1. What is Active Directory?
Active Directory is metadata. Active Directory is a database that stores
information such as your user information, computer information and other
network object information. It has the capability to manage and administer the
complete network that is connected to AD.
2. What is a domain?
In Windows NT and Windows 2000, a domain is a set of network resources
(applications, printers, and so forth) for a group of users. The user need only
log in to the domain to gain access to the resources, which may be located
on a number of different servers in the network. The 'domain' is simply your
computer address, not to be confused with a URL. A domain address might look
something like 211.170.469.
3. What is a domain controller?
A Domain controller (DC) is a server that responds to security
authentication requests (logging in, checking permissions, etc.) within
the Windows Server domain. A domain is a concept introduced in
Windows NT whereby a user may be granted access to a number of computer resources
with the use of a single username and password combination.
4. What is LDAP?
Lightweight Directory Access Protocol (LDAP) is the industry standard directory
access protocol, making Active Directory widely accessible to management and
query applications. Active Directory supports LDAPv3 and LDAPv2.
5. What is KCC?
KCC (Knowledge Consistency Checker) is used to generate the replication topology
for intersite replication and for intrasite replication. Within a site,
replication traffic is done via remote procedure calls over IP, while between
sites it is done through either RPC or SMTP.
6. Where is the AD database held? What other folders are related to AD?
The AD database is stored in c:\windows\ntds\NTDS.DIT.
7. What is the SYSVOL folder?
The SYSVOL folder stores the server's copy of the domain's public files. The
contents of the SYSVOL folder, such as group policy, users etc., are replicated
to all domain controllers in the domain.
8. What are the Windows Server 2003 keyboard shortcuts?
Winkey opens or closes the Start menu.
Winkey + BREAK displays the System Properties dialog box.
Winkey + TAB moves the focus to the next application in the taskbar.
Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar.
Winkey + B moves the focus to the notification area.
Winkey + D shows the desktop.
Winkey + E opens Windows Explorer showing My Computer.
Winkey + F opens the Search panel.
Winkey + CTRL + F opens the Search panel with Search for Computers module selected.
Winkey + F1 opens Help.
Winkey + M minimizes all.
Winkey + SHIFT + M undoes minimization.
Winkey + R opens Run dialog.
Winkey + U opens the Utility Manager.
Winkey + L locks the computer.
9. Where are the Windows NT Primary Domain Controller (PDC) and its Backup
Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a
multimaster peer-to-peer read and write relationship that hosts copies of the
Active Directory.
10. I am trying to create a new universal user group. Why can’t I?
Universal groups are allowed only in native-mode Windows Server 2003
environments. Native mode requires that all domain controllers be promoted to
Windows Server 2003 Active Directory.
11. What is LSDOU?
It’s the group policy inheritance model, where the policies are applied
to Local machines, Sites, Domains and Organizational Units.
12. Why doesn’t LSDOU work under Windows NT?
If the NTConfig.pol file exists, it has the highest priority
among the numerous policies.
13. What’s the number of permitted unsuccessful logons on Administrator account?
Unlimited. Remember, though, that it’s the Administrator account, not any
account that’s part of the Administrators group.
14. What’s the difference between guest accounts in Server 2003 and other
editions?
More restrictive in Windows Server 2003.
15. How many passwords by default are remembered when you check "Enforce
Password History Remembered"?
User’s last 6 passwords.
16. Can the GC server and the Infrastructure master be placed on a single
server? If not, explain why.
No, as the Infrastructure master does the same job as the GC. They do not work
together.
17. Which service in Windows is responsible for replication from one domain
controller to another domain controller?
KCC generates the replication topology.
Use SMTP / RPC to replicate changes.
18. What are intrasite and intersite replication?
Intrasite is the replication within the same site and intersite is the
replication between sites.
19. What is the Lost & Found folder in ADS?
It’s the folder where you can find the objects missed due to conflict.
Ex: you created a user in an OU which is deleted on another DC; when
replication happens, ADS doesn’t find the OU, so it puts the user in the
Lost & Found folder.
20. What is garbage collection?
Garbage collection is the process of the online defragmentation of Active
Directory. It happens every 12 hours.
21. What does System State data contain?
Contains:
Startup files
Registry
COM+ Registration Database
Memory page file
System files
AD information
Cluster Service information
SYSVOL folder
What is the difference between Windows 2000 Active Directory and Windows 2003
Active Directory? Is there any difference in 2000 Group Policies and 2003 Group
Policies? What is meant by ADS and ADS services in Windows 2003?
Windows 2003 Active Directory introduced a number of new security features, as
well as convenience features such as the ability to rename a domain controller
and even an entire domain.
Windows Server 2003 also introduced numerous changes to the default settings
that can be affected by Group Policy - you can see a detailed list of each
available setting and which OS is required to support it by downloading
the Group Policy Settings Reference.
ADS stands for Automated Deployment Services, and is used to quickly roll out
identically-configured servers in large-scale enterprise environments. You can
get more information from the ADS homepage.
1. I want to set up a DNS server and Active Directory domain. What do I do
first? If I install the DNS service first and name the zone 'name.org' can I
name the AD domain 'name.org' too?
Not only can you have a DNS zone and an Active Directory domain with
the same name, it's actually the preferred way to go if at all possible. You
can install and configure DNS before installing Active Directory, or you
can allow the Active Directory Installation Wizard (dcpromo) itself to install
DNS on your server in the background.
2. How do I determine if user accounts have local administrative access?
You can use the net localgroup administrators command on each workstation
(probably in a login script so that it records its information to a central file
for later review). This command will enumerate the members of the
Administrators group on each machine you run it on. Alternately, you can use
the Restricted Groups feature of Group Policy to restrict the
membership of Administrators to only those users you want to belong.
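One way to review the centrally collected output of net localgroup administrators, as an added example that is not part of the original page. The hostnames, accounts, allowlist and captured output are constructed, and the parser assumes the English-language output layout of the command.

```python
"""Review collected `net localgroup administrators` output for unexpected members."""

# Constructed sample: one capture per workstation, as a login script might
# append to a central share. WS-003 shows a failed run (access denied).
SAMPLE_CAPTURES = {
    "WS-001": r"""Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
The command completed successfully.
""",
    "WS-002": r"""Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\jsmith
helpdesk
The command completed successfully.
""",
    "WS-003": """System error 5 has occurred.

Access is denied.
""",
}

# Assumed policy: only these principals may be local administrators.
ALLOWED = {"Administrator", r"CORP\Domain Admins"}


def parse_members(output):
    """Return the member list from one capture, or None if it is not parseable.

    Members are the non-empty lines between the dashed separator and the
    trailing "The command completed successfully." line.
    """
    lines = [ln.strip() for ln in output.splitlines()]
    separators = [i for i, ln in enumerate(lines) if ln and set(ln) == {"-"}]
    if not separators:
        return None  # error output or truncated capture
    members = []
    for ln in lines[separators[0] + 1:]:
        if not ln:
            continue
        if ln.lower().startswith("the command completed"):
            break
        members.append(ln)
    return members


def audit(captures, allowed=ALLOWED):
    """Return (unexpected members per host, hosts whose capture failed)."""
    # Windows account names are case-insensitive, so compare case-folded.
    allowed_cf = {name.casefold() for name in allowed}
    unexpected, unparsed = {}, []
    for host in sorted(captures):
        members = parse_members(captures[host])
        if members is None:
            unparsed.append(host)
            continue
        extra = [m for m in members if m.casefold() not in allowed_cf]
        if extra:
            unexpected[host] = extra
    return unexpected, unparsed


if __name__ == "__main__":
    unexpected, unparsed = audit(SAMPLE_CAPTURES)
    for host, extra in unexpected.items():
        print(f"{host}: unexpected local administrators: {', '.join(extra)}")
    for host in unparsed:
        print(f"{host}: capture could not be parsed, re-run the collection")
```

Hosts whose capture cannot be parsed are reported separately so that a failed collection is not mistaken for a clean result.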
3. Why am I having trouble printing with XP domain users?
In most cases, the inability to print or access resources in situations like
this one will boil down to an issue with name resolution, either DNS or
WINS/NetBIOS. Be sure that your Windows XP clients' wireless connections are
configured with the correct DNS and WINS name servers, as well as with the
appropriate NetBIOS over TCP/IP settings. Compare your wireless
settings to your wired LAN settings and look for any discrepancies that may
indicate where the functional difference may lie.
4. What is the ISTG? Who has that role by default?
Windows 2000 Domain controllers each create Active Directory Replication
connection objects representing inbound replication from intra-site replication
partners. For inter-site replication, one domain controller per site has the
responsibility of evaluating the inter-site replication topology and creating
Active Directory Replication Connection objects for appropriate bridgehead
servers within its site. The domain controller in each site that owns this role
is referred to as the Inter-Site Topology Generator (ISTG).
5. What is the difference between Server 2003 vs 2008?
1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for
Virtualization) but only on 64bit versions. More and more companies are seeing
this as a way of reducing hardware costs by running several 'virtual' servers
on one physical machine.)
2. Server Core (provides the minimum installation required to carry out a
specific server role, such as for a DHCP, DNS or print server)
3. Better security.
4. Role-based installation.
5. Read Only Domain Controllers (RODC).
6. Enhanced terminal services.
7. Network Access Protection - Microsoft's system for ensuring that clients
connecting to Server 2008 are patched, running a firewall and in compliance
with corporate security policies.
8. PowerShell - Microsoft's command line shell and scripting language has
proved popular with some server administrators.
9. IIS 7.
10. BitLocker - System drive encryption can be a sensible security measure for
servers located in remote branch offices.
The main difference between 2003 and 2008 is virtualization and management.
2008 has more built-in components and updated third-party drivers.
11. Windows Aero.
6. What are the requirements for installing AD on a new server?
1. The domain structure.
2. The domain name.
3. Storage location of the database and log file.
4. Location of the shared system volume folder.
5. DNS configuration method.
6. DNS configuration.
7. What is LDP?
LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs
when traffic engineering is not required. It establishes LSPs that follow the
existing IP routing, and is particularly well suited for establishing a full
mesh of LSPs between all of the routers on the network.
What are the group types available in Active Directory?
Security groups: Use security groups for granting permissions to gain
access to resources. Sending an e-mail message to a group sends the message to
all members of the group. Therefore security groups share the capabilities of
distribution groups.
Distribution groups: Distribution groups are used for sending e-mail messages to
groups of users. You cannot grant permissions to security groups. Even though
security groups have all the capabilities of distribution groups, distribution
groups are still required, because some applications can only read distribution
groups.
Explain about the group scopes in AD.
Domain Local Group: Use this scope to grant permissions to domain
resources that are located in the same domain in which you created the domain
local group. Domain local groups can exist in all mixed, native and interim
functional levels of domains and forests. Domain local group memberships are not
limited, as you can add members as user accounts, universal and global groups
from any domain. Remember that nesting cannot be done in a domain local
group. A domain local group will not be a member of another Domain Local or any
other groups in the same domain.
Global Group: Users with similar function can be grouped under global
scope and can be given permission to access a resource (like a printer or
shared folder and files) available in the local or another domain in the same
forest. In simple words, global groups can be used to grant permissions to gain
access to resources which are located in any domain but in a single forest, as
their memberships are limited. User accounts and global groups can be added
only from the domain in which the global group is created. Nesting is possible
in global groups within other groups, as you can add a global group into another
global group from any domain. Finally, to provide permission to domain-specific
resources (like printers and published folders), they can be members of a Domain
Local group. Global groups exist in all mixed, native and interim functional
levels of domains and forests.
Universal Group Scope: These groups are precisely used for email distribution and
can be granted access to resources in all trusted domains, as these groups can
only be used as a security principal (security group type) in a Windows 2000
native or Windows Server 2003 domain functional level domain. Universal group
memberships are not limited like global groups. All domain user accounts and
groups can be a member of a universal group. Universal groups can be nested under
a global or Domain Local group in any domain.
What is REPLMON?
The Microsoft definition of the Replmon tool is as follows: This GUI tool
enables administrators to view the low-level status of Active Directory
replication, force synchronization between domain controllers, view the
topology in a graphical format, and monitor the status and performance of
domain controller replication.
What is ADSIEDIT?
ADSIEDIT: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as
a low-level editor for Active Directory. It is a Graphical User Interface (GUI)
tool. Network administrators can use it for common administrative tasks such as
adding, deleting, and moving objects with a directory service. The attributes
for each object can be edited or deleted by using this tool. ADSIEdit uses the
ADSI application programming interfaces (APIs) to access Active Directory. The
following are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT.
What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and
trust relationships. It is used for batch management of trusts, joining
computers to domains, verifying trusts, and secure channels.
What is REPADMIN?
This command-line tool assists administrators in diagnosing replication
problems between Windows domain controllers. Administrators can use Repadmin to
view the replication topology (sometimes referred to as RepsFrom and RepsTo) as
seen from the perspective of each domain controller. In addition, Repadmin can
be used to manually create the replication topology (although in normal
practice this should not be necessary), to force replication events between
domain controllers, and to view both the replication metadata and
up-to-dateness vectors.
How to take a backup of AD?
To take a backup of Active Directory, go to Start - Programs - Accessories -
System Tools - Backup, or open the Run window and type ntbackup. When the backup
screen appears, take a backup of System State; it backs up all the necessary
information about the system, including AD, DNS, etc.
What are the DS* commands?
The DS family of built-in utilities includes the following commands:
DSmod - modify Active Directory attributes.
DSrm - to delete Active Directory objects.
DSmove - to relocate objects
DSadd - create new accounts
DSquery - to find objects that match your query attributes.
DSget - list the properties of an object
What are the requirements for installing AD on a new server?
An NTFS partition with enough free space.
An Administrator's username and password.
The correct operating system version.
A NIC.
Properly configured TCP/IP (IP address, subnet mask and - optional -
default gateway).
A network connection (to a hub or to another computer via a crossover cable).
An operational DNS server (which can be installed on the DC itself).
A domain name that you want to use.
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder).
Explain about trusts in AD.
To allow users in one domain to access resources in another,
Active Directory uses trusts. Trusts inside a forest are automatically created
when domains are created.
The forest sets the default boundaries of trust, not the
domain, and implicit, transitive trust is automatic for all domains within a
forest. As well as two-way transitive trust, AD trusts can be a shortcut (joins
two domains in different trees, transitive, one- or two-way), forest
(transitive, one- or two-way), realm (transitive or nontransitive, one- or
two-way), or external (nontransitive, one- or two-way) in order to connect to
other forests or non-AD domains.
Trusts in Windows 2000 (native mode)
One-way trust – One domain allows access to users on another
domain, but the other domain does not allow access to users on the first
domain.
Two-way trust – Two domains allow access to users on both
domains.
Trusting domain – The domain that allows access to users from
a trusted domain.
Trusted domain – The domain that is trusted; whose users have
access to the trusting domain.
Transitive trust – A trust that can extend beyond two domains
to other trusted domains in the forest.
Intransitive trust – A one way trust that does not extend
beyond two domains.
Explicit trust – A trust that an admin creates. It is not
transitive and is one way only.
Cross-link trust – An explicit trust between domains in
different trees or in the same tree when a descendant/ancestor (child/parent)
relationship does not exist between the two domains.
Windows 2000 Server – supports the following types of trusts:
Two-way transitive trusts.
One-way intransitive trusts.
Additional trusts can be created by administrators. These trusts can be:
Shortcut
Windows Server 2003 offers a new trust type – the forest root trust. This type
of trust can be used to connect Windows Server 2003 forests if they are
operating at the 2003 forest functional level. Authentication across this type
of trust is Kerberos based (as opposed to NTLM). Forest trusts are also
transitive for all the domains in the forests that are trusted. Forest trusts,
however, are not transitive.
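The direction and transitivity terms from the glossary above, as an added example that is not part of the original page: a simplified model that computes which domains' users can be given access to resources in a trusting domain. The domain names and topology are constructed, and the model considers only trust direction and transitivity.

```python
"""Simplified model of trust direction and transitivity between domains."""
from collections import namedtuple

# One record per direction: `trusting` allows access to users of `trusted`.
Trust = namedtuple("Trust", "trusting trusted transitive")


def two_way(a, b, transitive):
    """A two-way trust is two one-way trusts, one in each direction."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


# Constructed topology: a forest root with two child domains (two-way
# transitive trusts, created automatically inside a forest) plus one
# explicit one-way, intransitive trust from a child to an outside domain.
TRUSTS = (
    two_way("corp.example", "emea.corp.example", True)
    + two_way("corp.example", "apac.corp.example", True)
    + [Trust("emea.corp.example", "partner.test", False)]
)


def trusted_by(resource_domain, trusts):
    """Return the domains whose users can access resources in resource_domain.

    A domain qualifies if resource_domain trusts it directly (any trust type),
    or if it is reachable through a chain made only of transitive trusts.
    An intransitive trust never extends beyond its two domains.
    """
    direct = {t.trusted for t in trusts if t.trusting == resource_domain}

    # Follow chains of transitive trusts outward from the resource domain.
    seen = {resource_domain}
    frontier = [resource_domain]
    while frontier:
        current = frontier.pop()
        for t in trusts:
            if t.trusting == current and t.transitive and t.trusted not in seen:
                seen.add(t.trusted)
                frontier.append(t.trusted)

    return (seen | direct) - {resource_domain}


def exposure_report(trusts):
    """Map every domain to the sorted list of domains it ends up trusting."""
    domains = {t.trusting for t in trusts} | {t.trusted for t in trusts}
    return {d: sorted(trusted_by(d, trusts)) for d in sorted(domains)}


if __name__ == "__main__":
    for domain, trusted in exposure_report(TRUSTS).items():
        print(f"{domain} trusts: {', '.join(trusted) or '(none)'}")
```

In this topology partner.test users reach emea.corp.example only, because the intransitive trust does not carry over to the rest of the forest, and partner.test itself trusts no one because the trust is one-way.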
Difference between LDIFDE and CSVDE?
CSVDE is a command that can be used to import and export objects to and from the
AD into a CSV-formatted file. A CSV (Comma Separated Value) file is a file
easily readable in Excel. I will not go into this powerful command at length,
but I will show you some basic samples of how to import a large number of users
into your AD. Of course, as with the DSADD command, CSVDE can do more than just
import users. Consult your help file for more info.
LDIFDE is a command that can be used to import and export objects to and from
the AD into an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file
is a file easily readable in any text editor; however, it is not readable in
programs like Excel. The major difference between CSVDE and LDIFDE (besides the
file format) is the fact that LDIFDE can be used to edit and delete existing AD
objects (not just users), while CSVDE can only import and export objects.
What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory
services. This assists in removing objects from replicated servers and preventing
restores from reintroducing a deleted object. This value is in the Directory
Service object in the configuration NC.
What are application partitions? When do I use them?
An application directory partition is a directory partition that is replicated
only to specific domain controllers. Only domain controllers running Windows
Server 2003 can host a replica of an application directory partition.
Using an application directory partition provides redundancy, availability or
fault tolerance by replicating data to a specific domain controller or any set of
domain controllers anywhere in the forest.
How do you create a new application partition?
Use the DnsCmd command to create an application directory partition.
To do this, use the following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN of partition
How do you view all the GCs in the forest?
C:\> repadmin /showreps domain_controller
where domain_controller is the DC you want to query to determine whether it's a
GC.
The output will include the text DSA Options: IS_GC if the DC is a GC.
Can you connect Active Directory to other 3rd-party
Directory Services? Name a few options.
Yes, you can use dirXML or LDAP to connect to other directories.
In Novell you can use E-directory.
What is IPSec Policy?
IPSec provides secure gateway-to-gateway connections across outsourced private
wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels
or pure IPSec tunnel mode. IPSec Policy can be deployed via Group Policy to the
Windows domain controllers & servers.
What are the different types of Terminal Services?
User Mode & Application Mode.
What is RSoP?
RSoP is the resultant set of policy applied on the object (Group Policy).
What is the System Startup process?
Windows 2K boot process on an Intel architecture.
Power-On Self Tests (POST) are run.
The boot device is found, the Master Boot Record (MBR) is
loaded into memory, and its program is run.
The active partition is located, and the boot sector is
loaded.
The Windows 2000 loader (NTLDR) is then loaded.
The boot sequence executes the following steps:
The Windows 2000 loader switches the processor to the 32-bit
flat memory model.
The Windows 2000 loader starts a mini-file system.
The Windows 2000 loader reads the BOOT.INI file and displays the
operating system selections (boot loader menu).
The Windows 2000 loader loads the operating system selected by
the user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other
operating systems, NTLDR loads BOOTSECT.DOS and gives it control.
NTDETECT.COM scans the hardware installed in the computer, and
reports the list to NTLDR for inclusion in the Registry under the
HKEY_LOCAL_MACHINE\HARDWARE hive.
NTLDR then loads the NTOSKRNL.EXE, and gives it the hardware
information collected by NTDETECT.COM. Windows NT enters the Windows load
phases.
How do you change the DS Restore admin password?
In Windows 2000 Server, you used to have to boot the computer whose password you
wanted to change in Directory Restore mode, then use either the Microsoft
Management Console (MMC) Local User and Groups snap-in or the command
net user administrator * to change the Administrator password.
Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you
reset the Directory Service Restore Mode password without having to reboot the
computer. (Microsoft refreshed Setpwd in SP4 to improve the utility's scripting
options.)
In Windows Server 2003, you use the Ntdsutil utility to modify the Directory
Service Restore Mode Administrator password.
To do so, follow these steps:
1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe).
2. Start the Directory Service Restore Mode Administrator password-reset
utility by entering the argument "set dsrm password" at the ntdsutil prompt:
   ntdsutil: set dsrm password
3. Run the Reset Password command, passing the name of the server on which to
change the password, or use the null argument to specify the local machine.
For example, to reset the password on server testing, enter the following argument
at the Reset DSRM Administrator Password prompt:
   Reset DSRM Administrator Password: reset password on server testing
To reset the password on the local machine, specify null as the server name:
   Reset DSRM Administrator Password: reset password on server null
You'll be prompted twice to enter the new password. You'll see the following
messages:
   Please type password for DS Restore Mode Administrator Account:
   Please confirm new password:
   Password has been set successfully.
4. Exit the password-reset utility by typing "quit" at the following prompts:
   Reset DSRM Administrator Password: quit
   ntdsutil: quit
I am upgrading from NT to 2003. The only things that are NT are the PDC and BDCs;
everything else is 2000 or 2003 member servers. My question is, when I upgrade
my NT domain controllers to 2003, will I need to do anything else to my Windows
2000/2003 member servers that were in the NT domain?
Your existing member servers, regardless of operating system, will simply
become member servers in your upgraded AD domain. If you will be using
Organizational Units and Group Policy (and I hope you are), you'll probably
want to move them to a specific OU for administration and policy application,
since they'll be in the default "Computers" container immediately
following the upgrade.
8. How do I use Registry keys to remove a user from a group?
In Windows Server 2003, you can use the dsmod command-line utility with the
-delmbr switch to remove a group member from the command line. You should also
look into the freeware utilities available from www.joeware.net. ADFind and
ADMod are indispensable tools in my arsenal when it comes to searching and
modifying Active Directory.
9. Why are my NT4 clients failing to connect to the Windows 2000 domain?
Since NT4 relies on NetBIOS for name resolution, verify that your WINS server
(you do have a WINS server running, yes?) contains the records that you expect
for the 2000 domain controller, and that your clients have the correct address
configured for the WINS server.
How to add your first Windows 2003 DC to an existing Windows 2000 domain?
The first step is to install Windows 2003 on your new DC. This is a
straightforward process, so we aren't going to discuss that here.
Because significant changes have been made to the Active Directory schema in
Windows 2003, we need to make our Windows 2000 Active Directory compatible with
the new version. If you already have Windows 2003 DCs running with Windows 2000
DCs, then you can skip down to the part about DNS.
Before you attempt this step, you should make sure that you have service pack 4
installed on your Windows 2000 DC. Next, make sure that you are logged in as a
user that is a member of the Schema Admin and Enterprise Admin groups.
Next, insert the Windows 2003 Server installation CD into the Windows 2000
Server.
Bring up a command line and change directories to the I386 directory on the
installation CD. At the command prompt, type:
adprep /forestprep
After running this command, make sure that the updates have been replicated to
all existing Windows 2000 DCs in the forest. Next, we need to run the following
command:
adprep /domainprep
The above command must be run on the Infrastructure Master of the domain by
someone who is a member of the Domain Admins group.
Once this is complete, we move back to the Windows 2003 Server. Click "Start",
then "Run", type in dcpromo and click OK. During the ensuing wizard, make sure
that you select that you are adding this DC to an existing domain.
After this process is complete, the server will reboot. When it comes back
online, check and make sure that the AD database has been replicated to your
new server.
Next, you will want to check and make sure that DNS was installed on your new
server.
If not, go to the control panel, click on "Add or Remove Programs", and click
the "Add/Remove Windows Components" button.
In the Windows Components screen, click on "Networking Services" and click the
details button.
In the new window check "Domain Name System (DNS)" and then click the OK button.
Click "Next" in the Windows Components screen.
This will install DNS and the server will reboot. After reboot, pull up the DNS
Management window and make sure that your DNS settings have replicated from the
Windows 2000 Server. You will need to re-enter any forwarders or other
properties you had set up, but the DNS records should replicate on their own.
The next 2 items, global catalog and FSMO roles, are important if you plan on
decommissioning your Windows 2000 server(s). If this is the case, you need to
transfer the global catalog from the old server to the new one.
First, let's create a global catalog on our new server. Here are the steps:
1. On the domain controller where you want the new global catalog, start the
Active Directory Sites and Services snap-in.
To start the snap-in, click "Start", point to "Programs", point to
"Administrative Tools", and then click "Active Directory Sites and Services".
2. In the console tree, double-click "Sites", and then double-click "sitename".
3. Double-click "Servers", click your domain controller, right-click "NTDS
Settings", and then click "Properties".
4. On the General tab, click to select the Global catalog check box to assign
the role of global catalog to this server.
5. Restart the domain controller.
Make sure you allow sufficient time for the account and the schema information
to replicate to the new global catalog server before you remove the global
catalog from the original DC or take the DC offline.
After this is complete, you will want to transfer or seize the FSMO roles for
your new server.
For instructions, read Using Ntdsutil.exe to transfer or seize FSMO roles to a
domain controller.
After this step is complete, we can now run DCPROMO on the Windows 2000 Servers
in order to demote them.
Once this is complete, copy over any files you need to your new server and you
should have successfully replaced your Windows 2000 server(s) with a new Windows
2003 server.
How do you view replication properties for AD partitions and DCs?
By using replication monitor:
go to Start, Run and type repadmin
go to Start, Run and type replmon
Why can't you restore a DC that was backed up 4 months ago?
Because of the tombstone life which is set to only 60 days.
Different modes of AD restore?
A nonauthoritative restore is the default method for restoring Active
Directory. To perform a nonauthoritative restore, you must be able to start the
domain controller in Directory Services Restore Mode. After you restore the
domain controller from backup, replication partners use the standard
replication protocols to update Active Directory and associated information on
the restored domain controller.
An authoritative restore brings a domain or a container
back to the state it was in at the time of backup and overwrites all changes
made since the backup. If you do not want to replicate the changes that have
been made subsequent to the last backup operation, you must perform an
authoritative restore. For this, one needs to stop inbound replication
before performing the authoritative restore.
How do you configure a stand-by operation master for any of the roles?
1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to
display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations
master to display its NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current
role holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the
Connection object or accept the default name, and click OK.
14. What's the difference between transferring a FSMO role and seizing?
Seizing an FSMO can be a destructive process and should only be attempted if
the existing server with the FSMO is no longer available.
If you perform a seizure of the FSMO roles from a DC, you need to ensure two
things: the current holder is actually dead and offline, and that the old DC
will NEVER return to the network. If you do an FSMO role seize and then bring
the previous holder back online, you'll have a problem.
An FSMO role TRANSFER is the graceful movement of the roles from a live, working
DC to another live DC. During the process, the current DC holding the role(s) is
updated, so it becomes aware it is no longer the role holder.
17. I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v (servername is the name of our DC)
18. What is a bridgehead server in AD?
A bridgehead server is a domain
controller in each site, which is used as a contact point to receive and
replicate data between sites. For intersite replication, KCC designates one of
the domain controllers as a bridgehead server. In case the server is down, KCC
designates another one from the domain controller. When a bridgehead server
receives replication updates from another site, it replicates the data to the
other domain controllers within its site.
What is the default size of ntds.dit ?
10 MB in Server 2000 and 12 MB in Server 2003 .
Where is the AD database held and What are other
folders related to AD ?
AD Database is saved in %systemroot%/ntds. You can see other files also in this
folder. These are the main files controlling the AD structure.
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a
write operation, Win2K records the transaction in the log file (edb.log). Once
written to the log file, the change is then written to the AD database. System
performance determines how fast the system writes the data to the AD database
from the log file. Any time the system is shut down, all transactions are saved
to the database.
During the installation of AD, Windows creates two files:
res1.log and res2.log. The initial size of each is 10MB. These files are used
to ensure that changes can be written to disk should the system run out of free
disk space. The checkpoint file (edb.chk) records transactions committed to the
AD database (ntds.dit). During shutdown, a "shutdown" statement is
written to the edb.chk file.
Then, during a reboot, AD determines that all transactions in
the edb.log file have been committed to the AD database. If, for some reason,
the edb.chk file doesn't exist on reboot or the shutdown statement isn't
present, AD will use the edb.log file to update the AD database. The last file
in our list of files to know is the AD database itself, ntds.dit. By default,
the file is located in \NTDS, along with the other files we've discussed.
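The sequence described above (record the change in edb.log first, write it to ntds.dit later, track progress in edb.chk) is write-ahead logging. The Python model below is an added illustration, not code from the original page or from Microsoft; the class and method names are hypothetical, the sample entries are constructed, and everything is held in memory rather than in the real ESE file formats.

```python
"""Simplified model of how edb.log, edb.chk and ntds.dit relate.

All names are hypothetical; real ESE files are binary and are not parsed here.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DirectoryStore:
    database: dict = field(default_factory=dict)  # stands in for ntds.dit
    log: list = field(default_factory=list)       # stands in for edb.log
    checkpoint: Optional[int] = 0                 # edb.chk: log entries already committed
    clean_shutdown: bool = False                  # the "shutdown" statement in edb.chk

    def write(self, key, value):
        """A change is recorded in the log first; the database is updated later."""
        self.clean_shutdown = False
        self.log.append((key, value))

    def flush(self, max_entries=None):
        """Commit logged changes to the database and advance the checkpoint."""
        start = self.checkpoint or 0
        end = len(self.log) if max_entries is None else min(len(self.log), start + max_entries)
        for key, value in self.log[start:end]:
            self.database[key] = value
        self.checkpoint = end

    def shutdown(self):
        """Orderly shutdown: commit everything, then write the shutdown marker."""
        self.flush()
        self.clean_shutdown = True

    def crash(self, lose_checkpoint=False):
        """Unclean stop: no shutdown marker, and optionally no checkpoint file."""
        self.clean_shutdown = False
        if lose_checkpoint:
            self.checkpoint = None

    def recover(self):
        """Boot-time check. Returns how many log entries had to be replayed."""
        if self.clean_shutdown:
            return 0                       # everything is already in the database
        start = 0 if self.checkpoint is None else self.checkpoint
        replayed = self.log[start:]
        for key, value in replayed:        # replay is idempotent: last write wins
            self.database[key] = value
        self.checkpoint = len(self.log)
        return len(replayed)


def demo():
    """Crash with one of three changes committed; recovery replays the other two."""
    store = DirectoryStore()
    store.write("CN=alice", {"telephoneNumber": "555-0100"})  # constructed sample data
    store.write("CN=bob", {"title": "Engineer"})
    store.flush(max_entries=1)             # only the first change reached the database
    store.write("CN=alice", {"telephoneNumber": "555-0199"})
    store.crash()
    before = dict(store.database)
    replayed = store.recover()
    return before, replayed, store.database


if __name__ == "__main__":
    print(demo())
```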
What FSMO placement considerations do you know of ?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master
method called FSMO (Flexible Single Master Operation), as described in
Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders
(all 5 of them) in the same spot (or actually, on the same DC) as has been
configured by the Active Directory installation process.
However, there are scenarios where an administrator would want
to move one or more of the FSMO roles from the default holder DC to a different
DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000
version when dealing with FSMO placement.
In this article I will only deal with Windows Server 2003
Active Directory, but you should bear in mind that most considerations are also
true when planning Windows 2000 AD FSMO roles.
What do you do to install a new Windows 2003 R2 DC in a
Windows 2003 AD?
If you're installing Windows 2003 R2 on an existing Windows 2003 server with
SP1 installed, you require only the second R2 CD-ROM.
Insert the second CD and the r2auto.exe will display the
Windows 2003 R2 Continue Setup screen. If you're installing R2 on a domain
controller (DC), you must first upgrade the schema to the R2 version (this is a
minor change and mostly related to the new DFS Replication engine).
To update the schema, run the Adprep utility, which you'll
find in the Components\r2\adprep folder on the second CD-ROM.
Before running this command, ensure all DCs are running Windows 2003 or Windows
2000 with SP2 (or later).
Here's a sample execution of the Adprep /forestprep command:
D:\CMPNENTS\R2\ADPREP>adprep /forestprep
ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should
be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows
2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required
to prevent potential domain controller corruption.
[User Action] If ALL your existing Windows 2000 domain controllers meet this
requirement, type C and then press ENTER to continue. Otherwise, type any other
key and press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries...
139 entries modified successfully.
The command has completed successfully
Adprep successfully updated the forest-wide information.
After running Adprep, install R2 by performing these steps:
1. Click the "Continue Windows Server 2003 R2 Setup"
link, as the figure shows.
2. At the "Welcome to the Windows Server 2003 R2 Setup Wizard"
screen, click Next.
3. You'll be prompted to enter an R2 CD key (this is different from your
existing Windows 2003 keys) if the underlying OS wasn't installed from R2 media
(e.g., a regular Windows 2003 SP1 installation).
Enter the R2 key and click Next. Note: The license key entered for R2 must
match the underlying OS type, which means if you installed Windows 2003 using a
volume-license version key, then you can't use a retail or Microsoft Developer
Network (MSDN) R2 key.
4. You'll see the setup summary screen which confirms the actions to be
performed (e.g., Copy files). Click Next.
5. After the installation is complete, you'll see a confirmation dialog box.
Click Finish.
What is OU ?
An organizational unit (OU) is a container object in which you can keep objects
such as user accounts, groups, computers, printers, applications and other OUs.
In an organizational unit you can assign specific permissions to users.
Organizational units can also be used to create departmental limitations.
Name some OU design considerations ?
OU design requires balancing requirements for delegating administrative rights
- independent of Group Policy needs - and the need to scope the application of
Group Policy.
The following OU design recommendations address
delegation and scope issues:
Applying Group Policy: An OU is the lowest-level Active
Directory container to which you can assign Group Policy settings.
Delegating administrative authority
Usually don't go more than 3 OU levels.
What are sites ? What are they used for ?
A site is one or more well-connected (highly reliable and fast) TCP/IP
subnets.
A site allows administrators to configure Active Directory
access and replication topology to take advantage of the physical network.
A Site object in Active Directory represents a physical
geographic location that hosts networks. Sites contain objects called Subnets.
Sites can be used to Assign Group Policy Objects, facilitate
the discovery of resources, manage active directory replication, and manage
network link traffic.
Sites can be linked to other Sites. Site-linked objects may be assigned a cost
value that represents the speed, reliability, availability, or other real
property of a physical resource. Site Links may also be assigned a schedule.
Trying to look at the Schema, how can I do that ?
Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc -- add snap-in -- add Active Directory Schema
Name it schema.msc
Open Administrative Tools -- schema.msc
19. What is the port no of Kerberos ?
88
20. What is the port no of Global catalog ?
3268
21. What is the port no of LDAP ?
389
22. Explain Active Directory Schema ?
Windows 2000 and Windows Server 2003 Active Directory uses a database set of
rules called "Schema". The Schema is defined as the formal definition
of all object classes, and the attributes that make up those object classes,
that can be stored in the directory. As mentioned earlier, the Active Directory
database includes a default Schema, which defines many object classes, such as
users, groups, computers, domains, organizational units, and so on.
These objects are also known as "Classes". The
Active Directory Schema is dynamically extensible, meaning that you can
modify the schema by defining new object types and their attributes and by
defining new attributes for existing objects. You can do this either with the
Schema Manager snap-in tool included with Windows 2000/2003 Server, or
programmatically.
How can you forcibly remove AD from a server, and what do you do later? Can I
get user passwords from the AD database?
With dcpromo /forceremoval, an administrator can forcibly remove
Active Directory and roll back the system without having to contact or
replicate any locally held changes to another DC in the forest. Reboot the
server afterwards. After you use the dcpromo /forceremoval command, the remaining
metadata for the demoted DC is not deleted on the surviving domain controllers,
and therefore you must manually remove it by using the NTDSUTIL command.
In the event that the NTDS Settings object is not removed correctly, you can
use the Ntdsutil.exe utility to manually remove the NTDS Settings object. You
will need the following tools: Ntdsutil.exe, Active Directory Sites and
Services, Active Directory Users and Computers.
What are the FSMO roles? Who has
them by default? What happens when each one fails?
Flexible Single Master Operation (FSMO) role. Currently there are five FSMO
roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
24. What is domain tree ?
Domain Trees: A domain tree comprises several domains that share a common
schema and configuration, forming a contiguous namespace. Domains in a tree are
also linked together by trust relationships. Active Directory is a set of one
or more trees.
Trees can be viewed two ways. One view is the trust relationships between
domains. The other view is the namespace of the domain tree.
25. What are forests ?
A collection of one or more domain trees with a common schema and implicit
trust relationships between them. This arrangement would be used if you have
multiple root DNS addresses.
26. How to Select the Appropriate Restore Method ?
You select the appropriate restore method by considering the
circumstances and characteristics of the failure. The two major categories of
failure, from an Active Directory perspective, are Active Directory data
corruption and hardware failure.
Active Directory data corruption occurs when the directory
contains corrupt data that has been replicated to all domain controllers or
when a large portion of the Active Directory hierarchy has been changed
accidentally (such as deletion of an OU) and this change has replicated to
other domain controllers.
Where are the Windows NT Primary
Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a
multimaster peer-to-peer read and write relationship that hosts copies of the
Active Directory.
What is Global Catalog?
The Global Catalog authenticates network user logons and fields inquiries about
objects across a forest or tree. Every domain has at least one GC that is
hosted on a domain controller. In Windows 2000, there was typically one GC on
every site in order to prevent user logon failures across the network.
How long does it take for security
changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These
changes include account and individual user lockout policies, changes to
password policies, changes to computer account passwords, and modifications to
the Local Security Authority (LSA).
28.
When should you create a forest?
Organizations that operate on radically different bases may require separate
trees with distinct namespaces. Unique trade or brand names often give rise to
separate DNS identities. Organizations merge or are acquired and naming
continuity is desired. Organizations form partnerships and joint ventures.
While access to common resources is desired, a separately defined tree can
enforce more direct administrative and security restrictions.
29.
Describe the process of working with an external domain name
?
If it is not possible for you to configure your internal domain as a subdomain
of your external domain, use a stand-alone internal domain. This way, your
internal and external domain names are unrelated. For example, an organization
that uses the domain name contoso.com for their external namespace uses the
name corp.internal for their internal namespace.
The advantage to this approach is that it provides you with a unique internal
domain name. The disadvantage is that this configuration requires you to manage
two separate namespaces. Also, using a stand-alone internal domain that is
unrelated to your external domain might create confusion for users because the
namespaces do not reflect a relationship between resources within and outside
of your network.
In addition, you might have to register two DNS names with an Internet name
authority if you want to make the internal domain publicly accessible.
32.
How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.
To find the GC from the command line you can try using the DSQUERY command:
dsquery server -isgc
To find all the GCs in the forest you can try dsquery server -forest -isgc.
Latest Active Directory
Interview Questions
What are the physical components of Active Directory ?
Domain controllers and Sites. Domain controllers are physical
computers that run the Windows Server operating system and the Active Directory
database. Sites are network segments based on geographical location, each
containing multiple domain controllers.
What are the logical components of Active Directory ?
Domains, Organizational Units, trees and forests are logical
components of Active Directory.
What are the Active Directory Partitions ?
Active Directory database is divided into different partitions
such as Schema partition, Domain partition, and Configuration partition. Apart
from these partitions, we can create Application partition based on the
requirement.
What is group nesting ?
Adding one group as a member of another group is called 'group
nesting'. This will help for easy administration and reduced replication
traffic.
What is the feature of Domain Local Group ?
Domain local groups are mainly used for granting access to
network resources. A Domain local group can contain accounts from any domain,
global groups from any domain and universal groups from any domain. For
example, if you want to grant permission to a printer located at Domain A, to
10 users from Domain B, then create a Global group in Domain B and add all 10
users into that Global group. Then, create a Domain local group at Domain A,
and add Global group of Domain B to Domain local group of Domain A, then, add
Domain local group of Domain A to the printer (of Domain A) security ACL.
How will you take Active Directory backup ?
Active Directory is backed up along with System State data.
System state data includes Local registry, COM+, Boot files, NTDS.DIT and
SYSVOL folder. System state can be backed up either using Microsoft's default
NTBACKUP tool or third party tools such as Symantec NetBackup, IBM Tivoli
Storage Manager etc.
What is Lost and Found Container ?
In the multimaster replication method, replication conflicts can
happen. Objects with replication conflicts will be stored in a container called
the 'Lost and Found' container. This container is also used to store orphaned
user accounts and other objects.
Do we use clustering in Active Directory ? Why ?
No one installs Active Directory in a cluster. There is no need
to cluster a domain controller, because Active Directory provides total
redundancy with two or more servers.
What is Active Directory Recycle Bin ?
Active Directory Recycle bin is a feature of Windows
Server 2008 AD. It helps to restore accidentally deleted Active Directory
objects without using a backed up AD database, rebooting domain controller or
restarting any services.
What is RODC ? Why do we configure RODC ?
Read-only domain controller (RODC) is a feature of the Windows
Server 2008 operating system. An RODC holds a read-only copy of the Active
Directory database and can be deployed in a remote branch office where physical
security cannot be guaranteed. An RODC provides improved security and faster
logon times for the branch office.
How do you check the current forest and domain functional levels?
Give both the GUI and the command-line method.
To find out forest and domain functional levels in GUI mode,
open ADUC, right-click the domain name and open Properties. Both domain and
forest functional levels will be listed there. To find out forest and domain
functional levels from the command line, you can use the DSQUERY command.
Which version of Kerberos is used for Windows 2000/2003 and
2008 Active Directory ?
All versions of Windows Server Active Directory use Kerberos 5.
Name few port numbers related to Active Directory ?
Kerberos 88, LDAP 389, DNS 53, SMB 445
What is an FQDN ?
FQDN can be expanded as Fully Qualified Domain Name. It is a
hierarchy of a domain name system which points to a device in the domain at its
leftmost end. For example in system.
Have you heard of ADAC ?
ADAC (Active Directory Administrative Center) is a new GUI tool
that came with Windows Server 2008 R2, which provides an enhanced data management
experience to the admin. ADAC helps administrators perform common Active
Directory object management tasks across multiple domains with the same ADAC
instance.
How many objects can be created in Active Directory? (both 2003
and 2008)
As per Microsoft, a single AD domain controller can create
around 2.15 billion objects during its lifetime.
Explain the process between a user providing his Domain
credential to his workstation and the desktop being loaded. Or how does AD
authentication work ?
When a user enters a user name and password, the computer sends
the user name to the KDC. The KDC contains a master database of unique long
term keys for every principal in its realm. The KDC looks up the user's master
key (KA), which is based on the user's password. The KDC then creates two items:
a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT).
The TGT includes a second copy of the SA, the user name, and an expiration
time. The KDC encrypts this ticket by using its own master key (KKDC), which
only the KDC knows. The client computer receives the information from the KDC
and runs the user's password through a one-way hashing function, which converts
the password into the user's KA. The client computer now has a session key and
a TGT so that it can securely communicate with the KDC. The client is now
authenticated to the domain and is ready to access other resources in the
domain by using the Kerberos protocol.
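The exchange described above, as an added Python model that is not part of the original page and is not Microsoft's implementation: the KDC looks up KA, creates SA, seals the TGT under KKDC, and returns a copy of SA sealed under KA (the step the description leaves implicit). The names are hypothetical, PBKDF2 stands in for the real string-to-key function, and the HMAC-based `seal`/`unseal` pair is a teaching stand-in for the Kerberos encryption types.

```python
import hashlib
import hmac
import json
import secrets
import time


def string_to_key(password: str, salt: str) -> bytes:
    """One-way function turning the password into the long-term key K_A."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (assumption: illustration only)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or modified message")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class KDC:
    def __init__(self, realm: str):
        self.realm = realm
        self.master_key = secrets.token_bytes(32)  # K_KDC, known only to the KDC
        self.principals = {}                       # user name -> long-term key K_A

    def add_principal(self, user: str, password: str):
        self.principals[user] = string_to_key(password, self.realm + user)

    def as_exchange(self, user: str, lifetime: int = 600):
        """Client sent its user name; reply with (S_A sealed under K_A, TGT)."""
        ka = self.principals[user]
        sa = secrets.token_bytes(32)               # session key S_A
        ticket = {"user": user, "session_key": sa.hex(),
                  "expires": int(time.time()) + lifetime}
        tgt = seal(self.master_key, json.dumps(ticket).encode())
        return seal(ka, sa), tgt

    def validate_tgt(self, tgt: bytes) -> dict:
        """Only the KDC can open the TGT, because only it holds K_KDC."""
        ticket = json.loads(unseal(self.master_key, tgt))
        if ticket["expires"] < time.time():
            raise ValueError("ticket expired")
        return ticket


def client_logon(kdc: KDC, user: str, password: str):
    """Workstation side: derive K_A from the typed password and recover S_A."""
    sealed_sa, tgt = kdc.as_exchange(user)
    ka = string_to_key(password, kdc.realm + user)
    sa = unseal(ka, sealed_sa)                     # raises ValueError on a wrong password
    return sa, tgt                                 # the TGT stays opaque to the client
```

The password itself never crosses the network in this model; a wrong password shows up on the workstation as a failed integrity check when opening the KDC's reply.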
What Is Urgent Replication And When Is It Used ?
You probably know how Active Directory core replication works.
When an object is changed, the source DC, the one that serviced the change
request, notifies its direct replication neighbours that there was a change to
some object. The neighbours then start the replication process by requesting the
changes made since the last replication.
It is important to know that there is a “notification delay”
between the actual change to the objects in the directory and the notification
sent to the replication partners. Server 2003 DCs wait 15 seconds before they
fire out the change notification. This delay is there so that only one change
notification is sent once the change transaction to the object is done. If there
are multiple changes made to an object, let’s say the phone number, the home town
and the employeeID of a user, and the changes were made with a 1 second delay
each, we only send one change notification for those three changes. If there was
no notification delay and we waited a second between the changes to a user’s
attributes, the source DC would send three change notifications to its
partners. Too much traffic there! Note that the default change notification
delay in Windows 2000 was 5 minutes (the numbers may differ depending on
installation type: upgrade from 2000 to 2003, forest functional level, …).
Given that fact, one can think of several scenarios which may
lead to a “problem”, since the change to the directory is not replicated right
away: user password changes, user lockout, password policy changes, …
For this reason, there’s urgent replication. Urgent replication
works in the same way “normal” replication does, but has no notification delay
of a few seconds/minutes. That lets “urgent” changes that need to be
distributed throughout the sites and DCs reach all edges more quickly.
Urgent replication takes place in the following cases:
The Password Policy or account lockout policy of a domain
has changed
The LSA secret has changed (that’s used for the “secure
channels” between machines and DCs and trusts)
A user or computer is locked out due to a failed logon
attempt (in this case, the urgent replication is used to notify the DC with the
PDC emulator role first and then all others)
The RID master has changed
So, if one of the mentioned events takes place, urgent
replication takes place and there’s no notification delay prior to change
notification of neighbour DCs.
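The batching effect of the notification delay, and how an urgent event bypasses it, as an added Python model (not from the original page). The event names are hypothetical labels for the four urgent cases listed above, the timestamps are constructed, and the model assumes a notification covers every change still pending on the source DC.

```python
NOTIFY_DELAY = 15  # seconds, the Server 2003 figure quoted above

# Hypothetical labels for the urgent cases listed above.
URGENT_EVENTS = {"password_policy", "lockout_policy", "lsa_secret",
                 "account_lockout", "rid_master"}


def _batches(changes, delay):
    """Group (timestamp, kind) changes into the notifications a source DC sends."""
    sent, pending, timer_due = [], [], None
    for ts, kind in sorted(changes):
        # A running delay timer that expired before this change fires first.
        if timer_due is not None and ts >= timer_due:
            sent.append((timer_due, pending))
            pending, timer_due = [], None
        pending.append((ts, kind))
        if kind in URGENT_EVENTS:
            # Urgent replication: notify immediately, no delay.
            sent.append((ts, pending))
            pending, timer_due = [], None
        elif timer_due is None:
            # First ordinary change starts the notification delay.
            timer_due = ts + delay
    if pending:
        sent.append((timer_due, pending))
    return sent


def notification_times(changes, delay=NOTIFY_DELAY):
    """Return [(send_time, [kinds covered])], one entry per change notification."""
    return [(when, [kind for _, kind in batch]) for when, batch in _batches(changes, delay)]


def latencies(changes, delay=NOTIFY_DELAY):
    """Seconds each change waits on the source DC before partners are notified."""
    return {kind: when - ts
            for when, batch in _batches(changes, delay)
            for ts, kind in batch}


if __name__ == "__main__":
    # Constructed sample: the three attribute edits from the text, one second apart.
    edits = [(0, "telephoneNumber"), (1, "l"), (2, "employeeID")]
    print(notification_times(edits))            # one notification at t=15
    print(notification_times(edits, delay=0))   # three notifications
    print(latencies([(0, "telephoneNumber"), (5, "account_lockout")]))
```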
Which FSMO role directly impacts the consistency of
Group Policy ?
PDC Emulator.
I want to promote a new additional Domain Controller in
an existing domain. Which are the groups I should be a member of ?
You should be a member of Enterprise Admins group or the Domain
Admins group. Also you should be member of local Administrators group of the
member server which you are going to promote as additional Domain Controller.
Tell me one easiest way to check all the 5 FSMO roles ?
Use netdom query /domain:YourDomain FSMO command. It will
list all the FSMO role handling domain controllers.
What is Realm trust ?
Use realm trusts to form a trust relationship between a non-Windows Kerberos
realm and an Active Directory domain.
Name few Active Directory Built in
groups
SID: S-1-5-32-544 - Name: Administrators -
Description: A built-in group. After the initial installation of the operating
system, the only member of the group is the Administrator account. When a
computer joins a domain, the Domain Admins group is added to the Administrators
group. When a server becomes a domain controller, the Enterprise Admins group
also is added to the Administrators group.
SID: S-1-5-32-548 - Name: Account
Operators - Description: A built-in group that exists only on domain
controllers. By default, the group has no members. By default, Account
Operators have permission to create, modify, and delete accounts for users, groups,
and computers in all containers and organizational units of Active Directory
except the Builtin container and the Domain Controllers OU. Account Operators
do not have permission to modify the Administrators and Domain Admins groups,
nor do they have permission to modify the accounts for members of those groups.
SID: S-1-5-32-549 - Name: Server
Operators - Description: A built-in group that exists only on domain
controllers. By default, the group has no members. Server Operators can log on
to a server interactively; create and delete network shares; start and stop
services; back up and restore files; format the hard disk of the computer; and
shut down the computer.
SID: S-1-5-32-550 - Name: Print
Operators - Description: A built-in group that exists only on domain
controllers. By default, the only member is the Domain Users group. Print
Operators can manage printers and document queues.
SID: S-1-5-32-551 - Name: Backup
Operators - Description: A built-in group. By default, the group has
no members. Backup Operators can back up and restore all files on a computer,
regardless of the permissions that protect those files. Backup Operators also
can log on to the computer and shut it down.
In a domain environment these groups
are present, and are used for administrative purposes.
SID: S-1-5-21-<domain>-512 -
Name: Domain Admins - Description: A global group whose members
are authorized to administer the domain. By default, the Domain Admins group is
a member of the Administrators group on all computers that have joined a
domain, including the domain controllers. Domain Admins is the default owner of
any object that is created by any member of the group.
SID: S-1-5-21-<root domain>-518
- Name: Schema Admins - Description: A universal group in a
native-mode domain; a global group in a mixed-mode domain. The group is
authorized to make schema changes in Active Directory. By default, the only
member of the group is the Administrator account for the forest root domain.
SID: S-1-5-21-<root domain>-519
- Name: Enterprise Admins - Description: A universal group in
a native-mode domain; a global group in a mixed-mode domain. The group is
authorized to make forest-wide changes in Active Directory, such as adding
child domains. By default, the only member of the group is the Administrator
account for the forest root domain.
SID: S-1-5-21-<domain>-520 -
Name: Group Policy Creator Owners - Description: A global
group that is authorized to create new Group Policy objects in Active
Directory. By default, the only member of the group is Administrator.
Scenario Based AD Interview Questions and Answers - Microsoft 70-640 Exam
QUESTION NO: 1
You have a single Active Directory domain. All domain controllers run
Windows Server 2008 and are configured as DNS servers. The domain contains one
Active Directory-integrated DNS zone. You need to ensure that outdated DNS
records are automatically removed from the DNS zone.
What should you do?
A. From the properties of the zone, modify the TTL of the
SOA record.
B. From the properties of the zone, enable scavenging.
C. From the command prompt, run ipconfig /flushdns.
D. From the properties of the zone, disable dynamic updates.
Answer: B
Explanation:
To remove the outdated DNS records from the DNS zone
automatically, you should enable Scavenging through Zone properties. Scavenging
will help you clean up old unused records in DNS. Since "clean up"
really means "delete stuff" a good understanding of what you are
doing and a healthy respect for "delete stuff" will keep you out of the
hot grease. Because deletion is involved there are quite a few safety valves
built into scavenging that take a long time to pop. When enabling scavenging,
patience is required.
QUESTION NO: 2
Your network consists of a single Active Directory domain. All domain
controllers run Windows Server 2008 R2. The Audit account management policy
setting and Audit directory services access setting are enabled for the entire
domain.
You need to ensure that changes made to Active Directory objects can be
logged. The logged changes must include the old and new values of any
attributes.
What should you do?
A. Run auditpol.exe and then configure the Security
settings of the Domain Controllers OU.
B. From the Default Domain Controllers policy, enable the
Audit directory service access setting and enable directory service changes.
C. Enable the Audit account management policy in the
Default Domain Controller Policy.
D. Run auditpol.exe and then enable the Audit directory
service access setting in the Default Domain policy.
Answer: A
Explanation:
To make sure the changes made to Active Directory objects are logged and the
logs show the old and new values of any attribute, you should run auditpol.exe
and configure the security settings for the Domain Controllers Organizational
Unit.
QUESTION NO: 3
Your company, Contoso, Ltd., has a main office and a branch office. The
offices are connected by a WAN link. Contoso has an Active Directory forest
that contains a single domain named ad.contoso.com.
The ad.contoso.com domain contains one domain controller named DC1 that is
located in the main office. DC1 is configured as a DNS server for the
ad.contoso.com DNS zone. This zone is configured as a standard primary zone.
You install a new domain controller named DC2 in the branch office. You
install DNS on DC2.
You need to ensure that the DNS service can update records and resolve DNS
queries in the event that a WAN link fails.
What should you do?
A. Create a new stub zone named ad.contoso.com on DC2.
B. Create a new standard secondary zone named
ad.contoso.com on DC2.
C. Configure the DNS server on DC2 to forward requests to
DC1.
D. Convert the ad.contoso.com zone on DC1 to an Active
Directory-integrated zone.
Answer: D
Explanation:
To make sure that the DNS service on TK2 can update records and resolve DNS
queries in the event of a MAN link failure, you should convert maks.contoso.com
on TK1 to an Active Directory-integrated zone. Active Directory-integrated DNS
offers two pluses over traditional zones. For one, the fault tolerance built
into Active Directory eliminates the need for primary and secondary
nameservers.
Effectively, all nameservers using Active Directory-integrated zones are
primary nameservers. This has a huge advantage for the use of dynamic DNS as
well: namely, the wide availability of nameservers that can accept registrations.
Recall that domain controllers and workstations register their locations and
availability to the DNS zone using dynamic DNS.
In a traditional DNS setup, only one type of nameserver can accept these
registrations—the primary server, because it has the only read/write copy of a
zone. By creating an Active Directory-integrated zone, all Windows Server 2008
nameservers that store their zone data in Active Directory can accept a dynamic
registration, and the change will be propagated using Active Directory
multimaster replication.
Windows Server 2008 Active
directory Interview Questions and Answers
QUESTION NO: 4
Your company has a server that runs an instance of Active Directory
Lightweight Directory Service (AD LDS). You need to create new organizational
units in the AD LDS application directory partition. What should you do?
A. Use the dsmod OU <OrganizationalUnitDN> command to
create the organizational units.
B. Use the Active Directory Users and Computers snap-in to
create the organizational units on the AD LDS application directory partition.
C. Use the dsadd OU <OrganizationalUnitDN> command to
create the organizational units.
D. Use the ADSI Edit snap-in to create the organizational
units on the AD LDS application directory partition.
Answer: D
Explanation:
To create new OUs in the AD LDS application directory partition, you should
use ADSI Edit snap-in. ADSI Edit is a snap-in that runs in a Microsoft
Management Console (MMC). The default console containing ADSI Edit is
AdsiEdit.msc. If this snap-in is not added in your MMC, you can do it by adding
through Add/Remove Snap-in menu option in the MMC or you can open AdsiEdit.msc
from a Windows Explorer.
QUESTION NO: 5
Your company has an Active Directory domain. The company has two domain
controllers named DC1 and DC2. DC1 holds the Schema Master role.
DC1 fails. You log on to Active Directory by using the administrator account.
You are not able to transfer the Schema Master operations role.
You need to ensure that DC2 holds the Schema Master role.
What should you do?
A. Configure DC2 as a bridgehead server.
B. On DC2, seize the Schema Master role.
C. Log off and log on again to Active Directory by using an
account that is a member of the Schema Administrators group. Start the Active
Directory Schema snap-in.
D. Register the Schmmgmt.dll. Start the Active Directory
Schema snap-in.
Answer: B
Explanation:
To ensure that DC2 holds the Schema Master role, you should seize the Schema
Master role on DC2. Seizing the schema master role is a drastic step that
should be considered only if the current operations master will never be
available again. So to transfer the schema master operations role, you have to
seize it on DC2.
QUESTION NO: 6
Your company has an Active Directory forest that runs at the functional
level of Windows Server 2008.
You implement Active Directory Rights Management Services (AD RMS).
You install Microsoft SQL Server 2005. When you attempt to open the AD RMS
administration Web site, you receive the following error message: "SQL
Server does not exist or access denied."
You need to open the AD RMS administration Web site.
Which two actions should you perform? (Each correct answer presents part of
the solution. Choose two.)
A. Restart IIS.
B. Manually delete the Service Connection Point in AD DS
and restart AD RMS.
C. Install Message Queuing.
D. Start the MSSQLSVC service.
Answer: A,D
Explanation:
To rectify the SQL Server problem, you have to restart Internet
Information Services (IIS), which refreshes the IIS server. Then you start the
MSSQLSVC service to start the SQL server. This will enable you to access the
database from the AD RMS administration website.
QUESTION NO: 7
Your network consists of an Active Directory forest that contains one domain
named contoso.com. All domain controllers run Windows Server 2008 R2 and are
configured as DNS servers.
You have two Active Directory-integrated zones: contoso.com and
nwtraders.com. You need to ensure a user is able to modify records in the
contoso.com zone. You must prevent the user from modifying the SOA record in
the nwtraders.com zone. What should you do?
A.
From the Active Directory Users and Computers console,
run the Delegation of Control Wizard.
B.
From the Active Directory Users and Computers console,
modify the permissions of the Domain Controllers organizational unit (OU).
C.
From the DNS Manager console, modify the permissions of
the contoso.com zone.
D.
From the DNS Manager console, modify the permissions of
the nwtraders.com zone.
Answer: C
Explanation:
To allow the user to modify records in contoso.com and prevent him/her from
modifying the SOA record in the contoso.com zone, you should set the permissions of
contoso.com through the DNS Manager console. You set the permissions for the users
to modify the records in contoso.com. By setting permissions on one Active
Directory-integrated zone, you will be preventing the users from modifying
anything else on the other zones.
Windows Server 2008 Active Directory Exam Questions and Answers
QUESTION NO: 8
Your company has an Active Directory domain. All
servers run Windows Server 2008 R2. Your company uses an Enterprise Root
certificate authority (CA). You need to ensure that revoked certificate
information is highly available. What should you do?
a.
Implement an Online Certificate Status Protocol (OCSP)
responder by using an Internet Security and Acceleration Server array.
b.
Publish the trusted certificate authorities list to the
domain by using a Group Policy Object (GPO).
c.
Implement an Online Certificate Status Protocol (OCSP)
responder by using Network Load Balancing.
d.
Create a new Group Policy Object (GPO) that allows
users to trust peer certificates. Link the GPO to the domain.
Answer: C
Explanation:
To ensure that the revoked certificate information is available at all times, you
should publish an OCSP responder and use Network Load Balancing. An OCSP responder is an
online responder that can receive a request to check for revocation of a
certificate without the client having to download the entire CRL. This process
speeds up certificate revocation checking and reduces the network bandwidth used
for this process. This can be helpful especially when such checking is done
over slow WAN links.
QUESTION NO: 9
You have two servers named Server1 and Server2.
Both servers run Windows Server 2008 R2. Server1 is configured as an enterprise
root certification authority (CA). You install the Online Responder role
service on Server2. You need to configure Server1 to support the Online
Responder. What should you do?
a.
Import the enterprise root CA certificate.
b.
Configure the Certificate Revocation List
Distribution Point extension.
c.
Configure the Authority Information Access (AIA)
extension.
d.
Add the Server2 computer account to the
CertPublishers group.
Answer: C
Explanation:
To configure online responder role service on S1,
you should configure AIA extension. The authority information access extension
indicates how to access CA information and services for the issuer of the
certificate in which the extension appears. Information and services may
include on-line validation services and CA policy data. (The location of CRLs
is not specified in this extension; that information is provided by the cRLDistributionPoints
extension.) This extension may be included in subject or CA certificates, and
it MUST be non-critical.
QUESTION NO: 10
Your company has an Active Directory domain. A user
attempts to log on to a computer that was turned off for twelve weeks. The
administrator receives an error message that authentication has failed. You
need to ensure that the user is able to log on to the computer. What should you
do?
a.
Run the netsh command with the set and machine
options.
b.
Reset the computer account. Disjoin the computer
from the domain, and then rejoin the computer to the domain.
c.
Run the netdom TRUST /reset command.
d.
Run the Active Directory Users and Computers
console to disable, and then enable the computer account.
Answer: B
Explanation:
To ensure that the administrator can log on to the
computer, you should disjoin the computer from the domain and rejoin it again.
Reset the computer account too. Due to long inactivity, the computer was not
responding to the authentication query using the Active Directory records. So
when you disjoin and rejoin the computer to the domain and reset the computer
account, the Active Directory refreshes the computer account password. After
that the administrator can easily log on to the computer.
QUESTION NO: 11
Your company has an Active Directory forest that
contains a single domain. The domain member server has an Active Directory
Federation Services (AD FS) role installed. You need to configure AD FS to
ensure that AD FS tokens contain information from the Active Directory domain.
What should you do?
a.
Add and configure a new account partner.
b.
Add and configure a new resource partner.
c.
Add and configure a new account store.
d.
Add and configure a Claims-aware application.
Answer: C
Explanation:
To configure the AD FS trust policy to populate AD FS tokens with employees'
information from the Active Directory domain, you need to add and configure a new
account store.
AD FS allows the secure sharing of identity information between trusted
business partners across an extranet. When a user needs to access a Web
application from one of its federation partners, the user's own organization is
responsible for authenticating the user and providing identity information in
the form of "claims" to the partner that hosts the Web application.
The hosting partner uses its trust policy to map the incoming claims to claims
that are understood by its Web application, which uses the claims to make
authorization decisions. Because claims originate from an account store, you
need to configure an account store to configure the AD FS trust policy.
QUESTION NO: 12
Your network consists of a single
Active Directory domain. All domain controllers run Windows Server 2008 R2. You
need to reset the Directory Services Restore Mode (DSRM) password on a domain
controller.
What tool should you use?
a.
Active Directory Users and Computers
snap-in
b.
ntdsutil
c.
Local Users and Groups snap-in
d.
dsmod
Answer: B
Explanation:
To reset the DSRM password on a
single domain controller, you should use ntdsutil utility. You can use
Ntdsutil.exe to reset this password for the server on which you are working, or
for another domain controller in the domain. Type ntdsutil and at the ntdsutil
command prompt, type set dsrm password.
QUESTION NO: 13
Your company has a main office and a
branch office. You deploy a read-only domain controller (RODC) that runs
Microsoft Windows Server 2008 to the branch office. You need to ensure that
users at the branch office are able to log on to the domain by using the RODC.
What should you do?
a.
Add another RODC to the branch
office.
b.
Configure a new bridgehead server in
the main office.
c.
Decrease the replication interval
for all connection objects by using the Active Directory Sites and Services
console.
d.
Configure the Password Replication
Policy on the RODC.
Answer: D
Explanation:
To ensure that the users at the
branch office can log on to the domain using RODC, you should use a Password
Replication Policy. RODCs don't cache any user or machine passwords. You can
change this by adding a policy through each RODC's unique Password Replication
Policy (PRP). A policy would create a group for each branch office with a RODC
and add users in that branch office. An administrator, then, can allow password
replication for the branch-office group.
QUESTION NO: 14
Your company has a single Active
Directory domain named intranet.adatum.com. The domain controllers run Windows
Server 2008 and the DNS server role. All computers, including non-domain
members, dynamically register their DNS records. You need to configure the
intranet.adatum.com zone to allow only domain members to dynamically register
DNS records. What should you do?
a.
Set dynamic updates to Secure Only.
b.
Remove the Authenticated Users
group.
c.
Enable zone transfers to Name
Servers.
d.
Deny the Everyone group the Create
All Child Objects permission.
Answer: A
Explanation:
To make sure only the domain members
are able to register their DNS records dynamically, set Dynamic updates to
Secure only. This allows only domain members to register their
DNS records dynamically.
QUESTION NO: 15
Your network consists of a single
Active Directory domain. All domain controllers run Windows Server 2008 R2 and
are configured as DNS servers. A domain controller named DC1 has a standard
primary zone for contoso.com. A domain controller named DC2 has a standard
secondary zone for contoso.com. You need to ensure that the replication of the
contoso.com zone is encrypted. You must not lose any zone data. What should you
do?
a.
Convert the primary zone into an
Active Directory-integrated stub zone. Delete the secondary zone.
b.
Convert the primary zone into an
Active Directory-integrated zone. Delete the secondary zone.
c.
Configure the zone transfer settings
of the standard primary zone. Modify the Master Servers lists on the secondary
zone.
d.
On both servers, modify the
interface that the DNS server listens on.
Answer: B
Explanation:
To make sure that the replication of
the contoso.com zone is encrypted to prevent data loss, you should convert the
primary zone into an Active Directory-integrated zone and delete the secondary zone.
QUESTION NO: 16
You are decommissioning domain
controllers that hold all forest-wide operations master roles. You need to
transfer all forest-wide operations master roles to another domain controller.
Which two roles should you transfer? (Each correct answer presents part of the
solution. Choose two.)
a.
Domain naming master
b.
Infrastructure master
c.
RID master
d.
PDC emulator
e.
Schema master
Answer: A,E
Explanation:
To transfer all forest-wide
operation master roles to another domain, you should transfer Domain naming
master and Schema master. Schema Master: The schema master domain controller
controls all updates and modifications to the schema. To update the schema of a
forest, you must have access to the schema master.
There can be only one schema master
in the whole forest. Domain naming master: The domain naming master domain
controller controls the addition or removal of domains in the forest. There can
be only one domain naming master in the whole forest.
QUESTION NO: 17
Contoso, Ltd. has an Active
Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directory
domain named intranet.fabrikam.com. Fabrikam's security policy prohibits the transfer
of internal DNS zone data outside the Fabrikam network. You need to ensure that
the Contoso users are able to resolve names from the intranet.fabrikam.com
domain. What should you do?
a.
Create a new stub zone for the
intranet.fabrikam.com domain.
b.
Configure conditional forwarding for
the intranet.fabrikam.com domain.
c.
Create a standard secondary zone for
the intranet.fabrikam.com domain.
d.
Create an Active
Directory-integrated zone for the intranet.fabrikam.com domain.
Answer: B
Explanation:
To enable a fabrikam.com user to
resolve names from intranet.fabrikam.com domain, you should set the conditional
forwarding for the intranet.fabrikam.com domain. A conditional forwarding is a
DNS query setting that enables a DNS server to route a request for a particular
name to another DNS server by specifying a name and IP address.
QUESTION NO: 18
An Active Directory database is
installed on the C volume of a domain controller. You need to move the Active
Directory database to a new volume. What should you do?
a.
Copy the ntds.dit file to the new
volume by using the ROBOCOPY command.
b.
Move the ntds.dit file to the new
volume by using Windows Explorer.
c.
Move the ntds.dit file to the new
volume by running the Move-item command in Microsoft Windows PowerShell.
d.
Move the ntds.dit file to the new
volume by using the Files option in the Ntdsutil utility.
Answer: D
Explanation:
To move the Active Directory
database to a new volume, you should move the ntds.dit file to the new volume
by opening the Files option in the ntdsutil utility. Use Ntdsutil.exe to move
the database file, the log files, or both to a larger existing partition. If
you are not using Ntdsutil.exe when moving files to a different partition, you
will need to manually update the registry.
QUESTION NO: 19
Your company has file servers
located in an organizational unit named Payroll. The file servers contain
payroll files located in a folder named Payroll. You create a GPO. You need to
track which employees access the Payroll files on the file servers. What should
you do?
a.
Enable the Audit process tracking
option. Link the GPO to the Domain Controllers organizational unit. On the file
servers, configure Auditing for the Authenticated Users group in the Payroll
folder.
b.
Enable the Audit object access
option. Link the GPO to the Payroll organizational unit. On the file servers,
configure Auditing for the Everyone group in the Payroll folder.
c.
Enable the Audit process tracking
option. Link the GPO to the Payroll organizational unit. On the file servers,
configure Auditing for the Everyone group in the Payroll folder.
d.
Enable the Audit object access
option. Link the GPO to the domain. On the domain controllers, configure
Auditing for the Authenticated Users group in the Payroll folder.
Answer: B
QUESTION NO: 20
Your company uses a Windows 2008
Enterprise certificate authority (CA) to issue certificates. You need to
implement key archival. What should you do?
a.
Configure the certificate for
automatic enrollment for the computers that store encrypted files.
b.
Install an Enterprise Subordinate CA
and issue a user certificate to users of the encrypted files.
c.
Apply the Hisecdc security template
to the domain controllers.
d.
Archive the private key on the
server.
Answer: D
QUESTION NO: 21
Your company has an Active Directory
domain that runs Windows Server 2008 R2. The Sales OU contains an OU for
Computers, an OU for Groups, and an OU for Users. You perform nightly backups.
An administrator deletes the Groups OU. You need to restore the Groups OU
without affecting users and computers in the Sales OU. What should you do?
a.
Perform an authoritative restore of
the Sales OU.
b.
Perform a non-authoritative restore
of the Sales OU.
c.
Perform an authoritative restore of
the Groups OU.
d.
Perform a non-authoritative restore
of the Groups OU.
Answer: C
QUESTION NO: 22
Your network consists of a single
Active Directory domain. The functional level of the forest is Windows Server
2008 R2. You need to create multiple password policies for users in your
domain. What should you do?
A. From the Group Policy Management snap-in, create multiple Group
Policy objects.
B.
From the Schema snap-in, create multiple class schema objects.
C.
From the ADSI Edit snap-in, create multiple Password Setting objects.
D.
From the Security Configuration Wizard,
create multiple security policies.
Answer: C
QUESTION NO: 23
You have a domain controller that
runs Windows Server 2008 R2 and is configured as a DNS server. You need to
record all inbound DNS queries to the server. What should you configure in the
DNS Manager console?
a.
Enable debug logging.
b.
Enable automatic testing for simple
queries.
c.
Configure event logging to log
errors and warnings.
d.
Enable automatic testing for
recursive queries.
Answer: A
QUESTION NO: 24
Your company has a main office and a
branch office. The company has a single-domain Active Directory forest. The
main office has two domain controllers named DC1 and DC2 that run Windows
Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain
controller (RODC) named DC3. All domain controllers hold the DNS Server role
and are configured as Active Directory-integrated zones. The DNS zones only
allow secure updates. You need to enable dynamic DNS updates on DC3. What
should you do?
a.
Run the Dnscmd.exe /ZoneResetType
command on DC3.
b.
Reinstall Active Directory Domain
Services on DC3 as a writable domain controller.
c.
Create a custom application
directory partition on DC1. Configure the partition to store Active
Directory-integrated zones.
d.
Run the Ntdsutil.exe DS Behavior commands on DC3.
Answer: B
QUESTION NO: 25
Your company has an Active Directory
domain named ad.contoso.com. The domain has two domain controllers named DC1
and DC2. Both domain controllers have the DNS server role installed.
You install a new DNS server named
DNS1.contoso.com on the perimeter network. You configure DC1 to forward all
unresolved name requests to DNS1.contoso.com.
You discover that the DNS forwarding
option is unavailable on DC2.
You need to configure DNS forwarding
on the DC2 server to point to the DNS1.contoso.com server.
Which two actions should you
perform? (Each correct answer presents part of the solution. Choose two.)
a.
Clear the DNS cache on DC2.
b.
Configure conditional forwarding on
DC2.
c.
Configure the Listen On address on
DC2.
d.
Delete the Root zone on DC2.
Answer: B,D
QUESTION NO: 26
Your company has an organizational
unit named Production. The Production organizational unit has a child
organizational unit named R&D. You create a GPO named Software Deployment
and link it to the Production organizational unit.
You create a shadow group for the
R&D organizational unit. You need to deploy an application to users in the
Production organizational unit.
You also need to ensure that the
application is not deployed to users in the R&D organizational unit.
What are two possible ways to
achieve this goal? (Each correct answer presents a complete solution. Choose
two.)
a.
Configure the Block Inheritance
setting on the R&D organizational unit.
b.
Configure the Enforce setting on the
Software Deployment GPO.
c.
Configure security filtering on the
Software Deployment GPO to Deny Apply group policy for the R&D security
group.
d.
Configure the Block Inheritance
setting on the Production organizational unit.
Answer: A,C
QUESTION NO: 27
Your company has a branch office
that is configured as a separate Active Directory site and has an Active
Directory domain controller. The Active Directory site requires a local Global
Catalog server to support a new application. You need to configure the domain
controller as a Global Catalog server. Which tool should you use?
a.
The Server Manager console
b.
The Active Directory Sites and
Services console
c.
The Dcpromo.exe utility
d.
The Computer Management console
e.
The Active Directory Domains and
Trusts console
Answer: B
QUESTION NO: 28
Your company has a main office and
three branch offices. The company has an Active Directory forest that has a
single domain. Each office has one domain controller. Each office is configured
as an Active Directory site. All sites are connected with the DEFAULTIPSITELINK
object. You need to decrease the replication latency between the domain
controllers. What should you do?
a.
Decrease the replication schedule
for the DEFAULTIPSITELINK object.
b.
Decrease the replication interval
for the DEFAULTIPSITELINK object.
c.
Decrease the cost between the
connection objects.
d.
Decrease the replication interval
for all connection objects.
Answer: B
QUESTION NO: 29
Your company has two Active
Directory forests named contoso.com and fabrikam.com. Both forests run only
domain controllers that run Windows Server 2008. The domain functional level of
contoso.com is Windows Server 2008. The domain functional level of fabrikam.com
is Windows Server 2003 Native mode. You configure an external trust between
contoso.com and fabrikam.com. You need to enable the Kerberos AES encryption
option. What should you do?
a.
Raise the forest functional level of
fabrikam.com to Windows Server 2008.
b.
Raise the domain functional level of
fabrikam.com to Windows Server 2008.
c.
Raise the forest functional level of
contoso.com to Windows Server 2008.
d.
Create a new forest trust and enable
forest-wide authentication.
Answer: B
QUESTION NO: 30
All consultants belong to a global
group named TempWorkers. You place three file servers in a new organizational
unit named SecureServers. The three file servers contain confidential data
located in shared folders. You need to record any failed attempts made by the
consultants to access the confidential data. Which two actions should you
perform? (Each correct answer presents part of the solution. Choose two.)
a.
Create and link a new GPO to the
SecureServers organizational unit. Configure the Deny access to this computer
from the network user rights setting for the TempWorkers global group.
b.
Create and link a new GPO to the
SecureServers organizational unit. Configure the Audit privilege use Failure
audit policy setting.
c.
Create and link a new GPO to the
SecureServers organizational unit. Configure the Audit object access Failure
audit policy setting.
d.
On each shared folder on the three
file servers, add the three servers to the Auditing tab. Configure the Failed
Full control setting in the Auditing Entry dialog box.
e.
On each shared folder on the three
file servers, add the TempWorkers global group to the Auditing tab. Configure
the Failed Full control setting in the Auditing Entry dialog box.
Answer: C,E
QUESTION NO: 31
You have two servers named Server1
and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as
an Enterprise Root certification authority (CA). You install the Online
Responder role service on Server2. You need to configure Server2 to issue
certificate revocation lists (CRLs) for the enterprise root CA. Which two tasks
should you perform? (Each correct answer presents part of the solution. Choose
two.)
a.
Import the enterprise root CA
certificate.
b.
Import the OCSP Response Signing
certificate.
c.
Add the Server1 computer account to
the CertPublishers group.
d.
Set the Startup Type of the
Certificate Propagation service to Automatic.
Answer: A,B
QUESTION NO: 32
Your company has an Active Directory
forest. The forest includes organizational units corresponding to the following
four locations:
London
Chicago
New York
India
Each location has a child
organizational unit named Sales. The Sales organizational unit contains all the
users and computers from the sales department.
The offices in London, Chicago, and
New York are connected by T1 connections. The office in India is connected by a
256-Kbps ISDN connection.
You need to install an application
on all the computers in the sales department.
Which two actions should you
perform? (Each correct answer presents part of the solution. Choose two.)
a.
Create a Group Policy Object (GPO)
named OfficeInstall that assigns the application to users. Link the GPO to each
Sales organizational unit.
b.
Disable the slow link detection
setting in the Group Policy Object (GPO).
c.
Configure the slow link detection
threshold setting to 1,544 Kbps (T1) in the Group Policy Object (GPO).
d.
Create a Group Policy Object (GPO)
named OfficeInstall that assigns the application to the computers. Link the GPO
to each Sales organizational unit.
Answer: B,D
QUESTION NO: 33
Your company has a domain controller
server that runs the Windows Server 2008 R2 operating system. The server is a
backup server. The server has a single 500-GB hard disk that has three
partitions for the operating system, applications, and data. You perform daily
backups of the server.
The hard disk fails. You replace the
hard disk with a new hard disk of the same capacity. You restart the computer
on the installation media. You select the Repair your computer option.
You need to restore the operating
system and all files.
What should you do?
a.
Select the System Image Recovery
option.
b.
Run the Imagex utility at the
command prompt.
c.
Run the Wbadmin utility at the
command prompt.
d.
Run the Rollback utility at the
command prompt.
Answer: C
QUESTION NO: 34
You need to remove the Active Directory
Domain Services role from a domain controller named DC1. What should you do?
a.
Run the netdom remove DC1 command.
b.
Run the Dcpromo utility. Remove the
Active Directory Domain Services role.
c.
Run the nltest /remove_server: DC1
command.
d.
Reset the Domain Controller computer
account by using the Active Directory Users and Computers utility.
Answer: B
QUESTION NO: 35
Your company has an Active Directory
forest. The company has branch offices in three locations. Each location has an
organizational unit. You need to ensure that the branch office administrators
are able to create and apply GPOs only to their respective organizational
units. Which two actions should you perform? (Each correct answer presents part
of the solution. Choose two.)
a.
Run the Delegation of Control wizard
and delegate the right to link GPOs for their branch organizational units to
the branch office administrators.
b.
Add the user accounts of the branch
office administrators to the Group Policy Creator Owners Group.
c.
Modify the Managed By tab in each
organizational unit to add the branch office administrators to their respective
organizational units.
d.
Run the Delegation of Control wizard
and delegate the right to link GPOs for the domain to the branch office
administrators.
Answer: A,B
QUESTION NO: 36
Your company has an Active Directory
domain. A user attempts to log on to the domain from a client computer and
receives the following message: "This user account has expired. Ask your
administrator to reactivate the account." You need to ensure that the user
is able to log on to the domain. What should you do?
a.
Modify the properties of the user
account to set the account to never expire.
b.
Modify the properties of the user
account to extend the Logon Hours setting.
c.
Modify the default domain policy to
decrease the account lockout duration.
d.
Modify the properties of the user
account to set the password to never expire.
Answer: A
QUESTION NO: 37
You have an existing Active
Directory site named Site1. You create a new Active Directory site and name it
Site2.
You need to configure Active
Directory replication between Site1 and Site2. You install a new domain
controller.
You create the site link between
Site1 and Site2.
What should you do next?
a.
Use the Active Directory Sites and
Services console to assign a new IP subnet to Site2. Move the new domain
controller object to Site2.
b.
Use the Active Directory Sites and
Services console to configure a new site link bridge object.
c.
Use the Active Directory Sites and
Services console to decrease the site link cost between Site1 and Site2.
d.
Use the Active Directory Sites and
Services console to configure the new domain controller as a preferred
bridgehead server for Site1.
Answer: A
QUESTION NO: 38
Your company has an Active Directory
forest. Each branch office has an organizational unit and a child
organizational unit named Sales. The Sales organizational unit contains all
users and computers of the sales department. You need to install an Office 2007
application only on the computers in the Sales organizational unit. You create
a GPO named SalesApp GPO. What should you do next?
a.
Configure the GPO to assign the
application to the computer account. Link the SalesAPP GPO to the Sales
organizational unit in each location.
b.
Configure the GPO to assign the
application to the computer account. Link the SalesAPP GPO to the domain.
c.
Configure the GPO to publish the
application to the user account. Link the SalesAPP GPO to the Sales
organizational unit in each location.
d.
Configure the GPO to assign the
application to the user account. Link the SalesAPP GPO to the Sales
organizational unit in each location.
Answer: A
QUESTION NO: 39
Your network consists of an Active
Directory forest that contains one domain. All domain controllers run Windows
Server 2008 R2 and are configured as DNS servers. You have an Active
Directory-integrated zone.
You have two Active Directory sites.
Each site contains five domain controllers.
You add a new NS record to the zone.
You need to ensure that all domain
controllers immediately receive the new NS record.
What should you do?
a.
From the DNS Manager console, reload
the zone.
b.
From the DNS Manager console,
increase the version number of the SOA record.
c.
From the command prompt, run
repadmin /syncall.
d.
From the Services snap-in, restart
the DNS Server service.
Answer: C
QUESTION NO: 40
Your company has a single Active
Directory domain named intranet.contoso.com. All domain controllers run Windows
Server 2008 R2. The domain functional level is Windows 2000 native and the
forest functional level is Windows 2000.
You need to ensure the UPN suffix
for contoso.com is available for user accounts.
What should you do first?
a.
Raise the intranet.contoso.com
forest functional level to Windows Server 2003 or higher.
b.
Raise the intranet.contoso.com
domain functional level to Windows Server 2003 or higher.
c.
Add the new UPN suffix to the
forest.
d.
Change the Primary DNS Suffix option
in the Default Domain Controllers Group Policy Object (GPO) to contoso.com.
Answer: C
QUESTION NO: 41
You have a Windows Server 2008 R2
Enterprise Root CA. Security policy prevents port 443 and port 80 from being
opened on domain controllers and on the issuing CA.
You need to allow users to request
certificates from a Web interface. You install the Active Directory Certificate
Services (AD CS) server role.
What should you do next?
a.
Configure the Online Responder Role
Service on a member server.
b.
Configure the Online Responder Role
Service on a domain controller.
c.
Configure the Certificate Enrollment
Web Service role service on a member server.
d.
Configure the Certificate Enrollment
Web Service role service on a domain controller.
Answer: C