new attributes from being copied to the Global Catalog. The application functionality should not be
affected. Which action should be performed to achieve the goal?
A. To achieve the goal, the new attributes in the Active Directory schema should be marked as defunct.
B. To achieve the goal, the properties in the Active Directory schema should be changed for the new
attributes.
C. To achieve the goal, the replication interval for the DEFAULTIPSITELINK object should be modified to
9990.
D. To achieve the goal, the cost for the DEFAULTIPSITELINK object should be modified to 9990.
Answer: B
company. The company intends to have an Enterprise certification authority (CA) installed on a dedicated
stand-alone server. When you try to have the Active Directory Certificate Services (AD CS) server role
added, you find that the Enterprise CA option cannot be accessed. You are required to have the AD CS
server role installed as an Enterprise CA. Which action should be performed to achieve the goal?
A. To achieve the goal, the Web Server server role and the AD CS server role should be added.
B. To achieve the goal, the Active Directory Lightweight Directory Services (AD LDS) server role should be
added.

Testinside
C. To achieve the goal, the DNS Server server role should be added.
D. To achieve the goal, the server should be joined to the domain.
Answer: D
in the company network. Ten domain controllers are contained in the domain. Windows Server 2008 is run
by the domain controllers that are configured as DNS servers. You decide to create a new Active
Directory-integrated zone. You have to make sure that the new zone is only replicated to four of your
domain controllers. What action should you perform first?
A. Run dnscmd and specify the /enlistdirectorypartition parameter from the command prompt.
B. Run dnscmd and specify the /createdirectorypartition parameter from the command prompt.
C. A new delegation should be created in the ForestDnsZones application directory partition.
D. A new delegation should be created in the DomainDnsZones application directory partition.
Answer: B
Directory infrastructure and maintaining Active Directory objects. There is a current Active Directory site
named S01. A new Active Directory site named S02 is created. Since you are the technical support, you are
required to configure Active Directory replication between S01 and S02. A new domain controller is installed.
The site link between S01 and S02 is created. To achieve the goal, which action should be performed next?
A. To achieve the goal, the Active Directory Sites and Services console should be utilized to reduce the site
link cost between S01 and S02.
B. The Active Directory Sites and Services console should be utilized to assign a new IP subnet to S02. And
then, the new domain controller object should be migrated to S02.
C. The Active Directory Sites and Services console should be utilized to configure the new domain
controller as a preferred bridgehead server for S01.
D. To achieve the goal, the Active Directory Sites and Services console should be utilized to configure a

Testinside
new site link bridge object.
Answer: B
Directory infrastructure and maintaining Active Directory objects. There are two domain controllers in your
company, and both domain controllers are configured as internal DNS servers. You can see all zones on
the DNS servers are Active Directory-integrated zones. All dynamic updates are permitted by the zone. You
find a problem that there are multiple entries in the wiikigo.com zone
for the host names of computers that do not exist. Therefore, you plan to configure the wiikigo.com zone to
automatically move expired records. Which action should be performed to achieve the goal?
A. To achieve the goal, the default expiration interval should be increased on the wiikigo.com zone from the
Start of Authority tab.
B. To achieve the goal, only secure updates should be enabled on the wiikigo.com zone.
C. To achieve the goal, scavenging should be enabled and the refresh interval should be configured on the
wiikigo.com zone.
D. To achieve the goal, the default refresh interval should be reduced on the wiikigo.com zone from the
Start of Authority tab.
Answer: C
Directory infrastructure and maintaining Active Directory objects. Shared folders are used by your company.
Users are granted access to the shared folders by using domain local groups. Confidential data is
contained in one of the shared folders. You have to make sure that unauthorized users cannot access the
shared folder that contains confidential data. So what action should you perform?
A. The unauthorized users should be instructed to use the Guest account to log on. Configure the Deny Full
control permission on the shared folders that hold the confidential data for the Guest account.
B. Use the Dsmod utility to enable the Do not trust this computer for delegation property on all the
computers of unauthorized users.

Testinside
C. A Domain Local Group named Deny DLG should be created. The global group that contains the
unauthorized users should be placed into the Deny DLG group. The Deny Full control permission should be
configured on the shared folder that holds the confidential data for the Deny DLG group.
D. A Global Group named Deny DLG should be created. The global group that contains the unauthorized
users should be placed into the Deny DLG group. The Allow Full control permission should be configured
on the shared folder that holds the confidential data for the Deny DLG group.
Answer: C
company. Three branch offices are contained by the company, and the branch offices are located in three
different places. An organizational unit is contained by each location. Since you are the technical support,
you are required to make sure that the branch office administrators are enabled to create and apply GPOs
only to their respective organizational units. Which actions should be performed to achieve the goal?
A. The Delegation of Control Wizard should be run and the right to link GPOs for the domain should be
delegated to the branch office administrators.
B. The Delegation of Control Wizard should be run and the right to link GPOs for their branch organizational
units should be delegated to the branch office administrators.
C. The user accounts of the branch office administrators should be added to the Group Policy Creator
Owners Group.
D. The Managed By tab in each organizational unit should be changed to add the branch office
administrators to their respective organizational units.
Answer: BC
your company. And there is a two-tier PKI infrastructure which an offline root CA and an online issuing CA

Testinside
are contained. Windows Server 2008 is run by the Enterprise certification authority. According to the
company requirements, you are required to make sure that users can have
new certificates enrolled. Which action should be performed to achieve the goal?
A. The issuing CA certificate should be imported into the Intermediate Certification Authorities store on all
client workstations.
B. To achieve the goal, the Certificate Revocation List (CRL) should be renewed on the root CA. And then,
the CRL should be replicated to theCertEnroll folder on the issuing CA.
C. The Certificate Revocation List (CRL) should be renewed on the issuing CA. And then, the CRL should
be replicated to theSystemCertificates folder in the users profile.
D. The root CA certificate should be imported into the Trusted Root Certification Authorities store on all
Answer: B
company. In the company, there are servers that run Windows Server 2008 and client computers that run
Windows Vista. The domain uses a set of GPO administrative templates that have been approved to
support regulatory compliance requirements. There is an Active Directory forest that contains a single
domain in your partner company. The company has servers that run Windows Server 2008 and client
computers that run Windows Vista. According to the company requirement, your partner companys domain
needs to be configured to use the approved set of administrative templates. So what action should you
perform?
A. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Web
site. The ADM files should be copied to the PolicyDefinitions folder on the partner companys PDC emulator.
B. You should back up the GPO to a file by using the Group Policy Management Console (GPMC) utility. In
each site, import the GPO to the default domain policy.
C. The ADMX files should be copied from your companys PDC emulator to the PolicyDefinitions folder on
the partner companys PDC emulator.
D. The ADML files should be copied from your companys PDC emulator to the PolicyDefinitions folder on

Testinside
the partner companys PDC emulator.
Answer: C
Directory infrastructure and maintaining Active Directory objects. There is a head office and 9 branch offices
in your company. An Active Directory site is contained by each branch office, and one domain controller is
included by the Active Directory site. The company configures only domain controllers in the head office as
Global Catalog servers. Since you are the technical support, you are required to disable the Universal
Group Membership Caching option on the domain controllers in the branch offices. As you should disable
the disable the Universal Group Membership Caching option, which level should you choose?
A. You should disable the Universal Group Membership Caching option at Connection object level.
B. You should disable the Universal Group Membership Caching option at Site level.
C. You should disable the Universal Group Membership Caching option at Server level.
D. You should disable the Universal Group Membership Caching option at Domain level.
Answer: B
in your company network. The forest plays in the functional level of Windows Server 2008. According to the
company requirement, you have to create multiple password policies for users in your domain. So what
action should you perform?
A. Multiple security policies should be created from the Security Configuration Wizard.
B. Multiple Group Policy objects should be created from the Group Policy Management snap-in.
C. Multiple class schema objects should be created from the Schema snap-in.
D. Multiple Password Setting objectss should be created from the ADSI Edit snap-in.
Answer: D

Testinside
included by your network. The functional level of the forest is Windows Server 2008.
Since you are the technical support, you are required to have multiple password policies created for users
in your domain. Which action should be performed to achieve the goal?
A. From the Group Policy Management snap-in, multiple Group Policy objects should be created.
B. From the Schema snap-in, multiple class schema objects should be created.
C. From the ADSI Edit snap-in, multiple Password Setting objects should be created.
D. From the Security Configuration Wizard, multiple security policies should be created.
Answer: C
named intranet.wiikigo.com in your company. Windows Server 2008 is run by all domain controllers. The
company configures the domain functional level and the forest functional level to Windows 2000 native
mode. Since you are the technical support, you are required to make sure that the UPN suffix for
wiikigo.com is available for user accounts. To achieve the goal, which action should be performed first?
A. To achieve the goal, the new UPN suffix should be added to the forest.
B. To achieve the goal, the Primary DNS Suffix option in the Default Domain Controllers Group Policy
Object (GPO) should be modified to wiikigo.com.
C. To achieve the goal, the wiikigo.com forest functional level should be raised to Windows Server 2003 or
Windows Server 2008.
D. To achieve the goal, the wiikigo.com domain functional level should be raised to Windows Server 2003
or Windows Server 2008.
Answer: A

Testinside
company. This forest runs at the functional level of Windows Server 2008. You implement Active Directory
Rights Management Services (AD RMS). Microsoft SQL Server 2005 is installed by you. When you try to
open the AD RMS administration Web site, you receive the following error message: "SQL Server does not
exist or access denied." You have to open the AD RMS administration Web site. So what should you do?
(choose more than one)
A. The Service Connection Point in Active Directory Domain Services (AD DS) should be deleted manually
and AD RMS should be restarted.
B. IIS should be restarted.
C. Message Queuing should be installed.
D. The MSSQLSVC service should be started.
Answer: BD
Directory infrastructure and maintaining Active Directory objects. 200 new user accounts are created by you.
The users are located in six different sites. Now you receive report from new users. At the time that they
attempt to log on, they receive the following error message when they try to log on: "The username or
password is incorrect." You are sure that the user accounts exist and are enabled. You also confirm that the
user name and password information supplied are correct. You need to find out the cause of the failure.
Besides, you have to make sure that the new users are able to log on. Which utility should be run?
A. Rstools should be run.
B. Repadmin should be run.
C. Rsdiag should be run.
D. Active Directory Domains and Trusts should be run.
Answer: B
your company. An organizational unit named Sales is contained in this domain. There are two global

Testinside
security groups in this Sales organizational unit. The twp global grip[s are respectively named sales
managers and sales executives. You have to apply desktop restrictions to the sales executives group. You
must not apply these desktop restrictions to the sales managers group. After a GPO named
DesktopLockdown is created and linked to the Sales organizational unit. What action should you perform
next?
A. The Deny Apply Group Policy permission should be configured for Authenticated Users on the
DesktopLockdown GPO.
B. The Allow Apply Group Policy permission should be configured for Authenticated Users on the
C. The Deny Apply Group Policy permission should be configured for the sales managers on the
D. The Deny Apply Group Policy permission should be configured for the sales executives on the
Answer: C
in your company network. All domain controllers run Windows Server 2008. You have to reset the Directory
Services Recovery Mode (DSRM) password on a domain controller. What tool should be used?
A. ntdsutil should be used.
B. Dsmod should be used.
C. Local Users and Groups snap-in should be used.
D. Active Directory Users and Computers snap-in should be used.
Answer: A
included by the network. Windows Server 2008 is run by all domain controllers. Since you are the technical

Testinside
support, you are required to track all duplication errors from all domain controllers to a central location.
A. To achieve the goal, Network Monitor should be installed and a new a new capture should be created.
B. To achieve the goal, event log subscriptions should be configured.
C. To achieve the goal, the System Performance data collector set should be started.
D. To achieve the goal, the Active Directory Diagnostics data collector set should be started.
Answer: B
Directory infrastructure and maintaining Active Directory objects. You have a Windows Server 2008 which
has the Active Directory Certificate Services server role installed. Since it takes a long time for client
computers to download a certificate revocation list (CRL), you are asked to cut down the amount of time. So
what action should you perform?
A. An additional domain controller should be installed and configured.
B. An Online Responder should be installed and configured.
C. The Issuing CA certificate should be imported into the Trusted Root Certification Authorities store on all
D. The Root CA certificate should be imported into the Trusted Root Certification Authorities store on all
Answer: B
Directory infrastructure and maintaining Active Directory objects. All consultants are members of a global
group named TWorkers. Three file servers are placed in a new organizational unit named Safeservers.
Confidential data which is located in shared folders are included by the three file servers. Since you are the
technical support, you are required to record any unsuccessful attempts made by the consultants to
connect the confidential data. Which two actions should be performed to achieve the goal? (Choose more
than one.)

Testinside
A. On each shared folder on the three file servers, the TWorkers global group should be added to the
Auditing tab. And then, the Failed Full control setting should be configured in the Auditing Entry dialog box.
B. A new GPO should be created and linked to the Safeservers organizational unit. And then, the Audit
privilege use Failure audit policy setting should be configured.
C. A new GPO should be created and linked to the Safeservers organizational unit. And then, the Audit
object access Failure audit policy setting should be configured.
D. A new GPO should be created and linked to the Safeservers organizational unit. And then, the Deny
access to this computer from the network user rights setting should be configured for the TWorkers global
group.
E. On each shared folder on the three file servers, the three servers should be added to the Auditing tab.
And then, the Failed Full control setting should be configured in the Auditing Entry dialog box.
Answer: AC
company network. Windows Server 2008 is run by all domain controllers that are configured as DNS
servers. You have an Active Directory-integrated zone for wiikigo.com. You have a UNIX-based DNS server.
Your Windows Server 2008 environment needs to be configured to allow zone transfers of the wiikigo.com
zone to the UNIX-based DNS server. What action should you perform in the DNS Manager console?
A. A secondary zone should be created.
B. BIND secondaries should be enabled.
C. You should disable recursion.
D. A stub zone should be created.
Answer: B
Directory infrastructure and maintaining Active Directory objects. There is an existing Active Directory site
named Site01. After you create a new Active Directory site, you name it Site02.

Testinside
Now you receive an order from the company management. According to the company requirement, you
have to configure Active Directory replication between Site01 and Site02. After a new domain controller is
installed by you, the site link between Site01 and Site02 is created. What action should you perform next?
A. The new domain controller should be configured as a preferred bridgehead server for Site01 by using the
B. A new site link bridge object should be configured by using the Active Directory Sites and Services
console.
C. The site link cost between Site01 and Site02 should be decreased by using the Active Directory Sites
and Services console.
D. A new IP subnet should be assigned to Site02 by using the Active Directory Sites and Services console.
The new domain controller object should be moved to Site02.
Answer: D
company. A user receives the following message when trying to log on to the domain from a client computer:
"This user account has expired. Ask your administrator to reactivate the account." So what action should
you perform?
A. The properties of the user account should be modified to set the password to never expire.
B. The default domain policy should be modified to decrease the account lockout duration.
C. The properties of the user account should be modified to set the account to never expire.
D. The properties of the user account should be modified to extend the Logon Hours setting.
Answer: C
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain and
an organizational unit in the company. The organizational unit is named Web. You configure and test new
security settings for Internet Information Service (IIS) servers on a server named IISServerA. You have to

Testinside
deploy the new security settings only on the IIS servers that are members of the Web organizational unit.
What action should you perform?
A. The hisecws.inf file template should be imported into a GPO and the GP should be linked to the Web
B. Export the settings on IISServerA to create a security template. Run secedit /configure /db webou.inf
from the command prompt.
C. Run secedit /configure /db webou.inf from the command prompt after running secedit /configure /db
iis.inf from the command prompt on IISServerA.
D. Export the settings on IISServerA to create a security template. Import the security template into a GPO
and link the GPO to the Web organizational unit.
Answer: D
Directory infrastructure and maintaining Active Directory objects. Recently, a new subsidiary company has
been purchased by your company, and the new company is located in Quebec. The French-language
version of the administrative templates should be utilized by the Active Directory administrators of the
subsidiary company. A folder is created on the PDC emulator for the subsidiary domain in the path
%systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\FR. Since you are the technical support, you
are required to make sure that the French-language version of the templates can be used. Which action
should be performed?
A. The ADMX files from the French local installation media for Windows Server 2008 should be replicated
to the FR folder on the subsidiary PDC emulator.
B. The Conf.adm, System.adm, Wuau.adm, and Inetres.adm files should be downloaded from the Microsoft
Web site. And then, the ADM files should be replicated to the FR folder.
C. The ADML files from the French local installation media for Windows Server 2008 should be replicated to
the FR folder on the subsidiary PDC emulator.
D. The Install.WIM file from the French local installation media for Windows Server 2008 should be
replicated to the FR folder on the subsidiary PDC emulator.
Answer: C

Testinside
Directory infrastructure and maintaining Active Directory objects. There are two Active Directory forests in
your company. And they are respectively named F01 and F02. The company configures the forest
functional level and the domain functional level of F01 to Windows Server 2008. In addition, the company
set the forest functional level of F02 to Windows 2000. What's more,the company sets the domain
functional levels in F02 to Windows Server 2003. Since you are the technical support, you are required to
create a transitive forest trust between F01 and F02. To achieve the goal, which action should be performed
first?
A. To achieve the goal, the domain controllers in F02 should be upgraded to Windows Server 2003.
B. To achieve the goal, the forest functional level of F02 should be raised to Windows Server 2003 Interim
mode.
C. To achieve the goal, the forest functional level of F02 should be raised to Windows Server 2003.
D. To achieve the goal, the domain controllers in F02 should be upgraded to Windows Server 2008.
Answer: C
company. And it runs at the functional level of Windows Server 2008. Active Directory Rights Management
Services (AD RMS) is implemented. Microsoft SQL Server 2005 is installed. When you try to open the AD
RMS administration Web site, the following error message is received.
SQL Server does not exist or access denied.
Since you are the technical support, you are required to open the AD RMS administration Web site. To
achieve the goal, which two actions should be performed to achieve the goal? (Choose more than one.)
A. To achieve the goal, the Service Connection Point should be deleted manually in Active Directory
Domain Services (AD DS) and AD RMS should be restarted.
B. To achieve the goal, IIS should be restarted.
C. To achieve the goal, Message Queuing should be installed.

Testinside
D. To achieve the goal, the MSSQLSVC service should be started.
Answer: BD
in the company network. All domain controllers run Windows Server 2008 is run by all domain controllers.
According to the company requirement, you have to identify the Lightweight Directory Access Protocol
(LDAP) clients that are using the largest amount of available CPU resources on a domain controller. So
what action should you perform?
A. The Active Directory Diagnostics Data Collector Set should be run. The Active Directory Diagnostics
report should be reviewed.
B. Performance data in Resource Monitor should be reviewed.
C. The Hardware Events log in the Event Viewer should be reviewed.
D. The LAN Diagnostics Data Collector Set should be run. The LAN Diagnostics report should be reviewed.
Answer: A
Directory infrastructure and maintaining Active Directory objects. There is a Windows Server 2008
Enterprise Root CA in your company. Port 443 and port 80 is prevented from being opened on domain
controllers and on the issuing CA by security policy. Since you are the technical support, you are required to
permit users to have certificates requested from a Web interface. First, you have the Active Directory
Certificate Services (AD CS) server role installed. To achieve the goal, which action should be performed
next?
A. To achieve the goal, the Certification Authority Web Enrollment Role Service should be configured on a
member server.
B. To achieve the goal, the Certification Authority Web Enrollment Role Service should be configured on a
domain controller.
C. To achieve the goal, the Online Responder Role Service should be configured on a member server.

Testinside
D. To achieve the goal, the Online Responder Role Service should be configured on a domain controller.
Answer: A
named ad.wiikigo.com in your company. Two domain controllers named DC01 and DC02 are contained by
the domain. The DNS Server server role is installed by both domain controllers. A new DNS server named
DNS01.wiikigo.com is installed on the perimeter network. DC01 is configured to have all unresolved name
requests forwarded to DNS01.wiikigo.com. A problem occurs that the DNS forwarding option cannot be
accessed on DC02. Since you are the technical support, you are required to have DNS forwarding
configured on the DC02 server to point to the DNS01.wiikigo.com server. What should be done to achieve
the goal? (Choose more than one.)
A. To achieve the goal, conditional forwarding should be configured on DC02.
B. To achieve the goal, the Listen On address should be configured on DC02.
C. To achieve the goal, the DNS cache should be cleared on DC02.
D. To achieve the goal, the Root zone should be deleted on DC02.
Answer: AD
Directory infrastructure and maintaining Active Directory objects. There is a domain controller, and
Windows Server 2008 is run by the domain controller. The company installs the Windows Server Backup
feature on the domain controller. Since you are the technical support, you are required to utilize a current
backup file so as to perform a non-authoritative restore of the domain controller. Which action should be
A. The domain controller should be restarted in safe mode. And then, the Windows Server Backup snap-in
should be utilized to perform a critical volume restore.
B. The domain controller should be restarted in safe mode. And then, the WBADMIN command should be
utilized to perform a critical volume restore.

Testinside
C. The domain controller should be restarted in Directory Services Restore Mode. And then, the WBADMIN
command should be utilized to perform a critical volume restore.
D. The domain controller should be restarted in Directory Services Restore Mode. And then, the Windows
Server Backup snap-in should be utilized to perform a critical volume restore.
Answer: C
Directory infrastructure and maintaining Active Directory objects. There is a single-domain Active Directory
forest in your company. The functional level of the domain plays at the functional level of Windows Server
2008. You perform the following activities:
Create a global distribution group.
Have users added to the global distribution group.
Create a shared folder on a Windows Server 2008 member server.
Place the global distribution group in a domain local group that has access to the shared folder.
According to the company requirement, you have to make sure that the users have access to the shared
folder. So what action should you perform to make sure of this?
A. The group type of the global distribution group should be changed to a security group.
B. The scope of the global distribution group should be changed to a Universal distribution group.
C. Raise the forest functional level should be raised to Windows Server 2008.
D. Add the global distribution group should be added to the Domain Administrators group.
Answer: A
company. And multiple domain controllers are included by the Active Directory forest. Windows Server 2008
is run by the domain controllers.
Since you are the technical support, you are required to recover a deleted organizational unit and its child
objects.

Testinside
Which actions should be performed to achieve the goal? (Choose four options and out them in correct
answer.)
1 The Ntdsutil utility should be utilized to mark the organizational unit as authoritative.
2 The Dsadd utility should be utilized to recreate the organization unit.
3 The system controller should be restarted in Safe Mode.
4 The system state data should be recovered to a date before the organizational unit was deleted.
5 The domain controller should be restarted.
6 The domain controller should be restarted in Directory Services Restore Mode(DSRM).
A. 6->4->1->5
B. 3->4->1->5
C. 4->6->2->5
D. 1->4->5->6
Answer: A
your company. Windows Server 2008 is run by all servers. An Enterprise Root certification authority (CA)
and an Enterprise Intermediate CA are utilized by your company. However, the Enterprise Intermediate CA
certificate expires. Therefore, you should have a new Enterprise Intermediate CA certificate deployed to all
computers in the domain. Which action should be performed to achieve the goal?
A. The new certificate should be imported into the Intermediate Certification Store in the Default Domain
Controllers group policy object.
B. The new certificate should be imported into the Intermediate Certification Store in the Default Domain
group policy object.
C. The new certificate should be imported into the Intermediate Certification Store on the Enterprise Root
CA server.
D. The new certificate should be imported into the Intermediate Certification Store on the Enterprise
Intermediate CA server.
Answer: B

Testinside
in the company. Windows Server 2003 is run by all domain controllers. You have Windows Server 2008
installed on a server. The new server needs to be added as a domain controller in your domain. So what
action should you perform first?
A. adprep /rodcprep should be run on a domain controller.
B. adprep /forestprep should be run on a domain controller.
C. dcpromo /adv should be run on the new server.
D. dcpromo /createdcaccount should be run on the new server.
Answer: B
Directory infrastructure and maintaining Active Directory objects. In your company, a branch office that is
configured as a separate Active Directory site and has an Active Directory domain controller. The Active
Directory site needs a local Global Catalog server to support a new application. According to the company
requirement, the domain controller needs to be configured as a global Catalog server. Which tool should be
used?
A. The Active Directory Sites and Services console should be used.
B. The Active Directory Domains and Trusts console should be used.
C. The Dcpromo.exe utility should be used.
D. The Server Manager console should be used.
E. The Computer Management console should be used.
Answer: A

Testinside
in your company. And they are configured as a single Active Directory forest. You can see the functional
level of the Active Directory forest is Windows Server 2003. Four Windows Server 2003 domain controllers
are contained in the main office. Since you are the technical support, you are required to make sure that
you should be enabled to deploy a read-only domain controller (RODC) at the branch office. To achieve the
goal, which actions should be performed to achieve the goal? (Choose more than one.)
A. To achieve the goal, a Windows Server 2008 domain controller should be deployed at the head office.
B. To achieve the goal, the adprep/rodcprep command should be run.
C. To achieve the goal, the functional level of the forest should be raised to Windows Server 2008.
D. To achieve the goal, the functional level of the domain should be raised to Windows Server 2008.
Answer: AB
Directory infrastructure and maintaining Active Directory objects. An Active Directory forest is contained by
your network, and one domain is included by the Active Directory forest. Windows Server 2008 is run by all
domain controllers and the domain controllers are configured as DNS servers. There is an Active
Directory-integrated zone, and two Active Directory sites. Five domain controllers are included by each site.
A new NS record should be added to the zone. Therefore, you should make sure that the new NS record is
received instantly by all domain controllers. Which action should be performed to finish the task?
A. From the Services snap-in, the DNS Server service should be restarted.
B. From the command prompt, repadmin /syncall should be run.
C. From the DNS Manager console, the version number of the SOA record should be increased.
D. From the DNS Manager console, the zone should be reloaded.
Answer: B
Directory infrastructure and maintaining Active Directory objects. Complex passwords are required
according to the requirement of the company security policy. You have a comma delimited file named
import.csv that contains user account information. You need to use the import.csv file to create user

Testinside
accounts in the domain. Besides, you have to make sure that the new user accounts are set to use default
passwords and are disabled. So what action should you perform?
A. The userAccountControl attribute should be modified to disabled. The ldifde i f import.csv command
should be run. Set passwords for the imported user accounts by running the DSADD utility.
B. The userAccountControl attribute should be modified to disabled. The csvde i k f import.csv command
should be run. Set default passwords for the user accounts by running the DSMOD utility.
C. The userAccountControl attribute should be modified to accounts disabled. The csvde f import.csv
command should be run. set default passwords for the user accounts by running the DSMOD utility.
D. The userAccountControl attribute should be modified to disabled. The wscript import.csv command
should be run. Set default passwords for the imported user accounts by running the DSADD utility.
Answer: B
company. A DNS server named DNS01 is contained by the head office. DNS01 is configured with Active
Directory-integrated DNS. A DNS server named DNS02 and a secondary copy of the zone file from DNS01
are included by the branch office. The company connects the two offices with an unreliable WAN link. A new
server is added to the head office. After the server has been added for ten minutes, it is reported by a user
from the branch office that the new server is unavailable. Since you are the technical support, you are
required to make sure that the user can get access to the new server. Which action should be performed to
achieve the goal?
A. To achieve the goal, the zone on DNS01 should be reloaded.
B. To achieve the goal, the zone on DNS02 should be refreshed.
C. To achieve the goal, the zone should be exported from DNS01 and imported to DNS02.
D. To achieve the goal, the cache on DNS02 should be cleared.
Answer: B

Testinside
Directory infrastructure and maintaining Active Directory objects. An Active Directory forest named
wiikigo.com is contained by your network. Windows Server 2008 is run by all servers. The company
configures all domain controllers as DNS servers. The company has the wiikigo.com DNS zone stored in
the ForestDnsZones Active Directory application partition. In addition, you have a member server and a
standard primary DNS zone for dev.wiikigo.com is included by the member server. According to the
company requirements, you are required to make sure that all domain controllers can have names resolved
for dev.wiikigo.com. Which action should be performed to achieve the goal?
A. To achieve the goal, the properties of the SOA record should be changed in the wiikigo.com zone.
B. To achieve the goal, a NS record should be created in the wiikigo.com zone.
C. To achieve the goal, a delegation should be created in the wiikigo.com zone.
D. To achieve the goal, a standard secondary zone should be created on a Global Catalog server.
Answer: C
Directory infrastructure and maintaining Active Directory objects. There is a Windows Server 2008
Enterprise Root certification authority (CA). Members of the Account Operators group should be offered
with the ability to only manage Basic EFS certificates. The Account Operators group is granted the Issue
and Manage Certificates permission on the CA. To achieve the goal, which actions should be performed?
A. To achieve the goal, all unnecessary certificate templates that are assigned should be migrated to the
Account Operators group.
B. To achieve the goal, the Restrict Enrollment Agents option should be enabled on the CA.
C. To achieve the goal, the Restrict Certificate Managers option should be enabled on the CA.
D. To achieve the goal, the Basic EFS certificate template should be added for the Account Operators
group.
E. To achieve the goal, the Account Operators group the Manage CA permission should be granted on the
CA.
Answer: ACD

Testinside
321.
Answer:
322.
Answer:

Testinside
323.
Answer:

Testinside
Testinside.com was founded in 2006. The safer,easier way to help you pass any IT
Certification exams . We provide high quality IT Certification exams practice
questions and answers(Q&A). Especially Adobe, Apple, Citrix, Comptia, EMC, HP,
Juniper, LPI, Nortel, Oracle, SUN, Vmware and so on. And help you pass any IT
Certification exams at the first try.
You can reach us at any of the email addresses listed below.
English Customer: Sales(at)TestInside.Com

TaiWan&HK Customer: Salestw(at)TestInside.Com
Chinese Customer: Salescn(at)TestInside.com
English Version http://www.testinside.com

Chinese (Traditional) http:// www.testinside.net
Chinese (Simplified) http:// www.testinside.cn

70-640V2 38

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

70-640V2 38

Uploaded by

Copyright:

Available Formats

Testinside

Exam : Microsoft 70-640

Title : TS: Windows Server 2008

Testinside - help you pass any IT exam!

Important Note, Please Read Carefully

Our products of Offline Testing Engine

TestInside Testing Engine

and update 3-4 days before the scheduled exam date.

Here is the procedure to get the latest version:

2. Log in the User Center

version, page number, question number, and your login Account.

Our experts will answer your mail promptly.

for this exam, please contact sales(at)TestInside.com.

TestInside Help You Pass Any IT Exam http://www.TestInside.com

named DC02 has a standard secondary zone for wiikigo.com.

zone data. So what action should you perform?

on the secondary zone should be modified.

zone should be deleted.

Deny Apply group policy for the R D security group.

TestInside Help You Pass Any IT Exam http://www.TestInside.com

B. The Server01 computer account should be added to the DNSUpdateProxy group.

C. A conditional forwarder should be added on S01.

D. The permissions of wiikigo.com zone should be modified on DC01.

A problem occurred that DC01 fails.

cleanup is performed and all references of DC01 are removed.

them in a correct order)

1 Operations master roles should be transferred from DC01 to DC02.

2 Operations master roles should be transferred from DC02 to DC01.

TestInside Help You Pass Any IT Exam http://www.TestInside.com

4 Operations master roles should be seized from DC02 to DC01

5 DC01 should be rebuilt as a replica domain controller.

6 DC02 should be rebuilt as a domain controller.

hold the Global Catalog.

TestInside Help You Pass Any IT Exam http://www.TestInside.com

Huston, Denver, and Valencia.

connected by T1 connections. The office in Valencia is connected by a 256-Kbps ISDN connection.

department. So what should you do? (Choose more than one)

computers. The GPO should be linked to each Sales organizational unit.

The GPO should be linked to each Sales organizational unit.

TestInside Help You Pass Any IT Exam http://www.TestInside.com

they cannot get access to Internet Web sites.

Which action should be performed to achieve the goal?

should be configured on DNS01.

should be set on DNS02.

TestInside Help You Pass Any IT Exam http://www.TestInside.com

A. The domain functional level should be raised to Windows Server 2008.

B. The adprep /forestprep command should be run.

C. The adprep /domainprep command should be run.

D. The forest functional level should be raised to Windows Server 2008.

performed to achieve the goal? (Choose more than one.)

A. To achieve the goal, conditional forwarding on DC02 should be configured.

B. To achieve the goal, the Listen On address on DC02 should be configured.

C. To achieve the goal, the DNS cache on DC02 should be cleared.

D. To achieve the goal, the Root zone on DC02 should be deleted.

TestInside Help You Pass Any IT Exam http://www.TestInside.com

Active Directory Certificate Services (AD CS) server.

on files in the %SYSTEM32%\CertSrv directory.

What action should you perform?

TestInside Help You Pass Any IT Exam http://www.TestInside.com

C. A delegation in the wiikigo.com zone should be created.

D. A standard secondary zone on a Global Catalog server should be created.

them in a correct order)

2 The net stop LSD01 command should be run.